IAM User or Group has Create Policy Version Privileges

Tenacity Id

Risk Level

Last Updated: April 21, 2022

An AWS Identity and Access Management (IAM) user, group, or role is able to create new versions of IAM policies. If an IAM user account holding this privilege is compromised, a malicious actor could escalate privileges to a full account takeover by creating a policy version that grants all actions on all resources and setting that version as the default. Because the iam:CreatePolicyVersion action also permits the new version to be set as the default, the change takes effect instantly without any separate permission. Remove iam:CreatePolicyVersion from the IAM group or role.
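The check below is an added example, not Tenacity's own scanner or remediation logic. It evaluates IAM policy documents for Allow statements that cover iam:CreatePolicyVersion (including wildcard grants such as iam:* or *), honours unconditional explicit Deny statements, and produces a corrected copy with the literal action removed. The policy documents are constructed samples embedded inline so the script runs offline; in practice the same functions would be fed the documents returned for each managed and inline policy in the account. It deliberately ignores Resource scoping, since a principal that can create versions of any policy attached to itself is already able to escalate, and it does not evaluate Condition blocks (an Allow with a condition is still reported, a Deny with a condition is not trusted), so it errs toward producing a finding.

```python
"""Detect and remediate grants of iam:CreatePolicyVersion in IAM policy JSON.

Added example; not part of the Tenacity page or product. Sample policies are
constructed for illustration and carry a fictitious account id.
"""
import copy
import fnmatch
import json

TARGET_ACTION = "iam:CreatePolicyVersion"


def _as_list(value):
    """IAM lets Statement, Action, NotAction and Resource be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _covers(stmt, action):
    """Does this statement's Action/NotAction clause reach `action`?"""
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        # NotAction covers everything that is not listed.
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def offending_statements(policy_doc, action=TARGET_ACTION):
    """Sids (or positional index when no Sid) of Allow statements covering `action`.

    Resource scoping is ignored on purpose: one in-scope policy ARN that the
    principal itself is attached to is enough for the escalation.
    """
    found = []
    for i, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") == "Allow" and _covers(stmt, action):
            found.append(stmt.get("Sid", i))
    return found


def policy_allows(policy_doc, action=TARGET_ACTION):
    """Single-document evaluation: an unconditional explicit Deny wins over Allow.

    Denies carrying a Condition are not trusted (they may not apply at runtime),
    so the result leans toward reporting a finding rather than hiding one.
    """
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") == "Deny" and "Condition" not in stmt and _covers(stmt, action):
            return False
    return bool(offending_statements(policy_doc, action))


def remediate(policy_doc, action=TARGET_ACTION):
    """Return (fixed_doc, needs_review).

    Literal grants of `action` are removed, and a statement left with no actions
    is dropped. Wildcard grants (iam:*, *) and Allow+NotAction statements are not
    rewritten automatically; their Sids are returned for manual review.
    """
    fixed = copy.deepcopy(policy_doc)
    needs_review, kept = [], []
    for i, stmt in enumerate(_as_list(fixed.get("Statement"))):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions = _as_list(stmt["Action"])
            literal = [a for a in actions if a.lower() == action.lower()]
            if any(_matches(a, action) for a in actions if a not in literal):
                needs_review.append(stmt.get("Sid", i))
            remaining = [a for a in actions if a not in literal]
            if not remaining:
                continue  # the statement granted nothing else; drop it entirely
            stmt["Action"] = remaining if len(remaining) > 1 else remaining[0]
        elif stmt.get("Effect") == "Allow" and "NotAction" in stmt and _covers(stmt, action):
            needs_review.append(stmt.get("Sid", i))
        kept.append(stmt)
    fixed["Statement"] = kept
    return fixed, needs_review


# Constructed sample: a "read-only" developer policy that slipped the escalation action in.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        {"Sid": "PolicyMaint", "Effect": "Allow",
         "Action": ["iam:GetPolicy", "iam:CreatePolicyVersion"],
         "Resource": "arn:aws:iam::111122223333:policy/DevTeamPolicy"},
    ],
}

# Constructed sample: a blanket IAM wildcard, which the tool flags for human review.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Sid": "AllIam", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("wildcard", WILDCARD_POLICY)):
        print(f"{name}: allows {TARGET_ACTION} = {policy_allows(doc)}; "
              f"offending statements = {offending_statements(doc)}")
    fixed_doc, review = remediate(WEAK_POLICY)
    print(json.dumps(fixed_doc, indent=2))
    print("after remediation allows:", policy_allows(fixed_doc), "needs review:", review)
```

Run it as-is to see the weak policy flagged on its "PolicyMaint" statement and the corrected document with only iam:GetPolicy left in that statement; the wildcard policy is reported but left untouched, because narrowing iam:* is a design decision for the policy owner, not something a script should guess at.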