
IAM Privilege Escalation

A technique where an attacker with limited AWS IAM permissions exploits misconfigurations to gain higher-level access, often reaching administrative privileges.

IAM privilege escalation occurs when an attacker leverages overly permissive IAM policies, misconfigured trust relationships, or dangerous permission combinations to elevate their access level within an AWS account.

Common privilege escalation vectors include:

- **iam:CreatePolicyVersion** — Creating a new policy version with admin permissions and setting it as default
- **iam:AttachUserPolicy / iam:AttachRolePolicy** — Attaching a managed admin policy to the attacker's user or role
- **iam:PutUserPolicy / iam:PutRolePolicy** — Adding an inline policy granting full access
- **iam:CreateLoginProfile / iam:UpdateLoginProfile** — Creating or changing console credentials for another user
- **iam:CreateAccessKey** — Creating access keys for a more privileged user
- **iam:PassRole + lambda:CreateFunction** — Passing a privileged role to a new Lambda function and invoking it
- **iam:PassRole + ec2:RunInstances** — Launching an EC2 instance with a privileged instance profile
- **sts:AssumeRole** — Assuming a cross-account or same-account role with higher privileges

The blast radius of a single privilege escalation path can be enormous. A user with just two or three seemingly innocuous permissions can sometimes chain them to reach full administrative access.
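As an added example (not part of this glossary entry or of hackaws.cloud's own tooling), a resource-blind Python check that flags which of the vectors listed above a single IAM policy document grants, handling IAM's `*`/`?` action wildcards and case-insensitive matching; the sample policy, the account id and the function names are constructed for illustration.

```python
import re
# Vectors from the glossary list above: single actions plus the two iam:PassRole chains.
SINGLE_ACTION_VECTORS = [
    "iam:CreatePolicyVersion", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile", "iam:CreateAccessKey", "sts:AssumeRole",
]
ESCALATION_VECTORS = {a: {a} for a in SINGLE_ACTION_VECTORS}
ESCALATION_VECTORS["iam:PassRole + lambda:CreateFunction"] = {
    "iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"}
ESCALATION_VECTORS["iam:PassRole + ec2:RunInstances"] = {"iam:PassRole", "ec2:RunInstances"}

def _pattern_to_regex(pattern):
    # IAM action matching: case-insensitive, '*' = any run of characters, '?' = one.
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def allowed_action_patterns(policy):
    # Action patterns from Allow statements only. Resource and Condition scoping
    # (and explicit Deny) are ignored, so hits are candidates to review, not proof.
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return [_pattern_to_regex(p) for p in patterns]

def find_escalation_vectors(policy):
    # Names of every vector whose required actions are all allowed by the policy.
    allowed = allowed_action_patterns(policy)
    def permitted(action):
        return any(rx.match(action) for rx in allowed)
    return [name for name, needed in ESCALATION_VECTORS.items()
            if all(permitted(a) for a in needed)]

# Constructed sample policy (not from a real account). The CreateAccessKey grant
# is scoped to the caller's own user, yet this resource-blind check still flags it.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateAccessKey",
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
    ],
}
```

Because the check ignores `Resource` and `Condition`, every hit still needs a manual look at what the grant is scoped to; a self-service `iam:CreateAccessKey` limited to `${aws:username}` is flagged here but is not an escalation path on its own.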

Detecting these paths requires understanding the full graph of IAM relationships — which is exactly what hackaws.cloud automates.