search
LinkedInGitHubYouTube

Enumerate AWS IAM Users

Exposure of AWS IAM Usernames can further aid attackers efforts to access an AWS account. Exposure leaves users vulnerable to attacks such as phishing and password-spraying.

hashtag
What is the risk of exposed AWS IAM Usernames?

  • Exposing an AWS IAM username is not a direct threat but simplifies attackers' efforts to access an AWS account. With this information, they can initiate phishing campaigns or password-spraying attacks, potentially obtaining valid credentials and accessing the account

hashtag
Methods to Enumerate AWS IAM Usernames

hashtag
Using AWS Access Key ID

triangle-exclamation

You must have valid access keys configured in the target account for this to work (aws configure)

aws --profile dev iam get-access-key-last-used --access-key-id AKIAxxxxxxxx

{
    "UserName": "admin",
    "AccessKeyLastUsed": {
        "LastUsedDate": "2024-12-08T03:42:00+00:00",
        "ServiceName": "ec2",
        "Region": "us-east-1"
    }
}

hashtag
Using Bedrock API Keys

  • This works for the Long-Term API Keys but Short-term API Keys don't seem to provide this info

hashtag
Using Valid Credentials (Authenticated)

  • With valid credentials and access to the target AWS account, we can enumerate all IAM Users in the account

hashtag
Using Error Messages

  • With valid credentials we can attempt certain commands that provide the identity's name in the output if the identity is not allowed to perform the task

hashtag
Brute Forcing (Unauthenticated)

PreviousEnumerate AWS Account IDsNextEnumerate (Unauthenticated) IAM Users and Roles

Last updated