An AWS access key was copied to the wrong profile. Four minutes later, an attacker had full admin rights. No alarms fired.

Privilege escalation through misconfigured AWS CLI-style profiles is silent, fast, and brutal. One misplaced key in ~/.aws/credentials, or a role_arn/source_profile chain in ~/.aws/config that ends at an overly permissive IAM role, can open a direct path from least privilege to full account takeover. Many teams still treat CLI profiles as harmless shortcuts, but every profile is a security boundary: cross it without tight controls and it becomes an attack surface.

What Makes AWS CLI-Style Profiles Risky

AWS CLI profiles store authentication settings locally, often with named profiles tied to IAM users, roles, or SSO configurations. Switching profiles is simple. So is abusing them:

  • Chaining roles: A profile with role_arn and source_profile makes the CLI call sts:AssumeRole on your behalf. If the source identity is allowed to assume a more privileged role, and that role's trust policy lets it, the jump is one command away.
  • Misconfigured trust policies: A role that trusts an entire account (Principal: arn:aws:iam::<account-id>:root) with no Condition keys such as aws:MultiFactorAuthPresent or sts:ExternalId can be assumed by any principal in that account that holds sts:AssumeRole permission.
  • Privilege creep: Temporary testing permissions that are never revoked can silently grant escalation routes.
  • Weak monitoring: CloudTrail records CLI calls just as it records console actions, but alerting tuned to ConsoleLogin events or to a fixed list of user ARNs misses AssumeRole sessions created from a developer laptop.

These risks multiply in multi-account AWS environments. Without continuous visibility into relationships between profiles, IAM roles, and permissions, it’s easy for a low-privilege compromise to pivot upward.
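One way to get that visibility is to treat ~/.aws/config as the graph it already is. The following is an added example, written for this page rather than taken from hoop.dev or the AWS CLI: it parses the role_arn/source_profile links, walks every chain back to its credential source, and reports each profile whose chain ends at an admin-like role, with the hop count and whether mfa_serial is set. The config text, account IDs and role names are constructed, and the admin-name regex is an assumption to tune to your own naming scheme.

```python
"""Map role chains declared in an AWS CLI config file.

Added example, not hoop.dev's code. The CLI follows role_arn +
source_profile automatically, so ~/.aws/config is in effect a graph of
escalation paths; this walks it from every profile.
"""
import configparser
import re

# Constructed ~/.aws/config. "dev" is a plain access key; "ops" and
# "prod-admin" are role hops layered on top of it.
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile dev]
region = us-east-1

[profile ops]
role_arn = arn:aws:iam::111111111111:role/OpsReadOnly
source_profile = dev

[profile prod-admin]
role_arn = arn:aws:iam::222222222222:role/ProdAdministrator
source_profile = ops
mfa_serial = arn:aws:iam::111111111111:mfa/dev

[profile sso-audit]
sso_start_url = https://example.awsapps.com/start
sso_account_id = 333333333333
sso_role_name = SecurityAudit
"""

# Assumed heuristic for "admin-like" role names; adjust to your naming scheme.
ADMIN_PATTERN = re.compile(r"admin|poweruser", re.IGNORECASE)


def parse_profiles(text):
    """Return {profile_name: {key: value}} from ~/.aws/config text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        # ~/.aws/config names sections "profile X"; "default" has no prefix.
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def role_chain(profiles, name, _seen=None):
    """Role ARNs assumed when using `name`, first hop to last.

    Static-key and SSO profiles contribute no hop. A source_profile cycle
    is reported instead of recursing forever.
    """
    _seen = set() if _seen is None else _seen
    if name in _seen:
        raise ValueError(f"source_profile cycle at {name!r}")
    _seen.add(name)
    prof = profiles.get(name)
    if prof is None:
        raise KeyError(f"profile {name!r} is not defined")
    if "role_arn" not in prof:
        return []
    parent = prof.get("source_profile")
    if parent is None:
        # credential_source (EC2/ECS/environment) rather than another profile
        return [prof["role_arn"]]
    return role_chain(profiles, parent, _seen) + [prof["role_arn"]]


def escalation_paths(profiles):
    """Profiles whose chain ends in an admin-like role."""
    findings = []
    for name in profiles:
        chain = role_chain(profiles, name)
        if not chain:
            continue
        terminal_role_name = chain[-1].rsplit("/", 1)[-1]
        if ADMIN_PATTERN.search(terminal_role_name):
            findings.append({
                "profile": name,
                "hops": len(chain),
                "terminal_role": chain[-1],
                "mfa_serial": profiles[name].get("mfa_serial"),
            })
    return findings


if __name__ == "__main__":
    for finding in escalation_paths(parse_profiles(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a real file by reading ~/.aws/config into `parse_profiles`; the two-hop prod-admin path in the sample is exactly the shape that is invisible if you only look at the IAM user's own policy.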

How to Detect Privilege Escalation Before It’s Too Late

Real detection means going beyond generic CloudTrail searches. It requires mapping who can assume what, across all profiles, and watching for anomalies in real time. Key tactics include:

  • Cross-profile activity analysis: Alerts when a user or automation jumps from one profile to another unexpectedly.
  • Role assumption pattern mapping: Building a live graph of role trust relationships and detecting changes that create new escalation paths.
  • Tight permission baselines: Instant alerts when the identity behind a profile gains rights like iam:PassRole or iam:AttachRolePolicy, or gains sts:AssumeRole into an admin-like role.
  • Session correlation: Tying profile switches to specific processes, hosts, and users for accountability.
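These tactics translate directly into rules over CloudTrail records. What follows is an added example, written for this page and not hoop.dev's product logic, run over four constructed records: an IAM user assuming a read-only role from the CLI, that role session assuming an admin role, the new admin session attaching a managed policy, and a console login. Three rules fire: AssumeRole made by a session that is itself an assumed role (chaining), a CLI-sourced AssumeRole into an admin-like role, and IAM calls that grant new rights. Every alert carries the access key ID and source IP so hops can be correlated into one session. Account IDs, ARNs, IP addresses and the list of granting actions are assumptions.

```python
"""Flag role hops and permission grants in CloudTrail records.

Added example, not hoop.dev's code. Works on one JSON record per line,
the shape you get after unwrapping CloudTrail's "Records" array.
"""
import json
import re

# Assumed heuristic for admin-like role names; tune to your own scheme.
ADMIN_ROLE = re.compile(r"admin|poweruser", re.IGNORECASE)
# IAM writes that hand out new rights. Assumed starting list; extend it.
GRANTING_ACTIONS = {
    "AttachRolePolicy", "PutRolePolicy", "AttachUserPolicy",
    "PutUserPolicy", "UpdateAssumeRolePolicy", "CreateAccessKey",
}

# Constructed records, trimmed to the fields the rules read.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {   # hop 1: IAM user "dev" assumes OpsReadOnly from the CLI (benign)
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "userAgent": "aws-cli/2.15.0 Python/3.11",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000001",
                         "arn": "arn:aws:iam::111111111111:user/dev"},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/OpsReadOnly"},
    },
    {   # hop 2: the OpsReadOnly session assumes ProdAdministrator
        "eventTime": "2024-05-01T10:00:04Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "userAgent": "aws-cli/2.15.0 Python/3.11",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000002",
                         "arn": "arn:aws:sts::111111111111:assumed-role/OpsReadOnly/dev"},
        "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/ProdAdministrator"},
    },
    {   # the new admin session attaches a managed policy to another role
        "eventTime": "2024-05-01T10:00:09Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachRolePolicy", "userAgent": "aws-cli/2.15.0 Python/3.11",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000003",
                         "arn": "arn:aws:sts::222222222222:assumed-role/ProdAdministrator/dev"},
        "requestParameters": {"roleName": "OpsReadOnly",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
    {   # console login: no rule should fire
        "eventTime": "2024-05-01T10:30:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "userAgent": "Mozilla/5.0",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": None,
    },
]]


def rules_for(ev):
    """Yield (rule, detail) pairs for one CloudTrail record."""
    ident = ev.get("userIdentity", {})
    params = ev.get("requestParameters") or {}
    if ev.get("eventName") == "AssumeRole":
        target = params.get("roleArn", "")
        target_name = target.rsplit("/", 1)[-1]
        if ident.get("type") == "AssumedRole":
            # The caller is already a role session: this is role chaining.
            yield "role_chaining", f"{ident.get('arn')} -> {target}"
        if ADMIN_ROLE.search(target_name) and ev.get("userAgent", "").startswith("aws-cli/"):
            yield "cli_admin_assume", target
    if ev.get("eventSource") == "iam.amazonaws.com" and ev.get("eventName") in GRANTING_ACTIONS:
        yield "iam_grant", f"{ev['eventName']} {params}"


def detect(lines):
    """Run every rule over JSON lines; return alerts with correlation keys."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        for rule, detail in rules_for(ev):
            alerts.append({
                "rule": rule, "time": ev.get("eventTime"),
                "actor": ident.get("arn"), "access_key": ident.get("accessKeyId"),
                "source_ip": ev.get("sourceIPAddress"), "detail": detail,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The role_chaining rule is the one most generic CloudTrail searches miss: filtering on eventName alone shows two ordinary AssumeRole calls, while the userIdentity.type of the second call is what reveals that a session, not a user, made the jump.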

Best Practices to Reduce Exposure

  • Limit sts:AssumeRole access to only what's needed: scope trust policies to named principals rather than whole accounts, and add Condition keys such as aws:MultiFactorAuthPresent, sts:ExternalId, and aws:PrincipalArn.
  • Enforce MFA on sensitive role assumptions in the trust policy, and set mfa_serial on the matching CLI profiles so the CLI prompts for the code.
  • Audit ~/.aws/credentials and ~/.aws/config for unused or risky profiles.
  • Remove broad wildcard permissions and unused policies.
  • Continuously test escalation scenarios in staging to catch gaps before attackers do.
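The first two practices live in the role's trust policy, and their absence is easy to audit. Here is an added example, written for this page rather than taken from hoop.dev or AWS, that checks every sts:AssumeRole statement for a whole-account or wildcard principal, a missing aws:MultiFactorAuthPresent condition, and a cross-account principal with no sts:ExternalId. The two policies are constructed: the first is the permissive pattern described earlier, the second its hardened equivalent. Account IDs, role names and the external ID value are made up.

```python
"""Audit IAM role trust policies for missing conditions.

Added example, not hoop.dev's code. Input is the trust policy JSON
(what `aws iam get-role` returns as AssumeRolePolicyDocument) plus the
account that owns the role.
"""
import json

# Constructed: trusts an entire account, with no conditions at all.
WEAK_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed: one named role may assume, only with MFA and an external ID.
HARDENED_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/OpsReadOnly"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "StringEquals": {"sts:ExternalId": "example-external-id-0001"},
        },
    }],
})

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Account ID for an AWS principal (bare ID or ARN); None for '*'."""
    if principal == "*":
        return None
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    return principal  # bare 12-digit account ID form


def audit_trust_policy(policy_json, role_account):
    """Return a list of (statement_index, finding) tuples; empty means clean."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        # Condition keys are case-insensitive; flatten across all operators.
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        for p in aws_principals:
            acct = _account_of(p)
            if p == "*":
                findings.append((i, "principal is a wildcard"))
            elif p.endswith(":root") or p == acct:
                findings.append((i, f"principal is the whole account {acct}"))
            if acct != role_account and "sts:externalid" not in cond_keys:
                findings.append((i, f"cross-account principal {p} without sts:ExternalId"))
        # Service principals (e.g. ec2.amazonaws.com) cannot present MFA, so
        # the MFA check applies only when AWS principals are trusted.
        if aws_principals and "aws:multifactorauthpresent" not in cond_keys:
            findings.append((i, "no aws:MultiFactorAuthPresent condition"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST), ("hardened", HARDENED_TRUST)):
        print(name, audit_trust_policy(doc, role_account="222222222222"))
```

Feed it the AssumeRolePolicyDocument of every role in every account and the output is the list of roles where the best practices above are not yet enforced.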

Privilege escalation is not a rare AWS misconfiguration—it’s an attack vector that’s used every day. By the time you find the breadcrumb trail in your logs, the blast radius could be massive. The only winning move is to detect suspicious profile-to-profile jumps the moment they happen.

That’s exactly what you can see in action, live, in minutes with hoop.dev—real-time privilege escalation alerts across AWS CLI-style profiles, with zero blind spots.

Want to see what’s happening between your profiles right now? Go to hoop.dev, connect your AWS accounts, and watch as escalation paths light up before attackers can use them.