AWS IAM privilege escalation: iam:AttachRolePolicy (severity: Critical)

iam:AttachRolePolicy Privilege Escalation

iam:AttachRolePolicy lets its holder attach any managed policy to an IAM role. If the attacker can also assume the target role (directly via sts:AssumeRole, or through a service they control that runs as the role), they attach AdministratorAccess to it and then operate with full permissions.

Permissions an attacker needs

  • iam:AttachRolePolicy
  • sts:AssumeRole

How the escalation works

  • The attacker identifies a role they can assume — or one used by a service they can trigger.
  • They attach the AWS-managed AdministratorAccess policy to that role.
  • They assume the role (or invoke the service) and act as an administrator.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:AttachRolePolicy",
      "Resource": "*"
    }
  ]
}

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

aws iam attach-role-policy \
  --role-name assumable-role \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws sts assume-role --role-arn arn:aws:iam::ACCOUNT:role/assumable-role --role-session-name esc

How to detect and prevent it

  • Restrict iam:AttachRolePolicy to specific roles and add an iam:PolicyARN condition limiting which policies can be attached.
  • Apply a permissions boundary to every role so an attached admin policy cannot exceed the boundary.
  • Tighten role trust policies — escalation requires the ability to assume the role, so a narrow trust policy reduces the blast radius.
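The first mitigation above as a policy-document check, added here as an example (not Shieldly's own analyzer code): it walks a policy's Allow statements and reports any that grant iam:AttachRolePolicy on every role or without an iam:PolicyARN condition, using the page's vulnerable policy and a constructed hardened variant (placeholder account id 123456789012, placeholder name prefix app-) as sample input.

```python
"""Flag Allow statements that grant iam:AttachRolePolicy on any role ("*")
or without an iam:PolicyARN condition, the two guardrails listed above."""
import fnmatch
import json

# Constructed sample inputs: the vulnerable policy from this page and a
# hardened variant (account id and "app-" prefix are placeholders).
VULNERABLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:AttachRolePolicy", "Resource": "*"}],
})
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:AttachRolePolicy",
        "Resource": "arn:aws:iam::123456789012:role/app-*",
        "Condition": {"ArnLike": {"iam:PolicyARN": "arn:aws:iam::123456789012:policy/app-*"}},
    }],
})

def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _grants(pattern, action):
    """Action names match case-insensitively and may use wildcards (iam:*, *)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def find_unguarded_attach(policy_json):
    """Return [(statement_index, [problem, ...])] for each Allow statement that can
    attach a managed policy to a role without both guardrails (NotAction/NotResource
    statements are out of scope for this check)."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_grants(a, "iam:AttachRolePolicy") for a in _as_list(stmt.get("Action", []))):
            continue
        problems = []
        if "*" in _as_list(stmt.get("Resource", [])):
            problems.append("Resource is '*' (any role)")
        # Condition is {operator: {key: value}}; compare keys case-insensitively.
        condition_keys = [k.lower() for keys in stmt.get("Condition", {}).values() for k in keys]
        if "iam:policyarn" not in condition_keys:
            problems.append("no iam:PolicyARN condition")
        if problems:
            findings.append((idx, problems))
    return findings
```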

FAQ

Is iam:AttachRolePolicy alone enough to escalate?

Only if the attacker can also use the role — by assuming it or triggering a service that runs as it. Pair the permission audit with a review of which roles are assumable; Shieldly flags both.

Check your IAM policies for this — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.