Automating IAM Enumeration in AWS Using Pacu

This guide walks through automating AWS IAM enumeration with Pacu and then defending against the same technique, with step-by-step instructions so the material can be followed in order.

Warning
Always obtain authorization before testing AWS environments. Unauthorized enumeration violates AWS policies and may have legal consequences.

1. Introduction

Identity and Access Management (IAM) forms the backbone of AWS security, managing access to cloud resources. Misconfigured IAM policies can lead to unauthorized access or data breaches, making regular audits critical.

Manually enumerating IAM users, roles, groups, and policies is time-consuming and error-prone. Pacu, an open-source AWS exploitation framework by Rhino Security Labs, automates this process, helping penetration testers and red teamers identify weak configurations and privilege relationships.

2. Why Automate IAM Enumeration?

Automating IAM enumeration with Pacu saves time and reduces errors. It allows you to:

  • 🧭 Map the IAM Landscape
  • 🔐 Detect Misconfigurations
  • 🧪 Support Security Testing

Pacu’s modular design and database storage simplify data collection and analysis, even in complex AWS environments.

3. Setting Up Pacu

3.1 Prerequisites

Install these tools:

  • Python 3.7+
  • pipx (for Pacu installation)
  • AWS CLI

Install AWS CLI:

pip install awscli

Ensure your IAM user has a policy granting at least these permissions. The statement is shown as a complete policy document so it can be attached as-is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListRoles",
        "iam:ListGroups",
        "iam:ListPolicies",
        "iam:GetPolicy",
        "iam:GetPolicyVersion"
      ],
      "Resource": "*"
    }
  ]
}

3.2 Install Pacu

Install using pipx:

pipx install git+https://github.com/RhinoSecurityLabs/pacu.git

Verify installation:

pacu

Expected output:

Welcome to Pacu!
Type 'help' to see available commands.

4. Configure AWS Credentials

Set up AWS CLI profile:

aws configure --profile cybr

Enter:

  • Access Key ID
  • Secret Access Key
  • Region (e.g., us-east-1)
  • Output format (json)

5. Launch Pacu

Run Pacu:

pacu

When prompted, enter session name:

cybr

Session DB location:

~/.local/share/pacu/sessions/cybr/pacu.db

6. Import AWS Keys into Pacu

import_keys cybr

Verify:

whoami

Example output:

{
  "UserId": "AID1234567890EXAMPLE",
  "Arn": "arn:aws:iam::123456789012:user/Tester",
  "Account": "123456789012"
}

7. Run IAM Enumeration Module

run iam__enum_users_roles_policies_groups

This retrieves:

  • IAM Users
  • IAM Roles
  • IAM Groups
  • IAM Policies

If the module reports errors (for example "[!] No policies found."), check that the IAM user actually holds the permissions listed in section 3.1.

8. View Collected IAM Data

Use these commands:

data IAM Users
data IAM Roles
data IAM Groups
data IAM Policies

Or view the SQLite DB:

sqlite3 ~/.local/share/pacu/sessions/cybr/pacu.db

Example query:

SELECT * FROM iam_users;

Look for:

  • Dormant users
  • Over-permissive roles
  • Misconfigured trust relationships
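The three checks above can be scripted once the enumerated data is out of Pacu. The following is an added example, not part of the guide or of Pacu: it runs over records shaped like the IAM ListUsers, ListRoles and GetPolicyVersion responses and reports dormant users, roles with wildcard permissions, and trust policies that let anyone, or a foreign account without an ExternalId condition, assume the role. All records, the reference time NOW, the DORMANT_DAYS horizon and OWN_ACCOUNT are constructed assumptions.

```python
"""Added example, not part of the original guide or of Pacu: review enumerated
IAM data for the three findings listed above. The records mirror the shape of
IAM ListUsers / ListRoles / GetPolicyVersion responses, but all of them, plus
NOW, DORMANT_DAYS and OWN_ACCOUNT, are constructed assumptions."""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed reference time (assumption)
DORMANT_DAYS = 90                                 # same horizon as the key-rotation advice
OWN_ACCOUNT = "123456789012"                      # account being audited (constructed)

USERS = [  # shape of iam:ListUsers output (constructed)
    {"UserName": "alice", "PasswordLastUsed": "2024-05-30T10:00:00Z"},
    {"UserName": "bob", "PasswordLastUsed": "2023-11-01T08:00:00Z"},
    {"UserName": "svc-legacy"},  # no PasswordLastUsed: never signed in
]
ROLES = [  # shape of iam:ListRoles output, trust policy already decoded (constructed)
    {"RoleName": "AppRole", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}},
    {"RoleName": "CrossAccountAdmin", "AssumeRolePolicyDocument": {"Statement": [  # foreign account, no ExternalId
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole"}]}},
    {"RoleName": "PublicRole", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}},
]
ROLE_POLICIES = {  # policy documents attached to each role, as iam:GetPolicyVersion returns them
    "AppRole": [{"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}],
    "CrossAccountAdmin": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    "PublicRole": [{"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Principal fields."""
    return [] if value is None else value if isinstance(value, list) else [value]


def dormant_users(users, now=NOW, max_days=DORMANT_DAYS):
    """Users whose password was last used more than max_days ago, or never."""
    cutoff = now - timedelta(days=max_days)
    found = []
    for user in users:
        last = user.get("PasswordLastUsed")
        if last is None:
            found.append(user["UserName"])
            continue
        last_dt = datetime.strptime(last, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if last_dt < cutoff:
            found.append(user["UserName"])
    return found


def is_over_permissive(policy_doc):
    """True if an Allow statement grants a wildcard action on every resource."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        wildcard = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def over_permissive_roles(role_policies):
    """Role names with at least one over-permissive attached policy, sorted."""
    return sorted(name for name, docs in role_policies.items()
                  if any(is_over_permissive(doc) for doc in docs))


def trust_findings(roles, own_account=OWN_ACCOUNT):
    """Roles that anyone, or a foreign account without an ExternalId, may assume."""
    findings = {}
    for role in roles:
        for stmt in _as_list(role["AssumeRolePolicyDocument"].get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal")
            aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
            if principal == "*" or "*" in aws_principals:
                findings[role["RoleName"]] = "anyone can assume"
                continue
            conditions = stmt.get("Condition", {})
            has_external_id = any("sts:ExternalId" in v for v in conditions.values()
                                  if isinstance(v, dict))
            for arn in aws_principals:
                parts = arn.split(":")  # arn:aws:iam::<account>:root -> account is field 4
                account = parts[4] if len(parts) >= 6 else ""
                if account and account != own_account and not has_external_id:
                    findings[role["RoleName"]] = f"account {account} without ExternalId"
    return findings


def audit(users=USERS, roles=ROLES, role_policies=ROLE_POLICIES):
    """Run all three checks and return one report dictionary."""
    return {"dormant_users": dormant_users(users),
            "over_permissive_roles": over_permissive_roles(role_policies),
            "trust_findings": trust_findings(roles)}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

On the sample data the report lists bob and svc-legacy as dormant, CrossAccountAdmin and PublicRole as over-permissive, and flags both of those roles' trust policies. To use it against a real enumeration, feed the lists Pacu collected (or the raw API responses) into audit() in place of the constructed constants.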

9. Defending Against IAM Enumeration Attacks

9.1 Key Defensive Strategies

Enforce Least Privilege:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket/*",
        "arn:aws:s3:::example-bucket"
      ]
    }
  ]
}

Monitor IAM Activity:

aws cloudtrail create-trail --name MyTrail --s3-bucket-name my-cloudtrail-bucket
aws cloudtrail start-logging --name MyTrail
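Once the trail is logging, the enumeration module leaves a recognisable footprint: one principal issuing several distinct IAM List/Get calls within seconds. The following is an added example, not part of the guide or of Pacu, of a detection that reads CloudTrail records (JSON, one per line) and raises one alert per principal whose densest sliding window holds at least MIN_DISTINCT distinct enumeration calls. The records, MIN_DISTINCT and WINDOW_SECONDS are constructed assumptions; the field names are the standard CloudTrail ones.

```python
"""Added example, not part of the original guide or of Pacu: a detection that
reads CloudTrail records and flags a principal issuing many distinct IAM
read/list calls inside a short window, the footprint an enumeration module
leaves. The records, MIN_DISTINCT and WINDOW_SECONDS are constructed
assumptions; the field names are the standard CloudTrail ones."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# IAM read-only calls the module needs permission for, plus the bulk export
# call; a burst of distinct calls from one principal is the signal.
ENUM_CALLS = {"ListUsers", "ListRoles", "ListGroups", "ListPolicies",
              "GetPolicy", "GetPolicyVersion", "GetAccountAuthorizationDetails"}
MIN_DISTINCT = 4      # distinct enumeration calls needed to alert (assumption)
WINDOW_SECONDS = 60   # sliding window length (assumption)

# Constructed CloudTrail records, one JSON object per line (not real events).
SAMPLE_RECORDS = """\
{"eventTime":"2024-06-01T12:00:01Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","userIdentity":{"arn":"arn:aws:iam::123456789012:user/Tester"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-06-01T12:00:02Z","eventSource":"iam.amazonaws.com","eventName":"ListRoles","userIdentity":{"arn":"arn:aws:iam::123456789012:user/Tester"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-06-01T12:00:02Z","eventSource":"iam.amazonaws.com","eventName":"ListGroups","userIdentity":{"arn":"arn:aws:iam::123456789012:user/Tester"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-06-01T12:00:03Z","eventSource":"iam.amazonaws.com","eventName":"ListPolicies","userIdentity":{"arn":"arn:aws:iam::123456789012:user/Tester"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-06-01T12:00:04Z","eventSource":"iam.amazonaws.com","eventName":"GetPolicy","userIdentity":{"arn":"arn:aws:iam::123456789012:user/Tester"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-06-01T12:00:05Z","eventSource":"iam.amazonaws.com","eventName":"GetPolicyVersion","userIdentity":{"arn":"arn:aws:iam::123456789012:user/Tester"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-06-01T12:03:00Z","eventSource":"iam.amazonaws.com","eventName":"GetPolicy","userIdentity":{"arn":"arn:aws:iam::123456789012:user/deploy"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-06-01T12:03:20Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::123456789012:user/deploy"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-06-01T12:09:00Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","userIdentity":{"arn":"arn:aws:iam::123456789012:user/deploy"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-06-01T12:09:30Z","eventSource":"iam.amazonaws.com","eventName":"ListRoles","userIdentity":{"arn":"arn:aws:iam::123456789012:user/deploy"},"sourceIPAddress":"198.51.100.7"}
"""


def _ts(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_records(text):
    """Parse JSON-lines CloudTrail records, keeping only IAM enumeration calls."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("eventSource") == "iam.amazonaws.com" and rec.get("eventName") in ENUM_CALLS:
            events.append((_ts(rec["eventTime"]), rec["userIdentity"]["arn"],
                           rec["eventName"], rec.get("sourceIPAddress", "")))
    return events


def detect_enumeration(events, min_distinct=MIN_DISTINCT, window=WINDOW_SECONDS):
    """Sliding window per principal: report the densest window of distinct
    enumeration calls, and alert when it reaches min_distinct."""
    by_principal = defaultdict(list)
    for ts, arn, name, ip in events:
        by_principal[arn].append((ts, name, ip))
    alerts = []
    for arn, evs in by_principal.items():
        evs.sort()
        start = 0
        seen = defaultdict(int)  # eventName -> count inside the current window
        best = None
        for ts, name, ip in evs:
            seen[name] += 1
            while (ts - evs[start][0]).total_seconds() > window:  # slide the left edge
                seen[evs[start][1]] -= 1
                if seen[evs[start][1]] == 0:
                    del seen[evs[start][1]]
                start += 1
            if best is None or len(seen) > best["distinct"]:
                best = {"principal": arn, "source_ip": ip, "distinct": len(seen),
                        "calls": sorted(seen), "first": evs[start][0].isoformat(),
                        "last": ts.isoformat()}
        if best["distinct"] >= min_distinct:
            alerts.append(best)
    return alerts


def run(text=SAMPLE_RECORDS):
    """Parse and detect in one call; returns the list of alerts."""
    return detect_enumeration(parse_records(text))


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

The sample yields a single alert for the Tester user (six distinct calls in four seconds); the deploy user's scattered calls never put more than two distinct names inside one window, so no alert fires. The thresholds are a starting point: tune them against the normal rate of IAM reads from automation in your own account before wiring the logic into a real pipeline.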

Audit Policies Regularly: Use AWS IAM Access Analyzer.

Require MFA: Enforce MFA for IAM users.

9.2 Best Practices

  • Disable inactive users
  • Rotate access keys every 90 days
  • Use AWS Config for IAM change tracking

Tip
Enable CloudTrail in all regions for comprehensive logging.

10. Conclusion

Pacu streamlines IAM enumeration:

  • ✅ Map IAM assets
  • ✅ Detect misconfigurations
  • ✅ Automate audits

This guide covered setup, module execution, data review, and defenses.

Next Steps:

  • Explore iam__enum_permissions
  • Automate tasks with scripts
  • Contribute to Pacu on GitHub

11. Acknowledgments

Special thanks to Tyler Ramsey for introducing me to Pacu and inspiring the creation of this guide. His mentorship and insights were invaluable in helping me learn AWS penetration testing.

12. Disclaimer

Educational use only. Obtain permission before testing AWS environments.