AWS CloudTrail bypass for specific IAM actions

Through an undocumented API service called 'iamadmin', attackers could invoke any of 13 read-only IAM actions without the activity being being logged to CloudTrail.
These actions included listing group policies (iam:ListGroupPolicies), listing access keys (iam:ListAccessKeys), retrieving information about a role (iam:GetRole), and more.
This could have enabled adversaries to perform enumeration and reconnaissance activity undetected after gaining a foothold in a victim AWS environment.

access access keys actions adversaries api attackers aws aws cloudtrail bypass called cloudtrail enumeration environment group policies iam information keys listing policies reconnaissance role service undetected victim