IAM enumeration

Objective: Using the access credentials, enumerate users, groups, roles, and policies on the AWS account.

Console Based Enumeration

  1. Click on the lab link button to get access to the AWS lab credentials.

  2. Sign in to the AWS console.

  3. Search for the IAM dashboard and navigate to it.

  4. Click on Users.

  5. To enumerate a user click on the username. Check user Permissions and policies.

IAM User permissions

  1. Check Groups for the user.

  2. Check the user’s Security credentials.

  3. Similarly check the other users' permissions.

  4. Check Groups and Security credentials for the user.

  5. Check the user’s access keys and ssh keys.

  6. Click on Groups on the left panel to enumerate groups.

  7. Click on the group name to open group details. Check for the users that are part of the group.

  8. Check the policies attached to the group.

  9. Similarly check for the other groups.

  10. Click on Policies in the left pane to enumerate policies.

IAM Policies

  1. Check Customer-managed and AWS managed policies.

  2. Click on the policy name to enumerate the policy.

  3. Check policy document, policy usages and policy permissions.

  4. Similarly enumerate other AWS managed policies.

  5. Click on Roles on the left panel to enumerate roles.

IAM Roles

  1. Click on a role name to enumerate the roles of the AWS account.

  2. Check the role trust policy.

  3. Check the role's Trusted entities.

IAM Trusted entities of a role

  1. Check the role’s inline policies.

  2. Check the role’s Trusted entities.

IAM Role Trusted entities

  1. Similarly enumerate other roles.

CLI Based Enumeration

  1. Click on the lab link button to get access to the AWS lab credentials.

  2. Configure the AWS CLI to use the provided credentials.

     aws configure

  3. Get a list of the users on the AWS account. Briefly check the UserName, UserId and ARN of each user.

     aws iam list-users

  4. Check groups for users.

     aws iam list-groups-for-user --user-name ad-adminson

  5. Check policies attached to the user.

     aws iam list-attached-user-policies --user-name ad-user

  6. Check for any signing certificates for the user.

     aws iam list-signing-certificates --user-name ad-user

  7. Check for any public SSH keys for the user.

     aws iam list-ssh-public-keys --user-name ad-user

  8. Get SSH key details.

     aws iam get-ssh-public-key --user-name ad-user --encoding PEM --ssh-public-key-id APKAUAWOPGE5M47NZEIT

  9. Check for MFA devices for users.

     aws iam list-virtual-mfa-devices

  10. Check for the user's login profile.

     aws iam get-login-profile --user-name ad-user

  11. Enumerate groups for the AWS account.

     aws iam list-groups

  12. Check which policies are attached to the group to enumerate its permissions.

     aws iam list-group-policies --group-name ad-admin
     aws iam list-attached-group-policies --group-name ad-admin

  13. Enumerate policies for the AWS account. Without any filter the command returns all IAM managed policies (AWS managed policies and customer managed policies).

     aws iam list-policies

  14. Search for customer managed policies.

     aws iam list-policies --scope Local | grep -A2 PolicyName

     The command aws iam list-policies --scope Local returns only the customer managed policies. grep -A2 PolicyName prints each line containing the string PolicyName together with the two lines that follow it.

  15. Check the policy details of ad-customer-managed-policy.

     aws iam get-policy --policy-arn arn:aws:iam::276384657722:policy/ad-customer-managed-policy

  16. Get the policy version document to check the permissions that the policy grants.

     aws iam get-policy-version --policy-arn arn:aws:iam::276384657722:policy/ad-customer-managed-policy --version-id v1

  17. Enumerate roles on the AWS account.

     aws iam list-roles

  18. Check details for roles.

     aws iam get-role --role-name ad-loggingrole

     The AssumeRolePolicyDocument (trust policy) in the output shows that this role can be assumed by any AWS resource.

  19. Check for policies attached to roles.

     aws iam list-attached-role-policies --role-name ad-loggingrole
     aws iam list-role-policies --role-name ad-loggingrole
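The get-policy-version and get-role steps above leave the reader to read the policy JSON by hand. As an added example that is not part of the lab, the script below parses the JSON those two commands print (PolicyVersion.Document and Role.AssumeRolePolicyDocument), lists who may assume a role, flags a trust policy open to any AWS principal, and lists wildcard grants such as iam:* on Resource "*". The two embedded documents are constructed samples, not the lab's real ad-loggingrole or ad-customer-managed-policy; feed the functions the real CLI output (json.load of a saved file) to check the lab account.

```python
import json

# Constructed sample in the shape "aws iam get-role" prints; an illustrative trust policy, not the lab's ad-loggingrole.
GET_ROLE_OUTPUT = json.loads("""{"Role": {"RoleName": "example-role", "AssumeRolePolicyDocument": {
  "Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}}}""")

# Constructed sample in the shape "aws iam get-policy-version" prints (PolicyVersion.Document).
GET_POLICY_VERSION_OUTPUT = json.loads("""{"PolicyVersion": {"VersionId": "v1", "IsDefaultVersion": true,
  "Document": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}}}""")


def _as_list(value):
    """Policy fields (Statement, Action, Resource, principal values) may be a string or a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def trust_principals(get_role_output):
    """Return (type, principal) pairs allowed to sts:AssumeRole into the role. Conditions are not evaluated."""
    found = []
    for stmt in _as_list(get_role_output["Role"]["AssumeRolePolicyDocument"].get("Statement")):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or not any(a.startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal")
        # a bare "*" principal is shorthand for any AWS principal
        principal = {"AWS": "*"} if principal == "*" else (principal or {})
        for ptype, values in principal.items():
            found.extend((ptype, v) for v in _as_list(values))
    return found


def is_open_trust(get_role_output):
    """True when any AWS principal may assume the role (Principal "*" or {"AWS": "*"})."""
    return ("AWS", "*") in trust_principals(get_role_output)


def allowed_actions(get_policy_version_output):
    """Map each allowed action pattern to the set of resources it is granted on."""
    grants = {}
    for stmt in _as_list(get_policy_version_output["PolicyVersion"]["Document"].get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            grants.setdefault(action, set()).update(_as_list(stmt.get("Resource")))
    return grants


def wildcard_grants(get_policy_version_output):
    """Action wildcards (e.g. iam:*) granted on Resource "*": the grants to review first."""
    return sorted(a for a, res in allowed_actions(get_policy_version_output).items()
                  if a.endswith("*") and "*" in res)
```

Deny statements, NotAction and Condition blocks are ignored here, so treat the output as a triage list rather than a full policy evaluation.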

Resources