  • Learn real-world methods for auditing AWS IAM (Identity and Access Management) as a pentester: a brief introduction to IAM, followed by typical misconfigurations and how they can be exploited, to reinforce IAM security best practices.
  • Gain actionable insights into AWS IAM policies and roles using a hands-on approach.


  • Basic understanding of AWS services and architecture
  • Familiarity with cloud security concepts
  • Experience using the AWS Management Console or AWS CLI.
  • For the hands-on lab, create an account on killercoda.com

Scenarios Covered:

  • Basics of IAM in AWS
  • Implementing IAM Policies with Least Privilege to Manage S3 Bucket
    • Objective: Create an S3 bucket with least privilege IAM policy and validate access.
    • Steps:
      • Create S3 bucket.
      • Attach least privilege policy to IAM user.
      • Validate access.
  • Exploiting IAM PassRole Misconfiguration: PassRole allows a user to pass a specific IAM role to an AWS service (EC2), typically to delegate access to that service. A PassRole misconfiguration is then exploited to gain unauthorized access to sensitive resources.
    • Objective: Demonstrate how a PassRole misconfiguration can grant unauthorized access.
    • Steps:
      • Allow user to pass IAM role to EC2.
      • Exploit misconfiguration for unauthorized access.
      • Access sensitive resources.
  • Exploiting IAM AssumeRole Misconfiguration with Overly Permissive Role
    • An overly permissive IAM role configuration can lead to privilege escalation: a role is created with administrative privileges and a user is allowed to assume it.
    • Objective: Show how overly permissive IAM roles can lead to privilege escalation.
    • Steps:
      • Create role with administrative privileges.
      • Allow user to assume the role.
      • Perform administrative actions.
  • Differentiating PassRole from AssumeRole
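As an added example that is not part of the workshop material, the following Python check audits identity-based policy documents for the shapes the three scenarios contrast: ARN-scoped least-privilege grants pass, while iam:PassRole or sts:AssumeRole on Resource "*", and Action "*" on Resource "*", are reported. The policy documents and the bucket name are constructed for this example.

```python
import fnmatch
import json

# Constructed sample policy documents (not from the workshop) modelling the three scenarios.
LEAST_PRIVILEGE_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-lab-bucket/*"}]}  # constructed bucket name
PASSROLE_MISCONFIG = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}]}
OVERLY_PERMISSIVE_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Actions that are dangerous when granted on Resource "*", with the reason to report.
SENSITIVE = {
    "iam:PassRole": "iam:PassRole on any role lets the principal attach a privileged role to a service (e.g. EC2)",
    "sts:AssumeRole": "sts:AssumeRole on any role lets the principal assume every role whose trust policy permits it",
}

def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _grants(pattern, action):
    """Action names are case-insensitive and may use wildcards such as 'iam:*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def audit_policy(policy):
    """Return findings for a policy given as a dict or JSON string.

    Only Allow statements with a literal Resource "*" are examined; ARN-scoped
    statements are the least-privilege shape. NotAction/NotResource are not handled.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        granted = _as_list(stmt.get("Action", []))
        if "*" in granted:
            findings.append(f"statement {idx}: Action * on Resource * grants administrative access")
            continue
        for action, reason in SENSITIVE.items():
            if any(_grants(g, action) for g in granted):
                findings.append(f"statement {idx}: {reason}")
    return findings

if __name__ == "__main__":
    for name, doc in [("least-privilege S3", LEAST_PRIVILEGE_S3), ("PassRole misconfiguration", PASSROLE_MISCONFIG),
                      ("overly permissive role", OVERLY_PERMISSIVE_ROLE)]:
        print(name, "->", audit_policy(doc) or ["no findings"])
```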

Try at killercoda.com


Divyanshu Shukla

Senior cloud security engineer with more than 7 years of experience in Infra Security Review, Cloud Security Pentest, DevSecOps, Web Application Pentesting, Mobile Pentesting, and Automation. He has reported multiple vulnerabilities to companies like AWS, Airbnb, Google, Microsoft, Apple, Amazon, Samsung, Zomato, Xiaomi, Alibaba, Opera, Protonmail, Mobikwik, etc., and received CVE-2019-8727, CVE-2019-16918, CVE-2019-12278, and CVE-2019-14962 for reporting issues. Author of Burp-o-mation and a very-vulnerable-serverless application. Also an AWS Community Builder for security and a Defcon Cloud Village crew member in 2020/2021/2022. He has also given training and talks at events like Nullcon Hyderabad, Blackhat Arsenal, C0c0n, Nullcon Goa, Bsides Bangalore 2023, Parsec IIT Dharwad, and the Null community.


Starts on Saturday, June 15 2024, 11:10 AM. The session runs for about 1 hour.