AWS Security Assessment

Setup & access: See AWS for credential types, profile management, and the IAM model. Tooling: See Cloud Audit Tools for ScoutSuite, Prowler, CloudFox, Pacu setup and usage.


1. IAM Review

# Enumerate users, roles, groups, policies
aws iam list-users --profile <profile>
aws iam list-roles --profile <profile>
aws iam list-groups --profile <profile>
aws iam list-policies --scope Local --profile <profile>
 
# Get inline and attached policies for a role
aws iam list-attached-role-policies --role-name <RoleName> --profile <profile>
aws iam list-role-policies --role-name <RoleName> --profile <profile>
 
# Get the policy document for a specific version
aws iam get-policy-version \
  --policy-arn <PolicyArn> \
  --version-id <VersionId> \
  --profile <profile>
 
# Enumerate a user's effective permissions
aws iam list-attached-user-policies --user-name <UserName> --profile <profile>
aws iam list-user-policies --user-name <UserName> --profile <profile>
 
# Access keys — identify stale keys
aws iam list-access-keys --profile <profile>
aws iam get-credential-report --profile <profile>
aws iam generate-credential-report --profile <profile>

What to look for:

  • Overly permissive policies: Action: "*", Resource: "*"
  • Privilege escalation paths: iam:PassRole, sts:AssumeRole, iam:CreateAccessKey, iam:AttachRolePolicy
  • Trust policies with wildcards in Principal or overly broad cross-account assumptions
  • Users with long-lived access keys (never rotated, or unused)
  • Policies attached directly to users rather than via roles/groups
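
The checks in the list above can be applied mechanically to the policy documents the commands return. The following Python is an added example, not part of this checklist: it takes a permission policy (as returned by get-policy-version / list-role-policies) and a role trust policy (the AssumeRolePolicyDocument from get-role) and flags wildcard grants, the escalation-capable actions named above, wildcard principals and cross-account principals. The sample documents, account ids and function names are constructed for the example; feed it real CLI JSON output in practice. Conditions are deliberately not evaluated, so every hit is a lead to verify by hand, not a confirmed finding.

```python
"""Added example (not part of the original checklist): review IAM policy documents
for wildcard grants, escalation-capable actions and risky trust-policy principals.
The policies below are constructed samples; account id 111111111111 is a placeholder."""
import fnmatch

# Actions the checklist names as privilege-escalation building blocks, lower-cased
# because IAM action matching is case-insensitive.
ESCALATION_ACTIONS = (
    "iam:passrole", "sts:assumerole", "iam:createaccesskey", "iam:attachrolepolicy",
)


def _as_list(value):
    """Action, Resource and Principal may each be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_permission_policy(policy):
    """Return (statement index, kind, detail) tuples for Allow statements that grant
    '*' on '*' or that cover an escalation action, directly or through a wildcard
    such as 'iam:*'. Condition blocks are not evaluated."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((i, "admin-wildcard", "Action * on Resource *"))
        # fnmatch handles the * and ? wildcards IAM allows in action names.
        for esc in ESCALATION_ACTIONS:
            if any(fnmatch.fnmatchcase(esc, pattern) for pattern in actions):
                findings.append((i, "escalation-action", esc))
    return findings


def review_trust_policy(trust_policy, own_account_id):
    """Flag wildcard principals and principals from other accounts in a role's
    trust policy. Service and Federated principals are left alone."""
    findings = []
    for i, st in enumerate(_as_list(trust_policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*":
            findings.append((i, "wildcard-principal", "*"))
            continue
        if not isinstance(principal, dict):
            continue
        for p in _as_list(principal.get("AWS")):
            if p == "*":
                findings.append((i, "wildcard-principal", "AWS:*"))
            elif p.startswith("arn:"):
                # arn:partition:iam::ACCOUNT:... -> field 4 is the account id
                if p.split(":")[4] != own_account_id:
                    findings.append((i, "cross-account", p))
            elif p != own_account_id:  # bare 12-digit account id
                findings.append((i, "cross-account", p))
    return findings


# Constructed sample documents.
SAMPLE_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                               "arn:aws:iam::222222222222:role/Deploy"]}},
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    for f in review_permission_policy(SAMPLE_PERMISSION_POLICY):
        print("permission policy:", f)
    for f in review_trust_policy(SAMPLE_TRUST_POLICY, "111111111111"):
        print("trust policy:", f)
```

Statement 1 (iam:*) is reported for the three iam: escalation actions but not for sts:AssumeRole, and statement 2 is reported both as an admin wildcard and for all four actions; the trust policy yields one wildcard-principal and one cross-account finding.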

2. Logging & Monitoring

# CloudTrail
aws cloudtrail describe-trails --profile <profile>
aws cloudtrail get-event-selectors --trail-name <TrailName> --profile <profile>
aws cloudtrail get-trail-status --name <TrailName> --profile <profile>
 
# GuardDuty
aws guardduty list-detectors --profile <profile>
aws guardduty get-detector --detector-id <ID> --profile <profile>
 
# AWS Config
aws configservice describe-configuration-recorders --profile <profile>
aws configservice describe-delivery-channels --profile <profile>
 
# Security Hub
aws securityhub describe-hub --profile <profile>

What to look for:

  • CloudTrail: multi-region trail enabled, log file validation on, management events recorded
  • GuardDuty: enabled in all regions, findings reviewed
  • AWS Config: recorder running, delivery channel configured
  • CloudTrail logs delivered to an S3 bucket with server-side encryption (SSE) and also to CloudWatch Logs
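
The CloudTrail items above can be scored from the JSON of describe-trails, get-trail-status and get-event-selectors. The Python below is an added example, not code from this checklist: it reports, per trail, single-region scope, disabled log file validation, missing SSE-KMS, missing CloudWatch Logs delivery, a stopped trail and incomplete management-event recording, plus an account-level finding when no trail is multi-region. The trail names, bucket, ARNs and responses are constructed placeholders.

```python
"""Added example (not the checklist's own code): evaluate CloudTrail configuration
from the responses of describe-trails, get-trail-status and get-event-selectors.
All sample data below is constructed; names and ARNs are placeholders."""


def _records_all_management_events(selectors):
    """True if a classic selector records management events with ReadWriteType All,
    or an advanced selector targets eventCategory = Management (its optional
    readOnly field is not inspected here)."""
    for s in selectors.get("EventSelectors", []):
        if s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All":
            return True
    for s in selectors.get("AdvancedEventSelectors", []):
        for f in s.get("FieldSelectors", []):
            if f.get("Field") == "eventCategory" and "Management" in f.get("Equals", []):
                return True
    return False


def review_trails(describe_trails, trail_status_by_name, selectors_by_name):
    """Return (trail name or 'account', issue) tuples for the checks in the list above.
    trail_status_by_name / selectors_by_name map a trail name to the JSON returned
    by get-trail-status / get-event-selectors for that trail."""
    findings = []
    trails = describe_trails.get("trailList", [])
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append(("account", "no multi-region trail"))
    for t in trails:
        name = t["Name"]
        if not t.get("IsMultiRegionTrail"):
            findings.append((name, "single-region trail"))
        if not t.get("LogFileValidationEnabled"):
            findings.append((name, "log file validation disabled"))
        if not t.get("KmsKeyId"):  # absent means SSE-S3 default, not SSE-KMS
            findings.append((name, "log files not encrypted with SSE-KMS"))
        if not t.get("CloudWatchLogsLogGroupArn"):
            findings.append((name, "no CloudWatch Logs delivery"))
        if not trail_status_by_name.get(name, {}).get("IsLogging"):
            findings.append((name, "trail is not logging"))
        if not _records_all_management_events(selectors_by_name.get(name, {})):
            findings.append((name, "management events (read and write) not fully recorded"))
    return findings


# Constructed sample responses: one well-configured trail, one neglected one.
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:cloudtrail:*"},
    {"Name": "legacy-trail", "S3BucketName": "old-logs", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False},
]}
SAMPLE_STATUS = {"org-trail": {"IsLogging": True}, "legacy-trail": {"IsLogging": False}}
SAMPLE_SELECTORS = {
    "org-trail": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]},
    "legacy-trail": {"EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": False, "DataResources": []}]},
}

if __name__ == "__main__":
    for finding in review_trails(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SELECTORS):
        print(*finding, sep=": ")
```

With the sample data, org-trail produces no findings and legacy-trail produces six; the account-level finding only appears when no trail at all is multi-region.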

3. S3 Buckets

# List all buckets
aws s3 ls --profile <profile>
 
# Per-bucket checks
aws s3api get-bucket-acl --bucket <BucketName> --profile <profile>
aws s3api get-bucket-policy --bucket <BucketName> --profile <profile>
aws s3api get-bucket-encryption --bucket <BucketName> --profile <profile>
aws s3api get-bucket-versioning --bucket <BucketName> --profile <profile>
aws s3api get-public-access-block --bucket <BucketName> --profile <profile>
 
# Check for publicly accessible buckets without credentials
aws s3 ls s3://<BucketName> --no-sign-request

What to look for:

  • Public access: "Effect": "Allow", "Principal": "*" in bucket policy or ACL
  • Missing encryption at rest
  • Versioning and MFA delete disabled on buckets containing sensitive data
  • Public access block not enabled at account level
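
The per-bucket commands above return five separate JSON documents; the Python below is an added example (not part of this checklist) that combines them into one list of issues per bucket: public ACL grants, bucket-policy statements with a wildcard principal, an incomplete public access block, versioning or MFA delete not enabled, and no default encryption rule. One detail worth knowing when post-processing: get-bucket-policy returns the policy as a JSON string inside the "Policy" field, so it has to be parsed a second time. Bucket names, ACL ids and responses are constructed placeholders.

```python
"""Added example, not the checklist's own code: merge get-bucket-acl, get-bucket-policy,
get-public-access-block, get-bucket-versioning and get-bucket-encryption output into
findings for one bucket. Sample responses below are constructed."""
import json

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _public_principal(principal):
    """Principal "*" or {"AWS": "*"} (alone or within a list) means anyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def review_bucket(name, acl, policy_response, public_access_block, versioning, encryption):
    """Return (bucket, issue) tuples. Pass None for policy_response / public_access_block /
    encryption when the CLI reported NoSuchBucketPolicy, NoSuchPublicAccessBlockConfiguration
    or ServerSideEncryptionConfigurationNotFoundError."""
    issues = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUP_URIS:
            issues.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUP_URIS[uri]}")
    if policy_response:
        policy = json.loads(policy_response["Policy"])  # the policy arrives as a JSON string
        for i, st in enumerate(_as_list(policy.get("Statement"))):
            if st.get("Effect") == "Allow" and _public_principal(st.get("Principal")):
                note = " (narrowed by a Condition, verify manually)" if st.get("Condition") else ""
                issues.append(f"policy statement {i} allows {', '.join(_as_list(st.get('Action')))} to Principal *{note}")
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration")
    if pab is None:
        issues.append("no public access block configured")
    else:
        off = [flag for flag in PAB_FLAGS if not pab.get(flag)]
        if off:
            issues.append("public access block incomplete: " + ", ".join(off))
    if (versioning or {}).get("Status") != "Enabled":  # {} when versioning was never set
        issues.append("versioning not enabled")
    if (versioning or {}).get("MFADelete") != "Enabled":
        issues.append("MFA delete not enabled")
    if not (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules"):
        issues.append("no default encryption rule")
    return [(name, issue) for issue in issues]


# Constructed sample responses.
OWNER = {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"}
SAMPLE_ACL_PRIVATE = {"Owner": {"ID": OWNER["ID"]},
                      "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAMPLE_ACL_PUBLIC = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY_PUBLIC = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-site/*"}]})}
SAMPLE_PAB_OFF = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}
SAMPLE_PAB_ON = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_VERSIONED = {"Status": "Enabled", "MFADelete": "Enabled"}

if __name__ == "__main__":
    for finding in review_bucket("example-public-site", SAMPLE_ACL_PUBLIC, SAMPLE_POLICY_PUBLIC,
                                 SAMPLE_PAB_OFF, {}, SAMPLE_ENCRYPTION):
        print(*finding, sep=": ")
```

The public sample bucket yields five issues and the private one none; `aws s3 ls s3://<BucketName> --no-sign-request` remains the empirical confirmation of whatever this flags.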

4. EC2 & Compute

# EC2 instances
aws ec2 describe-instances --profile <profile>
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,PublicIpAddress,Tags]' --profile <profile>
 
# Security groups
aws ec2 describe-security-groups --profile <profile>
 
# Key pairs
aws ec2 describe-key-pairs --profile <profile>
 
# Public AMIs owned by the account
aws ec2 describe-images --owners self --profile <profile>
 
# Public snapshots
aws ec2 describe-snapshots --owner-ids self --profile <profile>
 
# Lambda functions
aws lambda list-functions --profile <profile>
aws lambda get-function-configuration --function-name <FunctionName> --profile <profile>
# Check environment variables for secrets
aws lambda get-function-configuration --function-name <FunctionName> \
  --query 'Environment.Variables' --profile <profile>
 
# RDS
aws rds describe-db-instances --profile <profile>
aws rds describe-db-snapshots --profile <profile>
 
# EKS clusters
aws eks list-clusters --profile <profile>
aws eks describe-cluster --name <ClusterName> --region <region> --profile <profile>

What to look for:

  • Security groups allowing 0.0.0.0/0 on SSH (22), RDP (3389), or sensitive admin ports
  • EC2 instances with public IPs and no specific security group restrictions
  • Lambda functions with plaintext secrets in environment variables
  • Lambda execution roles with overly broad permissions
  • RDS instances with PubliclyAccessible: true
  • Public EBS snapshots
  • EKS clusters with a public API server endpoint and no source CIDR restriction on it
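
Three of the items above are easy to score from CLI JSON. The Python below is an added example, not part of this checklist: it walks describe-security-groups output and reports admin ports reachable from 0.0.0.0/0 or ::/0 (handling "-1" all-protocol rules and port ranges that happen to include a sensitive port), lists RDS instances with PubliclyAccessible set, and checks whether an EKS cluster's public endpoint accepts any source CIDR. The group, instance and cluster ids and the responses are constructed; ADMIN_PORTS is this example's own choice (SSH, RDP, WinRM) and should be extended to whatever the environment treats as administrative.

```python
"""Added example, not the checklist's own code: world-open admin ports in security
groups, publicly accessible RDS instances and unrestricted EKS public endpoints.
Sample responses below are constructed."""

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}  # example's choice
WORLD_CIDRS = ("0.0.0.0/0", "::/0")


def _world_sources(rule):
    """CIDR sources of one IpPermissions rule that mean 'anyone', IPv4 and IPv6."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def _ports_covered(rule, ports):
    """Labels for the watched ports a rule covers. IpProtocol "-1" means every
    protocol and port; tcp/udp rules carry a FromPort..ToPort range."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return ["all ports"]
    if proto not in ("tcp", "udp"):
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [f"{name}/{port}" for port, name in sorted(ports.items()) if lo <= port <= hi]


def open_admin_ports(describe_security_groups, ports=ADMIN_PORTS):
    """Return (GroupId, port label, source CIDR) for every world-open watched port."""
    findings = []
    for sg in describe_security_groups.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            sources = _world_sources(rule)
            if not sources:
                continue
            for label in _ports_covered(rule, ports):
                for cidr in sources:
                    findings.append((sg["GroupId"], label, cidr))
    return findings


def public_rds_instances(describe_db_instances):
    """DB identifiers with PubliclyAccessible: true."""
    return [db["DBInstanceIdentifier"] for db in describe_db_instances.get("DBInstances", [])
            if db.get("PubliclyAccessible")]


def eks_endpoint_open_to_world(describe_cluster):
    """True when the API endpoint is public and publicAccessCidrs allows 0.0.0.0/0."""
    vpc = describe_cluster.get("cluster", {}).get("resourcesVpcConfig", {})
    return bool(vpc.get("endpointPublicAccess")) and "0.0.0.0/0" in vpc.get("publicAccessCidrs", [])


# Constructed sample responses.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-rdp-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-db", "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "analytics-db", "PubliclyAccessible": True}]}
SAMPLE_EKS = {"cluster": {"name": "example-cluster", "resourcesVpcConfig": {
    "endpointPublicAccess": True, "endpointPrivateAccess": False, "publicAccessCidrs": ["0.0.0.0/0"]}}}

if __name__ == "__main__":
    for finding in open_admin_ports(SAMPLE_SGS):
        print("security group:", *finding)
    print("public RDS:", public_rds_instances(SAMPLE_RDS))
    print("EKS endpoint open to world:", eks_endpoint_open_to_world(SAMPLE_EKS))
```

The sample returns four security-group findings: SSH on sg-bastion from both IPv4 and IPv6 anywhere, all ports on sg-legacy, and RDP on sg-rdp-range whose 3000-4000 range covers 3389; sg-web's HTTPS rule and its SSH rule restricted to 10.0.0.0/8 are not reported.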

5. VPC & Networking

# VPCs and subnets
aws ec2 describe-vpcs --profile <profile>
aws ec2 describe-subnets --profile <profile>
 
# Route tables and internet gateways
aws ec2 describe-route-tables --profile <profile>
aws ec2 describe-internet-gateways --profile <profile>
 
# NACLs and security groups
aws ec2 describe-network-acls --profile <profile>
 
# VPC peering and endpoints
aws ec2 describe-vpc-peering-connections --profile <profile>
aws ec2 describe-vpc-endpoints --profile <profile>
 
# VPC Flow Logs enabled?
aws ec2 describe-flow-logs --profile <profile>

What to look for:

  • Internet gateways attached to subnets containing sensitive resources
  • Overly permissive NACLs (0.0.0.0/0 ALLOW on inbound)
  • VPC peering connections — scope and whether traffic is appropriately restricted
  • VPC Flow Logs not enabled (limits forensic capability)
  • Unintended VPC endpoints exposing internal services
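
Whether a subnet is actually internet-facing is not visible from describe-subnets alone: it depends on the route table the subnet resolves to (an explicit association, otherwise the VPC's main table) and on whether that table has a default route to an internet gateway. The Python below is an added example, not part of this checklist, that performs that resolution over describe-route-tables and describe-subnets output, and separately lists VPCs with no active VPC-level flow log from describe-vpcs and describe-flow-logs. VPC, subnet, gateway and route-table ids and the responses are constructed.

```python
"""Added example, not the checklist's own code: resolve each subnet to its effective
route table and report those with a default route to an internet gateway; list VPCs
without an ACTIVE flow log. Sample responses below are constructed."""


def _routes_to_internet(route_table):
    """True if the table has an active 0.0.0.0/0 or ::/0 route via an igw-. NAT gateways
    (NatGatewayId) and egress-only gateways (eigw-) do not make a subnet public."""
    for r in route_table.get("Routes", []):
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if (dest in ("0.0.0.0/0", "::/0")
                and r.get("GatewayId", "").startswith("igw-")
                and r.get("State", "active") == "active"):
            return True
    return False


def public_subnets(describe_route_tables, describe_subnets):
    """Return sorted (SubnetId, RouteTableId, MapPublicIpOnLaunch) for public subnets.
    Subnets with no explicit association use the VPC's main route table."""
    tables = {t["RouteTableId"]: t for t in describe_route_tables.get("RouteTables", [])}
    explicit, main_for_vpc = {}, {}
    for t in tables.values():
        for assoc in t.get("Associations", []):
            if assoc.get("Main"):
                main_for_vpc[t["VpcId"]] = t["RouteTableId"]
            elif assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = t["RouteTableId"]
    result = []
    for s in describe_subnets.get("Subnets", []):
        rtb_id = explicit.get(s["SubnetId"], main_for_vpc.get(s["VpcId"]))
        if rtb_id and _routes_to_internet(tables[rtb_id]):
            result.append((s["SubnetId"], rtb_id, bool(s.get("MapPublicIpOnLaunch"))))
    return sorted(result)


def vpcs_without_flow_logs(describe_vpcs, describe_flow_logs):
    """VPC ids lacking an ACTIVE VPC-level flow log (subnet/ENI-level logs are not counted)."""
    logged = {fl["ResourceId"] for fl in describe_flow_logs.get("FlowLogs", [])
              if fl.get("FlowLogStatus") == "ACTIVE" and fl["ResourceId"].startswith("vpc-")}
    return sorted(v["VpcId"] for v in describe_vpcs.get("Vpcs", []) if v["VpcId"] not in logged)


# Constructed sample responses: one VPC with a public, a private and an unassociated subnet.
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0a",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
     "Associations": [{"Main": True, "RouteTableId": "rtb-main"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0a",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a", "State": "active"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-pub", "RouteTableId": "rtb-public"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-0a",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a", "State": "active"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-priv", "RouteTableId": "rtb-private"}]},
]}
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-pub", "VpcId": "vpc-0a", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv", "VpcId": "vpc-0a", "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-orphan", "VpcId": "vpc-0a", "CidrBlock": "10.0.3.0/24", "MapPublicIpOnLaunch": False},
]}
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0a"}, {"VpcId": "vpc-0b"}]}
SAMPLE_FLOW_LOGS = {"FlowLogs": [
    {"FlowLogId": "fl-0b", "ResourceId": "vpc-0b", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"}]}

if __name__ == "__main__":
    print("public subnets:", public_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS))
    print("VPCs without flow logs:", vpcs_without_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS))
```

Only subnet-pub is reported: subnet-priv routes its default traffic through a NAT gateway, and subnet-orphan inherits the main table, which has no default route at all.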

6. Secrets & Sensitive Data

# Secrets Manager
aws secretsmanager list-secrets --profile <profile>
aws secretsmanager describe-secret --secret-id <SecretId> --profile <profile>
 
# SSM Parameter Store
aws ssm describe-parameters --profile <profile>
aws ssm get-parameter --name <ParameterName> --with-decryption --profile <profile>
 
# KMS keys
aws kms list-keys --profile <profile>
aws kms describe-key --key-id <KeyId> --profile <profile>
aws kms list-key-policies --key-id <KeyId> --profile <profile>
# Note: list-key-policies returns policy names only (normally just "default"); review the policy document itself via get-key-policy --policy-name default
 
# Lambda environment variables (see EC2 & Compute section)

What to look for:

  • Secrets accessible to overly broad IAM roles
  • Plaintext secrets in SSM Parameter Store (should be SecureString type)
  • KMS key policies granting access to * or external accounts
  • Automatic rotation not enabled on Secrets Manager entries
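
Two of the items above can be triaged from list output alone, before any get-parameter --with-decryption call. The Python below is an added example, not part of this checklist: it scans describe-parameters output for parameters whose names suggest a secret but whose Type is not SecureString, and scans list-secrets output for entries with rotation disabled or whose last rotation (falling back to the last change) is older than a threshold. The name hints, the 90-day threshold, the fixed reference date and the sample responses are this example's own constructions.

```python
"""Added example, not the checklist's own code: secret-looking SSM parameters stored
as plain String, and Secrets Manager entries without (recent) rotation.
Sample responses below are constructed."""
from datetime import datetime, timedelta, timezone

# Substrings that suggest a parameter holds a secret (example's own list).
SECRET_NAME_HINTS = ("password", "passwd", "secret", "token", "apikey", "api_key",
                     "api-key", "credential", "private")


def looks_like_secret(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SECRET_NAME_HINTS)


def plaintext_secret_parameters(describe_parameters):
    """Names whose Type is String/StringList although the name suggests a secret."""
    return sorted(p["Name"] for p in describe_parameters.get("Parameters", [])
                  if p.get("Type") != "SecureString" and looks_like_secret(p["Name"]))


def _to_datetime(value):
    """CLI JSON carries ISO 8601 strings; boto3 carries datetime objects. Accept both."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_secrets(list_secrets, now=None, max_age_days=90):
    """(secret name, issue) for entries with RotationEnabled unset/false (the field is
    omitted when rotation is off) or whose last rotation/change exceeds max_age_days."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for s in list_secrets.get("SecretList", []):
        if not s.get("RotationEnabled"):
            findings.append((s["Name"], "automatic rotation not enabled"))
        last = _to_datetime(s.get("LastRotatedDate") or s.get("LastChangedDate"))
        if last is not None and now - last > timedelta(days=max_age_days):
            findings.append((s["Name"], f"not rotated or changed in {max_age_days} days"))
    return findings


# Constructed sample responses and a fixed reference date so the output is reproducible.
SAMPLE_PARAMETERS = {"Parameters": [
    {"Name": "/prod/db/host", "Type": "String"},
    {"Name": "/prod/db/password", "Type": "String"},
    {"Name": "/prod/api/token", "Type": "SecureString"},
]}
SAMPLE_SECRETS = {"SecretList": [
    {"Name": "prod/db/master", "RotationEnabled": True, "LastRotatedDate": "2025-05-20T00:00:00+00:00"},
    {"Name": "legacy/api-token", "LastChangedDate": "2023-11-02T00:00:00+00:00"},
]}
AS_OF = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("plaintext secret parameters:", plaintext_secret_parameters(SAMPLE_PARAMETERS))
    for finding in stale_secrets(SAMPLE_SECRETS, now=AS_OF):
        print("secret:", *finding)
```

Name-based detection only finds badly named plaintext secrets; a parameter called /prod/db/config holding a connection string with an embedded password will still need the value inspected.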

7. IAM Identity Center (SSO)

# List SSO instances
aws sso-admin list-instances --profile <profile>
 
# List permission sets
aws sso-admin list-permission-sets --instance-arn <InstanceArn> --profile <profile>
 
# List accounts and assignments
aws sso-admin list-accounts-for-provisioned-permission-set \
  --instance-arn <InstanceArn> \
  --permission-set-arn <PermissionSetArn> \
  --profile <profile>

What to look for:

  • Overly permissive permission sets (admin access assigned broadly)
  • MFA not enforced in the SSO configuration
  • External identity provider (IdP) configuration weaknesses

8. Automated Tools

See Cloud Audit Tools for ScoutSuite, Prowler, CloudFox, and Pacu setup and usage.

Recommended workflow for a standard AWS audit:

  1. Prowler — full CIS benchmark run, export CSV/HTML for the report
  2. ScoutSuite — visual inventory overview, catch misconfigs Prowler may miss
  3. CloudFox — follow up on any IAM/role findings to identify privilege escalation paths

9. Reporting & Output

# Export CLI output as JSON for post-processing
aws <service> <command> --output json --profile <profile> > results.json
 
# Filter with jq
jq '.Users[] | {UserName, Arn}' results.json
jq '.Reservations[].Instances[] | {InstanceId, PublicIpAddress}' ec2.json