# Enumerate AWS IAM Users

## What is the risk of exposed AWS IAM Usernames?

* Exposing an AWS IAM username is not a direct compromise, but it reduces the work an attacker needs to do to get into an AWS account. Knowing a valid username, they can run targeted phishing campaigns or password-spraying attacks, potentially obtaining valid credentials and gaining access to the account.

***

## Methods to Enumerate AWS IAM Usernames

### Using AWS Access Key ID

{% hint style="danger" %}
You <mark style="color:red;">must have valid access keys configured in the target account</mark> for this to work (`aws configure`)
{% endhint %}

{% code overflow="wrap" %}

```bash
aws --profile dev iam get-access-key-last-used --access-key-id AKIAxxxxxxxx

{
    "UserName": "admin",
    "AccessKeyLastUsed": {
        "LastUsedDate": "2024-12-08T03:42:00+00:00",
        "ServiceName": "ec2",
        "Region": "us-east-1"
    }
}
```

{% endcode %}

***

### Using Bedrock API Keys

* This works for long-term API keys; short-term API keys don't appear to include this information.

{% code overflow="wrap" %}

```zsh
echo $AWS_BEARER_TOKEN_BEDROCK | base64 -d
```

{% endcode %}

<figure><img src="/files/zDxlyQO0vWS5njgDHi88" alt=""><figcaption></figcaption></figure>

***

### Using Valid Credentials (Authenticated)

* With valid credentials and access to the target AWS account, we can enumerate all IAM Users in the account

{% code overflow="wrap" %}

```bash
aws iam list-users

{
    "Users": [
        {
            "Path": "/",
            "UserName": "dev_user",
            "UserId": "AIDAxxxxxx",
            "Arn": "arn:aws:iam::111111111111:user/dev_user",
            "CreateDate": "2022-05-18T23:38:48+00:00",
            "PasswordLastUsed": "2025-11-02T21:52:33+00:00"
        }
    ]
}
```

{% endcode %}

***

### Using Error Messages

* With valid credentials, we can attempt commands the identity is not permitted to run: the resulting authorization error includes the identity's ARN, and therefore its username, in its message.

{% code overflow="wrap" %}

```bash
aws --profile tyler ec2 describe-instances

An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation. User: arn:aws:iam::111111111111:user/tyler is not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action
```

{% endcode %}
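As an added example that is not part of the original page, the following Python script shows the defender's side of the three authenticated techniques above (`get-access-key-last-used`, `list-users`, and error-message enumeration): it scans CloudTrail records and flags explicit user-lookup calls as well as any principal whose denied calls exceed a threshold, which is what probing for error messages looks like in the log. The CloudTrail records, account ID, usernames, access key ID, and the threshold of three denied calls are all constructed assumptions.

```python
"""Flag IAM-user enumeration patterns in CloudTrail records.

Added example, not from the original page. Three signals are checked:
  1. iam:GetAccessKeyLastUsed  (resolving an access key ID to a username)
  2. iam:ListUsers             (listing every user in the account)
  3. a burst of AccessDenied / UnauthorizedOperation errors from one
     principal (error messages that echo the caller's ARN)
All sample data below is constructed; thresholds are assumptions.
"""
from collections import defaultdict
from typing import Iterable

# IAM calls that directly reveal usernames.
ENUMERATION_APIS = {
    ("iam.amazonaws.com", "GetAccessKeyLastUsed"),
    ("iam.amazonaws.com", "ListUsers"),
}
# Error codes CloudTrail records when a caller lacks permission
# (EC2 prefixes its code with "Client.").
DENIED_ERROR_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}
# Assumed threshold: this many denied calls from one ARN is worth a look.
DENIED_THRESHOLD = 3


def principal_arn(record: dict) -> str:
    """Return the calling identity's ARN, or a placeholder if absent."""
    return record.get("userIdentity", {}).get("arn", "<unknown>")


def find_enumeration(records: Iterable[dict]) -> dict:
    """Return lookup calls and per-ARN denied-call bursts found in records."""
    findings = {"enumeration_calls": [], "denied_bursts": {}}
    denied_by_arn = defaultdict(list)
    for rec in records:
        arn = principal_arn(rec)
        source, name = rec.get("eventSource"), rec.get("eventName")
        if (source, name) in ENUMERATION_APIS:
            findings["enumeration_calls"].append({
                "arn": arn,
                "eventName": name,
                "eventTime": rec.get("eventTime"),
                # Present only for GetAccessKeyLastUsed: the key being resolved.
                "accessKeyId": (rec.get("requestParameters") or {}).get("accessKeyId"),
            })
        if rec.get("errorCode") in DENIED_ERROR_CODES:
            denied_by_arn[arn].append(f"{source}:{name}")
    for arn, denied in denied_by_arn.items():
        if len(denied) >= DENIED_THRESHOLD:
            findings["denied_bursts"][arn] = denied
    return findings


def _rec(time, source, name, arn, error=None, params=None) -> dict:
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"type": "IAMUser", "arn": arn}}
    if error:
        rec["errorCode"] = error
        rec["errorMessage"] = f"User: {arn} is not authorized to perform: {name}"
    if params:
        rec["requestParameters"] = params
    return rec


ACCOUNT = "111111111111"  # constructed account ID
DEV = f"arn:aws:iam::{ACCOUNT}:user/dev_user"
TYLER = f"arn:aws:iam::{ACCOUNT}:user/tyler"
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/admin"

SAMPLE_RECORDS = [
    _rec("2025-11-02T21:50:00Z", "iam.amazonaws.com", "GetAccessKeyLastUsed", DEV,
         params={"accessKeyId": "AKIAEXAMPLE00000000"}),
    _rec("2025-11-02T21:50:05Z", "iam.amazonaws.com", "ListUsers", DEV),
    _rec("2025-11-02T21:51:00Z", "ec2.amazonaws.com", "DescribeInstances", TYLER,
         error="Client.UnauthorizedOperation"),
    _rec("2025-11-02T21:51:02Z", "s3.amazonaws.com", "ListBuckets", TYLER,
         error="AccessDenied"),
    _rec("2025-11-02T21:51:04Z", "lambda.amazonaws.com", "ListFunctions20150331", TYLER,
         error="AccessDenied"),
    _rec("2025-11-02T21:52:00Z", "ec2.amazonaws.com", "DescribeInstances", ADMIN),
    _rec("2025-11-02T21:52:10Z", "s3.amazonaws.com", "ListBuckets", ADMIN,
         error="AccessDenied"),  # a single denial: below threshold, not flagged
]

if __name__ == "__main__":
    result = find_enumeration(SAMPLE_RECORDS)
    for call in result["enumeration_calls"]:
        print("lookup:", call["arn"], call["eventName"], call["accessKeyId"] or "")
    for arn, denied in result["denied_bursts"].items():
        print("denied burst:", arn, denied)
```

In a real deployment the records would come from a CloudTrail Lake or Athena query rather than an inline list; a `GetAccessKeyLastUsed` whose `accessKeyId` does not belong to the caller, and any denied burst from a principal that normally makes few calls, are the cases to prioritise.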

***

### Brute Forcing (Unauthenticated)

* There are additional ways to enumerate IAM Users and Roles, see [Enumerate (Unauthenticated) IAM Users and Roles](/cloud-security/aws/aws-offensive-security/aws-attacks-and-techniques/enumerate-unauthenticated-iam-users-and-roles.md)

