> For the complete documentation index, see [llms.txt](https://docs.forestall.io/fsprotect/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.forestall.io/fsprotect/edges/aws/aws_can_create_login_profile.md).

# AWS\_CAN\_CREATE\_LOGIN\_PROFILE

## Summary

|                                |                                                                                       |
| ------------------------------ | ------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**        | AWS\_CAN\_CREATE\_LOGIN\_PROFILE                                                      |
| **Edge Type**                  | Attack Path                                                                           |
| **Affected Object Types**      | IAM Users                                                                             |
| **Exploitation Certainty**     | Certain                                                                               |
| **AWS IAM Action / Condition** | `iam:CreateLoginProfile` for target IAM user (related risk: `iam:UpdateLoginProfile`) |

## Description

`AWS_CAN_CREATE_LOGIN_PROFILE` represents the ability to set an IAM console password for a user account.

This is a privilege escalation and persistence path because an attacker can:

* Enable console access for an API-only user.
* Set a known password and immediately sign in to the AWS Management Console as that user.
* Expand attack surface by switching from API-only workflows to interactive console actions.

Related note: `iam:UpdateLoginProfile` is also high risk because it can reset the password of users who already have a login profile.

## Identification

### AWS CLI

Check whether the principal can create login profiles:

```bash
aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::123456789012:user/AnalystUser \
  --action-names iam:CreateLoginProfile \
  --resource-arns arn:aws:iam::123456789012:user/TargetUser
```

Check whether the target user already has a login profile:

```bash
aws iam get-login-profile --user-name TargetUser
```

If the command returns `NoSuchEntity`, no console password currently exists.

### AWS Console

* Open **IAM** -> **Users** -> select target user.
* Open **Security credentials**.
* Check **Console sign-in** status.
* Review which principals have been delegated IAM user credential management permissions.

## Exploitation

### AWS CLI

Create a console password for the target user:

```bash
aws iam create-login-profile \
  --user-name TargetUser \
  --password 'ExampleTempPassword123!' \
  --password-reset-required
```

After the profile is created, the attacker can attempt console sign-in with the chosen password.

Related risk:

* If the attacker has `iam:UpdateLoginProfile`, they can reset an existing console password without creating a new profile.

## Mitigation

* Restrict `iam:CreateLoginProfile` and `iam:UpdateLoginProfile` to trusted identity administrators.
* Disable console access for service users that should remain programmatic-only.
* Enforce MFA and strong password policies for IAM users that require console login.
* Prefer AWS IAM Identity Center and temporary role-based access over long-lived IAM users.

## Detection

Monitor CloudTrail for login profile changes:

* **Event source**: `iam.amazonaws.com`
* **Event names**:
  * `CreateLoginProfile`
  * `UpdateLoginProfile`
  * `DeleteLoginProfile`

Example lookup:

```bash
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=CreateLoginProfile
```
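As an added example (not part of this page or of FSProtect), the triage logic a responder would run over the events returned by the lookup above: it keeps only the three login-profile event names, then rates each one by whether the caller is a trusted identity administrator and whether the password was set on a user other than the caller. The CloudTrail records and the `TRUSTED_ADMINS` allowlist are constructed for illustration.

```python
import json

# Constructed sample CloudTrail records (not real logs), in the shape CloudTrail
# uses for iam.amazonaws.com. CloudTrail does not log the password itself.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "AnalystUser"},
     "requestParameters": {"userName": "TargetUser", "passwordResetRequired": True},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "IdentityAdmin"},
     "requestParameters": {"userName": "Alice"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetLoginProfile",          # read-only, should be ignored
     "userIdentity": {"type": "IAMUser", "userName": "AnalystUser"},
     "requestParameters": {"userName": "TargetUser"},
     "sourceIPAddress": "198.51.100.7"},
]
# Constructed to mimic `aws cloudtrail lookup-events` output, where each
# Events[].CloudTrailEvent is a JSON string holding the full record.
LOOKUP_OUTPUT = json.dumps({"Events": [{"CloudTrailEvent": json.dumps(e)} for e in SAMPLE_EVENTS]})

LOGIN_PROFILE_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile", "DeleteLoginProfile"}
TRUSTED_ADMINS = {"IdentityAdmin"}   # assumed allowlist of identity administrators

def from_lookup_output(text):
    """Unwrap lookup-events JSON into a list of CloudTrail record dicts."""
    return [json.loads(e["CloudTrailEvent"]) for e in json.loads(text).get("Events", [])]

def classify(event):
    """Return None for events outside scope, else a finding with a severity."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in LOGIN_PROFILE_EVENTS:
        return None
    actor = event.get("userIdentity", {}).get("userName")
    target = event.get("requestParameters", {}).get("userName")
    if actor in TRUSTED_ADMINS:
        severity = "info"      # expected administrative activity
    elif actor != target:
        severity = "high"      # non-admin set a console password on ANOTHER user
    else:
        severity = "medium"    # non-admin changed their own console password
    return {"time": event.get("eventTime"), "event": name, "actor": actor,
            "target": target, "source_ip": event.get("sourceIPAddress"), "severity": severity}

def scan(events):
    """Classify every record and drop the ones that are out of scope."""
    return [f for f in map(classify, events) if f is not None]

if __name__ == "__main__":
    for finding in scan(from_lookup_output(LOOKUP_OUTPUT)):
        print(json.dumps(finding))
```

In practice the `TRUSTED_ADMINS` set would be derived from the principals that the Mitigation section says should keep `iam:CreateLoginProfile` and `iam:UpdateLoginProfile`, so every `high` finding is a password set on someone else's user by a principal that should not hold that permission.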

## References

* <https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html>
* <https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateLoginProfile.html>
* <https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetLoginProfile.html>
* <https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/index.html>

