Cloud recon with the provider CLIs
Cloud environments are scripted through provider CLIs, and those same CLIs are how you assess them. Given a set of credentials (authorised, from an engagement), the AWS, Azure, and GCP command-line tools enumerate resources, permissions, and the misconfigurations that dominate cloud findings. This lesson is cloud recon from the shell.
You'll learn to
- Confirm whose credentials you hold
- Enumerate common cloud resources
- Spot the classic cloud misconfigurations
First: whose keys are these?
# AWS — confirm the identity behind the credentials:
aws sts get-caller-identity # account, user/role ARN
# What can this identity do? (often restricted, worth checking)
# "$(...)" stands for the user name taken from the ARN above; for a role, use list-attached-role-policies --role-name instead
aws iam list-attached-user-policies --user-name "$(...)" 2>/dev/null
The cloud equivalent of whoami is aws sts get-caller-identity. Before anything else, confirm which account and principal your credentials belong to — it determines everything you can see and do.
Enumerating resources
# S3 buckets (the classic exposure):
aws s3 ls # buckets you can list
aws s3 ls s3://bucket-name --no-sign-request 2>/dev/null # public bucket?
# Compute and data:
aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,PublicIpAddress]' --output text
aws rds describe-db-instances --query 'DBInstances[].[DBInstanceIdentifier,PubliclyAccessible]' --output text
The --query flag (JMESPath) filters the JSON output to just the fields you want — the cloud version of piping to awk. Here it pulls instance IDs and public IPs, or flags publicly-accessible databases.
The classic misconfigurations
# Public S3 buckets — the most famous cloud leak:
aws s3 ls s3://target-bucket --no-sign-request
# Overly-permissive security groups (0.0.0.0/0 ingress):
aws ec2 describe-security-groups \
--query 'SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp, `0.0.0.0/0`)]].GroupId'
# Publicly accessible RDS databases — flagged by PubliclyAccessible=true above
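The script below is an added example, not code from the lesson: it strings the identity check, the --query enumeration and the misconfiguration checks above into one read-only pass. It assumes the AWS CLI is installed and authorised lab credentials are configured; the helper names (public_rds, public_instances, user_from_arn, s3_public_check, recon) are this example's own. The parsers operate on the CLI's --output text format, so they are exercised at the end on constructed sample lines without touching any account.

```shell
#!/bin/sh
# Added example (not from the lesson): one read-only AWS recon pass built from the
# commands above. Assumes the AWS CLI is installed and authorised lab credentials are
# configured. Helper names are this example's own, not AWS CLI subcommands.
set -u

# 'DBInstanceIdentifier<TAB>PubliclyAccessible' lines in, identifiers flagged True out.
# Input matches: aws rds describe-db-instances --query 'DBInstances[].[DBInstanceIdentifier,PubliclyAccessible]' --output text
public_rds() {
  awk -F'\t' '$2 == "True" { print $1 }'
}

# 'InstanceId<TAB>PublicIpAddress' lines in, instances that actually have a public IP out.
# --output text prints a missing attribute as the literal "None".
public_instances() {
  awk -F'\t' '$2 != "None" && $2 != "" { print $1, $2 }'
}

# IAM user name from a caller-identity ARN (user ARNs end in :user/[path/]NAME).
# Prints nothing for role ARNs, which need list-attached-role-policies instead.
user_from_arn() {
  case "$1" in
    arn:aws:iam::*:user/*) printf '%s\n' "${1##*/}" ;;
    *) printf '' ;;
  esac
}

# Bucket names on stdin; prints the ones that list without credentials
# (exit status 0 from an unsigned listing means anonymous read access).
s3_public_check() {
  while IFS= read -r bucket; do
    [ -n "$bucket" ] || continue
    if aws s3 ls "s3://$bucket" --no-sign-request >/dev/null 2>&1; then
      printf 'PUBLIC %s\n' "$bucket"
    fi
  done
}

# Live pass: identity first, then enumeration and the misconfiguration checks.
recon() {
  command -v aws >/dev/null 2>&1 || { echo 'aws CLI not found' >&2; return 1; }
  echo '== identity =='
  arn=$(aws sts get-caller-identity --query Arn --output text) || return 1
  echo "$arn"
  user=$(user_from_arn "$arn")
  if [ -n "$user" ]; then
    echo '== attached user policies =='
    aws iam list-attached-user-policies --user-name "$user" --output text 2>/dev/null
  fi
  echo '== buckets readable anonymously =='
  aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' | s3_public_check
  echo '== RDS publicly accessible =='
  aws rds describe-db-instances --query 'DBInstances[].[DBInstanceIdentifier,PubliclyAccessible]' --output text | public_rds
  echo '== EC2 with public IPs =='
  aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,PublicIpAddress]' --output text | public_instances
  echo '== security groups open to 0.0.0.0/0 =='
  aws ec2 describe-security-groups \
    --query 'SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp, `0.0.0.0/0`)]].GroupId' --output text
}

# Constructed sample output (not captured from a real account) to exercise the parsers offline.
SAMPLE_RDS=$(printf 'orders-db\tFalse\nanalytics-db\tTrue\n')
SAMPLE_EC2=$(printf 'i-0aaa\t203.0.113.10\ni-0bbb\tNone\n')

if [ "${1:-}" = "--live" ]; then
  recon
else
  echo 'offline demo on constructed sample lines:'
  printf '%s\n' "$SAMPLE_RDS" | public_rds          # analytics-db
  printf '%s\n' "$SAMPLE_EC2" | public_instances    # i-0aaa 203.0.113.10
fi
```

Run it with no arguments to see the parsers work on the sample lines; pass --live to run the real pass against configured credentials. Every live call is a describe/list/get operation, so the script changes nothing in the account, and the identity is printed before anything else so a wrong profile is caught before enumeration starts.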
Checkpoint
What is the cloud equivalent of running whoami, and why is it the right first command with a set of AWS credentials?
aws sts get-caller-identity. It returns the account ID and the ARN of the user or role the credentials belong to. It's the right first command because it tells you exactly which identity you're operating as and in which account, which determines everything you can enumerate and do. Just like whoami orients you on a Linux box, this orients you in the cloud account before any further enumeration.
Try it yourself
With authorised cloud credentials in a lab, run the identity check (aws sts get-caller-identity or the Azure/GCP equivalent). Then list the storage resources you can see and check whether any are publicly accessible. Use the --query flag to filter the output to just the fields that matter.
Key takeaways
- aws sts get-caller-identity is the cloud whoami — run it first.
- --query (JMESPath) filters CLI JSON output like awk filters text.
- Check storage exposure first: public buckets are the classic leak.
- Stay in scope, prefer read-only calls, and never exfiltrate real data.