Retrieval of Attached Managed Policies for User Principals

Retrieval of a User Principal's Attached Managed Policies

While inline policies are specific to a single user, attached managed policies are the more scalable way to administer permissions in AWS. Enumerating them for a given user starts with iam:ListAttachedUserPolicies, which returns the ARNs of the managed policies attached directly to that user. In a typical organization these are either AWS managed policies (for example AdministratorAccess or AmazonS3ReadOnlyAccess) or customer managed policies written for the organization's own role-based access control model.

A managed policy carries one or more versions, so the ARNs returned by iam:ListAttachedUserPolicies are only the first step. Each ARN is then passed to iam:ListPolicyVersions or iam:GetPolicy to learn the policy's versioning state and, for a customer managed policy, which version is the current default. Finally, iam:GetPolicyVersion returns the JSON policy document of that default version. This last call completes the chain: it exposes the actions and resources the user is actually granted through the policy.

When neither iam:ListPolicyVersions nor iam:GetPolicy is permitted, the current default version of a customer managed policy cannot be determined directly. For this case SkyEye introduces its Version Fuzzing Algorithms, which iterate over the possible policy versions of the targeted customer managed policy ARNs using iam:GetPolicyVersion alone, so the policy documents can still be retrieved when only that permission is available.
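The chain above, including the fallback when iam:GetPolicy is denied, as an added permission-audit example that is not SkyEye's own code. It assumes a boto3-style IAM client (`list_attached_user_policies`, `get_policy`, `get_policy_version`, and botocore's `ClientError` shape for errors); `FakeIAM`, the ARNs, the account id and the policy documents are constructed sample data so the walk runs offline, and `MAX_VERSION_PROBE` is an assumed probe range.

```python
MAX_VERSION_PROBE = 5  # assumption: probe ids v1..v5; ids keep growing past deletions, so widen if needed

def _error_code(exc):  # botocore's ClientError carries the AWS error code at exc.response["Error"]["Code"]
    return getattr(exc, "response", {}).get("Error", {}).get("Code")

def resolve_policy(iam, arn):
    """Read the default version via iam:GetPolicy; if that is denied, probe version ids
    v1..vN with iam:GetPolicyVersion instead (the default version then stays unknown)."""
    def read(version_id):  # boto3 returns the policy document already decoded into a dict
        return iam.get_policy_version(PolicyArn=arn, VersionId=version_id)["PolicyVersion"]["Document"]
    try:
        default = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        return {"source": "get_policy", "default": default, "versions": {default: read(default)}}
    except Exception as exc:
        if _error_code(exc) != "AccessDenied":
            raise
    found = {}
    for n in range(1, MAX_VERSION_PROBE + 1):
        try:
            found[f"v{n}"] = read(f"v{n}")
        except Exception as exc:
            if _error_code(exc) != "NoSuchEntity":  # deleted versions leave gaps; keep probing
                raise
    return {"source": "version_probe", "default": None, "versions": found}

def attached_policy_documents(iam, user_name):
    """Map each managed policy attached to user_name to whatever versions could be read."""
    page = iam.list_attached_user_policies(UserName=user_name)  # a real listing may paginate via Marker
    return {p["PolicyArn"]: resolve_policy(iam, p["PolicyArn"]) for p in page["AttachedPolicies"]}
class _AwsError(Exception):  # mirrors the shape of botocore's ClientError
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class FakeIAM:  # constructed stand-in for boto3's IAM client; sample data, not a real account
    AWS = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
    CUSTOM = "arn:aws:iam::123456789012:policy/example-custom"  # placeholder account id
    DOCS = {(AWS, "v2"): {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
            (CUSTOM, "v1"): {"Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
            (CUSTOM, "v3"): {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}}
    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyArn": self.AWS}, {"PolicyArn": self.CUSTOM}], "IsTruncated": False}
    def get_policy(self, PolicyArn):
        if PolicyArn == self.CUSTOM:  # iam:GetPolicy is denied on the customer managed policy
            raise _AwsError("AccessDenied")
        return {"Policy": {"DefaultVersionId": "v2"}}
    def get_policy_version(self, PolicyArn, VersionId):
        if (PolicyArn, VersionId) not in self.DOCS:
            raise _AwsError("NoSuchEntity")
        return {"PolicyVersion": {"Document": self.DOCS[(PolicyArn, VersionId)]}}
```

Passing `boto3.client("iam")` in place of `FakeIAM()` runs the same walk against a real account; the probe result lists every readable version, since without iam:GetPolicy the active one cannot be told apart.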
