Policy destruction

The IAM Privilege Catalog

risks / Policy destruction

Description

Allows an attacker to delete IAM policies. When these policies would otherwise deny attacker access, can allow an attacker both vertical and lateral privilege escalation.

Risk: CRITICAL

Exploited in isolation, this risk has the potential to disrupt central organizational operations, destroy trust, or create significant liability. Alternatively, this risk gives attackers access to broadly provisioned identities that enable the above impacts (such as root privilege escalation risks).

Mitigations

Favor restricted allow policies over deny policies

Links

https://attack.mitre.org/techniques/T1098/

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Amazon Web Services

acm-pca:CreatePermission

acm-pca:DeletePermission

acm-pca:DeletePolicy

acm-pca:PutPolicy

apigateway:UpdateRestApiPolicy

backup:DeleteBackupVaultAccessPolicy

backup:PutBackupVaultAccessPolicy

chime:DeleteVoiceConnectorTerminationCredentials

chime:PutVoiceConnectorTerminationCredentials

cloudformation:SetStackPolicy

cloudsearch:UpdateServiceAccessPolicies

codeartifact:DeleteDomainPermissionsPolicy

codeartifact:DeleteRepositoryPermissionsPolicy

codebuild:DeleteResourcePolicy

codebuild:DeleteSourceCredentials

codebuild:ImportSourceCredentials

codebuild:PutResourcePolicy

codeguru-profiler:PutPermission

codeguru-profiler:RemovePermission

codestar:AssociateTeamMember

codestar:CreateProject

codestar:DeleteProject

codestar:DisassociateTeamMember

codestar:UpdateTeamMember

cognito-identity:CreateIdentityPool

cognito-identity:DeleteIdentities

cognito-identity:DeleteIdentityPool

cognito-identity:GetId

cognito-identity:MergeDeveloperIdentities

cognito-identity:SetIdentityPoolRoles

cognito-identity:UnlinkDeveloperIdentity

cognito-identity:UnlinkIdentity

cognito-identity:UpdateIdentityPool

deeplens:AssociateServiceRoleToAccount

ds:CreateConditionalForwarder

ds:CreateDirectory

ds:CreateMicrosoftAD

ds:ShareDirectory

ec2:CreateNetworkInterfacePermission

ec2:DeleteNetworkInterfacePermission

ec2:DisableImageBlockPublicAccess

ec2:ModifySnapshotAttribute

ec2:ModifyVpcEndpointServicePermissions

ec2:ResetSnapshotAttribute

ecr:DeleteRepositoryPolicy

ecr:SetRepositoryPolicy

elasticfilesystem:DeleteFileSystemPolicy

elasticfilesystem:PutFileSystemPolicy

elasticmapreduce:PutBlockPublicAccessConfiguration

es:CreateElasticsearchDomain

es:UpdateElasticsearchDomainConfig

glacier:AbortVaultLock

glacier:CompleteVaultLock

glacier:DeleteVaultAccessPolicy

glacier:InitiateVaultLock

glacier:SetDataRetrievalPolicy

glacier:SetVaultAccessPolicy

glue:DeleteResourcePolicy

glue:PutResourcePolicy

greengrass:AssociateServiceRoleToAccount

health:DisableHealthServiceAccessForOrganization

health:EnableHealthServiceAccessForOrganization

iam:AddClientIDToOpenIDConnectProvider

iam:AddRoleToInstanceProfile

iam:AddUserToGroup

iam:AttachGroupPolicy

iam:AttachRolePolicy

iam:AttachUserPolicy

iam:ChangePassword

iam:CreateAccessKey

iam:CreateAccountAlias

iam:CreateGroup

iam:CreateInstanceProfile

iam:CreateLoginProfile

iam:CreateOpenIDConnectProvider

iam:CreatePolicy

iam:CreatePolicyVersion

iam:CreateSAMLProvider

iam:CreateServiceLinkedRole

iam:CreateServiceSpecificCredential

iam:CreateVirtualMFADevice

iam:DeactivateMFADevice

iam:DeleteAccessKey

iam:DeleteAccountAlias

iam:DeleteAccountPasswordPolicy

iam:DeleteGroup

iam:DeleteGroupPolicy

iam:DeleteInstanceProfile

iam:DeleteLoginProfile

iam:DeleteOpenIDConnectProvider

iam:DeletePolicy

iam:DeletePolicyVersion

iam:DeleteRolePermissionsBoundary

iam:DeleteRolePolicy

iam:DeleteSAMLProvider

iam:DeleteSSHPublicKey

iam:DeleteServerCertificate

iam:DeleteServiceLinkedRole

iam:DeleteServiceSpecificCredential

iam:DeleteSigningCertificate

iam:DeleteUserPermissionsBoundary

iam:DeleteUserPolicy

iam:DeleteVirtualMFADevice

iam:DetachGroupPolicy

iam:DetachRolePolicy

iam:DetachUserPolicy

iam:EnableMFADevice

iam:PutGroupPolicy

iam:PutRolePermissionsBoundary

iam:PutRolePolicy

iam:PutUserPermissionsBoundary

iam:PutUserPolicy

iam:RemoveClientIDFromOpenIDConnectProvider

iam:RemoveRoleFromInstanceProfile

iam:RemoveUserFromGroup

iam:ResetServiceSpecificCredential

iam:ResyncMFADevice

iam:SetDefaultPolicyVersion

iam:SetSecurityTokenServicePreferences

iam:UpdateAccessKey

iam:UpdateAccountPasswordPolicy

iam:UpdateAssumeRolePolicy

iam:UpdateGroup

iam:UpdateLoginProfile

iam:UpdateOpenIDConnectProviderThumbprint

iam:UpdateRoleDescription

iam:UpdateSAMLProvider

iam:UpdateSSHPublicKey

iam:UpdateServerCertificate

iam:UpdateServiceSpecificCredential

iam:UpdateSigningCertificate

iam:UploadSSHPublicKey

iam:UploadServerCertificate

iam:UploadSigningCertificate

imagebuilder:PutComponentPolicy

imagebuilder:PutImagePolicy

imagebuilder:PutImageRecipePolicy

iot:AttachPolicy

iot:AttachPrincipalPolicy

iot:DetachPolicy

iot:DetachPrincipalPolicy

iot:SetDefaultAuthorizer

iot:SetDefaultPolicyVersion

iotsitewise:CreateAccessPolicy

iotsitewise:DeleteAccessPolicy

iotsitewise:UpdateAccessPolicy

kms:CreateGrant

kms:PutKeyPolicy

kms:RetireGrant

kms:RevokeGrant

lakeformation:BatchGrantPermissions

lakeformation:BatchRevokePermissions

lakeformation:GrantPermissions

lakeformation:PutDataLakeSettings

lakeformation:RevokePermissions

lambda:AddLayerVersionPermission

lambda:AddPermission

lambda:DisableReplication

lambda:EnableReplication

lambda:RemoveLayerVersionPermission

lambda:RemovePermission

license-manager:UpdateServiceSettings

lightsail:GetRelationalDatabaseMasterUserPassword

logs:DeleteResourcePolicy

logs:PutResourcePolicy

mediapackage:RotateIngestEndpointCredentials

mediastore:DeleteContainerPolicy

mediastore:PutContainerPolicy

opsworks:SetPermission

opsworks:UpdateUserProfile

quicksight:CreateAdmin

quicksight:CreateGroup

quicksight:CreateGroupMembership

quicksight:CreateIAMPolicyAssignment

quicksight:CreateUser

quicksight:DeleteGroup

quicksight:DeleteGroupMembership

quicksight:DeleteIAMPolicyAssignment

quicksight:DeleteUser

quicksight:DeleteUserByPrincipalId

quicksight:RegisterUser

quicksight:UpdateDashboardPermissions

quicksight:UpdateGroup

quicksight:UpdateIAMPolicyAssignment

quicksight:UpdateTemplatePermissions

quicksight:UpdateUser

ram:AcceptResourceShareInvitation

ram:AssociateResourceShare

ram:CreateResourceShare

ram:DeleteResourceShare

ram:DisassociateResourceShare

ram:EnableSharingWithAwsOrganization

ram:RejectResourceShareInvitation

ram:UpdateResourceShare

rds:AuthorizeDBSecurityGroupIngress

redshift:AuthorizeSnapshotAccess

redshift:CreateClusterUser

redshift:CreateSnapshotCopyGrant

redshift:JoinGroup

redshift:ModifyClusterIamRoles

redshift:RevokeSnapshotAccess

route53resolver:PutResolverRulePolicy

s3:BypassGovernanceRetention

s3:DeleteAccessPointPolicy

s3:DeleteBucketPolicy

s3:ObjectOwnerOverrideToBucketOwner

s3:PutAccessPointPolicy

s3:PutAccountPublicAccessBlock

s3:PutBucketAcl

s3:PutBucketPolicy

s3:PutBucketPublicAccessBlock

s3:PutObjectAcl

s3:PutObjectVersionAcl

secretsmanager:DeleteResourcePolicy

secretsmanager:PutResourcePolicy

secretsmanager:ValidateResourcePolicy

servicecatalog:CreatePortfolioShare

servicecatalog:DeletePortfolioShare

sns:AddPermission

sns:CreateTopic

sns:RemovePermission

sns:SetTopicAttributes

sqs:AddPermission

sqs:CreateQueue

sqs:RemovePermission

sqs:SetQueueAttributes

ssm:ModifyDocumentPermission

sso-directory:AddMemberToGroup

sso-directory:CreateAlias

sso-directory:CreateGroup

sso-directory:CreateUser

sso-directory:DeleteGroup

sso-directory:DeleteUser

sso-directory:DisableUser

sso-directory:EnableUser

sso-directory:RemoveMemberFromGroup

sso-directory:UpdateGroup

sso-directory:UpdatePassword

sso-directory:UpdateUser

sso-directory:VerifyEmail

sso:AssociateDirectory

sso:AssociateProfile

sso:CreateApplicationInstance

sso:CreateApplicationInstanceCertificate

sso:CreatePermissionSet

sso:CreateProfile

sso:CreateTrust

sso:DeleteApplicationInstance

sso:DeleteApplicationInstanceCertificate

sso:DeletePermissionSet

sso:DeletePermissionsPolicy

sso:DeleteProfile

sso:DisassociateDirectory

sso:DisassociateProfile

sso:ImportApplicationInstanceServiceProviderMetadata

sso:PutPermissionsPolicy

sso:UpdateApplicationInstanceActiveCertificate

sso:UpdateApplicationInstanceDisplayData

sso:UpdateApplicationInstanceResponseConfiguration

sso:UpdateApplicationInstanceResponseSchemaConfiguration

sso:UpdateApplicationInstanceSecurityConfiguration

sso:UpdateApplicationInstanceServiceProviderConfiguration

sso:UpdateApplicationInstanceStatus

sso:UpdateDirectoryAssociation

sso:UpdatePermissionSet

sso:UpdateProfile

sso:UpdateSSOConfiguration

sso:UpdateTrust

storagegateway:DeleteChapCredentials

storagegateway:SetLocalConsolePassword

storagegateway:SetSMBGuestPassword

storagegateway:UpdateChapCredentials

waf-regional:DeletePermissionPolicy

waf-regional:PutPermissionPolicy

waf:DeletePermissionPolicy

waf:PutPermissionPolicy

wafv2:CreateWebACL

wafv2:DeletePermissionPolicy

wafv2:DeleteWebACL

wafv2:PutPermissionPolicy

wafv2:UpdateWebACL

worklink:UpdateDevicePolicyConfiguration

workmail:ResetPassword

workmail:ResetUserPassword

xray:PutEncryptionConfig

Google Cloud Platform

appengine.applications.update

appengine.services.update

bigquery.connections.setIamPolicy

bigquery.dataPolicies.setIamPolicy

bigquery.datasets.deleteTagBinding

bigquery.datasets.setIamPolicy

bigquery.rowAccessPolicies.setIamPolicy

bigquery.tables.setIamPolicy

billing.accounts.setIamPolicy

cloudbuild.connections.setIamPolicy

cloudfunctions.functions.setIamPolicy

cloudkms.cryptoKeys.setIamPolicy

cloudkms.ekmConfigs.setIamPolicy

cloudkms.ekmConnections.setIamPolicy

cloudkms.importJobs.setIamPolicy

cloudkms.keyRings.deleteTagBinding

cloudkms.keyRings.setIamPolicy

cloudsql.instances.deleteTagBinding

compute.backendBuckets.setIamPolicy

compute.backendServices.setIamPolicy

compute.disks.deleteTagBinding

compute.disks.setIamPolicy

compute.firewallPolicies.cloneRules

compute.firewallPolicies.delete

compute.firewallPolicies.removeAssociation

compute.firewallPolicies.setIamPolicy

compute.globalNetworkEndpointGroups.setIamPolicy

compute.images.deleteTagBinding

compute.images.setIamPolicy

compute.instances.deleteTagBinding

compute.instances.setIamPolicy

compute.instances.setTags

compute.networkEndpointGroups.setIamPolicy

compute.networks.setFirewallPolicy

container.clusterRoleBindings.delete

container.clusterRoles.delete

container.clusters.deleteTagBinding

container.namespaces.delete

container.roleBindings.delete

container.roles.delete

dataproc.clusters.setIamPolicy

dns.managedZones.setIamPolicy

dns.policies.delete

dns.policies.setIamPolicy

dns.responsePolicies.delete

domains.registrations.deleteTagBinding

domains.registrations.setIamPolicy

firebaserules.releases.delete

firebaserules.releases.update

firebaserules.rulesets.create

iam.roles.delete

iam.serviceAccounts.setIamPolicy

iap.tunnel.setIamPolicy

iap.tunnelDestGroups.setIamPolicy

iap.tunnelInstances.setIamPolicy

iap.tunnelLocations.setIamPolicy

iap.tunnelZones.setIamPolicy

iap.webServiceVersions.setIamPolicy

iap.webServices.setIamPolicy

iap.webTypes.setIamPolicy

pubsub.schemas.setIamPolicy

pubsub.snapshots.setIamPolicy

pubsub.subscriptions.setIamPolicy

pubsub.topics.setIamPolicy

resourcemanager.projects.delete

resourcemanager.projects.setIamPolicy

resourcemanager.tagkeys.setIamPolicy

resourcemanager.tagvalues.setIamPolicy

run.jobs.deleteTagBinding

run.jobs.setIamPolicy

run.services.deleteTagBinding

run.services.setIamPolicy

secretmanager.secrets.setIamPolicy

storage.buckets.deleteTagBinding

storage.buckets.setIamPolicy

storage.objects.setIamPolicy

© 2023–present P0 Security and contributors to the IAM Privilege Catalog