# AWS - Unauthenticated Enum & Access {{#include ../../../banners/hacktricks-training.md}} ## AWS Credentials Leaks A common way to obtain access or information about an AWS account is by **searching for leaks**. You can search for leaks using **google dorks**, checking the **public repos** of the **organization** and the **workers** of the organization in **Github** or other platforms, searching in **credentials leaks databases**... or in any other part you think you might find any information about the company and its cloud infa.\ Some useful **tools**: - [https://github.com/carlospolop/leakos](https://github.com/carlospolop/leakos) - [https://github.com/carlospolop/pastos](https://github.com/carlospolop/pastos) - [https://github.com/carlospolop/gorks](https://github.com/carlospolop/gorks) ## AWS Unauthenticated Enum & Access There are several services in AWS that could be configured giving some kind of access to all Internet or to more people than expected. Check here how: - [**Accounts Unauthenticated Enum**](aws-accounts-unauthenticated-enum.md) - [**Cloud9 Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md) - [**Cloudfront Unauthenticated Enum**](aws-cloudfront-unauthenticated-enum.md) - [**Cloudsearch Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md) - [**Cognito Unauthenticated Enum**](aws-cognito-unauthenticated-enum.md) - [**DocumentDB Unauthenticated Enum**](aws-documentdb-enum.md) - [**EC2 Unauthenticated Enum**](aws-ec2-unauthenticated-enum.md) - [**Elasticsearch Unauthenticated Enum**](aws-elasticsearch-unauthenticated-enum.md) - [**IAM Unauthenticated Enum**](aws-iam-and-sts-unauthenticated-enum.md) - [**IoT Unauthenticated Access**](aws-iot-unauthenticated-enum.md) - [**Kinesis Video Unauthenticated Access**](aws-kinesis-video-unauthenticated-enum.md) - [**Media Unauthenticated Access**](aws-media-unauthenticated-enum.md) - [**MQ Unauthenticated Access**](aws-mq-unauthenticated-enum.md) - [**MSK Unauthenticated Access**](aws-msk-unauthenticated-enum.md) - [**RDS Unauthenticated Access**](aws-rds-unauthenticated-enum.md) - [**Redshift Unauthenticated Access**](aws-redshift-unauthenticated-enum.md) - [**SQS Unauthenticated Access**](aws-sqs-unauthenticated-enum.md) - [**S3 Unauthenticated Access**](aws-s3-unauthenticated-enum.md) ## Cross Account Attacks In the talk [**Breaking the Isolation: Cross-Account AWS Vulnerabilities**](https://www.youtube.com/watch?v=JfEFIcpJ2wk) it's presented how some services allow(ed) any AWS account accessing them because **AWS services without specifying accounts ID** were allowed. During the talk they specify several examples, such as S3 buckets **allowing cloudtrai**l (of **any AWS** account) to **write to them**: ![](<../../../images/image (260).png>) Other services found vulnerable: - AWS Config - Serverless repository ## Tools - [**cloud_enum**](https://github.com/initstring/cloud_enum): Multi-cloud OSINT tool. **Find public resources** in AWS, Azure, and Google Cloud. Supported AWS services: Open / Protected S3 Buckets, awsapps (WorkMail, WorkDocs, Connect, etc.) {{#include ../../../banners/hacktricks-training.md}}