Customer managed IAM policy does not allow actions that can lead to privilege escalation

iam_policy_allows_privilege_escalation

Severity: high
Service: iam
by Prowler

Customer-managed IAM policies are evaluated for permissions that enable privilege escalation, including creating or updating policies, altering role trust, attaching higher-privilege policies, or using iam:PassRole to obtain broader access.

Risk

Privilege-escalation permissions let principals assume higher-privilege roles or attach admin policies, impacting:

  • Confidentiality via unauthorized data access/exfiltration
  • Integrity by modifying policies, configs, or logs
  • Availability through resource deletion or disabling controls

Run this check with Prowler CLI

prowler aws --checks iam_policy_allows_privilege_escalation

Recommendation

Apply least privilege to customer policies:

  • Avoid wildcards in Action and Resource
  • Remove or tightly scope iam:PassRole, policy attach/update, and trust-policy changes
  • Use conditions like iam:PassedToService and tags to constrain use
  • Enforce permissions boundaries and SCPs
  • Separate duties with change review
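As an added illustration of the evaluation described above and of the least-privilege recommendations (example code written for this page, not Prowler's own check), the following Python flags the escalation actions an IAM policy document allows and shows a constructed policy before and after an explicit Deny. The action list, the sample policies and the function names are assumptions of this example; Prowler's real check uses its own, broader catalogue.

```python
import fnmatch
import json

# Actions the page names as enabling privilege escalation; a constructed subset for this
# example, not Prowler's own (broader) catalogue of escalation action combinations.
ESCALATION_ACTIONS = frozenset({
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "iam:PassRole", "sts:AssumeRole"})

def _as_list(value):
    """IAM accepts a string or a list for Action/NotAction/Resource; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _matches(action, patterns):
    """IAM action names are case-insensitive and patterns may use '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def escalation_actions_allowed(policy_document):
    """Sorted 'action -> resource' pairs granted for escalation actions. Allow grants what
    matches Action (or all NOT matching NotAction); a Deny on Resource "*" removes it again.
    Conditions are ignored on purpose: a conditioned Allow is still reported for review."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    allowed, denied = {}, set()
    for stmt in _as_list(doc.get("Statement")):
        if "NotAction" in stmt:
            hits = {a for a in ESCALATION_ACTIONS if not _matches(a, _as_list(stmt["NotAction"]))}
        else:
            hits = {a for a in ESCALATION_ACTIONS if _matches(a, _as_list(stmt.get("Action")))}
        resources = _as_list(stmt.get("Resource")) or ["*"]  # NotResource: treat as unscoped
        if stmt.get("Effect") == "Allow":
            for a in hits:
                allowed.setdefault(a, set()).update(resources)
        elif stmt.get("Effect") == "Deny" and "*" in resources:
            denied.update(hits)
    return sorted(f"{a} -> {r}" for a, res in allowed.items() if a not in denied for r in res)

def check_policy(policy_document):
    """Mirror the check's verdict: FAIL when any escalation action remains allowed."""
    return "FAIL" if escalation_actions_allowed(policy_document) else "PASS"

# Constructed sample: lets a principal pass any role and publish any policy version (FAIL).
SAMPLE_FAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:CreatePolicyVersion"], "Resource": "*"}]}
# Same policy after remediation: an explicit Deny removes the escalation actions (PASS).
SAMPLE_PASS = {"Version": "2012-10-17", "Statement": SAMPLE_FAIL["Statement"] + [
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(check_policy(SAMPLE_FAIL), escalation_actions_allowed(SAMPLE_FAIL))
    print(check_policy(SAMPLE_PASS))
```

A Deny scoped to a single role ARN does not clear a wildcard Allow, and an `Allow` written with `NotAction` grants every escalation action it does not list; both cases are reported so they are not missed in review.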

Remediation

CLI

aws iam create-policy-version --policy-arn <example_resource_id> --set-as-default --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"<privilege-escalation-action>","Resource":"<resource-arn>"}]}'

The new version is a complete replacement of the policy document, so carry over the Allow statements the policy still needs alongside the Deny, and replace the placeholders with the escalation actions and resources to block.

Other
  1. In the AWS Console, go to IAM > Policies
  2. Open the customer managed policy showing FAIL
  3. Click Edit policy > JSON
  4. Remove any Allow statements that enable privilege-escalation actions (for example broad wildcards like "iam:*" or actions such as creating/updating/attaching policies, PassRole, or AssumeRole on wildcards)
  5. Save changes so the policy no longer allows those actions
  6. Re-run the check to confirm it passes

Resource Type

AwsIamPolicy