Retrieval of Attached Managed Policies for In-Scope IAM Groups

The Retrieval of In-scope IAM Groups' Attached Managed Policies

As with user principals, IAM groups may also have managed policies attached. These range from AWS-managed policies, typically used to grant service-level read or write access for administrative tasks, to customer-managed policies that bundle permissions for a department or project. Enumerating these attachments for in-scope IAM groups begins with identifying the relevant groups, using `iam:ListGroupsForUser` or the pair `iam:ListGroups` and `iam:GetGroup`, as discussed in the previous section. The next action in the chain is `iam:ListAttachedGroupPolicies`, which returns the ARNs of the managed policies attached to each identified group.

After enumerating these ARNs, the same concluding steps seen in the attached managed policy analysis for user principals apply: determine the current active (default) version either through `iam:ListPolicyVersions` (the entry flagged `IsDefaultVersion`) or through `iam:GetPolicy` (the `DefaultVersionId` field), then call `iam:GetPolicyVersion` with that version ID to retrieve the policy document. This final step completes the chain by disclosing the full set of permissions and resources the user principal inherits indirectly through its group memberships.

As an alternative, discussed in previous sections, for the case where neither `iam:ListPolicyVersions` nor `iam:GetPolicy` is permitted, leaving the current active version of a customer-managed policy unknown: SkyEye introduces the Version Fuzzing Algorithm, which probes the policy versions of the targeted customer-managed policy ARNs through `iam:GetPolicyVersion` alone, provided that action is permitted. The version ID space is small (IDs have the form `vN`, and a managed policy holds at most five versions at a time), but deleted version IDs are not reused, so a fuzzer must not stop at the first missing ID; each successful `iam:GetPolicyVersion` response carries `IsDefaultVersion`, which identifies the active one.
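The chain above, from group lookup to policy document, including the version-fuzzing fallback, as an added example that is not SkyEye's own code. Method names and response shapes follow boto3's IAM client (`list_groups_for_user`, `list_attached_group_policies`, `get_policy`, `list_policy_versions`, `get_policy_version`, and `ClientError`'s `response["Error"]["Code"]`), so a real `boto3.client("iam")` can be passed in place of the constructed `FakeIAM`; the account data inside `FakeIAM`, the `DevS3` policy and the `MAX_VERSION_GUESS` bound are assumptions made for illustration.

```python
"""Group -> attached managed policy -> active version -> document.

Hypothetical example, not SkyEye's code. `iam` may be a boto3 IAM client;
FakeIAM below is a constructed stand-in with sample data so this runs offline.
"""

MAX_VERSION_GUESS = 10  # assumption: probe past v5, since deleted version IDs are never reused


def _error_code(exc):
    """AWS error code from a botocore ClientError-shaped exception (None otherwise)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def _paged(call, key, **kwargs):
    """Follow the IsTruncated/Marker pagination used by IAM list calls."""
    marker = None
    while True:
        resp = call(**kwargs, **({"Marker": marker} if marker else {}))
        yield from resp[key]
        if not resp.get("IsTruncated"):
            return
        marker = resp["Marker"]


def resolve_default_version(iam, policy_arn):
    """Active version ID via GetPolicy, then ListPolicyVersions, then version fuzzing."""
    try:
        return iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    except Exception as exc:
        if _error_code(exc) != "AccessDenied":
            raise
    try:
        for v in _paged(iam.list_policy_versions, "Versions", PolicyArn=policy_arn):
            if v["IsDefaultVersion"]:
                return v["VersionId"]
    except Exception as exc:
        if _error_code(exc) != "AccessDenied":
            raise
    # Fuzz v1..vN with GetPolicyVersion only. Gaps are expected (deleted IDs are
    # not reused), so a NoSuchEntity miss does not end the search.
    for n in range(1, MAX_VERSION_GUESS + 1):
        try:
            pv = iam.get_policy_version(PolicyArn=policy_arn, VersionId=f"v{n}")["PolicyVersion"]
        except Exception as exc:
            if _error_code(exc) in ("NoSuchEntity", "AccessDenied"):
                continue
            raise
        if pv["IsDefaultVersion"]:
            return pv["VersionId"]
    return None


def group_managed_policies(iam, user_name):
    """Map each group of user_name to its attached managed policies and active documents."""
    result = {}
    for group in _paged(iam.list_groups_for_user, "Groups", UserName=user_name):
        policies = []
        for att in _paged(iam.list_attached_group_policies, "AttachedPolicies", GroupName=group["GroupName"]):
            arn, version, doc = att["PolicyArn"], resolve_default_version(iam, att["PolicyArn"]), None
            if version is not None:
                doc = iam.get_policy_version(PolicyArn=arn, VersionId=version)["PolicyVersion"]["Document"]
            policies.append({"PolicyArn": arn, "VersionId": version, "Document": doc})
        result[group["GroupName"]] = policies
    return result


class _ClientError(Exception):
    """Mimics the .response shape of botocore.exceptions.ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeIAM:
    """Constructed IAM client: user alice in group developers with one policy (sample data)."""
    ARN = "arn:aws:iam::123456789012:policy/DevS3"

    def __init__(self, denied=()):
        self.denied = set(denied)  # IAM actions the caller's identity lacks
        # v1 was deleted; v2 and v3 exist and v3 is the active version.
        self.versions = {self.ARN: {
            "v2": {"IsDefaultVersion": False, "Document": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}},
            "v3": {"IsDefaultVersion": True, "Document": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
        }}

    def _check(self, action):
        if action in self.denied:
            raise _ClientError("AccessDenied")

    def list_groups_for_user(self, UserName, Marker=None):
        self._check("iam:ListGroupsForUser")
        return {"Groups": [{"GroupName": "developers"}] if UserName == "alice" else [], "IsTruncated": False}

    def list_attached_group_policies(self, GroupName, Marker=None):
        self._check("iam:ListAttachedGroupPolicies")
        return {"AttachedPolicies": [{"PolicyName": "DevS3", "PolicyArn": self.ARN}] if GroupName == "developers" else [], "IsTruncated": False}

    def get_policy(self, PolicyArn):
        self._check("iam:GetPolicy")
        default = next(v for v, d in self.versions[PolicyArn].items() if d["IsDefaultVersion"])
        return {"Policy": {"Arn": PolicyArn, "DefaultVersionId": default}}

    def list_policy_versions(self, PolicyArn, Marker=None):
        self._check("iam:ListPolicyVersions")
        return {"Versions": [{"VersionId": v, "IsDefaultVersion": d["IsDefaultVersion"]} for v, d in self.versions[PolicyArn].items()], "IsTruncated": False}

    def get_policy_version(self, PolicyArn, VersionId):
        self._check("iam:GetPolicyVersion")
        d = self.versions[PolicyArn].get(VersionId)
        if d is None:
            raise _ClientError("NoSuchEntity")
        return {"PolicyVersion": {"VersionId": VersionId, **d}}
```

Running `group_managed_policies(FakeIAM(), "alice")` resolves `v3` through `iam:GetPolicy`; with `FakeIAM(denied={"iam:GetPolicy", "iam:ListPolicyVersions"})` the same result is reached by fuzzing, and the deleted `v1` is skipped rather than treated as the end of the version list. With a real boto3 client, `_ClientError` is never constructed; botocore's `ClientError` exposes the same `response["Error"]["Code"]` that `_error_code` reads.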
