Retrieval of Inline Policies for In-Scope IAM Roles

While users and groups are the foundational identity constructs in AWS, roles are the mechanism by which users, services, or other roles assume delegated privileges. For an IAM security audit, the set of roles that a given user can assume, directly or indirectly, is critical, because each one potentially augments the user's effective permissions. Identifying those roles means examining each role's trust policy (the trusted entities and any conditions on the assume-role call) and the session parameters that apply once it is assumed, since either can extend privileges beyond the user's nominal baseline. Once a role is deemed "in-scope", SkyEye retrieves any inline policies attached to it, because these may confer capabilities that exist only at the role level.

The operational chain begins by enumerating every role with `iam:ListRoles`. Because this action returns all roles in the account, the result must be filtered down to those the user principal can assume directly or indirectly, as described in the Transitive Cross-Role Enumeration Model (TCREM). That filtering relies on parsing each role's trust policy (the `AssumeRolePolicyDocument` returned alongside the role) or on contextual information gathered earlier in the environment, such as previously discovered assume-role statements. For each in-scope role, `iam:ListRolePolicies` yields the names of its inline policies, and `iam:GetRolePolicy` returns the policy document for each name. Two practical caveats apply: both list calls are paginated, so a single unpaginated request can silently drop roles or policy names, and the policy document comes back URL-encoded on the wire and must be decoded before it is parsed as JSON. Note also that `iam:ListRolePolicies` covers inline policies only; managed policies attached to the same role are enumerated separately via `iam:ListAttachedRolePolicies`.
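The chain described above, written out as an added example that is not SkyEye's own code: it walks `ListRoles`, keeps only the roles whose trust policy lets a given principal call `sts:AssumeRole` directly (the transitive, role-to-role case from TCREM is left out), then pulls each inline policy via `ListRolePolicies` and `GetRolePolicy`. The `FakeIAM` class, the account ID, the `alice` user and the three roles are constructed sample data so the script runs offline; the functions take any object with the boto3 IAM call shapes, so a real `boto3.client("iam")` can be passed in its place. Trust-policy `Condition` blocks are deliberately ignored, which over-approximates scope and is flagged as an assumption in the code.

```python
"""Enumerate in-scope IAM roles by trust policy and fetch their inline policies."""
import json
from urllib.parse import quote, unquote


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusts_principal(trust_policy, principal_arn, account_id):
    """True if an Allow statement grants sts:AssumeRole to the principal's ARN, to its
    account root (which defers to the caller's own identity policy), or to '*'.
    Assumption: Condition blocks are ignored, so this over-approximates scope; a real
    audit must also evaluate ExternalId / aws:PrincipalArn style conditions."""
    root_arn = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if any(p in ("*", principal_arn, root_arn, account_id) for p in aws_principals):
            return True
    return False


def decode_policy_document(doc):
    """The raw GetRolePolicy API returns a URL-encoded JSON string; boto3 already
    decodes it to a dict. Accept either form."""
    return doc if isinstance(doc, dict) else json.loads(unquote(doc))


def collect_inline_policies(iam, principal_arn, account_id):
    """Return {role_name: {policy_name: policy_document}} for in-scope roles only.
    Paginators matter: ListRoles and ListRolePolicies truncate at 100 items."""
    found = {}
    for page in iam.get_paginator("list_roles").paginate():
        for role in page["Roles"]:
            if not trusts_principal(role["AssumeRolePolicyDocument"], principal_arn, account_id):
                continue
            name = role["RoleName"]
            found[name] = {}
            for ppage in iam.get_paginator("list_role_policies").paginate(RoleName=name):
                for policy_name in ppage["PolicyNames"]:
                    resp = iam.get_role_policy(RoleName=name, PolicyName=policy_name)
                    found[name][policy_name] = decode_policy_document(resp["PolicyDocument"])
    return found


class _Pages:
    """Minimal paginator stand-in: paginate(**kw) returns a list of response pages."""
    def __init__(self, fn):
        self.paginate = fn


class FakeIAM:
    """Constructed offline stand-in mimicking the boto3 IAM client calls used above."""
    def __init__(self, roles, inline):
        self.roles, self.inline = roles, inline

    def get_paginator(self, op):
        if op == "list_roles":
            return _Pages(lambda **kw: [{"Roles": self.roles}])
        if op == "list_role_policies":
            return _Pages(lambda RoleName: [{"PolicyNames": list(self.inline.get(RoleName, {}))}])
        raise ValueError(op)

    def get_role_policy(self, RoleName, PolicyName):
        return {"RoleName": RoleName, "PolicyName": PolicyName,
                "PolicyDocument": self.inline[RoleName][PolicyName]}


ACCOUNT = "123456789012"  # constructed sample account
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"  # constructed sample principal


def _trust(principal):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}


def _wire(policy):
    """Mimic the GetRolePolicy wire format: URL-encoded JSON."""
    return quote(json.dumps(policy), safe="")


SAMPLE_ROLES = [  # constructed: only AppDeployRole trusts alice directly
    {"RoleName": "AppDeployRole", "AssumeRolePolicyDocument": _trust({"AWS": ALICE})},
    {"RoleName": "CrossAccountRole",
     "AssumeRolePolicyDocument": _trust({"AWS": "arn:aws:iam::999999999999:root"})},
    {"RoleName": "LambdaExecRole", "AssumeRolePolicyDocument": _trust({"Service": "lambda.amazonaws.com"})},
]
SAMPLE_INLINE = {  # constructed inline policies keyed by role name
    "AppDeployRole": {"s3-write": _wire({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::deploy-bucket/*"}]})},
    "CrossAccountRole": {"admin": _wire({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]})},
}


def run_sample():
    """Run the chain against the constructed data for the alice principal."""
    return collect_inline_policies(FakeIAM(SAMPLE_ROLES, SAMPLE_INLINE), ALICE, ACCOUNT)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Against the sample data only `AppDeployRole` is reported, with its `s3-write` inline policy decoded to a dict; `CrossAccountRole` carries a far more interesting `admin` policy but is out of scope because its trust policy names a different account's root, and `LambdaExecRole` is skipped because its only trusted principal is a service. Swapping `FakeIAM` for `boto3.client("iam")` runs the same logic against a real account.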

The SkyEye framework pays particular attention to role-based inline policies, because they often grant specialized privileges for tightly scoped runtime scenarios (for example, a role used by a single application). If a user principal can assume such a role, that user effectively inherits those permissions for the duration of the session. Enumerating these inline policies is therefore essential to constructing the overall permission graph, and following this chain systematically ensures that no potential extension of privilege through an assumable role goes uncharted.