IAM inline policy does not allow privilege escalation

iam_inline_policy_allows_privilege_escalation

Severity: high
Service: iam
by Prowler

IAM inline policies are evaluated for permission combinations that enable privilege escalation, such as sts:AssumeRole, iam:PassRole, attaching/editing policies, or broad wildcards. The result highlights inline policies that allow a principal to obtain higher effective access.

Risk

Excessive inline policy permissions let identities escalate to admin, compromising CIA:

  • Confidentiality: read secrets and data
  • Integrity: alter policies, code, and configs
  • Availability: delete or stop resources, disable logging

Attackers can persist by creating keys/users or assuming powerful roles.

Run this check with Prowler CLI

prowler aws --checks iam_inline_policy_allows_privilege_escalation

Recommendation

Apply least privilege and remove escalation paths:

  • Avoid wildcards and sensitive actions like sts:AssumeRole, iam:PassRole, or policy modification without tight scope
  • Restrict by resource and Condition
  • Prefer managed, versioned policies; use permissions boundaries/SCPs
  • Require reviews and MFA for admins
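The following is an added example, not Prowler's own check code. It is a simplified scanner for the permission patterns the description above names (sts:AssumeRole, iam:PassRole, policy attach/edit actions, broad wildcards) and it shows the difference the recommendation makes: the same deployment intent expressed once with wildcard resources and once with a named role plus a Condition. The action list, the two sample policies, the account id and the role and function names are all constructed for the example; Deny statements, permissions boundaries and SCPs, which real AWS evaluation also applies, are not modelled.

```python
"""Simplified privilege-escalation scan for an IAM inline policy document.

Added example, not Prowler's check implementation. It reports each
escalation-capable action an Allow statement grants and whether that grant is
scoped to a wildcard resource.
"""
import fnmatch
import json

# Illustrative subset of escalation-enabling actions (assumed list, drawn from
# the actions named on this page; the real check evaluates a larger catalogue).
ESCALATION_ACTIONS = (
    "sts:AssumeRole",
    "iam:PassRole",
    "iam:CreatePolicyVersion",
    "iam:AttachUserPolicy",
    "iam:AttachRolePolicy",
    "iam:AttachGroupPolicy",
    "iam:PutUserPolicy",
    "iam:PutRolePolicy",
    "iam:PutGroupPolicy",
    "iam:UpdateAssumeRolePolicy",
    "iam:CreateAccessKey",
)


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_escalation_paths(policy):
    """Return one finding per (Allow statement, escalation action) pair."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        if "NotAction" in stmt:
            patterns = ["*"]  # NotAction allows everything not listed: treat as wildcard
        else:
            patterns = _as_list(stmt.get("Action"))
        # A missing Resource means NotResource is in use, which is also broad.
        resources = _as_list(stmt.get("Resource", "*"))
        broad_resource = any("*" in r for r in resources)
        has_condition = bool(stmt.get("Condition"))
        for action in ESCALATION_ACTIONS:
            granted_by = [p for p in patterns if _action_matches(p, action)]
            if granted_by:
                findings.append({
                    "statement": stmt.get("Sid", f"Statement[{index}]"),
                    "action": action,
                    "granted_by": granted_by,
                    "broad_resource": broad_resource,
                    "has_condition": has_condition,
                })
    return findings


def allows_privilege_escalation(policy):
    """Simplified verdict: an escalation action allowed on a wildcard resource."""
    return any(f["broad_resource"] for f in find_escalation_paths(policy))


# Constructed sample: a deployer's inline policy that passes any role and can
# rewrite managed policies.
RISKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Deploy", "Effect": "Allow",
         "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
        {"Sid": "Policies", "Effect": "Allow",
         "Action": "iam:*PolicyVersion", "Resource": "*"},
    ],
}

# Constructed sample: the same intent with least privilege applied, as the
# Recommendation describes: one named role, and a Condition pinning the
# service it may be passed to.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Deploy", "Effect": "Allow",
         "Action": ["lambda:GetFunction", "lambda:UpdateFunctionCode"],
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:billing-*"},
        {"Sid": "PassBillingRole", "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/billing-lambda-exec",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("risky", RISKY_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "escalation:", allows_privilege_escalation(doc))
        for f in find_escalation_paths(doc):
            print("  ", f)
```

The scoped policy still contains iam:PassRole, so the scanner reports it as a finding for review, but the verdict is clean because the resource is a single role ARN rather than a wildcard. That mirrors the recommendation: keep the sensitive action only where a named resource and a Condition bound what it can reach.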

Remediation

  1. In the AWS Console, go to IAM > Users/Roles/Groups and select the entity with the failing inline policy
  2. In the Permissions tab, under Inline policies, choose the flagged policy and click Edit
  3. Remove privilege-escalation actions (e.g., iam:CreatePolicyVersion, iam:AttachUserPolicy, iam:PassRole, sts:AssumeRole, iam:UpdateAssumeRolePolicy)
  4. Keep only the minimum required, non-escalating permissions (for example, read-only actions)
  5. Save changes

Resource Type

AwsIamPolicy
