iam:ListPolicies, iam:GetPolicy and iam:GetPolicyVersion
iam:ListRoles
iam:ListUsers
iam:ListGroups
iam:ListGroupsForUser
iam:ListAttachedUserPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedGroupPolicies
iam:ListUserPolicies and iam:GetUserPolicy
iam:ListGroupPolicies and iam:GetGroupPolicy
iam:ListRolePolicies and iam:GetRolePolicy
```bash
# All IAMs
## Retrieves information about all IAM users, groups, roles, and policies
## in your Amazon Web Services account, including their relationships to
## one another. Use this operation to obtain a snapshot of the configuration
## of IAM permissions (users, groups, roles, and policies) in your
## account.
aws iam get-account-authorization-details

# List users
aws iam get-user #Get current user information
aws iam list-users
aws iam list-ssh-public-keys #User keys for CodeCommit
aws iam get-ssh-public-key --user-name <username> --ssh-public-key-id <id> --encoding SSH #Get public key with metadata
aws iam list-service-specific-credentials #Get special permissions of the IAM user over specific services
aws iam get-user --user-name <username> #Get metadata of user, included permissions boundaries
aws iam list-access-keys #List created access keys
## inline policies
aws iam list-user-policies --user-name <username> #Get inline policies of the user
aws iam get-user-policy --user-name <username> --policy-name <policyname> #Get inline policy details
## attached policies
aws iam list-attached-user-policies --user-name <username> #Get policies of user, it doesn't get inline policies

# List groups
aws iam list-groups #Get groups
aws iam list-groups-for-user --user-name <username> #Get groups of a user
aws iam get-group --group-name <name> #Get group name info
## inline policies
aws iam list-group-policies --group-name <username> #Get inline policies of the group
aws iam get-group-policy --group-name <username> --policy-name <policyname> #Get an inline policy info
## attached policies
aws iam list-attached-group-policies --group-name <name> #Get policies of group, it doesn't get inline policies

# List roles
aws iam list-roles #Get roles
aws iam get-role --role-name <role-name> #Get role
## inline policies
aws iam list-role-policies --role-name <name> #Get inline policies of a role
aws iam get-role-policy --role-name <name> --policy-name <name> #Get inline policy details
## attached policies
aws iam list-attached-role-policies --role-name <role-name> #Get policies of role, it doesn't get inline policies

# List policies
aws iam list-policies [--only-attached] [--scope Local]
aws iam list-policies-granting-service-access --arn <identity> --service-namespaces <svc> # Get list of policies that give access to the user to the service
## Get policy content
aws iam get-policy --policy-arn <policy_arn>
aws iam list-policy-versions --policy-arn <arn>
aws iam get-policy-version --policy-arn <arn:aws:iam::975426262029:policy/list_apigateways> --version-id <VERSION_X>

# Enumerate providers
aws iam list-saml-providers
aws iam get-saml-provider --saml-provider-arn <ARN>
aws iam list-open-id-connect-providers
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>

# Password Policy
aws iam get-account-password-policy

# MFA
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices
```
Permissions Brute Force
If you are interested in your own permissions but you don't have access to query IAM you could always brute-force them.
bf-aws-permissions
The tool bf-aws-permissions is just a bash script that, using the indicated profile, runs all the list*, describe* and get* actions it can find in the AWS CLI help messages and returns the ones that executed successfully.
The tool bf-aws-perms-simulate can find your current permissions (or those of other principals) if you have the permission iam:SimulatePrincipalPolicy.
```bash
# Ask for permissions
python3 aws_permissions_checker.py --profile <AWS_PROFILE> [--arn <USER_ARN>]
```
Perms2ManagedPolicies
If you found some permissions your user has, and you think that they are being granted by a managed AWS role (and not by a custom one), you can use the tool aws-Perms2ManagedRoles to check all the AWS managed roles that grant the permissions you discovered that you have.
```bash
# Run example with my profile
python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt
```
It's possible to "know" if the permissions you have are granted by an AWS managed role if, for example, you see that you have permissions over services that aren't used.
Cloudtrail2IAM
CloudTrail2IAM is a Python tool that analyses AWS CloudTrail logs to extract and summarize the actions performed by everyone or by just a specific user or role. The tool will parse every CloudTrail log from the indicated bucket.
If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find AWS configuration and see which permissions have been assigned to whom.
enumerate-iam
To use the tool https://github.com/andresriancho/enumerate-iam you first need to download all the AWS API endpoints. From those, the script generate_bruteforce_tests.py will get all the "list_", "describe_", and "get_" endpoints. Finally, it will try to access them with the given credentials and indicate whether it worked.
(In my experience the tool hangs at some point, check out this fix to try to fix that).
In my experience this tool is like the previous one but working worse and checking fewer permissions.
You could also use the tool weirdAAL. This tool will check several common operations on several common services (it will check some enumeration permissions and also some privesc permissions). But it will only check the coded checks (the only way to check more is to code more tests).
```bash
# Install
git clone https://github.com/carnal0wnage/weirdAAL.git
cd weirdAAL
python3 -m venv weirdAAL
source weirdAAL/bin/activate
pip3 install -r requirements.txt

# Create a .env file with aws credentials such as
[default]
aws_access_key_id = <insert key id>
aws_secret_access_key = <insert secret key>

# Setup DB
python3 create_dbs.py

# Invoke it
python3 weirdAAL.py -m ec2_describe_instances -t ec2test # Just some ec2 tests
python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions
# You will see output such as:
# [+] elbv2 Actions allowed are [+]
# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']
```
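The brute-force tools above (bf-aws-permissions, enumerate-iam, weirdAAL) all work by firing many list/describe/get calls and keeping the ones that succeed, which leaves a recognisable trace in CloudTrail. The following is an added example, not code from any of those projects: a sliding-window check over CloudTrail records that flags a principal whose read-only calls span several services and are repeatedly denied. It assumes the trail records read-only management events; the thresholds, ARNs and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

READ_PREFIXES = ("List", "Describe", "Get")
DENIED = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_permission_sweeps(records, window=timedelta(minutes=5), min_services=3, min_denied=4):
    """Return {principal ARN: summary} for bursts of denied read-only calls across services."""
    per_principal = defaultdict(list)
    for rec in records:
        if rec["eventName"].startswith(READ_PREFIXES):
            per_principal[rec["userIdentity"]["arn"]].append(rec)
    findings = {}
    for arn, events in per_principal.items():
        events.sort(key=_ts)
        start = 0
        for end in range(len(events)):
            while _ts(events[end]) - _ts(events[start]) > window:
                start += 1  # slide the window forward
            chunk = events[start:end + 1]
            services = sorted({e["eventSource"] for e in chunk})
            denied = sum(e.get("errorCode") in DENIED for e in chunk)
            if len(services) >= min_services and denied >= min_denied:
                findings[arn] = {"calls": len(chunk), "denied": denied, "services": services}
                break  # first window over the thresholds is enough to alert
    return findings

def _rec(arn, when, source, name, error=None):
    rec = {"eventTime": when, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}}
    return {**rec, "errorCode": error} if error else rec

SWEEPER = "arn:aws:iam::111122223333:user/ci-deploy"  # constructed principals
REGULAR = "arn:aws:iam::111122223333:user/alice"
SAMPLE = [  # constructed CloudTrail-style events, not real logs
    _rec(SWEEPER, "2024-05-01T10:00:01Z", "ec2.amazonaws.com", "DescribeInstances", "Client.UnauthorizedOperation"),
    _rec(SWEEPER, "2024-05-01T10:00:02Z", "s3.amazonaws.com", "ListBuckets"),
    _rec(SWEEPER, "2024-05-01T10:00:03Z", "iam.amazonaws.com", "ListUsers", "AccessDenied"),
    _rec(SWEEPER, "2024-05-01T10:00:04Z", "dynamodb.amazonaws.com", "ListTables", "AccessDenied"),
    _rec(SWEEPER, "2024-05-01T10:00:05Z", "kms.amazonaws.com", "ListKeys", "AccessDenied"),
    _rec(REGULAR, "2024-05-01T10:00:10Z", "ec2.amazonaws.com", "DescribeInstances"),
    _rec(REGULAR, "2024-05-01T11:00:00Z", "iam.amazonaws.com", "GetUser", "AccessDenied"),
]

if __name__ == "__main__":
    print(find_permission_sweeps(SAMPLE))
```

A single denied call, like the one from the second principal, stays below the thresholds; only the burst across five services is reported.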
```bash
# https://github.com/turbot/steampipe-mod-aws-insights
steampipe check all --export=json

# https://github.com/turbot/steampipe-mod-aws-perimeter
# In this case you cannot output to JSON, so check it in the dashboard
steampipe dashboard
```
<YourTool>
None of the previous tools is capable of checking close to all permissions, so if you know a better tool send a PR!
```bash
# Connect with sso via CLI aws configure sso
aws configure sso

[profile profile_name]
sso_start_url = https://subdomain.awsapps.com/start/
sso_account_id = <account_number>
sso_role_name = AdministratorAccess
sso_region = us-east-1
```
Enumeration
The main elements of the Identity Center are:
Users and groups
Permission Sets: Have policies attached
AWS Accounts
Then, relationships are created so users/groups have Permission Sets over AWS Accounts.
Note that there are 3 ways to attach policies to a Permission Set: attaching AWS managed policies, Customer managed policies (these policies need to be created in all the accounts the Permission Set is affecting), and inline policies (defined in there).
```bash
# Check if IAM Identity Center is used
aws sso-admin list-instances

# Get Permissions sets. These are the policies that can be assigned
aws sso-admin list-permission-sets --instance-arn <instance-arn>
aws sso-admin describe-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## Get managed policies of a permission set
aws sso-admin list-managed-policies-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get inline policies of a permission set
aws sso-admin get-inline-policy-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get customer managed policies of a permission set
aws sso-admin list-customer-managed-policy-references-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get boundaries of a permission set
aws sso-admin get-permissions-boundary-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## List accounts a permission set is affecting
aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List principals given a permission set in an account
aws sso-admin list-account-assignments --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --account-id <account_id>

# Get permissions sets affecting an account
aws sso-admin list-permission-sets-provisioned-to-account --instance-arn <instance-arn> --account-id <account_id>

# List users & groups from the identity store
aws identitystore list-users --identity-store-id <store-id>
aws identitystore list-groups --identity-store-id <store-id>
## Get members of groups
aws identitystore list-group-memberships --identity-store-id <store-id> --group-id <group-id>
## Get memberships of a user or a group
aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>
```
Local Enumeration
It's possible to create inside the folder $HOME/.aws the file config to configure profiles that are accessible via SSO, for example:
```bash
# Log in with my-sso-profile
aws sso login --profile my-sso-profile
# Use dependent-profile
aws s3 ls --profile dependent-profile
```
When a profile from SSO is used to access some information, the credentials are cached in a file inside the folder $HOME/.aws/sso/cache. Therefore they can be read and used from there.
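Because these cache files hold usable tokens, it is worth checking a workstation for entries that are still valid or readable by other local users. The following is an added example, not part of the original page: it audits `$HOME/.aws/sso/cache` and the `$HOME/.aws/cli/cache` directory the page covers next, reporting only file name, liveness and file mode, never the secret values. The JSON field names (`accessToken`, `clientSecret`, `expiresAt`, `Credentials.Expiration`) are assumed to match what the AWS CLI writes, and `build_sample` creates constructed files with fake values.

```python
import json, os, stat
from datetime import datetime, timezone
from pathlib import Path

SECRET_KEYS = ("accessToken", "clientSecret", "Credentials")

def _expiry(doc):
    # SSO files use "expiresAt"; CLI role-cache files use Credentials.Expiration.
    raw = doc.get("expiresAt") or doc.get("Credentials", {}).get("Expiration")
    if not raw:
        return None
    try:
        parsed = datetime.fromisoformat(raw.replace("UTC", "+00:00").replace("Z", "+00:00"))
    except ValueError:
        return None  # unparsable expiry: the caller treats the entry as live
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def audit_aws_cache(home, now=None):
    """List cached credential files with liveness and file mode, never the secrets."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for sub in ("sso/cache", "cli/cache"):
        for path in sorted((Path(home) / ".aws" / sub).glob("*.json")):
            try:
                doc = json.loads(path.read_text())
            except (OSError, ValueError):
                continue  # unreadable or not JSON: nothing to report
            if not isinstance(doc, dict) or not any(k in doc for k in SECRET_KEYS):
                continue
            expiry = _expiry(doc)
            mode = stat.S_IMODE(path.stat().st_mode)
            findings.append({"file": f"{sub}/{path.name}",
                             "live": expiry is None or expiry > now,
                             "group_or_world_access": bool(mode & 0o077)})
    return findings

def build_sample(home):
    # Constructed files mimicking the two cache layouts; all values are fake.
    files = {
        "sso/cache/token.json": ({"accessToken": "FAKE", "expiresAt": "2030-01-01T00:00:00Z"}, 0o644),
        "cli/cache/role.json": ({"Credentials": {"SecretAccessKey": "FAKE", "Expiration": "2020-01-01T00:00:00+00:00"}}, 0o600),
    }
    for rel, (doc, mode) in files.items():
        path = Path(home) / ".aws" / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(doc))
        os.chmod(path, mode)

if __name__ == "__main__":
    print(audit_aws_cache(Path.home()))
```

Entries reported as live can be invalidated with `aws sso logout`, and any file flagged for group or world access should be restricted to its owner.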
Moreover, more credentials can be stored in the folder $HOME/.aws/cli/cache. This cache directory is primarily used when you are working with AWS CLI profiles that use IAM user credentials or assume roles through IAM (without SSO). Config example:
```bash
# Create user identitystore:CreateUser
aws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password
```
Create a group, assign it permissions, and add a controlled user to it
Give extra permissions to a controlled user or group
By default, only users with permissions from the Management Account are going to be able to access and control the IAM Identity Center.
However, it's possible via Delegate Administrator to allow users from a different account to manage it. They won't have exactly the same permissions, but they will be able to perform management activities.