AWS CLI#

The AWS Command Line Interface is the operator’s unified tool for driving AWS services from the terminal. It maps every console action to a scriptable command, useful for both administration and offensive recon.

$ aws [options] <command> <subcommand> [parameters]
$ aws help                              # available top-level commands
$ aws ec2 help                          # available EC2 commands
$ aws ec2 describe-instances help       # detailed help

Cloudtrail, logging audit#

$ aws cloudtrail describe-trails                              # list trails
$ aws s3 ls                                                   # list S3 buckets
$ aws cloudtrail create-subscription --name awslog --s3-new-bucket awslog2020
$ aws cloudtrail describe-trails --output text | cut -f 8
$ aws cloudtrail get-trail-status --name awslog
$ aws cloudtrail delete-trail --name awslog
$ aws s3 rb s3://awslog2020 --force
$ aws cloudtrail add-tags --resource-id awslog --tags-list "Key=log-type,Value=all"
$ aws cloudtrail list-tags --resource-id-list
$ aws cloudtrail remove-tags --resource-id awslog --tags-list "Key=log-type,Value=all"

IAM users#

Limits, 5000 users, 100 groups, 250 roles, 2 access keys per user.

$ aws iam list-users                                # all users
$ aws iam list-users --output text | cut -f 6       # usernames only
$ aws iam get-user                                  # current user info
$ aws iam list-access-keys                          # current user keys
$ aws iam create-user --user-name aws-admin2        # new user
$ aws iam list-users --no-paginate                  # all users (no paging)
$ aws iam get-user --user-name aws-admin2           # one user's info
$ aws iam delete-user --user-name aws-admin2        # delete user

Create multiple users from a file.

allUsers=$(cat ./user-names.txt)
for userName in $allUsers; do
    aws iam create-user --user-name $userName
done

IAM passwords#

$ aws iam get-account-password-policy
$ aws iam update-account-password-policy \
      --minimum-password-length 12 \
      --require-symbols \
      --require-numbers \
      --require-uppercase-characters \
      --require-lowercase-characters \
      --allow-users-to-change-password
$ aws iam delete-account-password-policy

IAM access keys#

$ aws iam list-access-keys
$ aws iam list-access-keys --user-name aws-admin2
$ aws iam create-access-key --user-name aws-admin2 --output text | tee aws-admin2.txt
$ aws iam get-access-key-last-used --access-key-id AKIAINA6AJZY4EXAMPLE
$ aws iam update-access-key --access-key-id AKIAI44QH8DHBEXAMPLE --status Inactive --user-name aws-admin2
$ aws iam delete-access-key --access-key-id AKIAI44QH8DHBEXAMPLE --user-name aws-admin2

IAM groups, policies, and roles#

$ aws iam list-groups
$ aws iam create-group --group-name FullAdmins
$ aws iam delete-group --group-name FullAdmins
$ aws iam list-policies
$ aws iam get-policy --policy-arn <value>
$ aws iam list-entities-for-policy --policy-arn <value>
$ aws iam list-attached-group-policies --group-name FullAdmins
$ aws iam attach-group-policy --group-name FullAdmins --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
$ aws iam add-user-to-group --group-name FullAdmins --user-name aws-admin2
$ aws iam get-group --group-name FullAdmins
$ aws iam list-groups-for-user --user-name aws-admin2
$ aws iam remove-user-from-group --group-name FullAdmins --user-name aws-admin2
$ aws iam detach-group-policy --group-name FullAdmins --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

S3 buckets#

$ aws s3 ls
$ aws s3api create-bucket --acl "public-read-write" --bucket bucket_name
$ aws s3 ls | grep bucket_name

# check for public-facing s3 buckets
$ aws s3api list-buckets --query 'Buckets[*].[Name]' --output text | \
    xargs -I {} bash -c 'if [[ $(aws s3api get-bucket-acl --bucket {} \
    --query "Grants[?Grantee.URI==\`http://acs.amazonaws.com/groups/global/AllUsers\` \
    && Permission==\`READ\`]" --output text) ]]; then echo {}; fi'

EC2 keypairs#

$ aws ec2 describe-key-pairs
$ aws ec2 create-key-pair --key-name <value> --output text
$ ssh-keygen -t rsa -b 4096
$ aws ec2 import-key-pair --key-name keyname_test --public-key-material file:///home/user/id_rsa.pub
$ aws ec2 delete-key-pair --key-name <value>

Security groups#

$ aws ec2 describe-security-groups
$ aws ec2 create-security-group --vpc-id vpc-1a2b3c4d --group-name web-access --description "web access"
$ aws ec2 describe-security-groups --group-id sg-0000000
$ aws ec2 authorize-security-group-ingress --group-id sg-0000000 --protocol tcp --port 80 --cidr 0.0.0.0/24
$ aws ec2 authorize-security-group-ingress --group-id sg-0000000 --protocol tcp --port 80 --cidr <my_ip>/32
$ aws ec2 revoke-security-group-ingress --group-id sg-0000000 --protocol tcp --port 80 --cidr 0.0.0.0/24
$ aws ec2 delete-security-group --group-id sg-00000000

Images#

$ aws ec2 describe-images --filter "Name=is-public,Values=false" \
    --query 'Images[].[ImageId, Name]' --output text | sort -k2
$ aws ec2 deregister-image --image-id ami-00000000

Instances#

$ aws ec2 describe-instances
$ aws ec2 describe-instances --filters Name=instance-state-name,Values=running
$ aws ec2 run-instances --image-id ami-f0e7d19a --instance-type t2.micro \
    --security-group-ids sg-00000000 --dry-run
$ aws ec2 terminate-instances --instance-ids <instance_id>
$ aws ec2 describe-instance-status
$ aws ec2 describe-instance-status --instance-ids <instance_id>
$ aws ec2 describe-tags
$ aws ec2 create-tags --resources "ami-1a2b3c4d" --tags Key=name,Value=debian
$ aws ec2 delete-tags --resources "ami-1a2b3c4d" --tags Key=Name,Value=

CloudWatch#

$ aws logs create-log-group --log-group-name "DefaultGroup"
$ aws logs describe-log-groups
$ aws logs describe-log-groups --log-group-name-prefix "Default"
$ aws logs delete-log-group --log-group-name "DefaultGroup"
$ aws logs create-log-stream --log-group-name "DefaultGroup" --log-stream-name "syslog"
$ aws logs describe-log-streams --log-group-name "syslog"
$ aws logs describe-log-streams --log-stream-name-prefix "syslog"
$ aws logs delete-log-stream --log-group-name "DefaultGroup" --log-stream-name "Default Stream"

Lambda#

$ aws lambda get-function-configuration --function-name <NAME> --profile <PROFILE>

SNS#

$ aws sns list-topics --profile <PROFILE>
$ aws sns get-topic-attributes --topic-arn "arn:aws:sns:us-east-1:945109781822:<suffix>" --profile <PROFILE>
$ aws sns list-subscriptions --profile <PROFILE>
$ aws sns get-subscription-attributes --subscription-arn "arn:aws:sns:us-east-1:945109781822:<custom>" --profile <PROFILE>

RDS#

$ aws rds describe-db-security-groups --db-security-group-name <SG> --profile <PROFILE>
$ aws rds describe-db-instances --db-instance-identifier <DB_ID> --profile <PROFILE>

References#