AWS Pentesting: IAM Enumeration
Introduction
During AWS penetration testing, there is a set of IAM commands I run every time I recon IAM. I am compiling these commands into a blog post to serve as a personal reference, so I have them handy for future tests, and I hope the resource is useful to others as well. We will use Cybr’s Introduction to AWS IAM Enumeration lab for this blog.
My general approach for IAM is to recon Users, Groups, and Roles and then check the policies attached to each of them.
Users
Running the command below creates a named profile for the AWS access keys. In this blog I named it “IAMEnum”; you can choose any name.
aws configure --profile <profile name>
aws configure --profile IAMEnum
The very next command I run is “sts get-caller-identity”. This is the AWS equivalent of the “whoami” command in Linux. No permission is required to run it: every IAM principal can call it, and it cannot be denied by an IAM policy.
aws sts get-caller-identity --profile <profile name>
aws sts get-caller-identity --profile IAMEnum
The output of the command shows that we have a user named “introduction-to-aws-iam-enumeration-1736055973337-Joel” with an ARN of arn:aws:iam::014498641623:user/introduction-to-aws-iam-enumeration-1736055973337-Joel. An Amazon Resource Name (ARN) is the naming convention AWS uses to uniquely identify a resource; the partition, service, account ID, and resource name are all embedded in it.
I would then run “get-account-authorization-details” to obtain a snapshot of the IAM configuration (users, groups, roles, and policies) in the account. The required permission is iam:GetAccountAuthorizationDetails.
The image below shows that our IAM user does not have this permission.
aws iam get-account-authorization-details --profile <profile name>
aws iam get-account-authorization-details --profile IAMEnum
We can use “list-users” to list all the users. If the target account has many users, we can filter the output, for example to return only the “UserName” value.
aws iam list-users --profile <profile name>
aws iam list-users --profile IAMEnum
We would then use “list-user-policies” to list the “inline policies” embedded directly in a specified IAM user. “Inline Policies” are policies that are created and managed directly on a user. They are unique to that user and are not shared with other users or roles.
aws iam list-user-policies --user-name <user name> --profile <profile name>
aws iam list-user-policies --user-name introduction-to-aws-iam-enumeration-1736055973337-Joel --profile IAMEnum
The output above shows that there is an inline policy named “AllowEnumerateRoles” attached to the Joel user.
We can then use “get-user-policy” to retrieve the policy document using the command below.
aws iam get-user-policy --user-name <user name> --policy-name <policy name> --profile <profile name>
aws iam get-user-policy --user-name introduction-to-aws-iam-enumeration-1736055973337-Joel --policy-name AllowEnumerateRoles --profile IAMEnum
We can then use “list-attached-user-policies” to list the “managed policies” that are attached to a specified IAM user. “Managed Policies” are standalone policies that can be attached to multiple users, groups, or roles. Managed policies can be AWS-managed or customer-managed.
aws iam list-attached-user-policies --user-name <user name> --profile <profile name>
aws iam list-attached-user-policies --user-name introduction-to-aws-iam-enumeration-1736055973337-Joel --profile IAMEnum
The image above shows that there are no managed policies attached to the Joel IAM user.
Groups
We can run “list-groups” to list all the IAM groups.
The image below shows that there are two groups configured in the target organization.
aws iam list-groups --profile <profile name>
aws iam list-groups --profile IAMEnum
We would then run “list-groups-for-user” to list only the groups our IAM user is a member of.
The output below shows that our IAM user is a member of a group named “introduction-to-aws-iam-enumeration-1736055973337-Developers”.
aws iam list-groups-for-user --user-name <user name> --profile <profile name>
aws iam list-groups-for-user --user-name introduction-to-aws-iam-enumeration-1736055973337-Joel --profile IAMEnum
We can run “list-group-policies” to list the inline policies attached to the group.
aws iam list-group-policies --group-name <group name> --profile <profile name>
aws iam list-group-policies --group-name introduction-to-aws-iam-enumeration-1736055973337-Developers --profile IAMEnum
The image above shows that there is an inline policy for the group named “introduction-to-aws-iam-enumeration-1736055973337-devs-policy”.
We can run “list-attached-group-policies” to list the managed policies attached to the group.
aws iam list-attached-group-policies --group-name <group name> --profile <profile name>
aws iam list-attached-group-policies --group-name introduction-to-aws-iam-enumeration-1736055973337-Developers --profile IAMEnum
The image above shows that there are no managed policies attached to this group.
We would then run “get-group-policy” command to retrieve the policy document.
aws iam get-group-policy --group-name <group name> --policy-name <policy name> --profile <profile name>
aws iam get-group-policy --group-name introduction-to-aws-iam-enumeration-1736055973337-Developers --policy-name introduction-to-aws-iam-enumeration-1736055973337-devs-policy --profile IAMEnum
Roles
We can use “list-roles” to get all the roles configured in the IAM.
aws iam list-roles --profile <profile name>
aws iam list-roles --profile IAMEnum
We may encounter an account with a large number of roles; in that case it is best to filter the output. For example, if we know the role name, we can run the command shown below.
aws iam list-roles --query "Roles[?RoleName=='SupportRole']" --profile <profile name>
aws iam list-roles --query "Roles[?RoleName=='SupportRole']" --profile IAMEnum
Running “list-role-policies” lists the inline policies attached to an IAM role.
In the image below, there is an inline policy named “AllowS3FullAccessForRole” attached to the role named “SupportRole”.
aws iam list-role-policies --role-name <role name> --profile <profile name>
aws iam list-role-policies --role-name SupportRole --profile IAMEnum
We can use “get-role-policy” to retrieve the policy document.
aws iam get-role-policy --role-name <role name> --policy-name <policy name> --profile <profile name>
aws iam get-role-policy --role-name SupportRole --policy-name AllowS3FullAccessForRole --profile IAMEnum
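The Users, Groups, and Roles sections above walk the same four places a permission can come from: a user's inline policies, the managed policies attached to the user, and the inline and managed policies of each group the user belongs to. The script below, an added example that is not part of the original post or of Cybr's lab, does that walk in code over a snapshot shaped like the output of “get-account-authorization-details” (the per-entity commands above return the same pieces one at a time, so the same dict can be assembled from them). The user name, account ID, and policy contents are constructed placeholders, not lab values; roles sit under RoleDetailList with the same policy-list shape and can be handled the same way.

```python
# Added example (not from the original post): aggregate every policy that applies
# to one user from a get-account-authorization-details snapshot. All names, the
# account ID and the policy contents below are constructed placeholders.


def _as_list(value):
    """IAM allows "Statement" and "Action" to be a single item or a list."""
    return value if isinstance(value, list) else [value]


# Constructed snapshot shaped like `aws iam get-account-authorization-details`
# output, trimmed to the fields this example reads.
SNAPSHOT = {
    "UserDetailList": [{
        "UserName": "joel",
        "Arn": "arn:aws:iam::111111111111:user/joel",
        "UserPolicyList": [{
            "PolicyName": "AllowEnumerateRoles",
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:GetRole"], "Resource": "*"}]},
        }],
        "GroupList": ["Developers"],
        "AttachedManagedPolicies": [],
    }],
    "GroupDetailList": [{
        "GroupName": "Developers",
        "GroupPolicyList": [{
            "PolicyName": "devs-policy",
            # a single statement object instead of a list is valid IAM JSON
            "PolicyDocument": {"Version": "2012-10-17", "Statement":
                               {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}},
        }],
        "AttachedManagedPolicies": [
            {"PolicyName": "DevReadOnly", "PolicyArn": "arn:aws:iam::111111111111:policy/DevReadOnly"}],
    }],
    "Policies": [{
        "PolicyName": "DevReadOnly",
        "Arn": "arn:aws:iam::111111111111:policy/DevReadOnly",
        "DefaultVersionId": "v2",
        "PolicyVersionList": [
            # v1 is stale and not in effect: only the default version grants anything
            {"VersionId": "v1", "IsDefaultVersion": False, "Document": {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}},
            {"VersionId": "v2", "IsDefaultVersion": True, "Document": {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}},
        ],
    }],
}


def managed_policy_document(snapshot, policy_arn):
    """Return the document of the *default* version of a managed policy, or None."""
    for policy in snapshot.get("Policies", []):
        if policy["Arn"] == policy_arn:
            for version in policy["PolicyVersionList"]:
                if version["VersionId"] == policy["DefaultVersionId"]:
                    return version["Document"]
    return None


def policies_for_user(snapshot, user_name):
    """List (source, policy_name, document) for every policy that applies to the user:
    the user's inline and attached managed policies, then the same for each group."""
    user = next(u for u in snapshot["UserDetailList"] if u["UserName"] == user_name)
    groups = {g["GroupName"]: g for g in snapshot.get("GroupDetailList", [])}
    entities = [("user", user, "UserPolicyList")]
    entities += [(f"group:{name}", groups[name], "GroupPolicyList") for name in user.get("GroupList", [])]
    found = []
    for label, entity, inline_key in entities:
        for p in entity.get(inline_key, []):
            found.append((f"{label}-inline", p["PolicyName"], p["PolicyDocument"]))
        for p in entity.get("AttachedManagedPolicies", []):
            doc = managed_policy_document(snapshot, p["PolicyArn"])
            if doc is not None:  # AWS-managed policies may be absent from a filtered snapshot
                found.append((f"{label}-managed", p["PolicyName"], doc))
    return found


def allowed_actions(snapshot, user_name):
    """Union of Action patterns from Allow statements across all applicable policies.
    Deny statements, Resource and Condition are not evaluated here."""
    actions = set()
    for _source, _name, doc in policies_for_user(snapshot, user_name):
        for stmt in _as_list(doc["Statement"]):
            if stmt.get("Effect") == "Allow":
                actions.update(_as_list(stmt.get("Action", [])))
    return actions


if __name__ == "__main__":
    for source, name, _doc in policies_for_user(SNAPSHOT, "joel"):
        print(f"{source:28} {name}")
    print(sorted(allowed_actions(SNAPSHOT, "joel")))
```

Two details matter for a reviewer: the stale v1 of DevReadOnly (ec2:*) never shows up in the result because only a managed policy's default version is in effect, and the result is a union of Allow patterns only, so a Deny statement or a permissions boundary can still remove items from it.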
Policy Boundary
Policy boundaries in AWS, usually called permissions boundaries, are an advanced feature of AWS Identity and Access Management (IAM) that defines the maximum permissions an IAM entity (user or role) can have. They act as an upper limit on the permissions that can be granted to the entity, even if other policies (such as inline or attached managed policies) grant broader permissions. In effect, a permissions boundary caps the inline or managed policies attached to an IAM user or role: the effective permissions are the intersection of what the boundary allows and what the attached policies allow.
We can check whether a permissions boundary is configured for an IAM user by running the “get-user” AWS CLI command.
aws iam get-user --user-name <user name> --profile <profile name>
aws iam get-user --user-name introduction-to-aws-iam-enumeration-1736055973337-Joel --profile IAMEnum
The image above shows that there is no permission boundary configured for the IAM user named Joel.
If a permissions boundary were configured, the output would contain an additional “PermissionsBoundary” section like the one shown below.
"PermissionsBoundary": {
    "PermissionsBoundaryType": "Policy",
    "PermissionsBoundaryArn": "arn:aws:iam::014498641733:policy/BoundaryPolicy"
}
We can check whether a permissions boundary is configured for an IAM role by running the “get-role” AWS CLI command.
aws iam get-role --role-name <role-name> --profile <profile name>
aws iam get-role --role-name SupportRole --profile IAMEnum
The image above shows that there is a permissions boundary configured for the “SupportRole” IAM role.
We can check for a permissions boundary on the IAM group by running the “get-group” AWS CLI command.
aws iam get-group --group-name <group name> --profile <profile name>
aws iam get-group --group-name introduction-to-aws-iam-enumeration-1736055973337-Developers --profile IAMEnum
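The intersection rule described above is easy to state and easy to get wrong when reading a pile of policy documents by hand. The script below is an added example, not code from the original post or from Cybr; it parses the “PermissionsBoundary” block out of “get-user” (or “get-role”, which has the same shape under a “Role” key; IAM attaches boundaries to users and roles) and then evaluates a single action the way IAM does at the action level: an explicit Deny anywhere wins, a boundary (if present) must Allow, and some attached policy must Allow. Resource, Condition, and NotAction are deliberately out of scope. The account ID, user, and policy documents are constructed placeholders.

```python
# Added example (not from the original post): parse the permissions boundary out
# of get-user/get-role output and evaluate actions against identity policies
# plus an optional boundary. All names and documents are constructed.
import json
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def permissions_boundary_arn(cli_output_json):
    """Return PermissionsBoundaryArn from `aws iam get-user` (key "User") or
    `aws iam get-role` (key "Role") output, or None when no boundary is set."""
    data = json.loads(cli_output_json)
    entity = data.get("User") or data.get("Role") or {}
    boundary = entity.get("PermissionsBoundary")
    return boundary["PermissionsBoundaryArn"] if boundary else None


def _action_matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _effects(document, action):
    """Yield the Effect of each statement whose Action covers `action`.
    NotAction, Resource and Condition are ignored: an action-level check only."""
    for stmt in _as_list(document["Statement"]):
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            yield stmt["Effect"]


def is_allowed(action, identity_policies, boundary=None):
    """Action-level evaluation: an explicit Deny anywhere wins; if a boundary is
    set it must Allow; then at least one identity policy must Allow. The
    effective permissions are therefore the intersection of the two sets."""
    identity_effects = [e for doc in identity_policies for e in _effects(doc, action)]
    boundary_effects = list(_effects(boundary, action)) if boundary else []
    if "Deny" in identity_effects or "Deny" in boundary_effects:
        return False
    if boundary is not None and "Allow" not in boundary_effects:
        return False
    return "Allow" in identity_effects


# Constructed inputs (hypothetical account ID, user and policy names).
GET_USER_WITH_BOUNDARY = json.dumps({"User": {
    "UserName": "joel", "Arn": "arn:aws:iam::111111111111:user/joel",
    "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                            "PermissionsBoundaryArn": "arn:aws:iam::111111111111:policy/BoundaryPolicy"}}})
GET_USER_NO_BOUNDARY = json.dumps({"User": {
    "UserName": "joel", "Arn": "arn:aws:iam::111111111111:user/joel"}})

# Attached policies grant broad S3 access plus one IAM call, with one explicit Deny.
IDENTITY_POLICIES = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:ListRoles"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}]
# The boundary caps the user to read-only S3, whatever the attached policies say.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}


if __name__ == "__main__":
    print("boundary:", permissions_boundary_arn(GET_USER_WITH_BOUNDARY))
    for action in ["s3:GetObject", "s3:PutObject", "iam:ListRoles", "s3:DeleteBucket"]:
        print(f"{action:18} no boundary={is_allowed(action, IDENTITY_POLICIES)!s:5} "
              f"with boundary={is_allowed(action, IDENTITY_POLICIES, BOUNDARY)}")
```

With the boundary in place, s3:PutObject and iam:ListRoles are refused even though the attached policy grants them, which is the behaviour to expect when “get-user” or “get-role” shows a PermissionsBoundary block; s3:DeleteBucket is refused either way because an explicit Deny is never overridden.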
Access Keys
If you ever need to list the access keys associated with the user, run the command below; the key ID in use can also be cross-checked against the .aws/credentials file.
aws iam list-access-keys --profile <profile name>
aws iam list-access-keys --profile IAMEnum
I want to demo a scenario where there are multiple versions of a policy attached to an IAM user, group, or role. For this use case, I use the Cybr lab below.
https://cybr.com/hands-on-labs/lab/privilege-escalation-via-iam-versions/
I named the profile “IAMEnum2”.
The images below show that there is a managed policy named “policyforexploitableuser” attached to the “privesc-via-iam-version-rollback-1736059716050-user” user. The policy ARN also appears in the output.
aws iam list-attached-user-policies --user-name <user name> --profile <profile name>
aws iam list-attached-user-policies --user-name privesc-via-iam-version-rollback-1736059716050-user --profile IAMEnum2
We can run “list-policy-versions” to check how many versions have been configured for this policy.
aws iam list-policy-versions --policy-arn <PolicyArn> --profile <profile name>
aws iam list-policy-versions --policy-arn arn:aws:iam::875496488523:policy/policyforexploitableuser --profile IAMEnum2
The image above shows there are 4 versions available for this policy.
We can then use “get-policy” to check which policy version is the default. The image below shows that our IAM user is not allowed to run “get-policy”.
aws iam get-policy --policy-arn <policy-arn> --profile <profile name>
aws iam get-policy --policy-arn arn:aws:iam::955666041615:policy/introduction-to-aws-iam-enumeration-1736057806341-AllowEnumerateRoles --profile IAMEnum2
Another option is to view every version manually and check which one is currently the default. The image below shows that version 4 is not the default.
aws iam get-policy-version --policy-arn <PolicyArn> --version-id <VersionId> --profile <profile name>
aws iam get-policy-version --policy-arn arn:aws:iam::875496488523:policy/policyforexploitableuser --version-id v4 --profile IAMEnum2
The image below shows that version 1 is the default.
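Checking four versions by eye works for one policy, but the question an auditor actually wants answered is whether any non-default version grants more than the default does, since such a stale version is what a rollback via SetDefaultPolicyVersion would put into effect. The script below is an added example, not code from the original post or from Cybr's lab: it reads the default version id from “list-policy-versions” output, compares the Allow actions of every other version against the default (wildcard-aware, so a version that only narrows the default is not flagged), and reports the extra actions. The policy, dates, and documents are constructed; the finding for a real policy would be to delete the offending versions rather than leave them in place (a managed policy can hold at most five).

```python
# Added example (not from the original post): flag non-default versions of a
# managed policy that grant actions the default version does not cover.
# The list-policy-versions / get-policy-version outputs below are constructed.
import json
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def default_version_id(list_versions_json):
    """Version id flagged IsDefaultVersion in `aws iam list-policy-versions` output."""
    versions = json.loads(list_versions_json)["Versions"]
    return next(v["VersionId"] for v in versions if v["IsDefaultVersion"])


def allow_actions(document):
    """Action patterns from Allow statements (NotAction, Resource, Condition ignored)."""
    actions = set()
    for stmt in _as_list(document["Statement"]):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def _covered(action, patterns):
    """True if some pattern (case-insensitive, '*'/'?' wildcards) matches the action."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def versions_broader_than_default(list_versions_json, policy_versions):
    """Map each non-default version id to the Allow actions it grants that the
    default version does not cover. A non-empty result is an audit finding: a
    stale version that widens access should be deleted, not left in place."""
    default_id = default_version_id(list_versions_json)
    default_actions = allow_actions(policy_versions[default_id]["PolicyVersion"]["Document"])
    findings = {}
    for version_id, output in policy_versions.items():
        if version_id == default_id:
            continue
        extra = sorted(a for a in allow_actions(output["PolicyVersion"]["Document"])
                       if not _covered(a, default_actions))
        if extra:
            findings[version_id] = extra
    return findings


# Constructed `aws iam list-policy-versions` output (hypothetical dates).
LIST_POLICY_VERSIONS = json.dumps({"Versions": [
    {"VersionId": "v4", "IsDefaultVersion": False, "CreateDate": "2025-01-05T06:10:00+00:00"},
    {"VersionId": "v3", "IsDefaultVersion": False, "CreateDate": "2025-01-05T06:05:00+00:00"},
    {"VersionId": "v2", "IsDefaultVersion": False, "CreateDate": "2025-01-05T06:00:00+00:00"},
    {"VersionId": "v1", "IsDefaultVersion": True, "CreateDate": "2025-01-05T05:55:00+00:00"},
]})


def _version(vid, is_default, actions):
    """Constructed `aws iam get-policy-version` output for one version id."""
    return {"PolicyVersion": {"VersionId": vid, "IsDefaultVersion": is_default,
            "Document": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": actions, "Resource": "*"}]}}}


POLICY_VERSIONS = {
    "v1": _version("v1", True, ["iam:ListPolicyVersions", "iam:GetPolicyVersion"]),  # default
    "v2": _version("v2", False, "s3:GetObject"),           # different service: broader
    "v3": _version("v3", False, "iam:GetPolicyVersion"),   # subset of the default: fine
    "v4": _version("v4", False, "*"),                      # full admin: the real risk
}


if __name__ == "__main__":
    print("default:", default_version_id(LIST_POLICY_VERSIONS))
    print("broader than default:",
          versions_broader_than_default(LIST_POLICY_VERSIONS, POLICY_VERSIONS))
```

Only v2 and v4 are reported; v3 grants a strict subset of the default and is harmless. The same comparison can be fed from a “get-account-authorization-details” snapshot, whose Policies entries carry every version's document under PolicyVersionList.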
Conclusion
In this blog we covered the most common commands I normally run when performing manual IAM enumeration. For automation, I would run CloudFox to enumerate users, roles, and groups.
References:
https://cybr.com/hands-on-labs/lab/introduction-to-aws-iam-enumeration/
https://cybr.com/hands-on-labs/lab/privilege-escalation-via-iam-versions/
https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html