Retrieval of Inline Policies for In-Scope IAM Groups


Beyond user-centric investigations, robust IAM enumeration necessarily extends to group-level analysis. Within AWS, group memberships can significantly change an individual's effective permission set. Consequently, the first step in enumerating in-scope IAM groups, defined as the groups to which a particular user principal belongs, is typically either iam:ListGroupsForUser or a combination of iam:ListGroups followed by iam:GetGroup, which together provide situational awareness of the in-scope IAM groups. The direct approach, iam:ListGroupsForUser, yields the list of groups to which the user belongs. Alternatively, if the caller is not permitted to invoke iam:ListGroupsForUser, SkyEye switches to invoking iam:ListGroups and iam:GetGroup systematically to enumerate all existing groups and confirms membership for the target user principals.

Once the in-scope groups have been identified, the chain proceeds to iam:ListGroupPolicies for each group. This action enumerates the names of inline policies residing at the group level. Next, for each policy name discovered, the call iam:GetGroupPolicy retrieves the underlying policy document. This chain ensures that every inline policy statement nested within group membership is processed, providing the full scope of relevant permissions. It is critical in multi-account or multi-group scenarios where ephemeral group memberships might be leveraged, intentionally or inadvertently, to circumvent standard user-level constraints. By detailing the chain from group identification to policy retrieval, SkyEye builds a complete picture of the permissions inherited from in-scope IAM groups, supporting overall situational awareness of the IAM context assigned to the target user principals.
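The chain described above, written out as an added example for auditing which inline group policies a user inherits. This is not SkyEye's code: the IAM API calls are the real ones the page names (ListGroupsForUser, ListGroups, GetGroup, ListGroupPolicies, GetGroupPolicy), while the helper names, the `FakeIAM` stand-in and its two groups and two users are constructed so the example runs offline. Any object exposing boto3-style IAM methods, such as `boto3.client("iam")`, can be passed as `iam`; the fallback path is triggered when the direct call is denied.

```python
"""Walk the group-level inline policy chain: ListGroupsForUser (or ListGroups +
GetGroup as a fallback) -> ListGroupPolicies -> GetGroupPolicy.

Added example, not SkyEye's code. Helper names, FakeIAM and its data are
constructed; the IAM operations and response keys match the real API.
"""


class AccessDenied(Exception):
    """Stand-in for botocore's ClientError with code AccessDenied (constructed)."""


def _paginate(call, key, **kwargs):
    """Follow the IsTruncated/Marker pagination used by the IAM list APIs."""
    items, marker = [], None
    while True:
        resp = call(**kwargs, **({"Marker": marker} if marker else {}))
        items.extend(resp[key])
        if not resp.get("IsTruncated"):
            return items
        marker = resp["Marker"]


def in_scope_groups(iam, user_name):
    """Groups the user belongs to: direct ListGroupsForUser, else ListGroups + GetGroup."""
    try:
        groups = _paginate(iam.list_groups_for_user, "Groups", UserName=user_name)
        return [g["GroupName"] for g in groups]
    except AccessDenied:
        pass  # direct call denied: enumerate every group and confirm membership
    found = []
    for g in _paginate(iam.list_groups, "Groups"):
        members = _paginate(iam.get_group, "Users", GroupName=g["GroupName"])
        if any(u["UserName"] == user_name for u in members):
            found.append(g["GroupName"])
    return found


def group_inline_policies(iam, group_name):
    """Inline policy name -> document, via ListGroupPolicies then GetGroupPolicy."""
    docs = {}
    for name in _paginate(iam.list_group_policies, "PolicyNames", GroupName=group_name):
        resp = iam.get_group_policy(GroupName=group_name, PolicyName=name)
        docs[name] = resp["PolicyDocument"]  # boto3 returns this already JSON-decoded
    return docs


def inherited_inline_policies(iam, user_name):
    """Full chain: {group_name: {policy_name: policy_document}} for the user's groups."""
    return {g: group_inline_policies(iam, g) for g in in_scope_groups(iam, user_name)}


def inherited_allow_actions(iam, user_name):
    """Sorted, de-duplicated Allow actions the user inherits via group inline policies."""
    actions = set()
    for policies in inherited_inline_policies(iam, user_name).values():
        for doc in policies.values():
            for stmt in doc["Statement"]:
                if stmt.get("Effect") != "Allow":
                    continue
                act = stmt.get("Action", [])
                actions.update([act] if isinstance(act, str) else act)
    return sorted(actions)


class FakeIAM:
    """Constructed in-memory stand-in for boto3's IAM client (two groups, two users)."""

    GROUPS = {
        "developers": {"users": ["alice", "bob"],
                       "policies": {"s3-read": ["s3:GetObject", "s3:ListBucket"]}},
        "auditors": {"users": ["alice"],
                     "policies": {"iam-read": ["iam:Get*", "iam:List*"]}},
    }

    def __init__(self, deny_list_groups_for_user=False):
        self.deny_direct = deny_list_groups_for_user

    def list_groups_for_user(self, UserName, **_):
        if self.deny_direct:
            raise AccessDenied("iam:ListGroupsForUser")
        groups = [{"GroupName": g} for g, d in self.GROUPS.items() if UserName in d["users"]]
        return {"Groups": groups, "IsTruncated": False}

    def list_groups(self, **_):
        return {"Groups": [{"GroupName": g} for g in self.GROUPS], "IsTruncated": False}

    def get_group(self, GroupName, **_):
        users = [{"UserName": u} for u in self.GROUPS[GroupName]["users"]]
        return {"Group": {"GroupName": GroupName}, "Users": users, "IsTruncated": False}

    def list_group_policies(self, GroupName, **_):
        return {"PolicyNames": list(self.GROUPS[GroupName]["policies"]), "IsTruncated": False}

    def get_group_policy(self, GroupName, PolicyName):
        doc = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow",
                              "Action": self.GROUPS[GroupName]["policies"][PolicyName],
                              "Resource": "*"}]}
        return {"GroupName": GroupName, "PolicyName": PolicyName, "PolicyDocument": doc}


if __name__ == "__main__":
    # Both clients should report the same groups and actions for alice:
    # the second one exercises the ListGroups + GetGroup fallback.
    for client in (FakeIAM(), FakeIAM(deny_list_groups_for_user=True)):
        print(in_scope_groups(client, "alice"), inherited_allow_actions(client, "alice"))
```

The fallback path is deliberately more expensive than the direct one: it calls GetGroup once per group in the account and follows pagination on each, so on a large account it produces many more IAM read events in CloudTrail than a single ListGroupsForUser call would, which is worth knowing both when running an audit and when baselining what normal IAM read activity looks like.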
