Enumeration

Finding Permissions

As an authenticated user, you can perform a brute force attack to find permissions granted to you. This can be achieved using a tool like aws-enumerator or with the framework Pacu. Make sure to check for permissions in all regions!

./aws-enumerator cred -aws_access_key_id AKIA***********XKU -aws_region us-west-2 -aws_secret_access_key kIm6m********************5JPF
./aws-enumerator enum -services all
./aws-enumerator dump -services all

run iam__bruteforce_permissions --region [REGION NAME]

Keep in mind that these permissions are AWS functions, and not necessarily fine-grained. You may be able to access an S3 bucket or other specific resource, but that won't be revealed to you from brute-forcing functions.

IAM

The AWS CLI allows you to query privilege and user information. Please note that you will need the correct permissions to view IAM policies, either inline or managed.

aws iam get-user # Whoami
aws iam list-access-keys # Keys on account
aws iam list-users # All users
aws iam list-attached-user-policies --user-name [username] # Managed policies
aws iam list-user-policies --user-name [username] # Inline policies
aws iam get-user-policy --user-name [username] --policy-name [policyname] # Policy details

PreviousInitial Access and Authentication NextIAM and Resource Attacks

Last updated 1 month ago