0.2.2.1. AWS - Search for Creds

Service	Credential Type	Location	Extraction Method
Instance Metadata Service (IMDSv2)	Temporary IAM Tokens	`http://169.254.169.254/latest/meta-data/`	`curl` with token header
Secrets Manager	API Keys, Secrets	AWS-managed secret store	`aws secretsmanager get-secret-value`
Lambda Functions	Environment Variables	Function settings/config	`aws lambda get-function-configuration`
Elastic Beanstalk	App Environment Variables	Configuration files and environments	`aws elasticbeanstalk describe-environments`
CodeBuild/CodePipeline	Hardcoded Secrets	BuildSpec, artifacts	Review buildspec or logs
CodeCommit	Hardcoded API Keys	Git Repositories	`git grep`, manual code inspection
S3 Buckets	Config Files, Tokens	Terraform, CloudFormation templates	`aws s3 cp`, check bucket policies
CloudWatch Logs	Sensitive Log Data	Application logs, event logs	Query logs for secrets
ECS Task Definitions	API Keys, Env Variables	Container definitions	`aws ecs describe-task-definition`

Service	Default Exposure	Public Endpoint Example	Notes
S3 (Simple Storage)	Optional	`https://<bucket>.s3.amazonaws.com/<object>`	Can be made public via bucket policy or ACL.
EC2 Instances	Optional	`<public-ip>:22` (SSH), `<public-ip>:3389` (RDP)	Exposed via Security Groups and public IP.
Lambda (via API GW)	Optional	`https://<api-id>.execute-api.<region>.amazonaws.com/<stage>`	Public if API Gateway is public.
API Gateway	Public (default)	`https://<api-id>.execute-api.<region>.amazonaws.com/`	Protect with usage plans, IAM, or Lambda authorizers.
Elastic Load Balancer	Public (optional)	`http://<elb-dns>`	Public if configured as internet-facing.
CloudFront	Public	`https://<distro>.cloudfront.net/`	CDN service meant for public delivery.
EKS (Kubernetes)	Optional	Public API via ELB	Can be public unless restricted with endpoint access config.
Lightsail Instances	Public (default)	Public IP assigned	Like EC2, but simplified; exposed unless firewall adjusted.