
AWS Commands

Seth Art edited this page Apr 15, 2024 · 31 revisions

AWS Command Usage and Examples

Prerequisites: https://github.com/BishopFox/cloudfox#prerequisites

To list AWS commands: ./cloudfox aws -h

For help with each command: ./cloudfox aws [command_name] -h

all-checks

Command all-checks
Summary This command runs all other aws commands, with the exception of outbound-assumed-roles
Introduced v1.6.0
Author Bishop Fox
Background We created all-checks so that there is a way to get most of the cloudfox aws functionality with one single command. The outbound-assumed-roles command is just too slow to include in all-checks, but we didn't want to rename it almost-all-checks, so we kept the name as is 😄.

It's also important to know that in all-checks, each sub-command is run with reasonable default options, but that does not cover all cloudfox functionality. Some commands expose really useful additional functionality through extra options, so make sure to check out each command individually as well.
Use case 1: Run (almost) all of the commands at once and record all output to your local filesystem
❯ cloudfox aws -p cflab all-checks
Example output: all-checks
❯ cloudfox aws -p cflab all-checks
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[🦊 cloudfox 🦊 ] Getting a lay of the land, aka "What regions is this account using?"
[inventory][cflab] Enumerating selected services in all regions for account 049881439828.
[inventory][cflab] Supported Services: ApiGateway, ApiGatewayv2, AppRunner, CloudFormation, Cloudfront, DynamoDB,
[inventory][cflab] 			EC2, ECS, EKS, ELB, ELBv2, Glue, Grafana, IAM, Lambda, Lightsail, MQ,
[inventory][cflab] 			OpenSearch, RDS, S3, SecretsManager, SNS, SQS, SSM
[inventory] Status: 364/364 tasks complete (9 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[inventory] Output written to [cloudfox-output/aws/cflab/table/inventory.txt]
[inventory] Output written to [cloudfox-output/aws/cflab/csv/inventory.csv]
[inventory] Output written to [cloudfox-output/aws/cflab/table/inventory-global.txt]
[inventory] Output written to [cloudfox-output/aws/cflab/csv/inventory-global.csv]
[inventory][cflab] 69 resources found in the services we looked at. This is NOT the total number of resources in the account.
[tags][cflab] Enumerating tags for account 049881439828.
[tags] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[tags] Output written to [cloudfox-output/aws/cflab/table/tags.txt]
[tags] Output written to [cloudfox-output/aws/cflab/csv/tags.csv]
[tags][cflab] 37 tags found.
[tags][cflab] 25 unique resources with tags found.
[🦊 cloudfox 🦊 ] Gathering the info you'll want for your application & service enumeration needs.
[instances][cflab] Enumerating EC2 instances in all regions for account 049881439828
[instances][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[instances][cflab] Found pmapper data for this account. Using it for role analysis.
[instances] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[instances] Output written to [cloudfox-output/aws/cflab/table/instances.txt]
[instances] Output written to [cloudfox-output/aws/cflab/csv/instances.csv]
[instances][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instances-ec2PrivateIPs.txt]
[instances][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instances-ec2PublicIPs.txt]
[instances][cflab] 5 instances found.
[lambdas][cflab] Enumerating lambdas for account 049881439828.
[lambdas][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[lambdas][cflab] Found pmapper data for this account. Using it for role analysis.
[lambdas] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[lambdas] Output written to [cloudfox-output/aws/cflab/table/lambdas.txt]
[lambdas] Output written to [cloudfox-output/aws/cflab/csv/lambdas.csv]
[lambdas][cflab] Loot written to [cloudfox-output/aws/cflab/loot/lambda-get-function-commands.txt]
[lambdas][cflab] 2 lambdas found.
[route53][cflab] Enumerating Route53 for account 049881439828.
[route53][cflab] No DNS records found, skipping the creation of an output file.
[filesystems][cflab] Enumerating filesystems for account 049881439828.
[filesystems][cflab] Supported Services: EFS, FSx
[filesystems] Status: 34/34 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[filesystems] Output written to [cloudfox-output/aws/cflab/table/filesystems.txt]
[filesystems] Output written to [cloudfox-output/aws/cflab/csv/filesystems.csv]
[filesystems][cflab] Loot written to [cloudfox-output/aws/cflab/loot/filesystems-mount-commands.txt]
[filesystems][cflab] 1 filesystems found.
[endpoints][cflab] Enumerating endpoints for account 049881439828.
[endpoints][cflab] Supported Services: App Runner, APIGateway, ApiGatewayV2, Cloudfront, EKS, ELB, ELBv2, Grafana,
[endpoints][cflab] 			Lambda, MQ, OpenSearch, Redshift, RDS
[endpoints] Status: 212/212 tasks complete (9 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[endpoints] Output written to [cloudfox-output/aws/cflab/table/endpoints.txt]
[endpoints] Output written to [cloudfox-output/aws/cflab/csv/endpoints.csv]
[endpoints][cflab] Loot written to [cloudfox-output/aws/cflab/loot/endpoints-UrlsOnly.txt]
[endpoints][cflab] 3 endpoints found.
[ecs-tasks][cflab] Enumerating ECS tasks in all regions for account 049881439828
[ecs-tasks][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[ecs-tasks][cflab] Found pmapper data for this account. Using it for role analysis.
[ecs-tasks] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[ecs-tasks] Output written to [cloudfox-output/aws/cflab/table/ecs-tasks.txt]
[ecs-tasks] Output written to [cloudfox-output/aws/cflab/csv/ecs-tasks.csv]
[ecs-tasks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecs-tasks-PrivateIPs.txt]
[ecs-tasks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecs-tasks-PublicIPs.txt]
[ecs-tasks][cflab] 1 ECS tasks found.
[eks][cflab] Enumerating EKS clusters for account 049881439828.
[eks][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[eks][cflab] Found pmapper data for this account. Using it for role analysis.
[eks] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[eks][cflab] No clusters found, skipping the creation of an output file.
[elastic-network-interfaces][cflab] Enumerating elastic network interfaces in all regions for account 049881439828
[elastic-network-interfaces] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[elastic-network-interfaces] Output written to [cloudfox-output/aws/cflab/table/elastic-network-interfaces.txt]
[elastic-network-interfaces] Output written to [cloudfox-output/aws/cflab/csv/elastic-network-interfaces.csv]
[elastic-network-interfaces][cflab] Loot written to [cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PrivateIPs.txt]
[elastic-network-interfaces][cflab] Loot written to [cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PublicIPs.txt]
[elastic-network-interfaces][cflab] 9 elastic network interfaces found.
[🦊 cloudfox 🦊 ] Looking for secrets hidden between the seat cushions.
[instances][cflab] Enumerating EC2 instances in all regions for account 049881439828
[instances][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[instances][cflab] Found pmapper data for this account. Using it for role analysis.
[instances] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[instance-userdata][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instance-userdata.txt]
[env-vars][cflab] Enumerating environment variables in all regions for account 049881439828.
[env-vars][cflab] Supported Services: App Runner, Elastic Container Service, Lambda, Lightsail Containers, Sagemaker
[env-vars] Status: 82/82 tasks complete (10 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[env-vars] Output written to [cloudfox-output/aws/cflab/table/env-vars.txt]
[env-vars] Output written to [cloudfox-output/aws/cflab/csv/env-vars.csv]
[env-vars][cflab] 3 environment variables found.
[cloudformation][cflab] Enumerating cloudformation stacks for account 049881439828.
[cloudformation] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[cloudformation] Output written to [cloudfox-output/aws/cflab/table/cloudformation.txt]
[cloudformation] Output written to [cloudfox-output/aws/cflab/csv/cloudformation.csv]
[cloudformation][cflab] Loot written to [cloudfox-output/aws/cflab/loot/cloudformation-data.txt]
[cloudformation][cflab] 2 cloudformation stacks found.
[🦊 cloudfox 🦊 ] Arming you with the data you'll need for privesc quests.
[buckets][cflab] Enumerating buckets for account 049881439828.
[buckets] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[buckets] Output written to [cloudfox-output/aws/cflab/table/buckets.txt]
[buckets] Output written to [cloudfox-output/aws/cflab/csv/buckets.csv]
[buckets][cflab] Loot written to [cloudfox-output/aws/cflab/loot/bucket-commands.txt]
[buckets][cflab] 9 buckets found.
[ecr][cflab] Enumerating container repositories for account 049881439828.
[ecr] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[ecr] Output written to [cloudfox-output/aws/cflab/table/ecr.txt]
[ecr] Output written to [cloudfox-output/aws/cflab/csv/ecr.csv]
[ecr][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecr-pull-commands.txt]
[ecr][cflab] 1 repositories found.
[secrets][cflab] Enumerating secrets for account 049881439828.
[secrets][cflab] Supported Services: SecretsManager, SSM Parameters
[secrets] Status: 34/34 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[secrets] Output written to [cloudfox-output/aws/cflab/table/secrets.txt]
[secrets] Output written to [cloudfox-output/aws/cflab/csv/secrets.csv]
[secrets][cflab] Loot written to [cloudfox-output/aws/cflab/loot/pull-secrets-commands.txt]
[secrets][cflab] 7 secrets found.
[ram][cflab] Enumerating shared resources for account 049881439828.
[ram] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[ram] Output written to [cloudfox-output/aws/cflab/table/ram.txt]
[ram] Output written to [cloudfox-output/aws/cflab/csv/ram.csv]
[ram][cflab] 2 resources found.
[🦊 cloudfox 🦊 ] IAM is complicated. Complicated usually means misconfigurations. You'll want to pay attention here.
[principals][cflab] Enumerating IAM Users and Roles for account 049881439828.
[principals] Output written to [cloudfox-output/aws/cflab/table/principals.txt]
[principals] Output written to [cloudfox-output/aws/cflab/csv/principals.csv]
[principals][cflab] 35 IAM principals found.
[permissions][cflab] Enumerating IAM permissions for account 049881439828.
[permissions] Output written to [cloudfox-output/aws/cflab/table/permissions.txt]
[permissions] Output written to [cloudfox-output/aws/cflab/csv/permissions.csv]
[permissions][cflab] 3889 unique permissions identified.
[access-keys][cflab] Mapping user access keys for account: 049881439828.
[access-keys][cflab] Only active access keys are shown.
[access-keys] Output written to [cloudfox-output/aws/cflab/table/access-keys.txt]
[access-keys] Output written to [cloudfox-output/aws/cflab/csv/access-keys.csv]
[access-keys][cflab] Loot written to [cloudfox-output/aws/cflab/loot/access-keys.txt]
[access-keys][cflab] 5 access keys found.
[role-trusts][cflab] Enumerating role trusts for account 049881439828.
[role-trusts][cflab] Looking for pmapper data for this account and building a PrivEsc graph in golang if it exists.
[role-trusts][cflab] Found pmapper data for this account. Using it for role analysis
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-principals.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-principals.csv]
[role-trusts][cflab] 9 role trusts found.
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-services.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-services.csv]
[role-trusts][cflab] 18 role trusts found.
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-federated.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-federated.csv]
[role-trusts][cflab] 3 role trusts found.
[pmapper][cflab] Looking for pmapper data for this account and building a PrivEsc graph in golang if it exists.
[pmapper][cflab] Parsing pmapper data for account 049881439828.
[pmapper] Output written to [cloudfox-output/aws/cflab/table/pmapper.txt]
[pmapper] Output written to [cloudfox-output/aws/cflab/csv/pmapper.csv]
[pmapper][cflab] 11 principals who are admin or have a path to admin identified.
[iam-simulator][cflab] Running multiple iam-simulator queries for account 049881439828. (This command can be pretty slow, FYI)
[iam-simulator] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[iam-simulator] Output written to [cloudfox-output/aws/cflab/table/iam-simulator.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cflab/csv/iam-simulator.csv]
[iam-simulator][cflab] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator][cflab] Loot written to [cloudfox-output/aws/cflab/loot/iam-simulator-pmapper-commands.txt]
[🦊 cloudfox 🦊 ] That's it! Check your output files for situational awareness and check your loot files for next steps.
[🦊 cloudfox 🦊 ] FYI, we skipped the outbound-assumed-roles module in all-checks (really long run time). Make sure to try it out manually.

access-keys

Command access-keys
Summary This command maps all active access key IDs for all users in an AWS account.
Introduced v1.6.0
Author Bishop Fox
Background For a long time, people were granted access to AWS via user accounts which could log in with a user/password (Web, aka Console access), or an access key/secret key (CLI access). The problem is that these access keys don't expire. So if you accidentally check in your access key to GitHub, or to PyPi, or to NPM, anyone with access to those sources can use your hardcoded credentials.

While putting your access keys into a public location is really bad, it is also bad if you drop these keys into a private location like a private repository or a private organizational Google Drive share, because any other user in your organization with access to that private repo or Google Drive share can just grab your credentials and log into AWS as you.
Use case 1: Found a key You just got an access key and you want to see if it belongs to any of your in-scope accounts and which user it belongs to. Look for the access key in the list of keys associated with this account and any other in-scope accounts.
Use case 2: Hunt for keys Use the access key IDs from this module as your seed list and search for them in other services like Github, Gitlab, Bitbucket, Slack, Sharepoint, Google Drive, Confluence, Jira, etc.
Loot file(s): loot/access-keys.txt

Example 1: maps all active access keys for all users in the account

❯ cloudfox aws --profile cf-exec -v2 access-keys
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942186266844000
[access-keys] Mapping user access keys for account: 049881439828.
[access-keys] Only active access keys are shown.
╭────────────────┬──────────────────────╮
│   User Name    │    Access Key ID     │
├────────────────┼──────────────────────┤
│ pele           │ AKIAQXHJKLZKIJ6QPJFK │
│ terraform-user │ AKIAQXHJKLZKG2U6MIFF │
╰────────────────┴──────────────────────╯
[access-keys] Output written to [cloudfox-output/aws/cf-exec/table/access-keys.txt]
[access-keys] Output written to [cloudfox-output/aws/cf-exec/csv/access-keys.csv]
[access-keys] Loot written to [cloudfox-output/aws/cf-exec/loot/access-keys.txt]
[access-keys] 2 access keys found.

Example 2: look up a specific access key

❯ cloudfox aws --profile cf-exec -v2 access-keys --filter AKIAQXHJKLZKIJ6QPJFK
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942670815294000
[access-keys] Mapping user access keys for account: 049881439828.
[access-keys] Only active access keys are shown.
╭───────────┬──────────────────────╮
│ User Name │    Access Key ID     │
├───────────┼──────────────────────┤
│ pele      │ AKIAQXHJKLZKIJ6QPJFK │
╰───────────┴──────────────────────╯
[access-keys] Output written to [cloudfox-output/aws/cf-exec/table/access-keys.txt]
[access-keys] Output written to [cloudfox-output/aws/cf-exec/csv/access-keys.csv]
[access-keys] Loot written to [cloudfox-output/aws/cf-exec/loot/access-keys.txt]
[access-keys] 1 access keys found.
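
Use case 2 above says to treat the access key IDs from this module as a seed list and go looking for them elsewhere. The following is an added example (not part of the wiki or of cloudfox itself) that does the file-system half of that hunt: it reads key IDs out of a loot file, then walks a checked-out repository or file share and reports every line that contains an AWS access key ID, marking whether each hit is in the seed list (one of this account's keys) or some other account's key. It assumes the loot file contains one key ID per line; the key IDs and the sample "repo" below are constructed for the demo (two of the IDs are the ones shown in the example output above).

```python
import re
import tempfile
from pathlib import Path

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# IAM user keys, ASIA for temporary credentials) plus 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")


def load_seed_keys(loot_path):
    """Extract access key IDs from a cloudfox loot/access-keys.txt.

    Assumption: the loot file lists one key ID per line; anything matching the
    key ID pattern anywhere in the file is taken as a seed.
    """
    text = Path(loot_path).read_text(encoding="utf-8", errors="replace")
    return set(ACCESS_KEY_RE.findall(text))


def scan_tree(root, seed_keys, max_bytes=5_000_000):
    """Walk `root` and return (relative_path, line_no, key_id, in_seed_list)
    for every access key ID found in a text file under it, sorted for stable
    output. Files larger than `max_bytes` are skipped."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        except OSError:
            continue
        for line_no, line in enumerate(lines, 1):
            for key in ACCESS_KEY_RE.findall(line):
                hits.append((path.relative_to(root).as_posix(), line_no, key, key in seed_keys))
    return sorted(hits)


def demo():
    """Constructed sample: a loot file holding the two key IDs from the wiki's
    example output, and a fake repo that leaks one of them in a settings file
    plus an unrelated (constructed) key ID in its README."""
    with tempfile.TemporaryDirectory() as tmp:
        loot = Path(tmp, "access-keys.txt")
        loot.write_text("AKIAQXHJKLZKIJ6QPJFK\nAKIAQXHJKLZKG2U6MIFF\n")
        repo = Path(tmp, "repo")
        (repo / "config").mkdir(parents=True)
        (repo / "config" / "settings.py").write_text(
            "AWS_ACCESS_KEY_ID = 'AKIAQXHJKLZKIJ6QPJFK'\nDEBUG = True\n")
        (repo / "README.md").write_text(
            "example: AKIAEXAMPLE000000001 (constructed, not one of ours)\n")
        return scan_tree(repo, load_seed_keys(loot))


if __name__ == "__main__":
    for rel, line_no, key, ours in demo():
        print(f"{rel}:{line_no}: {key} {'<-- in-scope account key' if ours else '(other account)'}")
```

Hits that are in the seed list are the ones to chase first, since they map straight back to a user in the account you just enumerated; hits outside the seed list still belong to some AWS account and are worth reporting, just not necessarily one in scope.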

api-gws

Command api-gws
Summary Enumerate API gateways. Get a loot file with formatted cURL requests.
Introduced v1.13.0
Author Wyatt Dahlenburg
Background API Gateways are the front door to many other services running in AWS. They can load files from S3 buckets, can redirect to lambda functions, and there are many other options as well. As a penetration tester, you want to use any information you have available to you. So if you have the ability to describe API gateways, you might find an API key that will let you interact with the backend service. This command grabs all of the information needed and generates cURL commands for you to poke at the APIs.
Loot file(s): loot/api-gws.txt

Example 1: enumerates the API gateways in the account

[🦊 cloudfox v1.13.2 🦊 ][cloudfoxable] AWS Caller Identity: arn:aws:iam::987990985088:user/ctf-starting-user
[🦊 cloudfox v1.13.2 🦊 ][cloudfoxable] Account is part of an Organization and is a child account. Management Account: 289507344597
[api-gw][cloudfoxable] Enumerating api-gateways for account 987990985088.
[api-gw] Status: 68/68 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭──────────────┬───────────┬──────────┬─────────┬──────────────────────────────────────────────────────────────────┬────────┬────────╮
│   Service    │  Region   │ Name     │ Method  │ Endpoint                                                         │ ApiKey │ Public │
├──────────────┼───────────┼──────────┼─────────┼──────────────────────────────────────────────────────────────────┼────────┼────────┤
│ APIGateway   │ us-east-2 │ api1     │ POST    │ https://abcdefgt7.execute-api.us-east-2.amazonaws.com/prod/add   │ abc    │ True   │
│ APIGateway   │ us-east-2 │ api2     │ OPTIONS │ https://defghigk.execute-api.us-east-2.amazonaws.com/prod/cart   │        │ True   │
│ APIGateway   │ us-east-1 │ api3     │ POST    │ https://zbbebfdsd.execute-api.us-east-1.amazonaws.com/UUID/UUID  │        │ True   │
│ APIGateway   │ us-east-2 │ api1     │ POST    │ https://abcdefgt7.execute-api.us-east-2.amazonaws.com/prod/remove│ abc    │ True   │
╰──────────────┴───────────┴──────────┴─────────┴──────────────────────────────────────────────────────────────────┴────────┴────────╯
[api-gw][cloudfoxable] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#api-gw
[🦊 cloudfox v1.13.2 🦊 ][cloudfoxable] Cached AWS data written to /Users/sethart/.cloudfox/cached-data/aws/987990985088

buckets

Command buckets
Summary Lists the buckets in the account and gives you handy commands for inspecting them further.
Introduced v1.6.0
Author Bishop Fox
Background S3 buckets contain files. Buckets can be public or private, and files within buckets can also be public or private. If a bucket is public, and it contains sensitive or private data, that can be bad. That's the stuff you hear about on the news. The important thing to look for when evaluating bucket permissions is the combination of list and get permissions. If you can get (download) all of the objects in the bucket, but you can't list them, that's not useful unless you already know the file names or locations. But if you can list and get the objects, you can essentially download the entire bucket.

Just because a bucket is private, it does not mean it is not a target on a cloud penetration test. If you are acting as a compromised user or application, and that application has access to a private bucket, that is an attack path worth investigating. As a penetration tester, you'll want to figure out what buckets exist, select the ones that seem interesting, and then ultimately, you'll want to get the objects (files) that seem interesting within the buckets. The way this often plays out is that you use this buckets module to help find interesting items, and then as you gain more access on your penetration test, you check to see if you have gained access to a principal that has permission to access the objects you have identified as interesting. When you have, you can use the commands in the loot file to download the contents of the bucket.
Use case 1:
Find interesting buckets
The first thing you should do is look to see which buckets look interesting. Look for bucket names that look like they contain sensitive data, or secrets, or both.
Use case 2:
Selectively list and/or download files
Use the pre-populated commands in the loot file to list the file names of certain buckets, and download files from the buckets. You will need to execute these commands as a principal with permission to list and download objects in the targeted buckets, which you might or might not have.
Loot file(s): loot/bucket-commands.txt

Example:

❯ cloudfox aws --profile cf-exec -v2 buckets
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942714852430000
[buckets] Enumerating buckets for account 049881439828.
[buckets] Status: 1/1 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬────────┬──────────────────────────────────────╮
│ Service │ Region │                 Name                 │
├─────────┼────────┼──────────────────────────────────────┤
│ S3      │ Global │ cf-templates-1c3fmu2nov5ko-us-east-1 │
│ S3      │ Global │ cloudfox-bucket1                     │
│ S3      │ Global │ cloudfox-bucket2                     │
│ S3      │ Global │ cloudfox-bucket3                     │
│ S3      │ Global │ cloudfox-terraform-state             │
╰─────────┴────────┴──────────────────────────────────────╯
[buckets] Output written to [cloudfox-output/aws/cf-exec/table/buckets.txt]
[buckets] Output written to [cloudfox-output/aws/cf-exec/csv/buckets.csv]
[buckets] Loot written to [cloudfox-output/aws/cf-exec/loot/bucket-commands.txt]
[buckets] 5 buckets found.

Loot Example:

❯ cat cloudfox-output/aws/cflab/loot/bucket-commands.txt
#############################################
# The profile you will use to perform these commands is most likely not the profile you used to run CloudFox
# Set the $profile environment variable to the profile you are going to use to inspect the buckets.
# E.g., export profile=dev-prod.
#############################################

# ------------------------------
# Bucket: cloudfox-bucket2-zwt9j
# Recursively list all file names
aws --profile $profile s3 ls --human-readable --summarize --recursive --page-size 1000 s3://cloudfox-bucket2-zwt9j/
# Download entire bucket (do this with caution as some buckets are HUGE)
mkdir -p ./s3-buckets/cloudfox-bucket2-zwt9j
aws --profile $profile s3 cp s3://cloudfox-bucket2-zwt9j/ ./s3-buckets/cloudfox-bucket2-zwt9j --recursive
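
The Background section makes the point that what matters is the combination of s3:ListBucket and s3:GetObject: get without list is nearly useless, and list plus get means the whole bucket can be pulled. The following is an added example (not part of the wiki or of cloudfox) that checks that combination against an IAM identity policy document, so you can tell before running the loot-file commands whether the principal you hold can actually dump a given bucket. It is a deliberately simplified evaluator: Allow and explicit Deny statements, IAM-style wildcards in Action and Resource, no Condition evaluation (conditions are ignored, so "allowed" is an upper bound) and no resource or bucket policies. The policy document and bucket names below are constructed (the bucket names are borrowed from the example output above).

```python
import fnmatch
import json

# Constructed sample identity policy for the principal being evaluated.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::cloudfox-bucket1"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::cloudfox-bucket1/*", "arn:aws:s3:::cloudfox-bucket2/*"]},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::cloudfox-terraform-state*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::cloudfox-terraform-state/*"}
  ]
}""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' a single one."""
    return fnmatch.fnmatchcase(value, pattern)


def allowed_actions(policy, bucket, wanted):
    """Return the subset of `wanted` S3 actions the policy grants on `bucket`.

    s3:ListBucket is evaluated against the bucket ARN; object actions
    (s3:GetObject, ...) against the wildcard object ARN, i.e. the check asks
    whether *every* object in the bucket is reachable, which is what
    "download the entire bucket" needs. Conditions are not evaluated.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/*"
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # actions are case-insensitive
        resources = _as_list(stmt.get("Resource"))
        bucket_ok = any(_matches(r, bucket_arn) for r in resources)
        object_ok = any(_matches(r, object_arn) for r in resources)
        for action in wanted:
            target_ok = bucket_ok if action.lower() == "s3:listbucket" else object_ok
            if not target_ok:
                continue
            if any(_matches(a, action.lower()) for a in actions):
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return allowed - denied  # an explicit Deny always wins


def can_dump_bucket(policy, bucket):
    """True only when both list and get are granted on the whole bucket."""
    needed = {"s3:ListBucket", "s3:GetObject"}
    return allowed_actions(policy, bucket, sorted(needed)) == needed


if __name__ == "__main__":
    for name in ["cloudfox-bucket1", "cloudfox-bucket2", "cloudfox-bucket3", "cloudfox-terraform-state"]:
        got = allowed_actions(SAMPLE_POLICY, name, ["s3:ListBucket", "s3:GetObject"])
        print(f"{name:28} {sorted(got)!s:36} dumpable={can_dump_bucket(SAMPLE_POLICY, name)}")
```

With the sample policy, cloudfox-bucket1 is fully dumpable, cloudfox-bucket2 has get but no list (the "not useful unless you already know the file names" case from the Background), and the explicit Deny on cloudfox-terraform-state objects blocks the download even though s3:* was allowed. Treat a positive result as "worth confirming": the authoritative answer comes from the service itself, for example via iam:SimulatePrincipalPolicy or simply trying the `aws s3 ls` command from the loot file.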

cape (Cross-Account Privilege Escalation finder)

Command cape
Summary Enumerates cross-account privilege escalation paths. Cape can answer these questions and more: Which IAM principals in your other accounts can touch your production account? Which vendor accounts, GitHub repositories, Okta groups, and Terraform projects have a path to production? And the most pressing concern: Do any of these cross-account paths lead to administrative privileges?

Think of cape like this: Pmapper and cloudfox's role-trusts commands had a baby, and that baby can help you find cross account privilege escalation paths.
Introduced v1.14.0
Author Bishop Fox
Background As a penetration tester or security engineer, you have been given SecurityAudit permissions to 3 AWS accounts: production, operations, and development. Your objective is to figure out if there is any way the role developer in the development account can gain administrative permissions in the production account. Let's walk through how you can answer that question with cape below.

Usage Instructions:

  1. Configure a profile for each in scope account: production, operations, and development:
    ❯ cat ../tmp/sethenv.profiles
    dev.AWSAdministratorAccess
    Operations.AdministratorAccess
    prod.AWSAdministratorAccess
    
  2. Run pmapper for each profile:
    ❯ for line in `cat ../tmp/sethenv.profiles`; do pmapper --profile $line graph create; done
    
    Note: This will save the pmapper data on the host that ran pmapper in a predictable location that cloudfox will use as long as cloudfox is run on the same host/container/machine that ran pmapper.
  3. Run cloudfox's cape command on each profile using cloudfox's -l (profile-list) option:
    ./cloudfox aws -l ../tmp/sethenv.profiles cape --admin-only
    
    Note: The --admin-only flag significantly reduces the amount of time it takes for cape to run, so I suggest running that first. Then, feel free to try it without that flag. It will work, but might take hours depending on how many accounts are in scope.
  4. Cloudfox's cape command will give you the standard table output by default, but this output is almost impossible to read without an ultra-wide monitor. To address this, I created a terminal user interface using a Go library called Bubbletea. Check it out with the following command:
    cloudfox aws -l ../tmp/sethenv.profiles cape tui --admin-only
    

[image: screenshot of the cape tui output]

cloudformation

Command cloudformation
Summary Lists the cloudformation stacks in the account. Generates loot file with stack details, stack parameters, and stack output.
Introduced v1.8.0
Author Bishop Fox
Background Cloudformation is AWS's infrastructure-as-code service. You create a Cloudformation template that, when executed, creates the AWS resources described in the template. For example, a single Cloudformation template, when executed, can create an EC2 instance, an S3 bucket, and an IAM role, and then attach the IAM role to the EC2 instance. You can sometimes find secrets in Cloudformation templates. This is not as fruitful as finding secrets in environment variables or EC2 user-data scripts, but it is still worth looking. AWS automatically redacts secrets that match certain naming conventions in certain locations, but if you get lucky, you will find a password, API key, or something valuable here.
Use case 1:
Look for Secrets
Search the loot file for any secrets.
Loot file(s): loot/cloudformation-data.txt

Example:

❯ cloudfox aws --profile cflab -v2 cloudformation
[🦊 cloudfox v1.8.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/seth
[cloudformation][cflab] Enumerating cloudformation stacks for account 049881439828.
[cloudformation] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────────┬───────────┬─────────────────────────────┬──────╮
│    Service     │  Region   │            Name             │ Role │
├────────────────┼───────────┼─────────────────────────────┼──────┤
│ cloudformation │ us-west-1 │ intro                       │      │
│ cloudformation │ us-west-2 │ privesc-cloudformationStack │      │
│ cloudformation │ us-west-2 │ token                       │      │
╰────────────────┴───────────┴─────────────────────────────┴──────╯
[cloudformation] Output written to [cloudfox-output/aws/cflab/table/cloudformation.txt]
[cloudformation] Output written to [cloudfox-output/aws/cflab/csv/cloudformation.csv]
[cloudformation][cflab] Loot written to [cloudfox-output/aws/cflab/loot/cloudformation-data.txt]

Loot Example:

❯ cat cloudfox-output/aws/cflab/loot/cloudformation-data.txt
#############################################
# Look for secrets. Use something like trufflehog
#############################################

=============================================
Stack Name: privesc-cloudformationStack
Stack Outputs:
Stack Parameters:
Stack Template:
 {"Resources":{"Secret1":{"Properties":{"Description":"Super strong password that nobody would ever be able to guess","Name":"iam-vulnerable","SecretString":"Summer2021!"},"Type":"AWS::SecretsManager::Secret"}}}
=============================================
=============================================
Stack Name: token
Stack Outputs:
Stack Parameters:
Stack Parameter Key: IP
Stack Parameter Value: 74.69.129.103
Stack Parameter Key: VPC
Stack Parameter Value: vpc-0c924df8a157859e0
Stack Parameter Key: Subnet
Stack Parameter Value: subnet-0be80af569fa0e1a4
Stack Template:
 Parameters:
  IP:
    Type: String
    Description: Enter your source IPv4 address
...omitted for brevity...
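
Use case 1 says to search the loot file for secrets, and the loot header suggests a generic scanner such as trufflehog. The following is an added example (not part of the wiki or of cloudfox) of a small, format-aware alternative: it parses the cloudformation-data.txt layout shown above (blocks separated by lines of "=", "Stack Name:", "Stack Parameter Key:/Value:" pairs, and a "Stack Template:" section that runs to the end of the block), then flags template keys and parameters whose names look secret-bearing while skipping values AWS has already redacted or that are only references to a parameter (for example "!Ref" or a "{{resolve" dynamic reference). The JSON template path is walked structurally; anything that is not JSON (a YAML template) gets a line-level key: value scan. The loot text below is constructed from the two stacks shown on this page plus a third, made-up "db" stack.

```python
import json
import re

# Key names that usually carry credentials. Matched against keys, never values.
SENSITIVE_KEY_RE = re.compile(
    r"(secretstring|password|passwd|secret|token|apikey|api_key|privatekey|credential)", re.I)
# Loose "key: value" / "key": "value" line matcher for non-JSON (YAML) templates.
LINE_RE = re.compile(r'^\s*"?([A-Za-z_]+)"?\s*:\s*"?([^",\n]+?)"?\s*,?\s*$')

# Constructed sample in the loot file's format. Stacks 1 and 2 mirror the
# wiki's example; the "db" stack is invented to show the redaction handling.
SAMPLE_LOOT = """#############################################
# Look for secrets. Use something like trufflehog
#############################################

=============================================
Stack Name: privesc-cloudformationStack
Stack Outputs:
Stack Parameters:
Stack Template:
 {"Resources":{"Secret1":{"Properties":{"Description":"Super strong password that nobody would ever be able to guess","Name":"iam-vulnerable","SecretString":"Summer2021!"},"Type":"AWS::SecretsManager::Secret"}}}
=============================================
=============================================
Stack Name: token
Stack Outputs:
Stack Parameters:
Stack Parameter Key: IP
Stack Parameter Value: 74.69.129.103
Stack Parameter Key: VPC
Stack Parameter Value: vpc-0c924df8a157859e0
Stack Template:
 Parameters:
  IP:
    Type: String
    Description: Enter your source IPv4 address
=============================================
=============================================
Stack Name: db
Stack Outputs:
Stack Parameters:
Stack Parameter Key: DBPassword
Stack Parameter Value: ****
Stack Template:
 Resources:
  Db:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUserPassword: !Ref DBPassword
      ApiKey: "hunter2-not-a-real-key"
=============================================
"""


def parse_loot(text):
    """Split the loot file into stacks: {name, parameters, template}."""
    stacks = []
    for block in re.split(r"^=+[ \t]*$", text, flags=re.M):
        lines = block.strip("\n").splitlines()
        if not any(line.startswith("Stack Name:") for line in lines):
            continue  # header comment or empty gap between separators
        stack = {"name": None, "parameters": {}, "template": ""}
        pending_key, in_template, template_lines = None, False, []
        for line in lines:
            if in_template:
                template_lines.append(line)
            elif line.startswith("Stack Name:"):
                stack["name"] = line.split(":", 1)[1].strip()
            elif line.startswith("Stack Parameter Key:"):
                pending_key = line.split(":", 1)[1].strip()
            elif line.startswith("Stack Parameter Value:") and pending_key is not None:
                stack["parameters"][pending_key] = line.split(":", 1)[1].strip()
                pending_key = None
            elif line.startswith("Stack Template:"):
                in_template = True
        stack["template"] = "\n".join(template_lines)
        stacks.append(stack)
    return stacks


def _looks_redacted(value):
    """True for AWS-masked values and for parameter/dynamic references."""
    v = value.strip()
    return (v == "" or set(v) <= {"*"} or v.lower() == "redacted"
            or v.startswith(("{{resolve", "!Ref", "!Sub", "!GetAtt")))


def _walk_json(node, path, out):
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, str) and SENSITIVE_KEY_RE.search(key) and not _looks_redacted(value):
                out.append((".".join(path + [key]), value))
            _walk_json(value, path + [key], out)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk_json(value, path + [str(i)], out)


def find_secrets(stack):
    """Return (location, value) pairs worth a human look for one stack."""
    findings = [("parameter:" + k, v) for k, v in stack["parameters"].items()
                if SENSITIVE_KEY_RE.search(k) and not _looks_redacted(v)]
    template = stack["template"].strip()
    try:
        _walk_json(json.loads(template), ["template"], findings)
    except ValueError:  # not JSON: YAML template, scan line by line
        for line in template.splitlines():
            m = LINE_RE.match(line)
            if m and SENSITIVE_KEY_RE.search(m.group(1)) and not _looks_redacted(m.group(2)):
                findings.append(("template:" + m.group(1), m.group(2)))
    return findings


def report(text):
    """Map stack name -> findings for a whole loot file."""
    return {s["name"]: find_secrets(s) for s in parse_loot(text)}


if __name__ == "__main__":
    for name, hits in report(SAMPLE_LOOT).items():
        print(name, hits or "(nothing flagged)")
```

On the sample, the SecretString in the first stack is flagged, the token stack yields nothing, and in the db stack the masked DBPassword parameter and the `!Ref` are skipped while the literal ApiKey is reported. The key-name list is a heuristic, so a clean result is not proof of absence; it is a fast first pass before reading the long templates by hand.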

codebuild

Command codebuild
Summary Enumerate CodeBuild projects.
Introduced v1.11.0
Author Bishop Fox

Example:

❯ cloudfox aws --profile cflab -v2 codebuild
[🦊 cloudfox v1.13.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/seth
[codebuild][cflab] Enumerating codebuild projects for account 049881439828.
[codebuild] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭───────────┬───────────────────────────┬─────────────────────────────────────────────────────────────────────────┬──────────────┬────────────────────╮
│  Region   │ Name                      │                        Role                                             │ IsAdminRole? │ CanPrivEscToAdmin? │
├───────────┼───────────────────────────┼─────────────────────────────────────────────────────────────────────────┼──────────────┼────────────────────┤
│ us-west-2 │ testing-deployment        │ arn:aws:iam::049881439828:role/ecs/deployment/testing                   │ No           │ No                 │
│ us-west-2 │ notifications-deployment  │ arn:aws:iam::049881439828:role/ecs/deployment/code-build-notifications  │ No           │ No                 │
│ us-west-2 │ search-deployment         │ arn:aws:iam::049881439828:role/ecs/deployment/code-build--search        │ No           │ No                 │
╰───────────┴───────────────────────────┴─────────────────────────────────────────────────────────────────────────┴──────────────┴────────────────────╯
[codebuild][cflab] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cflab-049881439828/table/codebuild.txt
[codebuild][cflab] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cflab-049881439828/csv/codebuild.csv
[codebuild][cflab] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cflab-049881439828/json/codebuild.json

databases

Command databases
Summary Enumerate RDS databases. Get a loot file with connection strings
Introduced v1.11.0
Author Bishop Fox (Contributions from @enzowritescode)

Example:

❯ cloudfox aws --profile cloudfoxable databases
[🦊 cloudfox v1.14.0-prerelease 🦊 ][cloudfoxable] AWS Caller Identity: arn:aws:iam::987990985088:user/ctf-starting-user
[🦊 cloudfox v1.14.0-prerelease 🦊 ][cloudfoxable] Account is part of an Organization and is a child account. Management Account: 289507344597
[databases][cloudfoxable] Enumerating databases for account 987990985088.
[databases][cloudfoxable] Supported Services: RDS, Redshift, DynamoDB, DocumentDB, Neptune
[databases] Status: 51/51 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[databases][cloudfoxable] Loot written to [/Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/loot/databases-UrlsOnly.txt]
╭──────────┬────────┬───────────┬──────────────────┬──────┬──────────┬──────────┬──────╮
│ Service  │ Engine │  Region   │       Name       │ Size │ UserName │ Endpoint │ Port │
├──────────┼────────┼───────────┼──────────────────┼──────┼──────────┼──────────┼──────┤
│ DynamoDB │        │ us-west-2 │ my-user-profiles │ 0    │ N/A      │ N/A      │ 0    │
╰──────────┴────────┴───────────┴──────────────────┴──────┴──────────┴──────────┴──────╯
[databases][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/table/databases.txt
[databases][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/csv/databases.csv
[databases][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/json/databases.json
[databases][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/loot/databases-UrlsOnly.txt.txt
[databases][cloudfoxable] 2 databases found.
[databases][cloudfoxable] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#databases
[🦊 cloudfox v1.14.0-prerelease 🦊 ][cloudfoxable] Cached AWS data written to /Users/sethart/.cloudfox/cached-data/aws/987990985088

ecr

Command ecr
Summary List the most recently pushed image from all repositories.
Introduced v1.6.0
Author Bishop Fox
Background ECR is a container image registry, like DockerHub. An organization can use ECR to host public images, but most organizations use it mainly for private images that run in their private infrastructure. Sometimes the people who build images bake sensitive credentials or sensitive client data into the image itself, which should not happen. The recommended approach is to keep the container image free of hardcoded credentials or data and to pull that information into the container at runtime.

As a penetration tester, if you have access to a principal that can download container images from ECR, use the commands in the loot file to pull selected container images to your local filesystem and look for secrets, sensitive data, or anything else that helps you meet the penetration testing objectives.
Use case 1: Look for Secrets and/or other sensitive data.
Loot file(s): loot/ecr-pull-commands.txt

Example:

❯ cloudfox aws --profile cf-exec -v2 ecr
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[ecr][cflab] Enumerating container repositories for account 049881439828.
[ecr] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬───────────┬───────────────┬───────────────────────────────────────────────────────────────────┬─────────────────────┬───────────┬───────────╮
│ Service │  Region   │     Name      │                                URI                                │      PushedAt       │ ImageTags │ ImageSize │
├─────────┼───────────┼───────────────┼───────────────────────────────────────────────────────────────────┼─────────────────────┼───────────┼───────────┤
│ ECR     │ us-west-2 │ cloudfox-repo │ 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest │ 2022-09-12 17:51:57 │ latest    │ 718945268 │
╰─────────┴───────────┴───────────────┴───────────────────────────────────────────────────────────────────┴─────────────────────┴───────────┴───────────╯
[ecr] Output written to [cloudfox-output/aws/cflab/table/ecr.txt]
[ecr] Output written to [cloudfox-output/aws/cflab/csv/ecr.csv]
[ecr][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecr-pull-commands.txt]
[ecr][cflab] 1 repositories found.

Loot Example:

❯ cat cloudfox-output/aws/cflab/loot/ecr-pull-commands.txt
#############################################
# The profile you will use to perform these commands is most likely not the profile you used to run CloudFox
# Set the $profile environment variable to the profile you are going to use to inspect the repositories.
# E.g., export profile=dev-prod.
#############################################

aws --profile $profile --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin 049881439828.dkr.ecr.us-west-2.amazonaws.com
docker pull 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest
docker inspect 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest
docker history --no-trunc 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest
docker run -it --entrypoint /bin/sh 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest
docker save 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest -o cloudfox-repo.tar
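Once the image is pulled and saved, the next step is the secret hunt. The script below is an added example written for this page; it is not CloudFox code. It walks a `docker save` tarball offline and checks every file in every layer, plus the image config JSON (where Dockerfile ENV values end up), for credential-shaped strings. The sample image it builds is constructed so the script runs without Docker or ECR, and the access key ID inside it is the documented AWS example value, not a live credential.

```python
"""Scan a `docker save` tarball for credential-looking strings.

Added example for this wiki page; it is not CloudFox code. It assumes the
tarball came from `docker save <image> -o image.tar` (as in the loot file)
and so holds one or more layer tars, either as <id>/layer.tar in the legacy
layout or as blobs/sha256/<digest> in the OCI layout, plus the image config
JSON. It scans every regular file inside every layer and the config JSON
itself, since Dockerfile ENV values land in the config's "Env" list. The
image built by build_sample_image_tar() is a constructed stand-in.
"""
import io
import re
import tarfile

# Patterns a pentester grabs first: AWS access key IDs, private key headers,
# and KEY=VALUE pairs whose key name smells like a secret.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        rb"(?i)\b[A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*=[^\s\"']+"
    ),
}
MAX_FILE_BYTES = 5 * 1024 * 1024  # skip big binaries; regexes over them are slow and noisy


def scan_bytes(data, where):
    """Yield (where, pattern_name, matched_text) for every hit in one blob."""
    for label, pattern in PATTERNS.items():
        for m in pattern.finditer(data):
            yield (where, label, m.group(0).decode("latin-1"))


def scan_image_tar(image_tar_bytes):
    """Walk the outer `docker save` tar and scan each layer tar inside it."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes)) as outer:
        for member in outer.getmembers():
            if not member.isfile():
                continue
            data = outer.extractfile(member).read()
            try:
                # Layers may be plain or gzip-compressed tars; tarfile auto-detects.
                layer = tarfile.open(fileobj=io.BytesIO(data))
            except tarfile.TarError:
                # Not a layer (manifest.json, config JSON): scan it directly.
                hits.extend(scan_bytes(data, member.name))
                continue
            with layer:
                for entry in layer.getmembers():
                    if not entry.isfile() or entry.size > MAX_FILE_BYTES:
                        continue
                    content = layer.extractfile(entry).read()
                    hits.extend(scan_bytes(content, f"{member.name}:{entry.name}"))
    return hits


def _tar_of(files):
    """Build an in-memory tar from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image_tar():
    """Constructed stand-in for `docker save` output: one layer whose app/.env
    carries an AWS key ID and a DB password, plus a config JSON with an ENV
    secret. The key ID is the documented AWS example value, not a live key."""
    layer = _tar_of({
        "app/.env": b"DB_HOST=db.internal\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD=hunter2\n",
        "app/main.py": b"print('hello')\n",
    })
    config = b'{"config":{"Env":["PATH=/usr/bin","API_TOKEN=tok_constructed_123"]}}'
    return _tar_of({
        "deadbeef/layer.tar": layer,
        "deadbeef.json": config,
        "manifest.json": b'[{"Config":"deadbeef.json","Layers":["deadbeef/layer.tar"]}]',
    })


if __name__ == "__main__":
    # Real use: scan_image_tar(open("cloudfox-repo.tar", "rb").read())
    for where, label, text in scan_image_tar(build_sample_image_tar()):
        print(f"{label:20} {where}: {text}")
```

Run it against the `cloudfox-repo.tar` produced by the last loot command. Hits in the config JSON mean the secret was set with ENV or ARG and is also visible in `docker history --no-trunc` and `docker inspect`; hits inside a layer survive even if a later layer deleted the file, which is exactly why layers are scanned one by one rather than the flattened filesystem.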

ecs-tasks

Command ecs-tasks
Summary List all ECS tasks, with the associated cluster, task definition, container instance, launch type, and IAM principal for each.
Introduced v1.9.0
Author Dominic Breuker
Background The Elastic Container Service is a managed way to run containers in AWS. You can run a container directly on an EC2 instance if you'd like, or you can use Kubernetes. Think of ECS as somewhere in between doing it yourself and running full-blown Kubernetes. You create a task definition that defines which container image to use, what code to deploy, which IAM role to associate, and many other container configuration options. You then run a task from that task definition and, optionally, map a service to it so it is reachable by other resources.

As a penetration tester, you can first think about attacking ECS tasks from a network perspective. Just as you can target code running on an EC2 instance via its DNS name or IP address, you can do the same to ECS tasks. Like EC2, these are mostly going to be running web-based services, but they can and often do run non-web services.

Also like EC2 instances, if you can compromise a service running on an ECS task and gain RCE or SSRF, you can access the temporary credentials of the task's IAM role (the ECS agent serves them to the container over a link-local credential endpoint) and perform any action that role can perform.
Use case 1: Attack network services running on ECS tasks. Use the loot files with tools like nmap, Aquatone/EyeWitness/GoWitness. If you compromise a service, try to access the task's IAM role.
Loot file(s): loot/ecs-tasks-PublicIPs.txt
loot/ecs-tasks-PrivateIPs.txt

Example:

❯ cloudfox aws -p cflab ecs-tasks -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[ecs-tasks][cflab] Enumerating ECS tasks in all regions for account 049881439828
[ecs-tasks][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[ecs-tasks][cflab] Found pmapper data for this account. Using it for role analysis.
[ecs-tasks] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭──────────────────┬────────────────┬────────────┬──────────────────────────────────┬──────────────┬─────────────┬────────────────────────────────────────┬──────────────┬────────────────────╮
│     Cluster      │ TaskDefinition │ LaunchType │                ID                │ External IP  │ Internal IP │                RoleArn                 │ IsAdminRole? │ CanPrivEscToAdmin? │
├──────────────────┼────────────────┼────────────┼──────────────────────────────────┼──────────────┼─────────────┼────────────────────────────────────────┼──────────────┼────────────────────┤
│ cloudfox-cluster │ webapp:13      │ FARGATE    │ 44050e9c230a408593b9e7709be01ddf │ 35.92.101.69 │ 10.0.1.113  │ arn:aws:iam::049881439828:role/rapinoe │ No           │ No                 │
╰──────────────────┴────────────────┴────────────┴──────────────────────────────────┴──────────────┴─────────────┴────────────────────────────────────────┴──────────────┴────────────────────╯
[ecs-tasks] Output written to [cloudfox-output/aws/cflab/table/ecs-tasks.txt]
[ecs-tasks] Output written to [cloudfox-output/aws/cflab/csv/ecs-tasks.csv]
[ecs-tasks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecs-tasks-PrivateIPs.txt]
[ecs-tasks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecs-tasks-PublicIPs.txt]
[ecs-tasks][cflab] 1 ECS tasks found.

Example:

❯ cat cloudfox-output/aws/cflab/loot/ecs-tasks-PublicIPs.txt
52.41.51.204
❯ cat cloudfox-output/aws/cflab/loot/ecs-tasks-PrivateIPs.txt
10.0.1.205
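The credential grab mentioned above, as an added example for this page (not CloudFox code). Inside a running task the agent serves the task role's temporary credentials at `http://169.254.170.2` plus the per-task path in the container's `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` environment variable. With RCE you read the variable and fetch the URL; with SSRF alone you still need that path, for example from an environment or `/proc/self/environ` file read, because it contains a per-task identifier. The JSON document below is a constructed sample shaped like the real response, so the converter runs offline.

```python
"""Turn ECS task-role credentials into a local AWS CLI profile.

Added example for this wiki page, not CloudFox code. The endpoint host and
the environment variable name are the real ECS ones; SAMPLE_RESPONSE is a
constructed document with the same field names as the real response and
fake values.
"""
import json
import os
import urllib.request

ECS_CREDENTIAL_HOST = "http://169.254.170.2"


def credentials_url(environ=None):
    """Build the task credential URL from the container's environment."""
    environ = os.environ if environ is None else environ
    rel = environ.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if not rel:
        raise RuntimeError("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is unset: not an ECS task with a task role")
    return ECS_CREDENTIAL_HOST + rel


def fetch_task_credentials(url, timeout=2.0):
    """Fetch the credential document. Only reachable from inside the task."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def to_credentials_stanza(creds, profile):
    """Render the document as an ~/.aws/credentials profile.

    The session token is mandatory: the key pair alone is rejected by AWS.
    """
    for field in ("AccessKeyId", "SecretAccessKey", "Token"):
        if field not in creds:
            raise ValueError(f"credential document is missing {field}")
    return (
        f"[{profile}]\n"
        f"aws_access_key_id = {creds['AccessKeyId']}\n"
        f"aws_secret_access_key = {creds['SecretAccessKey']}\n"
        f"aws_session_token = {creds['Token']}\n"
        f"# role: {creds.get('RoleArn', '?')}  expires: {creds.get('Expiration', '?')}\n"
    )


# Constructed sample response (field names match the real endpoint; values are fake).
SAMPLE_RESPONSE = json.dumps({
    "RoleArn": "arn:aws:iam::049881439828:role/rapinoe",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
    "SecretAccessKey": "constructedSecretAccessKeyValue0000000000",
    "Token": "constructedSessionToken==",
    "Expiration": "2024-04-15T18:00:00Z",
})

if __name__ == "__main__":
    # On a real task: creds = fetch_task_credentials(credentials_url())
    print(to_credentials_stanza(json.loads(SAMPLE_RESPONSE), "ecs-task-rapinoe"))
```

Append the stanza to `~/.aws/credentials`, then run `aws sts get-caller-identity --profile ecs-task-rapinoe` to confirm you are now the task role; the `Expiration` comment tells you how long you have before you need to fetch again.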

eks

Command eks
Summary List all EKS clusters, see if they expose their API endpoint publicly, and check the IAM roles attached to each cluster or node group. Generates a loot file with the aws eks update-kubeconfig command needed to connect to each cluster.
Introduced v1.9.0
Author Bishop Fox
Background Kubernetes is a container orchestrator, aka a way to run containers. EKS is AWS's managed Kubernetes offering. Penetration testing AWS with managed Kubernetes is a bit like the movie Inception: you don't have a clear view of the Kubernetes layer until you're in the Kubernetes layer. You first need to gain access to a user with access to the Kubernetes cluster, or a service within the cluster, to see what's going on.

Another thing to note is you can have an environment where 90% of the "secret sauce" of the company uses AWS native services like EC2, S3, RDS, Lambda, etc., and maybe 10% uses EKS/Kubernetes. You can also have an environment where 10% of the "secret sauce" is running on AWS services, and 90% is running inside the EKS cluster. Another illustrative example: you can have an AWS account running at a cost of $100k/month where the whole account consists of 1 EKS cluster! Not an EC2 instance, Lambda function, RDS database, or S3 bucket in sight.

As a penetration tester, if EKS is in use, you want to see if there is any way to gain access to a principal with access to the target cluster(s). One important note: you might find a principal that can run aws eks update-kubeconfig (which only needs the eks:DescribeCluster permission), but that is only half of what you need. It lets you build a kubeconfig that points at the cluster, but whether you can actually do anything depends on whether your IAM principal is mapped to a Kubernetes identity. On most clusters that mapping lives inside the cluster itself, in the aws-auth ConfigMap in the kube-system namespace, not in IAM; newer clusters can also grant it through EKS access entries.
Use case 1:
Look for access to clusters
Use the loot file commands to see if any of your compromised principals have access to any of the EKS clusters. This authorization check happens inside the cluster, so this is a case where brute force (seeing if you can access all of the clusters) might be fruitful.
Loot file(s): loot/eks-kubeconfig-commands.txt

Example:

❯ cloudfox aws -p cflab eks -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[eks][cflab] Enumerating EKS clusters for account 049881439828.
[eks][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[eks][cflab] Found pmapper data for this account. Using it for role analysis.
[eks] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬───────────┬──────────┬────────┬───────────────┬─────────────────────────────────────────┬──────────────┬────────────────────╮
│ Service │  Region   │ Name     │ Public │ NodeGroup     │                 Role                    │ IsAdminRole? │ CanPrivEscToAdmin? │
├─────────┼───────────┼──────────┼────────┼───────────────┼─────────────────────────────────────────┼──────────────┼────────────────────┤
│ EKS     │ us-east-1 │ test-eks │ true   │ nodegroup1    │ arn:aws:iam::049881439828:role/role1    │ No           │ No                 │
│ EKS     │ us-east-1 │ test-eks │ true   │ nodegroup2    │ arn:aws:iam::049881439828:role/role2    │ No           │ No                 │
╰─────────┴───────────┴──────────┴────────┴───────────────┴─────────────────────────────────────────┴──────────────┴────────────────────╯
[eks] Output written to [cloudfox-output/aws/cflab/table/eks.txt]
[eks] Output written to [cloudfox-output/aws/cflab/csv/eks.csv]
[eks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/eks-kubeconfig-commands.txt]
[eks][cflab] 1 clusters with a total of 2 node groups found.

Loot Example:

❯ cat cloudfox-output/aws/cflab/loot/eks-kubeconfig-commands.txt
#############################################
# The profile you will use to perform these commands is most likely not the profile you used to run CloudFox
# Set the $profile environment variable to the profile you are going to use to inspect the repositories.
# E.g., export profile=found_creds
#############################################

aws --profile $profile --region us-east-1 eks update-kubeconfig --name cflab
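The brute-force check from use case 1, as an added example for this page (not CloudFox code). It reads the loot file, and for each compromised profile and each cluster writes a kubeconfig context with `aws eks update-kubeconfig --alias` and then probes it with `kubectl auth can-i --list`, sorting the outcome into "IAM could not even describe the cluster", "IAM fine but no Kubernetes identity", and "we're in". The `run` callable is injectable so the flow can be exercised without aws or kubectl installed; `SAMPLE_LOOT` is constructed from the loot example above.

```python
"""Try every EKS cluster in the loot file with each compromised profile.

Added example for this wiki page, not CloudFox code. The loot file only
tells you which clusters exist; whether a principal is mapped to anything
inside a cluster (aws-auth ConfigMap or access entries) can only be learned
by trying.
"""
import re
import subprocess

LOOT_LINE = re.compile(r"--region\s+(\S+)\s+eks\s+update-kubeconfig\s+--name\s+(\S+)")


def parse_loot(text):
    """Return (region, cluster) pairs from eks-kubeconfig-commands.txt."""
    clusters = []
    for line in text.splitlines():
        m = LOOT_LINE.search(line)
        if m:
            clusters.append((m.group(1), m.group(2)))
    return clusters


def run_cli(cmd):
    """Run a command and return (returncode, stderr)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stderr


def check_access(clusters, profiles, run=run_cli):
    """Return (profile, region, cluster, verdict) for every combination."""
    results = []
    for profile in profiles:
        for region, cluster in clusters:
            ctx = f"{profile}-{cluster}"
            rc, _ = run(["aws", "--profile", profile, "--region", region, "eks",
                         "update-kubeconfig", "--name", cluster, "--alias", ctx])
            if rc != 0:
                # eks:DescribeCluster denied, or the cluster is not visible to this profile
                results.append((profile, region, cluster, "no-describe-cluster"))
                continue
            rc, err = run(["kubectl", "--context", ctx, "auth", "can-i", "--list"])
            if rc == 0:
                verdict = "cluster-access"          # go read the can-i table for this context
            elif "Unauthorized" in err:
                verdict = "not-mapped-in-cluster"   # IAM ok, but no Kubernetes identity
            else:
                verdict = "error"                   # e.g. private endpoint unreachable; read stderr
            results.append((profile, region, cluster, verdict))
    return results


# Constructed from the loot example above.
SAMPLE_LOOT = """#############################################
# Set the $profile environment variable to the profile you are going to use.
#############################################

aws --profile $profile --region us-east-1 eks update-kubeconfig --name cflab
"""

if __name__ == "__main__":
    for row in check_access(parse_loot(SAMPLE_LOOT), ["found_creds"]):
        print(*row)
```

A "not-mapped-in-cluster" result is still worth noting: it proves the principal can reach the API server, so a later mapping change (or a second principal that is mapped) turns it into access. An "error" with a private-endpoint cluster usually means you need to run the same loop from a host inside the VPC.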

elastic-network-interfaces

Command elastic-network-interfaces
Summary List all elastic network interfaces, including ENI ID, type, external IP, private IP, VPC ID, attached instance, and description.
Introduced v1.9.0
Author Dominic Breuker
Background Elastic network interfaces are the virtual NICs attached to resources in your account, like EC2 instances, RDS databases, ECS tasks, and Elastic Load Balancers. This command gets you ALL of the IP addresses associated with ENIs. Think of the data returned by this module as a superset of the data returned by the instances command: it gives you all of the IPs associated with EC2 instances, but it also includes IP addresses associated with RDS databases, EFS mount targets, gateways, ELBs, and more. In other words, if you only scan the IP addresses assigned to EC2 instances, you will miss services running in the AWS account.

As a penetration tester, you can take the IP addresses generated from this command and feed them into your port scanning tools like nmap and your application fingerprinting tools like Aquatone/EyeWitness/GoWitness.
Use case 1 Identify and attack network services
Loot file(s): loot/elastic-network-interfaces-PrivateIPs.txt
loot/elastic-network-interfaces-PublicIPs.txt

Example:

❯ cloudfox aws -p cflab eni -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[elastic-network-interfaces][cflab] Enumerating elastic network interfaces in all regions for account 049881439828
[elastic-network-interfaces] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭───────────────────────┬───────────┬────────────────┬──────────────┬───────────────────────┬─────────────────────┬────────────────────────────────────────────────────────────────────────────────────╮
│          ID           │   Type    │  External IP   │ Internal IP  │        VPC ID         │  Attached Instance  │                                    Description                                     │
├───────────────────────┼───────────┼────────────────┼──────────────┼───────────────────────┼─────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ eni-0d53e3af1ccb2ff78 │ interface │ 34.221.102.135 │ 10.0.1.198   │ vpc-0a5b555f19236f968 │ i-09c4720abd8089326 │                                                                                    │
│ eni-00ba66c87a55bb1a0 │ interface │ NoExternalIP   │ 10.0.1.160   │ vpc-0a5b555f19236f968 │                     │ EFS mount target for fs-056221b8056f6cb13 (fsmt-0e32c91201616cd48)                 │
│ eni-0c9cedc3ea703c03f │ interface │ 52.12.121.187  │ 10.0.1.106   │ vpc-0a5b555f19236f968 │ i-08c087a559323aff9 │                                                                                    │
│ eni-0b315774508ae9615 │ interface │ 54.187.4.219   │ 10.0.1.111   │ vpc-0a5b555f19236f968 │ i-08ec238f610e9c915 │                                                                                    │
│ eni-0b409f9e9de0325d0 │ interface │ 52.26.221.228  │ 10.0.1.63    │ vpc-0a5b555f19236f968 │ i-06ba5dcc0b5de0257 │                                                                                    │
│ eni-0ae4d60fd191fee82 │ interface │ 52.41.51.204   │ 10.0.1.205   │ vpc-0a5b555f19236f968 │                     │ arn:aws:ecs:us-west-2:049881439828:attachment/15b7c6be-e4c5-4a40-9da2-226fd2f7fab2 │
│ eni-0da7f0c3498e8688d │ interface │ 34.214.146.170 │ 172.31.29.24 │ vpc-0c924df8a157859e0 │ i-02ec97d835d8738dc │                                                                                    │
╰───────────────────────┴───────────┴────────────────┴──────────────┴───────────────────────┴─────────────────────┴────────────────────────────────────────────────────────────────────────────────────╯
[elastic-network-interfaces] Output written to [cloudfox-output/aws/cflab/table/elastic-network-interfaces.txt]
[elastic-network-interfaces] Output written to [cloudfox-output/aws/cflab/csv/elastic-network-interfaces.csv]
[elastic-network-interfaces][cflab] Loot written to [cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PrivateIPs.txt]
[elastic-network-interfaces][cflab] Loot written to [cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PublicIPs.txt]
[elastic-network-interfaces][cflab] 7 elastic network interfaces found.

Loot Example:

❯ cat cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PrivateIPs.txt
172.31.29.24
10.0.1.34
10.0.1.205
10.0.1.111
10.0.1.160
10.0.1.63
10.0.1.139
10.0.1.106
10.0.1.198
❯ cat cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PublicIPs.txt
34.214.146.170
54.188.27.193
52.41.51.204
54.187.4.219
52.26.221.228
54.187.54.60
52.12.121.187
34.221.102.135

endpoints

Command endpoints
Summary This command enumerates endpoints from various services.
Introduced v1.6.0
Author Bishop Fox
Background This command queries multiple AWS services that create AWS endpoints for you, i.e., the ones suffixed with *.amazonaws.com, *.cloudfront.net, and *.on.aws. This is yet another place you want to look for vulnerable applications and services in the target environment. There will certainly be overlap between the domain based output of this endpoints command and the IP addresses retrieved from the elastic-network-interfaces command, but due to virtual hosting, sometimes you will get a different result when you use the correct hostname (aka, this endpoint data). Additionally, with the endpoints command you get the specific port the service is hosted on, rather than just the IP address, which means you can skip the nmap phase if you'd like.

As a penetration tester, you can take the endpoints generated from this command and feed them into your application fingerprinting tools like Aquatone/EyeWitness/GoWitness.
Use case 1 Look for public endpoints that expose sensitive information
Use case 2 Look for any endpoint (public or private) that does not require authentication, uses weak or default credentials, or contains vulnerabilities
Loot file(s): loot/endpoints-UrlsOnly.txt

Example:

❯ cloudfox aws --profile cf-exec -v2 endpoints
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[endpoints][cflab] Enumerating endpoints for account 049881439828.
[endpoints][cflab] Supported Services: App Runner, APIGateway, ApiGatewayV2, Cloudfront, EKS, ELB, ELBv2, Grafana,
[endpoints][cflab] 			Lambda, MQ, OpenSearch, Redshift, RDS
[endpoints] Status: 212/212 tasks complete (9 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────┬───────────┬──────────────┬───────────────────────────────────────────────────────────────────────┬──────┬──────────┬────────╮
│  Service   │  Region   │     Name     │                               Endpoint                                │ Port │ Protocol │ Public │
├────────────┼───────────┼──────────────┼───────────────────────────────────────────────────────────────────────┼──────┼──────────┼────────┤
│ App Runner │ us-west-2 │ example      │ https://wejpymersj.us-west-2.awsapprunner.com                         │ 443  │ https    │ True   │
│ ELB        │ us-west-2 │ cloudfox-elb │ http://cloudfox-elb-834557314.us-west-2.elb.amazonaws.com:80          │ 80   │ HTTP     │ True   │
│ Lambda     │ us-west-2 │ lambda2      │ https://scyoucfcogj5mthweznc5fcuva0mpokg.lambda-url.us-west-2.on.aws/ │ 443  │ https    │ True   │
│ Lambda     │ us-west-2 │ lambda1      │ https://jrtbo2vgw6o74nexfozi3ltgey0kupgn.lambda-url.us-west-2.on.aws/ │ 443  │ https    │ True   │
│ RDS        │ us-west-2 │ cloudfox-rds │ cloudfox-rds.ckzvqq0tjs4a.us-west-2.rds.amazonaws.com                 │ 3306 │ mysql    │ True   │
╰────────────┴───────────┴──────────────┴───────────────────────────────────────────────────────────────────────┴──────┴──────────┴────────╯
[endpoints] Output written to [cloudfox-output/aws/cf-exec/table/endpoints.txt]
[endpoints] Output written to [cloudfox-output/aws/cf-exec/csv/endpoints.csv]
[endpoints] Loot written to [cloudfox-output/aws/cf-exec/loot/endpoints-UrlsOnly.txt]
[endpoints] 5 endpoints enumerated.

Loot Example:

❯ cat cloudfox-output/aws/cflab/loot/endpoints-UrlsOnly.txt
http://cloudfox-elb-1403229762.us-west-2.elb.amazonaws.com:80
https://lxs33inw57msz5qkrylengyr240zvxqg.lambda-url.us-west-2.on.aws/
https://fzh63adzkekw4tqlrssqqpepra0dfwjk.lambda-url.us-west-2.on.aws/

env-vars

Command env-vars
Summary Grabs the environment variables from services that have them (App Runner, ECS, Lambda, Lightsail containers, and Sagemaker are supported).
Introduced v1.6.0
Author Bishop Fox
Background Environment variables store environmental context at the operating system level. For example, if you don't want to hard-code a specific S3 bucket name into your application, but rather want it to write to one S3 bucket when it runs in prod and another when it runs in dev, you can code the application to read the S3_BUCKET environment variable at runtime and use that to pick the bucket. Some AWS services, like Lambda and ECS, allow you to set environment variables when you define the workload. This is perfectly normal and benign.

However, when sensitive credentials are set as environment variables, this can lead to unintended privilege escalation. Specifically, there may be users who have the IAM permissions to read the workload configuration, including environment variables, even though they don't have permission to execute the workloads. Think about someone who has the lambda:ListFunctions permission but nothing else (ListFunctions returns each function's configuration, environment variables included). If administrative credentials for the AWS account are stored in one of those variables, a user with nothing but lambda:ListFunctions can now gain administrative access to the account.

As a penetration tester, look through the env-vars output, and if you find any secrets/credentials, you should track down who has access to those credentials using cloudfox iam-simulator's advanced options, and/or pmapper's who-can command syntax.
Use case 1 Look for secrets. If you find one, find what IAM principals have permissions to use the secret, and try to gain access to one of those IAM principals.

Example:

❯ cloudfox aws --profile cf-exec -v2 env-vars
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942784490595000
[env-vars] Enumerating environment variables in all regions for account 049881439828.
[env-vars] Supported Services: App Runner, Elastic Container Service, Lambda, Lightsail Containers, Sagemaker
[env-vars] Status: 105/105 tasks complete (48 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────┬───────────┬─────────┬─────────────────┬─────────────────────────────────╮
│  Service   │  Region   │  Name   │       Key       │              Value              │
├────────────┼───────────┼─────────┼─────────────────┼─────────────────────────────────┤
│ App Runner │ us-west-2 │ example │ secret_password │ 12345                           │
│ Lambda     │ us-west-2 │ lambda1 │ RDS_PASSWORD    │ ]M=rsDq}p9n:u{6*$dz2}}t7D:YH#k7 │
│ Lambda     │ us-west-2 │ lambda1 │ RDS_USER        │ admin                           │
╰────────────┴───────────┴─────────┴─────────────────┴─────────────────────────────────╯
[env-vars] Output written to [cloudfox-output/aws/cf-exec/table/env-vars.txt]
[env-vars] Output written to [cloudfox-output/aws/cf-exec/csv/env-vars.csv]
[env-vars] 3 environment variables found.
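Eyeballing three rows is easy; a real account can produce hundreds. The script below is an added example for this page, not CloudFox code: it runs a few secret heuristics over the CSV output (key name, value shape such as an AWS key ID or a URL with an embedded password, and a Shannon-entropy fallback for opaque values). It assumes the CSV has the same columns as the table above (Service, Region, Name, Key, Value); check the header of your own csv/env-vars.csv, since the layout is not guaranteed across CloudFox versions. The sample CSV is constructed from the rows above plus a few extra rows.

```python
"""Flag credential-looking values in CloudFox env-vars CSV output.

Added example for this wiki page, not CloudFox code. Assumes the CSV header
is Service,Region,Name,Key,Value (matching the table output); SAMPLE_CSV is
constructed.
"""
import csv
import io
import math
import re

# Key names that usually hold a credential.
KEY_HINTS = re.compile(r"(?i)(pass(word)?|passwd|secret|token|api[_-]?key|private[_-]?key|cred)")
# Value shapes that are a credential regardless of the key name.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "url_with_password": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Fallback for opaque values under an innocent-looking key.
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 3.5  # bits per character; random hex/base64 sits around 3.7 and up


def shannon_entropy(s):
    """Bits per character of the string's byte distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(key, value):
    """Return the reasons a Key/Value pair looks like a secret (empty list = benign)."""
    reasons = [label for label, pat in VALUE_PATTERNS.items() if pat.search(value)]
    if KEY_HINTS.search(key) and value.strip():
        reasons.append("key_name")
    if not reasons and len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    return reasons


def find_secret_env_vars(csv_text):
    """Return (Service, Name, Key, reasons) for every flagged row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify(row["Key"], row["Value"])
        if reasons:
            findings.append((row["Service"], row["Name"], row["Key"], reasons))
    return findings


# Constructed from the table rows above, plus extra rows to exercise each heuristic.
SAMPLE_CSV = """Service,Region,Name,Key,Value
App Runner,us-west-2,example,secret_password,12345
Lambda,us-west-2,lambda1,RDS_PASSWORD,]M=rsDq}p9n:u{6*$dz2}}t7D:YH#k7
Lambda,us-west-2,lambda1,RDS_USER,admin
Lambda,us-west-2,lambda1,S3_BUCKET,my-app-uploads-prod
ECS,us-west-2,webapp,DATABASE_URL,postgres://app:s3cr3tpw@db.internal:5432/app
ECS,us-west-2,webapp,AWS_ACCESS_KEY_ID,AKIAIOSFODNN7EXAMPLE
ECS,us-west-2,webapp,JWT_SIGNING,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

if __name__ == "__main__":
    # Real use: find_secret_env_vars(open("cloudfox-output/aws/cf-exec/csv/env-vars.csv").read())
    for service, name, key, reasons in find_secret_env_vars(SAMPLE_CSV):
        print(f"{service:10} {name:10} {key:20} {', '.join(reasons)}")
```

Treat the output as a triage list, not a verdict: `RDS_USER=admin` is not flagged but is the other half of the `RDS_PASSWORD` finding, and the entropy fallback will also flag long random identifiers that are not secrets. For each real hit, the next step is the one the page describes: work out who can read that workload's configuration with iam-simulator or pmapper.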

filesystems

Command filesystems
Summary Enumerate the EFS and FSx filesystems that you might be able to mount without credentials (if you have the right network access).
Introduced v1.6.0
Author Bishop Fox
Background EFS is the best-known AWS filesystem, but this command also looks at the FSx family of filesystems. The important thing here is that while EFS and some of the other filesystems provide a mechanism to enforce IAM-based authentication, that option is often not used. So if you have internal network access to the VPC, most likely via a compromised or simulated assumed-breach host, you might be able to mount a filesystem without any credentials and start browsing around.

As a penetration tester, look through the filesystems loot output for the specific commands to mount all of the filesystems in the account. If you are in the right VPC and subnet, you might be able to mount the filesystem and browse the files. This is another case where it might be easier to run all of the commands in the loot file from your compromised host and hope for the best. Even if IAM is enforced, that just means you first have to gain access to a role with the right EFS/FSx permissions to mount the share; then you can mount the share and access the data.

Example: Enumerate any EFS or FSx shares

❯ cloudfox aws --profile cf-exec -v2 filesystems
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942818660709000
[filesystems] Enumerating filesystems for account 049881439828.
[filesystems] Supported Services: EFS, FSx
[filesystems] Status: 42/42 tasks complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬───────────┬──────────────┬────────────┬────────────────────────┬───────────────────────╮
│ Service │  Region   │     Name     │  DNS Name  │      Mount Target      │        Policy         │
├─────────┼───────────┼──────────────┼────────────┼────────────────────────┼───────────────────────┤
│ EFS     │ us-west-2 │ cloudfox-efs │ 10.0.1.115 │ fsmt-079d42aa439682a63 │ Default (No IAM auth) │
╰─────────┴───────────┴──────────────┴────────────┴────────────────────────┴───────────────────────╯
[filesystems] Output written to [cloudfox-output/aws/cf-exec/table/filesystems.txt]
[filesystems] Output written to [cloudfox-output/aws/cf-exec/csv/filesystems.csv]
[filesystems] Loot written to [cloudfox-output/aws/cf-exec/loot/filesystems-mount-commands.txt]
[filesystems] 1 filesystems found.

Loot Example:

❯ cat cloudfox-output/aws/cflab/loot/filesystems-mount-commands.txt
##########  Mount instructions for EFS - cloudfox-efs ##########
mkdir -p /efs/fsmt-0e32c91201616cd48/
sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 10.0.1.160:/ /efs/fsmt-0e32c91201616cd48

iam-simulator

Command iam-simulator
Summary Like pmapper, but uses the IAM policy simulator. It uses AWS's own evaluation logic, but notably it doesn't consider transitive access via privesc, which is why you should always also use pmapper.
Introduced v1.6.0
Author Bishop Fox
Background The IAM "Simulate Principal Policy" feature allows you to test whether a particular IAM principal (i.e., user or role) can perform an action on a resource.

As a penetration tester, there are some actions (aka permissions) that are quite interesting, and I often want to know who can perform them on all resources. For example, who can read all objects in all S3 buckets? It would be nice to have a short list of everyone who can do that. Or, who can use the ssm:StartSession permission on all resources? That's what the default mode does. It takes a hardcoded list of actions that are interesting to penetration testers and asks who has permission to perform those actions.

However, this is only the default mode in cloudfox. If you look at the examples below, you can use the command line parameters to ask a lot of different questions to the iam-simulator.
Use case 1 Check every principal against the hardcoded list of interesting (for a pentester) permissions
Use case 2 Check a specific principal against the hardcoded list of interesting permissions
Use case 3 Check a specific principal against a specific permission
Use case 4 Check all principals against a specific permission

Example: Default mode checks every principal against a hardcoded list of specific permissions for any resource

❯ cloudfox aws --profile cf-exec -v2 iam-simulator
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942906111954000
[iam-simulator] Running multiple iam-simulator queries for account 049881439828. (This command can be pretty slow, FYI)
[iam-simulator] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬─────────────────────────────────────────────╮
│ Service │                                                      Principal                                                       │                    Query                    │
├─────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────┤
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole                                                         │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/adams                                                                                 │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/press                                                                                 │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:user/terraform-user                                                                        │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/not-admin                                                                             │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                    │ can apprunner:DescribeService on *          │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                       │ can apprunner:DescribeService on *          │
│ IAM     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                    │ can ec2:DescribeInstanceAttributeInput on * │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ can ec2:DescribeInstanceAttributeInput on * │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS                               │ can ec2:DescribeInstanceAttributeInput on * │
│ IAM     │ arn:aws:iam::049881439828:role/rapinoe                                                                               │ can ecr:BatchGetImage on *                  │
│ IAM     │ arn:aws:iam::049881439828:role/rapinoe                                                                               │ can ecr:GetAuthorizationToken on *          │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ can ecs:DescribeTaskDefinition on *         │
│ IAM     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                    │ can ecs:DescribeTaskDefinition on *         │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                       │ can ecs:DescribeTaskDefinition on *         │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                    │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                       │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/lavelle                                                                               │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer        │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                │ can s3:GetObject on *                       │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor         │ can s3:ListBucket on *                      │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                       │ can s3:ListBucket on *                      │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                │ can s3:ListBucket on *                      │
│ IAM     │ arn:aws:iam::049881439828:role/dempsey                                                                               │ can ssm:StartSession on *                   │
╰─────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────────╯
[iam-simulator] Output written to [cloudfox-output/aws/cf-exec/table/iam-simulator.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cf-exec/csv/iam-simulator.csv]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-exec/loot/iam-simulator-pmapper-commands.txt]

Example 2: Check a specific principal against the hardcoded list of interesting permissions

❯ cloudfox aws --profile cf-prod iam-simulator -v2 --principal arn:aws:iam::049881439828:role/OrganizationAccountAccessRole
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[iam-simulator] Checking to see if arn:aws:iam::049881439828:role/OrganizationAccountAccessRole can do any actions of interest.
[iam-simulator] Status: 0/0 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬──────────────────────────────────────────────────────────────┬─────────────────────────────────────────────╮
│ Service │                          Principal                           │                    Query                    │
├─────────┼──────────────────────────────────────────────────────────────┼─────────────────────────────────────────────┤
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can apprunner:DescribeService on *          │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ec2:DescribeInstanceAttributeInput on * │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ecr:BatchGetImage on *                  │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ecr:GetAuthorizationToken on *          │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ecs:DescribeTaskDefinition on *         │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can eks:UpdateClusterConfig on *            │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can iam:PassRole on *                       │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can s3:GetObject on *                       │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can s3:ListBucket on *                      │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can secretsmanager:GetSecretValue on *      │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ssm:GetParameter on *                   │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ssm:StartSession on *                   │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ssm:sSendCommand on *                   │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can sts:AssumeRole on *                     │
╰─────────┴──────────────────────────────────────────────────────────────┴─────────────────────────────────────────────╯

Example 3: Check a specific principal against a specific permission

❯ cloudfox aws --profile cf-prod iam-simulator -v2 --principal arn:aws:iam::049881439828:role/OrganizationAccountAccessRole --action iam:PassRole
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[iam-simulator] Checking to see if arn:aws:iam::049881439828:role/OrganizationAccountAccessRole can do iam:PassRole.
[iam-simulator] Status: 0/0 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬──────────────────────────────────────────────────────────────┬───────────────────────╮
│ Service │                          Principal                           │         Query         │
├─────────┼──────────────────────────────────────────────────────────────┼───────────────────────┤
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can iam:PassRole on * │
╰─────────┴──────────────────────────────────────────────────────────────┴───────────────────────╯
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/table/iam-simulator-custom-1662941825.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/csv/iam-simulator-custom-1662941825.csv]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-prod/loot/iam-simulator-pmapper-commands.txt]

Example 4: Check all principals against a specific permission

❯ cloudfox aws --profile cf-prod iam-simulator -v2 --action ecr:putimage
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[iam-simulator] Checking to see if any principal can do ecr:putimage.
[iam-simulator] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────────────────────────────╮
│ Service │                                                      Principal                                                       │             Query              │
├─────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────┤
│ IAM     │ arn:aws:iam::049881439828:user/terraform-user                                                                        │ Appears to be an administrator │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ Appears to be an administrator │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole                                                         │ Appears to be an administrator │
╰─────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────╯
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/table/iam-simulator-custom-1662941969.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/csv/iam-simulator-custom-1662941969.csv]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-prod/loot/iam-simulator-pmapper-commands.txt]
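The checks in Examples 2 to 4 above are built on the IAM policy simulation API. Below is an added example, not CloudFox's own code, that asks SimulatePrincipalPolicy which of a short list of sensitive actions one principal is allowed to perform and prints the same "can <action> on *" rows the table uses. The action list and the role ARN are assumptions for the example, the "Appears to be an administrator" heuristic is not reproduced, and the IAM client is injected so the logic runs offline against a constructed stand-in; with boto3 installed, pass boto3.client("iam") instead.

```python
"""Check which sensitive IAM actions a principal can perform using the IAM
policy simulation API (SimulatePrincipalPolicy).  Added example for this wiki
page, not CloudFox's own code; the client is injected so the logic runs offline
against the constructed stand-in below."""

# Assumption: a small, defender-oriented subset of sensitive actions. The list
# CloudFox checks is longer and is not reproduced here.
ACTIONS_OF_INTEREST = [
    "iam:PassRole",
    "sts:AssumeRole",
    "secretsmanager:GetSecretValue",
    "ssm:StartSession",
    "ssm:SendCommand",
    "s3:GetObject",
    "ecr:PutImage",
]


def simulate_principal(iam_client, principal_arn, actions=ACTIONS_OF_INTEREST, resource="*"):
    """Return sorted (action, resource) pairs the principal is allowed to perform.

    Follows SimulatePrincipalPolicy's IsTruncated/Marker pagination.  EvalDecision is
    'allowed', 'explicitDeny' or 'implicitDeny'; only 'allowed' results are kept.
    """
    allowed = set()
    kwargs = {
        "PolicySourceArn": principal_arn,
        "ActionNames": list(actions),
        "ResourceArns": [resource],
    }
    while True:
        resp = iam_client.simulate_principal_policy(**kwargs)
        for result in resp.get("EvaluationResults", []):
            if result.get("EvalDecision") == "allowed":
                allowed.add((result["EvalActionName"], result.get("EvalResourceName", resource)))
        if not resp.get("IsTruncated"):
            return sorted(allowed)
        kwargs["Marker"] = resp["Marker"]


def format_rows(principal_arn, allowed):
    """Render results in the 'can <action> on <resource>' style of the table above."""
    return [f"{principal_arn} can {action} on {res}" for action, res in allowed]


class FakeIamClient:
    """Constructed stand-in for boto3's IAM client so the example runs offline.

    It answers in the response shape the real API uses and splits results over
    two pages so the Marker handling is exercised.
    """

    PAGE_SIZE = 4

    def __init__(self, allowed_actions):
        self._allowed = set(allowed_actions)
        self.calls = []  # every request made, kept for inspection

    def simulate_principal_policy(self, **kwargs):
        self.calls.append(dict(kwargs))
        names = kwargs["ActionNames"]
        resource = kwargs["ResourceArns"][0]
        start = int(kwargs.get("Marker", "0"))  # the real Marker is opaque; an offset here
        page = names[start:start + self.PAGE_SIZE]
        results = [
            {
                "EvalActionName": action,
                "EvalResourceName": resource,
                "EvalDecision": "allowed" if action in self._allowed else "implicitDeny",
            }
            for action in page
        ]
        truncated = start + self.PAGE_SIZE < len(names)
        resp = {"EvaluationResults": results, "IsTruncated": truncated}
        if truncated:
            resp["Marker"] = str(start + self.PAGE_SIZE)
        return resp


if __name__ == "__main__":
    # Constructed sample: a role allowed three of the seven actions.
    fake = FakeIamClient({"iam:PassRole", "secretsmanager:GetSecretValue", "ecr:PutImage"})
    role = "arn:aws:iam::111111111111:role/example-role"  # placeholder ARN
    for line in format_rows(role, simulate_principal(fake, role)):
        print(line)
```

The simulation evaluates the principal's identity-based policies and permissions boundary, not resource policies, session policies or SCPs, so an "allowed" here is a reason to look closer rather than proof of access; the pmapper loot file the command writes exists because privilege-escalation paths are a separate question again.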

instances

Command instances
Summary List all EC2 instances, including IP address information and associated IAM principal.
Introduced v1.6.0
Background The EC2 service allows you to run virtual machines in AWS. As a penetration tester with internal access to the Virtual Private Cloud (VPC), you can use CloudFox to enumerate which IP addresses are live, and then apply your traditional penetration testing methodology here - nmap to identify services, use other tools to identify what applications are running on any open ports, etc.

If you can compromise a service running on an EC2 instance and gain RCE or SSRF, you can access the temporary credentials applied to the instance and perform any action that the instance's role can perform.

Additionally, EC2 instances often store scripts or other metadata in the user-data attribute, and that is often a place where you can find secrets or other sensitive information.
Use case 1: Attack network services running on EC2 instances. Use the loot files with tools like nmap, Aquatone/EyeWitness/GoWitness. If you compromise a service, try to access the instance's IAM role.
Use case 2: Use the --userdata flag to generate a loot file that contains the user-data for every EC2 instance in the account, so that you can look for secrets or other sensitive data
Use case 3: Quickly identify EC2 instances, including which ones have admin permissions attached, and target those for privesc.
Loot file(s): loot/instances-ec2PrivateIPs.txt
loot/instances-ec2PublicIPs.txt
loot/instances-userdata.txt

Example 1: Enumerate general information about EC2 instances, including which instances have admin permissions attached

❯ cloudfox aws -p cflab instances -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[instances][cflab] Enumerating EC2 instances in all regions for account 049881439828
[instances][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[instances][cflab] Found pmapper data for this account. Using it for role analysis.
[instances] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭───────────┬─────────────────────┬────────────┬─────────┬────────────────┬──────────────┬──────────────────────────────────────────────────────┬──────────────┬────────────────────╮
│   Name    │         ID          │    Zone    │  State  │  External IP   │ Internal IP  │                         Role                         │ IsAdminRole? │ CanPrivEscToAdmin? │
├───────────┼─────────────────────┼────────────┼─────────┼────────────────┼──────────────┼──────────────────────────────────────────────────────┼──────────────┼────────────────────┤
│           │ i-02ec97d835d8738dc │ us-west-2b │ running │ 34.214.146.170 │ 172.31.29.24 │ arn:aws:iam::049881439828:role/imdvs2-challenge-role │ No           │ No                 │
│ instance1 │ i-06ba5dcc0b5de0257 │ us-west-2a │ running │ 52.26.221.228  │ 10.0.1.63    │                                                      │              │                    │
│ instance2 │ i-09c4720abd8089326 │ us-west-2a │ running │ 34.221.102.135 │ 10.0.1.198   │                                                      │              │                    │
│ instance3 │ i-08c087a559323aff9 │ us-west-2a │ running │ 52.12.121.187  │ 10.0.1.106   │ arn:aws:iam::049881439828:role/press                 │ YES          │ YES                │
│ instance4 │ i-08ec238f610e9c915 │ us-west-2a │ running │ 54.187.4.219   │ 10.0.1.111   │                                                      │              │                    │
╰───────────┴─────────────────────┴────────────┴─────────┴────────────────┴──────────────┴──────────────────────────────────────────────────────┴──────────────┴────────────────────╯
[instances] Output written to [cloudfox-output/aws/cflab/table/instances.txt]
[instances] Output written to [cloudfox-output/aws/cflab/csv/instances.csv]
[instances][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instances-ec2PrivateIPs.txt]
[instances][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instances-ec2PublicIPs.txt]
[instances][cflab] 5 instances found.

Example 2: Obtain only userData attributes for EC2 instances
This is a separate flag because userData does not fit in table or CSV output formats.

❯ cloudfox aws --profile cf-exec -v2 instances --userdata
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662943069534483000
[instances] Enumerating EC2 instances in all regions for account 049881439828
[instances] Status: 21/21 tasks complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
=============================================

Instance Arn: arn:aws:ec2:us-west-2:049881439828:instance/i-020e69c99ce4c7a97
Region: us-west-2
Instance Profile: NoInstanceProfile

User Data:
#!/bin/bash
export RDS_USER="admin"
export RDS_PASSWORD="]M=rsDq}p9n:u{6*$dz2}}t7D:YH#k7"

=============================================

[instance-userdata] Loot written to [cloudfox-output/aws/cf-exec/loot/instance-userdata.txt]
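Once the loot file exists, the next step is reading it for credentials. The following is an added example, not CloudFox's own code, that scans user-data for credential-looking content: it handles the base64 form DescribeInstanceAttribute returns as well as plain text, matches AWS access key IDs and PASSWORD/SECRET/TOKEN-style assignments, and reports redacted values so the findings can go into a report without copying the secret. The sample user-data is constructed (the access key is the one from the AWS documentation, the password is made up) and the patterns are a starting point, not an exhaustive secret detector.

```python
"""Scan EC2 user-data for credential-looking content.  Added example for this
page, not CloudFox's own code; the sample user-data is constructed and the
patterns are a starting point rather than an exhaustive secret detector."""

import base64
import re

# Constructed sample, modelled on the shape of the output above.
SAMPLE_USER_DATA = """#!/bin/bash
export RDS_USER="admin"
export RDS_PASSWORD="not-a-real-password-123"
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
yum install -y nginx
"""

# (label, pattern).  A two-group pattern yields (variable name, value); the
# single-match pattern yields the matched text as the value.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("credential_assignment", re.compile(
        r"(?i)\b([A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)[A-Z0-9_]*)"
        r"\s*[=:]\s*[\"']?([^\"'\s]+)")),
]


def decode_user_data(raw):
    """DescribeInstanceAttribute returns userData base64-encoded; accept either form.

    A plain script (spaces, '#', '!') is not valid base64 and falls through
    untouched.  Heuristic: plain text that happens to be valid base64 and
    decodes to valid UTF-8 would be mis-decoded.
    """
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return raw


def redact(value):
    """Keep enough to recognise the secret in a report without reproducing it."""
    return value[:4] + "***"


def find_secrets(user_data):
    """Return findings as dicts with line number, kind, variable name and redacted value."""
    findings = []
    for lineno, line in enumerate(decode_user_data(user_data).splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS:
            for m in pattern.finditer(line):
                if m.groups():
                    name, value = m.group(1), m.group(2)
                else:
                    name, value = kind, m.group(0)
                findings.append({"line": lineno, "kind": kind, "name": name, "value": redact(value)})
    return findings


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_USER_DATA):
        print(f"line {f['line']}: {f['kind']} {f['name']} = {f['value']}")
```

Run it over each User Data block in the loot file; anything it flags is a finding in its own right (credentials in user-data are readable by anyone with ec2:DescribeInstanceAttribute on the instance, and by code on the instance via the metadata service), and the fix on the defender's side is moving those values into SSM Parameter Store or Secrets Manager and granting the instance role access to them.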

inventory

Command inventory
Summary Quickly identify the rough size and the regions used for an AWS account.
Introduced v1.6.0
Background As a penetration tester, inventory is a great way to quickly get a rough idea of which regions are used by a particular AWS account, which of the more popular services are being used, and roughly how big an account is.

It's important to know that CloudFox's inventory command only counts a subset of the services that AWS supports.
Use case 1: Quickly learn what regions are being used. This will prevent you from completely missing huge chunks (or small chunks) of attackable surface area because you forgot to look at other regions.
Use case 2: Quickly learn what the most common services are. This will help you focus your methodology on the services that are used by this particular AWS account.

Example:

❯ cloudfox aws --profile cf-exec -v2 inventory
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662943145181650000
[inventory] Enumerating selected services in all regions for account 049881439828.
[inventory] Supported Services: ApiGateway, ApiGatewayv2, AppRunner, CloudFormation, Cloudfront, EC2, ECS, EKS,
[inventory] 			ELB, ELBv2, Grafana, IAM, Lambda, Lightsail, MQ, OpenSearch, RDS, S3, SecretsManager, SSM
[inventory] Status: 357/357 tasks complete (90 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────────────────────────┬───────────┬───────────╮
│         Resource Type          │ us-west-2 │ us-east-1 │
├────────────────────────────────┼───────────┼───────────┤
│ Total                          │ 24        │ 10        │
│ APIGateway RestAPIs            │ -         │ -         │
│ APIGatewayv2 APIs              │ -         │ -         │
│ AppRunner Services             │ 1         │ -         │
│ CloudFormation Stacks          │ 7         │ 8         │
│ Cloudfront Distributions       │ -         │ -         │
│ EC2 Instances                  │ 4         │ 2         │
│ ECS Tasks                      │ 1         │ -         │
│ EKS Clusters                   │ -         │ -         │
│ ELB Load Balancers             │ 1         │ -         │
│ ELBv2 Load Balancers           │ -         │ -         │
│ Grafana Workspaces             │ -         │ -         │
│ Lambda Functions               │ 2         │ -         │
│ Lightsail Instances/Containers │ -         │ -         │
│ MQ Brokers                     │ -         │ -         │
│ OpenSearch DomainNames         │ -         │ -         │
│ RDS DB Instances               │ 1         │ -         │
│ SecretsManager Secrets         │ 3         │ -         │
│ SSM Parameters                 │ 4         │ -         │
╰────────────────────────────────┴───────────┴───────────╯
[inventory] Output written to [cloudfox-output/aws/cf-exec/table/inventory.txt]
[inventory] Output written to [cloudfox-output/aws/cf-exec/csv/inventory.csv]
╭───────────────┬───────╮
│ Resource Type │ Total │
├───────────────┼───────┤
│ S3 Buckets    │ 5     │
│ IAM Users     │ 2     │
│ IAM Roles     │ 29    │
╰───────────────┴───────╯
[inventory] Output written to [cloudfox-output/aws/cf-exec/table/inventory-global.txt]
[inventory] Output written to [cloudfox-output/aws/cf-exec/csv/inventory-global.csv]
[inventory] 70 resources enumerated in the services we looked at. This is NOT the total number of resources in the account.

lambda

Command lambda
Summary Lists the Lambda functions in the account, including which ones have admin roles attached. Also gives you handy commands for downloading each function.
Introduced v1.8.0
Background The Lambda service allows you to run code in AWS without an EC2 instance or even your own container image. You upload your code, and other things can "trigger" your lambda function to act.

If you can compromise a service running in a Lambda function and gain RCE, you can access the temporary credentials applied to the container running the function and perform any action that the function's role can perform.
Use case 1: Quickly identify Lambda functions, including which ones have admin permissions attached, and target those for exploitation.
Loot file(s): loot/lambda.txt

Example:

❯ cloudfox aws -p cflab lambda -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[lambdas][cflab] Enumerating lambdas for account 049881439828.
[lambdas][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[lambdas][cflab] Found pmapper data for this account. Using it for role analysis.
[lambdas] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬───────────┬──────────────┬─────────────────────────────────────────┬──────────────┬────────────────────╮
│ Service │  Region   │ Resource Arn │                  Role                   │ IsAdminRole? │ CanPrivEscToAdmin? │
├─────────┼───────────┼──────────────┼─────────────────────────────────────────┼──────────────┼────────────────────┤
│ Lambda  │ us-west-2 │ lambda2      │ arn:aws:iam::049881439828:role/adams    │ YES          │ YES                │
│ Lambda  │ us-west-2 │ lambda1      │ arn:aws:iam::049881439828:role/aaronson │ No           │ No                 │
╰─────────┴───────────┴──────────────┴─────────────────────────────────────────┴──────────────┴────────────────────╯
[lambdas] Output written to [cloudfox-output/aws/cflab/table/lambdas.txt]
[lambdas] Output written to [cloudfox-output/aws/cflab/csv/lambdas.csv]
[lambdas][cflab] Loot written to [cloudfox-output/aws/cflab/loot/lambda-get-function-commands.txt]
[lambdas][cflab] 2 lambdas found.

network-ports

Command network-ports
Summary Enumerates AWS services that are potentially exposing a network service. The security groups and the network ACLs are parsed for each resource to determine what ports are potentially exposed.
Introduced v1.10.0
Author Wyatt Dahlenburg
Background Network ACLs and Security Groups are frequently used to define access to AWS network services. This module attempts to parse the rules to determine if anyone can access an exposed port or range of ports.

The supported services are currently: EC2, ECS, EFS, ElastiCache, ELBv2, Lightsail, and RDS.

Try scanning from any or all network locations you have access to, such as within a VPC.

Consider modifying the nmap flags to store the results in your preferred output format. Try out an nmap merge script to aggregate your scan results into a single file:
https://github.com/CBHue/nMap_Merger/blob/master/nMapMerge.py
https://github.com/opsdisk/scantron/blob/master/console/scan_results/merge_nmap_xml_files.py
Use case 1: Quickly identify AWS services which may be exposing TCP or UDP ports.
Loot file(s): loot/network-ports-private-ipv4.txt
loot/network-ports-public-ipv4.txt
loot/network-ports-public-ipv6.txt

Example:

❯ cloudfox aws -p cflab network-ports -v2
[🦊 cloudfox v1.10.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[network-ports][cflab] Enumerating potentially accessible network services for account 049881439828.
[network-ports][cflab] Supported Services: EC2, ECS, EFS, ElastiCache, ELBv2, Lightsail, RDS
[network-ports] Status: 115/115 tasks complete (0 errors -- For details check /Users/user/.cloudfox/cloudfox-error.log)
╭───────────┬───────────┬──────────┬────────────────────────────────────────────────────┬──────────────────╮
│  Service  │  Region   │ Protocol │                        Host                        │      Ports       │
├───────────┼───────────┼──────────┼────────────────────────────────────────────────────┼──────────────────┤
│ EC2       │ us-east-1 │ tcp      │ 172.31.57.70                                       │ 80,443,8000-8010 │
│ EC2       │ us-east-1 │ udp      │ 172.31.57.70                                       │ 8081             │
│ EC2       │ us-east-1 │ tcp      │ 10.8.7.67                                          │ 0-65535          │
│ EC2       │ us-east-1 │ udp      │ 10.8.7.67                                          │ 0-65535          │
│ ECS       │ us-east-1 │ tcp      │ 10.0.1.245                                         │ 8080             │
│ Lightsail │ us-east-1 │ tcp      │ 172.26.13.73                                       │ 0-65535          │
│ Lightsail │ us-east-1 │ udp      │ 172.26.13.73                                       │ 0-65535          │
│ EC2       │ us-east-1 │ tcp      │ 52.91.145.179                                      │ 80,443,8000-8010 │
│ EC2       │ us-east-1 │ udp      │ 52.91.145.179                                      │ 8081             │
│ EC2       │ us-east-1 │ tcp      │ 18.215.254.56                                      │ 0-65535          │
│ EC2       │ us-east-1 │ udp      │ 18.215.254.56                                      │ 0-65535          │
│ ECS       │ us-east-1 │ tcp      │ 34.200.248.106                                     │ 8080             │
│ ELBv2     │ us-east-1 │ tcp      │ elb-1-a58eb4ba1c690b7e.elb.us-east-1.amazonaws.com │ 53,80,8081,9888  │
│ ELBv2     │ us-east-1 │ udp      │ elb-1-a58eb4ba1c690b7e.elb.us-east-1.amazonaws.com │ 53               │
│ Lightsail │ us-east-1 │ tcp      │ 44.192.57.241                                      │ 0-65535          │
│ Lightsail │ us-east-1 │ udp      │ 44.192.57.241                                      │ 0-65535          │
│ EC2       │ us-east-1 │ tcp      │ 2600:1f18:62ae:4900:a4c4:a17b:72a3:ce52            │ 0-65535          │
│ EC2       │ us-east-1 │ udp      │ 2600:1f18:62ae:4900:a4c4:a17b:72a3:ce52            │ 0-65535          │
│ Lightsail │ us-east-1 │ tcp      │ 2600:1f18:6770:db00:4c5b:4f32:1735:dca8            │ 0-65535          │
│ Lightsail │ us-east-1 │ udp      │ 2600:1f18:6770:db00:4c5b:4f32:1735:dca8            │ 0-65535          │
╰───────────┴───────────┴──────────┴────────────────────────────────────────────────────┴──────────────────╯
[network-ports][cflab] Output written to [cloudfox-output/aws/cflab/table/network-ports.txt]
[network-ports][cflab] Output written to [cloudfox-output/aws/cflab/csv/network-ports.csv]
[network-ports][cflab] Loot written to [cloudfox-output/aws/cflab/loot/network-ports-private-ipv4.txt]
[network-ports][cflab] Loot written to [cloudfox-output/aws/cflab/loot/network-ports-public-ipv4.txt]
[network-ports][cflab] Loot written to [cloudfox-output/aws/cflab/loot/network-ports-public-ipv6.txt]
[network-ports][cflab] 20 network services found.
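The Ports column above is the result of combining two different rule models: security groups are allow-only and the union of all matching rules applies, while network ACLs are evaluated in rule-number order with the first match winning and a default deny. Below is an added example, not CloudFox's own code, that does that combination for one resource and renders the port list in the same "80,443,8000-8010" style. The security group and NACL dictionaries are constructed but follow the shapes DescribeSecurityGroups and DescribeNetworkAcls return; only tcp and udp are handled, and exposure is evaluated against a source CIDR you pass in (0.0.0.0/0 for "anyone").

```python
"""Combine a resource's security groups (allow-only, union of rules) with its
subnet's network ACL (ordered rules, first match wins, default deny) to find the
ports a source network can actually reach.  Added example for this page, not
CloudFox's own code; the rule dictionaries are constructed but follow the shapes
DescribeSecurityGroups and DescribeNetworkAcls return.  Only tcp/udp are handled."""

import ipaddress

PROTO_NUMBER = {"tcp": "6", "udp": "17"}  # NACL entries carry IANA protocol numbers


def _cidr_covers(rule_cidr, source_cidr):
    """True when every address in source_cidr lies inside rule_cidr (same IP version)."""
    try:
        rule_net = ipaddress.ip_network(rule_cidr, strict=False)
        src_net = ipaddress.ip_network(source_cidr, strict=False)
    except ValueError:
        return False
    return rule_net.version == src_net.version and src_net.subnet_of(rule_net)


def sg_allowed_ports(security_groups, protocol, source_cidr):
    """Union of ports the security groups let source_cidr reach on protocol."""
    ports = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ip_proto = perm.get("IpProtocol")
            if ip_proto not in (protocol, "-1"):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(_cidr_covers(c, source_cidr) for c in cidrs):
                continue
            # "-1" means all traffic and carries no FromPort/ToPort
            lo, hi = (0, 65535) if ip_proto == "-1" else (perm["FromPort"], perm["ToPort"])
            ports.update(range(lo, hi + 1))
    return ports


def _ingress_entries(nacl):
    """Ingress NACL entries in evaluation order (ascending rule number)."""
    return sorted((e for e in nacl.get("Entries", []) if not e.get("Egress")),
                  key=lambda e: e["RuleNumber"])


def nacl_allows(entries, protocol, port, source_cidr):
    """First matching ingress entry decides; no match means deny."""
    for entry in entries:
        if entry.get("Protocol") not in (PROTO_NUMBER[protocol], "-1"):
            continue
        cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
        if not cidr or not _cidr_covers(cidr, source_cidr):
            continue
        port_range = entry.get("PortRange")  # absent on protocol "-1" entries
        if port_range and not port_range["From"] <= port <= port_range["To"]:
            continue
        return entry["RuleAction"] == "allow"
    return False


def exposed_ports(security_groups, nacl, protocol, source_cidr="0.0.0.0/0"):
    """Sorted list of ports reachable from source_cidr after both checks."""
    entries = _ingress_entries(nacl)
    return sorted(p for p in sg_allowed_ports(security_groups, protocol, source_cidr)
                  if nacl_allows(entries, protocol, p, source_cidr))


def format_port_list(ports):
    """Collapse a sorted port list into '80,443,8000-8010' as in the table above."""
    if not ports:
        return ""
    runs, start, prev = [], ports[0], ports[0]
    for p in ports[1:]:
        if p != prev + 1:
            runs.append((start, prev))
            start = p
        prev = p
    runs.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


# Constructed sample: SG opens 80/443/8000-8010 and udp 8081 to the world and
# ssh to 10.0.0.0/8 only; the subnet NACL denies tcp/8005 ahead of its allow-all.
SAMPLE_SGS = [{"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8010, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "udp", "FromPort": 8081, "ToPort": 8081, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}]
SAMPLE_NACL = {"Entries": [
    {"RuleNumber": 90, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 8005, "To": 8005}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 0, "To": 65535}},
    {"RuleNumber": 110, "Protocol": "17", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 8081, "To": 8081}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]}

if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(proto, format_port_list(exposed_ports(SAMPLE_SGS, SAMPLE_NACL, proto)) or "(none)")
```

Two things this makes visible that a rules dump alone does not: a NACL deny with a low rule number silently punches a hole in an SG's allowed range (tcp/8005 above), and the answer depends on where you scan from (ssh appears only for a 10.0.0.0/8 source), which is why the command writes separate private and public loot files and the page suggests scanning from inside the VPC as well.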

orgs

Command orgs
Summary Enumerate accounts in an organization.
Introduced v1.13.0
Background As a penetration tester, lateral movement is always important. In the early days all AWS accounts were individual units, but these days they can be grouped together and managed by an AWS service called Organizations. One account is converted to a management account, and that account can control child accounts. As a result, as a penetration tester, if you can find a way to gain administrative access in the organizational management account you very likely have control over all resources in all child accounts. Think of it as being similar to gaining Enterprise Admin access in an AD domain.
Use case 1: When run from a child account, it can only tell you about that caller (child) account and about the management account.
Use case 2: When run from a management account, it will list ALL child accounts.

Use case 1 example: Run from child account:

❯ cloudfox aws -p cloudfoxable orgs
[🦊 cloudfox v1.13.2 🦊 ][cloudfoxable] AWS Caller Identity: arn:aws:iam::987990985088:user/ctf-starting-user
[🦊 cloudfox v1.13.2 🦊 ][cloudfoxable] Account is part of an Organization and is a child account. Management Account: 289507344597
[org][cloudfoxable] Checking if account 987990985088 is the management account in an organization.
╭──────────────┬──────────────┬──────────────────────┬────────┬────────────────────╮
│     Name     │      ID      │ isManagementAccount? │ Status │       Email        │
├──────────────┼──────────────┼──────────────────────┼────────┼────────────────────┤
│ Mgmt Account │ 289507344597 │ true                 │ ACTIVE │ [email protected] │
│ This account │ 987990985088 │ false                │ ACTIVE │ Unknown            │
╰──────────────┴──────────────┴──────────────────────┴────────┴────────────────────╯
[org][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/table/org.txt
[org][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/csv/org.csv
[org][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/json/org.json
[org][cloudfoxable] 2 accounts found.
[org][cloudfoxable] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#org
[🦊 cloudfox v1.13.2 🦊 ][cloudfoxable] Cached AWS data written to /Users/sethart/.cloudfox/cached-data/aws/987990985088

Use case 2 example: Run from management account:

❯ cloudfox aws -p playground.AWSAdministratorAccess orgs
[🦊 cloudfox v1.13.2 🦊 ][playground.AWSAdministratorAccess] AWS Caller Identity: arn:aws:sts::289507344597:assumed-role/AWSReservedSSO_AWSAdministratorAccess_04a51e460aab782d/seth
[🦊 cloudfox v1.13.2 🦊 ][playground.AWSAdministratorAccess] Account is part of an Organization and is the Management account
[org][playground.AWSAdministratorAccess] Checking if account 289507344597 is the management account in an organization.
╭──────────────┬──────────────┬──────────────────────┬────────┬────────────────────╮
│     Name     │      ID      │ isManagementAccount? │ Status │ Email              │
├──────────────┼──────────────┼──────────────────────┼────────┼────────────────────┤
│ client       │ 717042662323 │ false                │ ACTIVE │ [redacted]         │
│ cloudfoxable │ 987990985088 │ false                │ ACTIVE │ [redacted]         │
│ playground   │ 289507344597 │ true                 │ ACTIVE │ [email protected] │
│ Log Archive  │ 628867649448 │ false                │ ACTIVE │ [redacted]         │
│ Audit        │ 002311171827 │ false                │ ACTIVE │ [redacted]         │
│ dev          │ 884343876563 │ false                │ ACTIVE │ [redacted]         │
│ prod         │ 013727781308 │ false                │ ACTIVE │ [redacted]         │
│ cloudfox-lab │ 049881439828 │ false                │ ACTIVE │ [redacted]         │
│ Operations   │ 654654594067 │ false                │ ACTIVE │ [redacted]         │
╰──────────────┴──────────────┴──────────────────────┴────────┴────────────────────╯
[org][playground.AWSAdministratorAccess] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/playground.AWSAdministratorAccess-289507344597/table/org.txt
[org][playground.AWSAdministratorAccess] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/playground.AWSAdministratorAccess-289507344597/csv/org.csv
[org][playground.AWSAdministratorAccess] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/playground.AWSAdministratorAccess-289507344597/json/org.json
[org][playground.AWSAdministratorAccess] 10 accounts found.
[org][playground.AWSAdministratorAccess] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#org
[🦊 cloudfox v1.13.2 🦊 ][playground.AWSAdministratorAccess] Cached AWS data written to /Users/sethart/.cloudfox/cached-data/aws/289507344597

outbound-assumed-roles

Command outbound-assumed-roles
Summary List the roles that have been assumed by principals in this account. This is an excellent way to find outbound attack paths that lead into other accounts.
Introduced v1.6.0
Background You can think of role assumption like Run-As in Windows/Active Directory. It's essentially like saying user A has permissions to run commands as user B. In AWS, you can create a role in one account (e.g., the development account) that can be assumed by another principal, even in a different account (e.g., the production account).

So how do you find these relationships? If you have read-only style access to the development account, you can use the cloudfox role-trusts command to quickly look at all of the roles in that development account and see which roles are configured to trust which principals, which is useful info for a penetration tester.

But, let's say you don't have read-only type access to production, and you want to know if there is any role in production that trusts a principal in development. One cool way to do that is by looking at the Cloudtrail logs in development for any AssumedRole events that show that a principal in development has assumed a role in production. And that's exactly what this command does.

This command searches CloudTrail logs in every region, so in large accounts that have been around for a while it can take a long time to run, which is why it is excluded from all-checks. Note also that it only looks back over a limited window (7 days in the example output below), so a cross-account assumption that happens less often than that will not show up.

Also note, that if your goal is to get to production, and you already have read-only access to production, it is much easier to just run the role-trusts command in production and look for any roles that trust something in development.
Use case 1: You have access to account A but not account B, and you want to know whether any principals in account A can assume roles in account B. If you find any, target those principals in account A: once you gain access to them, you can pivot into account B.

Example:

❯ cloudfox aws --profile cf-exec -v2 outbound-assumed-roles
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662943206814835000
[outbound-assumed-roles] Enumerating outbound assumed role entries in cloudtrail for account 049881439828.
[outbound-assumed-roles] Going back through 7 days of cloudtrail events. (This command can be pretty slow, FYI)
[outbound-assumed-roles] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────┬───────────┬─────────┬───────────────────────────────────────────────┬───────────────────────────────────────────────────┬─────────────────────╮
│  Service   │  Region   │  Type   │               Source Principal                │               Destination Principal               │ Log Entry Timestamp │
├────────────┼───────────┼─────────┼───────────────────────────────────────────────┼───────────────────────────────────────────────────┼─────────────────────┤
│ CloudTrail │ us-east-1 │ IAMUser │ arn:aws:iam::049881439828:user/terraform-user │ arn:aws:iam::049881439828:role/CloudFox-exec-role │ 2022-09-12 00:39:12 │
│ CloudTrail │ us-east-1 │ IAMUser │ arn:aws:iam::049881439828:user/terraform-user │ arn:aws:iam::049881439828:role/CloudFox-exec-role │ 2022-09-12 00:39:11 │
...omitted for brevity...
╰────────────┴───────────┴─────────┴───────────────────────────────────────────────┴───────────────────────────────────────────────────┴─────────────────────╯
[outbound-assumed-roles] Output written to [cloudfox-output/aws/cf-exec/table/outbound-assumed-roles.txt]
[outbound-assumed-roles] Output written to [cloudfox-output/aws/cf-exec/csv/outbound-assumed-roles.csv]
[outbound-assumed-roles] 954 log entries found.
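The CloudTrail search this command performs, as an added example that is not part of CloudFox (Python; the account ID, ARNs and records are constructed to mirror the layout CloudTrail uses for sts:AssumeRole records, and the real command's filtering logic is not reproduced):

```python
"""Added example (not CloudFox code): extract outbound AssumeRole edges from
CloudTrail records and keep only the ones that cross an account boundary."""
import json
from datetime import datetime

HOME_ACCOUNT = "111111111111"  # the account whose CloudTrail we are reading (made up)

# Constructed records in the shape CloudTrail emits for sts:AssumeRole. All
# account IDs, ARNs and timestamps here are invented for the example.
SAMPLE_EVENTS = [
    {   # same-account assumption, like the terraform-user rows in the table above
        "eventTime": "2022-09-12T00:39:12Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "accountId": HOME_ACCOUNT,
                         "arn": f"arn:aws:iam::{HOME_ACCOUNT}:user/terraform-user"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{HOME_ACCOUNT}:role/CloudFox-exec-role",
                              "roleSessionName": "aws-go-sdk-1662943206814835000"},
    },
    {   # role chaining into another account: the finding we care about
        "eventTime": "2022-09-12T01:02:03Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole", "accountId": HOME_ACCOUNT,
                         "arn": f"arn:aws:sts::{HOME_ACCOUNT}:assumed-role/deploy/ci"},
        "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/ProdDeploy",
                              "roleSessionName": "ci"},
    },
    {   # an AWS service assuming a role on the account's behalf: no caller ARN
        "eventTime": "2022-09-12T01:05:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "awsRegion": "us-east-1",
        "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{HOME_ACCOUNT}:role/aaronson"},
    },
    {   # unrelated management event, must be ignored
        "eventTime": "2022-09-12T01:06:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "accountId": HOME_ACCOUNT,
                         "arn": f"arn:aws:iam::{HOME_ACCOUNT}:user/pele"},
    },
]

# cloudtrail.lookup_events() hands back each full record as a JSON string in the
# CloudTrailEvent field; this mimics one page of that response.
SAMPLE_LOOKUP_RESPONSE = {"Events": [{"CloudTrailEvent": json.dumps(ev)} for ev in SAMPLE_EVENTS]}


def events_from_lookup_response(resp):
    """Unpack one lookup_events() page into plain record dicts."""
    return [json.loads(e["CloudTrailEvent"]) for e in resp.get("Events", [])]


def account_of(arn):
    """The account ID is the fifth colon-separated field of any ARN."""
    return arn.split(":")[4]


def assumed_role_edges(events, home_account):
    """One edge per AssumeRole call made by a principal that lives in home_account.
    Inbound calls (foreign principals assuming roles here) and service-initiated
    calls carry a different or missing accountId and are skipped."""
    edges = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        ident = ev.get("userIdentity", {})
        src = ident.get("arn")
        if not src or ident.get("accountId") != home_account:
            continue
        dst = ev["requestParameters"]["roleArn"]
        edges.append({
            "region": ev["awsRegion"],
            "type": ident["type"],
            "source": src,
            "destination": dst,
            "time": datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "cross_account": account_of(dst) != home_account,
        })
    return edges


def outbound_cross_account(events, home_account):
    """Only the edges that leave the account: these name the principals to go after."""
    return [e for e in assumed_role_edges(events, home_account) if e["cross_account"]]


if __name__ == "__main__":
    records = events_from_lookup_response(SAMPLE_LOOKUP_RESPONSE)
    for e in outbound_cross_account(records, HOME_ACCOUNT):
        print(e["time"], e["type"], e["source"], "->", e["destination"])
```

The same-account edge is kept in assumed_role_edges because it still tells you which principals can reach which roles, but only the cross-account subset answers the question this command exists for.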

permissions

Command permissions
Summary Enumerates all of the IAM permissions available to a principal (resource-based permissions not included yet).
Introduced v1.6.0
Background A principal (an IAM user or role) gets its permissions from the policies attached to it. Each user or role can have zero, one or many policies attached, and each policy can grant any number of permissions.

This module is very simple: it iterates over each principal, then over every policy attached to that principal, and prints every permission each policy grants. What this gives you is a quick and dirty view of the permissions any principal has.

It's important to note that this module does not take transitive access into account. If user A can privesc to user B, then user A can really do everything user B can do, but we don't reflect that here; we simply list the permissions directly assigned to user A. Nor does it evaluate the policies: Allow and Deny statements and their resources are listed as written, so treat a matching Allow as "worth checking", not as proof that the action would succeed.
Use case 1: You want to know what permissions a user or role has without going to the web console and expanding each policy widget one at a time.
Use case 2: You want to quickly find every principal with access to a service you are interested in. You can grep the output for the service or permission, but be mindful that if a principal has been granted ec2:* and you grep for ec2:RunInstances, your grep will not match (IAM action names are also case-insensitive, so use grep -i). If you want to be precise, use the iam-simulator command instead.

Example:

❯ cloudfox aws --profile cf-prod permissions -v2
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662946240793435000
[permissions] Enumerating IAM permissions for account 049881439828.
╭─────────┬────────────────┬────────────────────────────────────────────────────────┬─────────────┬──────────────────────────────────────────┬────────┬─────────────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────╮
│ Service │ Principal Type │                          Name                          │ Policy Type │               Policy Name                │ Effect │                               Action                                │                                      Resource                                       │
├─────────┼────────────────┼────────────────────────────────────────────────────────┼─────────────┼──────────────────────────────────────────┼────────┼─────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────┤
│ IAM     │ Role           │ aaronson                                               │ Managed     │ lambda-policy1                           │ Allow  │ logs:CreateLogGroup                                                 │ *                                                                                   │
│ IAM     │ Role           │ aaronson                                               │ Managed     │ lambda-policy1                           │ Allow  │ logs:CreateLogStream                                                │ *                                                                                   │
│ IAM     │ Role           │ aaronson                                               │ Managed     │ lambda-policy1                           │ Allow  │ logs:PutLogEvents                                                   │ *                                                                                   │
│ IAM     │ Role           │ adams                                                  │ Managed     │ lambda-policy2                           │ Allow  │ *                                                                   │ *                                                                                   │
│ IAM     │ Role           │ AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ Managed     │ AdministratorAccess                      │ Allow  │ *                                                                   │ *                                                                                   │
│ IAM     │ Role           │ AWSReservedSSO_interns_9b819cbe299f5da5                │ Managed     │ the_interns                              │ Allow  │ ec2:DescribeInstances                                               │ *                                                                                   │
│ IAM     │ Role           │ AWSReservedSSO_interns_9b819cbe299f5da5                │ Managed     │ the_interns                              │ Allow  │ lambda:ListFunctions                                                │ *                                                                                   │
│ IAM     │ Role           │ AWSReservedSSO_interns_9b819cbe299f5da5                │ Managed     │ the_interns                              │ Allow  │ lambda:ListFunctionUrlConfigs                                       │ *                                                                                   │
...omitted for brevity...
│ IAM     │ Role           │ lavelle                                                │ Managed     │ lambda-admin                             │ Allow  │ lambda:*                                                            │ *                                                                                   │
│ IAM     │ Role           │ lloyd                                                  │ Managed     │ cf-admin                                 │ Allow  │ cloudformation:*                                                    │ *                                                                                   │
│ IAM     │ Role           │ mckennie                                               │ Managed     │ cloudformation                           │ Allow  │ cloudformation:UpdateStack                                          │ *                                                                                   │
│ IAM     │ Role           │ mckennie                                               │ Managed     │ cloudformation                           │ Allow  │ cloudformation:DescribeStacks                                       │ *                                                                                   │
│ IAM     │ Role           │ morgan                                                 │ Managed     │ just-one-ec2                             │ Allow  │ ec2:DescribeInstanceAttributeInput                                  │ arn:aws:ec2:us-east-1:049881439828:instance/i-020e69c99ce4c7a97                     │
│ IAM     │ Role           │ not-admin                                              │ Managed     │ not-admin-access                         │ Allow  │ *                                                                   │ *                                                                                   │
│ IAM     │ Role           │ OrganizationAccountAccessRole                          │ Managed     │ AdministratorAccess                      │ Allow  │ *                                                                   │ *                                                                                   │
│ IAM     │ Role           │ press                                                  │ Managed     │ service-admin                            │ Allow  │ *                                                                   │ *                                                                                   │
│ IAM     │ Role           │ pulisic                                                │ Managed     │ privesc-ec2InstanceConnect-policy        │ Allow  │ ec2:DescribeInstances                                               │ *                                                                                   │
...omitted for brevity...
│ IAM     │ Role           │ rapinoe                                                │ Managed     │ cloudfox-ecs-role-policy                 │ Allow  │ ecr:BatchGetImage                                                   │ *                                                                                   │
│ IAM     │ Role           │ rapinoe                                                │ Managed     │ cloudfox-ecs-role-policy                 │ Allow  │ ecr:GetAuthorizationToken                                           │ *                                                                                   │
│ IAM     │ Role           │ rapinoe                                                │ Managed     │ cloudfox-ecs-role-policy                 │ Allow  │ ssm:TerminateSession                                                │ *                                                                                   │
│ IAM     │ Role           │ rapinoe                                                │ Managed     │ cloudfox-ecs-role-policy                 │ Allow  │ ec2:DescribeSnapshots                                               │ *                                                                                   │
│ IAM     │ Role           │ rapinoe                                                │ Managed     │ cloudfox-ecs-role-policy                 │ Allow  │ logs:PutLogEvents                                                   │ *                                                                                   │
│ IAM     │ Role           │ rapinoe                                                │ Managed     │ cloudfox-ecs-role-policy                 │ Allow  │ ecr:BatchCheckLayerAvailability                                     │ *                                                                                   │
│ IAM     │ Role           │ test                                                   │ Inline      │ test_inline                              │ Allow  │ s3:ListBucket                                                       │ arn:aws:s3:::*                                                                      │
│ IAM     │ Role           │ test                                                   │ Inline      │ test_inline                              │ Allow  │ s3:ListAllMyBuckets                                                 │ *                                                                                   │
│ IAM     │ User           │ terraform-user                                         │ Managed     │ AdministratorAccess                      │ Allow  │ *                                                                   │ *                                                                                   │
╰─────────┴────────────────┴────────────────────────────────────────────────────────┴─────────────┴──────────────────────────────────────────┴────────┴─────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────╯
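A wildcard-aware replacement for the grep in use case 2, as an added example that is not CloudFox's code. The CSV rows are constructed to mirror the columns of the table above; the header names are an assumption about the CSV layout, so adjust them if your permissions.csv differs.

```python
"""Added example (not CloudFox code): answer "who can call this action?" from the
permissions output without missing wildcard grants such as ec2:* or *."""
import csv
import fnmatch
import io

# Constructed rows modeled on the columns of the table above. The header names are
# an assumption about the CSV layout; adjust them if your permissions.csv differs.
SAMPLE_CSV = """\
Service,Principal Type,Name,Policy Type,Policy Name,Effect,Action,Resource
IAM,Role,adams,Managed,lambda-policy2,Allow,*,*
IAM,Role,AWSReservedSSO_interns_9b819cbe299f5da5,Managed,the_interns,Allow,ec2:DescribeInstances,*
IAM,Role,lloyd,Managed,cf-admin,Allow,cloudformation:*,*
IAM,Role,morgan,Managed,just-one-ec2,Allow,ec2:Describe*,arn:aws:ec2:us-east-1:049881439828:instance/i-020e69c99ce4c7a97
IAM,Role,pulisic,Managed,privesc-ec2InstanceConnect-policy,Allow,ec2:RunInstances,*
IAM,Role,pulisic,Managed,guardrail,Deny,ec2:RunInstances,*
IAM,User,terraform-user,Managed,AdministratorAccess,Allow,*,*
"""


def action_matches(pattern, action):
    """IAM action patterns are matched case-insensitively and may contain * and ?."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def who_can(csv_text, action):
    """Map principal -> {"effect", "grants"} for every principal with a statement
    whose Action pattern covers the action. An explicit Deny wins over Allow, as
    in IAM evaluation. Conditions are not part of this output, so an Allow here
    means "worth simulating", not "will succeed"."""
    verdict = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not action_matches(row["Action"], action):
            continue
        key = f'{row["Principal Type"].lower()}/{row["Name"]}'
        entry = verdict.setdefault(key, {"effect": "Allow", "grants": []})
        entry["grants"].append((row["Policy Name"], row["Effect"], row["Action"], row["Resource"]))
        if row["Effect"] == "Deny":
            entry["effect"] = "Deny"
    return verdict


def allowed_principals(csv_text, action):
    """Just the principals that come out Allow, sorted, for quick comparison with grep."""
    return sorted(k for k, v in who_can(csv_text, action).items() if v["effect"] == "Allow")


if __name__ == "__main__":
    import sys
    # usage: python who_can.py [permissions.csv] ec2:RunInstances
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_CSV
    wanted = sys.argv[-1] if len(sys.argv) > 1 else "ec2:RunInstances"
    for principal, v in sorted(who_can(text, wanted).items()):
        print(f"{v['effect']:<5} {principal}")
        for policy, effect, pattern, resource in v["grants"]:
            print(f"      {effect} {pattern} on {resource} (policy {policy})")
```

Run against the sample, ec2:RunInstances reports adams and terraform-user as Allow (both via a bare *) and pulisic as Deny, none of which a literal grep for the action string would have found correctly.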

pmapper

Command pmapper
Summary Looks for pmapper data stored on the local filesystem in pmapper's default data locations. If pmapper data is found (meaning you already ran pmapper graph create), this command uses it to build a graph in CloudFox memory and tells you who can privesc to admin.
Introduced v1.9.0
Background As documented in our blog post IAM Vulnerable - Assessing the AWS Assessment Tools, pmapper (principalmapper) is the most accurate open source AWS policy simulator that takes privilege escalation into account. CloudFox will not install or run pmapper for you, but because pmapper stores its graph data in a predictable location, this command checks whether that data exists and, if it does, gives you a list of every principal that pmapper thinks can escalate to admin.

If the pmapper data is not found, this command tries to give you the right pmapper commands to run. Several other CloudFox commands also enrich their output with pmapper data when it exists; when it does not, they fall back to CloudFox's iam-simulator command to work out who is an admin, which is essentially a wrapper around AWS's iam:SimulatePrincipalPolicy API call.

Example:

❯ cloudfox aws -p cflab pmapper -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[pmapper][cflab] Looking for pmapper data for this account and building a PrivEsc graph in golang if it exists.
[pmapper][cflab] Parsing pmapper data for account 049881439828.
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬──────────┬────────────────────╮
│                                                    Principal Arn                                                     │ IsAdmin? │ CanPrivEscToAdmin? │
├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼──────────┼────────────────────┤
│ arn:aws:iam::049881439828:user/pele                                                                                  │ No       │ YES                │
│ arn:aws:iam::049881439828:user/terraform-user                                                                        │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/adams                                                                                 │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO                               │ No       │ YES                │
│ arn:aws:iam::049881439828:role/dempsey                                                                               │ No       │ YES                │
│ arn:aws:iam::049881439828:role/donovan                                                                               │ No       │ YES                │
│ arn:aws:iam::049881439828:role/lavelle                                                                               │ No       │ YES                │
│ arn:aws:iam::049881439828:role/not-admin                                                                             │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole                                                         │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/press                                                                                 │ YES      │ YES                │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴──────────┴────────────────────╯
[pmapper] Output written to [cloudfox-output/aws/cflab/table/pmapper.txt]
[pmapper] Output written to [cloudfox-output/aws/cflab/csv/pmapper.csv]
[pmapper][cflab] 11 principals who are admin or have a path to admin identified.
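What "build a graph and tell you who can privesc to admin" means in practice, as an added example that is neither CloudFox's nor pmapper's code: the principal names echo the table above, but the admin set, the edges and the data layout are constructed for the example (pmapper's on-disk format is not reproduced). This is also the transitive access that the permissions command, by design, does not show.

```python
"""Added example (neither CloudFox's nor pmapper's code): given a set of admin
principals and "A can obtain B's credentials" edges, report who is admin and who
has a path to admin, with the path itself."""
from collections import deque

ACCOUNT = "049881439828"  # account from the example output above


def arn(kind, name):
    return f"arn:aws:iam::{ACCOUNT}:{kind}/{name}"


# Constructed graph: the names come from the table above, but which principals are
# admin and which edges exist are invented here, not taken from pmapper's output.
ADMINS = {arn("user", "terraform-user"), arn("role", "adams")}

# (source, destination, reason): source can end up running as destination
EDGES = [
    (arn("user", "pele"), arn("role", "lavelle"), "sts:AssumeRole allowed by trust policy"),
    (arn("role", "lavelle"), arn("role", "adams"), "lambda:UpdateFunctionCode on a function that runs as adams"),
    (arn("role", "test"), arn("role", "lavelle"), "iam:PassRole + lambda:CreateFunction"),
    (arn("role", "dempsey"), arn("role", "donovan"), "sts:AssumeRole"),
    (arn("role", "donovan"), arn("role", "dempsey"), "sts:AssumeRole"),  # a cycle with no admin in it
]
PRINCIPALS = sorted(ADMINS | {s for s, _, _ in EDGES} | {d for _, d, _ in EDGES})


def build_adjacency(edges):
    adj = {}
    for src, dst, reason in edges:
        adj.setdefault(src, []).append((dst, reason))
    return adj


def path_to_admin(start, admins, adj):
    """Breadth-first search from start. Returns [] if start is already admin, a list
    of (from, reason, to) hops to the nearest admin, or None if no admin is reachable.
    The visited map doubles as parent pointers, so cycles terminate."""
    if start in admins:
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt, reason in adj.get(cur, []):
            if nxt in parent:
                continue
            parent[nxt] = (cur, reason)
            if nxt in admins:
                hops, node = [], nxt
                while parent[node] is not None:
                    prev, why = parent[node]
                    hops.append((prev, why, node))
                    node = prev
                return hops[::-1]
            queue.append(nxt)
    return None


def privesc_report(principals, admins, edges):
    """One row per principal, mirroring the IsAdmin? / CanPrivEscToAdmin? columns."""
    adj = build_adjacency(edges)
    rows = []
    for p in principals:
        path = path_to_admin(p, admins, adj)
        rows.append({"arn": p, "is_admin": p in admins,
                     "can_privesc": path is not None, "path": path})
    return rows


if __name__ == "__main__":
    for row in privesc_report(PRINCIPALS, ADMINS, EDGES):
        print(f'{row["arn"]:<60} admin={row["is_admin"]!s:<5} path_to_admin={row["can_privesc"]}')
        for src, why, dst in row["path"] or []:
            print(f"    {src.rsplit('/', 1)[-1]} -> {dst.rsplit('/', 1)[-1]}: {why}")
```

Because the search stops at the first admin reached, the printed path is the shortest chain, which is usually the one you want to try first on an engagement; dempsey and donovan can reach each other but neither reaches an admin, so they are reported without a path.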

principals

Command principals
Summary Enumerates IAM users and Roles so you have the data at your fingertips.
Introduced v1.6.0
Background AWS uses the term principal to encompass IAM users and IAM roles. It's nice to have this information in a greppable form.

Example:

❯ cloudfox aws --profile cf-exec -v2 principals
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662946413386360000
[principals] Enumerating IAM Users and Roles for account 049881439828.
╭─────────┬──────┬────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Service │ Type │                          Name                          │                                                           Arn                                                            │
├─────────┼──────┼────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ IAM     │ User │ pele                                                   │ arn:aws:iam::049881439828:user/pele                                                                                      │
│ IAM     │ User │ terraform-user                                         │ arn:aws:iam::049881439828:user/terraform-user                                                                            │
│ IAM     │ Role │ aaronson                                               │ arn:aws:iam::049881439828:role/aaronson                                                                                  │
│ IAM     │ Role │ adams                                                  │ arn:aws:iam::049881439828:role/adams                                                                                     │
│ IAM     │ Role │ AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0     │
│ IAM     │ Role │ AWSReservedSSO_interns_9b819cbe299f5da5                │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                    │
│ IAM     │ Role │ AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876              │
│ IAM     │ Role │ AWSServiceRoleForAccessAnalyzer                        │ arn:aws:iam::049881439828:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer            │
│ IAM     │ Role │ AWSServiceRoleForAmazonElasticFileSystem               │ arn:aws:iam::049881439828:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem │
│ IAM     │ Role │ AWSServiceRoleForAppRunner                             │ arn:aws:iam::049881439828:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner                       │
│ IAM     │ Role │ AWSServiceRoleForECS                                   │ arn:aws:iam::049881439828:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS                                   │
│ IAM     │ Role │ AWSServiceRoleForElastiCache                           │ arn:aws:iam::049881439828:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache                   │
│ IAM     │ Role │ AWSServiceRoleForElasticLoadBalancing                  │ arn:aws:iam::049881439828:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing │
│ IAM     │ Role │ AWSServiceRoleForOrganizations                         │ arn:aws:iam::049881439828:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations               │
│ IAM     │ Role │ AWSServiceRoleForRDS                                   │ arn:aws:iam::049881439828:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS                                   │
│ IAM     │ Role │ AWSServiceRoleForSSO                                   │ arn:aws:iam::049881439828:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO                                   │
│ IAM     │ Role │ AWSServiceRoleForSupport                               │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                           │
│ IAM     │ Role │ AWSServiceRoleForTrustedAdvisor                        │ arn:aws:iam::049881439828:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor             │
│ IAM     │ Role │ CloudFox-exec-role                                     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                        │
│ IAM     │ Role │ dempsey                                                │ arn:aws:iam::049881439828:role/dempsey                                                                                   │
│ IAM     │ Role │ donovan                                                │ arn:aws:iam::049881439828:role/donovan                                                                                   │
│ IAM     │ Role │ lavelle                                                │ arn:aws:iam::049881439828:role/lavelle                                                                                   │
│ IAM     │ Role │ lloyd                                                  │ arn:aws:iam::049881439828:role/lloyd                                                                                     │
│ IAM     │ Role │ mckennie                                               │ arn:aws:iam::049881439828:role/mckennie                                                                                  │
│ IAM     │ Role │ morgan                                                 │ arn:aws:iam::049881439828:role/morgan                                                                                    │
│ IAM     │ Role │ not-admin                                              │ arn:aws:iam::049881439828:role/not-admin                                                                                 │
│ IAM     │ Role │ OrganizationAccountAccessRole                          │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole                                                             │
│ IAM     │ Role │ press                                                  │ arn:aws:iam::049881439828:role/press                                                                                     │
│ IAM     │ Role │ pulisic                                                │ arn:aws:iam::049881439828:role/pulisic                                                                                   │
│ IAM     │ Role │ rapinoe                                                │ arn:aws:iam::049881439828:role/rapinoe                                                                                   │
│ IAM     │ Role │ test                                                   │ arn:aws:iam::049881439828:role/test                                                                                      │
╰─────────┴──────┴────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
[principals] Output written to [cloudfox-output/aws/cf-exec/table/principals.txt]
[principals] Output written to [cloudfox-output/aws/cf-exec/csv/principals.csv]
[principals] 31 IAM principals found.

ram

Command ram
Summary List all resources in this account that are shared with other accounts, or resources from other accounts that are shared with this account. Useful for cross-account attack paths.
Introduced v1.8.0
Background AWS RAM is a service that lets users share AWS resources with other AWS accounts or within their own organization. This is useful to builders, but it also has scary security implications: it is a way to poke holes in the account-level security boundary. For example, if you compromise the DEV environment and a resource from the PROD account is shared with the DEV account, that share becomes a potential path for an attacker to move from DEV to PROD.

Example:

❯ cloudfox aws --profile cflab -v2 ram
[🦊 cloudfox v1.8.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/seth
[ram][cflab] Enumerating shared resources for account 049881439828.
[ram] Status: 21/21 regions complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬───────────┬────────────┬───────────────────┬──────────────┬─────────────────────────────────────────────────────╮
│ Service │  Region   │ Share Name │       Type        │    Owner     │                     Share Type                      │
├─────────┼───────────┼────────────┼───────────────────┼──────────────┼─────────────────────────────────────────────────────┤
│ RAM     │ us-east-1 │ ram_test   │ ec2:Subnet        │ 289507344597 │ Inbound share (Another account shared this with me) │
│ RAM     │ us-east-1 │ ram_test   │ codebuild:Project │ 289507344597 │ Inbound share (Another account shared this with me) │
╰─────────┴───────────┴────────────┴───────────────────┴──────────────┴─────────────────────────────────────────────────────╯
[ram] Output written to [cloudfox-output/aws/cflab/table/ram.txt]
[ram] Output written to [cloudfox-output/aws/cflab/csv/ram.csv]
[ram][cflab] 2 resources found.

resource-trusts

Command resource-trusts
Summary Enumerate resource trusts from popular services. This command does not check all AWS services that support resource trusts, but it does focus on the big ones that can be most likely abused from an offensive security perspective.
Introduced v1.13.0
Background In AWS's security model, IAM permissions are attached to IAM principals and allow access to resources. Think of this as a forward trust: an IAM policy attached to the user seth allows seth to perform certain actions on the resources the policy names.

You can also have the trust pointing the other way: a policy attached to the resource itself that allows certain principals to access it. An S3 bucket, an SNS topic or an SQS queue can each carry a resource policy granting the user seth some permissions on that one resource. This matters because, even if seth has no IAM permissions at all, a resource policy on the bucket important-stuff that allows seth to list and download objects means seth can do exactly that. Within the same account a resource-policy Allow is sufficient on its own; across accounts the calling principal also needs an identity policy that allows the action.

If it helps, consider how you would make a bucket, an SNS topic or an SQS queue public: with a resource policy that grants read or write permission to * (everyone). That is also what the two verdict columns in the output mean. In the example below, a wildcard principal with no condition is marked Public, while a wildcard principal narrowed by a condition such as aws:PrincipalAccount or aws:SourceIp is not Public but is still marked Interesting. Read the conditions carefully, though: lambda:FunctionUrlAuthType = NONE constrains how the function is invoked, not who invokes it, so a function URL carrying that policy is reachable by anyone on the internet even though the Public column says No.
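How a Public / Interesting verdict can be derived from a resource policy, as an added example that is not CloudFox's code. The policies are constructed to match the SNS, S3 and Lambda rows in the example output below; the rule that some condition keys (lambda:FunctionUrlAuthType, aws:SecureTransport) describe how a call is made rather than who makes it is this example's own judgement, not CloudFox's.

```python
"""Added example (not CloudFox code): summarize the Allow statements of a resource
policy and decide whether each one is public, merely interesting, or neither."""

ACCOUNT = "987990985088"  # account from the example output below

# Constructed policies shaped like the SNS, Lambda and S3 rows in the table below.
PUBLIC_TOPIC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sns:Publish",
     "Resource": f"arn:aws:sns:us-west-2:{ACCOUNT}:public"}]}

SCOPED_TOPIC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["sns:Subscribe", "sns:Publish"],
     "Resource": f"arn:aws:sns:us-west-2:{ACCOUNT}:executioner",
     "Condition": {"StringEquals": {"aws:PrincipalAccount": ACCOUNT}}}]}

FUNCTION_URL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "lambda:InvokeFunctionUrl",
     "Resource": f"arn:aws:lambda:us-west-2:{ACCOUNT}:function:auth-me",
     "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]}

CLOUDTRAIL_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AclCheck", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::aws-cloudtrail-logs-example",
     "Condition": {"StringEquals": {"AWS:SourceArn": f"arn:aws:cloudtrail:us-west-2:{ACCOUNT}:trail/management-events"}}},
    {"Sid": "Write", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::aws-cloudtrail-logs-example/AWSLogs/*",
     "Condition": {"StringEquals": {"AWS:SourceArn": f"arn:aws:cloudtrail:us-west-2:{ACCOUNT}:trail/management-events",
                                    "s3:x-amz-acl": "bucket-owner-full-control"}}}]}

# This example's own judgement: these keys constrain HOW a call is made, not WHO
# makes it, so they do not stop a wildcard principal from being public.
NON_IDENTITY_CONDITION_KEYS = {"lambda:functionurlauthtype", "aws:securetransport"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def principals_of(stmt):
    """Flatten the Principal element to a list of strings; '*' means everyone."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    out = []
    for vals in p.values():  # keys are AWS / Service / Federated / CanonicalUser
        out.extend(_as_list(vals))
    return out


def summarize_policy(policy):
    """One summary dict per Allow statement (Deny and NotPrincipal are not handled)."""
    rows = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        princs = principals_of(stmt)
        actions = _as_list(stmt.get("Action", []))
        conds, identity_bound = [], False
        for op, kv in stmt.get("Condition", {}).items():
            for key, val in kv.items():
                conds.append(f"{key} {op} {', '.join(map(str, _as_list(val)))}")
                if key.lower() not in NON_IDENTITY_CONDITION_KEYS:
                    identity_bound = True
        everyone = "*" in princs
        who = "Everyone" if everyone else ", ".join(princs)
        rows.append({
            "sid": stmt.get("Sid", ""),
            "summary": f"{who} can {' & can '.join(actions)}",
            "conditions": conds,
            "public": everyone and not identity_bound,  # anyone, from anywhere
            "interesting": everyone,                     # anyone, but gated by a condition
        })
    return rows


if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_TOPIC), ("executioner", SCOPED_TOPIC),
                      ("auth-me", FUNCTION_URL), ("cloudtrail bucket", CLOUDTRAIL_BUCKET)]:
        for r in summarize_policy(pol):
            print(f'{name:<18} public={r["public"]!s:<5} interesting={r["interesting"]!s:<5} {r["summary"]}')
            for c in r["conditions"]:
                print(f'{"":<18} -> Only when {c}')
```

The executioner topic comes out interesting but not public because aws:PrincipalAccount pins the caller to one account; the auth-me function URL comes out public because its only condition says nothing about who is calling. Anything with a service principal and a SourceArn condition, like the CloudTrail bucket, is neither.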

Example:

❯ cloudfox aws -p cloudfoxable resource-trusts
[🦊 cloudfox v1.13.2 🦊 ][cloudfoxable] AWS Caller Identity: arn:aws:iam::987990985088:user/ctf-starting-user
[🦊 cloudfox v1.13.2 🦊 ][cloudfoxable] Account is part of an Organization and is a child account. Management Account: 289507344597
[resource-trusts][cloudfoxable] Enumerating Resources with resource policies for account 987990985088.
[resource-trusts][cloudfoxable] Supported Services: CodeBuild, ECR, EFS, Glue, Lambda, SecretsManager, S3, SNS, SQS
[resource-trusts] Status: 137/137 tasks complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────────────────────────────────────────────────────┬────────┬─────────────┬────────────────────────────────────────────────────────────────────────────────────────────────╮
│                            ARN                             │ Public │ Interesting │                                    Resource Policy Summary                                     │
├────────────────────────────────────────────────────────────┼────────┼─────────────┼────────────────────────────────────────────────────────────────────────────────────────────────┤
│ arn:aws:sns:us-west-2:987990985088:eventbridge-sns         │ No     │ Yes         │ Everyone can sns:Subscribe & can sns:Publish                                                   │
│                                                            │        │             │ -> Only when aws:SourceIp IpAddress 74.69.129.103/32                                           │
│ arn:aws:sns:us-west-2:987990985088:executioner             │ No     │ Yes         │ Everyone can sns:Subscribe & can sns:Publish                                                   │
│                                                            │        │             │ -> Only when aws:PrincipalAccount = 987990985088                                               │
│ arn:aws:sns:us-west-2:987990985088:public                  │ Yes    │ Yes         │ * can sns:Publish                                                                              │
│ arn:aws:sqs:us-west-2:987990985088:internal_message_bus    │ No     │ Yes         │ Everyone can sqs:SendMessage & can sqs:ReceiveMessage                                          │
│                                                            │        │             │ -> Only when aws:SourceIp IpAddress 74.69.129.103/32                                           │
│ arn:aws:sqs:us-west-2:987990985088:process_orders          │ Yes    │ Yes         │ * can sqs:SendMessage                                                                          │
│ arn:aws:lambda:us-west-2:987990985088:function:auth-me     │ No     │ Yes         │ Everyone can lambda:InvokeFunctionUrl                                                          │
│                                                            │        │             │ -> Only when lambda:FunctionUrlAuthType = NONE                                                 │
│ arn:aws:lambda:us-west-2:987990985088:function:furls1      │ No     │ Yes         │ Everyone can lambda:InvokeFunctionUrl                                                          │
│                                                            │        │             │ -> Only when lambda:FunctionUrlAuthType = NONE                                                 │
│ arn:aws:s3:::aws-cloudtrail-logs-987990985088-308a6ed7     │ No     │ No          │ Statement 0 says: cloudtrail.amazonaws.com can s3:GetBucketAcl                                 │
│                                                            │        │             │ -> Only when AWS:SourceArn = arn:aws:cloudtrail:us-west-2:987990985088:trail/management-events │
│                                                            │        │             │                                                                                                │
│                                                            │        │             │ Statement 1 says: cloudtrail.amazonaws.com can s3:PutObject                                    │
│                                                            │        │             │ -> Only when AWS:SourceArn = arn:aws:cloudtrail:us-west-2:987990985088:trail/management-events │
│                                                            │        │             │ -> Only when s3:x-amz-acl = bucket-owner-full-control                                          │
│ arn:aws:sns:us-west-2:987990985088:user-updates-topic      │ No     │ No          │ Statement 0 says: * can sns:Publish                                                            │
│                                                            │        │             │ -> Only when AWS:SourceOwner = 111111111111                                                    │
│                                                            │        │             │                                                                                                │
│                                                            │        │             │ Statement 1 says: * can sns:Subscribe                                                          │
│                                                            │        │             │ -> Only when AWS:SourceOwner = 111111111111                                                    │
│ arn:aws:sns:us-west-2:987990985088:user-updates-topic.fifo │ No     │ No          │ Default resource policy: Not exploitable                                                       │
│ arn:aws:lambda:us-west-2:987990985088:function:executioner │ No     │ No          │ sns.amazonaws.com can lambda:InvokeFunction                                                    │
│                                                            │        │             │ -> Only when AWS:SourceArn is like arn:aws:sns:us-west-2:987990985088:executioner              │
╰────────────────────────────────────────────────────────────┴────────┴─────────────┴────────────────────────────────────────────────────────────────────────────────────────────────╯
[resource-trusts][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/table/resource-trusts.txt
[resource-trusts][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/csv/resource-trusts.csv
[resource-trusts][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/json/resource-trusts.json
[resource-trusts][cloudfoxable] 11 resource policies found.
[resource-trusts][cloudfoxable] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#resource-trusts
[🦊 cloudfox v1.13.2 🦊 ][cloudfoxable] Cached AWS data written to /Users/sethart/.cloudfox/cached-data/aws/987990985088

role-trusts

Command role-trusts
Summary This command will give you three tables. One for roles that trust one or more principals. Another one for roles that trust an AWS service. And a third for roles that trust a federated identity. It is possible that one role shows up in multiple tables because one role can trust one or more of these entities.
Introduced v1.6.0
Background You can think of role assumption like Run-As in Windows/Active Directory. It's essentially like saying user A has permissions to run commands as user B. In AWS, you can create a role in one account (e.g., the development account) that can be assumed by another principal, even in a different account (e.g., the production account).

So how do you find these relationships? If you have read-only style access to the development account, you can use the cloudfox role-trusts command to quickly look at all of the roles in that development account and see which roles are configured to trust which principals, which is useful info for a penetration tester. And you can do the same in any other in-scope account where you have read-only access.
Use case 1 Use this data to search IAM role trust policies for trusts to a specific principal or an AWS account. This is particularly useful when assessing privilege escalation paths through assume role actions. In most cases, the assuming principal will also need to have the sts:AssumeRole permission; however, if the trusted principal is specifically named in the trust policy and belongs to the same account as the trusting role, the trusted principal does not need the sts:AssumeRole permission.

Example:

❯ cloudfox aws -p cflab role-trusts -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[role-trusts][cflab] Enumerating role trusts for account 049881439828.
[role-trusts][cflab] Looking for pmapper data for this account and building a PrivEsc graph in golang if it exists.
[role-trusts][cflab] Found pmapper data for this account. Using it for role analysis
╭──────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────┬────────────┬──────────┬────────────────────╮
│                             Role                             │                                  Trusted Principal                                  │ ExternalID │ IsAdmin? │ CanPrivEscToAdmin? │
├──────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────┼────────────┼──────────┼────────────────────┤
│ arn:aws:iam::049881439828:role/morgan                        │ arn:aws:iam::049881439828:user/pele                                                 │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/not-admin                     │ arn:aws:iam::049881439828:user/pele                                                 │            │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/CloudFox-exec-role            │ arn:aws:iam::049881439828:user/security                                             │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/dempsey                       │ arn:aws:iam::049881439828:user/terraform-user                                       │            │ No       │ YES                │
│ arn:aws:iam::049881439828:role/donovan                       │ arn:aws:iam::049881439828:user/terraform-user                                       │            │ No       │ YES                │
│ arn:aws:iam::049881439828:role/mckennie                      │ arn:aws:iam::049881439828:user/terraform-user                                       │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/pulisic                       │ arn:aws:iam::049881439828:user/terraform-user                                       │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ arn:aws:iam::289507344597:root                                                      │            │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/test                          │ arn:aws:sts::049881439828:assumed-role/AWSReservedSSO_interns_9b819cbe299f5da5/seth │            │ No       │ No                 │
╰──────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────┴────────────┴──────────┴────────────────────╯
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-principals.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-principals.csv]
[role-trusts][cflab] 9 role trusts found.
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────────────────────────────────┬────────────┬──────────┬────────────────────╮
│                                                           Role                                                           │          Trusted Service           │ ExternalID │ IsAdmin? │ CanPrivEscToAdmin? │
├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────┼────────────┼──────────┼────────────────────┤
│ arn:aws:iam::049881439828:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer            │ access-analyzer.amazonaws.com      │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner                       │ apprunner.amazonaws.com            │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/lloyd                                                                                     │ cloudformation.amazonaws.com       │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/press                                                                                     │ ec2.amazonaws.com                  │            │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/imdvs2-challenge-role                                                                     │ ec2.amazonaws.com                  │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/rapinoe                                                                                   │ ecs-tasks.amazonaws.com            │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS                                   │ ecs.amazonaws.com                  │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache                   │ elasticache.amazonaws.com          │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem │ elasticfilesystem.amazonaws.com    │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing │ elasticloadbalancing.amazonaws.com │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aaronson                                                                                  │ lambda.amazonaws.com               │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/adams                                                                                     │ lambda.amazonaws.com               │            │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/lavelle                                                                                   │ lambda.amazonaws.com               │            │ No       │ YES                │
│ arn:aws:iam::049881439828:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations               │ organizations.amazonaws.com        │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS                                   │ rds.amazonaws.com                  │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO                                   │ sso.amazonaws.com                  │            │ No       │ YES                │
│ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                           │ support.amazonaws.com              │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor             │ trustedadvisor.amazonaws.com       │            │ No       │ No                 │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────────┴────────────┴──────────┴────────────────────╯
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-services.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-services.csv]
[role-trusts][cflab] 18 role trusts found.
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────┬─────────────────┬──────────┬────────────────────╮
│                                                         Role                                                         │                                    Trusted Provider                                     │ Trusted Subject │ IsAdmin? │ CanPrivEscToAdmin? │
├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────┼─────────────────┼──────────┼────────────────────┤
│ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ AWS SSO (arn:aws:iam::049881439828:saml-provider/AWSSSO_6cc8120b9b76e4be_DO_NOT_DELETE) │ Not applicable  │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                │ AWS SSO (arn:aws:iam::049881439828:saml-provider/AWSSSO_6cc8120b9b76e4be_DO_NOT_DELETE) │ Not applicable  │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ AWS SSO (arn:aws:iam::049881439828:saml-provider/AWSSSO_6cc8120b9b76e4be_DO_NOT_DELETE) │ Not applicable  │ No       │ No                 │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────┴─────────────────┴──────────┴────────────────────╯
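The three tables above are produced by splitting each role's trust policy (its AssumeRolePolicyDocument) by the kind of principal it names. The following is an added example, not CloudFox code, that does the same split over constructed sample trust policies and also records the two facts the use case above cares about: whether the trust crosses an account boundary (and whether an sts:ExternalId condition is set on it), and whether the trusted principal needs an explicit sts:AssumeRole permission of its own. Account ids, role names and the external id value are placeholders.

```python
"""Classify IAM role trust policies into principal / service / federated
trusts, the way the three role-trusts tables split them.

Added example, not CloudFox code. The roles below are constructed sample
data modelled on the tables above; account ids are placeholders.
"""
import json

ROLE_ACCOUNT = "111111111111"  # constructed: the account the roles live in

# Constructed sample AssumeRolePolicyDocuments (JSON as IAM returns them).
SAMPLE_ROLES = {
    "arn:aws:iam::111111111111:role/morgan": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": "arn:aws:iam::111111111111:user/pele"}}]}),
    "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]}),
    "arn:aws:iam::111111111111:role/vendor": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
                       "Condition": {"StringEquals": {"sts:ExternalId": "example-ext-id"}}}]}),
    "arn:aws:iam::111111111111:role/press": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"Service": "ec2.amazonaws.com"}}]}),
    "arn:aws:iam::111111111111:role/sso-admin": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
                       "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/AWSSSO_example"},
                       "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}),
}


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    """Account id is the 5th colon-separated field of an ARN ('*' has none)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def _external_id(statement):
    """Value of any sts:ExternalId condition on the statement, else ''."""
    for _op, kv in statement.get("Condition", {}).items():
        for key, val in kv.items():
            if key.lower() == "sts:externalid":
                return ", ".join(_as_list(val))
    return ""


def classify_trusts(roles, role_account=ROLE_ACCOUNT):
    """Return {'principals': [...], 'services': [...], 'federated': [...]}.

    One row per (role, trusted entity). Principal rows also carry whether the
    trust is cross-account and whether the trusted principal must hold its own
    sts:AssumeRole permission (not needed only for a specifically named,
    same-account principal, i.e. not the account root and not '*')."""
    out = {"principals": [], "services": [], "federated": []}
    for role_arn, doc in roles.items():
        for st in _as_list(json.loads(doc).get("Statement")):
            if st.get("Effect") != "Allow":
                continue
            principal = st.get("Principal", {})
            if principal == "*":
                principal = {"AWS": "*"}
            ext = _external_id(st)
            for p in _as_list(principal.get("AWS")):
                acct = _account_of(p)
                named_same_account = acct == role_account and not p.endswith(":root")
                out["principals"].append({
                    "role": role_arn, "trusted": p, "external_id": ext,
                    "cross_account": p == "*" or (acct is not None and acct != role_account),
                    "explicit_assume_permission_needed": not named_same_account,
                })
            for s in _as_list(principal.get("Service")):
                out["services"].append({"role": role_arn, "trusted": s, "external_id": ext})
            for f in _as_list(principal.get("Federated")):
                out["federated"].append({"role": role_arn, "trusted": f, "external_id": ext})
    return out


def cross_account_without_external_id(trusts):
    """Cross-account principal trusts that set no sts:ExternalId condition."""
    return [r for r in trusts["principals"] if r["cross_account"] and not r["external_id"]]


if __name__ == "__main__":
    trusts = classify_trusts(SAMPLE_ROLES)
    for table, rows in trusts.items():
        print(f"== {table} ==")
        for r in rows:
            print(f"{r['role']}  ->  {r['trusted']}  ExternalID={r['external_id'] or '-'}")
    for r in cross_account_without_external_id(trusts):
        print("cross-account trust with no ExternalId:", r["role"])
```

The cross-account rows are the ones to review first: a trust to another account's root (like OrganizationAccountAccessRole in the table) hands assume-role to anything that account chooses to grant it to, and a third-party trust without an ExternalId condition is the classic confused-deputy setup.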

route53

Command route53
Summary This command lists the DNS records for all public and private zones managed by Route53. Use this for application and service enumeration
Introduced v1.6.0
Background Route53 is AWS's DNS registrar service. There is no requirement to use Route53 in your AWS account, but many organizations that use AWS also use Route53 for their hosted zones.

As a penetration tester, it is really great news when a client uses Route53 because we can simply enumerate all of the hosted zones using our read-only access and use that to find potentially exploitable endpoints.

Example:

❯ cloudfox aws --profile default route53  -v2
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::111111111111:user/seth
[route53] Enumerating Route53 for account 111111111111.

 Service   Name                    Type   Value                                                                             PrivateZone
--------- ----------------------- ------ --------------------------------------------------------------------------------- -------------
 Route53   test2.internal.         NS     ns-1536.awsdns-00.co.uk.                                                          True
 Route53   test2.internal.         NS     ns-0.awsdns-00.com.                                                               True
 Route53   test2.internal.         NS     ns-1024.awsdns-00.org.                                                            True
 Route53   test2.internal.         NS     ns-512.awsdns-00.net.                                                             True
 Route53   test2.internal.         SOA    ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400   True
 Route53   host1.test2.internal.   A      192.168.0.1                                                                       True
 Route53   host2.test2.internal.   A      8.8.8.8                                                                           True
 Route53   test1.internal.         NS     ns-1536.awsdns-00.co.uk.                                                          True
 Route53   test1.internal.         NS     ns-0.awsdns-00.com.                                                               True
 Route53   test1.internal.         NS     ns-1024.awsdns-00.org.                                                            True
 Route53   test1.internal.         NS     ns-512.awsdns-00.net.                                                             True
 Route53   test1.internal.         SOA    ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400   True
 Route53   host1.test1.internal.   A      10.0.0.1                                                                          True
 Route53   host2.test1.internal.   A      10.0.0.2                                                                          True

[route53] Output written to [cloudfox-output/aws/default/table/route53.txt]
[route53] Loot written to [cloudfox-output/aws/default/loot/route53-A-records-public-Zones.txt]
[route53] Loot written to [cloudfox-output/aws/default/loot/route53-A-records-private-Zones.txt]
[route53] 14 DNS records found.
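The loot files above split the A records by whether their zone is private. The following is an added example, not CloudFox code, that performs that split over records constructed from the table above and goes one step further than the loot files: it flags names in private hosted zones whose A record points at a globally routable address (like host2.test2.internal above), which is worth a look on both sides of an assessment since a private zone is usually expected to hold internal addresses. Record names and addresses are constructed sample data.

```python
"""Split Route53 A records by zone type, as the route53 loot files do, and
flag private-zone names that resolve to public addresses.

Added example, not CloudFox code; records are constructed sample data
modelled on the table above.
"""
import ipaddress

# Constructed records: (name, type, value, private_zone)
SAMPLE_RECORDS = [
    ("test2.internal.", "NS", "ns-1536.awsdns-00.co.uk.", True),
    ("host1.test2.internal.", "A", "192.168.0.1", True),
    ("host2.test2.internal.", "A", "8.8.8.8", True),
    ("host1.test1.internal.", "A", "10.0.0.1", True),
    ("www.example.com.", "A", "203.0.113.10", False),
    ("api.example.com.", "CNAME", "lb-example.us-west-2.elb.amazonaws.com.", False),
]


def split_a_records(records):
    """Return (public_zone_a_records, private_zone_a_records) as (name, ip) pairs.

    Trailing dots are stripped so the output can be pasted into a hosts-style list."""
    public, private = [], []
    for name, rtype, value, is_private in records:
        if rtype != "A":
            continue
        (private if is_private else public).append((name.rstrip("."), value))
    return public, private


def private_zone_public_targets(records):
    """Names in private hosted zones whose A record is a globally routable IP."""
    _, private = split_a_records(records)
    return [(name, ip) for name, ip in private if ipaddress.ip_address(ip).is_global]


if __name__ == "__main__":
    pub, priv = split_a_records(SAMPLE_RECORDS)
    print(f"{len(pub)} public-zone and {len(priv)} private-zone A records")
    for name, ip in private_zone_public_targets(SAMPLE_RECORDS):
        print(f"private zone name points at a public address: {name} -> {ip}")
```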

secrets

Command secrets
Summary This command lists secrets from SecretsManager and SSM. Look for interesting secrets in the list and then see who has access to them
Introduced v1.6.0
Background AWS SecretsManager and SSM Parameters are two different ways to store secrets in AWS that can be used by other services. They have some differences that make one a better fit for some use cases, and the other a better fit for others, but as a penetration tester, you can think about them as roughly the same.

These services allow you to store secrets as resources, and then rather than hardcoding these secrets in your lambda functions and other resources, you can code the secret name into your lambda function (or lambda function environment variable) so that the secret is only pulled at runtime (rather than being hardcoded).

As a penetration tester, it's really helpful to look at what secrets are stored in these services, and if you find something that looks interesting, you can spend your time trying to gain access to a principal that has access to that secret. For instance, you might find a secret in an AWS account that is a hardcoded credential to a GCP or Azure account. If you can gain admin in this AWS account, that means you can also gain access to anything those secrets provide access to as well.

Example:

❯ cloudfox aws --profile cf-exec -v2 secrets
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662946619726857000
[secrets] Enumerating secrets for account 049881439828.
[secrets] Supported Services: SecretsManager, SSM Parameters
[secrets] Status: 21/21 regions complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────────┬───────────┬───────────────────────────────┬───────────────────────────────────────────────────────────────╮
│    Service     │  Region   │             Name              │                          Description                          │
├────────────────┼───────────┼───────────────────────────────┼───────────────────────────────────────────────────────────────┤
│ SecretsManager │ us-west-2 │ database-secret               │                                                               │
│ SecretsManager │ us-west-2 │ app-secret                    │                                                               │
│ SecretsManager │ us-west-2 │ iam-vulnerable                │ Super strong password that nobody would ever be able to guess │
│ SSM            │ us-west-2 │ /production/database/password │                                                               │
│ SSM            │ us-west-2 │ /production/database/username │                                                               │
│ SSM            │ us-west-2 │ /staging/database/password    │                                                               │
│ SSM            │ us-west-2 │ /staging/database/user        │                                                               │
╰────────────────┴───────────┴───────────────────────────────┴───────────────────────────────────────────────────────────────╯
[secrets] Output written to [cloudfox-output/aws/cf-exec/table/secrets.txt]
[secrets] Output written to [cloudfox-output/aws/cf-exec/csv/secrets.csv]
[secrets] Loot written to [cloudfox-output/aws/cf-exec/loot/pull-secrets-commands.txt]
[secrets] 7 secrets found.

sns

Command sns
Summary This command enumerates all of the sns topics and gives you the commands to subscribe to a topic or send messages to a topic (if you have the permissions needed). This command only deals with topics, and not the SMS functionality. This command also attempts to summarize topic resource policies if they exist.
Introduced v1.10.0
Author Dominic Breuker and BF team
Background AWS SNS is a pub/sub service. This command only deals with topics, and not the SMS functionality. The way topics work is that you have publishers, or applications/services authorized to send messages to a topic, and you have subscribers, or applications/services that receive messages from a topic. The interesting thing about SNS topics is that you can have one or more publishers and one or more subscribers.

As a penetration tester, you usually become interested in SNS topics if you find you have compromised a principal that has some SNS permissions, like sns:subscribe or sns:publish.

If you have sns:subscribe, you can add yourself as a subscriber. The cool thing here is that adding yourself as a subscriber does not affect the other subscribers, so it's kind of like adding a network tap on an ethernet cable. You just get a copy of all of the messages sent to the topic. Why would you do this? Well, two reasons: First, you can look for sensitive information in the messages.

And secondly, if you also have sns:publish, you can first subscribe and see if there are any injection points in the message that might get you some type of SSRF/RCE type vuln in the service that is consuming the SNS messages.

Example:

❯ cloudfox aws -p cflab -v2 sns
[🦊 cloudfox v1.10.0-prerelease 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[sns][cflab] Enumerating SNS topics for account 049881439828.
[sns] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────────────────────────────────────────────────────┬─────────┬──────────────────────────────────────────────────╮
│                            ARN                             │ Public? │             Resource Policy Summary              │
├────────────────────────────────────────────────────────────┼─────────┼──────────────────────────────────────────────────┤
│ arn:aws:sns:us-west-2:049881439828:lambda-sns              │ No      │ Default resource policy: Not exploitable         │
│ arn:aws:sns:us-west-2:049881439828:user-updates-topic      │ No      │ * can perform 8 actions                          │
│                                                            │         │ -> Only when AWS:PrincipalAccount = 049881439828 │
│ arn:aws:sns:us-west-2:049881439828:user-updates-topic.fifo │ No      │ Default resource policy: Not exploitable         │
╰────────────────────────────────────────────────────────────┴─────────┴──────────────────────────────────────────────────╯
[sns][cflab] Output written to [cloudfox-output/aws/cflab/table/sns.txt]
[sns][cflab] Output written to [cloudfox-output/aws/cflab/csv/sns.csv]
[sns][cflab] Loot written to [cloudfox-output/aws/cflab/loot/sns-commands.txt]
[sns][cflab] 3 topics found.
[sns][cflab] Access policies stored to: cloudfox-output/aws/cflab/loot/sns-policies
[sns][cflab] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#sns

sqs

Command sqs
Summary This command enumerates all of the sqs queues and gives you the commands to receive messages from a queue and send messages to a queue (if you have the permissions needed). This command also attempts to summarize queue resource policies if they exist.
Introduced v1.10.0
Author Dominic Breuker and BF team
Background AWS SQS lets you send, store, and receive messages from a queue. It is often used in application-to-application communication. The way queues work is that you have applications/services authorized to send messages to a queue, and you have applications/services that pull (and subsequently delete) messages from a queue.

As a penetration tester, you usually become interested in SQS queues if you find you have compromised a principal that has some SQS permissions, like sqs:ReceiveMessage or sqs:SendMessage.

If you have sqs:ReceiveMessage, you can read messages off of the queue; however, this should be done with caution in a production environment. Receiving a message does not delete it from the queue, but this action can potentially cause latency or it could DoS applications that consume the queue messages, depending on the queue type. The first reason you would want to read messages off of the queue is that you can look for sensitive information in the messages.

And secondly, if you also have sqs:SendMessage, you can inspect received messages to see if there are any injection points in the message that might get you some type of SSRF/RCE type vuln in the service that is consuming the SQS messages, and then use sqs:SendMessage to send malicious messages.

Example:

❯ cloudfox aws -p cflab -v2 sqs
[🦊 cloudfox v1.10.0-prerelease 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[sqs][cflab] Enumerating SQS queues for account 049881439828.
[sqs] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭───────────────────────────────────────────────────────────────────────┬─────────┬────────────────────────────────────────────────────────────╮
│                                  Arn                                  │ Public? │                  Resource Policy Summary                   │
├───────────────────────────────────────────────────────────────────────┼─────────┼────────────────────────────────────────────────────────────┤
│ arn:aws:sqs:us-west-2:049881439828:lambda-sqs                         │ No      │                                                            │
│ arn:aws:sqs:us-west-2:049881439828:terraform-example-queue            │ YES     │ Statement 0 says: s3.amazonaws.com can SQS:SendMessage     │
│                                                                       │         │ Statement 1 says: arn:aws:iam::049881439828:root can SQS:* │
│                                                                       │         │ Statement 2 says: Everyone can perform 2 actions           │
│ arn:aws:sqs:us-west-2:049881439828:terraform-example-queue-deadletter │ No      │                                                            │
│ arn:aws:sqs:us-west-2:049881439828:terraform-example-queue.fifo       │ No      │                                                            │
╰───────────────────────────────────────────────────────────────────────┴─────────┴────────────────────────────────────────────────────────────╯
[sqs][cflab] Output written to [cloudfox-output/aws/cflab/table/sqs.txt]
[sqs][cflab] Output written to [cloudfox-output/aws/cflab/csv/sqs.csv]
[sqs][cflab] Loot written to [cloudfox-output/aws/cflab/loot/sqs-commands.txt]
[sqs][cflab] 4 queues found.
[sqs][cflab] Access policies stored to: cloudfox-output/aws/cflab/loot/sqs-policies
[sqs][cflab] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#sqs
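The "Public?" and "Resource Policy Summary" columns in the sns and sqs tables above (and in the resource-trusts table earlier on this page) come from reading each resource policy statement by statement: who the principal is, what actions it is allowed, and which conditions narrow it. The following is an added example, not CloudFox code, that builds the same kind of summary over constructed sample policies and decides "public" the way the tables do: a wildcard principal counts as public only when no condition pins it to an account, organization, source ARN or source IP. The account id, IP address and topic/queue names are placeholders, and the list of scoping condition keys is an assumption covering the common ones, not an exhaustive set.

```python
"""Summarise SNS/SQS resource policies: who can do what, under which
conditions, and whether the resource is effectively public.

Added example, not CloudFox code. Policies are constructed samples
modelled on the summaries in the sns and sqs tables above.
"""
import json

# Constructed sample policies; account id, IP address and names are placeholders.
SAMPLE_POLICIES = {
    "arn:aws:sns:us-west-2:111111111111:public": json.dumps({
        "Statement": [{"Effect": "Allow", "Principal": "*",
                       "Action": "sns:Publish"}]}),
    "arn:aws:sns:us-west-2:111111111111:user-updates-topic": json.dumps({
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                       "Action": ["sns:Publish", "sns:Subscribe"],
                       "Condition": {"StringEquals": {"AWS:PrincipalAccount": "111111111111"}}}]}),
    "arn:aws:sqs:us-west-2:111111111111:internal_message_bus": json.dumps({
        "Statement": [{"Effect": "Allow", "Principal": "*",
                       "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
                       "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.7/32"}}}]}),
    "arn:aws:sqs:us-west-2:111111111111:terraform-example-queue": json.dumps({
        "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"}, "Action": "SQS:SendMessage"},
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "SQS:*"},
            {"Effect": "Allow", "Principal": "*", "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"]},
        ]}),
}

# Condition keys that pin a wildcard principal to a particular account,
# organization, caller or network, so "*" no longer means "anyone".
# Assumption: the common set, not an exhaustive list of AWS global keys.
SCOPING_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:principalorgpaths", "aws:sourceaccount", "aws:sourcearn",
    "aws:sourceowner", "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce",
}


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """All principal identifiers in a statement, with '*' kept literal."""
    if principal == "*":
        return ["*"]
    names = []
    for kind in ("AWS", "Service", "Federated"):
        names.extend(_as_list(principal.get(kind)))
    return names


def _conditions(statement):
    """Flatten Condition into 'key operator value' strings."""
    rows = []
    for op, kv in statement.get("Condition", {}).items():
        for key, val in kv.items():
            rows.append(f"{key} {op} {', '.join(_as_list(val))}")
    return rows


def _condition_keys(statement):
    return {k.lower() for kv in statement.get("Condition", {}).values() for k in kv}


def summarize_policy(doc):
    """Return (is_public, summary_lines) for one resource policy document.

    Only Allow statements are summarised; a Deny elsewhere in the policy is
    not evaluated here, so treat 'public' as a prompt to read the policy."""
    lines, public = [], False
    for i, st in enumerate(_as_list(json.loads(doc).get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        for p in _principals(st.get("Principal", {})):
            lines.append(f"Statement {i} says: {p} can {', '.join(_as_list(st.get('Action')))}")
            for c in _conditions(st):
                lines.append(f"  -> Only when {c}")
            if p == "*" and not (_condition_keys(st) & SCOPING_KEYS):
                public = True
    return public, lines


def public_resources(policies):
    """ARNs whose policy grants a wildcard principal without a scoping condition."""
    return [arn for arn, doc in policies.items() if summarize_policy(doc)[0]]


if __name__ == "__main__":
    for arn, doc in SAMPLE_POLICIES.items():
        is_public, summary = summarize_policy(doc)
        print(f"{arn}  Public? {'YES' if is_public else 'No'}")
        for line in summary:
            print("   ", line)
```

From a defender's side the "public" list is the one to act on: an Allow for principal "*" with no scoping condition on a queue or topic is reachable from any AWS account, and adding an aws:PrincipalAccount or aws:SourceArn condition (or naming the exact principals) turns it back into the "No" rows seen in the tables.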

tags

Command tags
Summary List all resources with tags and all of the tags. This can be used similarly to inventory, as another method to identify what types of resources exist in an account.
Introduced v1.6.0
Background AWS allows you to put tags on resources, and sometimes these tags can be really helpful in gaining situational awareness. The tag values might give you hints as to what is going on in the target AWS account that are not obvious otherwise.

Example:

❯ cloudfox aws --profile cflab -v2 tags
[🦊 cloudfox v1.8.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/seth
[tags][cflab] Enumerating tags for account 049881439828.
[tags] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭──────────────────────┬───────────┬─────────────────────────┬───────────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│       Service        │  Region   │          Type           │              Key              │                                                        Value                                                         │
├──────────────────────┼───────────┼─────────────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ ec2                  │ us-west-2 │ subnet                  │ Name                          │ cloudfox Operational Subnet 2                                                                                        │
│ ec2                  │ us-west-2 │ route-table             │ Name                          │ cloudfox Public Route Table                                                                                          │
│ ec2                  │ us-west-2 │ security-group          │ Name                          │ allow_ssh_from_world                                                                                                 │
│ ec2                  │ us-west-2 │ instance                │ Name                          │ instance2                                                                                                            │
│ ec2                  │ us-west-2 │ instance                │ Name                          │ instance3                                                                                                            │
│ ec2                  │ us-west-2 │ instance                │ aws:cloudformation:stack-name │ token                                                                                                                │
... omitted for brevity...
│ secretsmanager       │ us-west-2 │ secret                  │ Name                          │ App Secret                                                                                                           │
│ secretsmanager       │ us-west-2 │ secret                  │ aws:cloudformation:stack-id   │ arn:aws:cloudformation:us-west-2:049881439828:stack/privesc-cloudformationStack/24092300-4a49-11ed-a9d0-0666e24333c1 │
│ secretsmanager       │ us-west-2 │ secret                  │ aws:cloudformation:logical-id │ Secret1                                                                                                              │
│ secretsmanager       │ us-west-2 │ secret                  │ Name                          │ Database Secret                                                                                                      │
│ secretsmanager       │ us-west-2 │ secret                  │ aws:cloudformation:stack-name │ privesc-cloudformationStack                                                                                          │
│ secretsmanager       │ us-west-2 │ secret                  │ Name                          │ scenario1 Secret                                                                                                     │
│ sqs                  │ us-west-2 │ terraform-example-queue │ Environment                   │ production                                                                                                           │
╰──────────────────────┴───────────┴─────────────────────────┴───────────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
[tags] Output written to [cloudfox-output/aws/cflab/table/tags.txt]
[tags] Output written to [cloudfox-output/aws/cflab/csv/tags.csv]
[tags][cflab] 39 tags found.
[tags][cflab] 26 unique resources with tags found.

workloads

Command workloads
Summary Finds workloads with admin permissions or a path to admin permissions. To find paths to admin, you need to run pmapper first on the same host on which you will run cloudfox.
Introduced v1.13.0
Background AWS allows you to assign IAM roles to workloads. This is more secure than hardcoding credentials into the workloads; however, if the workload is compromised, the attacker still gains every IAM permission granted to that role. That's why it's important to apply the principle of least privilege when assigning permissions to workloads, and why you rarely want ANY cloud workload running with administrative permissions.

Example:

❯ cloudfox aws --profile cflab workloads
[🦊 cloudfox v1.14.0-prerelease 🦊 ][cloudfoxable] AWS Caller Identity: arn:aws:iam::987990985088:user/ctf-starting-user
[🦊 cloudfox v1.14.0-prerelease 🦊 ][cloudfoxable] Account is part of an Organization and is a child account. Management Account: 289507344597
[workloads][cloudfoxable] Enumerating compute workloads in all regions for account 987990985088.
[workloads][cloudfoxable] Supported Services: App Runner, EC2, ECS, Lambda
[workloads] Status: 68/68 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬───────────┬──────────────┬────────────────────────────────────────────────────────────────┬──────────────┬────────────────────╮
│ Service │  Region   │     Name     │                              Role                              │ IsAdminRole? │ CanPrivEscToAdmin? │
├─────────┼───────────┼──────────────┼────────────────────────────────────────────────────────────────┼──────────────┼────────────────────┤
│ EC2     │ us-west-2 │ bastion      │ arn:aws:iam::987990985088:role/reyna                           │ No           │ No                 │
│ Lambda  │ us-west-2 │ consumer     │ arn:aws:iam::987990985088:role/swanson                         │ No           │ No                 │
│ Lambda  │ us-west-2 │ auth-me      │ arn:aws:iam::987990985088:role/sauerbrunn                      │ No           │ No                 │
│ Lambda  │ us-west-2 │ test         │ arn:aws:iam::987990985088:role/service-role/test-role-yrxw8win │ No           │ No                 │
│ Lambda  │ us-west-2 │ producer     │ arn:aws:iam::987990985088:role/producer                        │ No           │ No                 │
│ Lambda  │ us-west-2 │ furls1       │ arn:aws:iam::987990985088:role/aaronson                        │ No           │ No                 │
│ Lambda  │ us-west-2 │ executioner  │ arn:aws:iam::987990985088:role/ream                            │ No           │ No                 │
│ Lambda  │ us-east-2 │ cloudfoxtest │ arn:aws:iam::987990985088:role/service-role/lambdaAdmin        │ YES          │ YES                │
╰─────────┴───────────┴──────────────┴────────────────────────────────────────────────────────────────┴──────────────┴────────────────────╯
[workloads][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/table/workloads.txt
[workloads][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/table/workloads-admin.txt
[workloads][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/csv/workloads.csv
[workloads][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/csv/workloads-admin.csv
[workloads][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/json/workloads.json
[workloads][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/json/workloads-admin.json
[workloads][cloudfoxable] 8 compute workloads found.
[workloads][cloudfoxable] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#workloads
[🦊 cloudfox v1.14.0-prerelease 🦊 ][cloudfoxable] Cached AWS data written to /Users/sethart/.cloudfox/cached-data/aws/987990985088
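
The IsAdminRole? column above answers one question per workload: does the role attached to it unconditionally allow every action on every resource? The Python below is an added example, not CloudFox's own code (CloudFox is written in Go, and the CanPrivEscToAdmin? column additionally relies on pmapper). It evaluates constructed, embedded IAM policy documents so it runs offline; the account id 111111111111, the role names and the workload inventory are made up, while the managed policy ARNs and the aws:SourceVpc condition key are real. It covers the cases a quick scan of managed-policy attachments gets wrong: admin granted by an inline policy, an explicit Deny that cancels AdministratorAccess, and an Allow-everything statement gated by a Condition, which is left for manual review rather than guessed at.

```python
"""Flag compute workloads whose IAM role is effectively an admin role.

Added example, not CloudFox code. Policy documents are constructed and
embedded; in a real account they would come from iam:ListAttachedRolePolicies,
iam:ListRolePolicies and iam:GetRolePolicy for each workload role.
"""
from typing import Iterable

# AWS managed policy that is admin by definition (real ARN).
ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _all_actions(stmt: dict) -> bool:
    """Every action? Allow+NotAction grants all actions except those listed,
    so it counts too, unless it excludes '*' (which then grants nothing)."""
    if "NotAction" in stmt:
        return "*" not in _as_list(stmt["NotAction"])
    return any(a in ("*", "*:*") for a in _as_list(stmt.get("Action")))


def _all_resources(stmt: dict) -> bool:
    if "NotResource" in stmt:
        return "*" not in _as_list(stmt["NotResource"])
    return "*" in _as_list(stmt.get("Resource"))


def statement_is_full_access(stmt: dict, effect: str) -> bool:
    """True when the statement unconditionally covers every action on every
    resource with the given Effect. Conditional statements are skipped:
    deciding whether a condition is satisfiable needs a real evaluator."""
    if stmt.get("Effect") != effect or "Condition" in stmt:
        return False
    return _all_actions(stmt) and _all_resources(stmt)


def role_is_admin(attached_policy_arns: Iterable[str], policy_documents: Iterable[dict]) -> bool:
    """Admin = AdministratorAccess attached or an unconditional Allow of
    everything, unless an unconditional Deny of everything cancels it."""
    statements = [s for doc in policy_documents for s in _as_list(doc.get("Statement"))]
    if any(statement_is_full_access(s, "Deny") for s in statements):
        return False  # an explicit Deny always wins in IAM evaluation
    if ADMIN_MANAGED_POLICY in set(attached_policy_arns):
        return True
    return any(statement_is_full_access(s, "Allow") for s in statements)


# Constructed inventory: account id, role names and workloads are made up.
WORKLOADS = [
    {"service": "EC2", "region": "us-west-2", "name": "bastion", "role": "arn:aws:iam::111111111111:role/bastion-role"},
    {"service": "Lambda", "region": "us-west-2", "name": "consumer", "role": "arn:aws:iam::111111111111:role/consumer-role"},
    {"service": "Lambda", "region": "us-east-2", "name": "cloudfoxtest", "role": "arn:aws:iam::111111111111:role/service-role/lambdaAdmin"},
    {"service": "ECS", "region": "us-east-1", "name": "api-task", "role": "arn:aws:iam::111111111111:role/api-task-role"},
    {"service": "App Runner", "region": "us-east-1", "name": "web", "role": "arn:aws:iam::111111111111:role/web-role"},
]

ROLE_POLICIES = {
    "arn:aws:iam::111111111111:role/bastion-role": {
        "attached": ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"],
        "inline": [{"Version": "2012-10-17", "Statement": {
            "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}}],
    },
    "arn:aws:iam::111111111111:role/consumer-role": {
        "attached": ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
        "inline": [{"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
            "Resource": "arn:aws:sqs:us-west-2:111111111111:orders"}]}],
    },
    # Admin via the managed policy: the obvious case.
    "arn:aws:iam::111111111111:role/service-role/lambdaAdmin": {"attached": [ADMIN_MANAGED_POLICY], "inline": []},
    # Admin via an inline policy: missed if you only look at attachments.
    "arn:aws:iam::111111111111:role/api-task-role": {
        "attached": [],
        "inline": [{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    },
    # Allow-everything gated by a Condition: not flagged, needs manual review.
    "arn:aws:iam::111111111111:role/web-role": {
        "attached": [],
        "inline": [{"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": "*", "Resource": "*",
            "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}}]}],
    },
}


def find_admin_workloads(workloads, role_policies):
    """Return each workload annotated with whether its role is admin."""
    rows = []
    for w in workloads:
        pol = role_policies.get(w["role"], {"attached": [], "inline": []})
        rows.append({**w, "is_admin": role_is_admin(pol["attached"], pol["inline"])})
    return rows


def render(rows) -> str:
    """Plain-text table in the spirit of the IsAdminRole? column."""
    header = f"{'Service':<11}{'Region':<11}{'Name':<14}{'Role':<62}IsAdminRole?"
    lines = [header, "-" * len(header)]
    for r in rows:
        verdict = "YES" if r["is_admin"] else "No"
        lines.append(f"{r['service']:<11}{r['region']:<11}{r['name']:<14}{r['role']:<62}{verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(find_admin_workloads(WORKLOADS, ROLE_POLICIES)))
```

Anything the script prints as YES is a workload that, if compromised, hands over the whole account; the web-role case prints No but is exactly the kind of statement to pull up in the console, since a Condition narrows where the permission applies, not what it grants.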