How to create an AWS account

To query an S3 bucket that has misconfigured permissions, for example one that grants access to any authenticated user, we need to create a user in AWS (this is free).

  1. Create a free account on Amazon (check out the resources below for help on this step)

  2. Head to the IAM console

  3. Go to "users" > "Add users" and follow the whole process. It should be pretty straightforward; refer to this documentation in case you hesitate about something.

  4. Make sure you keep all the information about your user in your password manager; you will need it for awscli.

  5. In order for your user to be able to query other buckets, you will need to give it permissions. You can do this by adding it to a group. Go to your user:

  • Click on the tab "Groups"

  • Click on "add a user to groups"

  • Click on "create a group", create one and give it a name. It is really helpful to use the premade permissions policies (I chose the one called AdministratorAccess)

  • Name your group, add your user to it, and you should be good to go!

Create an EC2 instance

If you stumble on a snapshot during a pentest, you will need to create an EC2 instance in order to access it.

This part is taken from executeatwill's walkthrough of You can read it here

Ensure under AWS IAM that the AdministratorAccess permission is added to your user

Launch a new EC2 instance in the region of the snapshot you found

Select “Free Tier”

Here under network I recommend that you authorize SSH traffic only from your IP range (if you choose it will authorize anyone on the internet).

Add Storage of snapshot created: snapshot storage name: same name as the snapshot you found.

  • Now you just need to ssh to your new instance and mount the drive where you put the snapshot you found.

Once you're done, I recommend that you delete the snapshot

Connect to a bucket

  • If we found a key or buckets during enumeration, we need to check them and see if we can connect to them.

  • sudo apt install awscli (install the AWS CLI)

  • aws configure --profile profilename (create a profile with the configs of the user we created)

  • aws configure list (check your current configuration)

  • aws configure list --profile profilename (check the config of a specific profile)

  • aws s3 ls s3://target --profile profilename (list the content of a bucket)

  • aws s3 ls s3://target --no-sign-request --region us-west-2

Example with the CTF made available by flAWS

  • aws s3 --profile profilename cp s3://bucket/file . (copy a file from a bucket to our local directory)

  • aws s3 sync s3://bucket/folder --profile profile . (copy a full folder to our local directory)

  • If you find a private key (Access_key and secret_access_key), you can configure it in a new profile with the command aws configure --profile profilename

  • Then, you just need to run aws --profile profilename s3 ls to list its S3 buckets.
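
The misconfiguration this page relies on, a bucket that grants access to any authenticated user (or to unsigned requests, as with --no-sign-request), can be confirmed from the bucket owner's side by reading the bucket ACL. The script below is an added example, not part of the original notes: it flags grants to the two predefined S3 groups in JSON shaped like the output of aws s3api get-bucket-acl. The function name audit_acl and the sample ACL are constructed for illustration.

```python
import json

# Predefined S3 grantee groups (real AWS URIs) that reach beyond your own account.
RISKY_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers":
        "anyone, including unsigned requests",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "any authenticated AWS user, from any account",
}

# What each bucket-level ACL permission allows the grantee to do.
IMPACT = {
    "READ": "list the objects in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "all of READ, WRITE, READ_ACP and WRITE_ACP",
}

def audit_acl(acl):
    """Return one finding per grant made to a risky predefined group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in RISKY_GROUPS:
            continue  # grants to a specific account (CanonicalUser) are not flagged
        perm = grant.get("Permission", "")
        findings.append({
            "group": uri.rsplit("/", 1)[-1],
            "who": RISKY_GROUPS[uri],
            "permission": perm,
            "impact": IMPACT.get(perm, "unrecognised permission"),
        })
    return findings

# Constructed sample in the shape of `aws s3api get-bucket-acl` output.
SAMPLE_ACL = json.loads("""
{"Owner": {"ID": "constructed-owner-id"},
 "Grants": [
  {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"},
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ_ACP"}
 ]}
""")

if __name__ == "__main__":
    for f in audit_acl(SAMPLE_ACL):
        print(f"{f['group']} ({f['who']}) has {f['permission']}: can {f['impact']}")
```

Any finding for AuthenticatedUsers means the bucket answers to every AWS account, which is why a freshly created free-tier user is enough to list it.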


AWS documentation

Learning resources

General AWS resources

AWS Pentest

Vulnerable labs to practice on


Create your lab


AWS Security
