AWS - Permissions for a Pentest
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
These are the permissions you need on each AWS account you want to audit in order to run all the proposed AWS audit tools:
- The AWS managed policy arn:aws:iam::aws:policy/ReadOnlyAccess
- To run aws_iam_review you also need the following permissions:
  - access-analyzer:List*
  - access-analyzer:Get*
  - iam:CreateServiceLinkedRole
  - access-analyzer:CreateAnalyzer (optional if the client creates the analyzers for you, but it is usually easier to just ask for this permission)
  - access-analyzer:DeleteAnalyzer (optional if the client removes the analyzers for you, but it is usually easier to just ask for this permission)
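As an added example (not part of the original page or of aws_iam_review), the following builds the customer-managed policy document to attach beside ReadOnlyAccess and checks whether a policy the client hands you actually covers the actions listed above, honouring IAM's case-insensitive `*` wildcards. The sample client policy is constructed; the check only looks at Allow statements and ignores Deny statements, permission boundaries and SCPs.

```python
import fnmatch
import json

# Permissions aws_iam_review needs on top of ReadOnlyAccess (listed on this page).
REQUIRED_ACTIONS = [
    "access-analyzer:List*",
    "access-analyzer:Get*",
    "iam:CreateServiceLinkedRole",  # lets Access Analyzer create its service-linked role
]
# Only needed when the client does not create/delete the analyzers for you.
OPTIONAL_ACTIONS = ["access-analyzer:CreateAnalyzer", "access-analyzer:DeleteAnalyzer"]

def build_policy(manage_analyzers=True):
    """Policy document to attach to the audit principal next to ReadOnlyAccess."""
    actions = REQUIRED_ACTIONS + (OPTIONAL_ACTIONS if manage_analyzers else [])
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "AwsIamReviewExtras", "Effect": "Allow",
                           "Action": actions, "Resource": "*"}]}

def _granted_actions(policy):
    """Flatten the Allow statements of a policy into a list of action patterns."""
    granted = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are not evaluated here
        action = stmt.get("Action", [])
        granted.extend([action] if isinstance(action, str) else action)
    return granted

def _covers(granted_pattern, needed):
    """IAM action names are case-insensitive and '*' is a wildcard. `needed` may be a
    wildcard itself; a granted prefix wildcard at least as broad also covers it."""
    g, n = granted_pattern.lower(), needed.lower()
    if fnmatch.fnmatchcase(n, g):
        return True
    return g.endswith("*") and n.startswith(g[:-1])  # e.g. "access-analyzer:*"

def missing_actions(policy, needed=REQUIRED_ACTIONS):
    """Return the needed actions that no Allow action pattern in `policy` covers."""
    granted = _granted_actions(policy)
    return [n for n in needed if not any(_covers(g, n) for g in granted)]

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    # Constructed example of a policy a client might hand back: List* is missing.
    client_policy = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": ["access-analyzer:get*", "iam:CreateServiceLinkedRole"], "Resource": "*"}]}
    print("missing:", missing_actions(client_policy))
```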