AWS privilege escalation paths are sequences of IAM actions that allow a user or role with limited permissions to gain elevated access within an AWS account. These paths exploit the complex interaction between IAM policies, service roles, and resource-based policies to achieve unauthorized access to sensitive resources or administrative capabilities.
AWS privilege escalation abuses specific IAM permissions that enable a principal to elevate itself. Key escalation paths include: iam:CreatePolicyVersion allows modifying an existing managed policy so that its new default version grants full administrative access; iam:AttachUserPolicy enables attaching the AdministratorAccess policy to the current user; iam:PassRole combined with a service-creation permission (such as lambda:CreateFunction) allows creating a resource that runs under a higher-privilege role; sts:AssumeRole against a role with an overly permissive trust policy grants access to that role's broader permissions. Tools like Pacu automate the discovery and exploitation of these paths. Advanced techniques chain multiple permissions: creating a Lambda function with a privileged role, then invoking it to perform actions the original user could not execute directly.
IAM misconfiguration is the most common and impactful vulnerability in AWS environments. The combinatorial complexity of IAM policies means that individually reasonable permissions can create dangerous escalation paths when combined. Organizations with hundreds of IAM policies cannot manually assess every possible escalation combination. Automated analysis and continuous monitoring of IAM configurations are therefore essential.
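The following is an added example, not code from the original page or from CDA, showing the kind of automated check the preceding paragraphs call for: it takes the JSON policy documents attached to one principal and reports which of the escalation paths listed above (iam:CreatePolicyVersion, iam:AttachUserPolicy, iam:PassRole plus lambda:CreateFunction, sts:AssumeRole) the effective permissions enable. The path names in ESCALATION_PATHS and the sample policies are constructed for this example; the matcher applies IAM's wildcard and explicit-deny rules to actions only and ignores Resource and Condition, so it deliberately over-reports and is a triage aid, not a substitute for the IAM policy simulator.

```python
import fnmatch
import json

# Permission sets that enable each escalation path named on the page.
# Every action in a set must be allowed for that path to be flagged.
# Path labels are this example's own, not an AWS or CDA naming scheme.
ESCALATION_PATHS = {
    "modify-existing-policy": {"iam:CreatePolicyVersion"},
    "attach-admin-policy-to-self": {"iam:AttachUserPolicy"},
    "passrole-to-lambda": {"iam:PassRole", "lambda:CreateFunction"},
    "assume-role": {"sts:AssumeRole"},
}


def _as_list(value):
    """IAM allows Statement/Action to be a single value or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def parse_policy(text):
    """Parse a policy document given as a JSON string."""
    return json.loads(text)


def _classify(policy_document, candidates):
    """Return (allowed, denied) subsets of `candidates` for one policy document."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy_document.get("Statement")):
        effect = stmt.get("Effect")
        if effect == "Allow":
            bucket = allowed
        elif effect == "Deny":
            bucket = denied
        else:
            continue  # malformed statement; ignore rather than guess
        patterns = _as_list(stmt.get("Action"))
        for cand in candidates:
            if any(_action_matches(p, cand) for p in patterns):
                bucket.add(cand)
    return allowed, denied


def effective_actions(policy_documents, candidates):
    """Actions allowed by at least one policy and explicitly denied by none.

    Mirrors IAM evaluation at the action level: an explicit Deny anywhere
    (inline policy, managed policy, permissions boundary, SCP) wins over Allow.
    """
    allowed, denied = set(), set()
    for doc in policy_documents:
        a, d = _classify(doc, candidates)
        allowed |= a
        denied |= d
    return allowed - denied


def find_escalation_paths(policy_documents):
    """Names of escalation paths whose required actions are all effectively allowed."""
    candidates = set().union(*ESCALATION_PATHS.values())
    effective = effective_actions(policy_documents, candidates)
    return sorted(name for name, needed in ESCALATION_PATHS.items() if needed <= effective)


# Constructed sample policies (not from any real account).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "logs:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/lambda-*"},
    ],
}
# A guardrail (e.g. permissions boundary or SCP) that removes the PassRole half of the chain.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}],
}
# Read-only IAM access: wildcard that must NOT match the write actions above.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:Get*", "Resource": "*"},
}

if __name__ == "__main__":
    for label, docs in [("developer", [DEVELOPER_POLICY]),
                        ("developer+guardrail", [DEVELOPER_POLICY, GUARDRAIL_POLICY]),
                        ("read-only", [READ_ONLY_POLICY])]:
        print(f"{label}: {find_escalation_paths(docs) or 'no escalation paths found'}")
```

In practice the policy documents would be pulled per principal (inline policies, attached managed policies, group policies, permissions boundary and applicable SCPs) and the check run on a schedule, so a newly attached policy that completes a chain such as iam:PassRole plus lambda:CreateFunction is flagged at the next run rather than at the next annual review.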
CDA covers AWS privilege escalation within the IAT and VSD domains. Theater missions include hands-on IAM exploitation scenarios. Our approach emphasizes that cloud identity management requires continuous assessment rather than point-in-time reviews, aligning with CDA's operational philosophy of active defense.