Beginner Friendly | Red Team | GCP

Understand Authentication Mechanisms Using boto3

Explore how to interact with AWS services using Python3 and the boto3 module

Overview

This follow-up lab continues exploring how to interact with AWS services using Python3 and the boto3 module. We will leverage the AWS command line, Burp Suite, and Python3 to further enumerate STS, S3, and SecretsManager.

Scenario

In the previous Python coding lesson, we showed how to use the Python requests library to enumerate unauthenticated S3 buckets and download files from them. In this lesson, we will use the Python library boto3 to authenticate to AWS so that we can not only download files but also query the IAM, STS, and SecretsManager services.

Lab prerequisites

To generate a programmatic solution for the lesson, we need the following tools:

  • Burp Suite (Community edition works fine here)
  • AWS CLI installed
  • Visual Studio Code with Python and Python Debugger extensions installed - see VS Code installation instructions here
  • Have previously completed the “Create Custom Tooling to Explore AWS” lesson

Real-world context

When building infrastructure in AWS, running audits and creating incident response playbooks, and assessing the security of AWS environments, there are times when existing tools don't do exactly what we need. For these situations, being able to create your own tools and scripts will help you build, defend and attack more effectively.