CLI Reference - baeziy/AWSault GitHub Wiki

CLI Reference

Complete reference for all AWSault command-line flags and options.

Synopsis

awsault [OPTIONS]

Options

Credential & Region

| Flag | Argument | Default | Description |
| --- | --- | --- | --- |
| --profile | NAME | (boto3 chain) | AWS profile from ~/.aws/credentials or ~/.aws/config |
| --region | REGION | (profile or us-east-1) | Override the AWS region for all API calls |

Scan scope

| Flag | Argument | Default | Description |
| --- | --- | --- | --- |
| --services | SERVICE,SERVICE,... | all | Comma-separated list of services to scan. Use --list-services to see available names |
| --threads | N | 10 | Number of concurrent threads for API calls |
| --all-regions | (none) | (off) | Scan permissions once, discover resources across all regions |

Scan mode

| Flag | Argument | Default | Description |
| --- | --- | --- | --- |
| --godeep | (none) | (off) | Full assault: deep enumeration + security audit + loot extraction + identity recon |

Result browsing

| Flag | Argument | Default | Description |
| --- | --- | --- | --- |
| --show | SERVICE,SERVICE,... or all | (none) | List allowed/denied permissions from the last scan without rescanning |
| --detail | METHOD_NAME | (none) | View the actual response data for a specific API call. Requires --show with a single service |
| --recon | (none) | (off) | View identity recon: policies, assumable roles, and privesc paths from last scan |
| --findings | (none) | (off) | View security audit findings from last scan |
| --loot | (none) | (off) | View extracted secrets and credentials from last scan |
| --policy | NAME or ARN | (none) | Read policy documents live from AWS. Comma-separated for multiple. Accepts names or ARNs |
| --version | VERSION | (none) | Read a specific version of a managed policy. Requires --policy with a single name |
| --all-policies | (none) | (off) | List and read all policies (inline + managed) attached to a user or role |
| --user | USERNAME | (none) | Target a different IAM user. Use with --policy or --all-policies |
| --role | ROLENAME | (none) | Target a different IAM role. Use with --policy or --all-policies |

Output

| Flag | Argument | Default | Description |
| --- | --- | --- | --- |
| --output | FILEPATH | (none) | Export results to file. Format determined by extension: .json, .csv, or .html |
| --verbose | (none) | (off) | Print API response data in the terminal during scanning |

Informational

| Flag | Argument | Default | Description |
| --- | --- | --- | --- |
| --list-services | (none) | (none) | Print all supported service names and exit |

Usage examples

Basic scanning

# surface scan with default credentials
awsault

# surface scan with a named profile
awsault --profile staging

# surface scan in a specific region
awsault --region eu-west-1

# scan only specific services
awsault --services iam,s3,ec2,lambda

# scan with more concurrency
awsault --threads 20

Full assault

# full assault (all 5 phases)
awsault --godeep

# full assault across all regions
awsault --godeep --all-regions

# full assault with HTML report
awsault --godeep --output report.html

# full assault, specific services, specific region
awsault --godeep --services iam,s3,lambda --region us-west-2

# full assault with verbose API output
awsault --godeep --verbose

Browsing results

# list IAM permissions from last scan
awsault --show iam

# list permissions for multiple services
awsault --show iam,s3,lambda,ec2

# list all services
awsault --show all

# view the actual data for a specific call
awsault --show iam --detail list_users
awsault --show s3 --detail list_buckets
awsault --show ec2 --detail describe_instances

# view identity recon (policies, roles, privesc paths)
awsault --recon

# view security audit findings
awsault --findings

# view extracted secrets and loot
awsault --loot

# combine deep data views
awsault --recon --findings
awsault --recon --findings --loot

# read policy documents live from AWS
awsault --policy S3Access
awsault --policy S3Access,DbRead,LoggingPolicy
awsault --policy AmazonEC2ReadOnlyAccess
awsault --policy AmazonEC2ReadOnlyAccess --version v2
awsault --policy arn:aws:iam::123456:policy/CrossAcct
awsault --policy S3Access --profile staging

# target a different user or role
awsault --policy S3Access --user admin
awsault --policy S3Access --role BackendRole

# list and read all policies on an identity
awsault --all-policies
awsault --all-policies --user admin
awsault --all-policies --role BackendRole
awsault --all-policies --profile staging

Exporting

# export last scan to HTML
awsault --output report.html

# export last scan to JSON
awsault --output results.json

# export last scan to CSV
awsault --output results.csv

# scan and export in one command
awsault --godeep --output report.html

Discovery

# list all supported services
awsault --list-services

Flag combinations

| Combination | Valid | Notes |
| --- | --- | --- |
| --godeep --output report.html | Yes | Scan and export |
| --godeep --all-regions | Yes | Multi-region full assault |
| --show iam --detail list_users | Yes | Browse specific result data |
| --show iam,s3 --detail list_users | No | --detail needs single service |
| --show iam --output report.html | No | Can't use --show with --output |
| --recon --findings --loot | Yes | View all deep data at once |
| --recon --findings | Yes | Combine any deep data views |
| --policy S3Access | Yes | Read inline or managed policy |
| --policy A,B,C | Yes | Read multiple policies at once |
| --policy MyPolicy --version v2 | Yes | Read specific managed policy version |
| --policy A,B --version v2 | No | --version needs single policy |
| --version v2 (without --policy) | No | --version needs --policy |
| --all-policies | Yes | Dump all policies on current identity |
| --policy S3Access --user admin | Yes | Read policy on a different user |
| --policy S3Access --role SomeRole | Yes | Read inline policy on a role |
| --policy arn:aws:... | Yes | Read managed policy by ARN |
| --all-policies --role BackendRole | Yes | Trust + all policies on a role |
| --user admin --role BackendRole | No | --user and --role are mutually exclusive |
| --user admin (alone) | No | --user/--role require --policy or --all-policies |
| --output report.html (no scan flags) | Yes | Export last scan without rescanning |
| --services iam,s3 --godeep | Yes | Deep scan on specific services |
| --profile prod --region eu-west-1 | Yes | Profile with region override |
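
The invalid rows above reduce to five rules, which a wrapper script can check before it invokes awsault. This is an added example, not code from the AWSault project: check_combination and its message strings are hypothetical names, and only the flags that appear in those rules are modelled; every other flag is ignored.

```python
import argparse


def _parser():
    # Only the flags involved in the combination rules are declared;
    # anything else (e.g. --godeep, --threads) is left to parse_known_args.
    p = argparse.ArgumentParser(add_help=False, allow_abbrev=False)
    for flag in ("--show", "--detail", "--policy", "--version",
                 "--user", "--role", "--output"):
        p.add_argument(flag)
    p.add_argument("--all-policies", action="store_true")
    return p


def check_combination(argv):
    """Return a list of rule violations for an awsault argument list.

    An empty list means the combination is valid per the table above.
    Function name and messages are hypothetical, not AWSault's own.
    """
    a, _ignored = _parser().parse_known_args(argv)
    errors = []
    # --detail requires --show with exactly one service
    if a.detail and (not a.show or "," in a.show):
        errors.append("--detail needs --show with a single service")
    # --show browses stored results and cannot be combined with export
    if a.show and a.output:
        errors.append("--show cannot be combined with --output")
    # --version requires --policy with exactly one name
    if a.version and not a.policy:
        errors.append("--version needs --policy")
    elif a.version and "," in a.policy:
        errors.append("--version needs a single policy")
    # --user and --role: one target at most, and only with a policy view
    if a.user and a.role:
        errors.append("--user and --role are mutually exclusive")
    if (a.user or a.role) and not (a.policy or a.all_policies):
        errors.append("--user/--role require --policy or --all-policies")
    return errors


if __name__ == "__main__":
    # Constructed sample invocations taken from the table rows.
    for line in ("--show iam --detail list_users",
                 "--show iam,s3 --detail list_users",
                 "--policy A,B --version v2"):
        print(line, "->", check_combination(line.split()) or "valid")
```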

Exit codes

| Code | Meaning |
| --- | --- |
| 0 | Success |
| 1 | Error (invalid credentials, no scan data, invalid arguments) |