AWS - Accounts Unauthenticated Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Account IDs

If you have a target there are ways to try to identify account IDs of accounts related to the target.

Brute-Force

You create a list of potential account IDs and aliases and check them

# Check if an account ID exists
curl -v https://<acount_id>.signin.aws.amazon.com
## If response is 404 it doesn't, if 200, it exists
## It also works from account aliases
curl -v https://vodafone-uk2.signin.aws.amazon.com

You can automate this process with this tool.

OSINT

Look for urls that contains <alias>.signin.aws.amazon.com with an alias related to the organization.

Marketplace

If a vendor has instances in the marketplace, you can get the owner id (account id) of the AWS account he used.

Snapshots

  • Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots)

  • RDS public snapshots (RDS -> Snapshots -> All Public Snapshots)

  • Public AMIs (EC2 -> AMIs -> Public images)

Errors

Many AWS error messages (even access denied) will give that information.

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated