CLI

AWS CLI Basics

aws --version
aws help
aws ec2 help
aws ec2 run-instances help

Assume a Role

Edit ~/.aws/config to include:

[profile <rolename>]
role_arn = arn:aws:iam::<acc_id>:role/<rolename>
source_profile = default

This lets an IAM user that has credentials and the required permissions assume the role <rolename>.

source_profile names the AWS CLI profile whose credentials are used to call sts:AssumeRole; the identity behind that profile must be allowed to assume the role.

Assume Role Policies

The "giver" (the role's trust policy, attached to <rolename>) needs the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/<user>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

The "taker" (the identity policy of the IAM user that assumes the role) needs the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::123456789012:role/<rolename>"
        }
    ]
}

MFA with AssumeRole

The "giver" policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/<user>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": true
                }
            }
        }
    ]
}

Then the "taker" adds the MFA device to the role profile in the AWS CLI configuration, so the CLI prompts for a token code before calling sts:AssumeRole:

[profile <rolename>]
role_arn = arn:aws:iam::123456789012:role/<rolename>
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/<user>
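The two "giver" policies above differ only in the MFA condition, and a trust policy is easy to weaken by widening the Principal or dropping the condition. The following added example (not from the original page) audits a role trust policy for exactly those points; the user name "alice" in the constructed sample is a placeholder, and the functions are hypothetical helpers, not an AWS API.

```python
import json

# Constructed sample: the "giver" trust policy from this page with the MFA
# condition; the principal name is a placeholder, not a real user.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
  }]
}""")

def _as_list(value):
    # IAM accepts a single string or a list in most fields; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _requires_mfa(statement):
    # Only a plain "Bool" condition counts; IAM accepts the value as a JSON
    # boolean or the string "true". "BoolIfExists" is deliberately rejected:
    # the key is absent for long-term credentials, so it would pass without MFA.
    value = statement.get("Condition", {}).get("Bool", {}).get(
        "aws:MultiFactorAuthPresent")
    return value is True or str(value).lower() == "true"

def audit_trust_policy(policy):
    """One finding per Allow statement that grants sts:AssumeRole."""
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        principals = (_as_list(principal.get("AWS")) if isinstance(principal, dict)
                      else _as_list(principal))
        # "*" or an account root ARN lets any identity in that account that
        # holds sts:AssumeRole permission take the role, not just one user.
        broad = any(p == "*" or p.endswith(":root") for p in principals)
        findings.append({"principals": principals,
                         "mfa_required": _requires_mfa(st),
                         "broad_principal": broad})
    return findings
```

Run it over the JSON returned by `aws iam get-role` (the AssumeRolePolicyDocument field) to check every role in an account the same way.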

Create Security Group

aws ec2 create-security-group --group-name <NAME> --description "<DESCRIPTION>"
aws ec2 authorize-security-group-ingress --group-name <NAME> --protocol <PROTOCOL> --port <PORTNUMBER> --cidr <CIDR>

Create Key Pair

aws ec2 create-key-pair --key-name <KEY_NAME> --query 'KeyMaterial' --output text > key.pem
chmod 400 key.pem

Run an EC2 instance

aws ec2 run-instances --image-id <IMAGE_ID> --security-group-ids <SG_ID> --count 1 --instance-type <INSTANCE_TYPE> --key-name <KEY_NAME> --query 'Instances[0].InstanceId'

To get the public IP of the instance:

aws ec2 describe-instances --instance-ids <INSTANCE_ID> --query 'Reservations[0].Instances[0].PublicIpAddress'

Filters

The --filters parameter restricts describe-instances to particular instances, which helps automate large queries across many systems in the environment. Examples:

aws ec2 describe-instances --filters "Name=instance-type,Values=m1.small"

aws ec2 describe-instances --filters "Name=tag-key,Values=Quarantine"

These filters can also be represented in JSON format:

[
    {
        "Name": "instance-type",
        "Values": [ "t2.micro", "m1.medium" ]
    },
    {
        "Name": "availability-zone",
        "Values": [ "us-east-1a" ]
    }
]

Then we can query using: aws ec2 describe-instances --filters file://filters.json

Skeleton: aws ec2 run-instances --generate-cli-skeleton > RunInstances.json writes a JSON template of every run-instances parameter; fill it in and pass it back with --cli-input-json file://RunInstances.json

AWS CLI Output formats

  • JSON

  • text

  • table

We can change the config in the config file ~/.aws/config:

[default]
output = <format>

We can also set it with an environment variable:

export AWS_DEFAULT_OUTPUT="<format>"

Or within the command:

aws ec2 describe-instances --output <format>
