⛈️ IAM

IAM stands for Identity and Access Management. It is the framework a cloud provider uses to control and manage:

  • Who can access: This includes users, applications, and services that require entry to the system.
  • What can be accessed: This pertains to resources, data, and applications that are available to authorized entities.
  • Under what conditions: This involves defining permissions, policies, and authentication methods to regulate access.

IAM ensures secure and controlled access to cloud resources.

💡 Key Takeaway

  • Managed → visible account-wide (list-policies), shared between principals, auditable = easier to review ✅
  • Inline → embedded in a single user, group or role, never listed by list-policies, easy to miss = risky ⚠️

As a pentester: always enumerate INLINE policies first (list-user-policies, list-group-policies, list-role-policies). Nothing except get-account-authorization-details shows them account-wide, so they are where the most dangerous permissions tend to hide. 🎯

# Enter the access key, secret key, default region and output format
aws configure
# or, to keep each account/target separate:
aws configure --profile <Profile Name>

# Your AWS "whoami" — always run this first
aws sts get-caller-identity

# Full snapshot of ALL users, groups, roles and policies, inline documents included
# (needs iam:GetAccountAuthorizationDetails; if denied, fall back to the per-principal commands below)
aws iam get-account-authorization-details

Users

Users represent people or applications. They have long-term credentials like usernames, passwords, and access keys.

  • Types:
    • End Users: Typical users who access applications and services.
    • Service Accounts: Non-human accounts used by applications or services to interact with other services.

Important checks:

For Users:
  aws iam list-user-policies            🔶  ← Inline
  aws iam list-attached-user-policies   🔷  ← Managed
# List all users
aws iam list-users

# Get user metadata (includes the permissions boundary, if one is set)
aws iam get-user --user-name <username>

# Check whether the user has a console password (a NoSuchEntity error means no console login)
aws iam get-login-profile --user-name <username>

# List user's access keys (note Status and CreateDate: old, still-active keys are worth flagging)
aws iam list-access-keys --user-name <username>

# See which groups the user belongs to (permissions can come from here too)
aws iam list-groups-for-user --user-name <username>

# 🔶 INLINE policies on a user
aws iam list-user-policies --user-name <username>
aws iam get-user-policy --user-name <username> --policy-name <policyname>

# 🔷 MANAGED policies on a user
aws iam list-attached-user-policies --user-name <username>

Groups

Groups are a way to manage permissions for multiple users at once. A user inherits every policy attached to each group it belongs to, so its effective permissions are never visible from the user object alone.

  • Example: if I have five backend engineers at Hackers University who all need the same access, it's a lot easier to put them in a group and apply one policy to the group than to duplicate it across five users.

Important checks:

For Groups:
  aws iam list-group-policies           🔶 ← Inline
  aws iam list-attached-group-policies  🔷 ← Managed
# List all groups
aws iam list-groups

# Check which groups a user belongs to
aws iam list-groups-for-user --user-name <User Name> --profile <Profile Name>

# List all users in a group
aws iam get-group --group-name <Group Name> --profile <Profile Name>

# 🔶 INLINE policies on a group
aws iam list-group-policies --group-name <groupname>
aws iam get-group-policy --group-name <groupname> --policy-name <policyname>

# 🔷 MANAGED policies on a group
aws iam list-attached-group-policies --group-name <groupname>
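The Users and Groups checks above have to be joined by hand before you know what a user can actually do: list-user-policies and list-attached-user-policies say nothing about what arrives through group membership. The following is an added example, not code from the original post, that does that join offline on a saved get-account-authorization-details dump. The dump contents, user and group names are constructed for illustration; the field names are the ones the CLI returns.

```python
"""Resolve each IAM user's effective policy set from a saved
`aws iam get-account-authorization-details` dump, marking every policy as
inline or managed and as direct or inherited through a group.

Added example for this post, not code from the original. Assumes the dump
was saved with `aws iam get-account-authorization-details > auth.json` and,
as in AWS CLI output, that PolicyDocument values are already decoded JSON
objects rather than URL-encoded strings. SAMPLE_DUMP below is constructed.
"""
import json
from typing import Dict, List

# Constructed sample dump: one user with a direct inline policy, a direct
# managed policy and a group membership; one user with nothing attached.
SAMPLE_DUMP = json.dumps({
    "UserDetailList": [
        {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice",
         "GroupList": ["backend-engineers"],
         "UserPolicyList": [{"PolicyName": "alice-s3-fix", "PolicyDocument": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}],
         "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
        {"UserName": "deploy-bot", "Arn": "arn:aws:iam::123456789012:user/deploy-bot",
         "GroupList": [], "UserPolicyList": [], "AttachedManagedPolicies": []},
    ],
    "GroupDetailList": [
        {"GroupName": "backend-engineers",
         "GroupPolicyList": [{"PolicyName": "group-inline-logs", "PolicyDocument": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "logs:Describe*", "Resource": "*"}]}}],
         "AttachedManagedPolicies": [{"PolicyName": "AmazonEC2ReadOnlyAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"}]},
    ],
    "RoleDetailList": [],
    "Policies": [],
})


def load_sample() -> dict:
    """Parse the constructed dump; for a real run use json.load(open("auth.json"))."""
    return json.loads(SAMPLE_DUMP)


def effective_policies(dump: dict) -> Dict[str, List[dict]]:
    """Return {user_name: [record, ...]}, one record per reachable policy.

    record = {"name", "kind": "inline"|"managed", "via": "user"|"group:<name>"}
    plus "document" (inline) or "arn" (managed). Inline documents are kept so
    they can be read on the spot; the ARN is what get-policy-version needs.
    """
    groups = {g["GroupName"]: g for g in dump.get("GroupDetailList", [])}
    result: Dict[str, List[dict]] = {}
    for user in dump.get("UserDetailList", []):
        records: List[dict] = []
        # Policies set directly on the user. Inline ones never appear in
        # `aws iam list-policies`, which is why they are easy to miss.
        for p in user.get("UserPolicyList", []):
            records.append({"name": p["PolicyName"], "kind": "inline", "via": "user",
                            "document": p["PolicyDocument"]})
        for p in user.get("AttachedManagedPolicies", []):
            records.append({"name": p["PolicyName"], "kind": "managed", "via": "user",
                            "arn": p["PolicyArn"]})
        # Policies inherited through groups: the user object says nothing about
        # these, so list-user-policies / list-attached-user-policies miss them.
        for gname in user.get("GroupList", []):
            g = groups.get(gname, {})
            for p in g.get("GroupPolicyList", []):
                records.append({"name": p["PolicyName"], "kind": "inline",
                                "via": f"group:{gname}", "document": p["PolicyDocument"]})
            for p in g.get("AttachedManagedPolicies", []):
                records.append({"name": p["PolicyName"], "kind": "managed",
                                "via": f"group:{gname}", "arn": p["PolicyArn"]})
        result[user["UserName"]] = records
    return result


def inline_count(dump: dict) -> int:
    """Inline policy documents any user can reach, directly or via a group."""
    return sum(1 for recs in effective_policies(dump).values()
               for r in recs if r["kind"] == "inline")


if __name__ == "__main__":
    for user, recs in effective_policies(load_sample()).items():
        print(f"== {user}: {len(recs)} policies")
        for r in recs:
            tag = "INLINE " if r["kind"] == "inline" else "MANAGED"
            print(f"   [{tag}] {r['name']:<26} via {r['via']}")
```

On the sample, alice ends up with four policies although only two are visible on her user object; the two inline documents (one direct, one via the group) are printed straight from the dump, while the managed ones give you the ARNs to feed into get-policy and get-policy-version.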

Policies

  • Rules that define permissions for users, groups, and roles regarding access to resources.
  • Policies define what a user, group, or role can and can't do. They are written in JSON and attached to IAM entities. There are two kinds:
    1. Managed Policies – Standalone policies with their own ARN, reusable across users, groups and roles. AWS-managed ones (e.g. ReadOnlyAccess) are maintained by AWS; customer-managed ones are created in your account (list-policies --scope Local). Easier to manage, audit and scale.
    2. Inline Policies – Embedded directly in one user, group, or role; they have no ARN and do not show up in list-policies. They are harder to track and often the source of privilege escalation bugs in real-world environments. In pentests, most misconfigurations come down to sloppy or forgotten policies, especially inline ones.
# List INLINE policies on a user
aws iam list-user-policies --user-name <User Name> --profile <Profile Name>

# Get the document of a specific inline policy
aws iam get-user-policy --user-name <User Name> --policy-name <Policy Name> --profile <Profile Name>

# List all users and roles via cloudfox
cloudfox aws inventory
cloudfox aws principals --profile <profile>

# Get attached (managed) user policies
aws iam list-attached-user-policies --user-name <username>

# Get a specific policy version
aws iam get-policy-version --policy-arn <policy_arn> --version-id v1

# List inline role policies
aws iam list-role-policies --role-name <Role_Name>

# List only customer-managed policies
aws iam list-policies --scope Local

# List only currently attached policies
aws iam list-policies --only-attached

# Get policy metadata (includes DefaultVersionId)
aws iam get-policy --policy-arn <arn>

# List all versions of a policy (v1, v2, v3...). Check every version, not just the default:
# an older version may be broader, and iam:SetDefaultPolicyVersion can re-activate it
aws iam list-policy-versions --policy-arn <arn>

# Get full content of a specific policy version
aws iam get-policy-version --policy-arn <arn> --version-id <v1>

# See all users/groups/roles using this policy
aws iam list-entities-for-policy --policy-arn <arn>

Roles

Roles are like users but without long-term credentials. You assume a role temporarily (sts:AssumeRole), and AWS returns credentials that expire after a set time. Who may assume a role is defined by its trust policy (AssumeRolePolicyDocument), which is separate from the permission policies attached to it.

  • Example:
    • If I'm a security analyst investigating an incident, I might assume a role that gives me access to logs for a few hours and then lose that access when I'm done. Roles help enforce the principle of least privilege.

Important checks:

For Roles:
  aws iam list-role-policies           🔶 ← Inline
  aws iam list-attached-role-policies  🔷 ← Managed
# List all roles
aws iam list-roles

# Filter to a specific role by name
aws iam list-roles --query "Roles[?RoleName=='<Role Name>']" --profile <Profile Name>

# Get role details + trust policy (who can assume it): read Principal and Condition in AssumeRolePolicyDocument
aws iam get-role --role-name <rolename>

# 🔶 INLINE policies on a role
aws iam list-role-policies --role-name <rolename>
aws iam get-role-policy --role-name <rolename> --policy-name <policyname>

# 🔷 MANAGED policies on a role
aws iam list-attached-role-policies --role-name <rolename>

Final checklist (what to watch for)

  • Users with excessive permissions (include what they inherit from groups).
  • Roles whose trust policy lets your current principal, a whole account, or any principal ("Principal": {"AWS": "*"}) assume them.
  • Policies that use wildcards (e.g. "Action": "*" or "Resource": "*"), or Allow statements that use NotAction.
  • Services or Lambda functions with elevated permissions (roles you can hand them via iam:PassRole) that you can potentially abuse.
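The Policies and Roles sections above pull the JSON; the checklist says what to look for in it. The following added example, not code from the original post, cloudfox or iam-enum.py, applies those checks mechanically to policy documents as the CLI prints them: wildcard Action/Resource, Allow with NotAction, actions that are known stepping stones to privilege escalation, and trust policies open to any account or to a service. The sample documents, role names and the PRIVESC_ACTIONS list are constructed assumptions for illustration.

```python
"""Flag checklist items in IAM policy documents: wildcard Action/Resource,
Allow+NotAction, privilege-escalation-prone IAM actions, and role trust
policies open to any AWS principal.

Added example for this post, not code from the original, cloudfox or
iam-enum.py. Documents are the plain dicts the AWS CLI prints for
get-*-policy, get-policy-version and get-role. The sample documents and
PRIVESC_ACTIONS are constructed assumptions, not an exhaustive list.
"""
import fnmatch
from typing import Any, Iterable, List

# Actions that commonly let a principal grant itself more access (assumed
# starting set; extend per engagement). Lower-case for matching.
PRIVESC_ACTIONS = {
    "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:attachuserpolicy", "iam:attachgrouppolicy", "iam:attachrolepolicy",
    "iam:putuserpolicy", "iam:putgrouppolicy", "iam:putrolepolicy",
    "iam:createaccesskey", "iam:createloginprofile", "iam:updateloginprofile",
    "iam:passrole", "iam:updateassumerolepolicy", "sts:assumerole",
}

def _as_list(v: Any) -> List[Any]:
    """IAM accepts a single string wherever a list is allowed; normalise."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]

def statements(doc: dict) -> Iterable[dict]:
    """Yield each statement; 'Statement' may be one dict or a list."""
    yield from _as_list(doc.get("Statement"))

def analyse_policy(name: str, doc: dict) -> List[str]:
    """Findings for one identity policy (inline, or one managed policy version)."""
    findings: List[str] = []
    for i, st in enumerate(statements(doc)):
        if st.get("Effect") != "Allow":
            continue                       # Deny statements restrict, never grant
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        where = f"{name} stmt#{i}"
        if "NotAction" in st:
            findings.append(f"{where}: Allow with NotAction grants everything not listed")
        if "*" in actions:
            findings.append(f"{where}: Action '*'")
            continue                       # everything below is implied by '*'
        if "*" in resources and actions:
            findings.append(f"{where}: Resource '*' for {', '.join(actions)}")
        # A pattern such as iam:* or iam:Put* covers a privesc action without naming it.
        hits = sorted(p for p in PRIVESC_ACTIONS if any(fnmatch.fnmatchcase(p, a) for a in actions))
        if hits:
            cond = "" if "Condition" in st else " (no Condition)"
            findings.append(f"{where}: privesc-prone actions {', '.join(hits)}{cond}")
    return findings

def analyse_trust(role_name: str, trust: dict) -> List[str]:
    """Findings for a role's AssumeRolePolicyDocument: who may assume it, how loosely."""
    findings: List[str] = []
    for i, st in enumerate(statements(trust)):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        where = f"{role_name} trust stmt#{i}"
        cond = "" if "Condition" in st else ", no Condition"
        if principal == "*":
            findings.append(f"{where}: Principal '*' (anyone){cond}")
            continue
        if not isinstance(principal, dict):
            continue
        for p in _as_list(principal.get("AWS")):
            if p == "*":
                findings.append(f"{where}: Principal AWS '*' (any account){cond}")
            elif p.endswith(":root"):      # arn:aws:iam::<acct>:root trusts a whole account
                findings.append(f"{where}: whole account {p.split(':')[4]} trusted{cond}")
        for svc in _as_list(principal.get("Service")):
            # any resource of that service (e.g. a Lambda) this role can be passed to runs with it
            findings.append(f"{where}: assumable by service {svc}")
    return findings

# Constructed sample documents.
INLINE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
     "Resource": "arn:aws:iam::123456789012:policy/team-policy"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}
ADMIN_LIKE = {"Version": "2012-10-17",
              "Statement": {"Effect": "Allow", "NotAction": "iam:DeleteUser", "Resource": "*"}}
TRUST_OPEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
TRUST_LAMBDA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for line in (analyse_policy("alice-inline", INLINE_POLICY) + analyse_policy("admin-like", ADMIN_LIKE)
                 + analyse_trust("open-role", TRUST_OPEN) + analyse_trust("lambda-role", TRUST_LAMBDA)):
        print("!!", line)
```

Feed it the PolicyDocument from get-user-policy / get-group-policy / get-role-policy, the Document of each version from get-policy-version, and Role.AssumeRolePolicyDocument from get-role. Deny statements are skipped on purpose because Deny never grants, but the MFA-gated Deny in the sample shows why findings should be read alongside them: an Allow that looks abusable may be neutralised for a principal without MFA.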

AI automation script

iam-enum.py, an AI-generated Python script that runs the IAM permission checks above.

python3 iam-enum.py --profile default

<snip>...

This post is licensed under CC BY 4.0 by the author.