
IAM

Enumerating a User's IAM Policies

Listing IAM Policies for a User

Amazon and customer managed policies. Note: customer managed policies carry the account ID in the ARN (arn:aws:iam::[accountId]:policy/...), while Amazon managed policies have "aws" in its place (arn:aws:iam::aws:policy/...).

aws iam list-attached-user-policies --user-name [name]

Inline policies

aws iam list-user-policies --user-name [name]

Listing IAM Policies for a Role

Amazon and customer managed policies. Note: customer managed policies carry the account ID in the ARN, while Amazon managed policies have "aws" in its place.

aws iam list-attached-role-policies --role-name [role]

Inline policies

aws iam list-role-policies --role-name [role]

Getting Policy Details

Amazon managed policies. Note: get-policy returns only metadata (including DefaultVersionId); the policy document itself comes from get-policy-version with that version ID, as for customer managed policies below.

aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess

Customer managed policies

aws iam list-policy-versions --policy-arn arn:aws:iam::[accountId]:policy/[policyName]

aws iam get-policy-version --policy-arn arn:aws:iam::[accountId]:policy/[policyName] --version-id v2

Inline Policies

aws iam get-user-policy --user-name [user] --policy-name [policy]

Brute Force Enumeration

If the credentials do not have permission to list policies, use aws-enumerator to brute force the IAM permissions by calling each service's API. Note: this is very noisy, since every attempted call is recorded in CloudTrail, including the denied ones.

Set up AWS Enumerator

./aws-enumerator cred -aws_region [region] -aws_access_key_id [accessKey] -aws_secret_access_key [secretKey]

List Services

./aws-enumerator enum -services all

Dump Permissions for a Service

./aws-enumerator dump -services lambda

Dangerous IAM Permissions

iam:AttachUserPolicy - Attach the AdministratorAccess policy to a user the attacker controls
iam:UpdateLoginProfile - Change the console password of a target user
iam:CreateAccessKey - Create access keys for a target user
iam:PutRolePolicy - Add a privileged inline policy to a role the user can assume
iam:AddUserToGroup - Add a controlled user to a privileged group
iam:UpdateAssumeRolePolicy - Change a privileged role's trust policy so a controlled user can assume it
iam:CreatePolicyVersion - Create a new version of an existing policy that allows all actions on all resources (and set it as the default)
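The policy documents returned by get-policy-version and get-user-policy above can be scanned for these permissions automatically. The following is an added example for this page (not code from the page or from AWS): it walks each Allow statement, expands action wildcards such as iam:* and case differences, handles the NotAction form, and reports which of the dangerous actions a document grants and on which resources. The policy documents and the account ID 123456789012 are constructed samples.

```python
"""Scan IAM policy documents for the privilege-escalation permissions listed above.

Added example for this page, not code from the page or from AWS. The policy documents
are constructed samples; the account ID 123456789012 is a placeholder.
"""
import fnmatch
import json

# The "Dangerous IAM Permissions" from the list above.
DANGEROUS_ACTIONS = frozenset({
    "iam:AttachUserPolicy",
    "iam:UpdateLoginProfile",
    "iam:CreateAccessKey",
    "iam:PutRolePolicy",
    "iam:AddUserToGroup",
    "iam:UpdateAssumeRolePolicy",
    "iam:CreatePolicyVersion",
})


def _as_list(value):
    """IAM lets Statement/Action/Resource be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and allow '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_dangerous_grants(document):
    """Return (sid, action, resources) for every Allow statement granting a dangerous action.

    Handles 'Action' (wildcards expanded) and 'NotAction' (dangerous unless excluded).
    It reports grants only: explicit Deny statements, permission boundaries and SCPs
    that might still block the action are not evaluated here.
    """
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement{index}")
        resources = _as_list(stmt.get("Resource", "*"))
        if "Action" in stmt:
            patterns = _as_list(stmt["Action"])
            granted = {a for a in DANGEROUS_ACTIONS
                       if any(_action_matches(p, a) for p in patterns)}
        else:  # NotAction: everything is allowed except the listed patterns
            excluded = _as_list(stmt.get("NotAction"))
            granted = {a for a in DANGEROUS_ACTIONS
                       if not any(_action_matches(p, a) for p in excluded)}
        for action in sorted(granted):
            findings.append((sid, action, resources))
    return findings


# Constructed sample documents, in the shape `aws iam get-policy-version` returns under
# PolicyVersion.Document and `aws iam get-user-policy` under PolicyDocument.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadBuckets", "Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}],
}

ADMIN_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Sid": "AllOfIam", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
}

KEY_ROTATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ManageAnyUsersKeys", "Effect": "Allow", "Action": "iam:CreateAccessKey",
         "Resource": "arn:aws:iam::123456789012:user/*"},
        {"Sid": "DenyIamDeletes", "Effect": "Deny", "Action": "iam:Delete*", "Resource": "*"},
    ],
}

NOT_ACTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Sid": "EverythingButIam", "Effect": "Allow",
                  "NotAction": "iam:*", "Resource": "*"},
}

if __name__ == "__main__":
    samples = [("read-only", READ_ONLY_POLICY), ("admin-like", ADMIN_LIKE_POLICY),
               ("key-rotation", KEY_ROTATION_POLICY), ("not-action", NOT_ACTION_POLICY)]
    for name, doc in samples:
        print(name, json.dumps(find_dangerous_grants(doc)))
```

The resource list in each finding is worth reading alongside the action: iam:CreateAccessKey scoped to user/${aws:username} only lets a user rotate their own keys, whereas user/* covers every user in the account. Pipe the Document field from the CLI commands above through json.load to feed real policies in.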

Identify roles with vulnerable OIDC trust

git clone https://github.com/Rezonate-io/github-oidc-checker
cd github-oidc-checker
python3 aws-oidc-tester.py
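The weakness github-oidc-checker looks for can also be checked directly from a role's trust policy (the AssumeRolePolicyDocument from aws iam get-role). The following is an added example for this page, not code from the page or from the github-oidc-checker project: a trust policy that lets the GitHub OIDC provider call sts:AssumeRoleWithWebIdentity without a token.actions.githubusercontent.com:sub condition accepts tokens from any GitHub repository, and a sub pattern whose owner part is a wildcard (repo:*) does the same. The example flags both, and separately notes a missing aud condition. The trust policies and the account ID 123456789012 are constructed samples.

```python
"""Check a role's trust policy for GitHub Actions OIDC trust that is not pinned to a repository.

Added example for this page, not code from the page or from github-oidc-checker.
Trust policies are constructed samples; 123456789012 is a placeholder account ID.
"""
import fnmatch

GITHUB_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_ISSUER}:sub"
AUD_KEY = f"{GITHUB_ISSUER}:aud"
STRING_OPERATORS = ("StringEquals", "StringLike",
                    "ForAnyValue:StringEquals", "ForAnyValue:StringLike")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(condition, key):
    """Collect every value bound to `key` under the string operators (keys are case-insensitive)."""
    values = []
    for operator, pairs in condition.items():
        if operator not in STRING_OPERATORS:
            continue
        for cond_key, cond_val in pairs.items():
            if cond_key.lower() == key.lower():
                values.extend(_as_list(cond_val))
    return values


def _sub_is_unpinned(value):
    """True if the subject pattern does not name a specific GitHub owner (e.g. '*' or 'repo:*')."""
    if value == "*":
        return True
    if not value.startswith("repo:"):
        return "*" in value  # unexpected shape carrying a wildcard
    owner = value[len("repo:"):].split("/", 1)[0]
    return "*" in owner


def check_github_oidc_trust(role_name, trust_policy):
    """Return issue strings for Allow statements that let GitHub's OIDC provider assume the role."""
    issues = []
    for index, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not any(p.endswith("oidc-provider/" + GITHUB_ISSUER) for p in federated):
            continue  # not a GitHub OIDC statement
        actions = _as_list(stmt.get("Action"))
        if not any(fnmatch.fnmatchcase("sts:assumerolewithwebidentity", a.lower()) for a in actions):
            continue
        sid = stmt.get("Sid", f"Statement{index}")
        condition = stmt.get("Condition", {})
        subs = _condition_values(condition, SUB_KEY)
        if not subs:
            issues.append(f"{role_name}/{sid}: no {SUB_KEY} condition, "
                          "any GitHub repository's workflow can assume this role")
        for sub in subs:
            if _sub_is_unpinned(sub):
                issues.append(f"{role_name}/{sid}: subject pattern {sub!r} "
                              "is not pinned to a repository owner")
        if not _condition_values(condition, AUD_KEY):
            issues.append(f"{role_name}/{sid}: no {AUD_KEY} condition, "
                          "the token audience is not checked")
    return issues


def _trust(condition):
    """Build a constructed trust policy for the GitHub OIDC provider with the given Condition."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "GitHubOidc", "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": condition}]}


PINNED_TRUST = _trust({"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                       "StringLike": {SUB_KEY: "repo:example-org/deploy-repo:*"}})
UNPINNED_TRUST = _trust({"StringEquals": {AUD_KEY: "sts.amazonaws.com"}})  # no sub condition
WILDCARD_TRUST = _trust({"StringLike": {SUB_KEY: "repo:*"}})  # owner wildcard, no aud

if __name__ == "__main__":
    for name, policy in [("pinned", PINNED_TRUST), ("unpinned", UNPINNED_TRUST),
                         ("wildcard", WILDCARD_TRUST)]:
        print(name, check_github_oidc_trust("deploy-role", policy))
```

Run check_github_oidc_trust over every role returned by aws iam list-roles (each entry carries its AssumeRolePolicyDocument) to get the same class of finding the checker above reports. A pattern such as repo:example-org/*:* is accepted here because the owner is fixed; whether trusting every repository in an organisation is acceptable is a policy decision for the account owner.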