C-AWS-IAM-ADDUSER-POLICYPrivilege Escalation

AWS iam:AttachUserPolicy → AdminAccess

AttachUserPolicy on self with AdministratorAccess — instant root if the principal has the permission.

§ Where this technique fits

C-AWS-IAM-ADDUSER-POLICY is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 8 on average.

§ Dossiers chaining this technique

SSRF → IMDS → AssumeRole chain → Org admin
A web SSRF leaks the EC2 instance role; iam:PassRole + sts:AssumeRole hops across two member accounts land you with AdministratorAccess in the organisation's management account.
step 8 / 9

§ What commonly comes next

01
AWS IAM Backdoor User / Access Key
C-AWS-IAM-BACKDOOR · Persistence
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

SSRF → IMDS → AssumeRole chain → Org admin

§ What commonly comes next