Intro to AWS IAM Enumeration

Sticky

Attack Story

Sticky, an incident response (IR) commander, has been tasked with investigating a potential security incident at Huge Logistics, a global logistics company. Suspicious activity has been detected involving the IAM user dev01.

Objective

  • Enumerate the IAM user dev01

  • Map out potentially compromised resources

  • Evaluate IAM roles, policies, and permissions

  • Get the flag (sensitive information)

As part of the lab scenario, Sticky was provided with IAM credentials for dev01 to simulate access and conduct a structured investigation.

Using the AWS CLI, Sticky conducted active IAM enumeration and discovered that dev01 had read-only access to a specific S3 bucket. Further analysis revealed that dev01 could assume the BackendDev role, which granted elevated privileges, including access to EC2 metadata and Secrets Manager, demonstrating how seemingly limited permissions can still lead to serious data exposure if roles are not properly scoped.

Incident

Set up the local environment with the access key, secret key, and default region/output format under a named profile. No request is sent to AWS yet.

aws configure --profile s3

Perform active enumeration. This sends a request to AWS via the Security Token Service (STS) and returns the identity of the calling principal (account ID, user ID, and ARN).

aws sts get-caller-identity --profile s3

Collect more information about the current IAM user, such as the user's creation date, path, and ARN.

aws iam get-user --profile s3

Then gather more contextual information about the IAM user dev01:

  • Discovered an inline policy named S3_Access attached directly to the user by running list-user-policies. The name suggests a custom policy related to S3 access.

  • Identified two managed policies attached to dev01 via list-attached-user-policies: the AWS managed policy AmazonGuardDutyReadOnlyAccess and a customer-managed policy also named dev01.

  • Confirmed the identity of the IAM user dev01 and retrieved basic user details using get-caller-identity and get-user.

  • Found that the IAM user is not a member of any group ("Groups": []).

  • Attempted to gather more security-related information by listing MFA devices and access keys using list-mfa-devices and list-access-keys, but both commands returned AccessDenied errors.

  • This indicates that dev01 does not have the necessary permissions to view MFA or key-related information, limiting visibility into the user's credential and security configuration.

Based on the above enumeration,

  • Discovered that the IAM user dev01 had a directly attached inline policy named S3_Access

  • Upon reviewing the policy document, it was evident that the user was granted only s3:ListBucket and s3:GetObject permissions on the hl-dev-artifacts S3 bucket.

  • This effectively gives dev01 read-only access, allowing them to view and download objects but not make any modifications or uploads.

aws iam get-user-policy --user-name dev01 --policy-name S3_Access --profile s3

  • Let's dig into the managed policies.

  • List the versions of the customer-managed policy dev01; the latest version is v7, so retrieve that version with the commands below.

  • Read the returned policy document as well.

aws iam list-policy-versions --policy-arn arn:aws:iam::794929857501:policy/dev01 --profile s3
aws iam get-policy-version --policy-arn arn:aws:iam::794929857501:policy/dev01 --version-id v7 --profile s3

The latest version of the AWS managed policy AmazonGuardDutyReadOnlyAccess is v4. Issue the commands below for it:

aws iam list-policy-versions --policy-arn arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess --profile s3
aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess --version-id v4 --profile s3

Collect the output as JSON files so the policy documents can be reviewed offline:

aws iam get-policy-version --policy-arn arn:aws:iam::794929857501:policy/dev01 --version-id v7 --profile s3 --output json > dev01-policy-v7.json
aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess --version-id v4 --profile s3 --output json > guardduty-readonly-v4.json
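Once the policy documents are saved as JSON, the review is the same for an inline policy, a customer-managed policy and an AWS managed policy: list every Allow grant, then flag the things that make a policy more than read-only (wildcard actions, write actions, NotAction grants, and actions such as sts:AssumeRole that let the principal become something else). The script below is an added example, not part of the original write-up or of any AWS tooling. The embedded sample is constructed to mirror the shape of the S3_Access inline policy described here (s3:ListBucket and s3:GetObject on hl-dev-artifacts); the read-only verb prefixes and the escalation-action list are the author's own assumptions for illustration.

```python
"""Summarise an IAM policy document as returned by `aws iam get-user-policy`
or `aws iam get-policy-version`, the way an analyst reviews the saved JSON.

Added example; the sample below is constructed to mirror the S3_Access inline
policy described in the write-up. It is not the lab's real CLI output."""
import fnmatch
import json

# Constructed sample in the shape of `aws iam get-user-policy --output json`.
# The CLI returns PolicyDocument already decoded into a JSON object.
SAMPLE_GET_USER_POLICY = json.dumps({
    "UserName": "dev01",
    "PolicyName": "S3_Access",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::hl-dev-artifacts",
                         "arn:aws:s3:::hl-dev-artifacts/*"],
        }],
    },
})

# Assumption: verb prefixes AWS uses for read-only API actions; anything else counts as write.
READ_PREFIXES = ("Get", "List", "Describe", "Head", "Select", "BatchGet")

# Assumption: a short list of actions that change what a principal can become, not just read.
ESCALATION_ACTIONS = {"sts:AssumeRole", "iam:PassRole", "iam:CreatePolicyVersion",
                      "iam:SetDefaultPolicyVersion", "iam:AttachUserPolicy",
                      "iam:PutUserPolicy", "iam:CreateAccessKey"}


def load_document(cli_output: str) -> dict:
    """Pull the policy document out of either CLI response shape."""
    data = json.loads(cli_output)
    if "PolicyDocument" in data:                 # get-user-policy / get-role-policy
        return data["PolicyDocument"]
    return data["PolicyVersion"]["Document"]     # get-policy-version


def as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """'s3:GetObject' -> True; 's3:*', '*' and 's3:PutObject' -> False."""
    if "*" in action:
        return False
    _, _, verb = action.partition(":")
    return verb.startswith(READ_PREFIXES)


def summarize(document: dict) -> dict:
    """Return every Allow grant plus the findings a reviewer cares about."""
    grants, wildcard, write, escalation, not_action = [], [], [], [], False
    for stmt in as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue                             # Deny statements only narrow access
        if "NotAction" in stmt:
            not_action = True                    # "everything except ..." grants are a red flag
        for action in as_list(stmt.get("Action")):
            for resource in as_list(stmt.get("Resource")):
                grants.append((action, resource))
            if "*" in action:
                wildcard.append(action)
            elif not is_read_only(action):
                write.append(action)
            # fnmatch lets a pattern such as 'sts:*' or '*' match the escalation actions
            if any(fnmatch.fnmatch(esc, action) for esc in ESCALATION_ACTIONS):
                escalation.append(action)
    return {
        "grants": sorted(set(grants)),
        "wildcard_actions": sorted(set(wildcard)),
        "write_actions": sorted(set(write)),
        "escalation_actions": sorted(set(escalation)),
        "uses_not_action": not_action,
        "read_only": not (wildcard or write or escalation or not_action),
    }


if __name__ == "__main__":
    result = summarize(load_document(SAMPLE_GET_USER_POLICY))
    for action, resource in result["grants"]:
        print(f"ALLOW {action:20} on {resource}")
    print("read-only:", result["read_only"])
```

Run it against dev01-policy-v7.json or guardduty-readonly-v4.json by replacing the constructed sample with the file contents; a policy that reports read_only True with an empty escalation_actions list is what the S3_Access finding above looks like, while a single sts:AssumeRole or s3:* entry is the point at which the review has to follow the role rather than the user.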

The BackendDev role seen during enumeration looks interesting, so let's take a look at it.

aws iam list-attached-role-policies --role-name BackendDev --profile s3

{
    "AttachedPolicies": [
        {
            "PolicyName": "BackendDevPolicy",
            "PolicyArn": "arn:aws:iam::794929857501:policy/BackendDevPolicy"
        }
    ]
}

Now enumerate the IAM role BackendDev and its attached policy BackendDevPolicy to understand what permissions the role grants and who is allowed to assume it. The get-role action retrieves the role's metadata and its trust policy.

aws iam get-role --role-name BackendDev --profile s3

The BackendDev role is designed for developers to assume, similar to using sudo on Linux. Its trust policy shows that only the IAM user dev01 is allowed to assume it, granting temporary elevated privileges tied to the role.

aws iam get-policy --policy-arn arn:aws:iam::794929857501:policy/BackendDevPolicy --profile s3

aws iam get-policy-version --policy-arn arn:aws:iam::794929857501:policy/BackendDevPolicy --version-id v1 --profile s3
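The trust policy is the part of get-role's output that answers "who can become this role", and it is worth checking mechanically because the difference between a specific user ARN, an account root ARN and "*" decides whether the role is scoped to one identity, to everyone in the account with sts:AssumeRole in their own policy, or to anyone at all. The script below is an added example, not part of the original write-up; its embedded sample is constructed to match the description above (BackendDev trusted only by the IAM user dev01) and is not the lab's actual get-role output. The MFA check looks for the real aws:MultiFactorAuthPresent condition key; the classification wording is the author's own.

```python
"""Work out who can assume a role from the AssumeRolePolicyDocument that
`aws iam get-role` returns.

Added example; the sample is constructed to match the write-up's description
of BackendDev (only the IAM user dev01 may assume it) and is not real output."""
import fnmatch
import json
import re

# Constructed sample in the shape of `aws iam get-role --output json`.
SAMPLE_GET_ROLE = json.dumps({
    "Role": {
        "RoleName": "BackendDev",
        "Arn": "arn:aws:iam::794929857501:role/BackendDev",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::794929857501:user/dev01"},
                "Action": "sts:AssumeRole",
            }],
        },
    },
})

# An account root ARN, or a bare 12-digit account ID, trusts the whole account.
ACCOUNT_ROOT = re.compile(r"^(?:arn:aws:iam::(\d{12}):root|(\d{12}))$")


def as_list(value):
    """Trust policies may use a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principals_of(principal) -> list:
    """Flatten {"AWS": [...], "Service": ..., "Federated": ...} or "*" to plain strings."""
    if principal == "*":
        return ["*"]
    return [p if kind == "AWS" else f"{kind}:{p}"
            for kind, values in principal.items() for p in as_list(values)]


def who_can_assume(get_role_output: str) -> dict:
    """Classify every principal allowed to call sts:AssumeRole on the role."""
    role = json.loads(get_role_output)["Role"]
    doc = role["AssumeRolePolicyDocument"]
    allowed, broad, conditions = [], [], []
    for stmt in as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        # Skip statements that only cover e.g. AssumeRoleWithWebIdentity.
        if not any(fnmatch.fnmatch("sts:AssumeRole", a) for a in actions):
            continue
        for p in principals_of(stmt.get("Principal", {})):
            allowed.append(p)
            m = ACCOUNT_ROOT.match(p)
            if p == "*":
                broad.append("* : any principal, anonymous trust")
            elif m:
                account = m.group(1) or m.group(2)
                broad.append(f"{p}: every principal in account {account} "
                             "whose own policy allows sts:AssumeRole")
        if stmt.get("Condition"):
            conditions.append(stmt["Condition"])
    mfa_required = any("aws:MultiFactorAuthPresent" in json.dumps(c) for c in conditions)
    return {
        "role": role["RoleName"],
        "principals": sorted(set(allowed)),
        "broad_trust": broad,          # empty means the role is scoped to named identities
        "conditions": conditions,
        "mfa_required": mfa_required,
    }


if __name__ == "__main__":
    report = who_can_assume(SAMPLE_GET_ROLE)
    print(f"{report['role']} can be assumed by: {', '.join(report['principals'])}")
    for finding in report["broad_trust"]:
        print("BROAD TRUST:", finding)
    print("MFA required:", report["mfa_required"])
```

For BackendDev the report lists exactly one principal and no broad-trust findings, which is the scoping the write-up describes; a root-account principal in the same position would mean the effective scope has to be read from every identity policy in the account instead, and an empty conditions list means nothing (MFA, source IP, external ID) stands between the trusted identity and the elevated privileges.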

After confirming that the IAM user dev01 had an inline policy named S3_Access, I retrieved the policy document using get-user-policy. The policy granted s3:ListBucket and s3:GetObject permissions on the hl-dev-artifacts bucket, indicating read-only access. Acting on this, I attempted to access the contents of the bucket by directly downloading the flag.txt file using aws s3 cp.

Yay... FLAG...


Written by

Sticky

A cybersecurity specialist navigating the digital kill chain with precision, curiosity, and intent. Security isn’t just reactive - it’s investigative, predictive, and deeply human. Every artifact has context. Every log entry tells a story. Every alert is part of a larger narrative. I specialize in Threat & Adversary Hunting, Incident Response, Digital Forensics, and Malware Analysis - transforming scattered signals into intelligence, and intelligence into action.