In the middle of a red team engagement or cloud pentest, you stumble upon AWS credentials. Maybe it’s in a .env file, maybe via EC2 metadata, or tucked inside a CI/CD pipeline.
The next question is always:
“What can these credentials actually access?”
This is where AWS Access Auditor comes in — a lean, stealthy Python tool designed to enumerate accessible AWS services using a given Access Key and Secret Key, without making noise or risking detection.
☁️ What Is AWS Access Auditor?
AWS Access Auditor is a Python-based CLI tool that lets you safely and silently audit what AWS services a set of credentials can access. Whether you’re a cloud engineer, red teamer, or auditor, it helps you understand the scope of a key compromise in seconds.
🔍 When to Use It
Typical discovery scenarios include:
- Leaked credentials in repos or containers
- IAM role assumption through misconfigured trust policies
- Dumped environment files from dev pipelines
- Credentials found in memory during live forensics
Rather than poking around manually (and noisily), fire up this tool for quick, read-only enumeration.
✅ Key Features
- 🔐 Credential Validation: Uses sts.get_caller_identity() to verify keys safely.
- 🔎 Silent Scanning: Makes low-risk list_* or describe_* API calls across 30+ services.
- 📊 Real-Time Feedback: Prints allowed services as it discovers them.
- 🧾 Summary Output: Gives a clean recap at the end.
- 📁 Optional Logging: Send results to a file for reporting or later analysis.
🛠️ Setup Instructions
Clone the tool and set up your environment:
git clone git@github.com:CyberSquirrel-AI/aws_access_auditor.git
cd aws_access_auditor
python3 -m venv venv
source venv/bin/activate # or venv\Scripts\activate on Windows
pip install boto3
🚀 Running the Tool
Use it like this:
python aws_access_auditor.py \
--access-key YOUR_ACCESS_KEY \
--secret-key YOUR_SECRET_KEY \
--log-file creds_output.log
If the keys are valid and access is allowed, you’ll see:
Access to S3 is ALLOWED.
Access to Lambda is ALLOWED.
...
Summary of allowed services:
- S3
- Lambda
- EC2
🔒 OPSEC-Friendly by Design
AWS Access Auditor is built with stealth in mind:
- Only read-only calls are made — no creation, deletion, or modification.
- Fails silently on AccessDenied errors.
- No alerts from high-risk actions, since none are made (the read-only calls themselves are still recorded by CloudTrail as management events).
It’s ideal for red teams or quiet internal audits.
🧰 What Services Are Tested?
Over 30 AWS services are supported out of the box:
- Core: EC2, S3, Lambda, IAM, RDS, DynamoDB
- Containers & Compute: ECS, EKS
- Logging & Monitoring: CloudTrail, CloudWatch
- Networking & Delivery: API Gateway, Route 53, ELB
- Streaming & Messaging: Kinesis, SQS, SNS
- Data Services: Elasticache, Redshift, Athena, Aurora
- Security & Identity: Secrets Manager, Config, GuardDuty, WAF, ACM
- Others: SageMaker, EFS, Glue, Backup, CloudFormation, ECR, Code* services
🧱 Easily Extendable
Want more depth? Extend the script to:
- Include resource-level details like S3 bucket names or EC2 instance IDs
- Add support for temporary credentials and session tokens
- Pipe results into a loot tracker or a cloud attack framework like Pacu
⚠️ Legal & Ethical Disclaimer
This tool is for authorized auditing and testing only.
Running it on AWS accounts you don’t own or have permission to assess is illegal and unethical.
✅ Final Thoughts
If you’re working in offensive security or cloud governance, AWS Access Auditor is a must-have. With a single command, you can quickly map the attack surface of a compromised key — safely, silently, and efficiently.
Stay stealthy. Enumerate responsibly. 🔐