Output Formats - baeziy/AWSault GitHub Wiki

Output Formats

AWSault supports three export formats. The format is determined by the file extension of the path given to --output.

awsault --godeep --output report.json
awsault --godeep --output report.csv
awsault --godeep --output report.html

You can also export a previous scan without rescanning:

awsault --output report.html

HTML Report

The HTML report is a self-contained single file with embedded CSS and JavaScript. No external dependencies — just open it in any browser.

Design

  • Dark theme optimized for readability
  • Responsive layout
  • All sections are collapsible

Tabs

Services Tab

  • Card for each scanned service with OK/Denied count badge
  • Click to expand and see every API call with status
  • Search bar — filter services by name
  • Status filters — show All, Has Access, or No Access
  • Expand/Collapse all buttons

Findings Tab

  • Color-coded findings by severity (CRITICAL = red, HIGH = orange, MEDIUM = yellow, LOW = blue)
  • Each finding shows: severity badge, service, resource, title, detail, recommendation

Loot Tab

  • Grouped by source (Secrets Manager, SSM, Lambda, etc.)
  • Each item shows a READABLE or DENIED badge
  • Click to expand and see the full JSON data

Recon Tab

Shows the full identity permission map:

  • Identity info — type, principal, account, ARN, groups
  • Effective Policies — collapsible cards for each policy with:
    • Policy name, type badge (inline/AWS managed/customer managed)
    • What it's attached to
    • Full ARN (for managed policies)
    • Color-coded Allow/Deny statements with actions and resources
  • Assumable Roles — collapsible cards with:
    • Role name and description
    • Why you can assume it (trust policy or policy grant)
    • Full policy breakdown with statements
  • Privilege Escalation Paths — severity-badged cards with:
    • Technique name and description
    • Triggering action and source policy
    • Affected resources
    • Alternate policy versions (for SetDefaultPolicyVersion) with full statements

The tab label shows counts: Recon (3P / 2R / 1E) means 3 policies, 2 roles, and 1 escalation path.

Summary header

The top of the report shows key metrics:

  • Account ID and ARN
  • Region
  • Scan mode (surface / godeep)
  • Services scanned
  • OK/Total API calls
  • Denied count
  • Finding count (total and critical/high)
  • Loot count

JSON Export

Full structured dump of all scan data.

Structure

{
  "meta": {
    "account": "123456789012",
    "arn": "arn:aws:iam::123456789012:user/pentester",
    "region": "us-east-1",
    "mode": "godeep"
  },
  "services": {
    "iam": {
      "summary": { "total": 15, "ok": 3, "denied": 12, "errors": 0 },
      "calls": [
        { "method": "list_users", "status": "ok", "count": 5, "data": [...] },
        { "method": "list_roles", "status": "denied", "error": "AccessDenied" }
      ]
    }
  },
  "deep": {
    "s3": { ... },
    "iam_users": { ... },
    "iam_self": { ... }
  },
  "findings": [
    {
      "severity": "CRITICAL",
      "service": "s3",
      "resource": "public-bucket",
      "title": "Public access block missing",
      "detail": "...",
      "recommendation": "..."
    }
  ],
  "loot": {
    "SecretsManager": [...],
    "SSM Parameters": [...]
  },
  "recon": {
    "Type": "user",
    "Principal": "pentester",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/pentester",
    "Groups": ["developers"],
    "Policies": [...],
    "AssumableRoles": [...],
    "PrivescPaths": [...]
  }
}

Use cases

  • Programmatic analysis with jq or Python
  • Diffing between scans
  • Feeding into other security tools
  • Archival
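
For the "Diffing between scans" use case, the Python below compares two JSON exports, for example one taken before and one after a remediation pass, and reports which API calls changed access status and which findings appeared or cleared. It is an added example, not code from AWSault; both sample reports are constructed, and matching findings on (service, resource, title) is an assumption, since the export shows no finding ID.

```python
import json

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample exports (trimmed to the fields used here), not real scan data.
BASELINE = json.loads("""{
  "services": {"iam": {"calls": [
    {"method": "list_users", "status": "ok", "count": 5},
    {"method": "list_roles", "status": "denied", "error": "AccessDenied"}]}},
  "findings": [{"severity": "CRITICAL", "service": "s3", "resource": "public-bucket",
                "title": "Public access block missing"}]}""")
RESCAN = json.loads("""{
  "services": {"iam": {"calls": [
    {"method": "list_users", "status": "denied", "error": "AccessDenied"},
    {"method": "list_roles", "status": "ok", "count": 2}]}},
  "findings": [{"severity": "HIGH", "service": "iam", "resource": "example-user",
                "title": "Constructed example finding"}]}""")

def ok_calls(report):
    """Set of (service, method) pairs whose call status is "ok"."""
    return {
        (svc, call["method"])
        for svc, body in report.get("services", {}).items()
        for call in body.get("calls", [])
        if call.get("status") == "ok"
    }

def finding_index(report):
    """Map (service, resource, title) -> severity for every finding."""
    # Assumption: these three fields together identify a finding across scans.
    return {(f["service"], f["resource"], f["title"]): f["severity"]
            for f in report.get("findings", [])}

def diff_reports(old, new):
    """Access and finding changes between two exports, new findings by severity."""
    old_ok, new_ok = ok_calls(old), ok_calls(new)
    old_f, new_f = finding_index(old), finding_index(new)
    added = sorted((k for k in new_f if k not in old_f),
                   key=lambda k: (SEVERITY_RANK.get(new_f[k], 99), k))
    return {
        "access_gained": sorted(new_ok - old_ok),
        "access_revoked": sorted(old_ok - new_ok),
        "findings_new": [(new_f[k], *k) for k in added],
        "findings_resolved": sorted(k for k in old_f if k not in new_f),
    }

if __name__ == "__main__":
    print(json.dumps(diff_reports(BASELINE, RESCAN), indent=2))
```

With real exports, load each file with json.load and pass the two dictionaries to diff_reports.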

CSV Export

Flat tabular format with sections separated by headers.

Sections

1. Services (one row per API call):

service, method, status, item_count, error
iam, list_users, ok, 5,
iam, list_roles, denied, 0, AccessDenied

2. Findings (one row per finding):

severity, service, resource, title, detail, recommendation
CRITICAL, s3, public-bucket, Public access block missing, ..., Enable public access block

3. Loot (one row per item):

source, name, readable
SecretsManager, db-password, True
SSM Parameters, /prod/api-key, True

4. Identity Recon:

Identity info:

## identity_recon
identity, user/pentester
account, 123456789012
arn, arn:aws:iam::123456789012:user/pentester
groups, developers

Policy statements (one row per statement):

policy_name, policy_type, attached_to, effect, actions, resources
DevPolicy, customer-managed, user/pentester, Allow, s3:GetObject; s3:ListBucket, *

Assumable roles (one row per statement per policy per role):

## assumable_roles
role_name, role_arn, reason, policy_name, policy_type, effect, actions, resources
admin-role, arn:..., trust policy, AdminPolicy, aws-managed, Allow, *, *

Privilege escalation paths:

## privilege_escalation_paths
severity, name, action, via_policy, via_role, resources, description
CRITICAL, Policy Version Injection, iam:CreatePolicyVersion, DevPolicy, , *, Create a new policy version...

Use cases

  • Import into Excel/Google Sheets
  • Quick grep/awk analysis
  • Compliance reporting
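
Because the CSV export holds several tables in one file, a plain CSV reader will mix their columns. The Python below is an added example, not code from AWSault, that splits the file on the "## name" marker lines and reads each tabular section with its own header row. The sample text is constructed, and it assumes each marker is followed directly by a header row, so it suits sections such as assumable_roles and privilege_escalation_paths but not the key/value rows under identity_recon.

```python
import csv

# Constructed sample modelled on the section layout shown above; not real scan output.
SAMPLE = """\
## assumable_roles
role_name, role_arn, reason, policy_name, policy_type, effect, actions, resources
admin-role, arn:aws:iam::123456789012:role/admin-role, trust policy, AdminPolicy, aws-managed, Allow, *, *

## privilege_escalation_paths
severity, name, action, via_policy, via_role, resources, description
CRITICAL, Policy Version Injection, iam:CreatePolicyVersion, DevPolicy, , *, constructed description
LOW, Constructed Technique, example:Action, DevPolicy, , *, constructed description
"""

def read_sections(text):
    """Split the export on '## name' marker lines; return {name: [row dicts]}."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith("## "):
            current = blocks.setdefault(line[3:].strip(), [])
        elif current is not None and line.strip():
            current.append(line)
    # Assumption: the first line after a marker is that section's column header.
    # skipinitialspace drops the space that follows each comma in the layout above.
    return {
        name: list(csv.DictReader(lines, skipinitialspace=True))
        for name, lines in blocks.items()
    }

def escalation_paths(text, severities=("CRITICAL", "HIGH")):
    """Rows of the privilege_escalation_paths section at the given severities."""
    rows = read_sections(text).get("privilege_escalation_paths", [])
    return [r for r in rows if r["severity"] in severities]

if __name__ == "__main__":
    for row in escalation_paths(SAMPLE):
        print(row["severity"], row["name"], row["action"], row["via_policy"])
```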