Retrieval of Attached Managed Policies for In-Scope IAM Roles

In addition to inline policies, the managed policies attached at the role level must also be accounted for. Managed policies, whether AWS-managed or customer-managed, are commonly used to simplify the administration of privileges across many roles. As a result, a single managed policy can grant extensive permissions to several roles at once, creating potential lateral movement opportunities for an adversary within a compromised account.

Mirroring the approach used for users and groups, the SkyEye framework first establishes the list of relevant in-scope IAM roles via iam:ListRoles, as discussed in the previous section and in Transitive Cross-Role Enumeration Model (TCREM). For each role, iam:ListAttachedRolePolicies returns the ARNs of its attached managed policies. The next step in the chain is determining which version of each policy is currently active: for each policy ARN, SkyEye invokes either iam:ListPolicyVersions or iam:GetPolicy to pinpoint the default (active) version. Finally, a call to iam:GetPolicyVersion returns the structured JSON policy document for that active version. By completing this chain, SkyEye builds a comprehensive view of the permissions each role confers, ensuring that no hidden privileges or policy misconfigurations are overlooked.

As discussed in previous sections, when neither iam:ListPolicyVersions nor iam:GetPolicy is permitted, the active version of a customer-managed policy cannot be determined directly. For this case SkyEye introduces the Version Fuzzing Algorithms, which iterate through the possible version IDs of the targeted customer-managed policy ARNs using only iam:GetPolicyVersion, when that is the sole permitted call.
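As an added example that is not SkyEye's own code, the following Python resolves a role's attached managed policies to their active documents along the chain described above, falling back from GetPolicy to ListPolicyVersions and then to a version walk that needs only GetPolicyVersion. FakeIam is a constructed offline stand-in for a boto3 IAM client (same method names and response keys); with a real client you would catch botocore's ClientError in place of the AccessDenied and KeyError stand-ins, and the ARN, role name and version history are constructed sample values.

```python
POLICY_ARN = "arn:aws:iam::111122223333:policy/AppPolicy"  # constructed sample ARN
VERSIONS = {POLICY_ARN: {  # constructed sample version history: v2 is the active default
    "v1": {"IsDefaultVersion": False, "Document": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}},
    "v2": {"IsDefaultVersion": True, "Document": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
}}
class AccessDenied(Exception): pass  # stand-in for botocore ClientError with error code AccessDenied
class FakeIam:  # offline stand-in for boto3.client("iam"); `denied` lists API names this principal cannot call
    def __init__(self, denied=()):
        self.denied = set(denied)
    def _gate(self, api):
        if api in self.denied: raise AccessDenied(api)
    def list_attached_role_policies(self, RoleName):
        self._gate("ListAttachedRolePolicies")
        return {"AttachedPolicies": [{"PolicyArn": POLICY_ARN}]}
    def get_policy(self, PolicyArn):
        self._gate("GetPolicy")
        return {"Policy": {"DefaultVersionId": next(v for v, d in VERSIONS[PolicyArn].items() if d["IsDefaultVersion"])}}
    def list_policy_versions(self, PolicyArn):
        self._gate("ListPolicyVersions")
        return {"Versions": [{"VersionId": v, "IsDefaultVersion": d["IsDefaultVersion"]} for v, d in VERSIONS[PolicyArn].items()]}
    def get_policy_version(self, PolicyArn, VersionId):
        self._gate("GetPolicyVersion")
        return {"PolicyVersion": {"VersionId": VersionId, **VERSIONS[PolicyArn][VersionId]}}  # KeyError stands in for NoSuchEntity

def active_version_id(iam, arn, max_versions=5):
    """Resolve the default version: GetPolicy, else ListPolicyVersions, else probe v1..vN using GetPolicyVersion alone."""
    try:
        return iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
    except AccessDenied: pass
    try:
        return next(v["VersionId"] for v in iam.list_policy_versions(PolicyArn=arn)["Versions"] if v["IsDefaultVersion"])
    except AccessDenied: pass
    for n in range(1, max_versions + 1):  # IAM keeps at most 5 versions per managed policy
        try:
            pv = iam.get_policy_version(PolicyArn=arn, VersionId=f"v{n}")["PolicyVersion"]
        except (AccessDenied, KeyError):
            continue  # denied, or a version id that was deleted from the history
        if pv["IsDefaultVersion"]:
            return pv["VersionId"]
    return None  # active version not determinable with the permissions available

def resolve_role_managed_policies(iam, role_name):  # maps each attached policy ARN to its active document
    result = {}
    for att in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        vid = active_version_id(iam, att["PolicyArn"])
        try:
            result[att["PolicyArn"]] = iam.get_policy_version(PolicyArn=att["PolicyArn"], VersionId=vid)["PolicyVersion"]["Document"] if vid else None
        except AccessDenied:
            result[att["PolicyArn"]] = None  # document unreadable; record the gap rather than guess
    return result
```

A None entry in the result is the signal to record in the audit report: the role has an attached policy whose effective permissions could not be read with the credentials used.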
