Severity: High

iam:CreateLoginProfile and UpdateLoginProfile Privilege Escalation

A login profile is the console password for an IAM user. iam:CreateLoginProfile sets one for a user that has none; iam:UpdateLoginProfile resets an existing one. Either lets an attacker set a known password on a more privileged user and log into the console as them.

Permissions an attacker needs

  • iam:CreateLoginProfile or iam:UpdateLoginProfile

How the escalation works

  • The attacker finds a privileged user, ideally one without a console password: CreateLoginProfile fails with EntityAlreadyExists when the user already has one, and resetting an existing password with UpdateLoginProfile locks the legitimate user out and is likely to be noticed.
  • They set a password they control with CreateLoginProfile, or reset an existing password with UpdateLoginProfile. The new password must satisfy the account password policy.
  • They sign in to the AWS console as that user with the chosen password. If the user has an MFA device enabled, sign-in also requires the MFA code.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateLoginProfile",
        "iam:UpdateLoginProfile"
      ],
      "Resource": "*"
    }
  ]
}
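The following is an added example, not code from this page and not Shieldly's analyzer. It is a small static check that walks an IAM policy document and reports every Allow statement granting iam:CreateLoginProfile or iam:UpdateLoginProfile on anything broader than the caller's own user, which is the scoping the prevention section asks for. It runs over the vulnerable policy above, over a scoped variant, and over a wildcard iam:* grant. The account ID 123456789012 is an illustrative assumption.

```python
"""Static check for the CreateLoginProfile / UpdateLoginProfile escalation path.

Added example, not Shieldly's analyzer and not code from the page. It walks an
IAM policy document and reports every Allow statement that grants either action
on anything broader than the caller's own user. The account ID 123456789012 is
an illustrative assumption.
"""
import fnmatch
import json

LOGIN_PROFILE_ACTIONS = ("iam:createloginprofile", "iam:updateloginprofile")

# The only Resource shape that cannot reach another user: the IAM policy
# variable ${aws:username} resolves to the calling IAM user's own name.
# It is undefined for role sessions, so a role gets no match and no access.
SELF_SCOPED_SUFFIX = ":user/${aws:username}"


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_login_profile_action(actions):
    """True if any Action pattern (wildcards such as iam:* allowed) matches."""
    for pattern in actions:
        if any(fnmatch.fnmatchcase(a, pattern.lower()) for a in LOGIN_PROFILE_ACTIONS):
            return True
    return False


def find_login_profile_escalation(policy):
    """Return one finding per (statement, resource) that lets the principal
    set a console password on a user other than itself.

    NotAction/NotResource statements are not modelled; a Condition does not
    suppress the finding, because conditions rarely pin the target user.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not _grants_login_profile_action(actions):
            continue
        for resource in _as_list(stmt.get("Resource")):
            if not resource.endswith(SELF_SCOPED_SUFFIX):
                findings.append(
                    {"statement": index, "actions": actions, "resource": resource}
                )
    return findings


# The policy from this page: both actions on every user in the account.
VULNERABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:CreateLoginProfile", "iam:UpdateLoginProfile"],
            "Resource": "*",
        }
    ],
}

# The scoped form: a user may only (re)set its own console password.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:CreateLoginProfile", "iam:UpdateLoginProfile"],
            "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
        }
    ],
}

# A broad wildcard grant is caught too, since iam:* covers both actions.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
}


if __name__ == "__main__":
    for name, policy in [("vulnerable", VULNERABLE_POLICY),
                         ("scoped", SCOPED_POLICY),
                         ("wildcard", WILDCARD_POLICY)]:
        print(name, json.dumps(find_login_profile_escalation(policy)))
```

The check treats any resource that does not end in `:user/${aws:username}` as reaching other users, so `arn:aws:iam::123456789012:user/*` is flagged just like `*`. It deliberately ignores Conditions: a condition could in principle restrict the target, but in practice the fix is the resource scope, and a reviewer should see the finding until that scope is in place.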

Example exploitation

For illustration only — run against accounts you own or are authorized to test. The UpdateLoginProfile variant is aws iam update-login-profile with the same arguments; it is used when the target user already has a console password.

aws iam create-login-profile \
  --user-name privileged-user \
  --password 'Sup3rSecret!2026' \
  --no-password-reset-required

How to detect and prevent it

  • Scope these actions to the caller’s own user ARN (Resource "arn:aws:iam::<account-id>:user/${aws:username}") so a user can only manage its own password. The ${aws:username} variable is only defined for IAM user principals, so role sessions get no access at all.
  • Require MFA for console sign-in so a password alone is insufficient. This protects only users that actually have an MFA device enabled; a policy condition on aws:MultiFactorAuthPresent restricts API calls but does not stop the console sign-in itself.
  • Alert on CreateLoginProfile / UpdateLoginProfile CloudTrail events where requestParameters.userName differs from the calling identity, including failed (AccessDenied) attempts, which show an attacker probing for a user they can take over.
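The detection rule from the last bullet, as an added example that is not part of the original page. It scans CloudTrail records for the two IAM events and flags every call whose target (requestParameters.userName) is not the calling IAM user; role sessions and root can never be "self" here, and failed calls are kept as attempts. The records are constructed for this example, and the account ID, user names, role name and IP addresses are made up.

```python
"""CloudTrail detection for console passwords set on another user.

Added example, not part of the original page. It scans CloudTrail records for
CreateLoginProfile / UpdateLoginProfile and flags every call whose target
(requestParameters.userName) is not the calling IAM user. The records below
are constructed for this example; account ID, names and IPs are made up.
"""
import json

WATCHED_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile"}


def analyse_login_profile_event(event):
    """Return an alert for a cross-user password set, or None if nothing to report.

    - Only the two IAM events matter; everything else returns None.
    - An IAM user (re)setting its own password is benign.
    - A different target, or a caller that is not an IAM user (a role session
      or root cannot be 'self' here), is an alert.
    - Failed calls (errorCode present) are still reported: an AccessDenied
      against a privileged user is the probing that precedes a successful reset.
    """
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if event.get("eventName") not in WATCHED_EVENTS:
        return None
    identity = event.get("userIdentity") or {}
    target = (event.get("requestParameters") or {}).get("userName")
    caller = identity.get("userName") if identity.get("type") == "IAMUser" else None
    if target is None or target == caller:
        return None
    return {
        "time": event.get("eventTime"),
        "event": event["eventName"],
        "caller": identity.get("arn"),
        "target": target,
        "outcome": event.get("errorCode", "Success"),
        "source_ip": event.get("sourceIPAddress"),
    }


def scan_cloudtrail(records):
    """Run the rule over a list of CloudTrail records and return the alerts."""
    return [a for a in (analyse_login_profile_event(r) for r in records) if a]


# Constructed CloudTrail records, trimmed to the fields the rule reads.
# CloudTrail never records the password itself, only the target user name.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime":"2026-03-01T09:12:00Z","eventSource":"iam.amazonaws.com",
  "eventName":"UpdateLoginProfile","sourceIPAddress":"198.51.100.7",
  "userIdentity":{"type":"IAMUser","userName":"alice",
                  "arn":"arn:aws:iam::123456789012:user/alice"},
  "requestParameters":{"userName":"alice"}},
 {"eventTime":"2026-03-01T09:15:30Z","eventSource":"iam.amazonaws.com",
  "eventName":"CreateLoginProfile","sourceIPAddress":"203.0.113.9",
  "userIdentity":{"type":"IAMUser","userName":"dev-user",
                  "arn":"arn:aws:iam::123456789012:user/dev-user"},
  "requestParameters":{"userName":"privileged-user","passwordResetRequired":false}},
 {"eventTime":"2026-03-01T09:16:02Z","eventSource":"iam.amazonaws.com",
  "eventName":"CreateLoginProfile","sourceIPAddress":"203.0.113.9",
  "errorCode":"AccessDenied",
  "userIdentity":{"type":"IAMUser","userName":"dev-user",
                  "arn":"arn:aws:iam::123456789012:user/dev-user"},
  "requestParameters":{"userName":"admin","passwordResetRequired":false}},
 {"eventTime":"2026-03-01T10:40:11Z","eventSource":"iam.amazonaws.com",
  "eventName":"UpdateLoginProfile","sourceIPAddress":"203.0.113.9",
  "userIdentity":{"type":"AssumedRole",
                  "arn":"arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"},
  "requestParameters":{"userName":"admin"}},
 {"eventTime":"2026-03-01T10:41:00Z","eventSource":"iam.amazonaws.com",
  "eventName":"CreateAccessKey","sourceIPAddress":"198.51.100.7",
  "userIdentity":{"type":"IAMUser","userName":"alice",
                  "arn":"arn:aws:iam::123456789012:user/alice"},
  "requestParameters":{"userName":"alice"}}
]""")


if __name__ == "__main__":
    for alert in scan_cloudtrail(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

On the sample the rule raises three alerts: dev-user creating a password for privileged-user, dev-user's denied attempt against admin, and the ci-deploy role session resetting admin's password. Alice changing her own password and the unrelated CreateAccessKey event are ignored. In production the same logic fits an EventBridge rule on the CloudTrail event pattern or a CloudWatch Logs metric filter; the point is the comparison between requestParameters.userName and the calling identity, not the transport.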

FAQ

Does MFA stop this attack?

Enforcing MFA on console login raises the bar significantly, since a reset password alone will not complete sign-in. It only helps for users that actually have an MFA device enabled, and setting or resetting the password does not remove that device. It is not a substitute for scoping the action to the caller's own user, but it is a strong second layer.


Check your IAM policies for this — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.