DEV Community

Afshan Naqvi
Essential AWS IAM Enumeration Commands

Hey everyone,

I hope you all are doing well.

Today, I would like to share some AWS CLI commands that I've found incredibly useful in my cloud security projects. As AWS is our primary cloud provider, having a good grasp of AWS CLI is essential. In this post, I'll be focusing on IAM (Identity and Access Management) enumeration through the command line.

Note: I've compiled these commands for my own quick reference. As I discover more valuable commands, I'll keep adding them here in the future.

Let's get started!

To begin, it's crucial to learn how to configure AWS keys via the CLI. This skill is essential because many clients entrust you with programmatic keys to assess potential vulnerabilities.

1. Configure AWS Credentials:
You can configure the AWS keys using the following command:

aws configure

You will be prompted to enter your AWS Access Key ID, AWS Secret Access Key, default region, and default output format.


2. WhoAmI:
To check the identity associated with your AWS CLI session, you can use the sts get-caller-identity command, commonly referred to as "whoami":

aws sts get-caller-identity


3. List IAM Users:
IAM users are commonly used to represent individuals, employees, or applications that require access to your AWS environment. Use the following command to list the IAM users in your AWS account:

aws iam list-users


4. List IAM Groups:
IAM Groups are collections of users who share similar access requirements. You can use the following command to list IAM groups in your AWS account:

aws iam list-groups


5. List IAM Roles:
IAM roles are identities that carry permissions but, unlike users, are not tied to a single person or to long-term credentials; they are assumed by users, applications, or AWS services and are typically defined around a specific job function or responsibility. Use the following command to list the IAM roles in your AWS account:

aws iam list-roles


6. List Attached Policies for a User/Group/Role:
A policy is a set of rules or guidelines that define what actions are allowed or denied in a specific context. Most policies are stored in AWS as JSON documents.

To list the managed policies attached to an IAM user, group, or role, replace USER_NAME, GROUP_NAME, or ROLE_NAME with the appropriate name:

aws iam list-attached-user-policies --user-name USER_NAME
aws iam list-attached-group-policies --group-name GROUP_NAME
aws iam list-attached-role-policies --role-name ROLE_NAME

7. List Inline Policies for a User/Group/Role:
To list inline policies for an IAM user, group, or role, replace USER_NAME, GROUP_NAME, or ROLE_NAME with the appropriate name:

aws iam list-user-policies --user-name USER_NAME
aws iam list-group-policies --group-name GROUP_NAME
aws iam list-role-policies --role-name ROLE_NAME

8. List Managed Policies:
Use the following command to list the managed policies in your AWS Identity and Access Management (IAM) environment. It retrieves and displays the IAM policies available in your AWS account (by default both AWS managed and customer managed policies):

aws iam list-policies


9. List Policy Versions:
To list all versions of a managed policy, specify the policy ARN (Amazon Resource Name):

aws iam list-policy-versions --policy-arn POLICY_ARN


10. Get Policy Document:
To view the policy document for a specific policy version, use the get-policy-version command with the version ID and policy ARN:

aws iam get-policy-version --policy-arn POLICY_ARN --version-id VERSION_ID


11. Assuming an IAM Role:
Assuming a role in AWS is like temporarily wearing a permission hat to access resources securely. You can assume a role using the following command:

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyNewRole --role-session-name MySession


The assume-role call returns temporary credentials (an access key ID, a secret access key, and a session token). You can export them into your environment variables as follows:

export AWS_ACCESS_KEY_ID=your_access_key_id
export AWS_SECRET_ACCESS_KEY=your_secret_access_key
export AWS_SESSION_TOKEN=your_session_token

Make sure to replace your_access_key_id, your_secret_access_key, and your_session_token with the actual values you received when assuming the role.
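An added example (not from the original post) that turns the assume-role output into the three export statements without copying values by hand. It relies on the AWS CLI's --query and --output text options, which print the selected fields tab-separated on one line; the sample credential line is constructed and the values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): convert the credentials returned
# by `aws sts assume-role` into export statements that can be eval'd in the shell.
#
# Real usage (needs AWS access):
#   aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyNewRole \
#       --role-session-name MySession \
#       --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
#       --output text | creds_to_exports
# `--output text` on a list query prints the three values tab-separated on one line.

# Read one tab-separated line (AccessKeyId, SecretAccessKey, SessionToken) on
# stdin and print the matching export statements. Fails if any field is missing,
# so `eval "$(... | creds_to_exports)"` never half-configures the environment.
creds_to_exports() {
  IFS="$(printf '\t')" read -r key secret token || return 1
  [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
  # Single quotes keep the session token (which contains '/', '+', '=') intact.
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
}

# Constructed sample line (placeholder values, not real credentials) standing in
# for the CLI output above, so the function can be exercised offline.
SAMPLE_CREDS="$(printf 'ASIAEXAMPLEKEYID\tEXAMPLEsecretKEY\tEXAMPLEsessionTOKEN==')"

creds_to_exports_sample() {
  printf '%s\n' "$SAMPLE_CREDS" | creds_to_exports
}

creds_to_exports_sample
```

In real use, run `eval "$(aws sts assume-role ... --output text | creds_to_exports)"` and then confirm the switch with `aws sts get-caller-identity`.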

12. List Instance Profiles:
An IAM instance profile links an IAM role to an EC2 instance, allowing the instance to assume the role and obtain temporary credentials to access AWS services and resources according to the role's permissions. Use the following command to list the IAM instance profiles in your AWS account:

aws iam list-instance-profiles


13. List SSH Public Keys:
To list SSH public keys associated with IAM users:

aws iam list-ssh-public-keys --user-name USER_NAME


14. List MFA Devices:
MFA in AWS is a security feature that requires users to provide two or more factors of authentication (typically something they know and something they have) to access their AWS account, enhancing security and reducing the risk of unauthorized access.

You can list the multi-factor authentication (MFA) devices associated with an IAM user by using the following command:

aws iam list-mfa-devices --user-name USER_NAME


15. List Service-Specific Credentials:
Service-specific credentials in AWS are temporary and limited-scope security credentials designed for use by AWS services and third-party applications. Use the following command to list the service-specific credentials for an IAM user:

aws iam list-service-specific-credentials --user-name USER_NAME


16. Creating an IAM User:
You can create an IAM user using the create-user command:

aws iam create-user --user-name MyNewUser


17. Creating an IAM Group:
You can create an IAM group using the create-group command:

aws iam create-group --group-name MyNewGroup


18. Attaching a Policy to a User or Group:
You can attach an existing IAM policy to a user or group using the attach-user-policy or attach-group-policy command:

aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess --user-name MyNewUser
aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --group-name MyNewGroup


19. List Server Certificates:
A server certificate refers to a digital certificate used to secure network communication between clients and your server or service. These certificates are primarily used for enabling secure, encrypted connections using protocols like HTTPS, which is crucial for protecting data in transit.

aws iam list-server-certificates

When you run this command, it will return a list of server certificates associated with your AWS account, including information such as the certificate name, the Amazon Resource Name (ARN), the expiration date, and the path.


20. Generating AWS Credential Reports:
AWS Credential Reports provide valuable insights into the security of your AWS account by detailing IAM user access and activity. To generate a credential report using the AWS Command Line Interface (CLI), follow these steps:

1. Generate the Report: Use the generate-credential-report command to initiate the report generation process. This command doesn't provide immediate access to the report but triggers its creation.

aws iam generate-credential-report

2. Wait for Completion: Credential reports typically take a few hours to generate. Check the status using the get-credential-report command. Repeat this step until the report is marked as "Ready."

aws iam get-credential-report


3. Retrieve the Report: Once the report is ready, use the get-credential-report command to retrieve and save the report in a CSV file for analysis.

aws iam get-credential-report --query 'Content' --output text | base64 -d > credential-report.csv

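An added example (not from the original post) of two checks a reviewer would run over the credential-report.csv produced by step 3: console users without MFA, and active access keys that have not been rotated since a cutoff date. Column positions are resolved from the header row by name, so the checks also work on a real report; the sample report below is constructed with placeholder data and trimmed to the columns used.

```shell
#!/bin/sh
# Added example (not from the original post): checks over the CSV written by
# `aws iam get-credential-report --query 'Content' --output text | base64 -d`.
# Note: `base64 -d` is GNU syntax; on macOS use `base64 -D` (or `--decode`).

# Constructed sample report (placeholder account 123456789012, not real data),
# trimmed to the columns these checks use; the column names match the real report.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-02T10:00:00+00:00,false,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T00:00:00+00:00,true,2024-01-01T10:00:00+00:00,true,true,2023-11-15T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2021-03-01T00:00:00+00:00,true,2024-01-01T10:00:00+00:00,false,true,2022-01-15T00:00:00+00:00
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2021-03-01T00:00:00+00:00,false,N/A,false,true,2021-06-30T00:00:00+00:00'

# Users who can log in to the console (password_enabled=true) without MFA.
# Reads the report CSV on stdin and prints one user name per line.
console_users_without_mfa() {
  awk -F, '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $(col["password_enabled"]) == "true" && $(col["mfa_active"]) == "false" { print $(col["user"]) }'
}

# Users whose active access key 1 was last rotated before the cutoff date
# ($1, YYYY-MM-DD). ISO 8601 timestamps sort lexically, so a string compare on
# the date prefix is enough and avoids date(1), whose flags differ between GNU and BSD.
stale_access_keys() {
  awk -F, -v cutoff="$1" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $(col["access_key_1_active"]) == "true" &&
      substr($(col["access_key_1_last_rotated"]), 1, 10) < cutoff { print $(col["user"]) }'
}

# Run both checks over the sample; replace SAMPLE_REPORT with `cat credential-report.csv`
# to run them on a real report.
report_findings() {
  printf 'Console users without MFA:\n'
  printf '%s\n' "$SAMPLE_REPORT" | console_users_without_mfa
  printf 'Access key 1 not rotated since %s:\n' "$1"
  printf '%s\n' "$SAMPLE_REPORT" | stale_access_keys "$1"
}

report_findings 2023-01-01
```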

Well, folks, that's a wrap for this post. If you're into cloud penetration testing, feel free to dive into my Pwned Labs lab-solving playlist.

Cloud Pentesting Playlist

Thanks for stopping by, and take care!
