Block IAM Inline Policies That Enable Privilege Escalation
Why this matters
Inline IAM policies are attached directly to users, roles, or groups and are not reused or versioned like managed policies. This makes them harder to audit and maintain. Worse, if these policies grant overly broad permissions—such as allowing the creation of new roles or assignment of privileges—they can be exploited for privilege escalation.
Privilege escalation enables attackers to elevate their access rights in your AWS environment. This can lead to full compromise of accounts and services if not properly managed.
What this check does
This Auto Check scans all IAM inline policies for patterns that indicate potential privilege escalation, such as:
Use of wildcard actions like "Action": "*"
Permissions to modify IAM roles, policies, or access keys
Lack of conditions limiting sensitive operations
If such policies are detected, the check will fail.
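The three patterns above can be checked offline against a policy document. The following is an added example, not the Auto Check's own code: it scans a decoded inline policy for wildcard actions, for grants of IAM-modifying permissions, and for whether those grants are bounded by a Condition. The list of sensitive actions and the severity rule (a Condition downgrades a sensitive grant to informational) are assumptions of this example, and both policy documents are constructed for illustration.

```python
"""Added example: scan IAM inline policy documents for privilege-escalation
patterns (wildcard actions, IAM-modifying permissions, missing Conditions).
The policy documents below are constructed for illustration."""
import fnmatch
import json
from dataclasses import dataclass

# IAM actions that let a principal change who holds which permissions.
# Assumed list for this example; it is not an official AWS enumeration.
SENSITIVE_IAM_ACTIONS = [
    "iam:PassRole", "iam:CreatePolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
    "iam:UpdateAssumeRolePolicy", "iam:AddUserToGroup",
    "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
]


@dataclass
class Finding:
    statement_index: int
    severity: str   # "high" fails the check, "info" is reported only
    reason: str


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _pattern_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scan_policy(policy):
    """Return findings for every Allow statement in a policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        has_condition = bool(stmt.get("Condition"))
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append(Finding(idx, "high", "Allow with NotAction is an implicit broad grant"))
        actions = _as_list(stmt.get("Action"))
        # Account-wide or service-wide wildcards are reported once, as such.
        wildcards = [p for p in actions if p == "*" or p.lower() == "iam:*"]
        for pattern in wildcards:
            findings.append(Finding(idx, "high", f"wildcard action {pattern!r}"))
        # Remaining patterns are expanded against the sensitive-action list.
        narrow = [p for p in actions if p not in wildcards]
        granted = [a for a in SENSITIVE_IAM_ACTIONS
                   if any(_pattern_matches(p, a) for p in narrow)]
        for action in granted:
            if has_condition:
                findings.append(Finding(idx, "info", f"{action} granted, bounded by a Condition"))
            else:
                findings.append(Finding(idx, "high", f"{action} granted without any Condition"))
    return findings


def check_fails(policy):
    """The check fails when any high-severity finding is present."""
    return any(f.severity == "high" for f in scan_policy(policy))


# Constructed: an inline policy with the patterns the check looks for.
RISKY_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:PassRole", "iam:CreatePolicy", "s3:GetObject"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# Constructed: a least-privilege replacement; PassRole is scoped to one role
# and limited by Condition to a single service.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-bucket",
                      "arn:aws:s3:::example-app-bucket/*"]},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-task-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("risky", RISKY_INLINE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "FAIL" if check_fails(doc) else "PASS")
        print(json.dumps([f.__dict__ for f in scan_policy(doc)], indent=2))
```

In practice the input to scan_policy is the decoded document returned by the get-user-policy, get-group-policy or get-role-policy CLI calls (the PolicyDocument field); the logic is the same for all three identity types.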
How to fix it
From the AWS Console
Sign in to the IAM Console
In the navigation pane, choose Users, Roles, or Groups
For each identity, review the Inline Policies section
Open each inline policy and inspect the permissions
Look for broad statements like Effect: Allow, Action: *, or risky permissions (e.g., iam:PassRole, iam:CreatePolicy)
Delete or replace these policies with managed ones that follow least privilege principles
From the AWS CLI
You can list and delete a user's inline policies using:
aws iam list-user-policies --user-name <user_name>
aws iam delete-user-policy --user-name <user_name> --policy-name <policy_name>
Repeat similarly for groups and roles.
Best Practices
Avoid inline policies entirely if possible; use managed policies instead
Apply least privilege: grant only the permissions required for the task
Regularly audit IAM policies across all accounts and regions
Use policy conditions to limit access by IP, service, or resource