astronaut
Logbook
Web Security • Research • CTF
May 17, 2026

AWS Storage + IAM Foundation

Phase 1 notes: S3, IAM, account ID discovery, CloudTrail investigation, and exposure risks in EBS/RDS.

Phase 1 — AWS Storage + IAM Foundation

Phase Summary

Completed 6 labs (4 Red / 2 Blue) focused on AWS storage and identity attack paths, plus defensive investigation with CloudTrail.

This phase built my core cloud security foundations around S3, IAM, AWS account ID discovery, public resource exposure, and CloudTrail triage.

Learning Objectives

  • Understand how attackers enumerate S3 and identify misconfigurations.
  • Learn why AWS account IDs can be useful for further cloud reconnaissance.
  • Practice IAM enumeration to map identities, permissions, and blast radius.
  • Investigate suspicious cloud activity using CloudTrail logs.
  • Assess data exposure risk from public EBS snapshots and internet-facing RDS.

Lab Path

| Order | Lab | Type | Summary |
|-------|-----|------|---------|
| 1 | AWS S3 Enumeration Basics | 🔴 Red | Enumerate S3 buckets, test access controls, and list objects to establish an initial foothold. |
| 2 | Identify the AWS Account ID from a Public S3 Bucket | 🔴 Red | Derive an AWS account ID from a public S3 bucket and use it to expand reconnaissance paths. |
| 3 | Intro to AWS IAM Enumeration | 🔵 Blue | Use AWS CLI to enumerate IAM users, roles, groups, policies, and effective permissions. |
| 4 | Breach in the Cloud | 🔵 Blue | Analyze CloudTrail logs to identify suspicious S3/IAM behavior and triage a cloud breach. |
| 5 | Loot Public EBS Snapshots | 🔴 Red | Assess how public EBS snapshots can expose sensitive data to unauthorized access. |
| 6 | Pillage Exposed RDS Instances | 🔴 Red | Evaluate the risk of publicly accessible RDS instances and resulting database exposure. |

Core Lessons from Phase 1

  1. S3 exposure is a frequent starting point for both reconnaissance and sensitive data discovery.
  2. An AWS account ID is low-sensitivity but high-utility when chained with IAM-focused enumeration.
  3. IAM is the control plane of cloud risk, and permission mapping is key to understanding blast radius.
  4. CloudTrail provides critical detection and response telemetry for cloud incident investigations.
  5. Public EBS snapshots and exposed RDS services can create severe, direct data leak paths.