iam:PutGroupPolicy Privilege Escalation

iam:PutGroupPolicy writes an inline policy onto an IAM group. An attacker who belongs to the group authors an inline document granting Action "*" on Resource "*", and every member — including their own user — inherits those permissions.

Permissions an attacker needs

• iam:PutGroupPolicy

How the escalation works

• The attacker confirms the group their IAM user belongs to.
• They call PutGroupPolicy with an inline document granting Action "*" on Resource "*".
• Their user inherits the escalated permissions immediately.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PutGroupPolicy",
      "Resource": "*"
    }
  ]
}

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

aws iam put-group-policy \
  --group-name developers \
  --policy-name esc \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'

How to detect and prevent it

• Scope iam:PutGroupPolicy to specific groups and tightly controlled automation only.
• Apply permissions boundaries so inline group policies cannot exceed the boundary.
• Audit inline group policies explicitly — they are invisible to managed-policy inventories. Shieldly and CloudTrail both surface them.

FAQ

Related escalation methods

• iam:AttachGroupPolicy Privilege Escalation
• iam:AddUserToGroup Privilege Escalation
• iam:PutUserPolicy Privilege Escalation

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.