Critical

IAM user can execute a Privilege Escalation by using inline AttachUserPolicy

Security & Compliance
Description

When an IAM user is granted permission to attach an inline policy to their own user account, that permission can be used for privilege escalation. An attacker who controls the account can attach an overly permissive policy to it and then access or modify resources beyond the account's intended permissions. It is therefore important to monitor for, and prevent, IAM users being able to escalate privileges by using inline AttachUserPolicy.

Remediation

The following are the remediation steps that can be taken:

  1. Identify the user account that attached the policy and the policy that was attached.
  2. Remove the policy from the user account if it is found to be overly permissive or unnecessary.
  3. Review the user's permissions and remove any unnecessary permissions.
  4. Monitor the user's activity going forward to ensure they are not attempting to perform any unauthorized actions.
  5. Consider implementing policies that prevent users from attaching policies to their own user accounts, or limit the scope of policies that can be attached. This can help prevent similar privilege escalation attacks in the future.
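
For steps 3 and 5, the following added example (not Lightlytics code) reviews a user's policy documents for `Allow` statements that cover `iam:AttachUserPolicy` on the user's own ARN, and reports whether an `iam:PolicyARN` condition limits which policies can be attached. The user ARN, Sids and policy documents are constructed samples; `Deny` statements, `NotAction`/`NotResource`, permission boundaries and SCPs are not evaluated.

```python
import re

ACTION = "iam:AttachUserPolicy"

def glob_match(pattern, value, ignore_case=False):
    # IAM wildcards: "*" is any run of characters, "?" is exactly one
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def self_attach_findings(user_arn, policy_docs):
    """Return (Sid, has_policy_arn_condition) for every Allow statement that
    lets user_arn call iam:AttachUserPolicy on itself."""
    user_name = user_arn.rsplit("/", 1)[-1]
    findings = []
    for doc in policy_docs:
        for st in as_list(doc.get("Statement", [])):
            if st.get("Effect") != "Allow" or "Action" not in st or "Resource" not in st:
                continue  # Deny, NotAction and NotResource are out of scope here
            if not any(glob_match(a, ACTION, True) for a in as_list(st["Action"])):
                continue
            resources = [r.replace("${aws:username}", user_name) for r in as_list(st["Resource"])]
            if not any(glob_match(r, user_arn) for r in resources):
                continue
            # An iam:PolicyARN condition limits which managed policies may be attached
            keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
            findings.append((st.get("Sid", "<no Sid>"), "iam:policyarn" in keys))
    return findings

# Constructed sample: policies attached to a hypothetical user "dev-alice"
USER = "arn:aws:iam::111122223333:user/dev-alice"
POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllIam", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Sid": "ReadBucket", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "SelfAttachScoped", "Effect": "Allow", "Action": ["iam:Attach*"],
         "Resource": "arn:aws:iam::111122223333:user/${aws:username}",
         "Condition": {"ArnEquals": {"iam:PolicyARN": "arn:aws:iam::aws:policy/ReadOnlyAccess"}}},
        {"Sid": "OtherUser", "Effect": "Allow", "Action": "iam:AttachUserPolicy",
         "Resource": "arn:aws:iam::111122223333:user/ci-bot"}]},
]

if __name__ == "__main__":
    for sid, scoped in self_attach_findings(USER, POLICIES):
        print(sid, "limited by iam:PolicyARN" if scoped else "UNRESTRICTED self-attach")
```

A statement reported without an `iam:PolicyARN` condition is the one to remove or scope first; a reported condition still needs a manual read, since the check only confirms that the key is present.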

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.