Enumerate AWS IAM Users
Exposure of AWS IAM usernames can further aid attackers' efforts to access an AWS account. Exposed usernames leave users vulnerable to attacks such as phishing and password spraying.
What is the risk of exposed AWS IAM Usernames?
Exposing an AWS IAM username is not a direct threat, but it simplifies attackers' efforts to access an AWS account. With this information, they can initiate phishing campaigns or password-spraying attacks, potentially obtaining valid credentials and accessing the account.
Methods to Enumerate AWS IAM Usernames
Using AWS Access Key ID
You must have valid access keys for the target account configured locally (for example via aws configure) for this to work.
aws --profile dev iam get-access-key-last-used --access-key-id AKIAxxxxxxxx
{
    "UserName": "admin",
    "AccessKeyLastUsed": {
        "LastUsedDate": "2024-12-08T03:42:00+00:00",
        "ServiceName": "ec2",
        "Region": "us-east-1"
    }
}

Using Valid Credentials (Authenticated)
With valid credentials and access to the target AWS account, we can enumerate all IAM Users in the account.
aws iam list-users
{
    "Users": [
        {
            "Path": "/",
            "UserName": "dev_user",
            "UserId": "AIDAxxxxxx",
            "Arn": "arn:aws:iam::111111111111:user/dev_user",
            "CreateDate": "2022-05-18T23:38:48+00:00",
            "PasswordLastUsed": "2025-11-02T21:52:33+00:00"
        }
    ]
}

Using Error Messages
With valid credentials, we can attempt certain commands whose error output includes the calling identity's name when that identity is not allowed to perform the action.
aws --profile tyler ec2 describe-instances
An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation. User: arn:aws:iam::111111111111:user/tyler is not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action

Brute Forcing (Unauthenticated)
There are additional ways to enumerate IAM Users and Roles; see Enumerate (Unauthenticated) IAM Users and Roles.
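All three authenticated techniques above (GetAccessKeyLastUsed, ListUsers, and reading the caller's ARN out of authorization errors) are recorded in CloudTrail, which is where a defender catches them. The following is an added example, not part of the original page: detection logic run over constructed CloudTrail records that flags IAM reconnaissance calls and flags any principal that accumulates a burst of AccessDenied / UnauthorizedOperation errors across unrelated services. It goes slightly beyond the page by also treating GetUser as reconnaissance and by using a sliding-window threshold rather than single events. The sample records, ARNs, access key ID and thresholds are constructed for illustration; the field names (eventTime, eventSource, eventName, errorCode, userIdentity.arn) are the standard CloudTrail ones.

```python
"""Detect IAM-username enumeration patterns in CloudTrail records.

Added example, not the page's own tooling. The sample log below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# IAM calls whose effect in this context is learning which principals exist.
RECON_CALLS = {"ListUsers", "GetAccessKeyLastUsed", "GetUser"}

# Error codes whose message echoes the caller's ARN back to the client.
# EC2 denials appear in CloudTrail as Client.UnauthorizedOperation; most other
# services use AccessDenied.
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}

# Constructed sample records (JSON lines). Not real telemetry; ARNs, key ID and
# timestamps are made up for this example.
SAMPLE_LOG = """
{"eventTime": "2025-11-02T21:50:01Z", "eventSource": "iam.amazonaws.com", "eventName": "GetAccessKeyLastUsed", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev_user"}, "requestParameters": {"accessKeyId": "AKIAEXAMPLE0000001"}}
{"eventTime": "2025-11-02T21:50:07Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev_user"}, "requestParameters": null}
{"eventTime": "2025-11-02T21:51:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/tyler"}}
{"eventTime": "2025-11-02T21:51:04Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/tyler"}}
{"eventTime": "2025-11-02T21:51:09Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/tyler"}}
{"eventTime": "2025-11-02T21:51:12Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "ListSecrets", "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/tyler"}}
{"eventTime": "2025-11-02T23:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"}}
"""


def parse_time(stamp):
    """CloudTrail eventTime is ISO-8601 UTC, e.g. 2025-11-02T21:50:01Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text):
    """Accept a CloudTrail {"Records": [...]} log-file envelope or JSON lines."""
    text = text.strip()
    if text.startswith("{") and '"Records"' in text:
        return json.loads(text)["Records"]
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_recon_calls(events):
    """Return (principal, call, target) for every IAM reconnaissance call."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        name = ev.get("eventName")
        if name not in RECON_CALLS:
            continue
        params = ev.get("requestParameters") or {}   # CloudTrail may log null here
        target = params.get("accessKeyId") or params.get("userName") or "*"
        hits.append((ev["userIdentity"]["arn"], name, target))
    return hits


def find_denied_bursts(events, threshold=3, window_seconds=300):
    """Principals with >= threshold denied calls inside any window_seconds span.

    Returns {principal: peak_count}. One denied call is routine; a burst across
    unrelated services is the footprint of a credential being probed, with the
    caller's ARN handed back in every error message.
    """
    denied = defaultdict(list)
    for ev in events:
        if ev.get("errorCode") in DENIED_CODES:
            denied[ev["userIdentity"]["arn"]].append(parse_time(ev["eventTime"]))
    bursts = {}
    for principal, times in denied.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[principal] = peak
    return bursts


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for principal, call, target in find_recon_calls(events):
        print(f"RECON  {principal} called {call} on {target}")
    for principal, count in find_denied_bursts(events).items():
        print(f"BURST  {principal}: {count} denied calls within 5 minutes")
```

To run this against a real account, feed load_events the contents of a CloudTrail log file from the trail's S3 bucket (the Records envelope) or JSON lines exported from your SIEM. A lone GetAccessKeyLastUsed is normal administrative activity, so treat the recon hits as context and the denied-call burst as the stronger signal, and tune threshold and window_seconds to what your account's automation normally produces.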