# Enumerate (Unauthenticated) IAM Users and Roles
{% hint style="danger" %}
We need to know the AWS Account ID for this technique to work. Refer to [enumerate-aws-account-ids](https://www.techwithtyler.dev/cloud-security/aws/aws-offensive-security/aws-attacks-and-techniques/enumerate-aws-account-ids "mention") for methods on how to obtain this.
{% endhint %}
{% hint style="info" %}
Rhino Security Labs has a [great blog post](https://rhinosecuritylabs.com/aws/aws-role-enumeration-iam-p2/) detailing how this works
{% endhint %}
## Unauthenticated Enumeration of IAM Users and Roles
* Essentially, when updating an IAM Role's Trust Policy, AWS will either allow it or return an error
* The error is returned if the ARN of the identity does not exist
### Leveraging AWS Console
* First, create an IAM Role and then update its Trust Policy
* Principals can be specified in an IAM Role's policy and will provide an error if the principal is invalid
Trying to add a non-valid IAM User to an IAM Role Trust Policy
***
### Leveraging AWS CLI
* Principals can be specified in an IAM Role's policy and will provide an error if the principal is invalid
{% tabs %}
{% tab title="1. Create IAM Role" %}
Create an IAM Role Policy with a valid principal
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:user/valid-user"
},
"Action": "sts:AssumeRole"
}
]
}
```
Create the IAM Role
{% code overflow="wrap" %}
```bash
aws iam create-role --role-name myRole --assume-role-policy-document file://roletrustpolicy.json
```
{% endcode %}
{% endtab %}
{% tab title="2. Update Role Policy" %}
Update Policy with user/role to test
```python
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:user/bob"
},
"Action": "sts:AssumeRole"
}
]
}
```
Update the Role with the new Policy
{% code overflow="wrap" %}
```bash
aws --profile lab iam update-assume-role-policy --role-name --policy-document file://roletrustpolicy.json
An error occurred (MalformedPolicyDocument) when calling the UpdateAssumeRolePolicy operation: Invalid principal in policy: "AWS":"arn:aws:iam::111111111111:user/bob"
```
{% endcode %}
{% endtab %}
{% endtabs %}
***
### Leveraging Pacu
* [Pacu](https://www.techwithtyler.dev/cloud-security/tools/pacu) provides modules that automatically attempt to enumerate valid IAM Users and Roles in an AWS account using this method
* Pacu will also attempt to assume the role which will provide credentials for the role
* Default wordlists are used unless you specify your own
{% tabs %}
{% tab title="Users" %}
{% code overflow="wrap" %}
```bash
run iam__enum_users --role-name --account-id 111111111111
```
{% endcode %}
{% endtab %}
{% tab title="Roles" %}
{% code overflow="wrap" %}
```bash
run iam__enum_roles --role-name --account-id 111111111111
```
{% endcode %}
{% endtab %}
{% tab title="Custom Wordlist" %}
{% code overflow="wrap" %}
```bash
run iam__enum_users --role-name --account-id 111111111111 --word-list
```
{% endcode %}
{% endtab %}
{% endtabs %}
***
### Leveraging S3
* Principals can be specified in an S3 Bucket's policy and will provide an error if the principal is invalid
{% tabs %}
{% tab title="1. Create S3 Bucket" %}
{% code overflow="wrap" %}
```bash
aws s3api create-bucket --bucket
```
{% endcode %}
{% endtab %}
{% tab title="2. Create Bucket Policy" %}
{% code overflow="wrap" %}
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:::user/bob"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::"
}
]
}
```
{% endcode %}
{% endtab %}
{% tab title="3. Update Bucket Policy" %}
{% code overflow="wrap" %}
```bash
aws s3api put-bucket-policy --bucket --policy file://s3bucketpolicy.json
An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Invalid principal in policy
```
{% endcode %}
{% endtab %}
{% endtabs %}
***
### Leveraging Lambda
* Principals can be specified in a Lambda Function's resource policy and will provide an error if the principal is invalid
{% tabs %}
{% tab title="1. Create Lambda Role" %}
Create Trust Policy for IAM Role
{% code overflow="wrap" %}
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
{% endcode %}
Create IAM Role
{% code overflow="wrap" %}
```bash
aws iam create-role --role-name lambda-role --assume-role-policy-document file://lambdapolicy.json
```
{% endcode %}
{% endtab %}
{% tab title="2. Create Lambda Function" %}
Create Function Code
```python
def lambda_handler(event, context):
print(event)
return 'Hello from Lambda!'
```
Zip the Function Code
{% code overflow="wrap" fullWidth="false" %}
```bash
zip functioncode.zip functioncode.py
```
{% endcode %}
Create the Function
{% code overflow="wrap" %}
```bash
aws lambda create-function --function-name tylertestiamprincipals --runtime python3.9 --zip-file fileb://functioncode.zip --handler hello.lambda-handler --role arn:aws:iam::111111111111:role/lambda-role
```
{% endcode %}
{% endtab %}
{% tab title="3. Update Lambda Policy" %}
{% code overflow="wrap" %}
```bash
aws lambda add-permission --function-name tylertestiamprincipals --action lambda:ListFunctions --statement-id tylertestiamprincipals2 --principal "arn:aws:iam::111111111111:role/sally"
An error occurred (InvalidParameterValueException) when calling the AddPermission operation: The provided principal was invalid. Please check the principal and try again.
```
{% endcode %}
{% endtab %}
{% endtabs %}
