AWS Privilege Escalation Paths
IAM action sequences enabling users with limited permissions to gain elevated access within AWS accounts through policy misconfigurations.
AWS privilege escalation paths are sequences of IAM actions that allow a user or role with limited permissions to gain elevated access within an AWS account. These paths exploit the complex interaction between IAM policies, service roles, and resource-based policies to achieve unauthorized access to sensitive resources or administrative capabilities.
AWS privilege escalation exploits specific IAM permissions that enable self-elevation. Key escalation paths include: iam:CreatePolicyVersion allows modifying an existing policy to grant full admin access; iam:AttachUserPolicy enables attaching the AdministratorAccess policy to the current user; iam:PassRole combined with service creation permissions (like lambda:CreateFunction) allows creating resources that assume high-privilege roles; sts:AssumeRole with overly permissive trust policies enables accessing roles with greater permissions. Tools like Pacu automate the discovery and exploitation of these paths. Advanced techniques chain multiple permissions: creating a Lambda function with a privileged role, then invoking it to perform actions the original user could not directly execute.
IAM misconfiguration is the most common and impactful vulnerability in AWS environments. The combinatorial complexity of IAM policies means that individually reasonable permissions can create dangerous escalation paths when combined. Organizations with hundreds of IAM policies cannot manually assess all possible escalation combinations, so automated analysis and continuous monitoring of IAM configurations are essential.
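As an added illustration of the automated analysis called for above (example code written for this article, not a CDA or AWS tool), the following scanner checks IAM policy documents for the escalation-enabling action sets named in the previous paragraph. It honours IAM's case-insensitive `*` and `?` action wildcards and the single-value-or-list shape of `Statement` and `Action`; the sample policies and the account ID in them are constructed.

```python
import fnmatch
import json

# Action sets named in the article; every action in a tuple must be granted
# for the path to be flagged. Extend this table for your own environment.
ESCALATION_PATHS = {
    "iam:CreatePolicyVersion": ("iam:CreatePolicyVersion",),
    "iam:AttachUserPolicy": ("iam:AttachUserPolicy",),
    "iam:PassRole + lambda:CreateFunction": ("iam:PassRole", "lambda:CreateFunction"),
    "sts:AssumeRole": ("sts:AssumeRole",),
}

def _as_list(value):
    """IAM lets Statement and Action be a single value or a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def grants(policy, action):
    """True if any Allow statement's Action pattern matches `action`.
    IAM action names are case-insensitive and may use '*' and '?' wildcards.
    Deny statements, Resource and Condition are ignored on purpose: this is
    a triage heuristic for reviewers, not a re-implementation of the authorizer."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False

def find_escalation_paths(policy):
    """Return the names of the escalation paths a policy document fully enables."""
    return [name for name, actions in ESCALATION_PATHS.items()
            if all(grants(policy, a) for a in actions)]

def scan_policies(documents):
    """Map each policy name to its flagged paths (empty list means none found)."""
    return {name: find_escalation_paths(json.loads(doc)) for name, doc in documents.items()}

# Constructed sample policy documents; 111122223333 is a placeholder account ID.
SAMPLE_POLICIES = {
    "ReadOnly": '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:Get*","ec2:Describe*"],"Resource":"*"}}',
    "LambdaDeveloper": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"lambda:*","Resource":"*"},{"Effect":"Allow","Action":"iam:PassRole","Resource":"arn:aws:iam::111122223333:role/app-*"}]}',
    "IamWildcard": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"IAM:*","Resource":"*"}]}',
}

if __name__ == "__main__":
    for name, paths in scan_policies(SAMPLE_POLICIES).items():
        print(f"{name}: {', '.join(paths) or 'no known escalation path'}")
```

Note that `LambdaDeveloper` is flagged even though neither of its two statements looks dangerous on its own, which is the combinatorial problem the paragraph describes; a hit is a lead for review, since a Deny elsewhere or a Condition may still block the path.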
CDA covers AWS privilege escalation within the IAT and VSD domains. Theater missions include hands-on IAM exploitation scenarios. Our approach emphasizes that cloud identity management requires continuous assessment rather than point-in-time reviews, aligning with CDA's operational philosophy of active defense.
Written by CDA Editorial