Back to Course

IAM Privilege Escalation Labs

0% Complete
0/0 Steps
  1. Introduction

    About this course
  2. Real-world case studies
  3. Useful IAM tips and security tools
  4. Introduction to AWS Enumeration
    [LAB] Getting Started with the AWS CLI
  5. [LAB] Introduction to AWS IAM Enumeration
  6. [Cheat Sheet] IAM Enumeration CLI Commands
  7. [LAB] Introduction to Secrets Manager Enumeration
  8. [Cheat Sheet] Secrets Manager Enumeration CLI Commands
  9. [LAB] Introduction to Amazon S3 Enumeration
  10. iam:CreateAccessKey
    [LAB] [CTF] iam:CreateAccessKey PrivEsc
  11. iam:CreateAccessKey Solution
  12. iam:CreateLoginProfile
    [LAB] [CTF] iam:CreateLoginProfile PrivEsc
  13. iam:CreateLoginProfile Solution
  14. iam:UpdateLoginProfile
    [LAB] [CTF] iam:UpdateLoginProfile PrivEsc
  15. iam:UpdateLoginProfile Solution
  16. iam:SetDefaultPolicyVersion
    [LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc
  17. iam:SetDefaultPolicyVersion Solution
  18. iam:AddUserToGroup
    [LAB] [CTF] iam:AddUserToGroup PrivEsc
  19. iam:AddUserToGroup Solution
  20. iam:AttachUserPolicy
    [LAB] [CTF] iam:AttachUserPolicy PrivEsc
  21. iam:AttachUserPolicy Solution
  22. iam:AttachGroupPolicy
    [LAB] [CTF] iam:AttachGroupPolicy PrivEsc
  23. iam:AttachGroupPolicy Solution
  24. iam:PutUserPolicy
    [LAB] [CTF] iam:PutUserPolicy PrivEsc
  25. iam:PutUserPolicy Solution
  26. iam:PutGroupPolicy
    [LAB] [CTF] iam:PutGroupPolicy PrivEsc
  27. iam:PutGroupPolicy Solution
  28. iam:AttachRolePolicy
    [LAB] [CTF] iam:AttachRolePolicy PrivEsc
  29. iam:AttachRolePolicy Solution
  30. iam:PutRolePolicy
    [LAB] [CTF] iam:PutRolePolicy PrivEsc
  31. iam:PutRolePolicy Solution
  32. Challenges
    About challenges
  33. Challenge #1 - Secrets Unleashed
  34. Challenge #2 - IAM Escape Room
  35. Conclusion
    What's next?
Lesson 3 of 35
In Progress

Useful IAM tips and security tools

Christophe November 19, 2023

Practical AWS CLI tips

This course requires heavy use of the AWS CLI, and especially aws iam commands. You’ll need to regularly refer to documentation but another tip is to use grep in order to search through the help menu, like this:

aws iam help | grep -e "list-group" -e "get-group"
       o get-group
       o get-group-policy
       o list-group-policies
       o list-groups
       o list-groups-for-userCode language: PHP (php)

That way you can save a lot of time instead of constantly going back and forth with docs.

About using tools/automation for this course

You do not need any of the tools in this lesson in order to successfully complete the labs in this course! Every single one of them can be 100% accomplished using the AWS CLI, and that’s how I recommend that you do it the first time around to get experience with using the AWS CLI.

With that said, if you’re already experienced or if you’ve already gone through a first run, trying out these automation tools is also a great idea as they can help speed things up and/or find issues you may not have manually found.

Also, please note that while I have personally used and continue to use some of these tools, I’ve also included some that I have heard about but haven’t personally (or thoroughly) tested, so they may not work as intended. Especially since some of them are a few years old and haven’t been recently updated. If that’s the case, please drop me a comment below and I’ll remove the tool. (I ultimately want to test them all, just haven’t had the time yet)

Command line tool

IDE-style autocomplete for your existing terminal. Not technically an IAM security tool, but what I love about Fig:

  • Autocomplete – it can autocomplete a lot of AWS commands for you, so you don’t have to constantly search through AWS CLI documentation to remember correct syntax
  • You can create CLI scripts, which is great for repeatable steps

Great tool that I recommend not just for this but for day-to-day command line work. It was acquired by Amazon in 2023, so it’s now backed by AWS themselves.

I think it might only work for MacOS though? Not sure.


Quickly and easily evaluate one or more IAM policies to find issues.

This is a tool you can use to more quickly understand what the vulnerability might be across one policy or across multiple policies.


IAMFinder enumerates and finds users and IAM roles in a target AWS account.


Enumerate the permissions associated with an AWS credential set. This tool tries to brute force all API calls allowed by the IAM policy. The calls performed by this tool are all non-destructive (only get* and list* calls are performed). Great for finding weaknesses you may not have manually found.


A tool for quickly evaluating IAM permissions in AWS.

A script that can help you find privesc paths.


Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. This is the same tool we demonstrate in our Pentesting AWS Environments with Pacu, CloudGoat, and ChatGPT course

Any other tools we should add?

There are many other AWS security tools out there, but I tried only adding lightweight and open-source tools (minus Fig). If you have other tools you’d recommend adding to this list that fit that criteria and that’s specific to IAM, let me know in the comments below!


Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  1. New update on

    “Fig is sunsetting, migrate to Amazon CodeWhisperer
    Dear Fig users,

    Effective September 1, 2024 we will be ending access to Fig.

    We encourage users to migrate to Amazon CodeWhisperer for command line. It’s free on the Individual tier and is designed to be faster and more reliable than Fig. To make this transition as easy as possible, users can upgrade to CodeWhisperer for command line directly from the Fig dashboard.

    To learn more about the changes to Fig and how to export your data, read our blog post. …”