Original Research: Daniel Grzelak
Additional Reading: Rhino Security
Link to Tool: GitHub
Link to Pacu Module: GitHub
With just the account id of a target you can enumerate the names of IAM users and roles by abusing Resource-Based Policies.
There are a few ways to do this, for example, Pacu’s module will attempt to change the AssumeRole policy of a role in your account and specify a role in another account.
Another way would be to use S3 Bucket Policies. Take the following example:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::123456789123:role/role_name"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::*bucket you own*"
}
]
}
You would apply this policy to a bucket you own. By specifying a principal in the target account (123456789123), you can determine if that principals exists. If setting the bucket policy succeeds you know the role exists. If it fails you know the role does not.
To automate this process you can use the Pacu Module or this which will attempt to brute force it for you.
usage: main.py [-h] --id ID --my_bucket MY_BUCKET [--wordlist WORDLIST] (--role | --user)
Enumerate IAM/Users of an AWS account. You must provide your OWN AWS account and bucket
optional arguments:
-h, --help show this help message and exit
--id ID The account id of the target account
--my_bucket MY_BUCKET
The bucket used for testing (belongs to you)
--wordlist WORDLIST Wordlist containers user/role names
--role Search for a IAM Role
--user Search for a IAM User