Severity: Critical

iam:AttachGroupPolicy Privilege Escalation

iam:AttachGroupPolicy attaches any managed policy, AWS-managed or customer-managed, to an IAM group. An attacker who holds it attaches AdministratorAccess to a group they already belong to, and every member of that group, their own user included, receives administrator permissions. No permission to change group membership is needed; being in the target group is enough.

Permissions an attacker needs

  • iam:AttachGroupPolicy

How the escalation works

  • The attacker confirms which group their IAM user is a member of (iam:ListGroupsForUser makes this trivial, but it is not required if the group name is already known).
  • They attach the AWS-managed AdministratorAccess policy to that group. Any policy with equivalent permissions works; the only obstacle is the quota on managed policies per group (10 by default), which makes the call fail with LimitExceeded if the group is already full.
  • Their user, together with every other member of the group, now has administrator permissions. IAM is eventually consistent, so the change can take a few seconds to propagate, but the attacker needs no further action. A permissions boundary on the attacker's user or a service control policy on the account still caps what the new policy grants.

Example vulnerable policy

A policy like this grants the dangerous permission; so does any broader Allow that matches it, such as iam:*, iam:Attach*, or a NotAction that does not exclude iam:AttachGroupPolicy. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:AttachGroupPolicy",
      "Resource": "*"
    }
  ]
}
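As an added example (not Shieldly's analyzer and not code from this page), the Python check below flags the pattern above in a policy document: an Allow that reaches iam:AttachGroupPolicy directly or through a wildcard such as iam:* or a NotAction, on any group or without an iam:PolicyARN condition. The contrasting sample, a statement scoped to one group and one approved policy ARN, is the form the prevention section below recommends; its account ID, group name and policy name are hypothetical.

```python
import fnmatch
import json

# Constructed sample: the vulnerable policy shown on this page.
VULNERABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:AttachGroupPolicy", "Resource": "*"}
    ],
}

# Constructed sample: the same capability scoped to one group and one approved
# policy through the iam:PolicyARN condition key. Account ID, group name and
# policy name are hypothetical.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:AttachGroupPolicy",
            "Resource": "arn:aws:iam::123456789012:group/developers",
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyARN": "arn:aws:iam::123456789012:policy/DeveloperReadOnly"
                }
            },
        }
    ],
}

TARGET_ACTION = "iam:attachgrouppolicy"


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action, Resource and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_target(statement):
    """True if the statement's Action/NotAction covers iam:AttachGroupPolicy.

    IAM action names are case-insensitive and support the * and ? wildcards,
    so 'iam:*', 'iam:Attach*' and '*' all match; NotAction grants everything
    except the listed actions.
    """
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(TARGET_ACTION, a.lower()) for a in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(fnmatch.fnmatchcase(TARGET_ACTION, a.lower()) for a in _as_list(statement["NotAction"]))
    return False


def _restricts_policy_arn(statement):
    """True if a positive condition pins iam:PolicyARN to concrete values."""
    for operator, pairs in (statement.get("Condition") or {}).items():
        op = operator.lower()
        # Negated operators (ArnNotEquals, StringNotLike, ...) exclude values
        # rather than allow-listing them, so they do not count as a restriction.
        if not op.startswith(("arnequals", "arnlike", "stringequals", "stringlike")):
            continue
        for key, values in pairs.items():
            if key.lower() == "iam:policyarn" and all(v != "*" for v in _as_list(values)):
                return True
    return False


def find_attach_group_policy_risks(policy):
    """Return one finding per Allow statement that grants iam:AttachGroupPolicy
    on any group or without an iam:PolicyARN allow-list."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _allows_target(stmt):
            continue
        resources = _as_list(stmt.get("Resource"))
        # NotResource inverts the match, so treat it as "any group" as well.
        any_group = "NotResource" in stmt or any(
            r == "*" or r.endswith("group/*") for r in resources
        )
        any_policy = not _restricts_policy_arn(stmt)
        if any_group or any_policy:
            findings.append(
                {"statement_index": index, "any_group": any_group, "any_policy_arn": any_policy}
            )
    return findings


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(find_attach_group_policy_risks(policy)))
```

The check reports two separate weaknesses per statement, because either one alone is enough to matter: a wildcard group target lets the attacker pick whichever group they sit in, and a missing iam:PolicyARN condition lets them pick AdministratorAccess. Only a statement that closes both, as the scoped sample does, produces no finding.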

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

aws iam attach-group-policy \
  --group-name developers \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

How to detect and prevent it

  • Scope iam:AttachGroupPolicy to specific group ARNs and add an iam:PolicyARN condition (ArnEquals or ArnLike) that allows only approved policy ARNs; a Resource of * with no condition is the vulnerable pattern.
  • Put permissions boundaries on the users (and roles) who could inherit the group policy. Boundaries attach to users and roles, not to groups, and a user's boundary caps their effective permissions regardless of what is attached to their groups, so AdministratorAccess attached to the group grants nothing beyond the boundary. Service control policies cap the whole account the same way.
  • Alert on the CloudTrail AttachGroupPolicy event (eventSource iam.amazonaws.com). Its requestParameters carry the groupName and policyArn, so flag attachments of AdministratorAccess or of any policy not on an approved list, escalate when the caller is a member of the target group, and keep alerting on AccessDenied attempts, which indicate probing.
  • Treat group-policy management as an administrator-equivalent capability and restrict it accordingly.
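For the detection half of this section, here is an added Python example that is not part of this page or of Shieldly's tooling. It reads CloudTrail records, which name the target group and policy in requestParameters, and flags AttachGroupPolicy calls that attach AdministratorAccess or an unapproved policy, or in which the caller is a member of the group being modified (the self-escalation described above). Failed attempts are reported too. The approved-policy list, the group-membership snapshot and the sample records (account ID, user names, IP addresses, timestamps) are all constructed for the example.

```python
import json

# Hypothetical allow-list: policies that may legitimately be attached to groups.
APPROVED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::123456789012:policy/DeveloperReadOnly",
}

# Hypothetical group-membership snapshot (in practice built from iam:GetGroup
# or an inventory tool); used to recognise an actor escalating their own group.
GROUP_MEMBERS = {"developers": {"alice", "bob"}, "auditors": {"carol"}}

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed CloudTrail records, trimmed to the fields the detection reads.
# Account ID, names, addresses and times are hypothetical.
SAMPLE_EVENTS = [
    {   # alice attaches AdministratorAccess to her own group: the escalation on this page
        "eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy",
        "eventTime": "2024-05-01T10:00:00Z", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"groupName": "developers", "policyArn": ADMIN_POLICY_ARN},
    },
    {   # routine change by a deployment user, approved policy, not a group member
        "eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy",
        "eventTime": "2024-05-01T10:05:00Z", "sourceIPAddress": "198.51.100.4",
        "userIdentity": {"type": "IAMUser", "userName": "iam-deployer"},
        "requestParameters": {"groupName": "auditors",
                              "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
    },
    {   # bob tried the same escalation and was denied; still worth an alert
        "eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy",
        "eventTime": "2024-05-01T10:07:00Z", "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {"groupName": "developers", "policyArn": ADMIN_POLICY_ARN},
        "errorCode": "AccessDenied",
    },
    {   # unrelated IAM read, ignored by the detection
        "eventSource": "iam.amazonaws.com", "eventName": "ListGroupsForUser",
        "eventTime": "2024-05-01T10:08:00Z", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "alice"},
    },
]


def detect_group_policy_attachment(event, approved=APPROVED_POLICY_ARNS, members=GROUP_MEMBERS):
    """Return a finding dict for a suspicious AttachGroupPolicy record, else None.

    Failed calls (errorCode present) are still reported: an AccessDenied on this
    API is a strong signal that someone is probing for the escalation.
    """
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("eventName") != "AttachGroupPolicy":
        return None
    params = event.get("requestParameters") or {}
    group = params.get("groupName")
    policy_arn = params.get("policyArn")
    actor = (event.get("userIdentity") or {}).get("userName")

    unapproved = policy_arn not in approved
    self_escalation = bool(actor) and actor in members.get(group, set())
    reasons = []
    if policy_arn == ADMIN_POLICY_ARN:
        reasons.append("AdministratorAccess attached to a group")
    if unapproved:
        reasons.append("policy not on the approved list")
    if self_escalation:
        reasons.append("caller is a member of the target group (self-escalation)")
    if not reasons:
        return None

    # Admin attached anywhere, or an unapproved policy attached to one's own group, is critical.
    critical = policy_arn == ADMIN_POLICY_ARN or (unapproved and self_escalation)
    return {
        "severity": "critical" if critical else "high",
        "succeeded": "errorCode" not in event,
        "actor": actor,
        "group": group,
        "policy_arn": policy_arn,
        "source_ip": event.get("sourceIPAddress"),
        "event_time": event.get("eventTime"),
        "reasons": reasons,
    }


def scan(events, **kwargs):
    """Run the detection over an iterable of CloudTrail records and keep the findings."""
    return [f for f in (detect_group_policy_attachment(e, **kwargs) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Against the constructed records this produces two findings, both critical: alice's successful attachment and bob's denied attempt. The approved ReadOnlyAccess attachment by a non-member produces nothing, while the same approved policy attached by a member of the target group is reported at high severity, since membership alone is a weaker signal than an unapproved or administrative policy.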

FAQ

Why is attaching to a group as dangerous as attaching to a user?

Group membership propagates permissions to every member. If the attacker belongs to the group, attaching AdministratorAccess to the group escalates their own user as soon as the change propagates, and every other member along with it, so the blast radius is larger than when a policy is attached to a single user.


Check your IAM policies for this — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.