Critical severity

iam:PutRolePolicy Privilege Escalation

iam:PutRolePolicy writes an inline policy directly onto an IAM role. If the attacker can assume that role, they author a document granting Action "*" on Resource "*" and gain full control — without depending on any existing managed policy.

Permissions an attacker needs

  • iam:PutRolePolicy
  • sts:AssumeRole

How the escalation works

  • The attacker identifies a role they can assume or trigger via a service.
  • They call PutRolePolicy with an inline document granting Action "*" on Resource "*".
  • They assume the role and operate as an administrator.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PutRolePolicy",
      "Resource": "*"
    }
  ]
}

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

aws iam put-role-policy \
  --role-name assumable-role \
  --policy-name esc \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'

How to detect and prevent it

  • Restrict iam:PutRolePolicy to specific roles and tightly controlled automation only.
  • Enforce a permissions boundary so an inline policy on the role cannot exceed it.
  • Monitor PutRolePolicy, PutUserPolicy, and PutGroupPolicy in CloudTrail — inline writes do not appear in managed-policy inventories and are easy to miss.
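As an added example (not from the original page or Shieldly's tooling), a small Python checker that applies the CloudTrail monitoring advice above: it scans PutRolePolicy, PutUserPolicy and PutGroupPolicy events and flags any whose inline document grants Action "*" on Resource "*". The event records and account id are constructed; the URL-decoding fallback is an assumption about how the policy document may be encoded.

```python
import json
from urllib.parse import unquote

# The three inline-policy write APIs the monitoring advice above calls out.
INLINE_POLICY_WRITES = {"PutRolePolicy", "PutUserPolicy", "PutGroupPolicy"}

def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def grants_full_admin(policy_doc: dict) -> bool:
    """True if any Allow statement grants Action "*" (or "*:*") on Resource "*"."""
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions & {"*", "*:*"} and "*" in resources:
            return True
    return False

def flag_inline_policy_writes(events):
    """Return (eventName, caller ARN, target name, policyName) for every inline-policy
    write whose document grants full admin. policyDocument arrives as a JSON string."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in INLINE_POLICY_WRITES:
            continue
        params = ev.get("requestParameters") or {}
        raw = params.get("policyDocument") or "{}"
        try:
            doc = json.loads(raw)
        except json.JSONDecodeError:
            doc = json.loads(unquote(raw))  # assumption: tolerate a URL-encoded document
        if grants_full_admin(doc):
            target = params.get("roleName") or params.get("userName") or params.get("groupName")
            findings.append((ev["eventName"], ev["userIdentity"].get("arn"), target, params.get("policyName")))
    return findings

# Constructed sample events, not real CloudTrail output; only the fields used above are present.
SAMPLE_EVENTS = [
    {"eventName": "PutRolePolicy", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"roleName": "assumable-role", "policyName": "esc",
                           "policyDocument": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'}},
    {"eventName": "PutRolePolicy", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci"},
     "requestParameters": {"roleName": "app-role", "policyName": "s3-read",
                           "policyDocument": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject"],"Resource":"arn:aws:s3:::app-bucket/*"}]}'}},
    {"eventName": "AttachRolePolicy", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"roleName": "app-role", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]
```

Run `flag_inline_policy_writes(SAMPLE_EVENTS)` to see only the first event flagged; the scoped s3-read write and the AttachRolePolicy call are left alone, so the check is specific to the inline-document path this page describes.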

FAQ

How is this different from iam:AttachRolePolicy?

AttachRolePolicy reuses an existing managed policy; PutRolePolicy lets the attacker author an arbitrary inline document, so it does not depend on an admin policy already existing in the account.


Check your IAM policies for this — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.