TagNabIt – AWS Cloud Resource Enumeration via Metadata Tags
This article introduces TagNabIt, a tool for offensive security testing that works through the metadata tags attached to cloud resources. The tool can enumerate and brute-force tagged cloud resources, exposing sensitive information about the underlying infrastructure. Organisations routinely overlook the risk of tag leakage; TagNabIt shows how this blind spot can be used for reconnaissance and attack. 2025-09-01 01:00:00 Author: www.darknet.org.uk (view original)

Cloud providers encourage the use of metadata tags to manage, categorise, and bill resources. What most organisations overlook is that tags can also leak sensitive context about infrastructure design, ownership, and the relationships between assets. TagNabIt is an offensive security toolkit designed to exploit this blind spot by enumerating cloud resources through their tags.


For red teamers and penetration testers, this is a valuable reconnaissance vector. Instead of scanning networks or brute forcing services, TagNabIt leverages metadata that administrators themselves have attached, often with descriptive or predictable names.

Features

TagNabIt provides the following key capabilities:

  • Enumerate resources using tag:GetResources
  • Bruteforce IAM resources using tag-related IAM calls
  • Bruteforce other resources using *:ListTagsForResource or *:ListTagsForResources
  • Search CloudTrail logs for occurrences of tag-based enumeration

Installation

TagNabIt is built in Python. From a clone of the repository, create a virtual environment and install the dependencies:

python3 -m venv ./venv
source venv/bin/activate
python3 -m pip install -r requirements.txt

Ensure that valid AWS credentials for the target account are configured in your environment (an AWS CLI profile or the standard AWS_* environment variables). TagNabIt does not bypass authentication; it uses whatever permissions the identity you already hold has been granted to enumerate resources.

Usage

Running TagNabIt with the --help flag shows its options and modules:

$ python3 TagNabIt.py -h
usage: TagNabIt [-h] {BRUTEFORCEIAM,BRUTEFORCERESOURCES,CHECKUSAGE,ENUMERATERESOURCES} ...

TagNabIt is a tool designed to find which identities can enumerate and Bruteforce Cloud Resources using AWS Tags.

positional arguments:
  {BRUTEFORCEIAM,BRUTEFORCERESOURCES,CHECKUSAGE,ENUMERATERESOURCES}
                        Select command to work with.
    BRUTEFORCEIAM       Bruteforce account IAM Resources using tags
    BRUTEFORCERESOURCES
                        Bruteforce account Resources using service specific tag API calls
    CHECKUSAGE          Check if any identity has executed tag enumerate/bruteforce on the Account and dump it.
    ENUMERATERESOURCES  Enumerate account using API request that do not require input

options:
  -h, --help            show this help message and exit

Operators can focus on specific tags (e.g., “env=prod” or “owner=finance”) to identify critical systems more efficiently than through brute-force service enumeration.

Attack Scenario

A red team engagement against an enterprise AWS environment demonstrates the power of TagNabIt:

  1. The operator authenticates with low-privileged cloud credentials, gained through phishing or credential stuffing.
  2. Instead of probing for active services, the operator runs TagNabIt's ENUMERATERESOURCES mode, which pulls every tagged resource together with its tags through tag:GetResources.
  3. Among generic labels like “test” and “dev,” a tag value of “db-prod” reveals critical production database resources.
  4. By filtering on this tag, the operator quickly identifies high-value targets without noisy network scans.

This illustrates how something intended for convenience can become an attacker’s shortcut to sensitive systems.
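The filtering step in the scenario above, written out as an added example (this is not TagNabIt's own code, which lives in the repository linked at the end of the article). SAMPLE_RESPONSE is a constructed stand-in for one page of a Resource Groups Tagging API GetResources response; it follows the real response shape (ResourceTagMappingList of ResourceARN plus Tags), but every ARN, name and the account ID 123456789012 are placeholders. The code decomposes each ARN, applies tag filters with the same semantics as the API's TagFilters, and also scans tag values for the kind of words the article singles out (prod, PCI, finance, restricted) so that high-value resources surface even when the operator does not know the tag keys in advance.

```python
"""Added example: triage tag:GetResources output for high-value resources.

Not TagNabIt's code. SAMPLE_RESPONSE is constructed; ARNs, names and the
account ID 123456789012 are placeholders, but the structure matches a real
GetResources response page.
"""
import re
from collections import Counter

SAMPLE_RESPONSE = {
    "PaginationToken": "",
    "ResourceTagMappingList": [
        {"ResourceARN": "arn:aws:rds:eu-west-1:123456789012:db:orders-primary",
         "Tags": [{"Key": "env", "Value": "db-prod"}, {"Key": "owner", "Value": "finance"}]},
        {"ResourceARN": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc123def4567890",
         "Tags": [{"Key": "env", "Value": "dev"}, {"Key": "owner", "Value": "platform"}]},
        {"ResourceARN": "arn:aws:s3:::acme-payments-archive",
         "Tags": [{"Key": "env", "Value": "db-prod"}, {"Key": "scope", "Value": "PCI"}]},
        {"ResourceARN": "arn:aws:lambda:eu-west-1:123456789012:function:nightly-report",
         "Tags": [{"Key": "env", "Value": "test"}]},
    ],
}

# Tag values an operator would pivot on first (the words the article mentions).
HIGH_VALUE = re.compile(r"prod|pci|finance|restricted", re.IGNORECASE)


def parse_arn(arn):
    """Split an ARN into (service, region, account, resource).
    S3 ARNs legitimately carry empty region and account fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    _, _partition, service, region, account, resource = parts
    return service, region, account, resource


def tags_of(mapping):
    """Flatten the API's [{'Key': .., 'Value': ..}] list into a dict."""
    return {t["Key"]: t["Value"] for t in mapping.get("Tags", [])}


def matches(tags, tag_filters):
    """tag_filters maps key -> set of accepted values, or None for
    'key present with any value' (an empty Values list in the real API)."""
    for key, values in tag_filters.items():
        if key not in tags:
            return False
        if values is not None and tags[key] not in values:
            return False
    return True


def find_resources(response, tag_filters):
    """Resources whose tags satisfy every filter, with the ARN decomposed."""
    hits = []
    for mapping in response["ResourceTagMappingList"]:
        tags = tags_of(mapping)
        if matches(tags, tag_filters):
            service, region, _account, resource = parse_arn(mapping["ResourceARN"])
            hits.append({"arn": mapping["ResourceARN"], "service": service,
                         "region": region, "resource": resource, "tags": tags})
    return hits


def high_value_hits(response):
    """Resources with at least one tag value that looks sensitive, regardless of key."""
    hits = []
    for mapping in response["ResourceTagMappingList"]:
        interesting = {k: v for k, v in tags_of(mapping).items() if HIGH_VALUE.search(v)}
        if interesting:
            hits.append((mapping["ResourceARN"], interesting))
    return hits


def by_service(hits):
    """Count hits per AWS service so the operator sees where the high-value estate lives."""
    return dict(Counter(h["service"] for h in hits))


if __name__ == "__main__":
    for arn, tags in high_value_hits(SAMPLE_RESPONSE):
        print(arn, tags)
    prod = find_resources(SAMPLE_RESPONSE, {"env": {"db-prod"}})
    print(by_service(prod))
```

Against a live account, replace SAMPLE_RESPONSE with the pages returned by boto3's resourcegroupstaggingapi client (get_resources, following PaginationToken until it comes back empty; TagFilters can do the key/value filtering server-side). That single API needs only the tag:GetResources permission, which is why it is such a cheap first step for a low-privileged identity.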

Red Team Relevance

TagNabIt highlights a common oversight in cloud security: metadata can be as sensitive as credentials. While defenders often focus on firewalls and IAM (Identity and Access Management) policies, descriptive tags such as “PCI-scope,” “finance,” or “restricted” can silently expose the attack surface.

For offensive operators, TagNabIt is a way to turn internal practices against the target. For defenders, it is a reminder to review and sanitise tag usage as carefully as any other configuration element, to restrict which identities may call tag:GetResources and the per-service ListTagsForResource APIs, and to watch CloudTrail for those calls, which is exactly what the tool's own CHECKUSAGE mode searches for.
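The defender-side check, as an added example that is not TagNabIt's code: a small detector run over CloudTrail records, the same data the tool's CHECKUSAGE mode searches. The records in SAMPLE_RECORDS are constructed in CloudTrail record layout (eventTime, eventSource, eventName, userIdentity.arn, sourceIPAddress, errorCode, requestParameters); the account ID 123456789012, identity names, role names and IP addresses are placeholders. The eventSource/eventName pairs used to recognise tag calls are an assumption about how the APIs the article lists (tag:GetResources, the IAM List*Tags calls, *:ListTagsForResource(s)) appear in CloudTrail; extend the sets for other services. The detector separates a single GetResources call, which already enumerates every tagged resource, from the burst of mostly failing per-resource lookups that name-guessing produces.

```python
"""Added example: spot tag-based enumeration and brute force in CloudTrail.

Not TagNabIt's code. SAMPLE_RECORDS are constructed; account 123456789012,
identities, role names and IPs are placeholders. The API names below are an
assumption about how the calls the article lists show up in CloudTrail.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ENUMERATION = {("tagging.amazonaws.com", "GetResources")}  # one call lists every tagged resource
LOOKUPS = {"ListRoleTags", "ListUserTags", "ListPolicyTags",
           "ListTagsForResource", "ListTagsForResources"}   # one call per guessed resource

SAMPLE_RECORDS = [json.loads(line) for line in r"""
{"eventTime":"2025-09-01T09:00:00Z","eventSource":"tagging.amazonaws.com","eventName":"GetResources","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/cost-reporting/nightly"},"sourceIPAddress":"10.0.3.21"}
{"eventTime":"2025-09-01T09:00:02Z","eventSource":"tagging.amazonaws.com","eventName":"GetResources","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/cost-reporting/nightly"},"sourceIPAddress":"10.0.3.21"}
{"eventTime":"2025-09-01T10:00:01Z","eventSource":"tagging.amazonaws.com","eventName":"GetResources","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/phished-dev"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2025-09-01T10:00:05Z","eventSource":"iam.amazonaws.com","eventName":"ListRoleTags","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/phished-dev"},"sourceIPAddress":"198.51.100.7","requestParameters":{"roleName":"admin"},"errorCode":"NoSuchEntityException"}
{"eventTime":"2025-09-01T10:00:06Z","eventSource":"iam.amazonaws.com","eventName":"ListRoleTags","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/phished-dev"},"sourceIPAddress":"198.51.100.7","requestParameters":{"roleName":"prod-admin"},"errorCode":"NoSuchEntityException"}
{"eventTime":"2025-09-01T10:00:07Z","eventSource":"iam.amazonaws.com","eventName":"ListRoleTags","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/phished-dev"},"sourceIPAddress":"198.51.100.7","requestParameters":{"roleName":"db-admin"},"errorCode":"NoSuchEntityException"}
{"eventTime":"2025-09-01T10:00:08Z","eventSource":"iam.amazonaws.com","eventName":"ListRoleTags","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/phished-dev"},"sourceIPAddress":"198.51.100.7","requestParameters":{"roleName":"backup"},"errorCode":"NoSuchEntityException"}
{"eventTime":"2025-09-01T10:00:09Z","eventSource":"iam.amazonaws.com","eventName":"ListRoleTags","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/phished-dev"},"sourceIPAddress":"198.51.100.7","requestParameters":{"roleName":"deploy"},"errorCode":"NoSuchEntityException"}
{"eventTime":"2025-09-01T10:00:10Z","eventSource":"iam.amazonaws.com","eventName":"ListRoleTags","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/phished-dev"},"sourceIPAddress":"198.51.100.7","requestParameters":{"roleName":"db-prod-backup"}}
{"eventTime":"2025-09-01T10:03:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/phished-dev"},"sourceIPAddress":"198.51.100.7"}
""".strip().splitlines()]


def is_tag_call(ev):
    return (ev["eventSource"], ev["eventName"]) in ENUMERATION or ev["eventName"] in LOOKUPS


def event_time(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def max_burst(events, window):
    """Largest number of events falling inside any interval of length `window`."""
    times = sorted(event_time(e) for e in events)
    best = right = 0
    for left in range(len(times)):
        while right < len(times) and times[right] - times[left] <= window:
            right += 1
        best = max(best, right - left)
    return best


def analyse(records, window=timedelta(minutes=5), min_lookups=5, min_error_ratio=0.5):
    """One finding per identity that touched a tag API, with a verdict.

    bruteforce : many per-resource lookups, most of them failing (guessed names)
    enumeration: at least one GetResources call (whole account in one request)
    lookup     : a few per-resource tag reads, nothing more
    """
    per_identity = defaultdict(list)
    for ev in records:
        if is_tag_call(ev):
            per_identity[ev["userIdentity"]["arn"]].append(ev)

    findings = {}
    for arn, evs in per_identity.items():
        lookups = [e for e in evs if e["eventName"] in LOOKUPS]
        lookup_errors = [e for e in lookups if "errorCode" in e]
        get_resources = len(evs) - len(lookups)
        error_ratio = len(lookup_errors) / len(lookups) if lookups else 0.0
        if len(lookups) >= min_lookups and error_ratio >= min_error_ratio:
            verdict = "bruteforce"
        elif get_resources:
            verdict = "enumeration"
        else:
            verdict = "lookup"
        # The guessed names are in requestParameters; they show the attacker's wordlist.
        guessed = sorted({str(v) for e in lookups for v in e.get("requestParameters", {}).values()})
        findings[arn] = {
            "verdict": verdict,
            "get_resources": get_resources,
            "lookups": len(lookups),
            "lookup_errors": len(lookup_errors),
            "max_burst": max_burst(evs, window),
            "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
            "guessed_names": guessed,
        }
    return findings


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_RECORDS), indent=2))
```

On the constructed data the phished user is reported as bruteforce (six ListRoleTags calls in ten seconds, five of them NoSuchEntityException, plus one GetResources), while the reporting role that calls GetResources twice a night is reported as enumeration without the error signature; whether that second case is acceptable is a question for the account owner, which is why the detector reports every identity rather than only the noisy one. Feed it the records from a CloudTrail log file or an Athena export and tune min_lookups and the window to the account's normal tagging traffic.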

Conclusion

Cloud migrations introduce new attack surfaces, and metadata tagging is a prime example of a feature that both improves operations and widens what an attacker can see. TagNabIt transforms benign operational data into actionable reconnaissance for adversaries. By embracing tools like this, red teams can test how exposed an organisation is, while defenders can better understand why "harmless" metadata may need stricter governance.

You can read more or download TagNabIt here: https://github.com/gl4ssesbo1/TagNabIt



Source: https://www.darknet.org.uk/2025/09/tagnabit-aws-cloud-resource-enumeration-via-metadata-tags/