# Enumerate (Unauthenticated) IAM Users and Roles

{% hint style="danger" %}
We need to know the AWS Account ID for this technique to work. Refer to [Enumerate AWS Account IDs](/cloud-security/aws/aws-offensive-security/aws-attacks-and-techniques/enumerate-aws-account-ids.md) for methods on how to obtain this.
{% endhint %}

{% hint style="info" %}
Rhino Security Labs has a [great blog post](https://rhinosecuritylabs.com/aws/aws-role-enumeration-iam-p2/) detailing how this works
{% endhint %}

## Unauthenticated Enumeration of IAM Users and Roles

* Essentially, when updating an IAM Role's Trust Policy, AWS will either allow it or return an error&#x20;
* The error is returned if the ARN of the identity does not exist

### Leveraging AWS Console

* First, create an IAM Role and then update its Trust Policy
* Principals can be specified in an IAM Role's policy and will provide an error if the principal is invalid

<figure><img src="/files/WSC9o8wgeFhNRKsn09Ag" alt=""><figcaption><p>Trying to add a non-valid IAM User to an IAM Role Trust Policy</p></figcaption></figure>

***

### Leveraging AWS CLI

* Principals can be specified in an IAM Role's policy and will provide an error if the principal is invalid

{% tabs %}
{% tab title="1. Create IAM Role" %}
Create an IAM Role Policy with a valid principal

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:user/valid-user"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

Create the IAM Role

{% code overflow="wrap" %}

```bash
aws iam create-role --role-name myRole --assume-role-policy-document file://roletrustpolicy.json
```

{% endcode %}
{% endtab %}

{% tab title="2. Update Role Policy" %}
Update Policy with user/role to test

```python
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:user/bob"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

Update the Role with the new Policy

{% code overflow="wrap" %}

```bash
aws --profile lab iam update-assume-role-policy --role-name <MyRoleName> --policy-document file://roletrustpolicy.json

An error occurred (MalformedPolicyDocument) when calling the UpdateAssumeRolePolicy operation: Invalid principal in policy: "AWS":"arn:aws:iam::111111111111:user/bob"
```

{% endcode %}
{% endtab %}
{% endtabs %}

***

### Leveraging Pacu

* [Pacu](/cloud-security/tools/pacu.md) provides modules that automatically attempt to enumerate valid IAM Users and Roles in an AWS account using this method
* Pacu will also attempt to assume the role which will provide credentials for the role
* Default wordlists are used unless you specify your own&#x20;

{% tabs %}
{% tab title="Users" %}
{% code overflow="wrap" %}

```bash
run iam__enum_users --role-name <MyRoleName> --account-id 111111111111
```

{% endcode %}
{% endtab %}

{% tab title="Roles" %}
{% code overflow="wrap" %}

```bash
run iam__enum_roles --role-name <MyRoleName> --account-id 111111111111
```

{% endcode %}
{% endtab %}

{% tab title="Custom Wordlist" %}
{% code overflow="wrap" %}

```bash
run iam__enum_users --role-name <MyRoleName> --account-id 111111111111 --word-list <myUser/RoleList>
```

{% endcode %}
{% endtab %}
{% endtabs %}

***

### Leveraging S3

* Principals can be specified in an S3 Bucket's policy and will provide an error if the principal is invalid

{% tabs %}
{% tab title="1. Create S3 Bucket" %}
{% code overflow="wrap" %}

```bash
aws s3api create-bucket --bucket <bucketName> 
```

{% endcode %}
{% endtab %}

{% tab title="2. Create Bucket Policy" %}
{% code overflow="wrap" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<targetAccountId>:user/bob"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucketName>"
        }
    ]
}
```

{% endcode %}
{% endtab %}

{% tab title="3. Update Bucket Policy" %}
{% code overflow="wrap" %}

```bash
aws s3api put-bucket-policy --bucket <bucketName> --policy file://s3bucketpolicy.json

An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Invalid principal in policy
```

{% endcode %}
{% endtab %}
{% endtabs %}

***

### Leveraging Lambda

* Principals can be specified in a Lambda Function's resource policy and will provide an error if the principal is invalid

{% tabs %}
{% tab title="1. Create Lambda Role" %}
Create Trust Policy for IAM Role

{% code overflow="wrap" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

{% endcode %}

Create IAM Role

{% code overflow="wrap" %}

```bash
aws iam create-role --role-name lambda-role --assume-role-policy-document file://lambdapolicy.json 
```

{% endcode %}
{% endtab %}

{% tab title="2. Create Lambda Function" %}
Create Function Code

```python
def lambda_handler(event, context):
    print(event)
    return 'Hello from Lambda!'
```

Zip the Function Code

{% code overflow="wrap" fullWidth="false" %}

```bash
zip functioncode.zip functioncode.py
```

{% endcode %}

Create the Function

{% code overflow="wrap" %}

```bash
aws lambda create-function --function-name tylertestiamprincipals --runtime python3.9 --zip-file fileb://functioncode.zip --handler hello.lambda-handler --role arn:aws:iam::111111111111:role/lambda-role
```

{% endcode %}
{% endtab %}

{% tab title="3. Update Lambda Policy" %}
{% code overflow="wrap" %}

```bash
aws lambda add-permission --function-name tylertestiamprincipals --action lambda:ListFunctions --statement-id tylertestiamprincipals2 --principal "arn:aws:iam::111111111111:role/sally"

An error occurred (InvalidParameterValueException) when calling the AddPermission operation: The provided principal was invalid. Please check the principal and try again.
```

{% endcode %}
{% endtab %}
{% endtabs %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.techwithtyler.dev/cloud-security/aws/aws-offensive-security/aws-attacks-and-techniques/enumerate-unauthenticated-iam-users-and-roles.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.