Comment on page
AWS - Unauthenticated Enum & Access

Support HackTricks and get benefits!
If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag​
Discover The PEASS Family, our collection of exclusive NFTs​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
AWS Credentials Leaks
A common way to obtain access or information about an AWS account is by searching for leaks. You can search for leaks using google dorks, checking the public repos of the organization and the workers of the organization in Github or other platforms, searching in credentials leaks databases... or in any other part you think you might find any information about the company and its cloud infa.
Some useful tools:
​https://github.com/carlospolop/leakos​
​https://github.com/carlospolop/pastos​
​https://github.com/carlospolop/gorks​
AWS Unauthenticated Enum & Access
There are several services in AWS that could be configured giving some kind of access to all Internet or to more people than expected. Check here how:
​Accounts Unauthenticated Enum​
​Cloud9 Unauthenticated Enum​
​Cloudfront Unauthenticated Enum​
​Cloudsearch Unauthenticated Enum​
​Cognito Unauthenticated Enum​
​DocumentDB Unauthenticated Enum​
​EC2 Unauthenticated Enum​
​Elasticsearch Unauthenticated Enum​
​IAM Unauthenticated Enum​
​IoT Unauthenticated Access​
​Kinesis Video Unauthenticated Access​
​Media Unauthenticated Access​
​MQ Unauthenticated Access​
​MSK Unauthenticated Access​
​RDS Unauthenticated Access​
​Redshift Unauthenticated Access​
​SQS Unauthenticated Access​
​S3 Unauthenticated Access​
Cross Account Attacks
In the talk Breaking the Isolation: Cross-Account AWS Vulnerabilities it's presented how some services allow(ed) any AWS account accessing them because AWS services without specifying accounts ID were allowed.
During the talk they specify several examples, such as S3 buckets allowing cloudtrail (of any AWS account) yo write to them:
Other services found vulnerable:
AWS Config
Serverless repository
Tools
​cloud_enum: Multi-cloud OSINT tool. Find public resources in AWS, Azure, and Google Cloud. Supported AWS services: Open / Protected S3 Buckets, awsapps (WorkMail, WorkDocs, Connect, etc.)
Support HackTricks and get benefits!
If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag​
Discover The PEASS Family, our collection of exclusive NFTs​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
AWS - Other Services Enum
AWS - Accounts Unauthenticated Enum
Last modified 4mo ago