Discovering AWS IAM accounts
Posted: Thu, 7 October 2021
Let’s say you’re someone who happens to discover an AWS account number, and would like to take a stab at guessing what IAM users might be valid in that account. Tricky problem, right? Not with this One Weird Trick!
In your own AWS account, create a KMS key and try to reference an ARN representing an IAM user in the other account as the principal in the key policy. If the policy is accepted by PutKeyPolicy, then that IAM user exists; if the error says “Policy contains a statement with one or more invalid principals”, then the user doesn’t exist.
As an example, say you want to guess at IAM users in AWS account 111111111111. Then make sure this statement is in your key policy:
{
    "Sid": "Test existence of user",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/bob"
    },
    "Action": "kms:DescribeKey",
    "Resource": "*"
}
If that policy is accepted, then the account has an IAM user named bob. Otherwise, the user doesn’t exist. Scripting this is left as an exercise for the reader.
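The single-principal check described above, as an added example (not the post's own code), written so an account owner can point it at their own account and confirm that a given user name is resolvable this way. It assumes a KMS key you own (`key_id`), your own account id (222222222222, a constructed placeholder), and a boto3 KMS client supplied by the caller; the `kms` parameter is duck-typed so the error-classification logic can be exercised without AWS access, and any error other than the "invalid principals" message is re-raised rather than being mistaken for "user does not exist".

```python
import json

# Exact error text the post reports when the principal does not exist.
INVALID_PRINCIPAL = "Policy contains a statement with one or more invalid principals"


def build_key_policy(own_account_id: str, principal_arn: str) -> str:
    """Key policy JSON: an admin statement so your own account keeps control of
    the key, plus the probe statement from the post naming principal_arn."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Keep the key administrable by its owning account",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{own_account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Test existence of user",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
        ],
    }
    return json.dumps(policy)


def classify_error(message: str) -> str:
    """'missing' when KMS rejected the principal as invalid; otherwise 'other'
    (access denied, throttling, malformed ARN), which must not be read as
    'user does not exist'."""
    return "missing" if INVALID_PRINCIPAL in message else "other"


def principal_exists(kms, key_id: str, own_account_id: str, principal_arn: str) -> bool:
    """True if PutKeyPolicy accepts principal_arn, False if KMS calls it invalid.
    `kms` is a boto3 KMS client (duck-typed so the logic is testable offline);
    a botocore ClientError exposes the API error under err.response."""
    policy = build_key_policy(own_account_id, principal_arn)
    try:
        kms.put_key_policy(KeyId=key_id, PolicyName="default", Policy=policy)
    except Exception as err:
        message = getattr(err, "response", {}).get("Error", {}).get("Message", "")
        if classify_error(message) == "missing":
            return False
        raise  # anything else is a real failure; surface it
    return True
```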
Sadly, wildcards aren’t accepted in the username portion of the ARN, otherwise you could do some funky searching with ...:user/a*, ...:user/b*, etc. You can’t have everything; where would you put it all?
I did mention this to AWS as an account enumeration risk. They’re of the opinion that it’s a good thing you can know what users exist in random other AWS accounts. I guess that means this is a technique you can put in your toolbox safe in the knowledge it’ll work forever.
Given this is intended behaviour, I assume you don’t need to use a key policy for this, but that’s where I stumbled over it. Also, you can probably use it to enumerate roles and anything else that can be a principal, but since I don’t see as much use for that, I didn’t bother exploring it.
There you are, then. If you ever need to guess at IAM users in another AWS account, now you can!