AWS IAM Privilege Escalation: Methods, Examples, and Fixes

Privilege escalation in AWS IAM happens when a principal has just enough permission to grant itself more. The paths below are the most common ones — each turns a single narrowly scoped permission into administrator-level access. Every method has a dedicated page with an example vulnerable policy, an illustration of the attack, and the fix.

Want to know if your policies contain any of these? Paste a policy into the free AI-Powered IAM analyzer — no signup, no AWS credentials.

New to the terminology? The AWS IAM glossary defines trust policies, permissions boundaries, condition keys, and the other concepts these escalations rely on.

Escalation methods

Permission(s)                                     Severity   Page
iam:CreatePolicyVersion                           Critical   iam:CreatePolicyVersion Privilege Escalation
iam:SetDefaultPolicyVersion                       High       iam:SetDefaultPolicyVersion Privilege Escalation
iam:AttachUserPolicy                              Critical   iam:AttachUserPolicy Privilege Escalation
iam:PutUserPolicy                                 Critical   iam:PutUserPolicy Privilege Escalation
iam:AddUserToGroup                                High       iam:AddUserToGroup Privilege Escalation
iam:CreateAccessKey                               High       iam:CreateAccessKey Privilege Escalation
iam:CreateLoginProfile / iam:UpdateLoginProfile   High       iam:CreateLoginProfile and UpdateLoginProfile Privilege Escalation
iam:PassRole + lambda:CreateFunction              Critical   iam:PassRole + Lambda Privilege Escalation
iam:PassRole + ec2:RunInstances                   Critical   iam:PassRole + EC2 RunInstances Privilege Escalation
iam:UpdateAssumeRolePolicy + sts:AssumeRole       Critical   iam:UpdateAssumeRolePolicy Privilege Escalation

Scan your IAM policies free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.