Phase 1 — Misconfiguration
IAM User & Overpermissioned Policy Setup
Created a low-privilege IAM user with iam:AttachUserPolicy scoped to Resource: "*" — a single permission that enables full administrator escalation with no further access required.
Phase 2 — Attack Chain
Privilege Escalation via AWS CLI
Step-by-step exploitation: low-privilege user attaches AdministratorAccess, creates a backdoor admin user, and generates persistent credentials — full takeover in 45 seconds with raw CLI output logged.
Phase 3 — Impact Assessment
CVSS 9.1 · MITRE ATT&CK Cloud Mapping
5 findings with CVSS v3.1 vector strings. Mapped to MITRE ATT&CK Cloud Matrix: T1078.004 (Valid Cloud Accounts), T1484.001 (Policy Modification), T1098.001 (Additional Cloud Credentials), and more.
Phase 4 — Remediation
Principle of Least Privilege Fix
Before/after policy comparison, fine-grained IAM remediation CLI commands, and an SCP (Service Control Policy) to block self-escalation org-wide — eliminating the attack vector at the organisation level.