HackTricks Cloud
HackTricks Training Twitter Linkedin Sponsor

AWS - EC2 Unauthenticated Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

EC2 & Related Services

Check in this page more information about this:

pageAWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

Public Ports

It's possible to expose the any port of the virtual machines to the internet. Depending on what is running in the exposed the port an attacker could abuse it.

SSRF

Public AMIs & EBS Snapshots

AWS allows to give access to anyone to download AMIs and Snapshots. You can list these resources very easily from your own account:

# Public AMIs
aws ec2 describe-images --executable-users all

## Search AMI by ownerID
aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `967541184254/`) == `true`]'

## Search AMI by substr ("shared" in the example)
aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `shared`) == `true`]'

# Public EBS snapshots (hard-drive copies)
aws ec2 describe-snapshots --restorable-by-user-ids all
aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")'

If you find a snapshot that is restorable by anyone, make sure to check AWS - EBS Snapshot Dump for directions on downloading and looting the snapshot.

Public URL template

# EC2
ec2-{ip-seperated}.compute-1.amazonaws.com
# ELB
http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443
https://{user_provided}-{random_id}.{region}.elb.amazonaws.com

Enumerate EC2 instances with public IP

aws ec2 describe-instances --query "Reservations[].Instances[?PublicIpAddress!=null].PublicIpAddress" --output text
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

PreviousAWS - DynamoDB Unauthenticated AccessNextAWS - ECR Unauthenticated Enum

Last updated