Severity: High

iam:SetDefaultPolicyVersion Privilege Escalation

A customer managed policy can keep up to five versions, only one of which is the default (the version IAM actually evaluates). iam:SetDefaultPolicyVersion lets a principal make any stored version the default. If an older, more permissive version is still on a policy attached to the attacker's user, group, or role, they can roll the policy back to it and immediately hold those broader permissions, without writing a new policy document. The change affects every principal the policy is attached to, not only the attacker.

Permissions an attacker needs

  • iam:SetDefaultPolicyVersion on the target policy
  • iam:ListPolicyVersions and iam:GetPolicyVersion (to enumerate the versions and read each document; not strictly required if the attacker already knows a permissive version ID)

How the escalation works

  • The attacker lists the stored versions of a customer managed policy attached to their user, group, or role.
  • They find a non-default version that grants more than the current default (a common result of someone tightening a policy without deleting the old version; IAM keeps a superseded version until it is explicitly deleted).
  • They call SetDefaultPolicyVersion to make that broader version active again. The effect is immediate for every principal the policy is attached to.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:SetDefaultPolicyVersion",
      "Resource": "*"
    }
  ]
}

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

# 1. Enumerate stored versions; IsDefaultVersion in the output shows which one is active.
aws iam list-policy-versions --policy-arn arn:aws:iam::123456789012:policy/example

# 2. Read a candidate with get-policy-version, then roll the policy back to it.
aws iam set-default-policy-version \
  --policy-arn arn:aws:iam::123456789012:policy/example \
  --version-id v1
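The "find a broader version" step above, automated. This is an example added here, not Shieldly's code: it compares the Allow actions of each non-default version with those of the default and reports the versions that are a pure widening, which is exactly the list an attacker would roll back to and the list a defender should delete. The sample versions are constructed; fetch_versions shows the boto3 calls (list_policy_versions, get_policy_version) that produce the same structure from a real account and is not executed here. The comparison is a heuristic on Action patterns only and ignores Resource and Condition.

```python
"""Find stored versions of a managed policy that are broader than the default.

Added example, not Shieldly's tooling. SAMPLE_VERSIONS is constructed data in the
shape boto3 returns; fetch_versions is the (unexecuted) real-account equivalent.
"""
from fnmatch import fnmatchcase


def allowed_actions(document):
    """Collect the Action patterns of every Allow statement.

    Heuristic: Resource and Condition are ignored, and an Allow with NotAction is
    treated as "*" because it permits everything not listed.
    """
    stmts = document.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be written without the list
        stmts = [stmts]
    actions = set()
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        if "NotAction" in s:
            actions.add("*")
            continue
        act = s.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def _covered(action, patterns):
    """True if some pattern (e.g. "s3:*" or "*") matches the action; IAM actions are case-insensitive."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def find_broader_versions(versions):
    """Return {version_id: [actions the default does not cover]} for every non-default
    version whose Allow actions are a superset of the default's.

    `versions` is a list of {"VersionId", "IsDefaultVersion", "Document"} dicts, i.e.
    ListPolicyVersions entries joined with the GetPolicyVersion document.
    """
    default = next(v for v in versions if v["IsDefaultVersion"])
    base = allowed_actions(default["Document"])
    findings = {}
    for v in versions:
        if v["IsDefaultVersion"]:
            continue
        acts = allowed_actions(v["Document"])
        if not all(_covered(a, acts) for a in base):
            continue                      # drops something the default grants: not a pure widening
        extra = sorted(a for a in acts if not _covered(a, base))
        if extra:
            findings[v["VersionId"]] = extra
    return findings


def fetch_versions(iam, policy_arn):
    """Build the same structure from AWS with a boto3 IAM client
    (needs iam:ListPolicyVersions and iam:GetPolicyVersion). Not executed in this example."""
    out = []
    for v in iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]:
        doc = iam.get_policy_version(PolicyArn=policy_arn, VersionId=v["VersionId"])
        out.append({"VersionId": v["VersionId"],
                    "IsDefaultVersion": v["IsDefaultVersion"],
                    "Document": doc["PolicyVersion"]["Document"]})
    return out


# Constructed sample: v3 is the tightened default; v1 and v2 are older, broader drafts
# nobody deleted; v4 is a narrower experiment and must not be reported.
SAMPLE_VERSIONS = [
    {"VersionId": "v4", "IsDefaultVersion": False, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}},
    {"VersionId": "v3", "IsDefaultVersion": True, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": False, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"}]}},
    {"VersionId": "v1", "IsDefaultVersion": False, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
]

if __name__ == "__main__":
    for vid, extra in find_broader_versions(SAMPLE_VERSIONS).items():
        print(f"{vid}: reactivating it adds {extra}")
```

Run against a real policy with find_broader_versions(fetch_versions(boto3.client("iam"), arn)). An empty result does not mean the policy is safe, only that no stored version widens the Allow set; a version that is broader through a looser Resource or a dropped Condition is outside what this heuristic compares.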

How to detect and prevent it

  • Delete old policy versions after editing a policy (aws iam delete-policy-version) so a permissive version cannot be reactivated. The five-version cap only forces a deletion when you create a sixth version, and it does not choose the permissive one for you.
  • Scope iam:SetDefaultPolicyVersion to specific policy ARNs, never Resource "*", and keep it off any policy that is attached to the principal holding the permission.
  • Use a permissions boundary to cap the effective permissions regardless of which version is active, and make sure the principal cannot call SetDefaultPolicyVersion on the boundary policy itself: a boundary is also a managed policy with versions.
  • Alert on SetDefaultPolicyVersion, and on CreatePolicyVersion with setAsDefault, in CloudTrail. Both are rare in normal operations, and a rollback performed by a principal the policy is attached to is a strong escalation signal.
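The CloudTrail check from the last bullet, as an added example that is not part of Shieldly's product: it reads CloudTrail records as JSON lines and emits one finding per event that changes which version of a managed policy is in force, covering both the rollback itself and the CreatePolicyVersion-with-setAsDefault variant mentioned in the FAQ. The four records are constructed and trimmed to the fields the check uses (eventSource, eventName, requestParameters, userIdentity.arn, sourceIPAddress); the policyDocument placeholder stands in for the real document string.

```python
"""Flag CloudTrail events that switch a managed policy's default version.

Added example, not Shieldly's code. SAMPLE_EVENTS is constructed, trimmed CloudTrail
data; real records carry many more fields but the ones read here are standard.
"""
import json

# Constructed sample: one rollback, one CreatePolicyVersion that also sets the
# default, and two benign events that must not be flagged.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListPolicyVersions", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/example"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/example",
                           "versionId": "v1"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicyVersion", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/example",
                           "policyDocument": "{...}", "setAsDefault": True}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"bucketName": "example-bucket", "key": "notes.txt"}},
])


def flag_policy_version_changes(jsonl):
    """Return one finding per event that changes a policy's default version.

    Matches SetDefaultPolicyVersion (rollback to a stored version) and
    CreatePolicyVersion with setAsDefault (new version activated in one call).
    Malformed or blank lines are skipped so a partial log export still works.
    """
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        name = ev.get("eventName")
        if name == "SetDefaultPolicyVersion":
            technique = "rollback to stored version"
        elif name == "CreatePolicyVersion" and params.get("setAsDefault"):
            technique = "new version set as default"
        else:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "policy_arn": params.get("policyArn"),
            "version_id": params.get("versionId"),   # not in the request for CreatePolicyVersion
            "technique": technique,
        })
    return findings


if __name__ == "__main__":
    for f in flag_policy_version_changes(SAMPLE_EVENTS):
        print(f"{f['time']} {f['actor']} {f['technique']} on {f['policy_arn']} "
              f"(version {f['version_id']}) from {f['source_ip']}")
```

A finding is an escalation only if the policy is attached to the actor (or to something the actor can use). The event alone does not tell you that, so triage by running aws iam list-entities-for-policy against the policy ARN and checking whether the actor's user, group, or role is in the list.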

FAQ

How is this different from CreatePolicyVersion?

CreatePolicyVersion writes a brand-new permissive document (and, with --set-as-default, activates it in the same call); SetDefaultPolicyVersion only reactivates a version that already exists on the policy, so it works even when the attacker cannot create versions. The fix for the latter is to prune old versions; the fix for the former is to restrict who may create versions at all.


Check your IAM policies for this — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.