Nikos Mantas
TL;DR: OrangeCon is over, but testing and learning never end. To accompany our OrangeCon workshop “AWS enumeration for purple teams”, we are sharing our thoughts on detecting the abuse of cloud-native services and releasing a new FalconFriday rule in our GitHub. This FalconFriday is closely connected with our earlier blog on dAWShund.
AWS access management challenges
When working with AWS, access management often boils down to properly configuring IAM policies. For threat actors, however, these same policies provide an opportunity: by simulating policies, they can explore the boundaries of their access and identify escalation paths. Cloud services were designed to help administrators and defenders reduce the attack surface of their infrastructure, but unfortunately they also provide convenient (and abusable) ways to perform reconnaissance.
In this FalconFriday, we’ll dive into how AWS’ IAM Policy Simulator can be abused, what information can be harvested, how we can detect these activities, and how adversaries may further enrich their enumeration using AWS native tools like Credential Report and Access Analyzer.
IAM Policy Simulator abuse
The IAM Policy Simulator was built to help administrators validate and troubleshoot IAM policies. Threat actors however can also leverage it to better understand their effective permissions in a compromised environment. This activity helps them enumerate which actions and resources they can access, building a roadmap for lateral movement or privilege escalation.
Policy simulation can be performed in two ways:
1. Via the IAM Policy Simulator web console
- Accessible at https://policysim.aws.amazon.com/
- An attacker with leaked credentials can log in and manually test actions of specific policies against the live target environment.
- It is slow and less scalable, but still effective for targeted exploration.
2. Via the Policy Simulation APIs
- AWS provides two APIs to simulate permissions: SimulatePrincipalPolicy (evaluates the policies attached to an existing principal) and SimulateCustomPolicy (evaluates policy documents supplied in the request).
- With stolen access keys, attackers can programmatically query their effective permissions.
- This is highly efficient, since automation can be used to map out permissions at scale.
- To demonstrate this in practice, we have created dAWShund, a framework that automates enumeration of IAM permissions using the Policy Simulator APIs and quickly maps over-privileged accounts and potential attack paths.
Detecting abuse
The use of the IAM Policy Simulator leaves behind some subtle but unique footprints in CloudTrail logs. Our detection is broken into two parts to cover both web console and API abuse.
To avoid unnecessary pagination, the simulator calls ListUsers with a maxItems value of 50 and the other List* operations with a maxItems value of 1000. We use this pattern in our detection to differentiate simulator activity from standard console or SDK usage, where these page sizes are not the defaults.
That said, enumeration in AWS is notoriously difficult to detect. Blue teams typically rely on volumetric signals such as bursts of API calls, which stand out more clearly than single requests. Still, careful research into the unique footprints left by tools and frameworks can occasionally provide a glimpse into attacker behavior. These indicators sit low on the Pyramid of Pain, since a tool author can change a page size trivially, so treat them as context for an investigation rather than as a standalone verdict.
The real power of enumeration lies in policy validation. With SimulatePrincipalPolicy and SimulateCustomPolicy, attackers don’t need to guess: they can query AWS directly whether a specific action is allowed under current policies. This drastically reduces noise and speeds up reconnaissance.
From a defender’s perspective, this is valuable intelligence. These API calls are rarely used in day-to-day operations. When they appear in CloudTrail, they indicate either administrative troubleshooting or an attempt to evaluate fetched policies, i.e. to establish which of the actions listed in the Action statements of the policy documents are effectively allowed. When correlated with other unusual automation patterns (e.g., a dAWShund-like burst of simulation requests from one principal), you can confidently flag suspicious behavior.
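The two footprints described above, the simulator's pagination sizes and the rare Simulate* APIs, turned into detection logic and run over constructed CloudTrail records. This is an added example, not code from the original post or from dAWShund; it assumes the records follow the CloudTrail JSON shape (eventSource, eventName, userIdentity.arn, sourceIPAddress, requestParameters) and that maxItems is logged as an integer inside requestParameters. The sample records, account id and IP addresses are constructed.

```python
# Added example (not code from the original post or from dAWShund): the two
# CloudTrail footprints described above, implemented over constructed records.
# Assumptions: records follow the CloudTrail JSON shape (eventSource, eventName,
# userIdentity.arn, sourceIPAddress, requestParameters) and maxItems is logged
# as an integer inside requestParameters.
from collections import Counter, defaultdict

SIMULATION_APIS = {"SimulatePrincipalPolicy", "SimulateCustomPolicy"}
SIM_LISTUSERS_MAXITEMS = 50   # page size the simulator uses for ListUsers
SIM_LIST_MAXITEMS = 1000      # page size it uses for the other List* calls


def _principal(record):
    return (record.get("userIdentity") or {}).get("arn", "unknown")


def _max_items(record):
    # requestParameters is null in CloudTrail when a call carries no parameters
    return (record.get("requestParameters") or {}).get("maxItems")


def simulator_console_principals(records):
    """Principals whose IAM List* calls show both halves of the simulator's
    pagination pattern: ListUsers with maxItems=50 and another List* with 1000.
    Requiring both halves keeps a lone maxItems=1000 CLI call from matching."""
    parts = defaultdict(set)
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com":
            continue
        name, mi = r.get("eventName", ""), _max_items(r)
        if name == "ListUsers" and mi == SIM_LISTUSERS_MAXITEMS:
            parts[_principal(r)].add("ListUsers")
        elif name.startswith("List") and name != "ListUsers" and mi == SIM_LIST_MAXITEMS:
            parts[_principal(r)].add("List*")
    return sorted(p for p, seen in parts.items() if seen == {"ListUsers", "List*"})


def simulation_api_counts(records):
    """Simulate* calls per (principal, source IP): rare in day-to-day operations,
    and a high count from one principal is the bulk pattern tooling produces."""
    counts = Counter()
    for r in records:
        if r.get("eventName") in SIMULATION_APIS:
            counts[(_principal(r), r.get("sourceIPAddress"))] += 1
    return counts


def findings(records, burst_threshold=3):
    """Both signals as review-ready findings; the threshold is a tuning knob."""
    out = [{"principal": p, "signal": "policy-simulator-console-pagination"}
           for p in simulator_console_principals(records)]
    for (p, ip), n in sorted(simulation_api_counts(records).items()):
        signal = "simulation-api-burst" if n >= burst_threshold else "simulation-api-use"
        out.append({"principal": p, "source_ip": ip, "calls": n, "signal": signal})
    return out


# Constructed sample records (RFC 5737 documentation IPs, placeholder account id).
_ACCT = "arn:aws:iam::111111111111:user/"
_CONTRACTOR, _ADMIN = _ACCT + "contractor", _ACCT + "admin"


def _rec(name, arn, ip, params, source="iam.amazonaws.com"):
    return {"eventSource": source, "eventName": name, "userIdentity": {"arn": arn},
            "sourceIPAddress": ip, "requestParameters": params}


SAMPLE_RECORDS = [
    # simulator web console opened with the contractor's leaked credentials
    _rec("ListUsers", _CONTRACTOR, "203.0.113.10", {"maxItems": 50}),
    _rec("ListGroups", _CONTRACTOR, "203.0.113.10", {"maxItems": 1000}),
    _rec("ListRoles", _CONTRACTOR, "203.0.113.10", {"maxItems": 1000}),
    # ordinary admin activity: default page size, plus one lone maxItems=1000 call
    _rec("ListUsers", _ADMIN, "198.51.100.7", None),
    _rec("ListRoles", _ADMIN, "198.51.100.7", {"maxItems": 1000}),
    # scripted simulation from the same contractor identity (dAWShund-like bulk)
    *[_rec("SimulatePrincipalPolicy", _CONTRACTOR, "203.0.113.10",
           {"policySourceArn": _CONTRACTOR, "actionNames": [a]})
      for a in ("iam:CreateAccessKey", "s3:GetObject", "sts:AssumeRole")],
    # a single troubleshooting call by the admin
    _rec("SimulateCustomPolicy", _ADMIN, "198.51.100.7", {"actionNames": ["s3:GetObject"]}),
]

if __name__ == "__main__":
    for f in findings(SAMPLE_RECORDS):
        print(f)
```

Running it yields one console-pagination finding for the contractor, a low-count "simulation-api-use" finding for the admin (a plausible troubleshooting call) and a "simulation-api-burst" finding for the contractor. The admin's lone ListRoles with maxItems=1000 is deliberately not enough on its own, which is the same reasoning as the page-size rule in the CloudTrail detection: a single half of the pattern is too common to act on.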
A taste of our own medicine: enrichment of enumeration with AWS-native tools
Once attackers have enumerated permissions, they can pivot to AWS-native tools designed for governance and attack surface reduction. These tools provide valuable insights to defenders, but unfortunately also to adversaries. While their use alone does not justify a standalone detection, it provides excellent context during threat hunting.
Credential report
- Generates a report of all IAM users, their credentials, MFA status, and password age.
- Useful for administrators to assess hygiene, and for attackers to identify dormant accounts, missing MFA, or weak credential practices. GetCredentialReport fails with an error when no report is available to download (an attacker has to call GenerateCredentialReport first and wait for it), which creates a good opportunity to catch careless attackers.
Hunting query (KQL — CloudTrail logs):
AWSCloudTrail
// GetCredentialReport without a previously generated report fails with this error
| where EventName =~ "GetCredentialReport"
| where ErrorCode =~ "CredentialReportNotPresentException"
Access Analyzer
- Identifies resources shared with external principals (e.g., S3 buckets accessible to another account or public).
- Great for reducing attack surface by highlighting unintended exposures.
- For attackers, this is an intelligence goldmine: they can quickly map externally accessible resources.
Hunting query (KQL — CloudTrail logs):
AWSCloudTrail
| where EventName in~ ("CreateAccessAnalyzer","ValidatePolicy","ListAnalyzers")
// bucket per hour: summarizing by the raw event timestamp yields one row per call
| summarize count() by bin(EventTime, 1h), UserIdentityArn, SourceIpAddress
Wrapping up
Enumeration in AWS is about mapping the boundaries of access. Threat actors begin with listing principals, policies, and resources, then pivot into policy validation to uncover real opportunities. The IAM Policy Simulator — whether via console or API — provides a powerful way to achieve this, and tools like dAWShund make this process efficient and scalable.
Detection hinges on recognizing subtle simulator footprints and the rare use of the simulation APIs. While volumetrics remain the most reliable approach, researching tool-specific behaviors can occasionally reveal attacker presence, albeit at the lower levels of the Pyramid of Pain. We hope the publicly available detection content in this blog will further assist blue teams in their endeavors. Enrichment with Credential Reports and Access Analyzer further demonstrates how AWS-native tools, intended for security, can also be abused for reconnaissance. We strongly recommend limiting their usage to absolute operational needs and frequently cleaning up or archiving the findings after auditing access.
Want to have access to our repository with over 600 advanced detections? Please have a look at our commercial offering and reach out via [email protected].
FalconForce realizes ambitions by working closely with its customers in a methodical manner, improving their security in the digital domain.
Energieweg 3
3542 DZ Utrecht
The Netherlands
FalconForce B.V.
[email protected]
(+31) 85 044 93 34
KVK 76682307
BTW NL860745314B01