IAM Privilege Escalation Paths

Description

Over-permissive IAM policies let a principal escalate privileges in many ways: passing a powerful role with iam:PassRole to a compute service it controls, calling sts:AssumeRole into an admin role, attaching AdministratorAccess to itself, creating a new default version of an attached policy with broader actions, updating a role's trust policy to include itself, or using CloudFormation, Glue, CodeBuild or SSM to pivot into higher privilege.

Examples

Identify Risky Permissions

aws iam list-attached-user-policies --user-name <user>
aws iam list-user-policies --user-name <user>
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<acct>:user/<user> \
  --action-names iam:PassRole iam:AttachUserPolicy iam:CreateAccessKey sts:AssumeRole
aws accessanalyzer validate-policy --policy-document file://policy.json
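The CLI calls above answer the question one principal at a time. The Python script below is an added example, not the page's own tooling: it applies the same check statically to a policy document (the JSON that validate-policy consumes), flags the escalation-enabling actions named in the Description, treats `iam:*`, `*` and NotAction grants as matches, and reports whether each iam:PassRole grant carries an iam:PassedToService or iam:AssociatedResourceArn condition. The two policy documents, the account ID and the RISKY_ACTIONS list are constructed/assumed; the second document shows the scoped PassRole form recommended under Remediation so the two results can be compared.

```python
"""Static check of IAM policy documents for escalation-enabling grants.
Added example, not part of the original page: the two policy documents are
constructed samples and RISKY_ACTIONS is an assumed starting list."""
import fnmatch

# Actions that commonly open an escalation path when granted without tight
# Resource/Condition scoping (assumed list; extend it for your environment).
RISKY_ACTIONS = [
    "iam:PassRole",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "sts:AssumeRole",
]
# Condition keys that tie an iam:PassRole grant to an intended consumer.
PASSROLE_CONDITION_KEYS = {"iam:PassedToService", "iam:AssociatedResourceArn"}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _granting_patterns(stmt, risky):
    """Action patterns in an Allow statement that cover `risky` ([] if none)."""
    if "NotAction" in stmt:
        # NotAction allows everything except the listed patterns.
        excluded = _as_list(stmt["NotAction"])
        return [] if any(_matches(e, risky) for e in excluded) else ["NotAction"]
    return [a for a in _as_list(stmt.get("Action")) if _matches(a, risky)]


def find_escalation_risks(policy):
    """One finding per (Allow statement, risky action) pair the policy grants."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        sid = stmt.get("Sid", f"Statement[{idx}]")
        resources = _as_list(stmt.get("Resource"))
        cond_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        for risky in RISKY_ACTIONS:
            granting = _granting_patterns(stmt, risky)
            if not granting:
                continue
            finding = {"sid": sid, "action": risky, "granted_by": granting,
                       "wildcard_resource": "*" in resources}
            if risky == "iam:PassRole":
                # Without PassedToService/AssociatedResourceArn the holder can
                # hand the role to any service that accepts one.
                finding["unscoped_passrole"] = not (cond_keys & PASSROLE_CONDITION_KEYS)
            findings.append(finding)
    return findings


def summarize(policy):
    """Compact view: distinct risky actions, PassRole scoping, wildcard grants."""
    findings = find_escalation_risks(policy)
    return {
        "risky_actions": sorted({f["action"] for f in findings}),
        "unscoped_passrole": any(f.get("unscoped_passrole") for f in findings),
        "wildcard_resource_grants": sum(1 for f in findings if f["wildcard_resource"]),
    }


# Constructed sample 1: a "developer" policy carrying several escalation paths.
OVER_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PassAnyRole", "Effect": "Allow",
         "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
        {"Sid": "SelfService", "Effect": "Allow", "Action": "iam:*",
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
    ],
}
# Constructed sample 2: PassRole pinned to one role and one service, the shape
# recommended under Remediation; read-only IAM actions stay allowed.
HARDENED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PassLambdaRoleOnly", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/lambda-app-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Sid": "ReadOnlyIam", "Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("over-permissive", OVER_PERMISSIVE), ("hardened", HARDENED)):
        print(name, summarize(doc))
```

Feed it the JSON from get-policy-version or an inline user/role policy and it reports which of the watched actions the document grants, whether any grant sits on `Resource: "*"`, and whether iam:PassRole is left unscoped. It is a static complement to simulate-principal-policy, not a replacement: it does not evaluate SCPs, permission boundaries or resource policies, so a clean result here only means the document itself adds no obvious escalation path.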

Attempt Role Assumption / PassRole

aws sts assume-role --role-arn arn:aws:iam::<acct>:role/<role> --role-session-name test

If the call succeeds, the principal can move laterally into that role and escalate privileges through it.

Detect self-management and policy-version escalation paths

aws iam list-policies --only-attached --query "Policies[?PolicyName=='AdministratorAccess']"
aws iam list-policy-versions --policy-arn <policy-arn>
aws iam get-role --role-name <role> --query 'Role.AssumeRolePolicyDocument'

Remediation

  1. Apply least privilege; avoid wildcards on Action and Resource.
  2. Restrict iam:PassRole to specific role ARNs and add conditions (e.g., iam:PassedToService) so a role can only be passed to the intended service.
  3. Disallow self-management of policies; enforce approvals and SCP guardrails.
  4. Use permission boundaries and session controls.
    • Apply permission boundaries to identities that create or modify roles; require MFA (aws:MultiFactorAuthPresent) and limit session duration and conditions in trust policies.
  5. Detect and prevent.
    • Enable AWS IAM Access Analyzer for external access findings; alert on CreatePolicyVersion, AttachUserPolicy, PassRole usage and trust policy updates (UpdateAssumeRolePolicy) in CloudTrail.
  6. Use Access Analyzer policy checks (e.g., validate-policy) to flag high-risk permission paths before policies are deployed.
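For remediation item 5, the following Python script is an added example (not the page's tooling) of the CloudTrail alerting described. It runs over a few constructed CloudTrail records (placeholder account 123456789012) and flags permission-changing IAM calls, a caller modifying its own user, AdministratorAccess attachments, trust-policy updates that add the caller itself, `*` or an account root as a principal, and service calls that carry a role ARN, which is where iam:PassRole is actually exercised since it has no eventName of its own. The event names and parameter names in the watch lists are assumptions to verify against your own trail.

```python
"""Flag CloudTrail records that match the IAM escalation paths on this page.
Added example, not the page's own tooling: the records are constructed samples
(placeholder account 123456789012) and the watch lists are assumed starting
points to tune against your own trail."""
import json

# IAM API calls that change who holds which permissions (assumed watch list).
WATCHED_EVENTS = {
    "CreatePolicyVersion", "SetDefaultPolicyVersion",
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
    "CreateAccessKey", "CreateLoginProfile",
}
SELF_TARGET_EVENTS = {"AttachUserPolicy", "PutUserPolicy",
                      "CreateAccessKey", "CreateLoginProfile"}
# iam:PassRole has no eventName of its own: it is exercised inside calls to
# other services that carry a role ARN in requestParameters. Assumed
# eventName -> parameter names; verify against your own trail.
PASSROLE_CARRIERS = {
    "RunInstances": ("iamInstanceProfile",),
    "CreateFunction20150331": ("role",),
    "CreateProject": ("serviceRole",),
    "CreateStack": ("roleARN",),
}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _caller(record):
    ident = record.get("userIdentity") or {}
    return ident.get("userName"), ident.get("arn", "")


def _principals(trust_doc):
    """Flatten every Principal value in a trust policy document."""
    out = []
    for stmt in trust_doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        values = ["*"] if principal == "*" else list(principal.values())
        for value in values:
            out.extend(value if isinstance(value, list) else [value])
    return out


def evaluate(record):
    """Reasons this record looks like an escalation step ([] when clean)."""
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    caller_name, caller_arn = _caller(record)
    reasons = []
    if name in WATCHED_EVENTS:
        reasons.append(f"permission-changing call {name}")
    if name in SELF_TARGET_EVENTS and params.get("userName") == caller_name:
        reasons.append("caller modified its own user")
    if params.get("policyArn") == ADMIN_POLICY:
        reasons.append("AdministratorAccess attached")
    if name == "UpdateAssumeRolePolicy":
        doc = params.get("policyDocument", "{}")
        doc = json.loads(doc) if isinstance(doc, str) else doc
        for p in _principals(doc):
            # Trusting the caller itself, anyone, or a whole account root is
            # the "trust policy to include self" path from the Description.
            if p in ("*", caller_arn) or p.endswith(":root"):
                reasons.append(f"trust policy now allows {p}")
    for key in PASSROLE_CARRIERS.get(name, ()):
        if key in params:
            reasons.append(f"role passed via {name}.{key}")
    return reasons


def detect(records):
    """Run evaluate() over a batch and keep only the records with findings."""
    findings = []
    for rec in records:
        reasons = evaluate(rec)
        if reasons:
            findings.append({"eventTime": rec.get("eventTime"),
                             "eventName": rec.get("eventName"),
                             "caller": _caller(rec)[1], "reasons": reasons})
    return findings


_DEV1 = {"type": "IAMUser", "userName": "dev1",
         "arn": "arn:aws:iam::123456789012:user/dev1"}
# Constructed sample records, trimmed to the fields the checks read.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": _DEV1,
     "requestParameters": {"userName": "dev1", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy", "userIdentity": _DEV1,
     "requestParameters": {"roleName": "prod-admin", "policyDocument": json.dumps(
         {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
          "Principal": {"AWS": _DEV1["arn"]}, "Action": "sts:AssumeRole"}]})}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331", "userIdentity": _DEV1,
     "requestParameters": {"functionName": "probe",
                           "role": "arn:aws:iam::123456789012:role/prod-admin"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userIdentity": _DEV1, "requestParameters": None},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Each record is one CloudTrail event JSON object, so the same functions can be pointed at the Records array of a trail file in S3 or at CloudTrailEvent payloads from lookup-events. The value of the PassRole carrier check is that a PassRole misuse never shows up as an IAM event; it shows up as an EC2, Lambda, CodeBuild or CloudFormation call whose parameters name a role the caller should not be able to hand out, so that call is what the alert has to key on.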