Severity: Critical

iam:UpdateLoginProfile Privilege Escalation

iam:UpdateLoginProfile resets the console password of an IAM user that already has a login profile. An attacker resets the password of a more-privileged user, then signs in to the console as that user — unless the target is protected by MFA.

Permissions an attacker needs

  • iam:UpdateLoginProfile

How the escalation works

  • The attacker enumerates IAM users and finds one with broad permissions that has a console login profile.
  • They call UpdateLoginProfile to set a new password they control.
  • They sign in to the AWS console as that user and inherit its privileges.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:UpdateLoginProfile",
      "Resource": "*"
    }
  ]
}

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

aws iam update-login-profile \
  --user-name privileged-admin \
  --password 'N3w-Passw0rd!' \
  --no-password-reset-required

How to detect and prevent it

  • Scope iam:UpdateLoginProfile to specific users and never grant it on Resource "*".
  • Require MFA on every human user — a reset password alone cannot complete sign-in when MFA is enforced.
  • Alert on UpdateLoginProfile and CreateLoginProfile in CloudTrail; a password set on another principal is a strong escalation signal.
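One way to turn the CloudTrail rule above into a triage check, as an added example that is not part of the original page: it walks constructed CloudTrail records (the field names are the real CloudTrail ones; the user names, account id and events are made up) and rates a password set on a different principal than the caller higher than a self-service reset.

```python
# CloudTrail event names that set a console password (the events the page says to alert on).
PASSWORD_EVENTS = {"UpdateLoginProfile", "CreateLoginProfile"}

# Constructed sample CloudTrail records, not real logs; only the fields the check reads.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "requestParameters": {"userName": "privileged-admin",
                           "passwordResetRequired": False}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"},
     "requestParameters": {"userName": "privileged-admin"},
     "errorCode": "AccessDenied"},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}},
]


def caller_name(identity):
    """Best-effort name of the caller: IAM users carry userName,
    assumed-role sessions only carry the session ARN."""
    return identity.get("userName") or identity.get("arn", "<unknown>")


def triage(events):
    """One finding per password-setting IAM call. 'high' when the password is set on
    a principal other than the caller (the escalation pattern on this page), 'low'
    for a self-service reset. Denied calls are kept and tagged with the error code."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in PASSWORD_EVENTS:
            continue
        identity = ev.get("userIdentity", {})
        caller = caller_name(identity)
        target = ev.get("requestParameters", {}).get("userName")
        self_change = identity.get("type") == "IAMUser" and target == caller
        findings.append({"event": ev["eventName"], "caller": caller, "target": target,
                         "severity": "low" if self_change else "high",
                         "denied": ev.get("errorCode")})
    return findings
```

Feed it the `Records` array of a CloudTrail log file and route every `high` finding to an alert; the denied attempt is still worth a ticket because it shows someone holding the permission tried to use it.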

FAQ

Does MFA stop this escalation?

It blocks the final step. The attacker can still reset the password, but cannot complete console sign-in without the second factor — which is why MFA on every human user is the key control.

Check your IAM policies for this — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.