
IAM

Users:

aws iam list-users
aws iam create-user --user-name <USER_NAME>

Roles:

aws iam list-roles
aws iam list-roles --profile <PROFILE_NAME>

Groups:

aws iam list-groups
aws iam list-groups-for-user --user-name <USER_NAME>
aws iam list-groups-for-user --user-name <USER_NAME> --profile <PROFILE_NAME>
aws iam add-user-to-group --group-name <GROUP_NAME> --user-name <USER_NAME>

Policies:

aws iam list-policies --profile <PROFILE_NAME>
aws iam list-policies --scope Local --profile <PROFILE_NAME>
aws iam list-group-policies --group-name ...
aws iam list-group-policies --group-name ... --profile <PROFILE_NAME>
aws iam list-attached-user-policies --user-name <USER_NAME>
aws iam attach-user-policy --user-name <USER_NAME> --policy-arn <POLICY_ARN>
# e.g. <POLICY_ARN> = "arn:aws:iam::aws:policy/AdministratorAccess"
aws iam get-policy-version --policy-arn <POLICY_ARN> --version-id v1 --profile <PROFILE_NAME>
aws iam get-role-policy --role-name <ROLE_NAME> --policy-name <POLICY_NAME> --profile <PROFILE_NAME>

Log in to the web console:

aws iam create-login-profile --user-name <USER_NAME> --password <PASSWORD>

Create a set of access keys:

aws iam create-access-key --user-name <USER_NAME>

Generate a session token (usually lasts 12h):

aws sts get-session-token

List User Identity:

>>> aws --profile flawscloud sts get-caller-identity
975426262029    arn:aws:iam::975426262029:user/backup   AIDAJQ3H5DC3LEG2BKSLC

Mapping AWS Permissions with PMapper

Enumeration:

python pmapper.py --profile <PROFILE_NAME> graph

Pull info via query:

python pmapper.py --profile <PROFILE_NAME> query "who can do s3:GetObject with*"

Visualize permissions (this creates two files: output.dot and output.svg):

python pmapper.py --profile <PROFILE_NAME> visualize

Examples

Get username of the AWS ID

aws --profile level6 iam get-user

List Policies of Username

>>> aws --profile level6 iam list-attached-user-policies --user-name Level6
{
    "AttachedPolicies": [
        {
            "PolicyName": "list_apigateways",
            "PolicyArn": "arn:aws:iam::975426262029:policy/list_apigateways"
        },
        {
            "PolicyName": "MySecurityAudit",
            "PolicyArn": "arn:aws:iam::975426262029:policy/MySecurityAudit"
        }
    ]
}

Get Policies by ID

>>> aws --profile level6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "apigateway:GET"
                    ],
                    "Effect": "Allow",
                    "Resource": "arn:aws:apigateway:us-west-2::/restapis/*"
                }
            ]
        },
        "VersionId": "v4",
        "IsDefaultVersion": true,
        "CreateDate": "2017-02-20T01:48:17Z"
    }
}
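As an added example (not part of the original notes or of PMapper), the following Python script does the review step that follows the commands above: it takes policy documents as returned by `get-policy-version`, normalizes `Statement`, `Action` and `Resource` (each may be a string or a list), and flags Allow statements that grant wildcard actions or resources. The `list_apigateways` document is copied from the output above; the admin-style document is constructed for contrast. `NotAction` and `Condition` are deliberately not evaluated.

```python
import json

# Policy document copied from the get-policy-version output above.
LIST_APIGATEWAYS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["apigateway:GET"], "Effect": "Allow",
         "Resource": "arn:aws:apigateway:us-west-2::/restapis/*"}
    ],
}

# Constructed sample: the shape of a full-admin grant (Action "*" on Resource "*").
ADMIN_LIKE = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
}


def document_from_cli_output(raw_json):
    """Unwrap the JSON printed by `aws iam get-policy-version` to the policy document."""
    return json.loads(raw_json)["PolicyVersion"]["Document"]


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def summarize_policy(document):
    """Return (effect, action, resource) triples for every explicit grant in the document."""
    grants = []
    for stmt in _as_list(document.get("Statement")):
        effect = stmt.get("Effect", "Deny")
        for action in _as_list(stmt.get("Action")):      # NotAction is ignored here
            for resource in _as_list(stmt.get("Resource")):
                grants.append((effect, action, resource))
    return grants


def find_wildcard_allows(document):
    """Flag Allow grants whose action is '*' / 'service:*' or whose resource is a bare '*'."""
    findings = []
    for effect, action, resource in summarize_policy(document):
        if effect != "Allow":
            continue
        broad_action = action == "*" or action.endswith(":*")
        if broad_action or resource == "*":
            findings.append({"action": action, "resource": resource,
                             "admin_equivalent": action == "*" and resource == "*"})
    return findings


if __name__ == "__main__":
    for name, doc in (("list_apigateways", LIST_APIGATEWAYS), ("admin_like", ADMIN_LIKE)):
        print(name, json.dumps(find_wildcard_allows(doc)))
```

Feed it the saved output of `aws iam get-policy-version` via `document_from_cli_output` to review every policy attached to a user in one pass.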