
Jump to

Stay tuned for
more insights

During an AWS Penetration Test its common for the team to request an administrative read-only access token. This is used to review AWS assets and identify misconfigurations affecting them.

This may also be used for common pentesting tools such as ScoutSuite and our purpleleaf pentesting platform.

Below is a step-by-step guide to create these tokens:

1. Navigate to IAM

AWS IAM Console

2. Click Users


3. Click Add User

IAM Add User

4. Create a name and select ‘Access key’

AWS User Access Token

5. Add SecurityAudit and ReadOnlyAccess policies

Under ‘Set permissions’ select Attach policies directly.

Set Permissions

Then, from the ‘Filter by type’ dropdown select AWS managed - job function. Select two policies: ReadOnlyAccess and SecurityAudit.

Set permissions

Lastly, clear the search field and ensure both policies are selected.

Show attached policies

6. Create User

Create user

7. Create Access Token and Secret

Now, select the user and navigate to Security Credentials.

Scroll down to ‘Access keys’ and Create access key.

Create access key

For ‘Access key best practices’, select ‘Other’, click next, and complete.

Access key best practices

Congrats you’re done! Always remember to keep this token in a secure location and remove the user when no longer used.