IAM Privilege Escalation Detection

cloud-audit detects 25 IAM privilege escalation methods across 6 categories. This goes beyond static policy analysis -- it resolves actual escalation paths by combining IAM policies, trust relationships, and resource permissions.

How It Works

  1. Calls GetAccountAuthorizationDetails to pull all IAM policies, roles, users, and groups
  2. Resolves effective permissions per principal (inline + attached + group policies)
  3. Walks escalation paths: can this principal reach admin through any sequence of allowed actions?
  4. Reports each path with the specific escalation method and affected principal

No additional permissions beyond iam:GetAccountAuthorizationDetails and iam:SimulatePrincipalPolicy are required. The check is read-only.

Categories

1. IAM Self-Mutation (8 methods)

The principal can modify its own permissions to grant itself admin access.

  • iam:CreatePolicyVersion - create new version of an attached policy
  • iam:SetDefaultPolicyVersion - set a different policy version as default
  • iam:AttachUserPolicy - attach managed policy to self
  • iam:AttachRolePolicy - attach managed policy to a role
  • iam:AttachGroupPolicy - attach managed policy to own group
  • iam:PutUserPolicy - attach inline policy to self
  • iam:PutGroupPolicy - attach inline policy to a group the principal belongs to
  • iam:PutRolePolicy - attach inline policy to a role

2. Credential Access (4 methods)

The principal can obtain credentials for a more privileged identity.

  • iam:CreateAccessKey - create access keys for another user
  • iam:CreateLoginProfile - set console password for another user
  • iam:UpdateLoginProfile - reset another user's password
  • iam:AddUserToGroup - add self to a more privileged group

3. PassRole + Service (6 methods)

The principal can pass a privileged role to an AWS service that executes code.

  • PassRole + Lambda (lambda:CreateFunction + lambda:InvokeFunction)
  • PassRole + EC2 (ec2:RunInstances)
  • PassRole + ECS (ecs:RegisterTaskDefinition + ecs:RunTask)
  • PassRole + Glue (glue:CreateJob)
  • PassRole + CloudFormation (cloudformation:CreateStack)
  • PassRole + DataPipeline (datapipeline:CreatePipeline)

4. Lambda Code Modification (2 methods)

The principal can modify existing Lambda function code to inject commands.

  • lambda:UpdateFunctionCode - replace function code directly
  • lambda:UpdateFunctionConfiguration + layers - inject via Lambda layer

5. Trust Policy Abuse (1 method)

The principal can modify role trust policies to allow itself to assume privileged roles.

  • iam:UpdateAssumeRolePolicy - rewrite the trust policy

6. Permission Boundary Bypass (4 methods)

The principal can remove or modify permission boundaries that restrict its effective permissions.

  • iam:DeleteRolePermissionsBoundary - remove boundary from an assumed role
  • iam:DeleteUserPermissionsBoundary - remove own boundary
  • iam:PutRolePermissionsBoundary - replace role boundary with a permissive one
  • iam:PutUserPermissionsBoundary - replace own boundary with a permissive one
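As an added illustration of the four steps under How It Works and of the method catalogue above (example code written for this page, not cloud-audit's own implementation), the following Python resolves effective permissions for each user from a constructed document in the shape of GetAccountAuthorizationDetails output and flags which of the 25 methods each user can reach. The method table, the check ordering and the simplifications are this example's own assumptions: it covers users but not roles, ignores NotAction, Resource and Condition, and does no multi-step path search, whereas cloud-audit also draws on iam:SimulatePrincipalPolicy, trust relationships and resource permissions.

```python
"""Added example, not cloud-audit's own code: resolve effective permissions from a
GetAccountAuthorizationDetails-shaped document and flag the escalation methods listed
on this page. The account document is constructed and no AWS API is called."""
from fnmatch import fnmatchcase

# Methods that need one action (categories 1, 2, 4, 5 and 6 on the page).
SINGLE_ACTION_METHODS = [
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:AttachGroupPolicy", "iam:PutUserPolicy",
    "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
    "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AddUserToGroup",
    "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
    "iam:UpdateAssumeRolePolicy", "iam:DeleteRolePermissionsBoundary",
    "iam:DeleteUserPermissionsBoundary", "iam:PutRolePermissionsBoundary",
    "iam:PutUserPermissionsBoundary",
]
# Category 3: iam:PassRole plus the service actions that execute code.
PASSROLE_METHODS = {
    "PassRole + Lambda": ["lambda:CreateFunction", "lambda:InvokeFunction"],
    "PassRole + EC2": ["ec2:RunInstances"],
    "PassRole + ECS": ["ecs:RegisterTaskDefinition", "ecs:RunTask"],
    "PassRole + Glue": ["glue:CreateJob"],
    "PassRole + CloudFormation": ["cloudformation:CreateStack"],
    "PassRole + DataPipeline": ["datapipeline:CreatePipeline"],
}
ESCALATION_METHODS = {a: [a] for a in SINGLE_ACTION_METHODS}  # name -> actions needed
ESCALATION_METHODS.update({m: ["iam:PassRole"] + acts for m, acts in PASSROLE_METHODS.items()})

def _statements(doc):
    """Flatten a policy document into (Effect, [action patterns]) pairs.
    Simplification of this example: NotAction, Resource and Condition are ignored."""
    stmts = doc["Statement"] if isinstance(doc["Statement"], list) else [doc["Statement"]]
    return [(s["Effect"], s["Action"] if isinstance(s["Action"], list) else [s["Action"]])
            for s in stmts]

def _default_document(details, policy_arn):
    """Document of the default version of a managed policy: the version IAM
    actually enforces, which is why SetDefaultPolicyVersion is an escalation method."""
    for pol in details["Policies"]:
        if pol["Arn"] == policy_arn:
            return next(v["Document"] for v in pol["PolicyVersionList"] if v["IsDefaultVersion"])
    raise KeyError(policy_arn)

def effective_statements(user, details):
    """Step 2 on the page: inline + attached + group policies for one user."""
    groups = {g["GroupName"]: g for g in details["GroupDetailList"]}
    holders = [user] + [groups[name] for name in user.get("GroupList", [])]
    stmts = []
    for holder in holders:
        for pol in holder.get("UserPolicyList", []) + holder.get("GroupPolicyList", []):
            stmts += _statements(pol["PolicyDocument"])
        for att in holder.get("AttachedManagedPolicies", []):
            stmts += _statements(_default_document(details, att["PolicyArn"]))
    return stmts

def is_allowed(stmts, action):
    """IAM-style action matching: case-insensitive, '*' and '?' wildcards,
    and an explicit Deny beats any Allow."""
    wanted, allowed, denied = action.lower(), False, False
    for effect, patterns in stmts:
        if any(fnmatchcase(wanted, p.lower()) for p in patterns):
            allowed |= effect == "Allow"
            denied |= effect == "Deny"
    return allowed and not denied

def find_escalations(details):
    """Steps 3 and 4: map each user ARN to the escalation methods it can use."""
    findings = {}
    for user in details["UserDetailList"]:
        stmts = effective_statements(user, details)
        hits = [m for m, acts in ESCALATION_METHODS.items()
                if all(is_allowed(stmts, a) for a in acts)]
        if hits:
            findings[user["Arn"]] = hits
    return findings

# Constructed sample in the shape of GetAccountAuthorizationDetails output.
DEPLOY_ARN = "arn:aws:iam::123456789012:policy/DeployPolicy"
SAMPLE = {
    "Policies": [{"Arn": DEPLOY_ARN, "PolicyVersionList": [
        {"IsDefaultVersion": False, "Document": {"Statement":
            {"Effect": "Allow", "Action": "*", "Resource": "*"}}},
        {"IsDefaultVersion": True, "Document": {"Statement": [
            {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"},
            {"Effect": "Deny", "Action": "lambda:UpdateFunction*", "Resource": "*"}]}}]}],
    "GroupDetailList": [{"GroupName": "developers", "AttachedManagedPolicies": [],
        "GroupPolicyList": [{"PolicyName": "versions", "PolicyDocument": {"Statement":
            {"Effect": "Allow", "Action": "iam:CreatePolicyVersion", "Resource": "*"}}}]}],
    "UserDetailList": [
        {"Arn": "arn:aws:iam::123456789012:user/alice", "UserPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyArn": DEPLOY_ARN}], "GroupList": ["developers"]},
        {"Arn": "arn:aws:iam::123456789012:user/bob", "GroupList": [], "AttachedManagedPolicies": [],
         "UserPolicyList": [{"PolicyName": "ro", "PolicyDocument": {"Statement":
            {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}}}]}],
}

if __name__ == "__main__":
    for arn, methods in find_escalations(SAMPLE).items():
        print(arn, "->", ", ".join(methods))
```

On the constructed sample, alice is flagged for iam:CreatePolicyVersion (inherited from her group) and for PassRole + Lambda (the attached policy's default version), while the Deny on lambda:UpdateFunction* keeps the two Lambda code-modification methods off her list; bob has only s3:Get* and is not reported. The non-default version of DeployPolicy grants `*` and is deliberately not counted, because only the default version is enforced, which is the reason iam:SetDefaultPolicyVersion is itself on the page's list.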

Attack Chain Integration

Escalation paths feed into three attack chains:

Chain   Description
AC-34   PassRole Escalation to Admin
AC-35   Self-Escalation via IAM Policy Modification
AC-36   External Escalation via OIDC + Privilege Escalation

When an escalation path is detected, it is reported as check aws-iam-018 and also triggers the relevant attack chain if the prerequisite conditions are met.

CLI

cloud-audit scan                          # includes escalation detection
cloud-audit list-checks --id aws-iam-018  # show check details

Escalation findings include the principal ARN, the escalation method, and the target privilege level in the finding details.