Back to Course

IAM Privilege Escalation Labs

0% Complete
0/0 Steps
  1. Introduction

    About this course
  2. Real-world case studies
  3. Useful IAM tips and security tools
  4. Introduction to AWS Enumeration
    [LAB] Getting Started with the AWS CLI
  5. [LAB] Introduction to AWS IAM Enumeration
  6. [Cheat Sheet] IAM Enumeration CLI Commands
  7. [LAB] Introduction to Secrets Manager Enumeration
  8. [Cheat Sheet] Secrets Manager Enumeration CLI Commands
  9. [LAB] Introduction to Amazon S3 Enumeration
  10. iam:CreateAccessKey
    [LAB] [CTF] iam:CreateAccessKey PrivEsc
  11. iam:CreateAccessKey Solution
  12. iam:CreateLoginProfile
    [LAB] [CTF] iam:CreateLoginProfile PrivEsc
  13. iam:CreateLoginProfile Solution
  14. iam:UpdateLoginProfile
    [LAB] [CTF] iam:UpdateLoginProfile PrivEsc
  15. iam:UpdateLoginProfile Solution
  16. iam:SetDefaultPolicyVersion
    [LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc
  17. iam:SetDefaultPolicyVersion Solution
  18. iam:AddUserToGroup
    [LAB] [CTF] iam:AddUserToGroup PrivEsc
  19. iam:AddUserToGroup Solution
  20. iam:AttachUserPolicy
    [LAB] [CTF] iam:AttachUserPolicy PrivEsc
  21. iam:AttachUserPolicy Solution
  22. iam:AttachGroupPolicy
    [LAB] [CTF] iam:AttachGroupPolicy PrivEsc
  23. iam:AttachGroupPolicy Solution
  24. iam:PutUserPolicy
    [LAB] [CTF] iam:PutUserPolicy PrivEsc
  25. iam:PutUserPolicy Solution
  26. iam:PutGroupPolicy
    [LAB] [CTF] iam:PutGroupPolicy PrivEsc
  27. iam:PutGroupPolicy Solution
  28. iam:AttachRolePolicy
    [LAB] [CTF] iam:AttachRolePolicy PrivEsc
  29. iam:AttachRolePolicy Solution
  30. iam:PutRolePolicy
    [LAB] [CTF] iam:PutRolePolicy PrivEsc
  31. iam:PutRolePolicy Solution
  32. Challenges
    About challenges
  33. Challenge #1 - Secrets Unleashed
  34. Challenge #2 - IAM Escape Room
  35. Conclusion
    What's next?
Lesson 34 of 35
In Progress

Challenge #2 – IAM Escape Room

Christophe December 5, 2023
🧪Hands-On Lab

Scenario 🧪

Difficulty: Intermediate

Objective: ⛳️ You’ve successfully completed this challenge once you’ve downloaded a PDF document containing F-15 Eagle development information.

Description: You work for a defense contractor organization named GuardianSys Defense that helps develop parts for fighter jets. The organization’s IT runs both on-prem and in the AWS cloud as part of an effort to modernize and increase innovation. Due to the nature of the projects your organization works on, individuals are supposed to have access to documents only on an as-needed basis.

You (Kevin) are an application developer with access to basic S3 documents needed by the application you help support. However, due to upper management pressure, the IT team was not able to follow best AWS security practices and is hosting all of its documents in the same account using Amazon S3.

Facing mounting personal financial pressure, and after having been passed up for a promotion that you were clearly the better fit for, you’ve decided to steal proprietary and secret documents in order to sell them to the highest bidder on the black market.

To do that, you have to find a way to access those secret documents that your IAM user doesn’t currently have access to.

Given the provided credentials, look for IAM Privilege Escalation paths that will give you permissions to a bucket on Amazon S3 hosting sensitive documents.

Disclaimer: Obviously, we do not condone this behavior in real life. This scenario is meant to showcase how insider threats can be even more dangerous to an organization than outsider threats, and why it’s so important to have proper access control to defend against all plausible threats.


Hint #1: Unlike the labs throughout this course that focused on a single exploit at a time, this challenge will require chaining two or more exploits together. All of the exploits and techniques that you need have been covered in this course — there isn’t anything new. For convenience, here’s a checklist of exploits we learned about that might be useful for this challenge (you only technically need 3 and some of these will not work):

  • CreateAcessKey
  • CreateLoginProfile
  • SetDefaultPolicyVersion
  • AttachUserPolicy
  • AttachGroupPolicy
  • PutUserPolicy
  • PutGroupPolicy

Hint #2: Remember to start with enumeration. You need to get a lay of the land to understand what’s going on in that specific AWS environment and what you have access to.

As you enumerate, ask questions like:

  • Am I part of a group? If so, what permissions does that group give me? (Remember that groups can have both inline and attached policies which are retrieved with different commands)
  • Do I have any inline policies that give me additional permissions?
  • Is there a boundary policy applied to the user? Even if you can’t see that policy, it could explain why you don’t have access that you think you should have
  • Are there other groups in this AWS account? Do those groups have different permissions?
  • Can I change my permissions with something like SetDefaultPolicyVersion, AddUserToGroup, PutUserPolicy, etc…?
  • And/or, does my user have access to create access keys or create login profiles for other users of interest?

Hint #3: Escaping a locked room typically requires finding or creating a key 🙂


Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  1. This course not only taught me how to think like an attacker, but also how easy it is to escalate privileges if excessive IAM permissions are present in the cloud. I honestly loved it and recommend it 100%!

  2. Hey @Christophe Limpalair 👋,

    I just wanted to say that Challenge 2 was absolutely fantastic! 🎉 It’s evident that a lot of thought and effort went into crafting it. I really appreciated how it encompassed various learning strategies and commands. One of the standout features for me was how comprehensively it tackled IAM enumeration recon. 👏

    A quick tip for fellow students: It’s super beneficial to create your own notes on AWS CLI commands. Not only will it assist you in cracking Challenge 1, but it’s especially handy for navigating through Challenge 2. 📝

    Keep up the great work! Looking forward to more challenges ahead! 🚀