Original Research: Spencer Gietzen
Link to Tool: GitHub
Link to Pacu Module: GitHub
With nothing more than the account ID of a target, you can enumerate the names of IAM users and roles in that account by abusing resource-based policies: AWS validates every principal ARN in such a policy when it is written, so a policy that names a non-existent principal is rejected.
There are a few ways to do this. Pacu's module, for example, attempts to change the AssumeRole policy of a role in your own account so that it names a role in the target account.
Another way is to use S3 bucket policies. Take the following example:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Example permissions",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::123456789123:role/role_name"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::*bucket you own*"
        }
    ]
}
```
You apply this policy to a bucket you own. By specifying a principal in the target account (123456789123), you can determine whether that principal exists: if setting the bucket policy succeeds, the role exists; if it fails, it does not.
To automate this process you can use the Pacu module or this tool, which will attempt to brute force the names for you:
```text
usage: main.py [-h] --id ID --my_bucket MY_BUCKET [--wordlist WORDLIST] (--role | --user)

Enumerate IAM/Users of an AWS account. You must provide your OWN AWS account and bucket

optional arguments:
  -h, --help            show this help message and exit
  --id ID               The account id of the target account
  --my_bucket MY_BUCKET
                        The bucket used for testing (belongs to you)
  --wordlist WORDLIST   Wordlist containers user/role names
  --role                Search for a IAM Role
  --user                Search for a IAM User
```
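Both variants described above (the bucket policy and Pacu's AssumeRole-policy change) perform the policy write in the enumerator's own account, so the target account's CloudTrail sees nothing; the only trace is in the account doing the probing, where each rejected guess is a failed PutBucketPolicy or UpdateAssumeRolePolicy call. The following Python is an added example, not part of the original page or of the linked tool: a small detector that scans CloudTrail-style records for one identity producing a burst of such failures. The sample records, the exact error-message text it keys on ("Invalid principal in policy"), the error code and the threshold are all assumptions for the example.

```python
"""Flag IAM-principal enumeration via resource-based policies from CloudTrail.

Added example: scans CloudTrail-style records for one identity that repeatedly
fails PutBucketPolicy / UpdateAssumeRolePolicy with an "invalid principal"
error, the failure mode that brute-forcing role/user names produces.
The sample records below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# API calls whose policy document carries a Principal that AWS validates on write
PROBE_EVENTS = {"PutBucketPolicy", "UpdateAssumeRolePolicy"}
# Assumption: a non-existent principal surfaces as an "Invalid principal" message
INVALID_PRINCIPAL_MARKER = "invalid principal"


def make_record(actor_arn, event_name, event_time, error_message=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    record = {
        "eventTime": event_time,
        "eventName": event_name,
        "userIdentity": {"type": "IAMUser", "arn": actor_arn},
    }
    if error_message is not None:
        record["errorCode"] = "MalformedPolicy"  # assumed error code for the sample
        record["errorMessage"] = error_message
    return record


PROBER = "arn:aws:iam::111111111111:user/prober"       # constructed identity
ADMIN = "arn:aws:iam::111111111111:user/bucket-admin"  # constructed identity
BASE = datetime(2024, 1, 1, 12, 0, 0)


def stamp(dt):
    """Format a datetime the way CloudTrail's eventTime field is written."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


SAMPLE_RECORDS = (
    # six rejected guesses, twenty seconds apart
    [make_record(PROBER, "PutBucketPolicy", stamp(BASE + timedelta(seconds=20 * i)),
                 "Invalid principal in policy") for i in range(6)]
    # one guess that succeeded (the name existed): no error fields at all
    + [make_record(PROBER, "PutBucketPolicy", stamp(BASE + timedelta(seconds=110)))]
    # an admin making a single typo is not enumeration
    + [make_record(ADMIN, "PutBucketPolicy", stamp(BASE + timedelta(minutes=5)),
                   "Invalid principal in policy")]
)


def is_principal_probe(record):
    """True when the call is a policy write rejected for an unknown Principal."""
    if record.get("eventName") not in PROBE_EVENTS:
        return False
    return INVALID_PRINCIPAL_MARKER in record.get("errorMessage", "").lower()


def find_enumeration(records, threshold=5, window=timedelta(minutes=10)):
    """Return {actor_arn: most failures seen in any `window`} for actors at or above threshold."""
    failures = defaultdict(list)
    for record in records:
        if is_principal_probe(record):
            ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            failures[record["userIdentity"]["arn"]].append(ts)

    flagged = {}
    for actor, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window start forward until the span is at most `window`
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[actor] = max(count, flagged.get(actor, 0))
    return flagged


if __name__ == "__main__":
    for actor, count in find_enumeration(SAMPLE_RECORDS).items():
        print(f"possible principal enumeration: {actor} ({count} rejected guesses)")
```

The detector deliberately ignores successful writes, since a legitimate cross-account grant and a correct guess look identical; only the density of rejections distinguishes a wordlist run from an administrator mistyping an ARN. In a real deployment the threshold and window should be tuned against the account's normal PutBucketPolicy and UpdateAssumeRolePolicy volume.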