Back to Course

IAM Privilege Escalation Labs

0% Complete
0/0 Steps
  1. Introduction

    About this course
  2. Real-world case studies
  3. Useful IAM tips and security tools
  4. Introduction to AWS Enumeration
    [LAB] Getting Started with the AWS CLI
  5. [LAB] Introduction to AWS IAM Enumeration
  6. [Cheat Sheet] IAM Enumeration CLI Commands
  7. [LAB] Introduction to Secrets Manager Enumeration
  8. [Cheat Sheet] Secrets Manager Enumeration CLI Commands
  9. [LAB] Introduction to Amazon S3 Enumeration
  10. iam:CreateAccessKey
    [LAB] [CTF] iam:CreateAccessKey PrivEsc
  11. iam:CreateAccessKey Solution
  12. iam:CreateLoginProfile
    [LAB] [CTF] iam:CreateLoginProfile PrivEsc
  13. iam:CreateLoginProfile Solution
  14. iam:UpdateLoginProfile
    [LAB] [CTF] iam:UpdateLoginProfile PrivEsc
  15. iam:UpdateLoginProfile Solution
  16. iam:SetDefaultPolicyVersion
    [LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc
  17. iam:SetDefaultPolicyVersion Solution
  18. iam:AddUserToGroup
    [LAB] [CTF] iam:AddUserToGroup PrivEsc
  19. iam:AddUserToGroup Solution
  20. iam:AttachUserPolicy
    [LAB] [CTF] iam:AttachUserPolicy PrivEsc
  21. iam:AttachUserPolicy Solution
  22. iam:AttachGroupPolicy
    [LAB] [CTF] iam:AttachGroupPolicy PrivEsc
  23. iam:AttachGroupPolicy Solution
  24. iam:PutUserPolicy
    [LAB] [CTF] iam:PutUserPolicy PrivEsc
  25. iam:PutUserPolicy Solution
  26. iam:PutGroupPolicy
    [LAB] [CTF] iam:PutGroupPolicy PrivEsc
  27. iam:PutGroupPolicy Solution
  28. iam:AttachRolePolicy
    [LAB] [CTF] iam:AttachRolePolicy PrivEsc
  29. iam:AttachRolePolicy Solution
  30. iam:PutRolePolicy
    [LAB] [CTF] iam:PutRolePolicy PrivEsc
  31. iam:PutRolePolicy Solution
  32. Challenges
    About challenges
  33. Challenge #1 - Secrets Unleashed
  34. Challenge #2 - IAM Escape Room
  35. Conclusion
    What's next?
Lesson 20 of 35
In Progress

[LAB] [CTF] iam:AttachUserPolicy PrivEsc

Christophe December 16, 2023
🧪Hands-On Lab

Scenario 🧪

AWS provides managed policies that anyone with an AWS account can assign and use as long as they have iam:AttachUserPolicy permissions. There are over a thousand of these managed policies that vary from providing read-only access to full administrative access.

This lab has been misconfigured, so exploit it with iam:AttachUserPolicy to grant yourself Secrets Manager permissions.

You’ve successfully completed this lab once you’ve accessed the value of that secret in plaintext!

Tips 🕵️‍♂️

Tip #1: As labs start to get a bit more challenging, they will likely take you more than 40 minutes. Having to start over with a fresh new lab will encourage you to take good notes along the way. You could even potentially create terminal aliases or simple scripts to make things go faster. Use the time limit restriction as a learning opportunity and don’t let it get in the way of you solving the labs! This will prepare you for the final Challenges.

Tip #2: AWS documentation provides a full list of managed policies. While there are over 1,000 policies, there aren’t many specifically related to this lab’s scenario, so don’t get overwhelmed and use that knowledge to help narrow it down 🙂


  • Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
  • Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
  • Leverage your iam:AttachUserPolicy permissions to gain access to Secrets Manager
  • Access Secrets Manager and retrieve the secret value


Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.