Skip to content

MillerMedia/awtest

BranchesTags

Repository files navigation

AWTest 

     ___  _      ________        __
    /   || | /| / /_  __/__ ___ / /_
   / /| || |/ |/ / / / / -_|_-</ __/
  /_/ |_||__/|__/ /_/  \__/___/\__/

AWS Credential Permission Scanner for Security Assessments

Latest Release Tests License Go Report Card Go Version

AWTest quickly enumerates the permissions of AWS credentials by performing read-only list/describe operations across 63 AWS services with 117 API calls. Built for pentesters, red teamers, and cloud security assessors.

Features

  • Broad AWS Coverage -- 63 services, 117 API calls covering S3, EC2, IAM, Lambda, EKS, RDS, DynamoDB, GuardDuty, Security Hub, and more
  • Speed Presets -- --speed presets (safe, fast, insane) for OPSEC-aware scan parallelism
  • Multiple Output Formats -- Text, JSON, YAML, CSV, and table output
  • File Export -- Write results directly to a file with --output-file
  • Service Filtering -- Include or exclude specific services with --services and --exclude-services
  • Configurable Timeouts -- Set scan duration limits with --timeout
  • Concurrent Scanning -- --speed presets or fine-grained --concurrency control
  • Session Token Support -- Works with temporary credentials (STS)
  • Cross-Platform -- Pre-built binaries for macOS, Linux, and Windows

Installation

Homebrew (macOS/Linux)

brew install --cask MillerMedia/tap/awtest

Go Install

Requires Go 1.19+:

go install github.com/MillerMedia/awtest/cmd/awtest@latest

Binary Download

Download pre-built binaries from GitHub Releases:

Platform File
macOS (Intel) awtest_<version>_darwin_amd64.tar.gz
macOS (Apple Silicon) awtest_<version>_darwin_arm64.tar.gz
Linux (amd64) awtest_<version>_linux_amd64.tar.gz
Linux (arm64) awtest_<version>_linux_arm64.tar.gz
Windows awtest_<version>_windows_amd64.zip

Usage

Scan using current AWS CLI profile

awtest

Scan with explicit credentials

awtest --aki=AKIAEXAMPLE --sak=YourSecretAccessKey

Scan with temporary credentials (STS)

awtest --aki=ASIAEXAMPLE --sak=YourSecretKey --st=YourSessionToken

Output as JSON to a file

awtest --format=json --output-file=results.json

Scan only specific services

awtest --services=s3,ec2,iam,lambda

Exclude noisy services

awtest --exclude-services=cloudwatch,cloudtrail

Fast scan with moderate parallelism

awtest --speed=fast

Maximum speed with JSON output

awtest --speed=insane --format=json --output-file=results.json

Example Output

[AWTest] [user-id] [info] AKIABCDEFGHIJKLMNO
[AWTest] [account-number] [info] 123456789012
[AWTest] [iam-arn] [info] arn:aws:iam::123456789012:user/exampleUser
[AWTest] [s3:ListBuckets] [info] Found S3 bucket: example-bucket-1
[AWTest] [s3:ListBuckets] [info] Found S3 bucket: example-bucket-2
[AWTest] [ec2:DescribeInstances] [info] Found EC2 instance: i-0abcdef1234567890
[AWTest] [iam:ListUsers] [info] Found IAM user: exampleUser1
[AWTest] [lambda:ListFunctions] [info] Found Lambda function: myFunction
[AWTest] [eks:ListClusters] [info] Found EKS cluster: production
[AWTest] [rds:DescribeDBInstances] [info] Found RDS instance: mydb
[AWTest] [appsync:ListGraphqlApis] [info] Error: Access denied to this service.

Flags

Flag Description Default
--aki, --access-key-id AWS Access Key ID
--sak, --secret-access-key AWS Secret Access Key
--st, --session-token AWS Session Token
--region AWS Region us-west-2
--format Output format: text, json, yaml, csv, table text
--output-file Write output to file
--services Include only specific services (comma-separated) all
--exclude-services Exclude specific services (comma-separated) none
--timeout Maximum scan duration (e.g., 5m, 300s) 5m
--speed Speed preset: safe, fast, insane (controls scan parallelism) safe
--concurrency Number of concurrent service scans (overrides speed preset when specified) 1
--quiet Suppress info messages, show only findings false
--debug Enable debug output false
--version Print version and build info

Speed Presets & OPSEC

AWTest provides named speed presets that control scan parallelism. Choose the right preset based on your OPSEC requirements:

Preset Concurrency CloudTrail Profile Use Case
safe 1 worker Minimal footprint -- sequential calls resemble normal console usage Stealth engagements, red team ops, production infrastructure
fast 5 workers Moderate density -- more events in a shorter window, within normal operational patterns Time-sensitive pentests where speed matters more than stealth
insane 20 workers Dense burst -- all 63 services hammered simultaneously, visible API call spike Lab environments, time-critical bug bounty, OPSEC not a concern

Default behavior: Running awtest with no --speed flag defaults to safe (sequential scanning, identical to Phase 1 behavior).

Power-user override: Use --concurrency=N to set an exact worker count, overriding the speed preset's mapping:

# Use fast preset (5 workers)
awtest --speed=fast

# Override: use fast preset label but with 10 workers
awtest --speed=fast --concurrency=10

Output Formats

AWTest supports five output formats via the --format flag:

Format Best For Example
text Real-time terminal scanning (default) [AWTest] [s3:ListBuckets] [info] Found S3 bucket: my-bucket
json SIEM integration, automated pipelines, programmatic parsing {"service":"S3","method":"s3:ListBuckets","resource":"my-bucket"}
yaml Readable structured reports, documentation service: S3 | method: s3:ListBuckets
csv Spreadsheet analysis, data import, quick pivoting S3,s3:ListBuckets,bucket,my-bucket
table Structured terminal viewing, sharing in tickets ASCII table with aligned columns 
# Save JSON results for SIEM ingestion
awtest --format=json --output-file=results.json

# Generate YAML report
awtest --format=yaml --output-file=report.yaml

# Export CSV for spreadsheet analysis
awtest --format=csv --output-file=findings.csv

# View results as a formatted table
awtest --format=table

Real-World Use Cases

Penetration Testing

During a fintech engagement, you discover AWS keys in a public GitHub repo. Run awtest to quickly enumerate what the credentials can access:

awtest --aki=AKIAEXAMPLE --sak=YourSecretKey --speed=insane --format=json --output-file=findings.json

In seconds, awtest reveals an RDS instance with customer PII, S3 buckets with financial documents, and active Lambda functions -- a critical finding that would have taken hours to uncover manually.

Bug Bounty

You find hardcoded credentials in client-side JavaScript. Use awtest to demonstrate the full impact:

awtest --aki=AKIAEXAMPLE --sak=YourSecretKey --speed=insane --services=s3,secretsmanager,iam,lambda

AWTest reveals S3 buckets with user uploads and Secrets Manager entries, transforming a medium-severity credential exposure into a critical-severity finding with concrete evidence.

Incident Response

2 AM alert: credentials were committed to a public repo. Assess the blast radius before deciding whether to escalate -- use --speed=safe for a controlled scan with minimal CloudTrail footprint:

awtest --aki=AKIAEXAMPLE --sak=YourSecretKey --speed=safe --timeout=2m

AWTest shows the credentials only have access to CloudWatch logs and one S3 log bucket -- no customer data exposed, no emergency escalation needed.

Supported AWS Services (63 services, 117 API calls)

Click to expand full service list (63 services, 117 API calls)

Compute & Containers

Service API Calls
Batch ListJobs
EC2 DescribeInstances
ECS ListClusters
EKS ListClusters
Elastic Beanstalk DescribeApplications, DescribeEvents
EMR ListClusters, ListInstanceGroups, ListSecurityConfigurations
Fargate ListFargateTasks
Lambda ListFunctions

Databases

Service API Calls
DynamoDB ListTables, ListBackups, ListExports
ElastiCache DescribeCacheClusters
Neptune DescribeDBClusters, DescribeDBInstances, DescribeDBClusterParameterGroups
OpenSearch ListDomains, DescribeDomainAccessPolicies, DescribeDomainEncryption
RDS DescribeDBInstances
Redshift DescribeClusters

Security & Identity

Service API Calls
Certificate Manager (ACM) ListCertificates
Cognito Identity ListIdentityPools
Cognito User Pools ListUserPools
ECR DescribeRepositories, ListImages, GetRepositoryPolicy
GuardDuty ListDetectors, GetFindings, ListFilters
IAM ListUsers
KMS ListKeys
Macie ListClassificationJobs, ListFindings, DescribeBuckets
Organizations ListAccounts, ListOrganizationalUnits, ListPolicies
Secrets Manager ListSecrets
Security Hub GetEnabledStandards, GetFindings, ListEnabledProductsForImport
STS GetCallerIdentity
WAF ListWebACLs

Storage

Service API Calls
Backup ListBackupVaults, ListBackupPlans, ListRecoveryPointsByBackupVault, GetBackupVaultAccessPolicy
EFS DescribeFileSystems
Glacier ListVaults
S3 ListBuckets

Networking

Service API Calls
API Gateway RestApis, GetApiKeys, GetDomainNames
CloudFront ListDistributions
Direct Connect DescribeConnections, DescribeVirtualInterfaces, DescribeDirectConnectGateways
Route53 ListHostedZones, ListHealthChecks
VPC DescribeVpcs

Management & Monitoring

Service API Calls
CloudFormation ListStacks
CloudTrail DescribeTrails, ListTrails
CloudWatch DescribeAlarms
CloudWatch Logs DescribeLogGroupsAndStreams, ListMetrics
Config DescribeConfigurationRecorders
Systems Manager (SSM) DescribeParameters

Application Services

Service API Calls
EventBridge ListEventBuses
SES ListIdentities
SNS ListTopics
SQS ListQueues
Step Functions ListStateMachines

Developer Tools

Service API Calls
Amplify ListApps
AppSync ListGraphqlApis
CodeBuild ListProjects, ListProjectEnvironmentVariables, ListBuilds
CodeCommit ListRepositories, ListBranches
CodeDeploy ListApplications, ListDeploymentGroups, ListDeploymentConfigs
CodePipeline ListPipelines
Glue ListJobs, ListWorkflows

Analytics

Service API Calls
Athena ListWorkGroups, ListNamedQueries, ListQueryExecutions
Kinesis ListStreams, ListShards, ListStreamConsumers

Media & ML

Service API Calls
IVS ListChannels, ListStreams, ListStreamKeys
IVS Chat ListRooms
IVS Realtime ListStages
MediaConvert ListQueues, ListJobs, ListPresets
Rekognition ListCollections, DescribeProjects, ListStreamProcessors
SageMaker ListNotebookInstances, ListEndpoints, ListModels, ListTrainingJobs
Transcribe ListTranscriptionJobs, ListLanguageModels, ListVocabularies, StartTranscriptionJob

IoT

Service API Calls
IoT ListThings, ListCertificates, ListPolicies

Contributing

Contributions are welcome! The most common contribution is adding support for a new AWS service. A complete service implementation template is provided at cmd/awtest/services/_template/ with step-by-step instructions and an annotated reference implementation.

See CONTRIBUTING.md for the full guide, including:

  • Development workflow and prerequisites
  • 10-step guide to adding a new AWS service
  • Code standards and naming conventions
  • Testing standards with table-driven test examples
  • 16-item service validation checklist
  • PR process and review expectations

Support the Project

If you find this project helpful, please consider supporting its development:

Buy me a coffee

License

This project is licensed under the MIT License.

About

Quickly enumerate AWS credential permissions across 63 services — built for pentesters, red teamers, and cloud security assessors

Topics

cli golang aws security enumeration penetration-testing infosec pentest aws-security red-team cloud-security credential-testing cloud-enumeration

Resources

Readme

License

MIT license

Contributing

Contributing
Activity

Stars

6 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 7

v1.1.0 Latest
Mar 15, 2026
+ 6 releases

Packages

 
 
 

Contributors

Languages