Rapid7 Vulnerability & Exploit Database

Amazon Web Services EC2 SSM enumeration

Back to Search

Amazon Web Services EC2 SSM enumeration



Provided AWS credentials, this module will call the authenticated API of Amazon Web Services to list all SSM-enabled EC2 instances accessible to the account. Once enumerated as SSM-enabled, the instances can be controlled using out-of-band WebSocket sessions provided by the AWS API (nominally, privileged out of the box). This module provides not only the API enumeration identifying EC2 instances accessible via SSM with given credentials, but enables session initiation for all identified targets (without requiring target-level credentials) using the CreateSession mixin option. The module also provides an EC2 ID filter and a limiting throttle to prevent session stampedes or expensive messes.


  • RageLtMan <rageltman@sempervictus>


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/cloud/aws/enum_ssm
msf auxiliary(enum_ssm) > show actions
msf auxiliary(enum_ssm) > set ACTION < action-name >
msf auxiliary(enum_ssm) > show options
    ...show and set options...
msf auxiliary(enum_ssm) > run 

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security