Enumerate the permissions associated with AWS credential set
Latest commit 93c0828 Jun 28, 2019

Enumerate IAM permissions

Found a set of AWS credentials and have no idea which permissions it might have?

$ ./ --access-key AKIA... --secret-key StF0q...
2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..."
2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked!
2019-05-10 15:58:01,537 - 21345 - [INFO] -- {
    "RoleDetailList": [
            "Tags": [], 
            "AssumeRolePolicyDocument": {
                "Version": "2008-10-17", 
                "Statement": [
2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked!
2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked!
2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked!
2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked!
2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked!

Now you do! This tool tries to brute-force every API call allowed by the IAM policy. The calls it performs are all non-destructive (only get* and list* calls are made).


git clone
cd enumerate-iam/
pip install -r requirements.txt


This software was written to be easy to integrate with other tools: just import the main function and provide the required arguments:

from enumerate_iam.main import enumerate_iam


The output will contain all the enumerated permission information in a Python dictionary.

Other tools

Before writing this tool I tried a few others that performed the same task, and decided to write my own because they:

  • Did not check for all API calls
  • Were painfully slow when adding more API calls to the list
  • Did not return the permissions in a programmatic way

Updating the API calls

The API calls to be performed during permission enumeration are stored in enumerate_iam/ as a Python dict(), which is generated by enumerate_iam/ from the API documentation available in the aws-sdk-js library.

AWS releases new services every quarter; to make sure this tool finds all the existing permissions, run:

cd enumerate_iam/
git clone
rm -rf aws-sdk-js

Related tools

This tool was released as part of the Internet-Scale Analysis of AWS Cognito Security research. During this research the cc-lambda tool was also used to extract information from the Common Crawl data.

Initial code

The initial code was released in this gist and improved in multiple ways:

  • Complete refactoring
  • Results returned in a programmatic way
  • Threads
  • Improved logging
  • Increased API call coverage
  • Export as a library