Amazon Web Services — Extraction Guide

Data Extraction Guide for Amazon Web Services

Step-by-step instructions for your IT or Cloud team to extract AWS security configuration data as CSV files for the AuditCore cloud security assessment. Uses the AWS CLI — no live API access granted to AuditCore.

13 data files | 7 domains | 41+ checks | ~20 min est. time
0 Before You Begin
Automated extraction recommended. AuditCore provides Extract-AuditCoreAWS.ps1 which uses the AWS CLI to extract all 13 files automatically. Requires PowerShell 5.1+ and AWS CLI v2 installed on Windows.
Read-only — no changes to your AWS account. All operations use read-only API calls (Describe*, List*, Get*). AuditCore never modifies any AWS resource. The IAM policy below grants exactly the permissions needed — nothing more.
Requirement      | Details                                              | Notes
AWS CLI v2       | Installed and configured with aws configure          | Download: aws.amazon.com/cli
IAM User / Role  | Attach AuditCore_ReadOnly policy (see Section 3)     | Or use the SecurityAudit AWS managed policy as an alternative
PowerShell       | PowerShell 5.1+ (built into Windows 10/11)           | Required for Extract-AuditCoreAWS.ps1
AWS Region       | Primary region where workloads run                   | IAM and S3 exports are global regardless of region
Permissions      | See IAM policy in Section 3                          | Minimum: ReadOnlyAccess + iam:GenerateCredentialReport
1 Required Files (13 total)

All files are CSV format. The PowerShell script produces these exact filenames.

Identity & Access

  iam_credential_report.csv (Identity): IAM Credential Report
    All IAM users: MFA status, access key age, password last used, root account key status. Generated by AWS.

  iam_users.csv (Identity): IAM Users & Groups
    All IAM users with their group memberships and directly attached policies.

  iam_policies.csv (Identity): IAM Policies (Customer-Managed)
    Customer-created IAM policies with policy document summaries for wildcard action/resource analysis.

  iam_roles.csv (Identity): IAM Roles & Trust Policies
    All IAM roles with trust policy principals and attached policies for cross-account/wildcard trust analysis.

Data Security

  s3_buckets.csv (Data Sec): S3 Bucket Inventory
    All S3 buckets: public access block settings, versioning, encryption, logging, and MFA delete status.

Network Security

  security_groups.csv (Network): EC2 Security Groups
    All security group inbound rules: port ranges, protocols, and CIDR ranges. Identifies open SSH/RDP.

  vpc_config.csv (Network): VPC & Flow Logs Config
    All VPCs with flow log status, internet gateway attachment, and default VPC identification.

  ec2_instances.csv (Network): EC2 Instances
    Running EC2 instances: public IPs, IAM role attachment, security groups, EBS volume encryption status.

Audit & Logging

  cloudtrail_trails.csv (Audit): CloudTrail Trails
    All CloudTrail trails: multi-region status, global service events, log validation, CloudWatch integration.

  config_rules.csv (Audit): AWS Config Compliance Rules
    AWS Config rule compliance status: identifies non-compliant resources against CIS/security benchmarks.

Encryption & Compliance

  kms_keys.csv (Encryption): KMS Keys & Rotation
    Customer-managed KMS keys: key state, automatic rotation status, and alias names.

  rds_instances.csv (Encryption): RDS Instances
    All RDS instances: encryption at rest, public accessibility, backup retention, deletion protection.

  account_settings.csv (Compliance): Account Password Policy & Root Config
    IAM password policy settings and root account MFA/access key status.

2 Automated Extraction (Recommended)
Fastest path. Extract-AuditCoreAWS.ps1 uses the AWS CLI to query all 13 data sources and output CSV files. Works on any Windows machine with PowerShell 5.1+ and AWS CLI v2 installed.

Step-by-step

  1. Install AWS CLI v2 if not already present: aws.amazon.com/cli. Verify with aws --version.
  2. Create a dedicated IAM user for the audit (see Section 3). Attach the AuditCore_ReadOnly policy. Generate an Access Key and Secret Key.
  3. Configure the AWS CLI profile:
       aws configure --profile auditcore
       # Enter Access Key ID, Secret Access Key, Region (e.g. us-east-1), Output format: json
  4. Download Extract-AuditCoreAWS.ps1 and run it in PowerShell:
       # Basic usage: uses the "auditcore" profile and the us-east-1 region
       .\Extract-AuditCoreAWS.ps1 -Profile "auditcore" -Region "us-east-1"
       # Custom output folder
       .\Extract-AuditCoreAWS.ps1 -Profile "auditcore" -Region "eu-west-1" `
           -OutputFolder "C:\Audit\AWS"
  5. All 13 CSV files will be saved to C:\AuditCore\AWS\ (or your custom folder).
  6. Upload to AuditCore → New Project → Amazon Web Services (AWS) → upload the CSV files.
  7. After the assessment: delete the IAM user or deactivate its access keys in the AWS Console.
3 IAM Policy (Minimum Permissions)
Create a new IAM policy named AuditCore_ReadOnly in your AWS console (IAM → Policies → Create Policy → JSON) and paste the policy below. Attach it to the IAM user or role used for extraction.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:GenerateCredentialReport",
            "iam:GetCredentialReport",
            "iam:ListUsers",
            "iam:ListGroups",
            "iam:ListGroupsForUser",
            "iam:ListAttachedUserPolicies",
            "iam:ListPolicies",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:ListRoles",
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:GetAccountPasswordPolicy",
            "iam:GetAccountSummary",
            "s3:ListAllMyBuckets",
            "s3:GetBucketPublicAccessBlock",
            "s3:GetBucketVersioning",
            "s3:GetBucketEncryption",
            "s3:GetBucketLogging",
            "s3:GetBucketLocation",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeVpcs",
            "ec2:DescribeFlowLogs",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeInstances",
            "ec2:DescribeVolumes",
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetTrailStatus",
            "config:DescribeConfigRules",
            "config:DescribeComplianceByConfigRule",
            "kms:ListKeys",
            "kms:DescribeKey",
            "kms:GetKeyRotationStatus",
            "kms:ListAliases",
            "rds:DescribeDBInstances",
            "sts:GetCallerIdentity"
          ],
          "Resource": "*"
        }
      ]
    }
Security best practice. Create a dedicated IAM user named auditcore-extractor for this audit. Deactivate or delete its access keys immediately after uploading the CSV files. Never use root account credentials or an existing admin user.
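Before attaching the policy above, it is worth confirming mechanically that it really is read-only, especially if someone edits it to add a permission later. The following PowerShell function is an added example, not part of the AuditCore guide or its Extract-AuditCoreAWS.ps1 script; the function name, the verb patterns and the sample policy are assumptions for illustration. It treats an action as read-only when its verb starts with Get, List or Describe, with iam:GenerateCredentialReport as the one named exception (it only produces a report), and rejects bare wildcards.

```powershell
# Added example (not AuditCore's code): check that an IAM policy document grants
# only read-only actions before it is attached to the audit user.
function Test-ReadOnlyPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$PolicyJson,
        # Verb patterns accepted as read-only (assumed convention, matching the guide's Describe*/List*/Get*).
        [string[]]$AllowedVerbPatterns = @('Get*', 'List*', 'Describe*'),
        # Actions allowed by name even though their verb is not in the list above.
        [string[]]$ExplicitAllow = @('iam:GenerateCredentialReport')
    )

    $policy = $PolicyJson | ConvertFrom-Json
    $violations = @()

    # Statement may be a single object or an array; @() normalises both to an array.
    foreach ($stmt in @($policy.Statement)) {
        # Deny statements never widen access, so only Allow statements are inspected.
        if ($stmt.Effect -ne 'Allow') { continue }

        foreach ($action in @($stmt.Action)) {
            $parts = $action -split ':', 2
            # "*" or "service:*" grants every action of a service, including writes.
            if ($parts.Count -lt 2 -or $parts[1] -eq '*') {
                $violations += "wildcard action '$action'"
                continue
            }
            if ($ExplicitAllow -contains $action) { continue }

            $verb = $parts[1]
            $isReadOnly = $false
            foreach ($pattern in $AllowedVerbPatterns) {
                if ($verb -like $pattern) { $isReadOnly = $true; break }
            }
            if (-not $isReadOnly) { $violations += "non-read-only action '$action'" }
        }
    }

    # Return an object so a script can branch on the result instead of reading console text.
    [PSCustomObject]@{
        IsReadOnly = ($violations.Count -eq 0)
        Violations = $violations
    }
}

# Constructed sample: a few actions from the Section 3 policy, plus two actions
# deliberately added (s3:PutBucketPolicy and iam:*) that the check must reject.
$samplePolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GenerateCredentialReport", "iam:GetCredentialReport",
        "s3:ListAllMyBuckets", "ec2:DescribeSecurityGroups", "sts:GetCallerIdentity",
        "s3:PutBucketPolicy", "iam:*"
      ],
      "Resource": "*"
    }
  ]
}
'@

$result = Test-ReadOnlyPolicy -PolicyJson $samplePolicy
$result.IsReadOnly
$result.Violations
```

Run against the unmodified Section 3 policy the function reports IsReadOnly as true with no violations; for the constructed sample it reports the two injected actions. Pass the policy text with `Get-Content -Raw` when checking a saved file.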
4 Manual Extraction Reference

Use these AWS CLI commands if the PowerShell script is not permitted in your environment.

File                      | AWS CLI Command                                                      | Notes
iam_credential_report.csv | aws iam generate-credential-report, then aws iam get-credential-report | Wait ~30s for generation
iam_users.csv             | aws iam list-users --output json                                    | Then per user: list-attached-user-policies, list-groups-for-user
s3_buckets.csv            | aws s3api list-buckets, then per-bucket calls                        | get-public-access-block, get-bucket-versioning, get-bucket-encryption
security_groups.csv       | aws ec2 describe-security-groups --output json                      | Export IpPermissions inbound rules
cloudtrail_trails.csv     | aws cloudtrail describe-trails, then get-trail-status                | Run in each region for complete coverage
rds_instances.csv         | aws rds describe-db-instances --output json                         | Run in each region
account_settings.csv      | aws iam get-account-password-policy + aws iam get-account-summary   | AccountMFAEnabled=1 means root MFA is active
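The first row of the table is the one manual step that needs more than a plain `--output json` redirect: `aws iam get-credential-report` returns the report base64-encoded in a Content field, and it has to be decoded before it is a CSV. The following PowerShell is an added example, not part of the AuditCore guide or its script, showing that decoding plus the two Identity findings the report supports (MFA gaps and access key age). The function name, the 90-day key-age threshold and the sample report are assumptions; the column names (user, mfa_active, access_key_1_active, and so on) and the special values N/A, no_information and not_supported are AWS's own credential report format.

```powershell
# Added example (not AuditCore's code): decode the CLI's credential report JSON into
# iam_credential_report.csv rows and annotate each row with findings.
function ConvertFrom-CredentialReport {
    param(
        [Parameter(Mandatory = $true)][string]$CliJson,
        [int]$MaxKeyAgeDays = 90,                 # assumed threshold for "aged" keys
        [datetime]$Now = [datetime]::UtcNow       # injectable so runs are reproducible
    )

    $report = $CliJson | ConvertFrom-Json
    # The report body is base64 text in the Content field; decode it to CSV.
    $csv  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($report.Content))
    $rows = $csv | ConvertFrom-Csv

    foreach ($row in $rows) {
        $findings = @()

        # Console login without MFA. Root reports password_enabled as "not_supported",
        # so the "-ne 'false'" test keeps root in scope while skipping API-only users.
        if ($row.mfa_active -eq 'false' -and $row.password_enabled -ne 'false') {
            $findings += 'no MFA on console login'
        }

        foreach ($n in 1, 2) {
            if ($row."access_key_${n}_active" -ne 'true') { continue }
            # Root should not hold long-lived access keys at all.
            if ($row.user -eq '<root_account>') { $findings += "root access key $n is active" }
            $rotated = $row."access_key_${n}_last_rotated"
            if ($rotated -and $rotated -notin @('N/A', 'no_information')) {
                $rotatedUtc = [datetime]::Parse($rotated, [Globalization.CultureInfo]::InvariantCulture).ToUniversalTime()
                $age = ($Now - $rotatedUtc).Days
                if ($age -gt $MaxKeyAgeDays) { $findings += "access key $n is $age days old" }
            }
        }

        # Emit the row with an extra Findings column so the CSV carries the analysis too.
        $row | Add-Member -NotePropertyName Findings -NotePropertyValue ($findings -join '; ') -PassThru
    }
}

# Constructed sample report (three principals), encoded exactly as the CLI returns it.
$sampleCsv = @'
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T09:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-06-01T00:00:00+00:00,true,2024-03-10T08:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,true,true,2024-02-01T00:00:00+00:00,2024-03-10T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-01-01T00:00:00+00:00,2024-03-09T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
'@
$sampleJson = @{
    Content       = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleCsv))
    ReportFormat  = 'text/csv'
    GeneratedTime = '2024-03-12T10:00:00+00:00'
} | ConvertTo-Json

# Live usage instead of the sample (profile from Section 2):
#   $json = aws iam get-credential-report --profile auditcore --output json | Out-String
$asOf = ([datetime]'2024-03-12T10:00:00Z').ToUniversalTime()
$rows = ConvertFrom-CredentialReport -CliJson $sampleJson -Now $asOf
$rows | Export-Csv -Path 'iam_credential_report.csv' -NoTypeInformation
$rows | Where-Object Findings | Select-Object user, Findings
```

With the sample, the root row is flagged for missing MFA and an active, aged key, ci-deploy for an aged key only (it has no console password, so no MFA finding), and alice is clean. The same decoding is what the PowerShell script has to do internally; the Findings column is extra and not part of the file AuditCore expects.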
5 What AuditCore Checks
Domain             | Key Checks                                                                               | Frameworks
Identity & Access  | Root access keys, MFA gaps, stale accounts, access key age, wildcard policies            | CIS AWS v1.5, NIST AC-2, SOX ITGC
Data Security      | S3 public access, missing encryption, versioning gaps, access logging                    | CIS 2.x, NIST SC-28, ISO 27001 A.8.24
Network Security   | Open SSH/RDP, unrestricted security groups, VPC flow logs, EC2 encryption                | CIS 5.x, NIST SC-7, ISO 27001 A.8.20
Audit & Logging    | CloudTrail multi-region, log validation, CloudWatch integration, Config compliance       | CIS 3.x, NIST AU-2, SOX ITGC
Encryption         | RDS encryption, KMS key rotation, EBS volume encryption                                  | CIS 2.x/3.x, NIST SC-28, PCI DSS 3.5
Access Control     | Full admin policies, wildcard trust policies, iam:PassRole abuse, over-privileged roles   | CIS 1.x, NIST AC-6, ISO 27001 A.5.15
Compliance         | Root MFA, password policy strength, account contacts, Config rule compliance             | CIS 1.x, SOC 2 CC6, NIST IA-5
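To make the Network Security row concrete, here is how the "open SSH/RDP" check can be derived from the same `aws ec2 describe-security-groups` output that feeds security_groups.csv. This PowerShell is an added example and not AuditCore's detection logic; the function name, the port list and the sample groups are assumptions. It handles the two shapes an "all traffic" rule takes in the API (IpProtocol "-1" with no port fields, or a tcp rule spanning 0-65535) and both IPv4 and IPv6 world-open sources.

```powershell
# Added example (not AuditCore's code): list security group rules that expose SSH or RDP
# to any address, from describe-security-groups JSON.
function Find-OpenAdminPorts {
    param(
        [Parameter(Mandatory = $true)][string]$CliJson,
        [int[]]$AdminPorts = @(22, 3389)      # SSH and RDP; extend as needed
    )

    $groups = ($CliJson | ConvertFrom-Json).SecurityGroups

    foreach ($sg in $groups) {
        # IpPermissions holds inbound rules; outbound rules live in IpPermissionsEgress.
        foreach ($perm in @($sg.IpPermissions)) {
            # IpProtocol "-1" means all protocols and carries no FromPort/ToPort at all.
            $allPorts = ($perm.IpProtocol -eq '-1') -or ($null -eq $perm.FromPort)
            $hitPorts = @($AdminPorts | Where-Object {
                $allPorts -or ($_ -ge $perm.FromPort -and $_ -le $perm.ToPort)
            })
            if ($hitPorts.Count -eq 0) { continue }

            $sources = @($perm.IpRanges   | ForEach-Object { $_.CidrIp }) +
                       @($perm.Ipv6Ranges | ForEach-Object { $_.CidrIpv6 })
            foreach ($cidr in $sources) {
                if ($cidr -in @('0.0.0.0/0', '::/0')) {
                    [PSCustomObject]@{
                        GroupId   = $sg.GroupId
                        GroupName = $sg.GroupName
                        VpcId     = $sg.VpcId
                        Protocol  = $perm.IpProtocol
                        Ports     = ($hitPorts -join ',')
                        Source    = $cidr
                    }
                }
            }
        }
    }
}

# Constructed sample in the CLI's output shape: one group with SSH open to the world
# and RDP limited to 10.0.0.0/8, one "all traffic" group open over IPv6, one clean HTTPS group.
$sampleJson = @'
{
  "SecurityGroups": [
    { "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "bastion-sg", "VpcId": "vpc-0123456789abcdef0",
      "IpPermissions": [
        { "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ], "Ipv6Ranges": [] },
        { "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [ { "CidrIp": "10.0.0.0/8" } ], "Ipv6Ranges": [] } ] },
    { "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "legacy-all-open", "VpcId": "vpc-0123456789abcdef0",
      "IpPermissions": [
        { "IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [ { "CidrIpv6": "::/0" } ] } ] },
    { "GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "web-sg", "VpcId": "vpc-0123456789abcdef0",
      "IpPermissions": [
        { "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ], "Ipv6Ranges": [] } ] }
  ]
}
'@

# Live usage instead of the sample:
#   $json = aws ec2 describe-security-groups --profile auditcore --region us-east-1 --output json | Out-String
Find-OpenAdminPorts -CliJson $sampleJson | Format-Table -AutoSize
```

On the sample this reports bastion-sg (tcp 22 from 0.0.0.0/0) and legacy-all-open (all protocols, both admin ports, from ::/0); web-sg is not reported because 443 is not an admin port, and the RDP rule limited to 10.0.0.0/8 is not reported because its source is not world-open. Security groups are regional, so the same command has to be run per region, as the Section 4 table notes for other resources.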