Cyber Security Academy · Lesson

Exploiting IAM Misconfigurations

Privilege escalation in the cloud.

IAM as an Escalation Engine

In the cloud, privilege escalation usually means abusing IAM permissions rather than exploiting memory bugs. If a low-privilege identity can modify policies, create access keys for other users, or assume a more privileged role, it can reach administrator rights without touching a single software vulnerability.

  • Permissions that modify IAM are inherently dangerous.
  • Escalation paths are flaws in policy logic, not software vulnerabilities; there is no CVE to look up.
  • The fix is least privilege, not a patch.

Dangerous Permissions

Certain IAM actions, especially when granted with a broad Resource such as "*", enable direct escalation. Once you hold credentials for a principal, enumerate its effective permissions and look for these:

  • iam:CreateAccessKey on another user (mint credentials for a more privileged user).
  • iam:AttachUserPolicy / iam:PutUserPolicy on yourself (attach the AWS managed AdministratorAccess policy, or write an inline policy that allows "*").
  • iam:CreatePolicyVersion on a policy already attached to you (publish a new default version that allows everything).
  • iam:PassRole combined with a compute service such as lambda:CreateFunction or ec2:RunInstances (run your code under a privileged role's credentials).
  • sts:AssumeRole where the target role's trust policy names a principal you control, the whole account root, or a wildcard.
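The escalation engine described above and the checklist of dangerous permissions can be turned into a small audit. The following is an added example written for this lesson, not code from the course; it is pure Python with no AWS calls, so the policy documents it inspects are constructed samples embedded inline. It resolves IAM's case-insensitive `*`/`?` action globs, honours `Deny` and `NotAction`, reports which escalation primitives a policy fully grants, and checks whether a role's trust policy would let a given caller run `sts:AssumeRole`. Resource scoping and `Condition` blocks are deliberately not evaluated (an assumption of this example: treat them as unrestricted and confirm candidates by hand).

```python
"""Flag direct IAM privilege-escalation primitives in policy documents.

Added example for this lesson (not the course's code). Sample policies below
are constructed. Resource and Condition are not evaluated (assumption).
"""
import fnmatch

# Each primitive: a label and the full set of actions the principal needs.
ESCALATION_PATTERNS = [
    ("iam:CreateAccessKey", ("iam:CreateAccessKey",)),
    ("iam:AttachUserPolicy", ("iam:AttachUserPolicy",)),
    ("iam:PutUserPolicy", ("iam:PutUserPolicy",)),
    ("iam:CreatePolicyVersion", ("iam:CreatePolicyVersion",)),
    # PassRole alone does nothing; it needs a service that runs code as the role.
    ("iam:PassRole + Lambda", ("iam:PassRole", "lambda:CreateFunction",
                               "lambda:InvokeFunction")),
    ("iam:PassRole + EC2", ("iam:PassRole", "ec2:RunInstances")),
]


def _listify(value):
    """Most IAM fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports '*' and '?' globs.
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def action_allowed(policy, action):
    """True if an Allow statement grants `action` and no Deny statement covers it."""
    allowed = denied = False
    for stmt in _listify(policy.get("Statement")):
        if "NotAction" in stmt:  # Allow/Deny everything except the listed actions
            hit = not _matches(action, _listify(stmt["NotAction"]))
        else:
            hit = _matches(action, _listify(stmt.get("Action")))
        if not hit:
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def find_escalation_paths(policy):
    """Labels of every escalation primitive whose full action set is granted."""
    return [label for label, actions in ESCALATION_PATTERNS
            if all(action_allowed(policy, a) for a in actions)]


def trust_policy_assumable_by(trust_policy, caller_arn):
    """True if the role's trust policy lets `caller_arn` call sts:AssumeRole.

    Matches an explicit ARN, a wildcard principal, or the caller's own account
    (root ARN or bare account ID), which delegates to any identity in that
    account whose identity policy allows sts:AssumeRole.
    """
    caller_account = caller_arn.split(":")[4]
    for stmt in _listify(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches("sts:AssumeRole", _listify(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        aws = _listify(principal.get("AWS")) if isinstance(principal, dict) else []
        for p in aws:
            if p in ("*", caller_arn, caller_account):
                return True
            if p.endswith(":root") and p.split(":")[4] == caller_account:
                return True
    return False


# Constructed sample: a "developer" policy with a broad iam:* grant and one Deny.
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:Attach*", "Resource": "*"},
    ],
}

# Constructed sample: the same developer after least privilege is applied.
LEAST_PRIV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]}],
}

# Constructed sample: a privileged role that trusts the entire account.
ROOT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}],
}

if __name__ == "__main__":
    print("dev policy:", find_escalation_paths(DEV_POLICY))
    print("least-priv policy:", find_escalation_paths(LEAST_PRIV_POLICY))
    print("role assumable by dev user:", trust_policy_assumable_by(
        ROOT_TRUST, "arn:aws:iam::123456789012:user/dev"))
```

Against the sample developer policy the audit reports CreateAccessKey, PutUserPolicy, CreatePolicyVersion and the PassRole+Lambda chain; AttachUserPolicy is suppressed by the explicit Deny, and the EC2 chain is missing ec2:RunInstances. The least-privilege version reports nothing, which is the point of the lesson's third bullet. In a real engagement you would feed this the output of `aws iam get-policy-version` / `aws iam get-role` for the principal you hold, then confirm each hit manually, because the Resource and Condition narrowing this example ignores can still block a path.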
