AWSnap is an offensive security tool built for an AWS cloud engagement. It allows you to mount and browse AWS EBS Snapshots locally in minutes by downloading only the critical bits of data (Metadata & Inodes).
AWSnap was born from a simple realization: Traditional snapshot analysis is cumbersome. The standard "Attach-to-EC2" workflow requires:
- Creating a volume from a snapshot.
- Launching or identifying a target EC2 instance.
- Attaching the volume.
- Managing Linux mount points and permissions.
AWSnap bypasses the entire infrastructure layer. By utilizing the EBS Direct APIs, it treats the cloud snapshot like a local streaming device. This "Lazy-by-Design" approach isn't just about saving time—it’s about:
- Zero Infrastructure Footprint: No instances, no volume costs, no SSH management.
- Forensic Integrity: Read-only access by default without "touching" the AWS production environment.
- Speed-to-Data: Go from Snapshot ID to `ls -la` in minutes.
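
Reads made through the EBS Direct APIs create no volume or instance, but CloudTrail can still record them: `ListSnapshotBlocks` and `GetSnapshotBlock` are logged as data events when data-event logging is enabled for the trail. The following is an added example, not part of AWSnap, that summarizes such reads per principal and snapshot; the allowlist, ARNs, snapshot ID, and trimmed record shape are constructed assumptions.

```python
import json
from collections import defaultdict

# EBS direct API read actions; CloudTrail records them as data events.
READ_EVENTS = {"ListSnapshotBlocks", "ListChangedBlocks", "GetSnapshotBlock"}
# Hypothetical allowlist: principals expected to read snapshot blocks.
BACKUP = "arn:aws:sts::111122223333:assumed-role/backup-service/job"
EXPECTED = {BACKUP}
SNAP = "snap-0123456789abcdef0"  # constructed snapshot ID
USER = "arn:aws:iam::111122223333:user/dev-ci"  # constructed principal

def _rec(arn, name, block=None, source="ebs.amazonaws.com"):
    """Build one constructed CloudTrail record with only the fields used here."""
    params = {"snapshotId": SNAP}
    if block is not None:
        params["blockIndex"] = block
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}

# Constructed sample log, not captured from a real account.
SAMPLE_LOG = json.dumps({"Records": [
    _rec(BACKUP, "ListSnapshotBlocks"),
    _rec(BACKUP, "GetSnapshotBlock", 0),
    _rec(USER, "DescribeSnapshots", source="ec2.amazonaws.com"),  # not an EBS direct read
    _rec(USER, "ListSnapshotBlocks"),
    _rec(USER, "GetSnapshotBlock", 0),
    _rec(USER, "GetSnapshotBlock", 1),
    _rec(USER, "GetSnapshotBlock", 1),     # repeated read of the same block
    _rec(USER, "GetSnapshotBlock", 2048),
]})

def summarize_snapshot_reads(cloudtrail_json):
    """Count EBS direct API reads per (principal ARN, snapshot ID)."""
    stats = defaultdict(lambda: {"calls": 0, "blocks": set()})
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if (rec.get("eventSource") != "ebs.amazonaws.com"
                or rec.get("eventName") not in READ_EVENTS):
            continue
        params = rec.get("requestParameters") or {}
        arn = (rec.get("userIdentity") or {}).get("arn", "unknown")
        entry = stats[(arn, params.get("snapshotId", "unknown"))]
        entry["calls"] += 1
        if "blockIndex" in params:
            entry["blocks"].add(params["blockIndex"])
    return stats

def unexpected_readers(stats):
    """Return (arn, snapshot, calls, distinct blocks) for non-allowlisted principals."""
    return sorted((arn, snap, s["calls"], len(s["blocks"]))
                  for (arn, snap), s in stats.items() if arn not in EXPECTED)
```

A principal outside the allowlist that reads only a small number of distinct blocks from a snapshot is consistent with the metadata-only sampling described here, and is worth reviewing against the snapshot's sharing and IAM permissions.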
| Feature | Pacu (ebs__download) | AWSnap |
|---|---|---|
| Speed | 🐢 Slow | ⚡ Fast |
| Storage | Needs full disk space | Uses almost zero space |
| Method | Full Forensic Image | Smart Triage / Sampling |
| Best For | Deep Law Enforcement Work | Red Teaming & Secret Hunting |
We’ve made it simple for you. Just run the setup script to grab all the "hardware" and "software" tools you need.
```bash
# 1. Clone the repo
git clone https://github.com/n1chr0x/AWSnap.git
cd AWSnap
# 2. Run the auto-setup (as root)
sudo chmod +x setup.sh
sudo ./setup.sh
```

Launch the tool and provide your IAM Key & snapshot ID and AWSnap will start the "Smart Slurp."

Once the progress bar hits 100%, your snapshot is mounted! You can now browse the drive just like a normal folder on your computer.

Because this tool uses Sampling, very large files (like big databases or encrypted zip files) might be "holey." AWSnap is meant for finding SSH keys, config files, and credentials, not for full system backups.
Author: @n1chr0x
License: MIT