DEV Community

Shieldly
Shieldly

Posted on • Originally published at shieldly.io

9 AWS IAM Privilege Escalation Methods You Can Check in 5 Minutes

Most AWS IAM breaches do not start with a zero-day. They start with a policy that
granted one permission too many — and that single permission turned out to be a path to
administrator. Here are nine real privilege-escalation methods, what each one needs, and
how to close it. Each links to a deeper write-up with an example vulnerable policy and the
exploit command.

Self-service to admin

These need nothing but a permission on your own identity:

  • iam:AttachUserPolicy — attach AdministratorAccess to your own user.
  • iam:PutUserPolicy — write an inline "Action": "*" policy on yourself.
  • iam:UpdateLoginProfile — reset the console password of a more-privileged user and sign in as them (unless they have MFA).
  • iam:AttachGroupPolicy / iam:PutGroupPolicy — attach or inline admin onto a group you belong to; every member inherits it.

Role-based, if you can assume the role

PassRole + a compute service

iam:PassRole is the most abused permission on AWS because it is the bridge between
"I can configure a service" and "that service runs as a privileged role":

  • ECS — register a task definition whose task role is privileged, run it, read the credentials from the task metadata endpoint.
  • Lambda event source mapping — create a function with a privileged execution role and trigger it from a stream, no lambda:InvokeFunction required.

Already on the box

  • ssm:SendCommand — run commands on an EC2 instance that already holds a privileged instance-profile role, and use its credentials off-box. No iam:PassRole needed.

The common fix

Across all of these the pattern is the same: scope iam:PassRole with an
iam:PassedToService condition and a role allowlist, restrict the policy/role-management
actions to administrators, and apply a permissions boundary so an attached admin policy
can never exceed the boundary.

You can paste a policy into Shieldly and get AI-Powered
analysis of exactly which of these paths it opens and the conditioned fix — free, no signup.
The full reference of escalation methods is at
shieldly.io/iam.

Disclosure: I help build Shieldly.

Top comments (0)