My First Step Towards AWS Security — [IAM Enumeration]
“Today [April 20th ] I noticed a mail from Pentester Academy describing that they are conducting a spring challenge, The mail was having the details to access the blog explaining the Spring Challenge, so i just thought of trying it out and just open the lab of IAM Enumeration. I have chosen IAM enumeration because [ April 18th ] 2days before i came to know About IAM and I was working on creating a document IAM, and also i was using this in my company not the AWS one — it’s an internal platform , so i thought there will be some similarities and i will be able to understand and catch up things in much easier way. 🍀 Anyway let’s get started , Here I was following the Lab Guide provided by Pentester Academy so the story will be containing the same things in material provided by them .. ah !!! much more in my words anyway“
Note: For Those Who don't have an idea what an IAM is, Like Me !!!( 2 days before I was having no Idea what an IAM is and how it works !!! LoL its cool )
IAM stands for Identity and Access Management
IAM ensures that the right people and job roles in your organization can access the tools they need to do their jobs. Identity management and access systems enable your organization to manage employee apps without logging into each app as an administrator. Identity and access management systems enable your organization to manage a range of identities including people, software, and hardware like robotics and IoT devices.
IAM Performs Actions like:
-> Manage user Identities
-> Provisioning and de-provisioning users
-> Authenticating Users
-> Authorizing Users
-> Reporting
-> Single Sign-OnWeb Console Based Enumeration
So Let’ s get begin with IAM Enumeration in AWS web console :
After starting the lab you will be able to get a lab link which holds the door 🚪and key 🔑to the web console.
“ Objective of PT Academy Lab : Using the access credentials, enumerate users, roles, and policies on the AWS account.”
So, What’s this AWS IAM console all about ?
— AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.
Now Login to the console using the credentials from the lab. After successful login we will be able to see a nice and clean dashboard of the console.
Since we are going for IAM enumeration, the next step is we have to search for the IAM feature, from the search bar on the top search for IAM, and you will be able to get the path to the IAM features.
From there we will be able to access bunch of options like User Groups, Users, Roles, Policies, Identity Provides and Account Settings beneath the Access Management menu and Access Analyzer, Archive Rules, Analyzers, Settings, credential Report, Organization Activity, Service Control policies (SCPs) beneath the Access Reports Menu — these are the items that we going to walk around to enumerate things from the IAM.
At first, we will be looking at the Users Option in the Access Management Menu, after entering the User option We will be able see our dashboard loading a bunch of Usernames, to start enumerating the username click on any one of the usernames displayed
Now in order to enumerate each user one by one click on any of the user name and from the corresponding User’s Dashboard, we will be able to see the permissions and policies associated with that user.
Now let’s take look at the Groups of the user, click on the Groups tab and we will be able to see the groups associated with that user.
At the Security Credentials tab, we will be able to generate the access keys and ssh keys for AWS-CLI access and all.
Similarly, we can enumerate all the User relate policies and groups associated with every user from each user’s dashboard
Now let’s move onto the User groups option in Access Management menu on left panel.
Here we will be able to see a bunch of stuffs like all the existing user groups, create new group, to enumerate/view each group related data click on the group name. after entering a particular group dashboard, we will be able to see all the Users comes under that group, permission bind to that group and the in the access advisor tab we will be able to view the services that can be accessed by the group members.
From the Policies tab in the Access Management menu, we will be able to view/enumerate all the available permission that’s associated will all the users. We can also create new policies from that dashboard.
By clicking on each policy name, we will be able to understand the services, version and other details associated with that AWS policy.
Now let’s move on to the roles tab, from there we will be able to create and view all the roles available in the AWS IAM console, roles can be defined as an identity which follows a bunch of permissions with credentials that are valid for short duration. We can enumerate each role by clicking on the role name, from there we will be able to see the permissions, access advisors, trust relationships etc that’s associated to that role.
CLI Based Enumeration
AWS cli application can be used to perform the similar action actions, at first, we need to configure the AWS cli using the credentials obtained from the lab link. Installation and update details of AWS-CLI can be found on the AWS docs page ( https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html )
Now let’s move on to the configuring part, after successful installation of AWS-CLI we can use the AWS-CLI binary from terminal/powershell. For configuring AWS-CLI use the cmd
"aws configure" and use the necessary data from the lab link.To enumerate all the available users in the IAM dashboard use:
aws iam list-usersWe will be able to see all the available users in a JSON format as shown in the output.
Groups for each user can be enumerated using the command
aws iam list-groups-for-user –-user-name <username>
Policies attached to a particular user can be obtained using the command
aws iam list-attached-user-policies — user-name <username>
Similarly, we can enumerate each detail of User Groups, Roles, Users, Policies etc using the AWS-CLI application
I think there is no use of showing the same things again and how to guide you to use a CLI application that you already knows its better to mess up with the application and find out.
To View the full power of AWS-CLI application use the commands:
aws help😶 AWS-CLI app have a many feature and since we are enumerating the IAM feature we can view the help for IAM feature using
aws iam help the results can be sorted again for each options using command help with each option like:
aws iam [option] help“ I will be continuing the AWS IAM related here ….. like there are more labs i need to finish i have just completed the enumeration part“
