
Attach Admin Policy

critical

Privilege Escalation

An attacker with iam:AttachUserPolicy or iam:AttachRolePolicy can attach the AdministratorAccess managed policy to their own identity.

Required Permissions

iam:AttachUserPolicy
iam:AttachRolePolicy

Description

This technique uses iam:AttachUserPolicy or iam:AttachRolePolicy to attach a highly privileged managed policy (such as arn:aws:iam::aws:policy/AdministratorAccess) to the attacker's user or role.

The attack is straightforward: call AttachUserPolicy with the target user ARN and the AdministratorAccess policy ARN. The permissions take effect immediately.

This is commonly seen when developers are granted permission to manage policies for automation purposes but the permission is not scoped to specific policies.

Impact

Full administrative access. All resources in the account become accessible.

Detection

Monitor CloudTrail for AttachUserPolicy and AttachRolePolicy events. Alert when AdministratorAccess or another high-privilege managed policy is attached, and treat a principal attaching such a policy to its own user as especially suspicious.
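The detection described above, as an added example (not code from the attack library): it scans CloudTrail records for AttachUserPolicy and AttachRolePolicy calls whose policyArn is in a high-privilege list, marks self-attachment and failed attempts, and returns structured findings. The log records, the account number 123456789012, the user and role names and the IP address are all constructed for the example; the CloudTrail field names (eventSource, eventName, userIdentity, requestParameters, errorCode) are the real ones.

```python
"""Flag CloudTrail AttachUserPolicy / AttachRolePolicy events that attach
high-privilege managed policies. Added example; the log records below are
constructed, not real CloudTrail output."""
import json

# Managed policies whose attachment should page someone. Extend as needed.
HIGH_PRIVILEGE_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}
WATCHED_EVENTS = {"AttachUserPolicy", "AttachRolePolicy"}

# Constructed CloudTrail log file (account 123456789012 is a placeholder).
SAMPLE_LOG = json.dumps({"Records": [
    {   # an IAM user attaches AdministratorAccess to its own user
        "eventTime": "2024-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "dev-alice",
                         "arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {"userName": "dev-alice",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
    {   # a CI session attaches PowerUserAccess to a role
        "eventTime": "2024-05-01T10:16:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-run"},
        "requestParameters": {"roleName": "app-runtime",
                              "policyArn": "arn:aws:iam::aws:policy/PowerUserAccess"},
    },
    {   # benign: a read-only policy attached to a role, should not alert
        "eventTime": "2024-05-01T10:17:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-run"},
        "requestParameters": {"roleName": "app-runtime",
                              "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
    },
    {   # a blocked attempt: the same self-attach, denied by policy
        "eventTime": "2024-05-01T10:18:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "dev-bob",
                         "arn": "arn:aws:iam::123456789012:user/dev-bob"},
        "requestParameters": {"userName": "dev-bob",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: iam:AttachUserPolicy",
    },
]})


def load_records(text):
    """Parse one CloudTrail log file (a JSON object with a Records array)."""
    return json.loads(text)["Records"]


def analyze_event(record):
    """Return a finding for a high-privilege policy attachment, else None."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    if record.get("eventName") not in WATCHED_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    policy_arn = params.get("policyArn", "")
    if policy_arn not in HIGH_PRIVILEGE_POLICIES:
        return None
    actor = record.get("userIdentity") or {}
    target = params.get("userName") or params.get("roleName") or "unknown"
    # Self-escalation: an IAM user attaching the policy to its own user name.
    self_attach = (record["eventName"] == "AttachUserPolicy"
                   and actor.get("type") == "IAMUser"
                   and params.get("userName") == actor.get("userName"))
    return {
        "eventTime": record.get("eventTime"),
        "eventName": record["eventName"],
        "actor": actor.get("arn", "unknown"),
        "target": target,
        "policyArn": policy_arn,
        "selfAttach": self_attach,
        # A denied call still shows intent; CloudTrail records it with errorCode.
        "succeeded": "errorCode" not in record,
        "sourceIPAddress": record.get("sourceIPAddress"),
    }


def scan(records):
    """Run analyze_event over a record list and return all findings."""
    return [f for f in map(analyze_event, records) if f is not None]


if __name__ == "__main__":
    for finding in scan(load_records(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Failed attempts are kept as findings on purpose: an AccessDenied on AttachUserPolicy against one's own user is often the first visible sign of a compromised credential probing for escalation paths, and it is cheap to triage.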

Mitigation

Scope iam:AttachUserPolicy and iam:AttachRolePolicy to specific policy ARNs with a condition on the policy ARN, and restrict the target principals they may be used on. Apply permission boundaries to the identities that hold these permissions. Use SCPs to block attachment of administrator policies across the organization.
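The three mitigations above, written out as policy documents with a small evaluator that models the relevant part of IAM's decision logic. This is an added example, not code or policy from the attack library. The condition key iam:PolicyARN and the actions are real; the account number 123456789012, the /automation/ path, the role and user names and the boundary's action list are placeholders, and the evaluator deliberately covers only identity policies, SCPs, permission boundaries and the Arn*/String* equality operators (no resource-based or session policies).

```python
"""Scoped identity policy, permissions boundary and SCP that close off the
AttachUserPolicy / AttachRolePolicy escalation, plus a simplified IAM
evaluator to show their effect. Added example; account 123456789012 and the
/automation/ path are placeholders."""
from fnmatch import fnmatchcase

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ACCOUNT = "123456789012"

# 1. Identity policy: developers may attach only approved policies, and only
#    to roles under /automation/. iam:PolicyARN is the condition key IAM
#    exposes for Attach*/Detach*Policy calls.
SCOPED_ATTACH_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/automation/*",
    "Condition": {"ArnLike": {"iam:PolicyARN": [
        f"arn:aws:iam::{ACCOUNT}:policy/automation/*",
        "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    ]}},
}]}

# 2. Permissions boundary on the developer identity: effective permissions
#    are the intersection, so a broad policy attached later still cannot
#    reach outside this set.
DEVELOPER_BOUNDARY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:*", "lambda:*", "logs:*",
               "iam:AttachRolePolicy", "iam:DetachRolePolicy"],
    "Resource": "*",
}]}

# 3. SCP: no principal in the OU may attach AdministratorAccess at all,
#    whatever its identity policy says.
DENY_ADMIN_ATTACH_SCP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy"],
    "Resource": "*",
    "Condition": {"ArnEquals": {"iam:PolicyARN": ADMIN_POLICY}},
}]}

# The unscoped grant this page warns about, and what AdministratorAccess expands to.
BROAD_IAM = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
ADMIN_ACCESS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _matches(patterns, value):
    """IAM-style wildcard match (* and ?); accepts a string or a list."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition, context):
    """Evaluate the Arn*/String* (Not)Equals/Like operators used above.
    ArnEquals and ArnLike behave identically in IAM; a missing key fails a
    positive operator and satisfies a negative one, as in IAM."""
    for operator, keys in condition.items():
        if operator not in {"ArnEquals", "ArnLike", "ArnNotEquals", "ArnNotLike",
                            "StringEquals", "StringNotEquals"}:
            raise ValueError(f"operator {operator} is not modelled here")
        negate = "Not" in operator
        for key, patterns in keys.items():
            value = context.get(key)
            matched = value is not None and _matches(patterns, value)
            if matched == negate:
                return False
    return True


def _decision(doc, action, resource, context):
    """Deny / Allow / Implicit for one policy document."""
    effects = {s["Effect"] for s in doc["Statement"]
               if _matches(s["Action"], action) and _matches(s["Resource"], resource)
               and _condition_ok(s.get("Condition", {}), context)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "Implicit"


def evaluate_request(action, resource, identity_policy, scps=(), boundary=None, context=None):
    """Simplified IAM decision: an explicit Deny anywhere wins; otherwise the
    identity policy and the boundary (if present) must each Allow. Assumes the
    default FullAWSAccess SCP sits alongside the SCPs supplied here."""
    context = context or {}
    docs = [identity_policy, *scps] + ([boundary] if boundary else [])
    if any(_decision(d, action, resource, context) == "Deny" for d in docs):
        return "Deny"
    if _decision(identity_policy, action, resource, context) != "Allow":
        return "Deny"
    if boundary and _decision(boundary, action, resource, context) != "Allow":
        return "Deny"
    return "Allow"


def attach_decision(action, target_arn, policy_arn, identity_policy, scps=(), boundary=None):
    """Decision for one Attach*Policy call; iam:PolicyARN carries the policy."""
    return evaluate_request(action, target_arn, identity_policy, scps, boundary,
                            {"iam:PolicyARN": policy_arn})
```

The layering matters: the scoped identity policy removes the escalation for the developer who holds it, the SCP removes it for every principal in the OU including ones whose identity policies were written badly, and the boundary limits the damage if a high-privilege policy is attached anyway.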