Lateral movement

Privileged Instance Profile – Pass Role


IAM instance profiles attach an IAM role to EC2 instances so that code running on the instance can call AWS APIs with the role's permissions. The instance profile {AwsIamInstanceProfile}, which is attached to {AwsIamInstanceProfile.Ec2Instances|count} instances, carries a role whose policy allows iam:PassRole on any role. Passing a role to a service grants that service the ability to call the AWS API with the role's permissions. On its own, iam:PassRole does nothing; the risk arises when the same policy can also create or configure a resource that accepts a passed role (for example ec2:RunInstances or lambda:CreateFunction). In that case an attacker who compromises one of these instances can pass a role with administrative privileges to a resource they control, such as a new EC2 instance or Lambda function, and act through it with escalated permissions.
  • Recommended Mitigation

    Review the instance profile's policy. The escalation requires iam:PassRole together with at least one action that creates or drives a service able to assume a passed role, so remove whichever of the following actions the workload does not need: iam:PassRole, lambda:CreateFunction, lambda:InvokeFunction, lambda:CreateEventSourceMapping, glue:CreateDevEndpoint, glue:GetDevEndpoint, cloudformation:CreateStack, cloudformation:DescribeStacks, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline, ec2:RunInstances. Where iam:PassRole is genuinely required, do not grant it on Resource "*": restrict the Resource element to the specific role ARNs the workload passes and add an iam:PassedToService condition naming the intended service principal. Note that a role can only be passed to a service that its trust policy allows to assume it, so also review which privileged roles in the account trust ec2.amazonaws.com, lambda.amazonaws.com and similar service principals.
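
    The following is an added example, not part of the original finding and not code from the scanning product that generated it. It is a small offline checker that reads an IAM policy document and reports whether iam:PassRole is granted on any role without an iam:PassedToService condition, and which of the service actions listed above the same policy also grants; the combination is the escalation path the finding describes. Both sample policies, the role name app-lambda-exec and the account ID 123456789012 are constructed for the example.

```python
"""Offline check for the PassRole escalation pattern in an IAM policy document.

Added illustrative example (not from the original finding). Evaluates a policy
JSON with no AWS calls: Deny statements and non-PassRole conditions are ignored,
so the result is a conservative over-approximation of what the policy allows.
"""
import fnmatch
import json

# Actions that create or drive a resource which can carry a passed role.
# Same list as the finding's recommended mitigation.
SERVICE_ACTIONS = {
    "lambda:CreateFunction", "lambda:InvokeFunction",
    "lambda:CreateEventSourceMapping",
    "glue:CreateDevEndpoint", "glue:GetDevEndpoint",
    "cloudformation:CreateStack", "cloudformation:DescribeStacks",
    "datapipeline:CreatePipeline", "datapipeline:PutPipelineDefinition",
    "datapipeline:ActivatePipeline",
    "ec2:RunInstances",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, candidates):
    """Return the subset of `candidates` that some Allow statement grants."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in candidates if _matches(pattern, a))
    return granted


def passrole_statements(policy):
    """Allow statements whose Action element covers iam:PassRole."""
    return [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow"
        and any(_matches(p, "iam:PassRole") for p in _as_list(s.get("Action")))
    ]


def analyze(policy):
    """Classify a policy document.

    Returns {"passrole": bool, "unrestricted": bool, "services": set}.
    'unrestricted' means PassRole on any role ('*' or '...:role/*') with no
    iam:PassedToService condition key in the statement.
    """
    findings = {"passrole": False, "unrestricted": False, "services": set()}
    for stmt in passrole_statements(policy):
        findings["passrole"] = True
        resources = _as_list(stmt.get("Resource"))
        cond = stmt.get("Condition", {})
        wildcard = any(r == "*" or r.endswith(":role/*") for r in resources)
        # Condition is {operator: {key: value}}; look for the key under any operator.
        scoped = any("iam:PassedToService" in inner for inner in cond.values())
        if wildcard and not scoped:
            findings["unrestricted"] = True
    if findings["passrole"]:
        findings["services"] = allowed_actions(policy, SERVICE_ACTIONS)
    return findings


def is_escalation_path(policy):
    """True when unrestricted PassRole is paired with a service-creating action."""
    f = analyze(policy)
    return f["unrestricted"] and bool(f["services"])


# Constructed sample: the permissive shape the finding describes.
PERMISSIVE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"],
     "Resource": "*"}
  ]
}
""")

# Constructed sample: same workload need, with PassRole limited to one role
# (hypothetical ARN) and to the Lambda service principal.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app-lambda-exec",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Allow",
     "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"],
     "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        verdict = "ESCALATION PATH" if is_escalation_path(pol) else "ok"
        print(f"{name}: {analyze(pol)} -> {verdict}")
```

    The scoped policy is still reported as granting PassRole and lambda:CreateFunction, which is correct: scoping only helps if the one role it may pass (here app-lambda-exec) is itself least-privilege, so that role's policy and trust policy need the same review.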