Alternative Comprehensive Retrieval by iam:GetAccountAuthorizationDetails

Though prior sections detail explicit call chains for enumerating the inline and managed policies of user principals, groups, and roles, SkyEye can also take a more holistic route through iam:GetAccountAuthorizationDetails. A single (paginated) call returns the account's users, groups, roles, and managed policies, together with their inline policies, attached managed policies, group memberships, permissions boundaries, and role trust policies. It therefore gives SkyEye a near-comprehensive view of the account's identity-based IAM configuration without chaining many discrete calls. What it does not cover are resource-based policies and any service control policies applied from the organization, which still need their own enumeration.

Resource filtering is an essential step once the raw data has been received from iam:GetAccountAuthorizationDetails. A large AWS environment can contain hundreds of IAM entities, so sifting through every permission by hand is impractical. Best practice is therefore to narrow the output programmatically to the target user principals, the IAM groups they belong to, and the IAM roles in scope (those the user principal can assume directly or indirectly through role chaining), plus the managed policies attached to any of them.
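The two steps above, retrieval and scoping, as an added worked example (this is illustration code, not SkyEye's own implementation). The retrieval function assumes a boto3 Session and is not run offline; the scoping functions operate on a constructed sample shaped like the real response. Role reachability is derived from trust policies that name a principal ARN explicitly and is followed transitively (deploy role trusted by the user, prod-admin role trusted by the deploy role), which is a simplified stand-in for the indirect-assumption logic of the TCREM section; roles that trust only the account root are left out because they additionally require an identity-side sts:AssumeRole allow. The account ID, principal names and policy attachments are all invented for the sample.

```python
"""Added example: page through iam:GetAccountAuthorizationDetails and keep only
the in-scope users, groups, reachable roles and the managed policies they use."""
import json
import urllib.parse


def fetch_authorization_details(session):
    """Collect every page of the API (session is an assumed boto3.Session).

    Not executed in the offline sample; the keys mirror the real response shape.
    """
    iam = session.client("iam")
    merged = {"UserDetailList": [], "GroupDetailList": [], "RoleDetailList": [], "Policies": []}
    for page in iam.get_paginator("get_account_authorization_details").paginate():
        for key in merged:
            merged[key].extend(page.get(key, []))
    return merged


def policy_doc(doc):
    """The raw API returns policy documents URL-encoded; boto3 decodes them to dicts."""
    return json.loads(urllib.parse.unquote(doc)) if isinstance(doc, str) else doc


def trusted_principals(role):
    """ARNs that a role's trust policy explicitly allows to call sts:AssumeRole.

    Account-root and '*' entries are returned verbatim: they only help when the
    caller also holds an identity-side sts:AssumeRole allow, so they are not
    treated as reachable by assumable_roles() below.
    """
    out = set()
    for st in policy_doc(role["AssumeRolePolicyDocument"]).get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        out.update([aws] if isinstance(aws, str) else aws)
    return out


def assumable_roles(details, start_arns):
    """Transitive closure of role chaining: roles that trust the start ARNs,
    then roles that trust those roles, and so on (explicit-ARN trusts only)."""
    reachable, frontier = set(), set(start_arns)
    while frontier:
        new = {r["Arn"] for r in details["RoleDetailList"]
               if r["Arn"] not in reachable and trusted_principals(r) & frontier}
        reachable |= new
        frontier = new
    return reachable


def scope_authorization_details(details, target_user_names):
    """Narrow the full account dump to the target users, their groups, the roles
    they can reach and the managed policies attached to any of those entities."""
    users = [u for u in details["UserDetailList"] if u["UserName"] in target_user_names]
    group_names = {g for u in users for g in u.get("GroupList", [])}
    groups = [g for g in details["GroupDetailList"] if g["GroupName"] in group_names]
    role_arns = assumable_roles(details, {u["Arn"] for u in users})
    roles = [r for r in details["RoleDetailList"] if r["Arn"] in role_arns]
    attached = {p["PolicyArn"] for e in users + groups + roles
                for p in e.get("AttachedManagedPolicies", [])}
    policies = [p for p in details["Policies"] if p["Arn"] in attached]
    return {"UserDetailList": users, "GroupDetailList": groups,
            "RoleDetailList": roles, "Policies": policies}


ACCT = "111111111111"  # constructed account id, not a real account


def _trust(principal):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}]}


def _managed(name):
    return {"PolicyName": name, "PolicyArn": f"arn:aws:iam::aws:policy/{name}"}


# Constructed sample shaped like the API output (invented users, roles and attachments).
SAMPLE = {
    "UserDetailList": [
        {"UserName": "alice", "Arn": f"arn:aws:iam::{ACCT}:user/alice", "GroupList": ["developers"],
         "UserPolicyList": [], "AttachedManagedPolicies": []},
        {"UserName": "bob", "Arn": f"arn:aws:iam::{ACCT}:user/bob", "GroupList": ["admins"],
         "UserPolicyList": [], "AttachedManagedPolicies": [_managed("AdministratorAccess")]},
    ],
    "GroupDetailList": [
        {"GroupName": "developers", "GroupPolicyList": [], "AttachedManagedPolicies": [_managed("ReadOnlyAccess")]},
        {"GroupName": "admins", "GroupPolicyList": [], "AttachedManagedPolicies": [_managed("IAMFullAccess")]},
    ],
    "RoleDetailList": [
        {"RoleName": "deploy", "Arn": f"arn:aws:iam::{ACCT}:role/deploy",
         "AssumeRolePolicyDocument": _trust(f"arn:aws:iam::{ACCT}:user/alice"),
         "RolePolicyList": [], "AttachedManagedPolicies": [_managed("PowerUserAccess")]},
        # Raw-API style: URL-encoded document, trusting the deploy role (chainable from alice).
        {"RoleName": "prod-admin", "Arn": f"arn:aws:iam::{ACCT}:role/prod-admin",
         "AssumeRolePolicyDocument": urllib.parse.quote(json.dumps(_trust(f"arn:aws:iam::{ACCT}:role/deploy"))),
         "RolePolicyList": [], "AttachedManagedPolicies": [_managed("AdministratorAccess")]},
        # Trusts the account root only: needs an identity-side allow, so not counted as reachable.
        {"RoleName": "audit", "Arn": f"arn:aws:iam::{ACCT}:role/audit",
         "AssumeRolePolicyDocument": _trust(f"arn:aws:iam::{ACCT}:root"),
         "RolePolicyList": [], "AttachedManagedPolicies": [_managed("SecurityAudit")]},
    ],
    "Policies": [{"PolicyName": n, "Arn": f"arn:aws:iam::aws:policy/{n}"} for n in
                 ("ReadOnlyAccess", "PowerUserAccess", "AdministratorAccess", "IAMFullAccess", "SecurityAudit")],
}

if __name__ == "__main__":
    scoped = scope_authorization_details(SAMPLE, {"alice"})
    for key, entries in scoped.items():
        names = [e.get("UserName") or e.get("GroupName") or e.get("RoleName") or e.get("PolicyName") for e in entries]
        print(key, names)
```

Scoping alice keeps one user, the developers group, the deploy and prod-admin roles (the latter only through the chain), and the three managed policies attached to those entities; bob, the admins group, the root-trusted audit role and their policies are dropped. On live data, replace SAMPLE with the dict returned by fetch_authorization_details(session) and feed the user names SkyEye is operating as.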

iam:GetAccountAuthorizationDetails integrated into CPIEM and TCREM

As discussed in the Cross-Principal IAM Enumeration Model (CPIEM) and the Transitive Cross-Role Enumeration Model (TCREM), if at any enumeration stage the model detects at run time that at least one session (a user principal's or an assumed role's) belonging to a given AWS account ID can execute iam:GetAccountAuthorizationDetails, it immediately stops all other sessions from that account ID, uses that single permission to retrieve the full IAM context of the account, and distributes the relevant portion of the result to each user principal involved in the IAM enumeration of that account.

The benefit of iam:GetAccountAuthorizationDetails is substantial. First, it removes the overhead of enumerating each principal and each policy independently. Second, it collapses the bulk of the scanning process (roughly 95% of it) into one paginated call and yields the most complete IAM picture the model can obtain, without the flood of redundant API invocations that leaves a distinctive trail in logging. The call is still recorded in CloudTrail as an IAM management event and is commonly flagged by detection rules as an enumeration indicator, so the trade-off is one loud event instead of many. Third, its consolidated view allows a more robust comparison across policy layers (inline, attached, group-inherited, permissions boundary), surfacing hidden conflicts and redundant grants that per-entity enumeration would miss, for instance when the session lacked authorization to read one of those layers.
