Severity: High

iam:CreateAccessKey Privilege Escalation

iam:CreateAccessKey on Resource "*" lets a principal mint long-lived access keys for any IAM user, including more privileged ones. The attacker creates a key for a powerful user and then operates with that user’s permissions.

Permissions an attacker needs

  • iam:CreateAccessKey

How the escalation works

  • The attacker enumerates users to find one with broad permissions.
  • They create a new access key for that user (each user can hold up to two).
  • They authenticate with the new key and inherit the target user’s permissions.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:CreateAccessKey",
      "Resource": "*"
    }
  ]
}

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

aws iam create-access-key --user-name privileged-user

How to detect and prevent it

  • Scope iam:CreateAccessKey to the calling user only, using a condition like aws:username matching the principal, or remove it entirely in favor of short-lived role credentials.
  • Prefer IAM roles and STS over long-lived user access keys wherever possible.
  • Alert on CreateAccessKey where the target user differs from the caller.
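The third bullet as detection logic: an added example (not part of the original page or of Shieldly's tooling) that scans CloudTrail records for CreateAccessKey calls whose target user is not the calling IAM user. The sample records are constructed and trimmed to the fields the check uses; the account ID is a placeholder.

```python
"""Flag CloudTrail CreateAccessKey events where the target user differs from the caller."""

# Constructed sample CloudTrail records (placeholder account, not real data), trimmed to the
# fields this check reads.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "alice"}},                     # rotating own key: benign
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "privileged-user"}},           # key for another user: alert
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/s1"},
     "requestParameters": {"userName": "privileged-user"}},           # role minting a user key: alert
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "privileged-user"},
     "errorCode": "AccessDenied"},                                    # denied attempt: still flagged
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},       # unrelated call
]


def is_cross_principal_create_access_key(event):
    """True when CreateAccessKey targets a user other than the IAM user making the call."""
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("eventName") != "CreateAccessKey":
        return False
    identity = event.get("userIdentity", {})
    # CloudTrail records the explicit userName parameter; when it is omitted IAM targets the caller.
    target = (event.get("requestParameters") or {}).get("userName")
    if identity.get("type") != "IAMUser":
        return target is not None  # a role or root naming a user is never self-rotation
    return target is not None and target != identity.get("userName")


def find_alerts(events):
    """Return (caller_arn, target_user, outcome) for every suspicious CreateAccessKey record."""
    alerts = []
    for ev in events:
        if is_cross_principal_create_access_key(ev):
            outcome = ev.get("errorCode", "Success")  # failed attempts are also worth reviewing
            alerts.append((ev["userIdentity"].get("arn"), ev["requestParameters"]["userName"], outcome))
    return alerts


if __name__ == "__main__":
    for caller, target, outcome in find_alerts(SAMPLE_EVENTS):
        print(f"{outcome}: {caller} created key for {target}")
```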

FAQ

How do I let users rotate only their own keys?

Grant iam:CreateAccessKey and iam:DeleteAccessKey with a condition restricting the resource to the caller’s own user ARN, so they cannot mint keys for others.


Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.