IAM

IAM is not about who has permissions — it’s about who can become someone else.

When you’re reviewing IAM permissions, here are things you should always check:

  • Users with excessive permissions (admin-like access, broad iam:*, or permissions not aligned with their role)

  • Roles that can be assumed (misconfigured trust policies, overly broad principals, weak or missing conditions)

  • Policies that use wildcards such as "Action": "*", "iam:*", or "Resource": "*"

  • Permissions that allow privilege escalation (iam:PassRole, iam:AttachRolePolicy, iam:PutRolePolicy, iam:CreatePolicyVersion)

  • Users or roles with write access to IAM resources (ability to modify users, groups, roles, or policies)

  • Services or Lambda functions with elevated IAM permissions that can be abused indirectly

  • Roles attached to compute services (EC2, Lambda, ECS, CodeBuild) with more permissions than required

  • Cross-account trust relationships that allow lateral movement between AWS accounts

  • Use of inline policies (harder to track and often less reviewed than managed policies)

  • Old or unused roles and policies that may still have powerful permissions

  • Permissions boundaries and SCPs that may restrict or unintentionally allow escalation paths

# AWS IAM Enumeration Cheat Sheet (Pentesting)

```bash
# 1. List IAM Users
aws iam list-users

# 2. Get User Permissions

## a. List attached managed policies
aws iam list-attached-user-policies --user-name <user-name>

## b. List inline policies
aws iam list-user-policies --user-name <user-name>

## c. Get inline policy details
aws iam get-user-policy --user-name <user-name> --policy-name <policy-name>

# 3. List IAM Groups and Permissions

## a. List groups for a user
aws iam list-groups-for-user --user-name <user-name>

## b. List group policies
# Attached managed policies
aws iam list-attached-group-policies --group-name <group-name>

# Inline policies
aws iam list-group-policies --group-name <group-name>

## c. Get inline group policy details
aws iam get-group-policy --group-name <group-name> --policy-name <policy-name>

# 4. List IAM Roles and Permissions

## a. List all roles
aws iam list-roles

## b. Get role details (trust policy)
aws iam get-role --role-name <role-name>

## c. List attached managed policies
aws iam list-attached-role-policies --role-name <role-name>

## d. List inline policies
aws iam list-role-policies --role-name <role-name>

## e. Get inline role policy details
aws iam get-role-policy --role-name <role-name> --policy-name <policy-name>

# 5. Get and Decode Policy Documents

## a. Get a managed policy (metadata)
aws iam get-policy --policy-arn <policy-arn>

## b. Get a specific policy version (actual document)
aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>

# 6. View Full IAM Snapshot

## Dump all IAM authorization details (users, groups, roles, policies)
aws iam get-account-authorization-details

# Tip:
# Use --filter User|Role|Group|LocalManagedPolicy|AWSManagedPolicy
# to scope the output and build a full IAM permissions map.
```
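To turn the review checklist at the top of this page and the step 6 snapshot into something you can run, here is an added example (not from the original page) that walks a `get-account-authorization-details` JSON dump and flags wildcard grants, escalation-capable actions, inline policies and broadly assumable roles. The `SNAPSHOT` data and the account id `111111111111` are constructed placeholders.

```python
ESCALATION_ACTIONS = {"iam:passrole", "iam:attachrolepolicy", "iam:putrolepolicy", "iam:createpolicyversion"}  # from the checklist above

def as_list(v):
    return v if isinstance(v, list) else [v]  # IAM policy fields may be a string or a list

def risky_statements(doc):  # yields one finding per wildcard or escalation-capable Allow statement
    for st in as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(st.get("Action", []))}
        if actions & {"*", "iam:*"}:
            yield "wildcard action"
        if "*" in as_list(st.get("Resource", [])):
            yield "wildcard resource"
        if actions & ESCALATION_ACTIONS:
            yield "privilege-escalation action"

def broad_trust(trust, account_id):  # True if a wildcard, or an unconditioned principal outside account_id, may assume the role
    for st in as_list(trust.get("Statement", [])):
        principal = st.get("Principal", {})
        for p in (as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]):
            if st.get("Effect") == "Allow" and (p == "*" or (account_id not in p and not st.get("Condition"))):
                return True
    return False

def review(snapshot, account_id):  # returns (principal or policy name, finding) pairs for the whole snapshot
    findings = []
    for user in snapshot.get("UserDetailList", []):
        for pol in user.get("UserPolicyList", []):  # inline user policies
            findings += [(user["UserName"], f) for f in risky_statements(pol["PolicyDocument"])]
    for role in snapshot.get("RoleDetailList", []):
        if broad_trust(role.get("AssumeRolePolicyDocument", {}), account_id):
            findings.append((role["RoleName"], "assumable by wildcard or unconditioned external principal"))
        for pol in role.get("RolePolicyList", []):  # inline role policies
            findings += [(role["RoleName"], f) for f in risky_statements(pol["PolicyDocument"])]
    for pol in snapshot.get("Policies", []):  # managed policies: only the default version is in effect
        doc = next(v["Document"] for v in pol["PolicyVersionList"] if v["IsDefaultVersion"])
        findings += [(pol["PolicyName"], f) for f in risky_statements(doc)]
    return findings

# Constructed sample in the shape of `aws iam get-account-authorization-details` output (not real data).
SNAPSHOT = {
    "UserDetailList": [{"UserName": "deploy", "UserPolicyList": [{"PolicyName": "ci", "PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole", "s3:GetObject"], "Resource": "*"}]}}]}],
    "RoleDetailList": [{"RoleName": "Vendor", "RolePolicyList": [], "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole"}]}}],
    "Policies": [{"PolicyName": "Ops", "PolicyVersionList": [{"IsDefaultVersion": True, "Document": {
        "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}}]}],
}
```

Against a real dump, replace `SNAPSHOT` with `json.load(open("details.json"))` and pass your own account id; a role that appears only because of a cross-account principal is still worth reading by hand, since the trust may be intended but unconditioned.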
