This only works when you have the victim account ID. For this example, let's say that the victim account ID is 999988887777.
First, create a role that we can use for this demo. This role is in your own account.
aws iam create-role --role-name test-enumeration \
--assume-role-policy-document '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "ec2.amazonaws.com"},"Action": "sts:AssumeRole"}]}'
aws iam update-assume-role-policy --role-name test-enumeration \
--policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:user/invalid"},"Action": "sts:AssumeRole"}]}'
Let's use New Relic's well-known account ID for this test.
aws iam update-assume-role-policy --role-name test-enumeration \
--policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::754728514883:role/invalid"},"Action": "sts:AssumeRole"}]}'
Let's use New Relic's well-known account ID (754728514883) and role name (NewRelicInfrastructure-Integrations) for this test.
aws iam update-assume-role-policy --role-name test-enumeration \
--policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::754728514883:role/NewRelicInfrastructure-Integrations"},"Action": "sts:AssumeRole"}]}'
New Relic Account ID and role name details were found here:
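From the defender's side, the trust policies set by the commands above are exactly what a reviewer should be auditing in their own account. The following helper is an added example, not code from the original post: it parses a trust policy document and reports every principal allowed to call sts:AssumeRole, flagging those from a foreign account. The sample policy is constructed here from the page's last command plus a service principal.

```python
import json
import re

# Constructed sample: the trust policy from the page's last command plus a
# service principal, so both AWS and Service principals are exercised.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::754728514883:role/NewRelicInfrastructure-Integrations"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
})

# Matches user/role ARNs and the "root" form used to trust a whole account.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role|root)(?:/(.+))?$")

def list_trusted_principals(policy_json, own_account_id):
    """Return (kind, account_id, name, cross_account) for every principal that an
    Allow statement lets call sts:AssumeRole. Service principals have no account."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    records = []
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                  # anonymous trust: any principal may assume
            records.append(("any", None, "*", True))
            continue
        for kind, values in principal.items():
            for value in [values] if isinstance(values, str) else values:
                match = ARN_RE.match(value) if kind == "AWS" else None
                if kind != "AWS":             # Service, Federated, CanonicalUser
                    records.append((kind.lower(), None, value, False))
                elif match:
                    acct, typ, name = match.groups()
                    records.append((typ, acct, name, acct != own_account_id))
                elif re.fullmatch(r"\d{12}", value):   # bare account ID means account root
                    records.append(("root", value, None, value != own_account_id))
                else:                         # "*" or an unrecognised form: treat as foreign
                    records.append(("aws", None, value, True))
    return records
```

Any record whose last field is True names a principal outside your account; for third-party integrations such as the New Relic role above, confirm the account ID against the vendor's published value.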