Severity: Critical

iam:AttachUserPolicy Privilege Escalation

iam:AttachUserPolicy lets a principal attach any managed policy to an IAM user. If the attacker can target their own user, they simply attach AdministratorAccess to themselves and gain full control of the account.

Permissions an attacker needs

  • iam:AttachUserPolicy

How the escalation works

  • The attacker confirms which IAM user their credentials map to.
  • They attach the AWS-managed AdministratorAccess policy to that user.
  • On the next API call the user has administrator permissions.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:AttachUserPolicy",
      "Resource": "*"
    }
  ]
}

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

aws iam attach-user-policy \
  --user-name attacker \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

How to detect and prevent it

  • Restrict iam:AttachUserPolicy to specific users and add a condition limiting which policy ARNs can be attached (iam:PolicyARN).
  • Apply a permissions boundary so an attached admin policy cannot exceed the boundary.
  • Treat any self-service permission-granting capability as administrator-equivalent and gate it accordingly.
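To go with the detection half of the list above, here is an added example (not Shieldly's or AWS's code) of a CloudTrail rule that flags an AttachUserPolicy call where the caller's own IAM user is the target, or where the attached policy is administrator-equivalent. The field names match the real CloudTrail event shape for this API; the records and the usernames are constructed sample data, and the high-risk ARN set is an assumption you would extend with your own customer-managed admin policies.

```python
"""Detect self-granting iam:AttachUserPolicy calls in CloudTrail records.

Added example for this page, not Shieldly's or AWS's code. The events
below are constructed sample data (newline-delimited JSON), not real logs.
"""
import json

# Assumption: policies whose attachment should always raise an alert.
HIGH_RISK_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}

# Constructed CloudTrail records: a self-attach of AdministratorAccess,
# a benign delegated attach of ReadOnlyAccess, and an unrelated S3 call.
SAMPLE_EVENTS = [
    json.dumps({
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "attacker"},
        "requestParameters": {
            "userName": "attacker",
            "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess",
        },
    }),
    json.dumps({
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "iam-admin"},
        "requestParameters": {
            "userName": "new-hire",
            "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess",
        },
    }),
    json.dumps({
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "userName": "attacker"},
        "requestParameters": {"bucketName": "example-bucket", "key": "obj"},
    }),
]


def caller_name(identity):
    """Best-effort principal name: userName for IAM users, session name for assumed roles."""
    if identity.get("type") == "IAMUser":
        return identity.get("userName")
    # For AssumedRole the session name is the last path segment of the ARN.
    arn = identity.get("arn", "")
    return arn.rsplit("/", 1)[-1] if arn else None


def analyze_event(record):
    """Return finding strings for one CloudTrail record (empty list if benign)."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return []
    if record.get("eventName") != "AttachUserPolicy":
        return []
    params = record.get("requestParameters") or {}
    target = params.get("userName")
    policy_arn = params.get("policyArn")
    actor = caller_name(record.get("userIdentity", {}))
    findings = []
    # Self-grant: the caller is attaching a policy to its own user.
    if actor and target and actor == target:
        findings.append(f"SELF_ATTACH: {actor} attached {policy_arn} to itself")
    # Admin-equivalent policy attached to anyone.
    if policy_arn in HIGH_RISK_POLICY_ARNS:
        findings.append(f"HIGH_RISK_POLICY: {policy_arn} attached to {target} by {actor}")
    return findings


def scan(lines):
    """Run analyze_event over newline-delimited JSON records; return all findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        findings.extend(analyze_event(record))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The self-attach check is the one that catches this escalation specifically; the high-risk ARN check is broader and also fires on legitimate admin work, so tune it to your change process before wiring it to a pager.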

FAQ

Can I limit which policies can be attached?

Yes. Use the iam:PolicyARN condition key to allow only an approved list of policy ARNs, which prevents attaching AdministratorAccess.
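An added example (not Shieldly's analyzer and not AWS code) that shows the page's vulnerable policy beside a hardened version using the iam:PolicyARN condition the FAQ describes, together with a small linter that flags Allow statements granting iam:AttachUserPolicy without both a scoped Resource and that condition. The account id, user path and approved policy ARNs in the hardened policy are placeholders.

```python
"""Lint IAM policy documents for unconstrained iam:AttachUserPolicy.

Added example for this page, not Shieldly's or AWS's code. Policies are
standard IAM JSON documents; the account id and ARNs are placeholders.
"""
import fnmatch
import json

# Constructed: the vulnerable policy from the page.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:AttachUserPolicy", "Resource": "*"}
  ]
}""")

# Constructed: the same permission limited to one user path and to an
# approved list of policy ARNs via the iam:PolicyARN condition key.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:AttachUserPolicy",
      "Resource": "arn:aws:iam::123456789012:user/contractors/*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyARN": [
            "arn:aws:iam::aws:policy/ReadOnlyAccess",
            "arn:aws:iam::123456789012:policy/contractor-baseline"
          ]
        }
      }
    }
  ]
}""")


def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """IAM action patterns are case-insensitive globs, e.g. 'iam:*' or 'iam:Attach*'."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _has_policy_arn_condition(statement):
    """True if any condition operator in the statement constrains iam:PolicyARN."""
    for keys in (statement.get("Condition") or {}).values():
        if any(k.lower() == "iam:policyarn" for k in keys):
            return True
    return False


def find_attach_user_policy_risks(policy, action="iam:AttachUserPolicy"):
    """Return one finding per Allow statement that grants `action` with a
    wildcard Resource and/or no iam:PolicyARN condition."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _action_matches(_as_list(stmt.get("Action")), action):
            continue
        problems = []
        if any(r == "*" for r in _as_list(stmt.get("Resource"))):
            problems.append("Resource is '*' (any user, including the caller)")
        if not _has_policy_arn_condition(stmt):
            problems.append("no iam:PolicyARN condition (any policy, including AdministratorAccess)")
        if problems:
            findings.append({"statement": idx, "problems": problems})
    return findings


if __name__ == "__main__":
    print("weak:", find_attach_user_policy_risks(WEAK_POLICY))
    print("hardened:", find_attach_user_policy_risks(HARDENED_POLICY))
```

Both checks matter: scoping Resource limits which users can be modified, but if the caller's own user falls inside that path the condition on iam:PolicyARN is what stops it from attaching AdministratorAccess. The linter also catches the permission when it arrives through a wildcard such as iam:*, which a plain string search for the action name would miss.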


Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.