# Level 2

In level 1, we were able to access the S3 bucket unauthenticated. However, for level 2, we will need to use our own AWS account.

If you do not have an AWS account, you can create a free tier account [here.](https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank\&all-free-tier.sort-order=asc\&awsf.Free%20Tier%20Types=*all\&awsf.Free%20Tier%20Categories=*all)

In the AWS console, navigate to IAM -> Security Credentials -> Access Keys

Create an access key. There will be an Access Key and a Secret Access Key that will be used to create a profile.

```
aws configure --profile <INSERT PROFILENAME>
```

<div align="left"><figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FTYx8hXTiBC3GBidOVk6U%2Fimage.png?alt=media&#x26;token=b6cc7715-bd12-4ad7-8dbf-d8f79fda0adc" alt=""><figcaption></figcaption></figure></div>

Just for fun, let's try to list the contents of the bucket without using our credentials.

We can see that we get the same error from level 1.

*Note: the URL does not need "http" since we are working with the S3 bucket directly*

```
aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FjGl5oQF5RGH9nHymexCm%2Fimage.png?alt=media&#x26;token=90ae4625-b97e-487c-9be0-72961f2b7de9" alt=""><figcaption></figcaption></figure>

Now, let's use the profile that we created in the earlier step.

We can see that it allowed us to access the bucket contents using an authenticated profile.

```
aws s3 --profile flaws ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/
```

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2FYgmWZfm99Xq87ov3iMpo%2Fimage.png?alt=media&#x26;token=8ade725d-a669-4f8e-aca4-4645311efc16" alt=""><figcaption></figcaption></figure>

We found the secret file for Level 2! After appending it to the URL (<http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html>), we have successfully passed this level.

<figure><img src="https://450836410-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fgns9cN7UvH1POIBCfrRn%2Fuploads%2F0iTr7zLr0zB7r21fU6G4%2Fimage.png?alt=media&#x26;token=550f26a9-3c19-4b72-9390-50880013d616" alt=""><figcaption></figcaption></figure>

**Lessons Learned**

This S3 bucket had permissions set to "Any Authenticated AWS User". This misconfiguration violates the principle of least privilege by granting permissions to unnecessary identities.

*Note from flaws.cloud: "This setting can no longer be set in the webconsole, but the SDK and third-party tools sometimes allow it."*
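As an added check for the lesson above (example code written for this page, not part of the original walkthrough or of flaws.cloud), the following Python audits a bucket ACL in the JSON shape that `aws s3api get-bucket-acl` prints and flags any grant to the global AllUsers or AuthenticatedUsers groups. Both ACL documents are constructed samples, and the owner ID is a placeholder.

```python
import json

# Group URIs S3 uses for its two world-scoped grantee groups. AuthenticatedUsers
# is the "Any Authenticated AWS User" setting: every AWS account, not only yours.
WORLD_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (AllUsers)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account (AuthenticatedUsers)",
}


def find_world_grants(acl):
    """Return [(who, permission), ...] for grants to AllUsers/AuthenticatedUsers.
    `acl` is a dict in the shape printed by `aws s3api get-bucket-acl`:
    {"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": "..."}]}."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in WORLD_GROUPS:
            findings.append((WORLD_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def audit_acl_json(acl_json):
    """Parse a get-bucket-acl JSON document and summarise any world-scoped grants."""
    findings = find_world_grants(json.loads(acl_json))
    if not findings:
        return "OK: only specific grantees"
    return "FAIL: " + "; ".join(f"{who} has {perm}" for who, perm in findings)


# Constructed sample mirroring the level 2 misconfiguration: the owner keeps
# FULL_CONTROL and READ is granted to AuthenticatedUsers (owner ID is a placeholder).
LEVEL2_STYLE_ACL = """{
  "Owner": {"ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}
  ]
}"""

# Constructed sample of the corrected ACL: only the owning account is granted.
FIXED_ACL = """{
  "Owner": {"ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
  "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
              "Permission": "FULL_CONTROL"}]
}"""
```

Pipe the real output of `aws s3api get-bucket-acl --bucket <bucket>` into `audit_acl_json` to run the same check against your own buckets.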
