AWS - EC2 Unauthenticated Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Check in this page more information about this:

AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

Public Ports

It's possible to expose the any port of the virtual machines to the internet. Depending on what is running in the exposed the port an attacker could abuse it.

SSRF

Cloud SSRFHackTricks

Public AMIs & EBS Snapshots

AWS allows to give access to anyone to download AMIs and Snapshots. You can list these resources very easily from your own account:

# Public AMIs
aws ec2 describe-images --executable-users all

## Search AMI by ownerID
aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `967541184254/`) == `true`]'

## Search AMI by substr ("shared" in the example)
aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `shared`) == `true`]'

# Public EBS snapshots (hard-drive copies)
aws ec2 describe-snapshots --restorable-by-user-ids all
aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")'

If you find a snapshot that is restorable by anyone, make sure to check AWS - EBS Snapshot Dump for directions on downloading and looting the snapshot.

Public URL template

# EC2
ec2-{ip-seperated}.compute-1.amazonaws.com
# ELB
http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443
https://{user_provided}-{random_id}.{region}.elb.amazonaws.com

Enumerate EC2 instances with public IP

aws ec2 describe-instances --query "Reservations[].Instances[?PublicIpAddress!=null].PublicIpAddress" --output text