CyberCheatsheets

AWS CLI Cheat Sheet

Command-line interface for AWS enumeration, credential validation, and misconfiguration discovery during cloud assessments.

Cloud & Containersawsenumerationiams3Updated 2026-06-02

Overview

The AWS CLI interacts with all major AWS APIs. In pentests, use it after obtaining access keys, instance roles, or SSRF-to-metadata to enumerate S3, IAM, EC2, Lambda, and secrets.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip
unzip awscliv2.zip && sudo ./aws/install
aws --version

Configure profile

aws configure

Essential commands

Verify identity

aws sts get-caller-identity

List S3 buckets

aws s3 ls

List EC2 instances (all regions loop)

aws ec2 describe-instances --region us-east-1

Download bucket

aws s3 sync s3://bucket-name ./loot/ --no-sign-request   # only if public

Common workflows

On compromised EC2 (IMDSv1)

curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
ROLE=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
aws sts get-caller-identity

IAM enumeration —

aws iam list-users
aws iam list-roles
aws iam list-attached-user-policies --user-name USER
aws iam get-user-policy --user-name USER --policy-name POLICY
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123:user/USER
--action-names s3:GetObject iam:CreateUser --resource-arns '*'

S3 misconfiguration —

aws s3 ls s3://target-bucket/
aws s3api get-bucket-acl --bucket target-bucket
aws s3api get-bucket-policy --bucket target-bucket
aws s3 cp s3://target-bucket/secret.zip .

Multi-region EC2 / Lambda —

for r in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
echo "=== $r ==="
aws ec2 describe-instances --region $r --query 'Reservations[].Instances[].PublicIpAddress'
done
aws lambda list-functions --region us-east-1

Secrets Manager / SSM —

aws secretsmanager list-secrets --region us-east-1
aws secretsmanager get-secret-value --secret-id prod/db/password
aws ssm describe-parameters --region us-east-1
aws ssm get-parameter --name /app/key --with-decryption

Flags reference

--profile NAME

Use named profile

--region REGION

Override default region

--output json\

table\

--query JMESPath

Filter output

--no-sign-request

Unsigned (public S3 only)

AWS_PROFILE / AWS_DEFAULT_REGION

Environment overrides

Tips

  • Run Pacu or Prowler after CLI confirms valid creds for deeper checks.
  • IMDSv2 requires token header — harder from simple SSRF.
  • aws iam get-account-authorization-details dumps policies (large JSON).
  • CloudTrail may log every CLI call — scope and ROE matter.

References

Aide-mémoires similaires