AWS CLI#
The AWS Command Line Interface is the operator’s unified tool for driving AWS services from the terminal. It maps every console action to a scriptable command, useful for both administration and offensive recon.
$ aws [options] <command> <subcommand> [parameters]
$ aws help # available top-level commands
$ aws ec2 help # available EC2 commands
$ aws ec2 describe-instances help # detailed help
Cloudtrail, logging audit#
$ aws cloudtrail describe-trails # list trails
$ aws s3 ls # list S3 buckets
$ aws cloudtrail create-subscription --name awslog --s3-new-bucket awslog2020
$ aws cloudtrail describe-trails --output text | cut -f 8
$ aws cloudtrail get-trail-status --name awslog
$ aws cloudtrail delete-trail --name awslog
$ aws s3 rb s3://awslog2020 --force
$ aws cloudtrail add-tags --resource-id awslog --tags-list "Key=log-type,Value=all"
$ aws cloudtrail list-tags --resource-id-list
$ aws cloudtrail remove-tags --resource-id awslog --tags-list "Key=log-type,Value=all"
IAM users#
Limits, 5000 users, 100 groups, 250 roles, 2 access keys per user.
$ aws iam list-users # all users
$ aws iam list-users --output text | cut -f 6 # usernames only
$ aws iam get-user # current user info
$ aws iam list-access-keys # current user keys
$ aws iam create-user --user-name aws-admin2 # new user
$ aws iam list-users --no-paginate # all users (no paging)
$ aws iam get-user --user-name aws-admin2 # one user's info
$ aws iam delete-user --user-name aws-admin2 # delete user
Create multiple users from a file.
allUsers=$(cat ./user-names.txt)
for userName in $allUsers; do
aws iam create-user --user-name $userName
done
IAM passwords#
$ aws iam get-account-password-policy
$ aws iam update-account-password-policy \
--minimum-password-length 12 \
--require-symbols \
--require-numbers \
--require-uppercase-characters \
--require-lowercase-characters \
--allow-users-to-change-password
$ aws iam delete-account-password-policy
IAM access keys#
$ aws iam list-access-keys
$ aws iam list-access-keys --user-name aws-admin2
$ aws iam create-access-key --user-name aws-admin2 --output text | tee aws-admin2.txt
$ aws iam get-access-key-last-used --access-key-id AKIAINA6AJZY4EXAMPLE
$ aws iam update-access-key --access-key-id AKIAI44QH8DHBEXAMPLE --status Inactive --user-name aws-admin2
$ aws iam delete-access-key --access-key-id AKIAI44QH8DHBEXAMPLE --user-name aws-admin2
IAM groups, policies, and roles#
$ aws iam list-groups
$ aws iam create-group --group-name FullAdmins
$ aws iam delete-group --group-name FullAdmins
$ aws iam list-policies
$ aws iam get-policy --policy-arn <value>
$ aws iam list-entities-for-policy --policy-arn <value>
$ aws iam list-attached-group-policies --group-name FullAdmins
$ aws iam attach-group-policy --group-name FullAdmins --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
$ aws iam add-user-to-group --group-name FullAdmins --user-name aws-admin2
$ aws iam get-group --group-name FullAdmins
$ aws iam list-groups-for-user --user-name aws-admin2
$ aws iam remove-user-from-group --group-name FullAdmins --user-name aws-admin2
$ aws iam detach-group-policy --group-name FullAdmins --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
S3 buckets#
$ aws s3 ls
$ aws s3api create-bucket --acl "public-read-write" --bucket bucket_name
$ aws s3 ls | grep bucket_name
# check for public-facing s3 buckets
$ aws s3api list-buckets --query 'Buckets[*].[Name]' --output text | \
xargs -I {} bash -c 'if [[ $(aws s3api get-bucket-acl --bucket {} \
--query "Grants[?Grantee.URI==\`http://acs.amazonaws.com/groups/global/AllUsers\` \
&& Permission==\`READ\`]" --output text) ]]; then echo {}; fi'
EC2 keypairs#
$ aws ec2 describe-key-pairs
$ aws ec2 create-key-pair --key-name <value> --output text
$ ssh-keygen -t rsa -b 4096
$ aws ec2 import-key-pair --key-name keyname_test --public-key-material file:///home/user/id_rsa.pub
$ aws ec2 delete-key-pair --key-name <value>
Security groups#
$ aws ec2 describe-security-groups
$ aws ec2 create-security-group --vpc-id vpc-1a2b3c4d --group-name web-access --description "web access"
$ aws ec2 describe-security-groups --group-id sg-0000000
$ aws ec2 authorize-security-group-ingress --group-id sg-0000000 --protocol tcp --port 80 --cidr 0.0.0.0/24
$ aws ec2 authorize-security-group-ingress --group-id sg-0000000 --protocol tcp --port 80 --cidr <my_ip>/32
$ aws ec2 revoke-security-group-ingress --group-id sg-0000000 --protocol tcp --port 80 --cidr 0.0.0.0/24
$ aws ec2 delete-security-group --group-id sg-00000000
Images#
$ aws ec2 describe-images --filter "Name=is-public,Values=false" \
--query 'Images[].[ImageId, Name]' --output text | sort -k2
$ aws ec2 deregister-image --image-id ami-00000000
Instances#
$ aws ec2 describe-instances
$ aws ec2 describe-instances --filters Name=instance-state-name,Values=running
$ aws ec2 run-instances --image-id ami-f0e7d19a --instance-type t2.micro \
--security-group-ids sg-00000000 --dry-run
$ aws ec2 terminate-instances --instance-ids <instance_id>
$ aws ec2 describe-instance-status
$ aws ec2 describe-instance-status --instance-ids <instance_id>
$ aws ec2 describe-tags
$ aws ec2 create-tags --resources "ami-1a2b3c4d" --tags Key=name,Value=debian
$ aws ec2 delete-tags --resources "ami-1a2b3c4d" --tags Key=Name,Value=
CloudWatch#
$ aws logs create-log-group --log-group-name "DefaultGroup"
$ aws logs describe-log-groups
$ aws logs describe-log-groups --log-group-name-prefix "Default"
$ aws logs delete-log-group --log-group-name "DefaultGroup"
$ aws logs create-log-stream --log-group-name "DefaultGroup" --log-stream-name "syslog"
$ aws logs describe-log-streams --log-group-name "syslog"
$ aws logs describe-log-streams --log-stream-name-prefix "syslog"
$ aws logs delete-log-stream --log-group-name "DefaultGroup" --log-stream-name "Default Stream"
Lambda#
$ aws lambda get-function-configuration --function-name <NAME> --profile <PROFILE>
SNS#
$ aws sns list-topics --profile <PROFILE>
$ aws sns get-topic-attributes --topic-arn "arn:aws:sns:us-east-1:945109781822:<suffix>" --profile <PROFILE>
$ aws sns list-subscriptions --profile <PROFILE>
$ aws sns get-subscription-attributes --subscription-arn "arn:aws:sns:us-east-1:945109781822:<custom>" --profile <PROFILE>
RDS#
$ aws rds describe-db-security-groups --db-security-group-name <SG> --profile <PROFILE>
$ aws rds describe-db-instances --db-instance-identifier <DB_ID> --profile <PROFILE>