Cheatsheet - AWS - Scenario - IAM enumeration
Overview
- Service/Tool: IAM, aws cli
- Use Case: enumerate and evaluate IAM roles, policies, and permissions.
- Prerequisites: Valid AWS access key and secret.
Table of Contents
- Setup AWS access keys in aws cli
- Display basic information about the IAM user or role
- Alternate: Display basic information about the IAM user or role
- List user groups
- List attached user policies
- List inline policies
- Examining policy contents
- View policies attached to a role
- Display information on a role
- Examining inline user policy
- Assume a role
- Notes and References
Attack Workflow
Setup AWS access keys in aws cli
Objective: Conifgure AWS CLI to use AWS access keys.
Command/Method:
apt install awscli aws configure set aws_session_token
We need to authenticate. Do to this we need use an Access Key ID and a Secret Access Key . There are multiple types of access keys, however, two most common are:
AKIA- Long term access keyASIA- Temporary (AWS STS) keys
We can set the keys with AWS CLI command aws configure
In the event we receive temporary access keys/session keys for an assumed role, we can set the access key/secret via aws configure, then set the session key via the following: aws configure set aws_session_token
Display basic information about the IAM user or role
Objective: Displays information about the IAM user or role whose credentials are used to call the operation.
Command/Method:
aws sts get-caller-identity
$ aws sts get-caller-identity
{
"UserId": "AIDA3SFMDAPOWFB7BSGME",
"Account": "794929857501",
"Arn": "arn:aws:iam::794929857501:user/dev01"
}
Alternate: Display basic information about the IAM user or role
Objective: Displays information about the specified IAM user, including the user’s creation date, path, unique path and ARN.
Command/Method:
aws iam get-user
$ aws iam get-user
{
"User": {
"Path": "/",
"UserName": "dev01",
"UserId": "AIDA3SFMDAPOWFB7BSGME",
"Arn": "arn:aws:iam::794929857501:user/dev01",
"CreateDate": "2023-09-28T21:56:31+00:00",
"PasswordLastUsed": "2024-12-11T03:32:59+00:00",
"Tags": [
{
"Key": "AKIA3SFMDAPOWC2NR5LO",
"Value": "dev01"
}
]
}
}
List user groups
Objective: Lists the IAM groups that the specified IAM user belongs to. An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users.
Command/Method:
aws iam list-groups-for-user --user-name dev01
{
"Groups": []
}
List attached user policies
Objective: Lists all managed policies for the given user. The user may also have inline policies embedded with it, which this command will not display.
Command/Method:
aws iam list-attached-user-policies --user-name dev01
{
"AttachedPolicies": [
{
"PolicyName": "AmazonGuardDutyReadOnlyAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess"
},
{
"PolicyName": "dev01",
"PolicyArn": "arn:aws:iam::794929857501:policy/dev01"
}
]
}
By way of example, the output above shows that:
- We have permissions to enumerate the policies on the account,
- There is an AWS managed policy named
AmazonGuardDutyReadOnlyAccessattached to the user, - There is a customer created
dev01policy attached to the user.
The PolicyArn refers to the Amazon Resource Name, which is a combination of the AWS account ID, resource type and resource name.
List inline policies
Objective: Lists the names of the inline policies embedded in the specified IAM user.
Command/Method:
aws iam list-user-policies --user-name dev01
{
"PolicyNames": [
"S3_Access"
]
}
Examining policy contents
Objective: View specific policy version information and the contents of a policy.
Command/Method:
We can get the current policy version via the following:
aws iam get-policy --policy-arn <arn>
{
"Policy": {
"PolicyName": "PublicSnapper",
"PolicyId": "ANPARQVIRZ4UD6B2PNSLD",
"Arn": "arn:aws:iam::104506445608:policy/PublicSnapper",
"Path": "/",
"DefaultVersionId": "v9",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2023-06-10T22:33:41+00:00",
"UpdateDate": "2024-01-15T23:47:11+00:00",
"Tags": []
}
}
Alternatively, we must list the versions of the IAM policy. Amazon and customer managed policies can have multiple versions, embedded policies cannot:
aws iam list-policy-versions --policy-arn arn:aws:iam::794929857501:policy/dev01
{
"Versions": [
{
"VersionId": "v7",
"IsDefaultVersion": true,
"CreateDate": "2023-10-11T19:59:08+00:00"
},
{
"VersionId": "v6",
"IsDefaultVersion": false,
"CreateDate": "2023-10-11T19:47:41+00:00"
},
{
"VersionId": "v5",
"IsDefaultVersion": false,
"CreateDate": "2023-10-07T22:48:28+00:00"
},
{
"VersionId": "v4",
"IsDefaultVersion": false,
"CreateDate": "2023-10-02T20:38:35+00:00"
},
{
"VersionId": "v3",
"IsDefaultVersion": false,
"CreateDate": "2023-10-02T20:29:52+00:00"
}
]
}
Next, we can view the policy at that specific version:
aws iam get-policy-version --policy-arn arn:aws:iam::794929857501:policy/dev01 --version-id v7
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:ListPolicyVersions",
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:GetUser",
"iam:ListAttachedRolePolicies",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:iam::794929857501:user/dev01",
"arn:aws:iam::794929857501:role/BackendDev",
"arn:aws:iam::794929857501:policy/BackendDevPolicy",
"arn:aws:iam::794929857501:policy/dev01",
"arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess"
]
}
]
},
"VersionId": "v7",
"IsDefaultVersion": true,
"CreateDate": "2023-10-11T19:59:08+00:00"
}
}
View policies attached to a role
Objective:
Lists all managed policies that are attached to the specified IAM role.
Command/Method:
aws iam list-attached-role-policies --role-name BackendDev
{
"AttachedPolicies": [
{
"PolicyName": "BackendDevPolicy",
"PolicyArn": "arn:aws:iam::794929857501:policy/BackendDevPolicy"
}
]
}
Display information on a role
Objective:
Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role
Command/Method:
aws iam get-role --role-name BackendDev
{
"Role": {
"Path": "/",
"RoleName": "BackendDev",
"RoleId": "AROA3SFMDAPO2RZ36QVN6",
"Arn": "arn:aws:iam::794929857501:role/BackendDev",
"CreateDate": "2023-09-29T12:30:29+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::794929857501:user/dev01"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Grant permissions to backend developers",
"MaxSessionDuration": 3600,
"RoleLastUsed": {
"LastUsedDate": "2024-12-11T00:42:25+00:00",
"Region": "us-east-1"
}
}
}
Examining inline user policy
Objective:
Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role
Command/Method:
aws iam get-user-policy --user-name dev01 --policy-name S3_Access
{
"UserName": "dev01",
"PolicyName": "S3_Access",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::hl-dev-artifacts",
"arn:aws:s3:::hl-dev-artifacts/*"
]
}
]
}
}
Assume a role
Objective:
Returns a set of temporary security credentials that you can use to access Amazon Web Services resources.
Command/Method:
aws sts assume-role --role-arn --role-session-name AWSCLI
Then, set the following using the output:
export AWS_ACCESS_KEY_ID=RoleAccessKeyID
export AWS_SECRET_ACCESS_KEY=RoleSecretKey
export AWS_SESSION_TOKEN=RoleSessionToken
then verify that the role has been assumed correctly:
aws sts get-caller-identity
Notes and References
Personal Notes:
IAM users can be members of IAM groups. Groups can have policies attached to them to allow the users in the group to perform actions.
IAM users can also have policies attached to them directly, or via inline policies.
IAM roles can also have policies attached to them, and a user or service can assume the role in order to perform an operation. Doing so will provide the user or service with a temporary access key.
There are two main types of policies:
- Identity based policies - Identity based policies grant permissions to an identity, such as a group, user, or role).
- Resource based policies - Resource based policies grant permissions to the principal that is specified in the policy. These are applied to resources, such as S3.
Links:
- https://pwnedlabs.io/labs/intro-to-aws-iam-enumeration
- https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
