Permissions Simulation Capability by iam:SimulatePrincipalPolicy
Permissions simulation capability is integrated into the Fuzzing feature in Single-Principal IAM Enumeration mode only. If SkyEye detects that the user principal does not hold the iam:SimulatePrincipalPolicy permission, it switches directly to traditional IAM fuzzing mode.
Permissions simulation is performed by leveraging the iam:SimulatePrincipalPolicy permission. This API supports the enumeration process by simulating how the set of IAM policies attached to an IAM entity evaluates against a list of API operations and AWS resources, returning the policies' effective permissions. The entity can be an IAM user, group, or role; if a user is specified, the simulation also includes all of the policies attached to the groups that the user belongs to.

The model first checks whether the user principal's session is allowed to call iam:SimulatePrincipalPolicy. If it is, the model uses that permission to simulate every AWS action (nearly 20,000 actions) in order to determine which of them the user principal can perform. However, since iam:SimulatePrincipalPolicy can only simulate the user principal itself and the permissions inherited from the in-scope IAM groups it belongs to, it cannot simulate permissions inherited from in-scope IAM roles that the user could assume directly or indirectly. The model therefore integrates with the Transitive Cross-Role Enumeration Model (TCREM), one of the core models of SkyEye, discussed in the next section, to learn the in-scope IAM roles, and then targets those roles with iam:SimulatePrincipalPolicy to return the most complete result.
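The following is an added example, not SkyEye's own code, showing how an auditor can batch a candidate action list through SimulatePrincipalPolicy for a user and for each role it can assume, since the API does not follow role assumption on its own. The ARNs, the candidate actions, the `batch_size` value and the `FakeIamClient` stand-in are all constructed so the script runs offline; pass `boto3.client("iam")` as `client` for a live check.

```python
from typing import Dict, List

USER_ARN = "arn:aws:iam::123456789012:user/alice"      # constructed sample ARN
ROLE_ARN = "arn:aws:iam::123456789012:role/Auditor"    # constructed sample ARN

def simulate_allowed_actions(client, principal_arn: str, actions: List[str],
                             batch_size: int = 50) -> Dict[str, str]:
    """Return {action: EvalDecision} for every action in `actions`, sending the
    list in batches and following IsTruncated/Marker pagination. batch_size is
    an assumed request size for readability, not a documented API limit."""
    decisions: Dict[str, str] = {}
    for i in range(0, len(actions), batch_size):
        kwargs = {"PolicySourceArn": principal_arn,
                  "ActionNames": actions[i:i + batch_size]}
        while True:
            resp = client.simulate_principal_policy(**kwargs)
            for r in resp["EvaluationResults"]:
                decisions[r["EvalActionName"]] = r["EvalDecision"]
            if not resp.get("IsTruncated"):
                break
            kwargs["Marker"] = resp["Marker"]   # fetch the next result page
    return decisions

def allowed_actions(client, principal_arns: List[str],
                    actions: List[str]) -> Dict[str, List[str]]:
    """Run the simulation once per principal (the user plus every role it can
    assume) because SimulatePrincipalPolicy never follows role assumption."""
    return {arn: sorted(a for a, d in simulate_allowed_actions(client, arn, actions).items()
                        if d == "allowed")
            for arn in principal_arns}

class FakeIamClient:
    """Constructed offline stand-in that mimics the real response shape and
    splits each call into two pages to exercise the Marker handling."""
    ALLOW = {USER_ARN: {"s3:ListAllMyBuckets", "sts:AssumeRole"},
             ROLE_ARN: {"s3:ListAllMyBuckets", "s3:GetObject", "iam:ListRoles"}}

    def simulate_principal_policy(self, PolicySourceArn, ActionNames, Marker=None, **_):
        half = max(1, len(ActionNames) // 2)
        page = ActionNames[half:] if Marker else ActionNames[:half]
        results = [{"EvalActionName": a,
                    "EvalDecision": "allowed" if a in self.ALLOW.get(PolicySourceArn, set())
                    else "implicitDeny"} for a in page]
        truncated = Marker is None and len(ActionNames) > half
        out = {"EvaluationResults": results, "IsTruncated": truncated}
        if truncated:
            out["Marker"] = "page2"
        return out

if __name__ == "__main__":
    sample = ["s3:ListAllMyBuckets", "s3:GetObject", "iam:ListRoles",
              "sts:AssumeRole", "ec2:DescribeInstances"]
    print(allowed_actions(FakeIamClient(), [USER_ARN, ROLE_ARN], sample))
```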