Inverse Enumeration Model for Attached Managed Policy

Inverse Enumeration Model by iam:ListEntitiesForPolicy: enumerating attached managed policies

Forward enumeration (starting from the principal and walking out to its policies) is the most direct route to discovering an entity's privileges, but it can silently miss configurations: if an earlier step lacked the authorization to retrieve some reference to an in-scope principal or entity, that relationship never enters the result. Moreover, a large set of customer-managed and AWS-managed policies spread across multiple accounts can create complex permission-inheritance paths. In such cases an inverse enumeration strategy, starting from the policy and mapping back to the principals attached to it, has clear advantages.

The core mechanism of this inverse approach is iam:ListEntitiesForPolicy, which lists every IAM user, group, and role attached to a specified managed policy. Combined with the chain logic from the earlier enumerations, it fills in relationships that the forward IAM enumeration could not resolve. Specifically, when a SkyEye assessment finds references to attached managed policies that the overall analysis has not yet fully resolved, SkyEye attempts to invoke iam:ListPolicies with the parameters Scope='All', OnlyAttached=True, PolicyUsageFilter='PermissionsPolicy' (provided the calling principal holds sufficient privilege for that call) and passes each returned attached managed policy to iam:ListEntitiesForPolicy. The iam:ListEntitiesForPolicy results are then compared against the principal attachments already known for the unresolved components, and any missing attachments are added. If the iam:ListPolicies call fails because of insufficient authorization, SkyEye instead revisits the publicly documented AWS-managed policy ARNs and any previously discovered customer-managed policy ARNs, passing those into iam:ListEntitiesForPolicy to complete the unresolved components within that narrower scope.

Technically, iam:ListEntitiesForPolicy is the inverse of iam:ListAttachedUserPolicies, iam:ListAttachedGroupPolicies, and iam:ListAttachedRolePolicies. Instead of iterating over each user, group, or role to find its policy attachments, the inverse approach enumerates the attached entities from the standpoint of each policy. In large AWS accounts, combining forward and inverse enumeration lets SkyEye capture all relationships, including those formed through less conventional resource configurations and those hidden from forward enumeration by missing privileges. This is essential for producing a complete IAM graph and minimizing the chance of overlooking a powerful role or user relationship. Together with advanced analytics over these enumerations, the inverse approach strengthens the ability to detect, analyze, and mitigate privilege-based vulnerabilities before they become exploitable weaknesses.
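The procedure described above (attached-policy discovery with iam:ListPolicies, fallback to known ARNs on AccessDenied, then iam:ListEntitiesForPolicy per ARN, and a comparison against the forward-enumeration graph) is shown below as an added example; it is not SkyEye's own code. It assumes the client passed in exposes the boto3 IAM client methods `list_policies()` and `list_entities_for_policy()` with their real parameter names and response shapes (`Marker`/`IsTruncated` pagination, `PolicyUsers`/`PolicyGroups`/`PolicyRoles`). The `FakeIam` class and its sample principals and ARNs are constructed data so the module runs offline; with a real `boto3.client("iam")` the fake is simply not needed, and `_error_code` reads botocore's `ClientError.response` in the same way.

```python
"""Inverse IAM enumeration: policy -> attached principals (added example)."""
from collections import defaultdict


class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError (same .response shape)."""

    def __init__(self, code, operation):
        super().__init__(f"{code} when calling {operation}")
        self.response = {"Error": {"Code": code}}


def _error_code(exc):
    # Works for botocore's ClientError and for FakeClientError above.
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def _paginate(call, **kwargs):
    """Follow IAM's Marker/IsTruncated pagination, yielding every page."""
    params = dict(kwargs)
    while True:
        page = call(**params)
        yield page
        if not page.get("IsTruncated"):
            return
        params["Marker"] = page["Marker"]


def discover_attached_policy_arns(iam, fallback_arns):
    """Step 1: iam:ListPolicies limited to attached permissions policies.
    On AccessDenied, fall back to caller-supplied AWS-managed and previously
    discovered customer-managed ARNs (the page's reduced-scope path)."""
    try:
        arns = []
        for page in _paginate(iam.list_policies, Scope="All", OnlyAttached=True,
                              PolicyUsageFilter="PermissionsPolicy"):
            arns.extend(p["Arn"] for p in page["Policies"])
        return arns, "list_policies"
    except Exception as exc:
        if _error_code(exc) != "AccessDenied":
            raise
        return list(fallback_arns), "fallback"


def entities_for_policy(iam, policy_arn):
    """Step 2: iam:ListEntitiesForPolicy for one ARN -> users/groups/roles attached."""
    out = {"users": [], "groups": [], "roles": []}
    for page in _paginate(iam.list_entities_for_policy, PolicyArn=policy_arn):
        out["users"] += [u["UserName"] for u in page.get("PolicyUsers", [])]
        out["groups"] += [g["GroupName"] for g in page.get("PolicyGroups", [])]
        out["roles"] += [r["RoleName"] for r in page.get("PolicyRoles", [])]
    return out


def inverse_enumerate(iam, fallback_arns, forward_graph):
    """Build policy -> principal edges and report the ones forward enumeration missed.
    forward_graph: {(kind, name): set(policy_arn)} with kind in user/group/role."""
    arns, source = discover_attached_policy_arns(iam, fallback_arns)
    inverse, gaps = {}, defaultdict(set)
    for arn in arns:
        try:
            ents = entities_for_policy(iam, arn)
        except Exception as exc:
            # Policy known but its attachments not listable here: skip, don't abort.
            if _error_code(exc) in ("AccessDenied", "NoSuchEntity"):
                continue
            raise
        inverse[arn] = ents
        for kind in ("users", "groups", "roles"):
            for name in ents[kind]:
                key = (kind[:-1], name)
                if arn not in forward_graph.get(key, set()):
                    gaps[key].add(arn)  # attachment absent from the forward result
    return {"source": source, "inverse": inverse, "gaps": dict(gaps)}


class FakeIam:
    """Constructed offline stand-in for a boto3 IAM client (sample data only)."""
    ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
    DEPLOY = "arn:aws:iam::123456789012:policy/DeployPipeline"
    ATTACHED = [{"PolicyName": "AdministratorAccess", "Arn": ADMIN},
                {"PolicyName": "DeployPipeline", "Arn": DEPLOY}]
    ENTITIES = {
        ADMIN: {"PolicyUsers": [{"UserName": "alice"}], "PolicyRoles": [{"RoleName": "OrgAdmin"}]},
        DEPLOY: {"PolicyGroups": [{"GroupName": "ci"}], "PolicyRoles": [{"RoleName": "DeployRole"}]},
    }

    def __init__(self, deny_list_policies=False):
        self.deny_list_policies = deny_list_policies

    def list_policies(self, **kw):
        if self.deny_list_policies:
            raise FakeClientError("AccessDenied", "ListPolicies")
        if "Marker" not in kw:  # two pages to exercise Marker handling
            return {"Policies": self.ATTACHED[:1], "IsTruncated": True, "Marker": "p2"}
        return {"Policies": self.ATTACHED[1:], "IsTruncated": False}

    def list_entities_for_policy(self, PolicyArn, **kw):
        if PolicyArn not in self.ENTITIES:
            raise FakeClientError("NoSuchEntity", "ListEntitiesForPolicy")
        return {**self.ENTITIES[PolicyArn], "IsTruncated": False}


if __name__ == "__main__":
    forward = {("user", "alice"): {FakeIam.ADMIN}}  # constructed forward-enumeration result
    print(inverse_enumerate(FakeIam(), [], forward))
    print(inverse_enumerate(FakeIam(deny_list_policies=True), [FakeIam.ADMIN], forward))
```

The `gaps` map is the useful output for a defender: each entry is a principal whose attachment to a powerful policy was invisible to forward enumeration, which is exactly the relationship an IAM graph review should not lose.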
