IAM Privilege Escalation
What is IAM Privilege Escalation?
Abusing existing cloud IAM permissions to gain higher privileges, often via policy editing, role passing, or self-granting administrative rights.
IAM privilege escalation in cloud environments occurs when a principal with limited permissions uses legitimate API actions to elevate to broader or administrative privileges. Common AWS paths include iam:CreateAccessKey on another user, iam:PutUserPolicy, sts:AssumeRole on a privileged role, lambda:UpdateFunctionCode on a function with a powerful role, or iam:PassRole abuse via ec2:RunInstances. Equivalent paths exist in Azure (role assignment writes) and GCP (setIamPolicy). Tools such as Pacu and PMapper enumerate these chains automatically. Defenders restrict iam:PassRole, the iam:Put* policy-writing actions, and *:Update* actions that rewrite code or configuration; enforce permission boundaries and SCPs; log every IAM change in CloudTrail; and alert on dangerous permission combinations.
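The last sentence above is where detection work lands: CloudTrail records every IAM, STS, Lambda and EC2 call, so the escalation paths named in the definition can be scored as they happen. The following Python script is an added example written for this page (it is not from Pacu, PMapper or any vendor) that assesses CloudTrail records against those paths. The sample records are constructed and trimmed to the fields the checks read; field names (eventSource, eventName, userIdentity, requestParameters, errorCode) follow the CloudTrail record format, and UpdateFunctionCode20150331v2 is the eventName CloudTrail writes for the Lambda UpdateFunctionCode API. The account id is a placeholder.

```python
"""Score CloudTrail records against the IAM escalation paths in the definition.
Added example for this page; sample records below are constructed."""
import json
from urllib.parse import quote, unquote

# (eventSource, eventName) -> label.  UpdateFunctionCode20150331v2 is the
# eventName CloudTrail records for the Lambda UpdateFunctionCode API.
WATCHED = {
    ("iam.amazonaws.com", "CreateAccessKey"): "access key created",
    ("iam.amazonaws.com", "PutUserPolicy"): "inline user policy written",
    ("iam.amazonaws.com", "PutRolePolicy"): "inline role policy written",
    ("iam.amazonaws.com", "AttachUserPolicy"): "managed policy attached",
    ("sts.amazonaws.com", "AssumeRole"): "role assumed",
    ("lambda.amazonaws.com", "UpdateFunctionCode20150331v2"): "Lambda code replaced",
    ("ec2.amazonaws.com", "RunInstances"): "instance launched",
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def caller_name(record):
    """Best-effort principal name: userName, else the last segment of the ARN."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn", "").rsplit("/", 1)[-1] or "unknown"


def policy_grants_everything(params):
    """True if the URL-encoded policyDocument allows Action '*' on Resource '*'."""
    doc = params.get("policyDocument")
    if not doc:
        return False
    try:
        statements = json.loads(unquote(doc)).get("Statement", [])
    except (ValueError, AttributeError):
        return False
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False


def assess(record):
    """Return (severity, reason) for one record, or None if it is not of interest."""
    key = (record.get("eventSource"), record.get("eventName"))
    label = WATCHED.get(key)
    if label is None:
        return None
    caller = caller_name(record)
    params = record.get("requestParameters") or {}
    if record.get("errorCode"):
        # A denied attempt is still a signal: the principal is probing what it can do.
        return ("info", f"{label}: {key[1]} denied for {caller}")
    if key[1] == "CreateAccessKey":
        target = params.get("userName") or caller  # omitted userName means self
        if target != caller:
            return ("high", f"{label} for {target} by {caller}")
        return ("low", f"{label} for self by {caller}")
    if key[1] in ("PutUserPolicy", "PutRolePolicy"):
        if policy_grants_everything(params):
            return ("high", f"{label} granting Allow */* by {caller}")
        return ("medium", f"{label} by {caller}")
    if key[1] == "RunInstances":
        profile = params.get("iamInstanceProfile") or {}
        name = profile
        if isinstance(profile, dict):
            name = profile.get("arn") or profile.get("name")
        if not name:
            return None  # a launch without an instance profile passes no role
        return ("medium", f"{label} with instance profile {name} by {caller}")
    return ("medium", f"{label} by {caller}")


def scan(records):
    """Assess every record and return the findings ordered by severity."""
    findings = [f for f in map(assess, records) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def identity(user):
    return {"type": "IAMUser", "userName": user}


# Constructed sample trail (not real CloudTrail output); account id is a placeholder.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": identity("auditor"), "requestParameters": {"userName": "admin-user"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": identity("auditor"), "requestParameters": None},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "userIdentity": identity("auditor"),
     "requestParameters": {"userName": "auditor", "policyName": "escalate",
                           # CloudTrail stores the policy document URL-encoded
                           "policyDocument": quote(json.dumps({"Version": "2012-10-17", "Statement": [
                               {"Effect": "Allow", "Action": "*", "Resource": "*"}]}))}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": identity("auditor"),
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Admin"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": identity("deployer"), "requestParameters": {"functionName": "nightly-report"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": identity("auditor"),
     "requestParameters": {"iamInstanceProfile": {"arn": "arn:aws:iam::111111111111:instance-profile/admin-profile"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": identity("auditor"), "errorCode": "AccessDenied",
     "requestParameters": {"userName": "auditor", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_RECORDS):
        print(f"[{severity:6}] {reason}")
```

The score is deliberately coarse: a key created for a different user, or an inline policy that allows everything on everything, is high on its own, while AssumeRole, Lambda code updates and instance launches with a profile are medium because deployment pipelines perform them legitimately; in production these would be correlated with the role's attached permissions and with a baseline of which principals normally perform them. Denied attempts are kept as informational findings because a principal enumerating what it can reach is itself worth seeing.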
● Examples
- 01: A read-only user with iam:CreateAccessKey on an admin user creates new keys and gains full access.
- 02: Updating a Lambda function's code while the function runs with an AdministratorAccess role.
● Frequently asked questions
What is IAM Privilege Escalation?
Abusing existing cloud IAM permissions to gain higher privileges, often via policy editing, role passing, or self-granting administrative rights. It belongs to the Cloud Security category of cybersecurity.
How do you defend against IAM Privilege Escalation?
Defences for IAM Privilege Escalation combine technical controls (restricting iam:PassRole, iam:Put* and *:Update* permissions, enforcing permission boundaries and SCPs) with operational practices (logging every IAM change in CloudTrail and alerting on dangerous permission combinations), as detailed in the full definition above.
What are other names for IAM Privilege Escalation?
Common alternative names include: Cloud privesc, IAM privesc.
● Related terms
- Cloud Key Leak (cloud-security, № 186): Accidental exposure of long-lived cloud access keys in public repositories, container images, logs, or client-side code, often abused within minutes.
- Cloud Token Theft (cloud-security, № 190): Stealing OAuth, SAML, or signing tokens from a cloud identity service and replaying them to impersonate users or services without needing passwords.
- CSPM Finding (cloud-security, № 255): An alert produced by a Cloud Security Posture Management tool when a cloud resource violates a security benchmark, policy, or compliance rule.
- Kubernetes Cluster Attack (cloud-security, № 598): An intrusion against a Kubernetes (K8s) cluster that abuses exposed APIs, weak RBAC, or vulnerable workloads to gain control of the control plane or worker nodes.
- Privilege Escalation (vulnerabilities, № 860): A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.
● See also
- № 211 Container Escape
- № 187 Cloud Metadata SSRF
- № 079 AWS IMDSv1 Attack
- № 182 Cloud Cryptojacking
- № 183 Cloud Data Exfiltration