Performing AWS Privilege Escalation Assessment

When to Use

  • When conducting authorized penetration testing of AWS IAM configurations
  • When validating that IAM policies follow the principle of least privilege
  • When assessing the blast radius of a compromised AWS credential
  • When building security reviews for IAM role and policy changes in CI/CD pipelines
  • When evaluating cross-account trust relationships for privilege escalation risks
Do not use for unauthorized testing against AWS accounts, for assessing non-IAM attack vectors (SSRF, application vulnerabilities), or as a substitute for comprehensive cloud penetration testing. Always obtain written authorization before testing.

Prerequisites

  • Written authorization for privilege escalation testing in the target AWS account
  • Test IAM user or role with limited permissions as the starting point
  • Pacu installed (`pip install pacu`)
  • CloudFox installed (`go install github.com/BishopFox/cloudfox@latest`)
  • PMapper (Principal Mapper) installed (`pip install principalmapper`)
  • AWS CLI configured with test credentials and CloudTrail logging enabled for audit trail

Workflow

Step 1: Enumerate Starting Permissions

Establish the baseline permissions of the test principal before attempting escalation.

```bash
# Get current identity
aws sts get-caller-identity

# Enumerate inline and attached policies for the current user
aws iam list-user-policies --user-name test-user
aws iam list-attached-user-policies --user-name test-user

# Get group memberships and group policies
aws iam list-groups-for-user --user-name test-user
for group in $(aws iam list-groups-for-user --user-name test-user --query 'Groups[*].GroupName' --output text); do
  echo "=== Group: $group ==="
  aws iam list-group-policies --group-name "$group"
  aws iam list-attached-group-policies --group-name "$group"
done

# Simulate specific API calls to map effective permissions
aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::ACCOUNT:user/test-user \
  --action-names iam:CreateUser iam:AttachUserPolicy iam:PassRole \
                 lambda:CreateFunction ec2:RunInstances sts:AssumeRole \
  --query 'EvaluationResults[*].[EvalActionName,EvalDecision]' --output table
```

Step 2: Scan for Privilege Escalation Paths with Pacu

Use Pacu's privilege escalation scanner to identify known IAM escalation techniques.

```bash
# Start Pacu session
pacu

# Create session and set credentials
Pacu (new:session) > set_keys --key-alias privesc-test

# Enumerate IAM configuration
Pacu > run iam__enum_users_roles_policies_groups
Pacu > run iam__enum_permissions

# Run privilege escalation scanner
Pacu > run iam__privesc_scan

# The scanner checks for 21+ known escalation methods including:
# - iam:CreatePolicyVersion (create admin policy version)
# - iam:SetDefaultPolicyVersion (revert to permissive older version)
# - iam:AttachUserPolicy / iam:AttachRolePolicy (attach admin policy)
# - iam:PutUserPolicy / iam:PutRolePolicy (create inline admin policy)
# - iam:PassRole + lambda:CreateFunction (Lambda with admin role)
# - iam:PassRole + ec2:RunInstances (EC2 with admin instance profile)
# - iam:CreateLoginProfile / iam:UpdateLoginProfile (set console password)
# - iam:CreateAccessKey (create keys for other users)
# - sts:AssumeRole (assume more privileged roles)
# - glue:CreateDevEndpoint + iam:PassRole (Glue with admin role)
```
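
The static check that Steps 1 and 2 describe can also be done offline against the policy documents you collected, which is useful for the CI/CD review use case listed under "When to Use". The following Python script is an added example, not part of this page and not code from Pacu: it evaluates a principal's identity-based policies, and optionally its permission boundary, against the escalation-sensitive actions from the scanner list above. It honours `*`/`?` wildcards, `NotAction`, resource scoping, the precedence of an explicit `Deny`, and the rule that a boundary can only restrict, never grant. The policy documents (`DEV_POLICY`, `DEV_BOUNDARY`) are constructed sample input.

```python
import fnmatch

# Escalation-sensitive actions taken from the Step 2 scanner list. A combo is
# reported only when every action in the tuple is effectively allowed.
ESCALATION_VECTORS = {
    "iam:CreatePolicyVersion": ("iam:CreatePolicyVersion",),
    "iam:SetDefaultPolicyVersion": ("iam:SetDefaultPolicyVersion",),
    "iam:AttachUserPolicy": ("iam:AttachUserPolicy",),
    "iam:PutUserPolicy": ("iam:PutUserPolicy",),
    "iam:PassRole + lambda:CreateFunction": ("iam:PassRole", "lambda:CreateFunction"),
    "iam:PassRole + ec2:RunInstances": ("iam:PassRole", "ec2:RunInstances"),
    "iam:CreateLoginProfile": ("iam:CreateLoginProfile",),
    "iam:CreateAccessKey": ("iam:CreateAccessKey",),
    "sts:AssumeRole": ("sts:AssumeRole",),
    "glue:CreateDevEndpoint + iam:PassRole": ("glue:CreateDevEndpoint", "iam:PassRole"),
}


def _as_list(value):
    """Statement, Action, NotAction and Resource may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action, resource="*"):
    """Decision for one action across identity-based policy documents:
    'Deny' (explicit), 'Allow' or 'ImplicitDeny'. An explicit Deny anywhere wins.
    resource='*' asks whether the action is allowed on at least one resource."""
    decision = "ImplicitDeny"
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            actions = _as_list(stmt.get("Action"))
            not_actions = _as_list(stmt.get("NotAction"))
            if actions:
                hit = any(_action_matches(p, action) for p in actions)
            elif not_actions:
                hit = not any(_action_matches(p, action) for p in not_actions)
            else:
                hit = False
            if not hit:
                continue
            resources = _as_list(stmt.get("Resource", "*"))
            # ARNs are case-sensitive, so no lowercasing here
            if resource != "*" and not any(fnmatch.fnmatchcase(resource, r) for r in resources):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def effective_decision(identity_policies, action, boundary=None, resource="*"):
    """A permission boundary grants nothing on its own: the action is effective
    only if the identity policies allow it AND the boundary (if set) allows it."""
    ident = evaluate(identity_policies, action, resource)
    if ident != "Allow":
        return ident
    if boundary is not None and evaluate([boundary], action, resource) != "Allow":
        return "BoundaryDeny"
    return "Allow"


def find_escalation_vectors(identity_policies, boundary=None):
    """Names of every vector whose actions are all effectively allowed."""
    return [name for name, actions in ESCALATION_VECTORS.items()
            if all(effective_decision(identity_policies, a, boundary) == "Allow"
                   for a in actions)]


# Constructed sample input: a developer policy resembling the scenario on this
# page, and a boundary a defender might attach to the same principal.
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:Get*", "s3:List*", "lambda:InvokeFunction", "ec2:Describe*"]},
        {"Effect": "Allow", "Action": "iam:CreatePolicyVersion",
         "Resource": "arn:aws:iam::123456789012:policy/dev-policy"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:AttachUserPolicy", "Resource": "*"},
    ],
}

DEV_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["s3:*", "lambda:*", "ec2:Describe*"]}],
}

if __name__ == "__main__":
    print("Without boundary:", find_escalation_vectors([DEV_POLICY]))
    print("With boundary:   ", find_escalation_vectors([DEV_POLICY], DEV_BOUNDARY))
```

Run it and the first line reports the two vectors present in the sample policy (`iam:CreatePolicyVersion` and `iam:PassRole + lambda:CreateFunction`); the second line is empty because the boundary never allows `iam:*`, which is exactly the check the Pitfalls note in the scenario below asks for before a finding is declared. The evaluator ignores `Condition` blocks and resource-based policies, so treat its output as a shortlist to confirm with `simulate-principal-policy`, not as a final verdict.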

Step 3: Map Privilege Escalation Graphs with PMapper

Use Principal Mapper to build a graph of all IAM principals and identify escalation edges.

```bash
# Collect IAM data for graph construction
pmapper graph create --account ACCOUNT_ID

# Query for paths to admin
pmapper query 'who can do iam:AttachUserPolicy with * on *'
pmapper query 'who can do sts:AssumeRole with arn:aws:iam::ACCOUNT:role/AdminRole'

# Find all principals that can escalate to admin
pmapper analysis

# Visualize the privilege escalation graph
pmapper visualize --filetype png

# Check specific escalation paths
pmapper query 'can arn:aws:iam::ACCOUNT:user/test-user do iam:CreatePolicyVersion with *'
pmapper query 'can arn:aws:iam::ACCOUNT:user/test-user do sts:AssumeRole with arn:aws:iam::ACCOUNT:role/*'
```

Step 4: Test Cross-Account Role Assumption

Evaluate cross-account trust policies for misconfigured role assumptions that allow unauthorized escalation.

```bash
# List all roles and their trust policies
aws iam list-roles --query 'Roles[*].[RoleName,Arn]' --output text | while read name arn; do
  trust=$(aws iam get-role --role-name "$name" --query 'Role.AssumeRolePolicyDocument' --output json 2>/dev/null)

  # Check for wildcards or broad trust ($name is expanded by the shell before python runs)
  echo "$trust" | python3 -c "
import json, sys
doc = json.load(sys.stdin)
stmts = doc.get('Statement', [])
for stmt in (stmts if isinstance(stmts, list) else [stmts]):   # Statement may be a single object
    principal = stmt.get('Principal', {})
    condition = stmt.get('Condition', {})
    if isinstance(principal, dict):
        aws_princ = principal.get('AWS', '')
    else:
        aws_princ = principal
    if '*' in str(aws_princ) or 'root' in str(aws_princ):
        has_external_id = 'sts:ExternalId' in str(condition)
        has_mfa = 'aws:MultiFactorAuthPresent' in str(condition)
        print('ROLE: $name')
        print(f'  Principal: {aws_princ}')
        print(f'  ExternalId required: {has_external_id}')
        print(f'  MFA required: {has_mfa}')
        if not has_external_id and not has_mfa:
            print('  WARNING: No ExternalId or MFA condition - confused deputy risk')
" 2>/dev/null
done

# Test role assumption
aws sts assume-role \
  --role-arn arn:aws:iam::TARGET_ACCOUNT:role/CrossAccountRole \
  --role-session-name privesc-test \
  --duration-seconds 900
```
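
The inline check above flags `*` and `root` principals but skips some shapes a real trust policy can take. The function below is an added example, not part of the original page: it analyses a batch of trust documents (for instance the output of `aws iam get-role` saved to disk), normalises `Principal` given as a string, a dict or a list, treats a bare account ID the same as the account's root ARN (AWS defines them as equivalent), and records which mitigating condition keys are present. `aws:PrincipalOrgID` is included as an additional mitigation beyond the two the page checks; that and the sample trust documents in `SAMPLE_ROLES` are assumptions constructed for the example.

```python
# Condition keys that narrow a broad principal. The page checks the first two;
# aws:PrincipalOrgID is an assumption added here.
MITIGATING_CONDITION_KEYS = {
    "sts:ExternalId": "external_id",
    "aws:MultiFactorAuthPresent": "mfa",
    "aws:PrincipalOrgID": "org_id",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Normalise Principal to a list of AWS principal strings. Service and
    Federated principals are not cross-account trusts and are ignored."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return [str(principal)]


def _condition_keys(condition):
    """Collect the condition keys under every operator block, e.g.
    {"StringEquals": {"sts:ExternalId": "..."}} -> {"sts:ExternalId"}."""
    keys = set()
    for operator_block in condition.values():
        if isinstance(operator_block, dict):
            keys.update(operator_block.keys())
    return keys


def is_broad(principal_str):
    """'*', an account root ARN, or a bare account ID all trust every
    principal in that account that is allowed to call sts:AssumeRole."""
    return (principal_str == "*"
            or principal_str.endswith(":root")
            or (principal_str.isdigit() and len(principal_str) == 12))


def analyze_trust_policy(role_name, doc):
    """One finding per Allow statement that trusts a broad principal."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        broad = [p for p in _aws_principals(stmt.get("Principal", {})) if is_broad(p)]
        if not broad:
            continue
        present = _condition_keys(stmt.get("Condition", {}))
        mitigations = sorted(v for k, v in MITIGATING_CONDITION_KEYS.items() if k in present)
        findings.append({
            "role": role_name,
            "principals": broad,
            "mitigations": mitigations,
            "confused_deputy_risk": not mitigations,
        })
    return findings


def analyze_all(roles):
    """roles: mapping of role name -> trust policy document."""
    findings = []
    for name, doc in roles.items():
        findings.extend(analyze_trust_policy(name, doc))
    return findings


def risky_roles(roles):
    """Sorted names of roles with at least one unmitigated broad trust."""
    return sorted({f["role"] for f in analyze_all(roles) if f["confused_deputy_risk"]})


# Constructed sample trust documents (not real account data).
SAMPLE_ROLES = {
    "CrossAccountRole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::987654321098:root"},
         "Action": "sts:AssumeRole"}]},
    "VendorRole": {"Version": "2012-10-17", "Statement":      # single-object Statement
        {"Effect": "Allow", "Principal": {"AWS": ["987654321098",
                                                  "arn:aws:iam::987654321098:role/Vendor"]},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}},
    "LambdaExecRole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
    "AnyoneRole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]},
}

if __name__ == "__main__":
    for f in analyze_all(SAMPLE_ROLES):
        print(f)
    print("Unmitigated:", risky_roles(SAMPLE_ROLES))
```

On the sample data `VendorRole` is reported but not flagged as a risk because its ExternalId condition is present, while `CrossAccountRole` and `AnyoneRole` are the two unmitigated trusts. A `Condition` does not make a `*` principal safe by itself; the point of the output is to tell a reviewer which roles to read closely.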

Step 5: Enumerate CloudFox Attack Paths

Use CloudFox to identify additional attack surfaces including resource-based policies and service-specific escalation paths.

```bash
# Run all CloudFox checks
cloudfox aws --profile target-account all-checks -o ./cloudfox-output/

# Specific privilege escalation checks
cloudfox aws --profile target-account permissions
cloudfox aws --profile target-account role-trusts
cloudfox aws --profile target-account access-keys
cloudfox aws --profile target-account env-vars    # Lambda environment variables with secrets
cloudfox aws --profile target-account instances   # EC2 with instance profiles
cloudfox aws --profile target-account endpoints   # Exposed services
```

Step 6: Document Findings and Remediation

Compile all discovered escalation paths with proof-of-concept steps and remediation recommendations.

```bash
# Generate a consolidated report
cat > privesc-report.md << 'EOF'
# AWS Privilege Escalation Assessment Report

## Tested Escalation Vectors

| Vector | Status | Starting Principal | Escalated To | Risk |
|--------|--------|--------------------|--------------|------|
| iam:CreatePolicyVersion | EXPLOITABLE | test-user | AdministratorAccess | Critical |
| iam:PassRole + lambda:CreateFunction | EXPLOITABLE | dev-role | LambdaAdminRole | Critical |
| sts:AssumeRole (cross-account) | EXPLOITABLE | test-user | ProdAdminRole | High |
| iam:AttachUserPolicy | BLOCKED | test-user | N/A | N/A |
| ec2:RunInstances + iam:PassRole | BLOCKED | test-user | N/A | N/A |

## Remediation

1. Apply permission boundaries to all IAM users and roles
2. Remove iam:CreatePolicyVersion from non-admin principals
3. Add sts:ExternalId condition to all cross-account role trust policies
4. Implement SCP guardrails preventing privilege escalation actions
EOF
```

Key Concepts

| Term | Definition |
|------|------------|
| IAM Privilege Escalation | Exploiting overly permissive IAM policies to gain higher-level access than originally granted to a principal |
| Permission Boundary | IAM policy that sets the maximum permissions a principal can have, regardless of identity-based policies attached to it |
| iam:PassRole | IAM action allowing a principal to pass an IAM role to an AWS service, enabling the service to act with that role's permissions |
| Confused Deputy | Attack where an attacker tricks a trusted service into performing actions on their behalf using cross-account role assumption without external ID validation |
| Service Control Policy | AWS Organizations policy that sets maximum permissions for member accounts, providing guardrails against privilege escalation |
| Principal Mapper | Open-source tool that models IAM principals and their escalation paths as a directed graph for analysis |

Tools & Systems

  • Pacu: AWS exploitation framework with 21+ privilege escalation modules for automated detection and exploitation
  • Principal Mapper: Graph-based IAM analysis tool that maps escalation paths between principals
  • CloudFox: AWS enumeration tool focused on identifying attack paths from an attacker's perspective
  • IAM Policy Simulator: AWS-native tool for testing effective permissions against specific API actions
  • AWS Access Analyzer: Service that identifies resource policies granting external access and validates IAM policy changes

Common Scenarios

Scenario: Developer Role with iam:CreatePolicyVersion Leads to Admin Access

Context: During an authorized assessment, a tester discovers that a developer role has the `iam:CreatePolicyVersion` permission, which allows creating a new version of any customer-managed policy with arbitrary permissions.

Approach:
  1. Enumerate policies attached to the developer role using `iam__enum_permissions` in Pacu
  2. Identify that the role can call `iam:CreatePolicyVersion` on its own attached policy
  3. Create a new policy version with `"Action": "*", "Resource": "*", "Effect": "Allow"`
  4. Set the new version as the default policy version
  5. Verify admin access by calling `iam:ListUsers`, `s3:ListBuckets`, etc.
  6. Document the escalation chain and recommend removing `iam:CreatePolicyVersion` and implementing permission boundaries

Pitfalls: AWS limits managed policies to 5 versions. If all 5 exist, you must delete a version before creating a new one. Always record the original default version to restore it during cleanup. Permission boundaries prevent this escalation if properly configured, so verify boundary policies before declaring a finding.
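
The prerequisites require CloudTrail logging so that every step of the engagement leaves an audit trail. The script below is an added example (not from this page, Pacu, PMapper or CloudFox) showing what the detection side of this scenario looks like: it scans CloudTrail records for the management events that correspond to the Step 2 escalation methods, attributes each one to the underlying principal (the role behind an assumed-role session, not the session ARN), keeps denied attempts because a failed `AttachUserPolicy` is still a signal, and rates `CreatePolicyVersion` with `setAsDefault` as critical, which is precisely the call made in step 3 and 4 of the scenario. The records in `SAMPLE_RECORDS` are constructed, and `ADMIN_PRINCIPALS` is an assumed allow-list of principals expected to administer IAM.

```python
import json

# CloudTrail (eventSource, eventName) pairs mapped to the Step 2 escalation
# methods. Lambda's CreateFunction is logged with an API-version suffix.
ESCALATION_EVENTS = {
    ("iam.amazonaws.com", "CreatePolicyVersion"): "iam:CreatePolicyVersion",
    ("iam.amazonaws.com", "SetDefaultPolicyVersion"): "iam:SetDefaultPolicyVersion",
    ("iam.amazonaws.com", "AttachUserPolicy"): "iam:AttachUserPolicy",
    ("iam.amazonaws.com", "AttachRolePolicy"): "iam:AttachRolePolicy",
    ("iam.amazonaws.com", "PutUserPolicy"): "iam:PutUserPolicy",
    ("iam.amazonaws.com", "PutRolePolicy"): "iam:PutRolePolicy",
    ("iam.amazonaws.com", "CreateLoginProfile"): "iam:CreateLoginProfile",
    ("iam.amazonaws.com", "UpdateLoginProfile"): "iam:UpdateLoginProfile",
    ("iam.amazonaws.com", "CreateAccessKey"): "iam:CreateAccessKey",
    ("lambda.amazonaws.com", "CreateFunction20150331"): "iam:PassRole + lambda:CreateFunction",
    ("ec2.amazonaws.com", "RunInstances"): "iam:PassRole + ec2:RunInstances",
    ("glue.amazonaws.com", "CreateDevEndpoint"): "glue:CreateDevEndpoint + iam:PassRole",
}

# For the PassRole combos: the request parameter carrying the passed role.
# A call without it is an ordinary create and is not reported.
PASSED_ROLE_PARAM = {
    "lambda.amazonaws.com": "role",
    "ec2.amazonaws.com": "iamInstanceProfile",
    "glue.amazonaws.com": "roleArn",
}

# Assumption: principals expected to administer IAM; replace with the
# account's real admin / break-glass role ARNs.
ADMIN_PRINCIPALS = {"arn:aws:iam::123456789012:role/IamAdminRole"}


def caller_arn(record):
    """Role sessions carry the underlying role in sessionContext.sessionIssuer."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")


def severity(vector, params):
    if vector == "iam:CreatePolicyVersion":
        return "CRITICAL" if params.get("setAsDefault") else "HIGH"
    if vector in ("iam:AttachUserPolicy", "iam:AttachRolePolicy"):
        admin = str(params.get("policyArn", "")).endswith("policy/AdministratorAccess")
        return "CRITICAL" if admin else "HIGH"
    if vector == "iam:SetDefaultPolicyVersion":
        return "CRITICAL"
    return "HIGH"


def detect(records):
    """One finding per escalation-related event by a non-admin caller."""
    findings = []
    for rec in records:
        key = (rec.get("eventSource"), rec.get("eventName"))
        vector = ESCALATION_EVENTS.get(key)
        if vector is None:
            continue
        params = rec.get("requestParameters") or {}
        role_param = PASSED_ROLE_PARAM.get(key[0])
        if role_param and not params.get(role_param):
            continue
        caller = caller_arn(rec)
        if caller in ADMIN_PRINCIPALS:
            continue
        passed = params.get(role_param) if role_param else None
        if isinstance(passed, dict):          # ec2 iamInstanceProfile is {"arn": ...} or {"name": ...}
            passed = passed.get("arn") or passed.get("name")
        target = passed or params.get("policyArn") or params.get("userName") or params.get("roleName")
        findings.append({
            "time": rec.get("eventTime"), "vector": vector, "caller": caller, "target": target,
            "status": "denied" if rec.get("errorCode") else "succeeded",
            "severity": severity(vector, params),
        })
    return findings


# Constructed sample events (shape follows CloudTrail, values are made up).
TEST_USER = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/test-user"}
SAMPLE_RECORDS = [
    {"eventTime": "2026-02-23T10:01:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": TEST_USER,
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/dev-policy", "setAsDefault": True}},
    {"eventTime": "2026-02-23T10:02:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "errorCode": "AccessDenied", "userIdentity": TEST_USER,
     "requestParameters": {"userName": "test-user", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2026-02-23T10:03:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/IamAdminRole/ops",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/IamAdminRole"}}},
     "requestParameters": {"userName": "svc-deploy"}},
    {"eventTime": "2026-02-23T10:04:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/dev-role/ci",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/dev-role"}}},
     "requestParameters": {"functionName": "privesc-test", "role": "arn:aws:iam::123456789012:role/LambdaAdminRole"}},
    {"eventTime": "2026-02-23T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": TEST_USER, "requestParameters": {"instanceType": "t3.micro"}},
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_RECORDS), indent=2))
```

On the sample data three findings come out: the critical `CreatePolicyVersion` with `setAsDefault`, the denied `AttachUserPolicy` of `AdministratorAccess`, and the Lambda creation that passed `LambdaAdminRole`. The admin role's `CreateAccessKey` and the `RunInstances` without an instance profile are filtered out. Fed the CloudTrail export from the engagement window, the output should line up one-to-one with the report from Step 6; any vector the tester exploited that produces no finding is a detection gap worth recording alongside the IAM fix.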

Output Format

```text
AWS Privilege Escalation Assessment Report
=============================================
Account: 123456789012 (Production)
Assessment Date: 2026-02-23
Starting Principal: arn:aws:iam::123456789012:user/test-user
Starting Permissions: S3 read-only, Lambda invoke, EC2 describe
Authorization: Signed by CISO, engagement #PT-2026-014

ESCALATION PATHS DISCOVERED: 4

[PRIVESC-001] iam:CreatePolicyVersion -> Admin
  Severity: CRITICAL
  Starting Permission: iam:CreatePolicyVersion on policy/dev-policy
  Escalation: Created policy version 6 with Action:* Resource:*
  Time to Exploit: < 2 minutes
  Remediation: Remove iam:CreatePolicyVersion, apply permission boundary

[PRIVESC-002] iam:PassRole + lambda:CreateFunction -> LambdaAdminRole
  Severity: CRITICAL
  Starting Permission: iam:PassRole, lambda:CreateFunction
  Escalation: Created Lambda function with AdminRole, invoked to get admin credentials
  Time to Exploit: < 5 minutes
  Remediation: Restrict iam:PassRole to specific role ARNs with condition key

[PRIVESC-003] sts:AssumeRole -> Cross-Account Admin
  Severity: HIGH
  Starting Permission: sts:AssumeRole on arn:aws:iam::987654321098:role/SharedRole
  Escalation: Role trust policy allows any principal in source account
  Remediation: Add sts:ExternalId condition and restrict Principal to specific roles

TOTAL ESCALATION PATHS: 4 (2 Critical, 1 High, 1 Medium)
PERMISSION BOUNDARIES IN PLACE: 0 / 47 IAM principals
SCP GUARDRAILS BLOCKING ESCALATION: 0 / 3 tested vectors
```