Put Inline Role Policy

critical

Privilege Escalation

An attacker with iam:PutRolePolicy can add an inline policy with admin permissions to any role they can assume.

Required Permissions

iam:PutRolePolicy

Description

This technique uses iam:PutRolePolicy to add an inline policy directly to an IAM role. Unlike managed policies, which exist as separate IAM resources and are attached by reference, inline policies are embedded in the role itself, and the caller writes their contents freely.

The attacker creates an inline policy granting full access (Action: *, Resource: *) and attaches it to a role they can assume. After assuming the role, they have administrative access.

This technique is particularly dangerous because inline policies are less visible than managed policies in security audits and are often overlooked in permission reviews.

Impact

Administrative access via the targeted role. All resources accessible to the role become compromised.

Detection

Monitor CloudTrail for PutRolePolicy events from iam.amazonaws.com. Alert on inline policy documents whose Allow statements contain wildcard actions or resources.
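The detection described above, as an added example that is not part of this attack library entry: a small scanner over CloudTrail records that picks out PutRolePolicy calls and flags inline policies whose Allow statements use a wildcard action (`*`, or `service:*`, a slight generalization of the rule above) or the wildcard resource `*`. It assumes the standard CloudTrail record layout (eventSource, eventName, requestParameters.roleName/policyName/policyDocument, with policyDocument stored as a URL-encoded JSON string); the sample records, account id and names are constructed for the example.

```python
import json
from urllib.parse import quote, unquote


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def decode_policy_document(raw):
    """CloudTrail stores requestParameters.policyDocument as a string of
    URL-encoded JSON; plain JSON and already-parsed dicts are accepted too."""
    if isinstance(raw, dict):
        return raw
    return json.loads(unquote(raw))


def wildcard_allow_statements(policy):
    """Yield (actions, resources) for each Allow statement that grants a
    wildcard action ('*' or 'service:*') or the wildcard resource '*'."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in resources
        if wild_action or wild_resource:
            yield actions, resources


def find_inline_policy_escalations(events):
    """Return one finding per PutRolePolicy event whose inline policy grants
    wildcard actions or resources, plus one per undecodable policy document."""
    findings = []
    for event in events:
        if (event.get("eventSource") != "iam.amazonaws.com"
                or event.get("eventName") != "PutRolePolicy"):
            continue
        params = event.get("requestParameters") or {}
        base = {
            "eventTime": event.get("eventTime"),
            "principal": (event.get("userIdentity") or {}).get("arn"),
            "roleName": params.get("roleName"),
            "policyName": params.get("policyName"),
        }
        try:
            policy = decode_policy_document(params.get("policyDocument", ""))
        except (ValueError, TypeError):
            # A document the parser cannot read is itself worth a look.
            findings.append({**base, "actions": [], "resources": [],
                             "reason": "policyDocument could not be parsed"})
            continue
        for actions, resources in wildcard_allow_statements(policy):
            findings.append({**base, "actions": actions, "resources": resources,
                             "reason": "wildcard action or resource in Allow statement"})
    return findings


def _encoded(policy):
    """Build a policyDocument string the way it appears in a CloudTrail record."""
    return quote(json.dumps(policy, separators=(",", ":")))


def _event(name, role, policy_name, document):
    """Constructed CloudTrail record carrying only the fields the detector reads."""
    return {
        "eventTime": "2024-01-01T00:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"},
        "requestParameters": {"roleName": role, "policyName": policy_name,
                              "policyDocument": document},
    }


# Constructed sample records: the account id, names and timestamps are made up.
SAMPLE_EVENTS = [
    _event("PutRolePolicy", "AppRole", "backdoor", _encoded({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})),
    _event("PutRolePolicy", "AppRole", "s3-read", _encoded({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::app-bucket/*"}]})),
    _event("PutRolePolicy", "AppRole", "iam-all", _encoded({
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "iam:*",
                      "Resource": "arn:aws:iam::123456789012:role/AppRole"}})),
    _event("GetRole", "AppRole", None, None),
    _event("PutRolePolicy", "AppRole", "broken", "not-json"),
]

if __name__ == "__main__":
    for finding in find_inline_policy_escalations(SAMPLE_EVENTS):
        print(finding)
</test>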

Mitigation

Restrict iam:PutRolePolicy to specific roles by scoping the Resource element to those role ARNs instead of *. Use SCPs to deny inline policy creation on sensitive roles. Apply permission boundaries.
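To show how the first two mitigations interact, here is an added example (not part of this entry): a deliberately simplified IAM decision function run against a constructed SCP that denies iam:PutRolePolicy on sensitive role ARNs and a constructed identity policy that scopes the same action to a deployer's own role ARNs. It models only explicit Deny and Allow with the * and ? wildcards IAM supports; Condition, NotAction/NotResource, permission boundaries and resource policies are left out, so it illustrates the mitigation rather than reproducing the real evaluation engine. The role names, account id and policy names are assumptions.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


# Baseline SCP found in most organizations: allow everything, so effective
# permissions come from identity policies plus explicit SCP denies.
SCP_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed SCP (assumed attached to the OU holding the account) that denies
# inline policy creation on roles whose names mark them as sensitive.
SCP_DENY_INLINE_ON_SENSITIVE_ROLES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInlinePolicyOnSensitiveRoles",
        "Effect": "Deny",
        "Action": "iam:PutRolePolicy",
        "Resource": [
            "arn:aws:iam::*:role/Admin*",
            "arn:aws:iam::*:role/OrganizationAccountAccessRole",
        ],
    }],
}

# Constructed identity policy for a deployment principal: PutRolePolicy is
# scoped to the role ARNs it owns instead of Resource "*".
DEPLOYER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:PutRolePolicy", "iam:DeleteRolePolicy"],
        "Resource": "arn:aws:iam::123456789012:role/app-*",
    }],
}

# The over-broad grant the entry warns about, kept for comparison.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _statement_matches(stmt, action, resource):
    """True when both the Action and Resource patterns of a statement cover the
    request. IAM's * and ? wildcards map directly onto fnmatchcase."""
    return (any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action")))
            and any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource"))))


def _has_effect(policies, effect, action, resource):
    return any(stmt.get("Effect") == effect and _statement_matches(stmt, action, resource)
               for policy in policies
               for stmt in _as_list(policy.get("Statement")))


def is_allowed(action, resource, scps, identity_policies):
    """Simplified same-account IAM decision: an explicit Deny in any SCP or
    identity policy wins; otherwise the request needs an Allow from the SCPs
    and an Allow from the identity policies."""
    if _has_effect(scps + identity_policies, "Deny", action, resource):
        return False
    return (_has_effect(scps, "Allow", action, resource)
            and _has_effect(identity_policies, "Allow", action, resource))


SCPS = [SCP_FULL_ACCESS, SCP_DENY_INLINE_ON_SENSITIVE_ROLES]
APP_ROLE = "arn:aws:iam::123456789012:role/app-api"
ADMIN_ROLE = "arn:aws:iam::123456789012:role/AdminRole"

if __name__ == "__main__":
    # Deployer may put inline policies on its own roles but not on AdminRole,
    # and even a full-admin identity policy cannot override the SCP deny.
    print(is_allowed("iam:PutRolePolicy", APP_ROLE, SCPS, [DEPLOYER_POLICY]))    # True
    print(is_allowed("iam:PutRolePolicy", ADMIN_ROLE, SCPS, [DEPLOYER_POLICY]))  # False
    print(is_allowed("iam:PutRolePolicy", ADMIN_ROLE, SCPS, [ADMIN_POLICY]))     # False
```

The third call is the one that matters for this technique: a principal who already holds Action * in the account still cannot attach an inline policy to the protected roles while the SCP deny is in place, which is why the SCP belongs at the organization level rather than in the account it protects.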