Hacking Bloghttps://hack.com.cy/notes/cloud/aws/ec2/Recent content on Hacking BlogHugoenBasic EC2 Enumeration Cheet Sheethttps://hack.com.cy/notes/cloud/aws/ec2/ec2/Thu, 21 Aug 2025 00:00:00 +0000https://hack.com.cy/notes/cloud/aws/ec2/ec2/<h3 id="1-list-ec2-instances"><strong>1. List EC2 Instances</strong></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">aws ec2 describe-instances --region <span class="o">[</span>region<span class="o">]</span> </span></span></code></pre></div><blockquote> <p>Shows instance IDs, public IPs, AMIs, key names, IAM roles, etc.</p> </blockquote> <p>Use JMESPath filters for cleaner output:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">aws ec2 describe-instances --query <span class="s2">&#34;Reservations[_].Instances[_].[InstanceId,PublicIpAddress,State.Name,KeyName,IamInstanceProfile.Arn]&#34;</span> </span></span></code></pre></div><hr> <h3 id="2-get-detailed-info-on-a-specific-instance"><strong>2. Get Detailed Info on a Specific Instance</strong></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">aws ec2 describe-instances --instance-ids <span class="o">[</span>i-xxxxxxxxxxxxxxx<span class="o">]</span> </span></span></code></pre></div><hr> <h3 id="3-identify-iam-role-attached-to-the-instance"><strong>3. Identify IAM Role Attached to the Instance</strong></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">aws ec2 describe-instances --query <span class="s2">&#34;Reservations[*].Instances[*].IamInstanceProfile.Arn&#34;</span> </span></span></code></pre></div><p>Then grab role name and enumerate permissions:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">aws iam get-instance-profile --instance-profile-name <span class="o">[</span>name<span class="o">]</span> </span></span></code></pre></div><hr> <h3 id="4-list-security-groups"><strong>4. List Security Groups</strong></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">aws ec2 describe-security-groups </span></span></code></pre></div><blockquote> <p>Look for open ports, especially <code>0.0.0.0/0</code> on SSH (22), RDP (3389), or custom ports.</p>