🔐 AWS CLI Privilege Escalation & Recon Playbook


1. Identity – Who am I?

Get current identity

aws sts get-caller-identity --profile <profile>

Returns the Account ID, User ID and ARN of the identity behind the credentials.
The ARN tells you whether you are an IAM user, an assumed role, or a temporary STS session. This call needs no IAM permissions, so it works even when everything else is denied.

Get account alias

aws iam list-account-aliases --profile <profile>

Displays the friendly account alias instead of the numeric ID.
Useful when multiple accounts are in play.

2. IAM – Users, Roles, and Policies

List IAM users

aws iam list-users --profile <profile>

Shows all users in the account.
Other users are potential pivot targets.

List IAM groups

aws iam list-groups --profile <profile>

Groups may carry privileged policies; list-groups-for-user --user-name <username> shows which groups a given user belongs to.

List IAM roles

aws iam list-roles --profile <profile>

Roles are valuable targets: if assumable, they can lead to privesc. The AssumeRolePolicyDocument (trust policy) in this output states which principals may assume each role.

Show attached managed policies

aws iam list-attached-user-policies --user-name <username> --profile <profile>

Managed policies are reusable and often broad (e.g., AdministratorAccess). Roles and groups have the same listing via list-attached-role-policies and list-attached-group-policies.

Show inline policies

aws iam list-user-policies --user-name <username> --profile <profile>

Inline policies are custom rules attached directly to a user. This lists only their names; get-user-policy --user-name <username> --policy-name <name> returns the document itself.

Dump policy JSON

aws iam get-policy --policy-arn <arn> --profile <profile>
aws iam get-policy-version --policy-arn <arn> --version-id <DefaultVersionId> --profile <profile>

Lets you read the actual permissions granted by a managed policy. Use the DefaultVersionId reported by get-policy: the permissions in force are those of the default version, and a hard-coded v1 is only correct for a policy that has never been updated.

3. EC2 & VPC – Instances & Networking

List instances

aws ec2 describe-instances --profile <profile>

Shows the EC2 instances in the current region.
Look for attached IAM instance profiles (IamInstanceProfile in the output).

List subnets

aws ec2 describe-subnets --profile <profile>

Enumerates network ranges.
Helps plan lateral movement.

List security groups

aws ec2 describe-security-groups --profile <profile>

Reveals firewall rules (open ports, allowed IPs). Ingress rules are under IpPermissions; a CidrIp of 0.0.0.0/0 or a CidrIpv6 of ::/0 means the rule is open to the whole internet, and an IpProtocol of -1 means every protocol and port.
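The describe-security-groups output is verbose, and the rules that matter are the world-open ones. Here is an added example (not part of the original playbook) that walks that JSON, emits one finding per ingress rule reachable from 0.0.0.0/0 or ::/0, and rates each one; the two sample groups are constructed, and the allow-list of ports expected to be public is an assumption to tune per environment.

```python
"""Flag security-group ingress rules open to the whole internet, from the JSON
that `aws ec2 describe-security-groups` prints. Added example, not part of the
original playbook; the sample groups below are constructed."""

WORLD = {"0.0.0.0/0", "::/0"}
# Ports commonly meant to be public; anything else open to the world is rated high.
# This allow-list is an assumption for the example, tune it per environment.
EXPECTED_PUBLIC = {(80, 80), (443, 443)}


def world_open_ingress(describe_output):
    """Return one finding per (ingress rule, world CIDR) pair found in IpPermissions."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD:
                    continue
                proto = perm.get("IpProtocol")
                all_traffic = proto == "-1"  # "-1" is EC2's value for every protocol
                findings.append({
                    "group": sg["GroupId"],
                    "name": sg.get("GroupName", ""),
                    "protocol": "all" if all_traffic else proto,
                    "from_port": None if all_traffic else perm.get("FromPort"),
                    "to_port": None if all_traffic else perm.get("ToPort"),
                    "source": cidr,
                })
    return findings


def rate(finding):
    """'info' only for a narrowly expected public TCP port; everything else is 'high'."""
    if finding["protocol"] != "tcp":
        return "high"
    if (finding["from_port"], finding["to_port"]) in EXPECTED_PUBLIC:
        return "info"
    return "high"


# Constructed sample in the shape of describe-security-groups output.
SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         ]},
        {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db",
         "IpPermissions": [
             {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
              "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
              "IpRanges": [], "Ipv6Ranges": [],
              "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
         ]},
    ]
}

if __name__ == "__main__":
    for f in world_open_ingress(SAMPLE_SECURITY_GROUPS):
        print(rate(f), f["group"], f["name"], f["protocol"], f["from_port"], f["to_port"], f["source"])
```

Rules whose source is another security group (UserIdGroupPairs) are skipped on purpose: they are reachable only from inside the VPC and belong to a separate review of group-to-group trust.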

Check instance IAM roles

aws ec2 describe-iam-instance-profile-associations --profile <profile>

Tells you which instance profiles, and therefore which IAM roles, are bound to which instances.
Those roles often hold privileged permissions.

4. S3 – Object Storage

List buckets

aws s3api list-buckets --profile <profile>

Shows all buckets visible to the identity; the list is account-wide, not per region.

List bucket contents

aws s3 ls s3://<bucket-name> --profile <profile>

Enumerates objects (listing requires s3:ListBucket on that bucket).
Try downloading (aws s3 cp) if possible.

5. DynamoDB – Database Recon

List tables

aws dynamodb list-tables --profile <profile>

Enumerates DynamoDB tables in the current region.

Dump table contents

aws dynamodb scan --table-name <table> --profile <profile>

Reads all items (if allowed). A scan walks the entire table: the CLI pages through the results, and the read consumes the table's read capacity, so use --max-items for a first look at a large table.
Can reveal sensitive data or credentials.

6. Elastic Beanstalk – Applications & Secrets

List Beanstalk applications

aws elasticbeanstalk describe-applications --profile <profile>

Entry point for hunting app configs and env vars.

List environments for an app

aws elasticbeanstalk describe-environments --application-name <AppName> --profile <profile>

Each environment is a deployed version of the app.

Get environment config

aws elasticbeanstalk describe-configuration-settings --application-name <AppName> --environment-name <EnvName> --profile <profile>

🔥 High-value target: often leaks AWS keys, DB creds and API tokens in environment variables (the OptionSettings entries in the aws:elasticbeanstalk:application:environment namespace).

7. Lambda – Functions & Roles

List Lambda functions

aws lambda list-functions --profile <profile>

Finds deployed serverless functions in the current region, with the execution role of each.

Get function configuration

aws lambda get-function-configuration --function-name <fn> --profile <profile>

Metadata plus environment variables (Environment.Variables); secrets are often stored here.

Get function code

aws lambda get-function --function-name <fn> --profile <profile>

Retrieves the actual function code (if allowed): the output includes Code.Location, a short-lived presigned URL from which the deployment package can be downloaded.
Useful for finding hardcoded credentials.
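Both the Beanstalk environment config above and the Lambda function configuration put application secrets in plain environment variables, and an account of any size has too many of them to read by hand. This added example (not part of the original playbook) extracts the variables from each CLI output shape, flags values that look like credentials by pattern and names that suggest one, and reports them redacted so the findings can go straight into a rotation ticket without copying the secret around. The two sample documents are constructed; the AKIA value is AWS's documented example key, and the name hints and patterns are assumptions to extend.

```python
"""Scan environment variables pulled from `aws lambda get-function-configuration`
(Environment.Variables) and `aws elasticbeanstalk describe-configuration-settings`
(OptionSettings in the aws:elasticbeanstalk:application:environment namespace)
for values that look like credentials, reporting them redacted. Added example, not
part of the original playbook; the sample outputs below are constructed, and the
AKIA key is AWS's documented example key."""
import re

EB_ENV_NAMESPACE = "aws:elasticbeanstalk:application:environment"
# Name fragments and value patterns are assumptions for this example; extend per fleet.
NAME_HINTS = ("SECRET", "PASSWORD", "PASSWD", "TOKEN", "API_KEY", "ACCESS_KEY", "PRIVATE")
VALUE_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credentials embedded in URL", re.compile(r"://[^/:@\s]+:[^@\s]+@")),
    ("PEM private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def lambda_env(config):
    """Environment variables from a get-function-configuration document."""
    return dict(config.get("Environment", {}).get("Variables", {}))


def beanstalk_env(settings):
    """Application env vars from a describe-configuration-settings document."""
    env = {}
    for cfg in settings.get("ConfigurationSettings", []):
        for opt in cfg.get("OptionSettings", []):
            if opt.get("Namespace") == EB_ENV_NAMESPACE and opt.get("Value") is not None:
                env[opt["OptionName"]] = opt["Value"]
    return env


def redact(value):
    """Keep a short prefix so a finding can be matched to the real secret later."""
    return f"{value[:4]}...({len(value)} chars)"


def find_secret_candidates(env):
    """Return (name, reasons, redacted value) for each suspicious variable, sorted by name."""
    hits = []
    for name, value in sorted(env.items()):
        reasons = [label for label, rx in VALUE_PATTERNS if rx.search(value)]
        if any(hint in name.upper() for hint in NAME_HINTS):
            reasons.append("name suggests a credential")
        if reasons:
            hits.append((name, "; ".join(reasons), redact(value)))
    return hits


# Constructed sample in the shape of get-function-configuration output.
SAMPLE_LAMBDA_CONFIG = {
    "FunctionName": "order-processor",
    "Role": "arn:aws:iam::123456789012:role/order-processor-role",
    "Environment": {"Variables": {
        "LOG_LEVEL": "info",
        "DB_URL": "postgres://app:Sup3rS3cret@db.internal:5432/orders",
        "AWS_ACCESS_KEY_ID_LEGACY": "AKIAIOSFODNN7EXAMPLE",
    }},
}

# Constructed sample in the shape of describe-configuration-settings output.
SAMPLE_EB_SETTINGS = {
    "ConfigurationSettings": [{
        "ApplicationName": "shop", "EnvironmentName": "shop-prod",
        "OptionSettings": [
            {"Namespace": EB_ENV_NAMESPACE, "OptionName": "API_TOKEN",
             "Value": "tok_live_0123456789abcdef"},
            {"Namespace": EB_ENV_NAMESPACE, "OptionName": "FEATURE_FLAGS",
             "Value": "beta,dark-mode"},
            {"Namespace": "aws:autoscaling:launchconfiguration",
             "OptionName": "InstanceType", "Value": "t3.micro"},
        ],
    }],
}

if __name__ == "__main__":
    for source, env in (("lambda", lambda_env(SAMPLE_LAMBDA_CONFIG)),
                        ("beanstalk", beanstalk_env(SAMPLE_EB_SETTINGS))):
        for name, why, shown in find_secret_candidates(env):
            print(f"{source}: {name} -> {why} [{shown}]")
```

The Beanstalk extractor filters on the application-environment namespace so that launch-configuration and autoscaling settings in the same document are not mistaken for app variables.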

8. Secrets Manager & SSM

List secrets

aws secretsmanager list-secrets --profile <profile>

Enumerates secrets stored in AWS Secrets Manager.

Get secret value

aws secretsmanager get-secret-value --secret-id <id> --profile <profile>

Dumps the secret content.

List SSM parameters

aws ssm describe-parameters --profile <profile>

Enumerates the SSM Parameter Store.

Get parameter value

aws ssm get-parameter --name <param> --with-decryption --profile <profile>

Retrieves the parameter content (with decryption for SecureString parameters).

9. Misc Recon

CloudFormation stacks

aws cloudformation describe-stacks --profile <profile>

Reveals deployed infra as IaC: stack parameters and outputs are in this output, and get-template --stack-name <stack> returns the template body itself.

ECR repositories

aws ecr describe-repositories --profile <profile>

Lists Docker image repos.
Images may contain secrets.

RDS instances

aws rds describe-db-instances --profile <profile>

Lists relational databases (RDS), including their endpoints.
Can combine with secrets to access DBs.

🧭 Workflow Summary

  1. Identity → Who am I? (sts get-caller-identity)
  2. IAM → What perms do I have? (list-roles, list-attached-user-policies)
  3. Services → Enumerate EC2, S3, DynamoDB, etc.
  4. Secrets → Look for keys in Beanstalk, Lambda, SSM, Secrets Manager.
  5. Escalate → If you get new creds/roles, assume them and restart the loop.

⚡ Tip: Always start with describe/list → they're low-noise, read-only and tell you what's possible without modifying anything. Two caveats: most service calls (EC2, Lambda, DynamoDB, Secrets Manager, SSM and so on) are region-scoped, so repeat them with --region for each region of interest, whereas IAM, STS and S3 list-buckets are global; and read-only does not mean invisible, since every management API call here is recorded in CloudTrail (S3 object listing and DynamoDB scans are data events, logged only where data-event logging is enabled), and a burst of describe/list calls from one identity across many services is exactly the pattern a detection team looks for.
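The flip side of the tip above is what this workflow looks like in CloudTrail: one identity, a few minutes, read-only calls to sts, iam, ec2, s3, dynamodb, lambda and secretsmanager in turn. The following added example (not part of the original playbook) implements that detection over CloudTrail records, reporting for each identity the densest window in which it touched at least min_services distinct services with read-only calls. The records are constructed in CloudTrail's record shape, trimmed to the fields used, and the window size and service threshold are assumptions to tune against a real baseline.

```python
"""Detect reconnaissance bursts in CloudTrail: one identity issuing read-only
(List*/Describe*/Get*) calls against many different services inside a short
window, which is the footprint the describe/list workflow above leaves. Added
example, not part of the original playbook; the records below are constructed
in CloudTrail's record shape, trimmed to the fields used."""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
READ_PREFIXES = ("List", "Describe", "Get")


def _when(record):
    return datetime.strptime(record["eventTime"], TIME_FMT)


def _is_read_only(record):
    """CloudTrail sets readOnly on most records; fall back to the eventName prefix."""
    if "readOnly" in record:
        return bool(record["readOnly"])
    return record["eventName"].startswith(READ_PREFIXES)


def recon_bursts(records, window=timedelta(minutes=10), min_services=4):
    """Per identity, the window holding read-only calls to the most distinct services,
    reported only when that count reaches min_services."""
    by_identity = defaultdict(list)
    for r in records:
        if not _is_read_only(r):
            continue  # mutating calls belong to a different detection
        by_identity[r["userIdentity"]["arn"]].append(
            (_when(r), r["eventSource"], r["eventName"]))
    bursts = []
    for arn, events in by_identity.items():
        events.sort()
        best = None
        for i, (start, _, _) in enumerate(events):
            inside = [e for e in events[i:] if e[0] - start <= window]
            services = {e[1] for e in inside}
            if len(services) >= min_services and (
                    best is None or len(services) > len(best["services"])):
                best = {
                    "identity": arn,
                    "window_start": start.strftime(TIME_FMT),
                    "events": len(inside),
                    "services": sorted(services),
                    "calls": [e[2] for e in inside],
                }
        if best is not None:
            bursts.append(best)
    return bursts


def _rec(time, arn, source, name, read_only=True):
    """Constructed CloudTrail record with only the fields the detection reads."""
    return {"eventTime": time, "userIdentity": {"arn": arn},
            "eventSource": source, "eventName": name, "readOnly": read_only}


CI = "arn:aws:iam::123456789012:user/ci-deployer"
MON = "arn:aws:sts::123456789012:assumed-role/monitoring/cw-agent"
# Constructed sample: a monitoring role polling normally, and a user walking the playbook.
SAMPLE_RECORDS = [
    _rec("2024-05-01T09:00:00Z", MON, "ec2.amazonaws.com", "DescribeInstances"),
    _rec("2024-05-01T09:30:00Z", MON, "ec2.amazonaws.com", "DescribeInstances"),
    _rec("2024-05-01T10:00:05Z", CI, "sts.amazonaws.com", "GetCallerIdentity"),
    _rec("2024-05-01T10:00:40Z", CI, "iam.amazonaws.com", "ListUsers"),
    _rec("2024-05-01T10:01:10Z", CI, "iam.amazonaws.com", "ListRoles"),
    _rec("2024-05-01T10:01:55Z", CI, "ec2.amazonaws.com", "DescribeInstances"),
    _rec("2024-05-01T10:02:30Z", CI, "s3.amazonaws.com", "ListBuckets"),
    _rec("2024-05-01T10:03:02Z", CI, "dynamodb.amazonaws.com", "ListTables"),
    _rec("2024-05-01T10:03:40Z", CI, "lambda.amazonaws.com", "ListFunctions"),
    _rec("2024-05-01T10:04:15Z", CI, "secretsmanager.amazonaws.com", "ListSecrets"),
    _rec("2024-05-01T10:05:00Z", MON, "monitoring.amazonaws.com", "GetMetricData"),
    _rec("2024-05-01T10:06:00Z", CI, "ec2.amazonaws.com", "RunInstances", read_only=False),
]

if __name__ == "__main__":
    for b in recon_bursts(SAMPLE_RECORDS):
        print(b["identity"], b["window_start"], b["events"], "events across", b["services"])
```

The monitoring role never trips the rule because it touches only two services however many calls it makes; the service-count threshold, rather than a raw call count, is what separates an enumeration sweep from a chatty but legitimate automation.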