Hey everyone,
I hope you all are doing well.
Today, I would like to share some AWS CLI commands that I've found incredibly useful in my cloud security projects. As AWS is our primary cloud provider, having a good grasp of AWS CLI is essential. In this post, I'll be focusing on IAM (Identity and Access Management) enumeration through the command line.
Note: I've compiled these commands for my own quick reference. As I discover more valuable commands, I'll keep adding them here in the future.
Let's get started!
To begin, it's crucial to learn how to configure AWS keys via the CLI. This skill is essential because many clients entrust you with programmatic keys to assess potential vulnerabilities.
1. Configure AWS Credentials:
You can configure the AWS keys using the following command:
aws configure
You will be prompted to enter your AWS Access Key ID, AWS Secret Access Key, default region, and default output format.
2. WhoAmI:
To check the identity associated with your AWS CLI session, you can use the sts get-caller-identity command, commonly referred to as "whoami":
aws sts get-caller-identity
3. List IAM Users:
IAM users are commonly used for representing individuals, employees, or applications that require access to your AWS environment. Use the following command to list IAM users in your AWS account:
aws iam list-users
4. List IAM Groups:
IAM Groups are collections of users who share similar access requirements. You can use the following command to list IAM groups in your AWS account:
aws iam list-groups
5. List IAM Roles:
In short, IAM roles are associated with specific job functions or responsibilities within an organization. Use the following command to list IAM roles in your AWS account:
aws iam list-roles
6. List Attached Policies for a User/Group/Role:
A policy is a set of rules or guidelines that define what actions are allowed or denied in a specific context. Most policies are stored in AWS as JSON documents.
To list the attached policies for an IAM user, group, or role, please replace USER_NAME, GROUP_NAME, or ROLE_NAME with the appropriate name:
aws iam list-attached-user-policies --user-name USER_NAME
aws iam list-attached-group-policies --group-name GROUP_NAME
aws iam list-attached-role-policies --role-name ROLE_NAME
7. List Inline Policies for a User/Group/Role:
To list inline policies for an IAM user, group, or role, replace USER_NAME, GROUP_NAME, or ROLE_NAME with the appropriate name:
aws iam list-user-policies --user-name USER_NAME
aws iam list-group-policies --group-name GROUP_NAME
aws iam list-role-policies --role-name ROLE_NAME
8. List Managed Policies:
Use the following command to list managed policies in your AWS Identity and Access Management (IAM) environment. It retrieves and displays the IAM policies that are available in your AWS account.
aws iam list-policies
9. List Policy Versions:
To list all versions of a managed policy, specify the policy ARN (Amazon Resource Name):
aws iam list-policy-versions --policy-arn POLICY_ARN
10. Get Policy Document:
To view the policy document for a specific policy version, use the get-policy-version command with the version ID and policy ARN:
aws iam get-policy-version --policy-arn POLICY_ARN --version-id VERSION_ID
11. Assuming an IAM Role:
Assuming a role in AWS is like temporarily wearing a permission hat to access resources securely. You can assume a role using the following command:
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyNewRole --role-session-name MySession
After assuming a role, you can obtain temporary credentials, and you can export them into your environment variables as follows:
export AWS_ACCESS_KEY_ID=your_access_key_id
export AWS_SECRET_ACCESS_KEY=your_secret_access_key
export AWS_SESSION_TOKEN=your_session_token
Make sure to replace your_access_key_id, your_secret_access_key, and your_session_token with the actual values you received when assuming the role.
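As an added example (not part of the original post), the three values can be exported without pasting them at the prompt: `--query` with `--output text` prints them on one tab-separated line, and a small function reads that line. The function names `load_role_creds` and `assume_role_env` are assumptions made for this sketch.

```shell
# load_role_creds: read one line "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken"
# from stdin and export it as the three AWS_* variables.
# Returns 1 and exports nothing if any of the three fields is missing.
load_role_creds() {
    IFS=$(printf '\t') read -r _k _s _t || true
    if [ -z "$_k" ] || [ -z "$_s" ] || [ -z "$_t" ]; then
        unset _k _s _t
        echo "load_role_creds: expected 3 tab-separated fields" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$_k" AWS_SECRET_ACCESS_KEY="$_s" AWS_SESSION_TOKEN="$_t"
    unset _k _s _t
}

# assume_role_env ROLE_ARN SESSION_NAME: call sts assume-role and load the
# temporary credentials into the current shell (needs network access and
# base credentials that are allowed to assume the role).
assume_role_env() {
    _out=$(aws sts assume-role --role-arn "$1" --role-session-name "$2" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || return 1
    load_role_creds <<EOF
$_out
EOF
    unset _out
}

# Usage:
#   assume_role_env arn:aws:iam::123456789012:role/MyNewRole MySession
#   aws sts get-caller-identity    # now reports the assumed-role ARN
```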
12. List Instance Profiles:
An IAM instance profile is used to link an IAM role to an EC2 instance, allowing the instance to assume the role and obtain temporary credentials to access AWS services and resources based on the role's permissions. Use the following command to list IAM instance profiles in your AWS account:
aws iam list-instance-profiles
13. List SSH Public Keys:
To list SSH public keys associated with IAM users:
aws iam list-ssh-public-keys --user-name USER_NAME
14. List MFA Devices:
MFA in AWS is a security feature that requires users to provide two or more factors of authentication (typically something they know and something they have) to access their AWS account, enhancing security and reducing the risk of unauthorized access.
You can list multi-factor authentication (MFA) devices associated with IAM users by using the following command.
aws iam list-mfa-devices --user-name USER_NAME
15. List Service-Specific Credentials:
Service-specific credentials in AWS are temporary and limited-scope security credentials designed for use by AWS services and third-party applications. Use the following command to list AWS service-specific credentials for an IAM user.
aws iam list-service-specific-credentials --user-name USER_NAME
16. Creating an IAM User:
You can create an IAM user using the create-user command:
aws iam create-user --user-name MyNewUser
17. Creating an IAM Group:
You can create an IAM group using the create-group command:
aws iam create-group --group-name MyNewGroup
18. Attaching a Policy to a User or Group:
You can attach an existing IAM policy to a user or group using the attach-user-policy or attach-group-policy command:
aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess --user-name MyNewUser
aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --group-name MyNewGroup
19. List Server Certificates:
A server certificate refers to a digital certificate used to secure network communication between clients and your server or service. These certificates are primarily used for enabling secure, encrypted connections using protocols like HTTPS, which is crucial for protecting data in transit.
aws iam list-server-certificates
When you run this command, it will return a list of server certificates associated with your AWS account, including information such as the certificate name, the Amazon Resource Name (ARN), the expiration date, and the path.
20. Generating AWS Credential Reports
AWS Credential Reports provide valuable insights into the security of your AWS account by detailing IAM user access and activity. To generate a credential report using the AWS Command Line Interface (CLI), follow these steps:
1. Generate the Report: Use the generate-credential-report command to initiate the report generation process. This command doesn't provide immediate access to the report but triggers its creation.
aws iam generate-credential-report
2. Wait for Completion: Credential reports typically take a few hours to generate. Check the status using the get-credential-report command. Repeat this step until the report is marked as "Ready."
aws iam get-credential-report
3. Retrieve the Report: Once the report is ready, use the get-credential-report command to retrieve and save the report in a CSV file for analysis.
aws iam get-credential-report --query 'Content' --output text | base64 -d > credential-report.csv
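Once credential-report.csv is on disk, a short awk pass can triage it. This is an added example, not part of the original post: the function name `flag_risky_users` and the choice of findings are assumptions, and columns are looked up by the header names AWS writes into the report.

```shell
# flag_risky_users FILE: print "user<TAB>finding" for each row of a credential
# report CSV that has a console password without MFA, a root account without
# MFA or with an active access key, or an active access key never used.
# Exits 2 if an expected column is missing from the header.
flag_risky_users() {
    awk -F, '
    NR == 1 {
        sub(/\r$/, "")                       # tolerate CRLF line endings
        for (i = 1; i <= NF; i++) col[$i] = i
        n = split("user password_enabled mfa_active access_key_1_active access_key_2_active", need, " ")
        for (i = 1; i <= n; i++)
            if (!(need[i] in col)) {
                print "missing column: " need[i] > "/dev/stderr"
                exit 2
            }
        next
    }
    {
        user = $col["user"]; mfa = $col["mfa_active"]
        if ($col["password_enabled"] == "true" && mfa == "false")
            print user "\tconsole password without MFA"
        if (user == "<root_account>" && mfa == "false")
            print user "\troot account without MFA"
        for (k = 1; k <= 2; k++) {
            if ($col["access_key_" k "_active"] != "true") continue
            if (user == "<root_account>")
                print user "\taccess_key_" k " active on root account"
            else if ($col["access_key_" k "_last_used_date"] == "N/A")
                print user "\taccess_key_" k " active but never used"
        }
    }' "$1"
}

# Usage, after the retrieval command above:
#   flag_risky_users credential-report.csv
```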
Well, folks, that's a wrap for this post. If you're into cloud penetration testing, feel free to dive into my Pwned Labs lab-solving playlist.
Thanks for stopping by, and take care!