Profile Applicability:
Level 1


Description:
This control ensures that customer-managed IAM policies do not include permissions that can lead to privilege escalation. Privilege escalation occurs when a user or role gains more access rights than originally intended, typically by exploiting overly permissive IAM policies. Reviewing and restricting such permissions prevents unauthorized elevation of privileges, protecting critical AWS resources from misuse or compromise.


Rationale:
Overly permissive IAM policies pose a significant security risk, as they may allow users to attach high-privilege roles, modify their own permissions, or create new policies granting administrator-level access. Detecting and mitigating these policies is crucial to maintaining the principle of least privilege. Preventing privilege escalation aligns with security frameworks such as CIS, ISO 27001, SOC 2, and NIST 800-53, ensuring that no IAM entity can gain unauthorized access or control over AWS resources.


Impact:
Positive Impact: Reduces the attack surface by ensuring that no IAM users or roles can escalate privileges beyond their intended scope, strengthening overall account security.
Negative Impact: Over-restricting policies may temporarily hinder legitimate administrative tasks if not properly reviewed before modification.


Default Value:
AWS does not automatically prevent privilege escalation in custom IAM policies. Administrators must review and restrict these permissions manually.


Pre-Requisite:

  • IAM permissions required: iam:ListPolicies, iam:GetPolicyVersion, iam:GetPolicy, iam:ListEntitiesForPolicy.

  • A defined list of sensitive IAM and AWS actions that can result in privilege escalation (e.g., iam:AttachUserPolicy, iam:CreatePolicyVersion, iam:PassRole).

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console with administrative privileges.

  2. Navigate to IAM → Policies → Customer managed policies.

  3. Review each policy and inspect the policy JSON document for the following high-risk actions:

    • iam:AttachUserPolicy, iam:AttachRolePolicy, iam:AttachGroupPolicy

    • iam:PutUserPolicy, iam:PutRolePolicy, iam:PutGroupPolicy

    • iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion

    • iam:PassRole combined with ec2:RunInstances or lambda:CreateFunction

  4. If a policy includes any of these permissions without proper conditions or constraints, it is considered non-compliant.
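As an added example (not part of the control text), the following Python check automates steps 3 and 4 of the test plan against a single policy document, such as the Document field returned by iam:GetPolicyVersion. The sample documents are constructed, and any statement that carries a Condition is treated as constrained and left to manual review.

```python
import fnmatch

# High-risk actions from the test plan: escalation on their own when allowed unconditionally.
DIRECT_ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
}
# iam:PassRole is flagged only when the same policy also allows one of these.
PASSROLE_PARTNERS = {"ec2:RunInstances", "lambda:CreateFunction"}


def _as_list(value):
    # IAM accepts "Action": "iam:PassRole" as well as "Action": ["iam:PassRole", ...].
    return value if isinstance(value, list) else [value]


def _pattern_covers(pattern, action):
    # Action patterns are case-insensitive and use '*' as a wildcard ("iam:*", "*").
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_escalation_risks(policy_document):
    """Return sorted findings for one policy document (the dict in the Document field of
    iam:GetPolicyVersion output). Only unconditioned Allow statements count, per step 4."""
    allowed, findings = set(), set()
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
            findings.add("NotAction Allow statement: review manually")
            continue
        patterns = _as_list(stmt.get("Action", []))
        for action in DIRECT_ESCALATION_ACTIONS | PASSROLE_PARTNERS | {"iam:PassRole"}:
            if any(_pattern_covers(p, action) for p in patterns):
                allowed.add(action)
    findings.update(allowed & DIRECT_ESCALATION_ACTIONS)
    if "iam:PassRole" in allowed:
        findings.update(f"iam:PassRole with {p}" for p in allowed & PASSROLE_PARTNERS)
    return sorted(findings)


# Constructed sample documents (not taken from any real account).
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
PASSROLE_LAMBDA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction"], "Resource": "*"}]}
CONDITIONED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}
```

Feed each customer-managed policy's default version document from iam:ListPolicies and iam:GetPolicyVersion into find_escalation_risks; an empty result means the policy passes this check.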

Implementation Plan:
Using AWS Console:

  1. Navigate to IAM → Policies → Customer managed policies.

  2. Select the non-compliant policy and click Edit policy.

  3. Remove or restrict permissions related to privilege escalation.

  4. Where applicable, replace broad permissions (e.g., iam:*) with specific allowed actions.

  5. Apply policy conditions such as "StringEquals" or "ArnLike" to limit role or resource scope.

  6. Reattach the updated policy to users, roles, or groups.

  7. Implement continuous monitoring via AWS Config or AWS IAM Access Analyzer to detect future privilege escalation risks.

Backout Plan:

  1. If legitimate operations are impacted, temporarily reapply the previous version of the policy while reviewing and creating a controlled, compliant version.

  2. Use AWS CloudTrail logs to audit activity related to IAM changes and ensure no misuse occurred during modifications.

References: