AWS_CAN_CREATE_LOGIN_PROFILE
Summary
FSProtect ACL Alias: AWS_CAN_CREATE_LOGIN_PROFILE
Edge Type: Attack Path
Affected Object Types: IAM Users
Exploitation Certainty: Certain
AWS IAM Action / Condition: iam:CreateLoginProfile on the target IAM user (related risk: iam:UpdateLoginProfile)
Description
AWS_CAN_CREATE_LOGIN_PROFILE represents the ability to set an IAM console password for another user account via iam:CreateLoginProfile.
This is a persistence and lateral-movement path, and a privilege escalation path whenever the target user holds permissions the attacker does not, because an attacker can:
Enable console access for a user that was meant to be API-only (access keys but no password).
Set a password they know and immediately sign in to the AWS Management Console as that user.
Expand the attack surface by moving from API-only workflows to interactive console actions under the target's identity.
Two caveats limit the edge: the chosen password must satisfy the account password policy (otherwise CreateLoginProfile fails with PasswordPolicyViolation), and if the target user has an MFA device enabled, console sign-in still prompts for the MFA code, so the attacker also needs a way to remove or replace that device.
Related note: iam:UpdateLoginProfile is equally high risk because it resets the password of a user who already has a login profile, which is exactly the case in which CreateLoginProfile fails with EntityAlreadyExists.
Identification
AWS CLI
Check whether the principal can create or reset login profiles for the target user. The IAM policy simulator gives the authoritative answer (aws iam simulate-principal-policy with the principal's ARN as the policy source, iam:CreateLoginProfile and iam:UpdateLoginProfile as the action names and the target user's ARN as the resource), because it also applies permissions boundaries and SCPs that a manual read of the attached policies will miss.
Check whether the target user already has a login profile (aws iam get-login-profile --user-name <user>):
If the call fails with NoSuchEntity, no console password currently exists and CreateLoginProfile will succeed; if it returns a profile, CreateLoginProfile fails with EntityAlreadyExists and only UpdateLoginProfile can change the password.
AWS Console
Open IAM -> Users -> select target user.
Open Security credentials.
Check Console sign-in status.
Review who is delegated IAM user credential management permissions.
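When the policy simulator is not available (offline review of exported policies, or a large set of principals to triage), the identity policies themselves can be read for this edge. The script below is an added example for this page, not FSProtect code: it takes the identity-based policy documents attached to a principal (the JSON that get-user-policy or get-policy-version returns) and reports, for a target user ARN, whether iam:CreateLoginProfile and iam:UpdateLoginProfile are allowed. It models explicit Deny over Allow, Action/NotAction and Resource/NotResource with IAM's wildcards, and case-insensitive action names; statements with a Condition are reported as "conditional" instead of being evaluated, because there is no request context. Permissions boundaries, SCPs, session policies and resource policies are deliberately out of scope. The policy documents and ARNs in the block are constructed for illustration.

```python
"""Offline read of identity policies for the AWS_CAN_CREATE_LOGIN_PROFILE edge.

Added example (not FSProtect code). Evaluates only the identity-based policy
documents it is given; boundaries, SCPs, session and resource policies are not
modelled. For the authoritative answer use `aws iam simulate-principal-policy`.
"""
import re
from typing import Dict, List

EDGE_ACTIONS = ("iam:CreateLoginProfile", "iam:UpdateLoginProfile")


def _as_list(value) -> list:
    # IAM allows a string or a list for Action/Resource/Statement.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _action_match(pattern: str, action: str) -> bool:
    # Action names are matched case-insensitively; resource ARNs are not.
    return _wildcard_match(pattern.lower(), action.lower())


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    actions, not_actions = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
    if actions:
        if not any(_action_match(p, action) for p in actions):
            return False
    elif not_actions:
        if any(_action_match(p, action) for p in not_actions):
            return False
    else:
        return False
    resources, not_resources = _as_list(stmt.get("Resource")), _as_list(stmt.get("NotResource"))
    if resources:
        return any(_wildcard_match(p, resource) for p in resources)
    if not_resources:
        return not any(_wildcard_match(p, resource) for p in not_resources)
    return False


def evaluate(policies: List[dict], action: str, resource: str) -> str:
    """Return 'deny', 'conditional', 'allow' or 'implicit-deny' for one action on one resource."""
    allow, conditional = False, False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt.get("Condition"):
                conditional = True        # outcome depends on request context (MFA, source IP, tags)
            elif stmt.get("Effect") == "Deny":
                return "deny"             # an unconditional explicit Deny settles it
            elif stmt.get("Effect") == "Allow":
                allow = True
    if conditional:
        return "conditional"
    return "allow" if allow else "implicit-deny"


def login_profile_edge(policies: List[dict], target_user_arn: str) -> Dict[str, str]:
    """Evaluate both actions behind the edge against one target user."""
    return {action: evaluate(policies, action, target_user_arn) for action in EDGE_ACTIONS}


# Constructed sample: a help-desk principal that may create (but not reset) passwords
# for service users, and an admin whose every IAM grant is gated on MFA.
HELPDESK_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:GetLoginProfile", "iam:*LoginProfile"],
         "Resource": "arn:aws:iam::123456789012:user/svc-*"}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "iam:UpdateLoginProfile", "Resource": "*"}]},
]
ADMIN_MFA_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
]

if __name__ == "__main__":
    for name, pols in (("helpdesk", HELPDESK_POLICIES), ("admin-mfa", ADMIN_MFA_POLICIES)):
        print(name, login_profile_edge(pols, "arn:aws:iam::123456789012:user/svc-backup"))
```

A "conditional" result is not a pass: a Condition on aws:MultiFactorAuthPresent or aws:SourceIp only helps if the attacker cannot satisfy it, so treat those principals as edge candidates and confirm them in the simulator.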
Exploitation
AWS CLI
Create a console password for the target user with CreateLoginProfile (aws iam create-login-profile --user-name <user> together with a password that meets the account password policy; pass --no-password-reset-required so the first sign-in does not force a password change):
After the profile is created, the attacker signs in to the console at the account's sign-in URL with the target's user name and the chosen password. If the target has an MFA device enabled, the sign-in still requires the MFA code.
Related risk: if the attacker holds iam:UpdateLoginProfile, they can reset an existing console password without creating a new profile, which also locks the legitimate user out until the change is noticed.
Mitigation
Restrict iam:CreateLoginProfile and iam:UpdateLoginProfile to trusted identity administrators, and scope the Resource of any delegated grant to the specific users that administrator may manage rather than "*".
Disable console access for service users that should remain programmatic-only, and treat the appearance of a login profile on such a user as an incident.
Enforce MFA and strong password policies for IAM users that require console login.
Prefer AWS IAM Identity Center and temporary role-based access over long-lived IAM users.
Detection
Monitor CloudTrail for login profile changes. IAM is a global service, so its events are recorded in us-east-1 and only appear in trails that include global service events.
Event source: iam.amazonaws.com
Event names: CreateLoginProfile, UpdateLoginProfile, DeleteLoginProfile
The record's requestParameters carries the target userName and passwordResetRequired; the password itself is never logged. Prioritise hits where the calling principal is not the target user, and any hit on a user that is supposed to be API-only.
Example lookup against the 90-day CloudTrail event history (one lookup attribute per call, so repeat for each event name): aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateLoginProfile. For older activity, query the trail's S3 logs or CloudTrail Lake.
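The script below turns that lookup into detection logic. It is an added example for this page, not FSProtect code: it accepts either a raw CloudTrail log file ({"Records": [...]}) or the JSON printed by aws cloudtrail lookup-events ({"Events": [{"CloudTrailEvent": "..."}]}), keeps only the three event names above, resolves the calling principal (the role ARN for assumed-role sessions) and the target user, and ranks each hit. The four records it runs on are constructed for illustration, and the fallback to the caller's own user name when userName is absent from requestParameters is an assumption.

```python
"""Flag CloudTrail records that create, reset or delete IAM console passwords.

Added example (not FSProtect code). Runs offline on CloudTrail JSON you already
have; the SAMPLE_LOG records at the bottom are constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

LOGIN_PROFILE_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile", "DeleteLoginProfile"}


@dataclass
class Finding:
    event_name: str
    actor: str                      # calling principal (role ARN for assumed-role sessions)
    target_user: str                # IAM user whose console password was touched
    self_service: bool              # the user changed its own login profile
    reset_required: Optional[bool]  # passwordResetRequired from requestParameters, if logged
    source_ip: str
    error: Optional[str]            # errorCode when the call failed (e.g. AccessDenied)

    def severity(self) -> str:
        if self.error:
            return "info"      # failed attempt: still worth recording, lower priority
        if not self.self_service:
            return "high"      # one principal granting console access to another user
        return "medium"


def load_records(text: str) -> List[dict]:
    """Accept a raw trail log file or the output of `aws cloudtrail lookup-events`."""
    doc = json.loads(text)
    if "Records" in doc:
        return doc["Records"]
    if "Events" in doc:      # lookup-events wraps each record as a JSON string
        return [json.loads(e["CloudTrailEvent"]) for e in doc["Events"]]
    raise ValueError("not a CloudTrail log file or lookup-events output")


def _actor_arn(record: dict) -> str:
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")


def _caller_user_name(record: dict) -> Optional[str]:
    ident = record.get("userIdentity", {})
    return ident.get("userName") if ident.get("type") == "IAMUser" else None


def find_login_profile_changes(records: List[dict]) -> List[Finding]:
    findings = []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com" or r.get("eventName") not in LOGIN_PROFILE_EVENTS:
            continue
        params = r.get("requestParameters") or {}
        caller = _caller_user_name(r)
        # Assumption: a missing userName means the caller acted on its own user.
        target = params.get("userName") or caller or "unknown"
        findings.append(Finding(
            event_name=r["eventName"],
            actor=_actor_arn(r),
            target_user=target,
            self_service=(caller is not None and target == caller),
            reset_required=params.get("passwordResetRequired"),
            source_ip=r.get("sourceIPAddress", ""),
            error=r.get("errorCode"),
        ))
    return findings


# Constructed sample log: a CI role enabling console access for a service user, a user
# resetting her own password, a failed deletion attempt, and an unrelated CreateUser call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/ci-deploy"}}},
     "requestParameters": {"userName": "svc-backup", "passwordResetRequired": False}},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteLoginProfile", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"userName": "alice"}, "errorCode": "AccessDenied"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": {"userName": "carol"}},
]})

if __name__ == "__main__":
    for f in find_login_profile_changes(load_records(SAMPLE_LOG)):
        print(f"[{f.severity():6}] {f.event_name} by {f.actor} on user {f.target_user} "
              f"from {f.source_ip} reset_required={f.reset_required} error={f.error}")
```

Feed it real data with load_records(open("events.json").read()) after saving the lookup-events output; the "high" tier is the AWS_CAN_CREATE_LOGIN_PROFILE edge being exercised, and a "high" hit whose target is a known API-only service user is the case to escalate first.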