Phase Steps
  1. Obtain complete inventory (see "Enum" section in Resources page)
  2. Further resource enumeration (pacu)
  3. Get count of resources in the AWS environment, across all regions (resource_counter - Counts number of resources in categories across regions)
  4. Obtain Public IPs
    • obtain list of all regions used from pacu (alldata)
    • loop through the regions with aws_public_ips (Fetch all public IP addresses tied to your AWS account)
Obtain overall overview of the security posture
  1. Evaluate the AWS account against CIS (aws-security-benchmark)
  2. Check for misconfigurations and security risks (cloudsploit)
  3. Audit the security posture of the AWS infrastructure (cs-suite)
Manually review the services, especially:
  1. Identity (IAM, KMS)
  2. Computing (EC2, Lambda)
  3. Storage (S3, EBS)
  4. DB (ElastiCache, RDS)
  5. Networking (ELB, Security Groups, CloudFront)
    • Verify the public CloudFronts are not susceptible to subdomain hijacking (
  6. Management (CloudWatch, CloudTrail, Config)
  7. Messaging (SNS, SQS)
Additional Items
  1. Run portscan on public IPs
  2. OS hardening (lynis)
  3. Check for credentials
    • UserData: ReadOnlyAccess gives access to the DescribeInstanceAttribute API, which can be used to download the UserData for the instance
    • Lambda code: aws lambda get-function --function-name FUNCTION_NAME --query Code.Location
    • VPN: the DescribeVpnConnections call returns an XML document in CustomerGatewayConfiguration that contains the on-prem VPN IP address and shared secrets
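
An audit helper for the UserData and VPN items above, added here as an example and not part of the original checklist: it decodes the base64 UserData value returned by DescribeInstanceAttribute and flags lines that look like secrets, and it lists VPN tunnels whose CustomerGatewayConfiguration embeds a pre-shared key. The function names, regex patterns, sample data and the XML element layout are assumptions made for this example.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Illustrative patterns for secrets left in UserData (assumed, not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|secret|token)\w*\s*[=:]\s*\S+"),
}

def scan_user_data(b64_user_data):
    """Decode base64 UserData and return (line_number, pattern_name) findings."""
    text = base64.b64decode(b64_user_data).decode("utf-8", errors="replace")
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, name))  # report location, not the value
    return findings

def vpn_tunnels_with_psk(customer_gateway_configuration):
    """Return tunnel outside addresses whose config carries a pre-shared key."""
    root = ET.fromstring(customer_gateway_configuration)
    exposed = []
    for tunnel in root.iter("ipsec_tunnel"):
        psk = tunnel.findtext("ike/pre_shared_key")
        addr = tunnel.findtext("customer_gateway/tunnel_outside_address/ip_address")
        if psk:
            exposed.append(addr)  # never echo the key itself into a report
    return exposed

# Constructed sample inputs (not from a real account).
SAMPLE_USER_DATA = base64.b64encode(
    b"#!/bin/bash\n"
    b"export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    b"DB_PASSWORD=constructed-value\n"
    b"yum -y update\n"
)
SAMPLE_VPN_XML = """<vpn_connection id="vpn-EXAMPLE">
  <ipsec_tunnel>
    <customer_gateway><tunnel_outside_address>
      <ip_address>203.0.113.10</ip_address>
    </tunnel_outside_address></customer_gateway>
    <ike><pre_shared_key>CONSTRUCTED-PLACEHOLDER</pre_shared_key></ike>
  </ipsec_tunnel>
</vpn_connection>"""

if __name__ == "__main__":
    print(scan_user_data(SAMPLE_USER_DATA))
    print(vpn_tunnels_with_psk(SAMPLE_VPN_XML))
```

Any finding means the secret is readable by every principal holding ReadOnlyAccess, so move it to a secrets store and rotate it.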