iam:AddUserToGroup Privilege Escalation
iam:AddUserToGroup lets a principal add an IAM user to any group. If a privileged group exists (for example one with AdministratorAccess attached), the attacker adds their own user to it and inherits the group’s permissions.
Permissions an attacker needs
- iam:AddUserToGroup
- iam:ListGroups / iam:ListAttachedGroupPolicies (to enumerate)
How the escalation works
- The attacker enumerates groups and their attached policies to find a privileged group.
- They add their own user to that group.
- The user inherits the group’s permissions on the next call.
Example vulnerable policy
A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:AddUserToGroup",
"Resource": "*"
}
]
}
Example exploitation
For illustration only — run against accounts you own or are authorized to test.
aws iam add-user-to-group --group-name admins --user-name attacker
How to detect and prevent it
- Scope iam:AddUserToGroup to specific, non-privileged groups via resource ARNs.
- Apply a permissions boundary so group-inherited permissions cannot exceed it.
- Review which groups carry AdministratorAccess and who can modify membership.
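The following Python is an added example (not Shieldly's analyzer or any AWS code) that covers two of the points above: a static check that flags an Allow statement granting iam:AddUserToGroup on a wildcard resource (including grants that arrive via iam:* or NotAction), and a CloudTrail filter that raises a finding when AddUserToGroup targets a group on a privileged list, calling out the self-add case. The vulnerable policy mirrors the one shown above; the scoped policy, its account id, the group names and the CloudTrail record are constructed for the example.

```python
"""Added example: static and log-based checks for iam:AddUserToGroup risk."""
import fnmatch
import json

# Constructed: mirrors the vulnerable policy shown above.
VULNERABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:AddUserToGroup", "Resource": "*"}
    ],
}

# Constructed: the same grant scoped to one non-privileged group by ARN
# (account id is a placeholder).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:AddUserToGroup",
            "Resource": "arn:aws:iam::123456789012:group/developers",
        }
    ],
}

TARGET_ACTION = "iam:AddUserToGroup"


def _as_list(value):
    """IAM allows Action/Resource as a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def unscoped_add_user_to_group(policy):
    """Return indexes of Allow statements that grant iam:AddUserToGroup on a
    Resource containing a wildcard (so on more than one named group)."""
    hits = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction allows everything except the listed patterns.
            grants = not any(_action_matches(p, TARGET_ACTION)
                             for p in _as_list(stmt["NotAction"]))
        else:
            grants = any(_action_matches(p, TARGET_ACTION)
                         for p in _as_list(stmt.get("Action")))
        if grants and any("*" in r for r in _as_list(stmt.get("Resource"))):
            hits.append(idx)
    return hits


# Constructed CloudTrail record, trimmed to the fields this check reads.
SAMPLE_EVENT = json.loads("""{
  "eventSource": "iam.amazonaws.com",
  "eventName": "AddUserToGroup",
  "userIdentity": {"type": "IAMUser", "userName": "attacker"},
  "requestParameters": {"groupName": "admins", "userName": "attacker"}
}""")


def privileged_membership_change(event, privileged_groups):
    """Return a finding string when a CloudTrail event adds a user to one of
    the privileged groups, otherwise None. A principal adding itself is the
    pattern from this escalation and is labelled 'self-add'."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if event.get("eventName") != "AddUserToGroup":
        return None
    params = event.get("requestParameters") or {}
    group = params.get("groupName")
    if group not in privileged_groups:
        return None
    actor = (event.get("userIdentity") or {}).get("userName")
    target = params.get("userName")
    kind = "self-add" if actor == target else "add"
    return f"{kind}: {actor} added {target} to privileged group {group}"


if __name__ == "__main__":
    print("vulnerable:", unscoped_add_user_to_group(VULNERABLE_POLICY))
    print("scoped:", unscoped_add_user_to_group(SCOPED_POLICY))
    print(privileged_membership_change(SAMPLE_EVENT, {"admins"}))
```

The static check treats any wildcard in the Resource as a finding because the fix in the list above is a specific group ARN; a pattern such as `arn:aws:iam::123456789012:group/*` still covers the admin group. The privileged-group list fed to the CloudTrail check is the output of the review step (which groups carry AdministratorAccess), and the check does not depend on the principal's own permissions, so it still fires when the grant arrives through a policy the static check never saw.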
FAQ
Does removing admin groups help?
Reducing the number of highly privileged groups shrinks the blast radius, but the real fix is scoping the action and enforcing a permissions boundary so membership cannot grant more than intended.
Check your IAM policies for this — free
Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.