Browsing Results - baeziy/AWSault GitHub Wiki
Browsing Results
After any scan, results are saved locally. You can browse them without rescanning using --show and --detail.
Where results are stored
Scan results are automatically saved to:
~/.awsault/last_scan.json
This file is overwritten on each new scan. It contains the full scan data including services, deep enumeration, findings, loot, and recon.
Listing permissions (--show)
Use --show to list which API calls succeeded or were denied for a service:
# check IAM permissions
awsault --show iam
# check multiple services
awsault --show iam,s3,lambda
# check all services
awsault --show all
Output format
For each service, --show displays three categories:
Allowed — API calls that succeeded, with the number of items returned:
ALLOWED:
list_buckets 5 items
list_objects_v2 23 items
get_bucket_acl 5 items
Denied — API calls blocked by IAM policy:
DENIED:
put_bucket_policy AccessDenied
delete_bucket AccessDenied
Errors — API calls that failed for non-permission reasons:
ERRORS:
list_multipart_uploads NoSuchBucket
Viewing result data (--detail)
Use --detail with --show to drill into the actual data returned by a specific API call:
# view the IAM users data
awsault --show iam --detail list_users
# view S3 buckets
awsault --show s3 --detail list_buckets
# view EC2 instances
awsault --show ec2 --detail describe_instances
# view Lambda functions
awsault --show lambda --detail list_functions
Requirements
- --detail requires exactly one service in --show (not multiple, not all)
- The method name must match an API call that returned data (status: OK)
- Output is the full JSON response data for that call
Example
$ awsault --show iam --detail list_users
[
{
"UserName": "admin",
"UserId": "AIDAEXAMPLE1",
"Arn": "arn:aws:iam::123456789012:user/admin",
"CreateDate": "2023-01-15T10:30:00+00:00",
"PasswordLastUsed": "2024-03-20T14:22:00+00:00"
},
{
"UserName": "developer",
"UserId": "AIDAEXAMPLE2",
"Arn": "arn:aws:iam::123456789012:user/developer",
"CreateDate": "2023-06-01T08:00:00+00:00"
}
]
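The --show and --detail views above are both lookups over the saved scan file. The following is an added example (not AWSault's own code) that reproduces that logic in Python over a constructed record; the key layout of ~/.awsault/last_scan.json (services -> API call -> status/data) and the helper names are assumptions, not the tool's documented schema.

```python
import json

# Constructed sample shaped like the page's description of a saved scan.
# The exact key layout of ~/.awsault/last_scan.json is an ASSUMPTION here.
SAMPLE_SCAN = {
    "services": {
        "s3": {
            "list_buckets": {"status": "OK", "data": [{"Name": f"bucket-{i}"} for i in range(5)]},
            "put_bucket_policy": {"status": "AccessDenied"},
            "list_multipart_uploads": {"status": "NoSuchBucket"},
        },
        "iam": {
            "list_users": {"status": "OK", "data": [{"UserName": "admin"}, {"UserName": "developer"}]},
            "get_account_authorization_details": {"status": "AccessDenied"},
        },
    }
}

def load_scan(path: str) -> dict:
    """Read a saved scan file (e.g. ~/.awsault/last_scan.json) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def categorize(scan: dict, service: str) -> dict:
    """Split one service's calls into the three --show buckets:
    allowed (status OK, with item count), denied (AccessDenied) and errors (anything else)."""
    result = {"allowed": {}, "denied": {}, "errors": {}}
    for name, call in sorted(scan["services"].get(service, {}).items()):
        status = call.get("status")
        if status == "OK":
            data = call.get("data")
            result["allowed"][name] = len(data) if isinstance(data, list) else 1
        elif status == "AccessDenied":
            result["denied"][name] = status
        else:
            result["errors"][name] = status
    return result

def show(scan: dict, services: str) -> dict:
    """Equivalent of --show: 'all' or a comma-separated service list."""
    names = list(scan["services"]) if services == "all" else services.split(",")
    return {s: categorize(scan, s) for s in names}

def detail(scan: dict, services: str, method: str):
    """Equivalent of --show <svc> --detail <method>, enforcing the page's two requirements:
    exactly one service, and a method that actually returned data (status OK)."""
    names = services.split(",")
    if services == "all" or len(names) != 1:
        raise ValueError("--detail requires exactly one service in --show")
    call = scan["services"].get(names[0], {}).get(method)
    if call is None or call.get("status") != "OK":
        raise ValueError(f"{method} did not return data (status: OK) for {names[0]}")
    return call["data"]
```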
Browsing deep scan data
After a --godeep scan, you can revisit the identity recon, security findings, and extracted loot without rescanning.
Identity recon (--recon)
View the full identity permission map: who you are, effective policies, assumable roles, and privilege escalation paths.
awsault --recon
Output includes:
- Identity info (user/role name, account ID, ARN, groups)
- All effective policies with their Allow/Deny statements and resources
- Alternate policy versions (if any exist)
- Assumable roles with their attached policies
- Privilege escalation paths with severity ratings
- Suggested next step commands you can copy-paste
Security findings (--findings)
View all security audit findings from the last scan, sorted by severity:
awsault --findings
Output is a table with severity, service, resource, and finding description, followed by a severity summary count.
Extracted loot (--loot)
View extracted secrets and credentials with their actual values:
awsault --loot
Output shows each loot source (Secrets Manager, SSM, Lambda env vars, etc.) with the items found and their readable values.
Combining views
You can combine any of these flags in a single command:
# view recon and findings together
awsault --recon --findings
# view everything at once
awsault --recon --findings --loot
Reading policy and role documents (--policy)
Use --policy to fetch the full raw JSON document of any policy or role directly from AWS. AWSault automatically detects whether the name is an inline policy, managed policy, or role.
Reading a specific policy
--policy reads specific policy documents only. It never auto-detects roles. AWSault checks saved scan data first, then falls back to live API calls.
# read an inline or managed policy by name
awsault --policy S3Access
# read an AWS managed policy
awsault --policy AmazonEC2ReadOnlyAccess
# read a managed policy by ARN (useful for cross-account policies)
awsault --policy arn:aws:iam::123456789012:policy/CrossAccountPolicy
Managed policy versions
For managed policies, AWSault shows all available versions and the default. Use --version to read a non-default version:
awsault --policy AmazonEC2ReadOnlyAccess --version v2
Reading multiple policies at once
Pass comma-separated names to read several policies in one command:
awsault --policy S3Access,DbRead,LoggingPolicy
Each one is resolved and displayed independently. If one isn't found, the others still show.
Targeting a different user or role
Use --user or --role to read policies on a different principal (if your credentials have permission):
# read an inline policy on a different user
awsault --policy S3Access --user admin
# read an inline policy on a role
awsault --policy S3Access --role BackendRole
Listing all policies (--all-policies)
Use --all-policies to dump everything for a user or role. When targeting a role, it shows the trust policy first, then all inline and managed permission policies:
# all policies on current identity
awsault --all-policies
# all policies on another user
awsault --all-policies --user admin
# trust policy + all attached policies on a role
awsault --all-policies --role BackendRole
Access denied handling
If your credentials don't have permission to read a specific resource, AWSault tells you exactly which IAM action is missing:
Access denied -- requires iam:GetUserPolicy (AccessDenied)
Inline policies: Access denied -- requires iam:ListRolePolicies (AccessDenied)
Managed policies: Access denied -- requires iam:ListAttachedRolePolicies (AccessDenied)
Using with a specific profile
awsault --policy S3Access --profile staging
awsault --all-policies --profile staging
awsault --all-policies --role BackendRole --profile staging
Exporting without rescanning
Use --output to export the last scan to a file without running a new scan:
awsault --output report.html
awsault --output report.json
awsault --output report.csv
See Output Formats for details on each format.
Limitations
- --show and --output cannot be used together in the same command
- --detail requires a single service in --show
- Only the most recent scan is available (previous scans are overwritten)
- If no scan has been run yet, --show will tell you to run a scan first