added details on IAM enumeration

Enumeration/AWS.md

@@ -447,6 +447,45 @@ Trufflehog](https://github.com/trufflesecurity/trufflehog).
 Other repositories, like package repository for programming, are also prone to
 contain credentials unintentionally.
 
+Credentials can be found in environment variables like `AWS_SESSION_TOKEN`,
+`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, shared credential files inside
+home directories like `~/.aws/credentials`, assumed roles cached in
+`~/.aws/cli/cached`, aws cli configuration file `~/.aws/configuration`, Boto2
+and Boto3 or via the [IMDS](#Metadata-Service) on EC2 instances.
+
+You can get the account name through the STS service using the access-key
+
+```sh
+aws sts get-access-key-info --access-key-id <AKIA-key>
+```
+
+Identify AccountId, IAM Roles and users as valid principals in an account by
+creating a resourced based policy. Create the resource which is in need of a
+resource based policy and update it for the principal you want to enumerate.
+There are two outcomes
+
+* The principal exists, the policy will be updated/created
+* The principal does not exist and there is an error message returned
+
+Use [Righteousgambit's Quiet
+Riot](https://github.com/righteousgambit/quiet-riot) to enumerate AWS, Azure
+,GCP principals. A userlist is needed for enumeration of an AccountId.
+ACL can contain email addresses of root users. These addresses can be found by
+quiet riot as well. AWS Service Footprinting and roles can be done by quiet
+riot, too.
+
+These different scans are parameters for the `--scan` argument. AWs scans
+contain the following numbers.
+
+```sh
+1. AWS Account IDs
+2. AWS Services Footprinting
+4. AWS Root User E-mail Address
+5. AWS IAM Principals
+  4.1. IAM Roles
+  4.2. IAM Users
+```
+
 #### Gain Access through CloudFormation
 
 It is possible to phish credentials through url manipulation and sending it to
@@ -726,20 +765,13 @@ Now the VPC and EC2 is accessible through the internet.
 
 ### Metadata Service
 
+#### Metdata Service on EC2
+
 The instance (Openstack) Metadata service can be found under 169.254.169.254.
 It can be used
 to gain information about the EC2 via a GET request to
 `http://169.254.169.254/latest/meta-data`.
 
-The task metadata service can be found at 169.254.170.2 and is used for the
-[Elastic Container Service (ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html)
-
-From inside a container curl can be used to get the credentials
-
-```sh
-curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
-```
-
 The instance metadata service has been used for information disclosure of
 security credentials before.
 [Alexander
@@ -780,6 +812,24 @@ aws_secret_access_key = UeEevJGByhEXAMPLEKEYEXAMPLEKEY
 aws_session_token = TQijaZw==
 ```
 
+#### Metadata Service on ECS
+
+This task metadata service can be found at 169.254.170.2 and is used for the
+[Elastic Container Service (ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html)
+
+Elastic Container Service is using the version 2 of IMDS. The URL for the
+metadata service is the following.
+
+```http
+http://169.254.170.2/v2/metadata
+```
+
+From inside a container curl can be used to get the credentials
+
+```sh
+curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+```
+
 ### Simple Storage Service (S3)
 
 [S3](https://aws.amazon.com/s3/) is an object storage without volume limits.