AWS_ATTACHED_POLICY

Summary

FSProtect ACL Alias: AWS_ATTACHED_POLICY

Edge Type: Relationship

Affected Object Types: IAM Users, IAM Groups, IAM Roles, Customer Managed Policies, AWS Managed Policies

Exploitation Certainty: Certain

AWS IAM Action / Condition: Relationship visibility via iam:ListAttachedUserPolicies, iam:ListAttachedGroupPolicies, iam:ListAttachedRolePolicies

Description

AWS_ATTACHED_POLICY represents that a managed IAM policy (AWS managed or customer managed) is attached to an IAM user, group, or role.

This edge is a relationship, not an action by itself. Its security impact is whatever the attached policy's default version grants or denies. It is essential for graphing effective permissions and attack paths because managed-policy attachment is a primary inheritance mechanism in IAM: a policy attached to a group applies to every member of that group, and a policy attached to a role applies to every session that assumes the role.

Identification

AWS CLI

List policies attached to a user:

aws iam list-attached-user-policies --user-name TargetUser

List policies attached to a group:

aws iam list-attached-group-policies --group-name TargetGroup

List policies attached to a role:

aws iam list-attached-role-policies --role-name TargetRole

AWS Console

  • Open IAM.

  • For Users, Groups, or Roles, open the target identity.

  • Open the Permissions tab and review the attached managed policies (type AWS managed or Customer managed). Inline policies appear in the same list but are a different relationship and are not represented by this edge.
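The CLI calls above return one principal at a time. The script below is an added example, not part of the original page or of FSProtect: it builds AWS_ATTACHED_POLICY edges from the JSON shape returned by `aws iam get-account-authorization-details` (which lists users, groups and roles with their AttachedManagedPolicies in one call) and resolves the managed policies a user inherits through group membership. The embedded input is constructed sample data; the account ID, principal names, DeployPolicy and the list of "privileged" policy ARNs are assumptions for illustration.

```python
"""Build AWS_ATTACHED_POLICY edges from `aws iam get-account-authorization-details`
output and resolve the managed policies a user inherits through groups.
SAMPLE is constructed data in the shape that command returns (not real output)."""
import json

# Constructed sample; account ID, names and policies are assumed, not real.
SAMPLE = json.dumps({
    "UserDetailList": [
        {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice",
         "GroupList": ["developers"],
         "AttachedManagedPolicies": [
             {"PolicyName": "ReadOnlyAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
        {"UserName": "bob", "Arn": "arn:aws:iam::123456789012:user/bob",
         "GroupList": [], "AttachedManagedPolicies": []},
    ],
    "GroupDetailList": [
        {"GroupName": "developers",
         "Arn": "arn:aws:iam::123456789012:group/developers",
         "AttachedManagedPolicies": [
             {"PolicyName": "AdministratorAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
    ],
    "RoleDetailList": [
        {"RoleName": "deploy", "Arn": "arn:aws:iam::123456789012:role/deploy",
         "AttachedManagedPolicies": [
             {"PolicyName": "DeployPolicy",
              "PolicyArn": "arn:aws:iam::123456789012:policy/DeployPolicy"}]},
    ],
})

# Managed policies whose attachment is itself a review target (assumed list).
PRIVILEGED_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}


def attached_policy_edges(details_json):
    """Return (principal_arn, policy_arn) tuples, one per AWS_ATTACHED_POLICY edge."""
    d = json.loads(details_json)
    edges = []
    for key in ("UserDetailList", "GroupDetailList", "RoleDetailList"):
        for principal in d.get(key, []):
            for p in principal.get("AttachedManagedPolicies", []):
                edges.append((principal["Arn"], p["PolicyArn"]))
    return edges


def effective_managed_policies(details_json, user_name):
    """Managed policies that apply to a user: those attached directly plus
    those attached to every group the user belongs to (group inheritance)."""
    d = json.loads(details_json)
    groups = {g["GroupName"]: g for g in d.get("GroupDetailList", [])}
    for u in d.get("UserDetailList", []):
        if u["UserName"] != user_name:
            continue
        policies = {p["PolicyArn"] for p in u.get("AttachedManagedPolicies", [])}
        for gname in u.get("GroupList", []):
            for p in groups.get(gname, {}).get("AttachedManagedPolicies", []):
                policies.add(p["PolicyArn"])
        return sorted(policies)
    raise KeyError(f"no such user: {user_name}")


def privileged_attachments(details_json):
    """Edges whose target policy is in PRIVILEGED_POLICIES."""
    return [(src, pol) for src, pol in attached_policy_edges(details_json)
            if pol in PRIVILEGED_POLICIES]


if __name__ == "__main__":
    for src, pol in attached_policy_edges(SAMPLE):
        print(f"{src} -AWS_ATTACHED_POLICY-> {pol}")
    print("alice effective:", effective_managed_policies(SAMPLE, "alice"))
    print("privileged:", privileged_attachments(SAMPLE))
```

In the sample, alice has only ReadOnlyAccess attached directly but inherits AdministratorAccess through the developers group, which is exactly the case a per-user `list-attached-user-policies` call misses. The script covers managed policies only; inline policies (UserPolicyList, GroupPolicyList, RolePolicyList in the same output) are a separate relationship.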

Exploitation

There is no direct exploit step for this edge. AWS_ATTACHED_POLICY records a permission relationship that already exists.

Abuse potential depends on what the attached policy grants and on whether the attacker can alter the relationship or its meaning: iam:AttachUserPolicy, iam:AttachGroupPolicy, and iam:AttachRolePolicy create new edges, while iam:CreatePolicyVersion and iam:SetDefaultPolicyVersion on a customer managed policy change what every existing edge to that policy grants without touching any attachment. AWS managed policies cannot be edited by customers, so their edges only change meaning when AWS updates the policy.

Mitigation

  • Minimize use of broad managed policies (for example full-admin policies).

  • Use least privilege managed policies and periodic access reviews.

  • Remove unnecessary policy attachments from users, groups, and roles.

  • Prefer role-based access patterns over direct user policy attachment.

Detection

Monitor attachment changes in CloudTrail:

  • AttachUserPolicy, DetachUserPolicy

  • AttachGroupPolicy, DetachGroupPolicy

  • AttachRolePolicy, DetachRolePolicy

These events are high-value signals when the policy involved is privileged. Note that CreatePolicyVersion (with setAsDefault) and SetDefaultPolicyVersion change what an existing attachment grants without producing any Attach or Detach event, so monitor them alongside the attachment events.
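The following triage routine is an added example, not code from the original page or from FSProtect. It runs over CloudTrail records in their standard shape (eventSource, eventName, userIdentity.arn, requestParameters), flags Attach* events whose policyArn is in an assumed privileged list, records Detach* events for context, and also flags CreatePolicyVersion with setAsDefault and SetDefaultPolicyVersion because those change what an existing edge grants. The events, account ID, principal names and the privileged-policy list are constructed assumptions.

```python
"""Triage CloudTrail IAM events that create, remove, or change the meaning of
AWS_ATTACHED_POLICY edges. SAMPLE_EVENTS are constructed records in CloudTrail's
shape; ARNs and names are assumed, not real."""

# Assumed list of policies whose attachment warrants a high-severity finding.
PRIVILEGED_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}

# Attach*/Detach* events carry policyArn plus userName, groupName, or roleName.
ATTACH_EVENTS = {"AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy"}
DETACH_EVENTS = {"DetachUserPolicy", "DetachGroupPolicy", "DetachRolePolicy"}
# These touch no attachment but change what existing edges to the policy grant.
VERSION_EVENTS = {"CreatePolicyVersion", "SetDefaultPolicyVersion"}

SAMPLE_EVENTS = [  # constructed records
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci"},
     "requestParameters": {"roleName": "deploy",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/DeployPolicy",
                           "setAsDefault": True,
                           "policyDocument": '{"Version":"2012-10-17","Statement":[]}'}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/DeployPolicy",
                           "setAsDefault": False,
                           "policyDocument": '{"Version":"2012-10-17","Statement":[]}'}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DetachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/IAMFullAccess"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example", "key": "x"}},
]


def principal_of(params):
    """Return ('user'|'group'|'role', name) from an Attach*/Detach* request."""
    for key in ("userName", "groupName", "roleName"):
        if key in params:
            return key[:-4], params[key]
    return "unknown", "?"


def triage(events):
    """Return findings as (severity, eventName, actor_arn, target, policyArn)."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        actor = ev.get("userIdentity", {}).get("arn", "?")
        pol = params.get("policyArn", "")
        if name in ATTACH_EVENTS:
            kind, target = principal_of(params)
            sev = "high" if pol in PRIVILEGED_POLICIES else "info"
            findings.append((sev, name, actor, f"{kind}/{target}", pol))
        elif name in DETACH_EVENTS:
            # Detaching is not escalation, but removal of a privileged policy
            # is worth a record (cleanup, lockout, or evasion).
            kind, target = principal_of(params)
            findings.append(("info", name, actor, f"{kind}/{target}", pol))
        elif name in VERSION_EVENTS:
            # Only a new *default* version changes effective permissions.
            if name == "SetDefaultPolicyVersion" or params.get("setAsDefault"):
                findings.append(("high", name, actor, "policy", pol))
    return findings


def high_findings(events):
    return [f for f in triage(events) if f[0] == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Two of the sample records are rated high: mallory attaching AdministratorAccess to alice, and mallory publishing a new default version of DeployPolicy, which silently changes what the deploy role's existing AWS_ATTACHED_POLICY edge grants. The non-default CreatePolicyVersion and the non-IAM event produce no finding.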
