Lateral movement

Privileged Group – User Management

Risk Level

Hazardous (3)

Compliance Frameworks


An IAM Group is a collection of IAM Users. You can use groups to specify permissions for a collection of users. The group {AwsIamGroup} was found with permissive permissions that allows the user the ability to create access keys for a user or create/update console login credentials. An attacker may leverage this ability in order to create or update credentials for a user other than themselves, allowing them to then log in and act on behalf of that user.
  • Recommended Mitigation

    Review the group's policy and consider removing any of the following actions: iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey