# Nonproduction API Endpoints

## Overview

When you interact with an AWS service, every request goes to a service API endpoint, e.g.,

{% code overflow="wrap" %}

```bash
aws iam list-users
```

{% endcode %}

The **IAM** commands hit the service endpoint `iam.amazonaws.com` over HTTPS. Each service and region has its own endpoint, and some endpoints accept both HTTP and HTTPS. Add `--debug` to an AWS CLI command to see the endpoint it resolved in the output, e.g.,

{% code overflow="wrap" %}

```bash
aws iam list-users --debug

[SNIP]
2025-08-02 14:47:29,094 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): iam.amazonaws.com:443
2025-08-02 14:47:29,426 - MainThread - urllib3.connectionpool - DEBUG - https://iam.amazonaws.com:443 "POST / HTTP/1.1" 200 619
[SNIP]
```

{% endcode %}

You can also specify an alternative endpoint like so:

{% hint style="info" %}
Notice that the EC2 service endpoint accepts plain HTTP, so the request and response below travel unencrypted over the network.
{% endhint %}

{% code overflow="wrap" %}

```bash
aws ec2 describe-instances --region us-east-1 --endpoint-url http://ec2.us-east-1.amazonaws.com
```

{% endcode %}

***

## Using Nonproduction API Endpoints

{% hint style="warning" %}
It's rare to find a nonproduction endpoint that does not log to CloudTrail and also returns production data.
{% endhint %}

{% embed url="https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/" %}

DataDog has published a tool, [undocumented-aws-api-hunter](https://github.com/DataDog/undocumented-aws-api-hunter/), to discover nonproduction API endpoints that teams at AWS create for different purposes and regularly recycle.

From an attacker's perspective, these endpoints are interesting for a number of reasons:

* they may or may not return production data (i.e., data in your account — provided you have permissions to view it)
* they may or may not log the API call to CloudTrail
* even if they don't return production data (and even better if the call is not logged to CloudTrail), they are a useful way to identify what permissions you have in the account
* even if they do log to CloudTrail, the call may show up under a non-standard event source that detection rules and tooling do not cover
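
Each of the points above has a defender's counterpart in the CloudTrail record itself. The following is an added example, not code from the original page or from DataDog's tool, that triages records for three signals: an event source outside the account's baseline, an API call recorded without `tlsDetails` (a plain-HTTP endpoint like the EC2 example earlier on this page), and a client-supplied `Host` header that does not match the standard endpoint name for the service. The sample records, the baseline set and the `nonprod-placeholder` endpoint names are constructed for illustration; that `tlsDetails` is absent when a call did not use TLS and that `clientProvidedHostHeader` carries the hostname the client sent are assumptions about the CloudTrail record format, so confirm both against your own trail before alerting on them.

```python
"""Triage CloudTrail records for calls that used nonstandard or unencrypted
AWS API endpoints. Added example; sample records are constructed."""
import json

# Constructed sample CloudTrail records (not real log data). Only the fields
# the triage uses are filled in; real records carry many more.
SAMPLE_RECORDS = json.dumps([
    {   # ordinary HTTPS call to the global IAM endpoint: nothing to flag
        "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
        "eventName": "ListUsers", "awsRegion": "us-east-1",
        "tlsDetails": {"tlsVersion": "TLSv1.3",
                       "cipherSuite": "TLS_AES_128_GCM_SHA256",
                       "clientProvidedHostHeader": "iam.amazonaws.com"},
    },
    {   # EC2 call sent over plain HTTP: no tlsDetails in the record
        "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "awsRegion": "us-east-1",
    },
    {   # EC2 call where the client chose its own host via --endpoint-url
        # (placeholder hostname, not a real endpoint)
        "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeVolumes", "awsRegion": "us-east-1",
        "tlsDetails": {"tlsVersion": "TLSv1.2",
                       "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
                       "clientProvidedHostHeader":
                           "ec2.nonprod-placeholder.amazonaws.com:443"},
    },
    {   # event source never seen in this account's baseline (placeholder)
        "eventType": "AwsApiCall",
        "eventSource": "nonprod-placeholder.amazonaws.com",
        "eventName": "PlaceholderOperation", "awsRegion": "us-east-1",
        "tlsDetails": {"tlsVersion": "TLSv1.2",
                       "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
                       "clientProvidedHostHeader":
                           "nonprod-placeholder.amazonaws.com"},
    },
])

# Event sources this account is expected to use (constructed). In practice,
# derive the set from a trailing window of the account's own CloudTrail
# history and review each new source as it appears.
BASELINE_SOURCES = {"iam.amazonaws.com", "ec2.amazonaws.com",
                    "sts.amazonaws.com"}


def expected_hosts(record):
    """Hostnames a client should present for this record's service/region:
    <service>.amazonaws.com (global) or <service>.<region>.amazonaws.com."""
    service = record["eventSource"].split(".", 1)[0]
    hosts = {f"{service}.amazonaws.com"}
    region = record.get("awsRegion")
    if region:
        hosts.add(f"{service}.{region}.amazonaws.com")
    # Extend here for FIPS, dual-stack, S3 virtual-hosted-style and VPC
    # endpoint hostnames, which would otherwise be reported as findings.
    return hosts


def triage(record, baseline=BASELINE_SOURCES):
    """Return the list of findings for one CloudTrail record."""
    findings = []
    if record.get("eventType") != "AwsApiCall":
        return findings      # only direct API calls carry endpoint details
    if record.get("eventSource", "") not in baseline:
        findings.append("unknown-event-source")
    tls = record.get("tlsDetails")
    if tls is None:
        # Assumption: tlsDetails is absent when the request did not use TLS,
        # i.e. the client talked to an http:// endpoint.
        findings.append("plaintext-http")
    else:
        host = tls.get("clientProvidedHostHeader", "").lower().split(":")[0]
        if host and host not in expected_hosts(record):
            findings.append("nonstandard-host-header")
    return findings


def triage_all(records_json):
    """Map eventName -> findings for every flagged record in a JSON array."""
    return {r["eventName"]: f for r in json.loads(records_json)
            if (f := triage(r))}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_RECORDS).items():
        print(f"{name}: {', '.join(findings)}")
```

Run as-is it reports `DescribeInstances` (plaintext HTTP), `DescribeVolumes` (host header not matching the EC2 endpoint pattern) and `PlaceholderOperation` (event source outside the baseline), and stays silent on the ordinary IAM call. The baseline approach is deliberate: an allowlist of every legitimate `eventSource` is hard to maintain, whereas "a source this account has never used before" is cheap to compute from your own trail and catches exactly the non-standard sources the last bullet describes.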
