An alternative method

An important point to note is that this script will fail if the user does not have the iam:GetAccountAuthorizationDetails permission, because they will not be able to gather the list of users, groups, roles, and policies. To potentially solve this problem, we can refer back to the beginning of this section, where it was noted that there is sometimes more than one way to do something through the AWS API, and those different ways require different sets of permissions.

In the case where our user does not have the iam:GetAccountAuthorizationDetails permission but does have other IAM read permissions, it might still be possible to enumerate our list of permissions. We will not be creating a script that does this here, but the following is a general guide if you would like to try it out:

  1. Check if we have the iam:GetAccountAuthorizationDetails permission
  2. If so, run the script that we just created
  3. If not, continue with step 4
  4. Use the iam:GetUser API to determine what user we are (note that this won't work for roles!)
  5. Use the iam:ListUserPolicies API to fetch the list of inline policies that are attached to our user
  6. Use the iam:GetUserPolicy API to fetch the documents for each inline policy
  7. Use the iam:ListAttachedUserPolicies API to fetch the list of managed policies that are attached to our user
  8. Use the iam:GetPolicy API to determine the default version for each managed policy that is attached to our user
  9. Use the iam:GetPolicyVersion API to fetch the policy document for each managed policy that is attached to our user
  10. Use the iam:ListGroupsForUser API to find out what groups our user is a part of
  11. Use the iam:ListGroupPolicies API to list the inline policies that are attached to each group
  12. Use the iam:GetGroupPolicy API to get the document for each inline policy that is attached to each group
  13. Use the iam:ListAttachedGroupPolicies API to list the managed policies that are attached to each group
  14. Use the iam:GetPolicy API to determine the default version for each managed policy that is attached to each group
  15. Use the iam:GetPolicyVersion API to fetch the policy document for each managed policy that is attached to each group
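The walk in steps 4 to 15, written out as an added example (this is not code from the book). It assumes a boto3 IAM client (`boto3.client("iam")`), whose method names map one-to-one onto the APIs listed above, and uses a constructed `FakeIam` stand-in with sample policies so that it runs offline; the same walk is what a defender would run to audit what a given user can actually do.

```python
def enumerate_user_policies(iam, user_name=None):
    """Return {label: policy_document} for every policy reachable from the calling user
    (steps 4-15 above). `iam` is a boto3 IAM client or look-alike; pagination is omitted."""
    user_name = user_name or iam.get_user()["User"]["UserName"]     # iam:GetUser (not for roles)
    docs = {}
    def add_managed(attached):                                       # iam:GetPolicy + iam:GetPolicyVersion
        for p in attached["AttachedPolicies"]:
            arn = p["PolicyArn"]
            ver = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
            docs[arn] = iam.get_policy_version(PolicyArn=arn, VersionId=ver)["PolicyVersion"]["Document"]
    for name in iam.list_user_policies(UserName=user_name)["PolicyNames"]:       # iam:ListUserPolicies
        docs[f"user:{user_name}/{name}"] = iam.get_user_policy(                  # iam:GetUserPolicy
            UserName=user_name, PolicyName=name)["PolicyDocument"]
    add_managed(iam.list_attached_user_policies(UserName=user_name))            # iam:ListAttachedUserPolicies
    for group in iam.list_groups_for_user(UserName=user_name)["Groups"]:        # iam:ListGroupsForUser
        g = group["GroupName"]
        for name in iam.list_group_policies(GroupName=g)["PolicyNames"]:         # iam:ListGroupPolicies
            docs[f"group:{g}/{name}"] = iam.get_group_policy(                    # iam:GetGroupPolicy
                GroupName=g, PolicyName=name)["PolicyDocument"]
        add_managed(iam.list_attached_group_policies(GroupName=g))              # iam:ListAttachedGroupPolicies
    return docs

def summarize_actions(docs):        # -> (allowed, denied) action sets over all collected statements
    allowed, denied = set(), set()
    for doc in docs.values():
        statements = doc["Statement"]
        if isinstance(statements, dict):        # a single statement may be a bare object
            statements = [statements]
        for stmt in statements:
            actions = stmt.get("Action", [])
            if isinstance(actions, str):        # "Action" may be a string or a list
                actions = [actions]
            (allowed if stmt.get("Effect") == "Allow" else denied).update(actions)
    return allowed, denied

class FakeIam:
    """Constructed offline stand-in for boto3's IAM client: user 'alice' in group 'devs'."""
    DOCS = {"s3-inline": {"Statement": {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}},
            "no-delete": {"Statement": [{"Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": "*"}]},
            "arn:aws:iam::aws:policy/ReadOnlyAccess": {"Statement": [{"Effect": "Allow", "Action": ["iam:List*", "iam:Get*"], "Resource": "*"}]}}
    def get_user(self): return {"User": {"UserName": "alice"}}
    def list_user_policies(self, UserName): return {"PolicyNames": ["s3-inline"]}
    def get_user_policy(self, UserName, PolicyName): return {"PolicyDocument": self.DOCS[PolicyName]}
    def list_attached_user_policies(self, UserName): return {"AttachedPolicies": []}
    def list_groups_for_user(self, UserName): return {"Groups": [{"GroupName": "devs"}]}
    def list_group_policies(self, GroupName): return {"PolicyNames": ["no-delete"]}
    def get_group_policy(self, GroupName, PolicyName): return {"PolicyDocument": self.DOCS[PolicyName]}
    def list_attached_group_policies(self, GroupName): return {"AttachedPolicies": [{"PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}
    def get_policy(self, PolicyArn): return {"Policy": {"DefaultVersionId": "v1"}}
    def get_policy_version(self, PolicyArn, VersionId): return {"PolicyVersion": {"Document": self.DOCS[PolicyArn]}}
```

Against a real account, replace `FakeIam()` with `boto3.client("iam")` and add Marker/IsTruncated handling to the list_* calls, since the results are paginated for principals with many policies or groups.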

As you can probably tell, this method of permission enumeration requires far more API calls to AWS, and it will likely be a lot louder to a listening defender than our first method, since every call is logged separately. However, it might be the right choice if you don't have the iam:GetAccountAuthorizationDetails permission but you do have the permissions required to follow all the steps that are listed.
