Skip to main content
Room Banner
Back to all walkthroughs
Room Icon

AWS IAM Enumeration

Max room.

Learn enumerating IAM Principals and implemented services.

medium

60 min

247

User profile photo.
User profile photo.

To access material, start machines and answer questions login.

Prerequisites

Before starting this room, it is beneficial to have an introductory knowledge of Identity and Access Management () in and should understand how an AssumeRoleTrust policy works. If you are unfamiliar with this topic, please visit the room for more information.

Learning Objectives

Knowing how to get information about resources without authenticating is an important skill for vulnerability assessments and penetration testing. In this room, you will learn how to perform Principal enumeration and partial service enumeration for environments. You will learn:

  • How resource policies can be abused to identify valid principals
  • How to use open source tools to efficiently enumerate valid principals in a given account
  • How to footprint potential services, including security services, enabled for an account

Remember, these Principals form the backbone of access in - without them, there is almost nothing you can do. By being able to identify what valid principals exist in another account - you form a basis of information to perform more well-informed attacks that are more likely to succeed.

It is possible to get information about principals from a target account and other insider information about an account while remaining unauthenticated to that account - this is referred to as unauthenticated enumeration. enumeration is a reconnaissance exercise that can be leveraged to attack an cloud environment, and by using this technique, an attacker can gain a better understanding of the landscape within an account without having access to it. pen testers and red teamers commonly use this gathered “insider knowledge” to gain information about resources residing within an environment in order to perform attacks against the target account.

Answer the questions below
Can you get information about an AWS account, including its IAM principals - without authenticating?