HackTricks Cloud

AWS - EC2 Unauthenticated Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
Check in this page more information about this:

Public Ports

It's possible to expose any port of the virtual machines to the internet. Depending on what is running on the exposed port, an attacker could abuse it.

SSRF

Public AMIs & EBS Snapshots

AWS allows anyone to be given access to download AMIs and snapshots. You can list these resources very easily from your own account:
# Public AMIs
aws ec2 describe-images --executable-users all

## Search AMI by ownerID
aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `967541184254/`) == `true`]'

## Search AMI by substr ("shared" in the example)
aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `shared`) == `true`]'

# Public EBS snapshots (hard-drive copies)
aws ec2 describe-snapshots --restorable-by-user-ids all
aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")'

Public URL template

# EC2
ec2-{ip-separated}.compute-1.amazonaws.com
# ELB
http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443
https://{user_provided}-{random_id}.{region}.elb.amazonaws.com

Enumerate EC2 instances with public IP

aws ec2 describe-instances --query "Reservations[].Instances[?PublicIpAddress!=null].PublicIpAddress" --output text
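
A defender-side use of the hostname templates and the public-IP query above, as an added example that is not part of the original page: it decodes EC2/ELB public hostnames found in your own DNS records or configs and checks each embedded IP against the text output of the `describe-instances` query. The function names, sample hostnames and IPs are constructed, and the regional `ec2-{ip-separated}.{region}.compute.amazonaws.com` form goes beyond the us-east-1 template shown on this page.

```python
import ipaddress
import re

# Page's us-east-1 form, plus the regional form <region>.compute (added here).
EC2_RE = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\."
    r"(?:compute-1|([a-z0-9-]+)\.compute)\.amazonaws\.com\.?$"
)
# {user_provided}-{random_id}.{region}.elb.amazonaws.com
ELB_RE = re.compile(r"^(.+)-([a-z0-9]+)\.([a-z0-9-]+)\.elb\.amazonaws\.com\.?$")


def classify(hostname):
    """Describe an EC2/ELB public hostname as a dict, or return None."""
    host = hostname.strip().lower()
    m = EC2_RE.match(host)
    if m:
        try:
            ip = ipaddress.IPv4Address(".".join(m.group(1, 2, 3, 4)))
        except ipaddress.AddressValueError:
            return None  # an octet above 255 cannot be a real EC2 name
        return {"kind": "ec2", "ip": str(ip), "region": m.group(5) or "us-east-1"}
    m = ELB_RE.match(host)
    if m:
        return {"kind": "elb", "name": m.group(1), "region": m.group(3)}
    return None


def reconcile(hostnames, describe_instances_text):
    """Split EC2 hostnames by whether their IP is in the CLI's public IP list."""
    owned = set(describe_instances_text.split())
    known, unknown = [], []
    for h in hostnames:
        info = classify(h)
        if info and info["kind"] == "ec2":
            (known if info["ip"] in owned else unknown).append((h, info["ip"]))
    return known, unknown


# Constructed sample data: documentation IP ranges and made-up names.
SAMPLE_HOSTS = [
    "ec2-203-0-113-10.compute-1.amazonaws.com",
    "ec2-198-51-100-7.eu-west-1.compute.amazonaws.com",
    "shop-lb-1234567890.us-east-1.elb.amazonaws.com",
]
SAMPLE_CLI_TEXT = "203.0.113.10\t192.0.2.44\n"

if __name__ == "__main__":
    print(reconcile(SAMPLE_HOSTS, SAMPLE_CLI_TEXT))
```

Hostnames in the second list embed an IP that the queried account and region do not currently hold, so they are the records to review first.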