## IAM

Users:

```
aws iam list-users
aws iam create-user --user-name <USER_NAME>
```

Roles:

```
aws iam list-roles
aws iam list-roles --profile <PROFILE_NAME>
```

Groups:

```
aws iam list-groups
aws iam list-groups-for-user --user-name <USER_NAME>
aws iam list-groups-for-user --user-name <USER_NAME> --profile <PROFILE_NAME>
aws iam add-user-to-group --group-name <GROUP_NAME> --user-name <USER_NAME>
```

Policies:

```
aws iam list-policies --profile <PROFILE_NAME>
aws iam list-policies --scope Local --profile <PROFILE_NAME>
aws iam list-group-policies --group-name ...
aws iam list-group-policies --group-name ... --profile <PROFILE_NAME>
aws iam list-attached-user-policies --user-name <USER_NAME>
aws iam attach-user-policy --user-name <USER_NAME> --policy-arn <POLICY_ARN>
# e.g. <POLICY_ARN> = "arn:aws:iam::aws:policy/AdministratorAccess"
aws iam get-policy-version --policy-arn <POLICY_ARN> --version-id v1 --profile <PROFILE_NAME>
aws iam get-role-policy --role-name <ROLE_NAME> --policy-name <POLICY_NAME> --profile <PROFILE_NAME>
```

Log in to the web console (creates a console password for the user):

```
aws iam create-login-profile --user-name <USER_NAME> --password <PASSWORD>
```

Create a set of access keys:

```
aws iam create-access-key --user-name <USER_NAME>
```

Generate a session token (usually lasts 12h):

```
aws sts get-session-token
```

List the caller's identity:

```
>>> aws --profile flawscloud sts get-caller-identity
975426262029    arn:aws:iam::975426262029:user/backup    AIDAJQ3H5DC3LEG2BKSLC
```

## Mapping AWS Permissions with PMapper

Enumeration:

```
python pmapper.py --profile <PROFILE_NAME> graph
```

Pull info via a query:

```
python pmapper.py --profile <PROFILE_NAME> query "who can do s3:GetObject with*"
```

Visualize permissions (this creates two files, output.dot and output.svg):

```
python pmapper.py --profile <PROFILE_NAME> visualize
```

## Examples

### Get Username of AWSID

```
aws --profile level6 iam get-user
```

### List Policies of Username

```
>>> aws --profile level6 iam list-attached-user-policies --user-name Level6
{
    "AttachedPolicies": [
        {
            "PolicyName": "list_apigateways",
            "PolicyArn": "arn:aws:iam::975426262029:policy/list_apigateways"
        },
        {
            "PolicyName": "MySecurityAudit",
            "PolicyArn": "arn:aws:iam::975426262029:policy/MySecurityAudit"
        }
    ]
}
```

### Get Policies by ID

```
>>> aws --profile level6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "apigateway:GET"
                    ],
                    "Effect": "Allow",
                    "Resource": "arn:aws:apigateway:us-west-2::/restapis/*"
                }
            ]
        },
        "VersionId": "v4",
        "IsDefaultVersion": true,
        "CreateDate": "2017-02-20T01:48:17Z"
    }
}
```
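The policy document returned by `get-policy-version` is what PMapper's "who can do" query is ultimately built from. The following is an added example (not part of the original notes or of PMapper) that evaluates such a document offline: it answers whether a given action on a given resource is allowed, with explicit Deny overriding Allow, and lists the wildcard grants a reviewer should look at first. The `list_apigateways` document is the one shown above; `BROAD_POLICY` is a constructed sample.

```python
import fnmatch

# Policy document shown above under "Get Policies by ID" (the page's
# list_apigateways policy), embedded here so the example runs offline.
LIST_APIGATEWAYS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["apigateway:GET"],
                   "Resource": "arn:aws:apigateway:us-west-2::/restapis/*"}],
}

# Constructed over-broad policy (not from the page): a service-wide Allow
# with an explicit Deny carved out of it.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

def _as_list(value):
    # Action/Resource may be a string or a list in IAM JSON; normalise to a list.
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcards are '*' and '?'; actions are case-insensitive (ARNs lower-cased too, for simplicity).
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def policy_allows(doc, action, resource):
    """Evaluate one identity policy: explicit Deny wins, default is deny.
    Condition, NotAction/NotResource and Principal are out of scope."""
    allowed = False
    for stmt in doc.get("Statement", []):
        if (any(_matches(a, action) for a in _as_list(stmt.get("Action")))
                and any(_matches(r, resource) for r in _as_list(stmt.get("Resource")))):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def find_broad_grants(doc):
    """(action, resource) pairs from Allow statements with a wildcard action
    or the bare '*' resource: the grants to review first."""
    return [(a, r)
            for stmt in doc.get("Statement", []) if stmt.get("Effect") == "Allow"
            for a in _as_list(stmt.get("Action"))
            for r in _as_list(stmt.get("Resource"))
            if a.endswith("*") or r == "*"]
```

Run `policy_allows(LIST_APIGATEWAYS, "apigateway:GET", "arn:aws:apigateway:us-west-2::/restapis/abc123")` to confirm the page's policy grants read access only to that region's REST APIs; `find_broad_grants(LIST_APIGATEWAYS)` is empty, while the constructed policy reports its `s3:*` on `*` grant.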