In AWS, Identity and Access Management (IAM) is the gatekeeper. Misconfigured IAM policies are the primary way attackers gain unauthorized access and escalate their privileges within a cloud environment.
If a user has the 'iam:CreatePolicyVersion' permission, they can create a new version of a policy that is attached to them, potentially granting themselves 'AdministratorAccess'.
The 'iam:PassRole' permission allows a user to pass an IAM role to an AWS service, such as EC2 or Lambda. If a user can pass a highly privileged role to a service they control, they can execute code with that role's permissions.
The ultimate goal for an attacker is often the 'AdministratorAccess' managed policy. By chaining multiple low-level permissions, an attacker can often find a path to this level of control.
Regularly auditing IAM policies using tools like PMapper or Pacu is critical. Organizations should follow the principle of least privilege and use IAM Access Analyzer to identify unintended access.
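One way to make that audit concrete, as an added example that is not from the original page nor from PMapper, Pacu or IAM Access Analyzer: a small offline Python check that flags policy statements granting 'iam:CreatePolicyVersion' or an unscoped 'iam:PassRole' (wildcard role resource, or no 'iam:PassedToService' condition pinning the receiving service). The policy documents are constructed for illustration and the account id 111122223333 is a placeholder; in a real account the documents would be fetched with boto3 (for example 'iam.get_policy_version', assumed here and not called so the script runs offline). The check looks at single policy documents only; it does not evaluate Deny overrides, permission boundaries or SCPs.

```python
import fnmatch

# Permissions the text identifies as privilege-escalation primitives, with
# the reason each one matters to a reviewer.
RISKY_ACTIONS = {
    "iam:CreatePolicyVersion": "can rewrite an attached policy and make the new version the default",
    "iam:PassRole": "can hand a privileged role to a service the principal controls",
}

# Condition key that limits which AWS service a passed role may be delivered to.
PASSED_TO_SERVICE = "iam:PassedToService"


def _as_list(value):
    """IAM lets Statement/Action/Resource be a string, a dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are case-insensitive and policy patterns may use '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _has_condition_key(conditions, key):
    """True if any operator block (StringEquals, ArnLike, ...) constrains the given key."""
    return any(k.lower() == key.lower()
               for operand in conditions.values()
               for k in operand)


def audit_policy(document):
    """Return findings for Allow statements that grant a risky action broadly.

    iam:CreatePolicyVersion is always reported. iam:PassRole is reported only
    when the role resource contains a wildcard or no iam:PassedToService
    condition pins the receiving service.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant anything
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditions = stmt.get("Condition", {})

        for action, why in RISKY_ACTIONS.items():
            if not any(_action_matches(p, action) for p in actions):
                continue
            broad_resource = any("*" in r for r in resources)
            if (action == "iam:PassRole" and not broad_resource
                    and _has_condition_key(conditions, PASSED_TO_SERVICE)):
                continue  # scoped PassRole: named roles, named receiving service
            findings.append({"sid": sid, "action": action,
                             "resources": resources, "reason": why})
    return findings


# Constructed sample documents; 111122223333 is a placeholder account id.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "IamAdmin", "Effect": "Allow",
                   "Action": ["iam:*"], "Resource": "*"}],
}

SCOPED_PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PassOnlyAppRoleToLambda",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::111122223333:role/app-lambda-role",
        "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
    }],
}

POLICY_EDITOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EditVersions",
        "Effect": "Allow",
        "Action": ["iam:CreatePolicyVersion", "iam:ListPolicyVersions"],
        "Resource": "arn:aws:iam::111122223333:policy/team-policy",
    }],
}

if __name__ == "__main__":
    samples = [("OVERLY_BROAD_POLICY", OVERLY_BROAD_POLICY),
               ("SCOPED_PASSROLE_POLICY", SCOPED_PASSROLE_POLICY),
               ("POLICY_EDITOR_POLICY", POLICY_EDITOR_POLICY)]
    for name, doc in samples:
        for f in audit_policy(doc):
            print(f"{name}: {f['sid']} grants {f['action']} on {f['resources']}: {f['reason']}")
```

The scoped 'iam:PassRole' statement produces no finding because it names one role and one receiving service; the same grant with a wildcard in the role ARN is reported even when the condition is present, since the condition alone does not bound which roles can be passed.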