AWS Pentesting Cheat Sheet (EC2)

Reference

1. List EC2 Instances

Shows instance IDs, public and private IPs, AMI IDs, key-pair names, attached IAM instance profiles, subnets and security groups. The EC2 API is regional, so run this once per region; an instance in a region you did not query is simply invisible.

aws ec2 describe-instances --region [region]

Use a JMESPath --query for cleaner output (add --output table for a readable grid):

aws ec2 describe-instances --query "Reservations[*].Instances[*].[InstanceId,PublicIpAddress,State.Name,KeyName,IamInstanceProfile.Arn]"

2. Get Detailed Info on a Specific Instance

aws ec2 describe-instances --instance-ids [i-xxxxxxxxxxxxxxx]

3. Identify IAM Role Attached to the Instance

aws ec2 describe-instances --query "Reservations[*].Instances[*].IamInstanceProfile.Arn"

The ARN names an instance profile, not the role itself. The profile name is the last path segment of the ARN (for arn:aws:iam::123456789012:instance-profile/ci/deploy-runner it is deploy-runner; the /ci/ part is an IAM path). Look up the profile to get the role it carries, then enumerate that role's attached and inline policies:

aws iam get-instance-profile --instance-profile-name [name]

From inside the instance the same role is exposed through the instance metadata service (169.254.169.254, under meta-data/iam/security-credentials/), which is how a shell on the box turns into AWS API credentials.
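Steps 1 to 3 are usually run together, so the following added script (written for this page, not part of the original post) consumes the JSON that aws ec2 describe-instances --output json prints, flattens the Reservations/Instances nesting, and turns each instance-profile ARN into the bare name that aws iam get-instance-profile expects. The instance data is a constructed sample in the CLI's shape (the account ID, instance IDs and profile names are made up); it also covers an instance with no profile and a profile created under an IAM path.

```python
"""Summarise `aws ec2 describe-instances --output json` and list the
instance-profile names to feed into `aws iam get-instance-profile`.

Usage: aws ec2 describe-instances --output json | python3 ec2_instances.py
With no piped input it runs against the constructed SAMPLE below.
"""
import json
import sys

# Constructed sample in the shape the CLI returns; not real account data.
SAMPLE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0a1b2c3d4e5f60001", "State": {"Name": "running"},
             "PublicIpAddress": "203.0.113.10", "PrivateIpAddress": "10.0.1.10",
             "KeyName": "prod-bastion", "ImageId": "ami-0123456789abcdef0",
             "IamInstanceProfile": {
                 "Arn": "arn:aws:iam::123456789012:instance-profile/web-admin"}},
            # Stopped, no public IP, no instance profile at all.
            {"InstanceId": "i-0a1b2c3d4e5f60002", "State": {"Name": "stopped"},
             "PrivateIpAddress": "10.0.2.20", "KeyName": "dev-shared",
             "ImageId": "ami-0123456789abcdef0"},
        ]},
        {"Instances": [
            # Profile created under an IAM path ("/ci/"): the name is the last segment.
            {"InstanceId": "i-0a1b2c3d4e5f60003", "State": {"Name": "running"},
             "PublicIpAddress": "203.0.113.11", "PrivateIpAddress": "10.0.1.11",
             "KeyName": "prod-bastion", "ImageId": "ami-0fedcba9876543210",
             "IamInstanceProfile": {
                 "Arn": "arn:aws:iam::123456789012:instance-profile/ci/deploy-runner"}},
        ]},
    ]
}


def iter_instances(doc):
    """Flatten the Reservations -> Instances nesting the API uses."""
    for reservation in doc.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            yield instance


def profile_name_from_arn(arn):
    """arn:aws:iam::<acct>:instance-profile/<path>/<name> -> <name>.
    get-instance-profile wants the bare name, without the path."""
    return arn.rsplit("/", 1)[-1]


def summarize(doc):
    """One flat record per instance; missing fields become None."""
    rows = []
    for inst in iter_instances(doc):
        profile = inst.get("IamInstanceProfile", {}).get("Arn")
        rows.append({
            "id": inst["InstanceId"],
            "state": inst.get("State", {}).get("Name"),
            "public_ip": inst.get("PublicIpAddress"),
            "private_ip": inst.get("PrivateIpAddress"),
            "key": inst.get("KeyName"),
            "ami": inst.get("ImageId"),
            "profile": profile_name_from_arn(profile) if profile else None,
        })
    return rows


def profile_names(doc):
    """Distinct instance-profile names, ready for get-instance-profile."""
    return sorted({r["profile"] for r in summarize(doc) if r["profile"]})


def main():
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for r in summarize(doc):
        print(f'{r["id"]}  {r["state"] or "-":8}  {r["public_ip"] or "-":15}  '
              f'{r["key"] or "-":12}  {r["profile"] or "-"}')
    # Print the follow-up commands for step 3, one per distinct profile.
    for name in profile_names(doc):
        print(f"aws iam get-instance-profile --instance-profile-name {name}")


if __name__ == "__main__":
    main()
```

The profile name is derived with rsplit on the last slash rather than a fixed split, because profiles created under an IAM path have extra segments in the ARN and get-instance-profile rejects the path-qualified form.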

4. List Security Groups

Look for inbound rules open to the whole internet (0.0.0.0/0 or ::/0), especially on SSH (22), RDP (3389), database ports, or with IpProtocol -1, which means every protocol and every port.

aws ec2 describe-security-groups

a. Check for overly permissive inbound rules. Keep the protocol and the IPv6 ranges in the output: a rule with Proto -1 has no From/To at all, and a ::/0 entry in Ipv6Ranges is just as exposed as 0.0.0.0/0 in IpRanges:

aws ec2 describe-security-groups --query "SecurityGroups[*].{Id:GroupId,Name:GroupName,Rules:IpPermissions[*].{Proto:IpProtocol,From:FromPort,To:ToPort,CIDR:IpRanges[*].CidrIp,CIDRv6:Ipv6Ranges[*].CidrIpv6}}"

Outbound rules live in IpPermissionsEgress; rules whose source is another security group (UserIdGroupPairs) are not reachable from the internet on their own.
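The JMESPath query prints every rule; deciding which ones matter is still manual. The added script below (written for this page, not part of the original post) runs that decision over the JSON from aws ec2 describe-security-groups --output json: it treats 0.0.0.0/0 and ::/0 as "anyone", expands IpProtocol -1 to all ports, skips ICMP (whose From/To fields are type and code, not ports), and reports which well-known services a world-open port range covers. The group IDs and rules are a constructed sample, and the SENSITIVE_PORTS table is this example's own choice of services to name.

```python
"""Flag inbound security-group rules reachable from the whole internet.

Usage: aws ec2 describe-security-groups --output json | python3 sg_audit.py
With no piped input it audits the constructed SAMPLE below.
"""
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}
# Ports worth calling out by name when a world-open rule covers them.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}

# Constructed sample in the CLI's JSON shape; not real account data.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f6a001", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    # Only reachable from the VPC and from the bastion group: not a finding.
    {"GroupId": "sg-0a1b2c3d4e5f6a002", "GroupName": "internal-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f6a001"}]}]},
    # IpProtocol -1 carries no FromPort/ToPort: every port, here open over IPv6.
    {"GroupId": "sg-0a1b2c3d4e5f6a003", "GroupName": "legacy-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    # A wide range that happens to cover MySQL and RDP.
    {"GroupId": "sg-0a1b2c3d4e5f6a004", "GroupName": "app-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}


def world_sources(perm):
    """CIDRs in this rule that mean 'anyone', IPv4 and IPv6 alike."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def port_range(perm):
    """(low, high) covered by the rule. -1 means all protocols, hence all ports;
    for ICMP the From/To fields are type/code rather than ports, so return None."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return (0, 65535)
    if proto in ("icmp", "icmpv6"):
        return None
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def audit(doc):
    """One finding per (group, rule, world source), with the named ports it exposes."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            for src in world_sources(perm):
                rng = port_range(perm)
                hits = [] if rng is None else [
                    name for port, name in sorted(SENSITIVE_PORTS.items())
                    if rng[0] <= port <= rng[1]]
                findings.append({
                    "group_id": sg["GroupId"], "group_name": sg.get("GroupName"),
                    "proto": perm.get("IpProtocol"), "ports": rng,
                    "source": src, "hits": hits})
    return findings


def main():
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit(doc):
        ports = "all" if f["ports"] == (0, 65535) else (
            "icmp" if f["ports"] is None else f'{f["ports"][0]}-{f["ports"][1]}')
        print(f'{f["group_id"]} ({f["group_name"]}) {f["proto"]} {ports} '
              f'from {f["source"]}: {", ".join(f["hits"]) or "no named service"}')


if __name__ == "__main__":
    main()
```

A world-open group is only exploitable if it is attached to something with a public address, so pair these findings with the public IPs from step 1 and the network interfaces from step 5 before spending time on them.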

5. Describe Network Interfaces

Lists every ENI with its public and private IPs, subnet and VPC IDs, security groups, and what it is attached to (an instance, load balancer, Lambda function, NAT gateway and so on). This is the best single map of what is reachable from where, including resources that describe-instances does not show.

aws ec2 describe-network-interfaces

6. List AMIs (Amazon Machine Images)

Lists the images owned by this account. Custom AMIs often bake in credentials, configuration files, SSH keys or internal tooling; also check whether any of them are shared publicly or with other accounts via their launch permissions.

aws ec2 describe-images --owners self

7. Check EBS Volume Info

Look for unencrypted volumes, volumes attached to interesting instances, and unattached volumes (State: available), which anyone holding ec2:AttachVolume can mount on an instance they control and read.

aws ec2 describe-volumes

a. Snapshot enumeration (potential data leaks). --owner-ids self limits the output to this account's snapshots; without it the call also returns every public snapshot in the region. For each snapshot, check its createVolumePermission attribute to see whether it is shared with all accounts or with specific ones:

aws ec2 describe-snapshots --owner-ids self
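To make the volume and snapshot checks repeatable, here is an added script (written for this page, not part of the original post) that reads the JSON from aws ec2 describe-volumes and aws ec2 describe-snapshots --owner-ids self and cross-references them: it flags unencrypted volumes, volumes that are detached, unencrypted snapshots, and snapshots whose source volume no longer exists, which are often the only remaining copy of old data. The volume and snapshot records are a constructed sample in the CLI's shape; the IDs are made up.

```python
"""Cross-check `aws ec2 describe-volumes` and `aws ec2 describe-snapshots --owner-ids self`
output for unencrypted, detached or orphaned storage.

Usage: python3 ebs_audit.py volumes.json snapshots.json
With no arguments it audits the constructed samples below.
"""
import json
import sys

# Constructed samples in the CLI's JSON shape; not real account data.
VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Size": 30, "Encrypted": False,
     "State": "in-use", "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0a1b2c3d4e5f60001", "Device": "/dev/xvda"}]},
    # Encrypted but detached: attachable by anyone holding ec2:AttachVolume.
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Size": 500, "Encrypted": True,
     "State": "available", "AvailabilityZone": "us-east-1a", "Attachments": []},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Size": 8, "Encrypted": False,
     "State": "available", "AvailabilityZone": "us-east-1b", "Attachments": []},
]}
SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-0a1b2c3d4e5f60001", "VolumeId": "vol-0a1b2c3d4e5f60001",
     "Encrypted": False, "State": "completed", "Description": "pre-upgrade root"},
    # Source volume is gone: the snapshot is the only copy of whatever it held.
    {"SnapshotId": "snap-0a1b2c3d4e5f60002", "VolumeId": "vol-0a1b2c3d4e5f6ffff",
     "Encrypted": False, "State": "completed", "Description": "old db export"},
    {"SnapshotId": "snap-0a1b2c3d4e5f60003", "VolumeId": "vol-0a1b2c3d4e5f60002",
     "Encrypted": True, "State": "completed", "Description": ""},
]}


def audit_volumes(doc):
    """Map VolumeId -> list of issues; volumes with no issue are omitted."""
    out = {}
    for v in doc.get("Volumes", []):
        issues = []
        if not v.get("Encrypted", False):
            issues.append("unencrypted")
        # 'available' means nothing is attached; an empty Attachments list says the same.
        if v.get("State") == "available" or not v.get("Attachments"):
            issues.append("unattached")
        if issues:
            out[v["VolumeId"]] = issues
    return out


def audit_snapshots(snap_doc, vol_doc):
    """Map SnapshotId -> list of issues, using the volume list to spot orphans.
    Snapshots copied in from elsewhere carry a placeholder volume ID and land here too."""
    live = {v["VolumeId"] for v in vol_doc.get("Volumes", [])}
    out = {}
    for s in snap_doc.get("Snapshots", []):
        issues = []
        if not s.get("Encrypted", False):
            issues.append("unencrypted")
        if s.get("VolumeId") not in live:
            issues.append("source volume no longer exists")
        if issues:
            out[s["SnapshotId"]] = issues
    return out


def main():
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            vols = json.load(f)
        with open(sys.argv[2]) as f:
            snaps = json.load(f)
    else:
        vols, snaps = VOLUMES, SNAPSHOTS
    for vid, issues in audit_volumes(vols).items():
        print(f"{vid}: {', '.join(issues)}")
    for sid, issues in audit_snapshots(snaps, vols).items():
        print(f"{sid}: {', '.join(issues)}")


if __name__ == "__main__":
    main()
```

Neither CLI call reports who a snapshot is shared with; for each flagged snapshot, follow up with aws ec2 describe-snapshot-attribute --snapshot-id [snap-id] --attribute createVolumePermission, where a group of all means anyone can create a volume from it.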

8. Enumerate Key Pairs

AWS never returns the private half of a key pair; this call gives you names and fingerprints (and, on request, the public key material). Key names still tell you who uses which hosts and whether a single key is shared across environments or teams, which is poor key hygiene worth noting.

aws ec2 describe-key-pairs

9. Describe Regions & Availability Zones

Every EC2 call above is regional, so iterate over the output of describe-regions to make sure nothing is missed in a region the target does not normally use.

aws ec2 describe-regions
aws ec2 describe-availability-zones

This post is licensed under CC BY 4.0 by the author.