AWS Pentesting – IAM (Part 2)

In AWS cloud environments, Identity and Access Management (IAM) is the cornerstone of security. Enumerating IAM entities (users, groups, roles, and policies) is a critical skill during security assessments, penetration tests, incident response, and compliance audits.

This blog provides all the essential AWS CLI commands you need to map out IAM permissions effectively. These commands will help you build a complete picture of who can do what in an AWS account.

Why IAM Enumeration Matters

Overly permissive IAM configurations are one of the leading causes of cloud breaches as discussed in AWS Pentesting – Initial Access and AWS Pentesting – IAM (Part 1). By systematically enumerating IAM resources, you can:

  • Identify excessive permissions
  • Discover privilege escalation paths
  • Map attack surfaces
  • Support least-privilege remediation efforts
  • Meet compliance and auditing requirements

Note: Most of these commands require iam:List*, iam:Get*, and iam:Describe* permissions granted to the principal whose credentials you are using. Run them with an appropriately privileged IAM role or user when practicing.

1. List IAM Users

aws iam list-users

This command returns a list of all IAM users in the account, including usernames, user IDs, ARNs, and creation dates.

2. Get User Permissions

a. List Attached Managed Policies

aws iam list-attached-user-policies --user-name <user-name>

b. List Inline Policies

aws iam list-user-policies --user-name <user-name>

c. Get Inline Policy Details

aws iam get-user-policy --user-name <user-name> --policy-name <policy-name>

3. List IAM Groups and Their Permissions

a. List Groups for a Specific User

aws iam list-groups-for-user --user-name <user-name>

b. List Group Policies

aws iam list-attached-group-policies --group-name <group-name>
aws iam list-group-policies --group-name <group-name>

c. Get Inline Group Policy Details

aws iam get-group-policy --group-name <group-name> --policy-name <policy-name>

4. List IAM Roles and Permissions

a. List All Roles

aws iam list-roles

b. Get Role Details (including Trust Policy)

aws iam get-role --role-name <role-name>

The trust policy is especially important as it shows which principals can assume the role.

c. List Attached Managed Policies

aws iam list-attached-role-policies --role-name <role-name>

d. List Inline Policies

aws iam list-role-policies --role-name <role-name>

e. Get Inline Role Policy Details

aws iam get-role-policy --role-name <role-name> --policy-name <policy-name>

5. Get and Decode Policy Documents

a. Get Managed Policy Details

aws iam get-policy --policy-arn <policy-arn>

b. Get Specific Policy Version Document

aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>

A more readable way to view the same information is to extract just the policy document from the command's output and pipe it through jq:

aws iam get-policy-version --policy-arn <policy-arn> --version-id v1 --query 'PolicyVersion.Document' --output json | jq '.' > policy.json

6. Full IAM Snapshot (Most Powerful Command)

aws iam get-account-authorization-details

This single command dumps a comprehensive view of the entire account’s IAM configuration, including:

  • All users, groups, and roles
  • All policies (managed and inline)
  • Policy documents
  • Permissions boundaries

You can narrow the output to specific entity types with the --filter flag, as shown below:

aws iam get-account-authorization-details --filter user
aws iam get-account-authorization-details --filter role
aws iam get-account-authorization-details --filter group
aws iam get-account-authorization-details --filter local-managed-policy

Automation & Best Practices

  • Scripting: Combine these commands into a Bash or Python script to generate HTML/Markdown reports automatically. This is only recommended when practicing and during penetration tests. On a red team engagement, running these commands back to back or within a short time window can hurt your OPSEC, but that’s a conversation for another day.
  • Output Formats: Use --output json or --output table depending on your needs.
  • Pagination: For large accounts, use --max-items and handle pagination tokens.
  • Security: Never run these commands with more permissions than necessary. Use read-only roles for audits.
  • Tools: Consider tools like Pacu or custom scripts built around these commands.

Final Tips

Always document your findings clearly. Focus not just on what permissions exist, but on risky combinations such as:

  • iam:CreateAccessKey + iam:AttachUserPolicy
  • iam:PassRole combined with powerful services (lambda, ec2, glue, etc.)
  • AdministratorAccess or PowerUserAccess policies
  • Overly broad wildcards (*) in actions or resources
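As an added example (not code from the original post), here is a Python script that applies these Final Tips checks to the saved output of aws iam get-account-authorization-details, resolving each user's, group's and role's inline and attached policies. The SAMPLE dict is constructed data in that command's output shape; the principal, policy names and account ID in it are made up.

```python
from fnmatch import fnmatch
# Constructed sample shaped like `aws iam get-account-authorization-details` output (names made up).
SAMPLE = {
    "UserDetailList": [{"UserName": "deploy-bot", "AttachedManagedPolicies": [],
        "UserPolicyList": [{"PolicyName": "keys", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:AttachUserPolicy"], "Resource": "*"}]}}]}],
    "GroupDetailList": [],
    "RoleDetailList": [{"RoleName": "ci-role", "RolePolicyList": [], "AttachedManagedPolicies": [
        {"PolicyName": "ci-policy", "PolicyArn": "arn:aws:iam::123456789012:policy/ci-policy"}]}],
    "Policies": [{"Arn": "arn:aws:iam::123456789012:policy/ci-policy", "PolicyVersionList": [
        {"IsDefaultVersion": True, "Document": {"Statement": [
            {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}}]}],
}

def as_list(v):  # IAM allows a single value or a list for Statement, Action and Resource
    return [v] if isinstance(v, (str, dict)) else list(v or [])

def allowed_actions(details, principal):
    """Set of (action, resource_is_star) from inline policies plus attached policies' default versions."""
    docs = [p["PolicyDocument"] for k in ("UserPolicyList", "GroupPolicyList", "RolePolicyList") for p in principal.get(k, [])]
    managed = {p["Arn"]: p for p in details.get("Policies", [])}  # managed policy documents live under Policies
    for att in principal.get("AttachedManagedPolicies", []):
        docs += [v["Document"] for v in managed.get(att["PolicyArn"], {}).get("PolicyVersionList", [])
                 if v.get("IsDefaultVersion")]
    acts = set()
    for doc in docs:
        for st in as_list(doc.get("Statement")):
            if st.get("Effect") == "Allow":
                acts.update((a, "*" in as_list(st.get("Resource"))) for a in as_list(st.get("Action")))
    return acts

def grants(acts, wanted):
    """True if any allowed action pattern (e.g. 'iam:*') covers the wanted action."""
    return any(fnmatch(wanted.lower(), a.lower()) for a, _ in acts)

def findings(details):
    """Map 'kind/name' -> risky patterns from the Final Tips, for every user, group and role."""
    out = {}
    for kind, key in (("user", "UserDetailList"), ("group", "GroupDetailList"), ("role", "RoleDetailList")):
        for p in details.get(key, []):
            acts, flags = allowed_actions(details, p), []
            if any(a in ("*", "*:*") for a, _ in acts): flags.append("wildcard action")
            if any(star for _, star in acts): flags.append("wildcard resource")
            if grants(acts, "iam:CreateAccessKey") and grants(acts, "iam:AttachUserPolicy"):
                flags.append("CreateAccessKey+AttachUserPolicy")
            if grants(acts, "iam:PassRole") and any(a.split(":")[0] in ("lambda", "ec2", "glue") for a, _ in acts):
                flags.append("PassRole+lambda/ec2/glue")
            if any(m["PolicyName"] in ("AdministratorAccess", "PowerUserAccess") for m in p.get("AttachedManagedPolicies", [])):
                flags.append("admin managed policy")
            if flags: out[f"{kind}/{p[kind.capitalize() + 'Name']}"] = flags
    return out
```

On a real snapshot, save the command's output to a file and call findings(json.load(open("details.json"))); AWS managed policies attached to a principal are only resolved if their documents appear in the Policies list of that snapshot.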

Save this page and bookmark it if you would like to use it during engagements.