IAM
About IAM¶
Coming soon
AWS IAM Enumeration CLI commands¶
Retrieves general account information about including IAM users, groups, roles, and policies, and their relationships to one another.
These are meant to be non-destructive enumeration commands. They only retrieve information, they do not modify resources (unless otherwise specified). Official AWS Documentation
Note: most of these commands have many more options than are shown, but they are optional and left out because they're not that useful most of the time and only required for special use cases. Refer to the docs above for more details.
Legend:
- Each line that starts with
aws
is the command - The word immediately following
aws
denotes the service (ie:aws sts
is calling the STS service,aws iam
is calling the IAM service)
General commands¶
Get-caller-identity¶
Example output
:user/
tells us this is a user identity and not a role, which would instead be:role/
The "whoami" in AWS.
Returns details about the IAM user or role whose credentials are used to call the operation. While not an IAM command (it's an STS command), this is often the first command that gets used for IAM enumeration which is why it's included here.
No policy can deny issuing this command since it gives the same information when access is denied. More on that here.
Get-access-key-info¶
Provide the AWS account ID for the given access key ID. Only provide the access key ID, not the secret access key.
Note: if an access key ID starts with AKIA
, then it means it's a long-term credential. If it starts with ASIA
, then it means they are temporary creentials that were created by STS operations
Get-account-authorization-details¶
General IAM account information
Gives a snapshot of the configuration of IAM permissions (users, groups, roles, and policies) and their relationships in your account.
User Enumeration¶
List-users¶
List users in the AWS account.
List-Service-specific-credentials¶
Get service-specific credentials associated with the IAM user.
Get-user¶
Get user's metadata. Includes permissions boundaries!
List-access-keys¶
List existing access keys for a specific user (your current user being the default if no value is specified)
List-user-policies¶
Get inline policies for a user.
Get-user-policy¶
Get details about an inline policy.
List-attached-user-policies¶
Get attached (managed) policies (instead of inline policies). These can be either AWS-managed or Customer-managed policies.
Get-login-profile¶
Checks to see if the user has a login profile (password to log into the AWS Console). Returns the UserName and CreatedDate, which reflects the creation date of the password
Groups Enumeration¶
List-groups¶
Get a list of groups in the AWS account.
List-groups-for-user¶
Get groups related to a user.
Get-group¶
Get a group's details.
List-group-policies¶
Get inline policies of a group.
Get-group-policy¶
Get inline policies of a group. (The difference between inline and managed policies)
List-attached-group-policies¶
Get attached (managed) policies for a group (instead of inline policies). These can be either AWS-managed or Customer-managed policies. (Inline vs. managed, and AWS-managed vs. Customer-managed policies)
Enumerate Roles¶
List-roles¶
Get roles in the AWS account.
Get-role¶
Get details about a specific role.
List-role-policies¶
Get inline policies of a role. (Inline vs. managed policies)
Get-role-policy¶
Get inline policy details.
List-attached-role-policies¶
Get attached (managed) policies for a role (instead of inline policies). These can be either AWS-managed or Customer-managed policies
Enumerate policies¶
List-policies¶
List policies [--only-attached] is optional and will list policies only if they're attached to an IAM user/group/role
[--scope local]is optional and will only list policies that are Customer-managed, not AWS-managed.
--scope` AWS would be the opposite
List-policies¶
Get list of policies that a user/group/role can use to access a specific service.
Example: aws iam list-policies-granting-service-access --arn arn:aws:iam::123456789012:user/UserName --service-namespaces eks
for EKS
Get-policy¶
Get details for a specific policy.
List-policy-versions¶
Returns information about policy versions for a specific managed policy, including which one is the current default version.
Get-policy-version¶
Get details for a specific policy version since policies can have multiple versions.
List-entities-for-policy¶
Lists all the IAM users/groups/roles that the managed policy is attached to.
MFA¶
List-mfa-devices¶
Get list of all MFA devices for a specific user. If no user is provided, AWS auto determines the user based on the access key ID.
List-virtual-mfa-devices¶
Get list of all MFA devices in the AWS account
Can use optional --assignment-status
to filter by Assigned, Unassigned, or Any (the default)
Learn how to enumerate IAM Hands-On¶
Helpful tools¶
- Enumerate-IAM - Enumerate the permissions associated with AWS credential set