AWSault
Post-compromise AWS enumeration and analysis tool for penetration testers.
You have valid AWS credentials. AWSault tells you what those credentials can access, what is misconfigured, and where the secrets are.
Author: baeziy | Contact: [email protected] | License: GPL-3.0
What it does
AWSault automates the tedious post-compromise enumeration workflow. Given a set of AWS credentials, it:
- Surface scans 120+ AWS services with 500+ read-only API calls to map what you can access
- Deep enumerates discovered resources — pulls IAM policies, S3 configs, Lambda env vars, EC2 user data, and more
- Audits security with 16 detection rules covering OWASP-style cloud misconfigurations
- Extracts loot from 7 secret sources (Secrets Manager, SSM, Lambda, EC2, ECS, CodeBuild, CloudFormation)
- Maps your identity — enumerates every policy on your principal, discovers assumable roles, and detects 14 known IAM privilege escalation paths
- Suggests next steps — generates 240+ context-aware AWS CLI commands across all services based on what access you have
Quick example
```bash
# surface scan with default credentials
awsault

# full assault with HTML report
awsault --godeep --all-regions --output report.html

# check what IAM permissions you have from last scan
awsault --show iam

# drill into the actual data
awsault --show iam --detail list_users
```
Wiki contents
| Page | Description |
|---|---|
| Installation | All install methods + PATH setup for every platform |
| Quick Start | Get scanning in 60 seconds |
| Credentials | How AWSault finds and validates AWS credentials |
| Surface Scan | Phase 1 — bulk permission checking across all services |
| Deep Enumeration | Phase 2 — resource chaining and config pulling |
| Security Audit | Phase 3 — 16 detection rules and what they catch |
| Loot Extraction | Phase 4 — secret and credential harvesting |
| Identity Recon | Phase 5 — full identity permission mapping |
| Privilege Escalation | 14 IAM privesc techniques detected |
| Browsing Results | Using `--show` and `--detail` to explore scan data |
| Suggested Next Steps | Context-aware CLI commands for every accessible service |
| Output Formats | JSON, CSV, and HTML report details |
| Service Registry | All 120+ supported AWS services |
| CLI Reference | Every flag and option |
| Architecture | Codebase structure and data flow |
| Extending AWSault | Adding services, chains, rules, loot sources, and suggestions |
Platform support
Works on Linux, macOS, and Windows. Requires Python 3.8+ and valid AWS credentials.