Transitive Cross-Role Enumeration Model (TCREM)

Each user principal may be permitted to assume specific roles and to retrieve temporary session tokens in order to act on behalf of those roles. Each role principal may likewise be permitted to assume other roles and to act on their behalf through temporary session tokens.

In the Transitive Cross-Role Enumeration Model (TCREM), the term In-scope IAM Roles covers:

  • The roles that can be assumed directly by provided AWS credentials:

    • User A → Role A

    • User A → Role B

  • The roles that can be assumed indirectly, through roles that the provided AWS credentials can assume:

    • User A → Role A

      • Role A → Role E

        • Role E → Role F

          • Role F → Role I

      • Role A → Role G

        • Role G → Role H

    • User A → Role B

→ In-Scope IAM Roles: Role A, Role B, Role E, Role F, Role I, Role G, Role H
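The in-scope set above is the transitive closure of "can assume" edges starting from the supplied credentials. The following added example (not SkyEye's own code) computes that closure over a constructed trust map that mirrors the tree above, plus one extra edge (Role I trusting Role A) to show that a trust cycle must terminate; in practice the map would be built from observed sts:AssumeRole results or trust policies, which is an assumption here.

```python
from collections import deque

# Constructed trust map mirroring the TCREM example (an assumption, not data
# from a live account): principal -> roles that principal may assume.
TRUST_MAP = {
    "User A": ["Role A", "Role B"],
    "Role A": ["Role E", "Role G"],
    "Role E": ["Role F"],
    "Role F": ["Role I"],
    "Role G": ["Role H"],
    "Role I": ["Role A"],   # trust cycle back to Role A; must not loop forever
}


def in_scope_roles(trust_map, start, max_depth=10):
    """Return {role: assumption chain} for every role reachable from `start`
    by direct or transitive assumption.

    Breadth-first search visits each role once, so the first chain recorded
    for a role is a shortest one and trust cycles terminate. max_depth bounds
    how many hops of assumption are followed (1 = direct assumption only)."""
    chains = {}
    queue = deque([(start, [start])])
    while queue:
        principal, chain = queue.popleft()
        if len(chain) - 1 >= max_depth:
            continue                      # chain already at the hop limit
        for role in trust_map.get(principal, []):
            if role in chains or role == start:
                continue                  # reached earlier, or cycle to start
            chains[role] = chain + [role]
            queue.append((role, chains[role]))
    return chains


def assumption_report(chains):
    """Render each in-scope role with the chain that reaches it, longest first."""
    return ["  <-  ".join(reversed(chain))
            for chain in sorted(chains.values(), key=len, reverse=True)]


if __name__ == "__main__":
    for line in assumption_report(in_scope_roles(TRUST_MAP, "User A")):
        print(line)
```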

Core of SkyEye - Transitive Cross-Role Enumeration Model (TCREM)

The Transitive Cross-Role Enumeration Model (TCREM) gathers in-scope IAM roles and assumes them, directly from the user principal or indirectly through roles that the user principal can assume, so that enumeration can act on behalf of every in-scope role. The results of those role sessions complement the overall scanning output, reducing false negatives and improving the accuracy of the IAM output. Each role is an independent principal with its own assigned permissions, which can be leveraged to complement the enumeration of the IAM users, groups, roles and policies closely bound to the targeted AWS credentials.

The Transitive Cross-Role Enumeration Model is integrated into:

  • Single-Principal IAM Enumeration Model (SiPIEM): in-scope IAM roles complement only the single user principal’s IAM vision context

  • Separate-Principal IAM Enumeration Model (SePIEM): in-scope IAM roles complement each user principal’s IAM vision context separately

  • Cross-Principal IAM Enumeration Model (CPIEM): in-scope IAM roles discovered from each user principal complement not only the originating user principal’s IAM vision context but also the other user principals’ IAM vision contexts

At run time, if the iam:GetAccountAuthorizationDetails permission is detected as executable by at least one role session from a given AWS account ID, the model immediately terminates all sessions originating from that AWS account ID, uses the iam:GetAccountAuthorizationDetails permission to retrieve the full IAM vision context of that account, and distributes the corresponding result to each user principal involved in the IAM enumeration for that account. This approach cuts 95% of the entire scanning process and yields the most complete IAM output for each involved user principal without producing redundant API invocations, which could otherwise leave detectable traces in logging.

The operational advantages of TCREM are best illustrated by a representative scenario of advanced IAM enumeration in a contemporary AWS environment. Consider User_A, an identity able to assume a set of in-scope IAM roles, Role_A, Role_E and Role_F, through direct or transitive trust relationships. Each principal, whether user or role, holds a distinct, non-overlapping subset of IAM permissions, as follows:

  • User_A: Holds iam:ListRoles and iam:ListGroupsForUser, enabling enumeration of its associations with in-scope IAM roles and in-scope IAM groups

  • Role_A: Authorized to enumerate policy associations across roles, users and groups through iam:ListRolePolicies, iam:ListAttachedRolePolicies, iam:ListUserPolicies, iam:ListAttachedUserPolicies, iam:ListGroupPolicies and iam:ListAttachedGroupPolicies

  • Role_E: Holds policy retrieval permissions including iam:GetUserPolicy, iam:GetGroupPolicy, iam:GetRolePolicy, iam:GetPolicy and iam:ListPolicyVersions

  • Role_F: Entitled to retrieve a specific version of a policy document via iam:GetPolicyVersion

Traditionally, in penetration testing or red team operations, enumeration efforts are often constrained to the context of a single identity session. While User_A is able to enumerate certain role and group metadata, their view remains incomplete, as the permissions and policy insights granted to Role_A, Role_E, and Role_F are inaccessible unless those roles are actively assumed and enumerated. This approach prevents the correlation and aggregation of permissions across assumed roles, thereby hindering the construction of a comprehensive, system-wide IAM topology. Such limitations can lead to an incomplete understanding of privilege boundaries, trust relationships, and potential privilege escalation vectors within the AWS environment.

Transitive Cross-Role Enumeration Model - Example Scenario

TCREM advances this paradigm by operationalizing simultaneous, transitive cross-role enumeration. When integrated, the model leverages User_A’s privileges to discover in-scope IAM roles, autonomously assumes each of them, and instantiates temporary sessions for Role_A, Role_E and Role_F concurrently alongside the primary User_A session. These parallel enumeration processes synthesize permission and policy data across the originating user principal and all assumable roles, constructing an integrated, multidimensional view of the IAM environment.
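The per-account planning step that the run-time paragraph and this scenario describe, as an added example (not SkyEye's own code): sessions are grouped by account ID, the confirmed permissions of User_A, Role_A, Role_E and Role_F are merged into one view, and an account where any session can call iam:GetAccountAuthorizationDetails is short-circuited to that single session. The session list, the account IDs and the extra principals User_B and Role_Z are constructed for the example.

```python
# Constructed sessions mirroring the example scenario (an assumption, not the
# output of a live enumeration): a principal, the account it acts in, and the
# IAM permissions confirmed executable from that session.
SESSIONS = [
    {"principal": "User_A", "account": "111111111111",
     "permissions": {"iam:ListRoles", "iam:ListGroupsForUser"}},
    {"principal": "Role_A", "account": "111111111111",
     "permissions": {"iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
                     "iam:ListUserPolicies", "iam:ListAttachedUserPolicies",
                     "iam:ListGroupPolicies", "iam:ListAttachedGroupPolicies"}},
    {"principal": "Role_E", "account": "111111111111",
     "permissions": {"iam:GetUserPolicy", "iam:GetGroupPolicy",
                     "iam:GetRolePolicy", "iam:GetPolicy",
                     "iam:ListPolicyVersions"}},
    {"principal": "Role_F", "account": "111111111111",
     "permissions": {"iam:GetPolicyVersion"}},
    # Second account: one session holds the full-view permission.
    {"principal": "User_B", "account": "222222222222",
     "permissions": {"iam:ListUsers"}},
    {"principal": "Role_Z", "account": "222222222222",
     "permissions": {"iam:GetAccountAuthorizationDetails"}},
]

FULL_VIEW = "iam:GetAccountAuthorizationDetails"


def plan_enumeration(sessions):
    """Decide, per account, how the IAM vision context will be built.

    full-view: one session can call iam:GetAccountAuthorizationDetails, so it
               is kept and every other session for that account is released.
    aggregate: no such session exists, so the account's view is the union of
               the permissions confirmed across all of its sessions."""
    by_account = {}
    for s in sessions:
        by_account.setdefault(s["account"], []).append(s)
    plan = {}
    for account, sess in by_account.items():
        full = [s for s in sess if FULL_VIEW in s["permissions"]]
        if full:
            keep = full[0]
            plan[account] = {"mode": "full-view", "use": keep["principal"],
                             "release": [s["principal"] for s in sess if s is not keep],
                             "permissions": {FULL_VIEW}}
        else:
            plan[account] = {"mode": "aggregate",
                             "use": [s["principal"] for s in sess], "release": [],
                             "permissions": set().union(*(s["permissions"] for s in sess))}
    return plan
```

Under the aggregate mode the merged set is what decides whether a later enumeration stage (for example fetching policy documents, which needs Role_F's iam:GetPolicyVersion) can run at all for that account.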

Crucially, this approach not only augments the IAM visibility of User_A by aggregating permissions and policy insights from the assumed roles, but also enables integration with the Cross-Principal IAM Enumeration Model (CPIEM). In scenarios involving multiple user principals, each with discrete trust relationships and role assumption capabilities, TCREM orchestrates enumeration sessions for all user identities and their respective assumable roles. This cooperative enumeration methodology enables a holistic assessment of the IAM landscape, facilitating the discovery of complex privilege chains, indirect privilege escalation pathways, and latent policy misconfigurations that would otherwise remain undetected under a single-principal enumeration model.

The Interconnection between Users in CPIEM and Roles in TCREM

In summary, TCREM represents a significant advancement in IAM enumeration methodology, enabling security practitioners and penetration testers to transcend the inherent limitations of isolated principal analysis. Through its support for concurrent and transitive enumeration, the model fosters a more precise and exhaustive understanding of access control dynamics, privilege escalation relationships, and the overall security posture of AWS IAM deployments. This makes SkyEye an indispensable framework for both offensive security assessments and defensive IAM governance within complex cloud environments.
