Suggested Next Steps - baeziy/AWSault GitHub Wiki

Suggested Next Steps

After every scan (surface or --godeep), AWSault generates context-aware AWS CLI commands for every service where at least one API call succeeded. This tells you exactly what to try next without having to look up CLI syntax yourself.

How it works

AWSault maintains a mapping of 240+ suggested commands across all 121 supported services. When a service returns at least one OK call, the relevant commands are shown with:

  • The correct --profile flag (matching the profile you used)
  • The correct --region flag (matching the region you scanned)
  • The actual account ID where applicable (e.g., for listing public snapshots)

Commands are grouped by service and include a short description of what each one does.

Example output

--------------------------------------------------
SUGGESTED NEXT STEPS

  Based on your scan results, here are commands to investigate further.

  EC2 (1/27 calls OK)
    # List your own EC2 snapshots
    aws ec2 describe-snapshots --owner-ids self --profile staging --region us-east-1
    # List public snapshots from this account
    aws ec2 describe-snapshots --owner-ids 123456789012 --include-deprecated --profile staging
    # Try describing snapshots across other regions
    aws ec2 describe-snapshots --owner-ids self --region us-west-2 --profile staging

  DYNAMODB (1/5 calls OK)
    # List DynamoDB tables
    aws dynamodb list-tables --profile staging --region us-east-1
    # Describe a table (keys, indexes, encryption)
    aws dynamodb describe-table --table-name <table-name> --profile staging --region us-east-1
    # Sample data from a table
    aws dynamodb scan --table-name <table-name> --max-items 10 --profile staging --region us-east-1

  S3 (FULL ACCESS)
    # List all S3 buckets
    aws s3 ls --profile staging
    # List contents of a specific bucket
    aws s3 ls s3://<bucket-name> --recursive --profile staging
    # Check bucket policy
    aws s3api get-bucket-policy --bucket <bucket-name> --profile staging

What gets suggested

Commands are tailored to each service. High-value services get more suggestions focused on post-exploitation:

| Service | Examples of what gets suggested |
|---|---|
| EC2 | Snapshots (self + public), instances, security groups, user data, key pairs |
| S3 | Bucket listing, contents, policies, ACLs, public access blocks |
| IAM | Users, roles, policies, credential reports, account authorization details |
| Lambda | Functions, env vars (secrets), layers, code downloads |
| RDS | Instances (public access check), snapshots (public sharing check) |
| Secrets Manager | List secrets, read secret values |
| SSM | Parameters (with decryption), managed instances, command execution |
| ECS | Clusters, task definitions (secrets in env vars) |
| CloudTrail | Trails, status, event lookups |
| CodeBuild | Projects (env vars may contain secrets) |
| ECR | Repositories, images, login tokens |
| Glue | Connections (JDBC credentials), dev endpoints |
| CloudFormation | Stacks, outputs/parameters (secrets), templates |

Lower-value services still get basic listing commands so you have a complete picture.

Suggestions vs. identity recon next steps

AWSault generates two types of suggested commands:

  1. Scan-based suggestions (this page) — generated from the surface scan results. These fire for every service with OK calls, regardless of whether you ran --godeep. They tell you what to investigate based on what permissions you have.

  2. Identity recon suggestions (see Identity Recon) — generated from the identity permission map during --godeep. These are more targeted: privilege escalation commands, role assumption, and resource-specific access based on your actual policy statements.

Both appear at the end of the scan output. The identity recon suggestions are inside the IDENTITY PERMISSION MAP section. The scan-based suggestions appear in a separate SUGGESTED NEXT STEPS section.

Multi-region scans

When using --all-regions, the suggestions use the combined results across all regions. The --region flag is omitted from commands since you've already scanned all regions and the commands work in any region.

Extending

To add suggestions for a new service or new commands for an existing service, edit src/awsault/recon/suggestions.py. Each entry maps a service name to a list of (api_method, description, command_template) tuples. Templates support {profile}, {region}, {p} (both), and {account_id} placeholders.
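
A sketch of how a mapping in that shape can be rendered into commands, added here as an example and not taken from suggestions.py. The names Suggestion, SUGGESTIONS and render are hypothetical, and it assumes each placeholder expands to a whole flag, so that {region} can expand to nothing under --all-regions.

```python
# Added illustration; this is not AWSault's suggestions.py. All names are hypothetical.
import re
import shlex
from typing import NamedTuple, Optional

class Suggestion(NamedTuple):
    api_method: str        # carried along; how AWSault uses it is not described on the page
    description: str
    command_template: str

# Constructed sample entries; the commands mirror the example output on this page.
SUGGESTIONS = {
    "dynamodb": [Suggestion("list_tables", "List DynamoDB tables",
                            "aws dynamodb list-tables {p}")],
    "s3": [Suggestion("list_buckets", "List all S3 buckets", "aws s3 ls {profile}")],
    "ec2": [Suggestion("describe_snapshots", "List public snapshots from this account",
                       "aws ec2 describe-snapshots --owner-ids {account_id} {p}")],
}

def render(service: str, ok_calls: int, profile: str, account_id: str,
           region: Optional[str] = None) -> list:
    """Return (description, command) pairs for a service with at least one OK call.

    region=None models an --all-regions scan, where --region is omitted.
    """
    if ok_calls < 1:
        return []
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")
    # Quote values so an unusual profile name cannot alter the pasted command.
    profile_flag = f"--profile {shlex.quote(profile)}"
    region_flag = f"--region {shlex.quote(region)}" if region else ""
    values = {
        "profile": profile_flag,
        "region": region_flag,
        "p": f"{profile_flag} {region_flag}".strip(),   # assumption: {p} = both flags
        "account_id": account_id,
    }
    return [(s.description, s.command_template.format(**values).strip())
            for s in SUGGESTIONS.get(service, [])]

if __name__ == "__main__":
    for desc, cmd in render("dynamodb", 1, "staging", "123456789012", "us-east-1"):
        print(f"# {desc}\n{cmd}")
```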
