Lateral movement

Privileged Instance Profile – Pass Role

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks

Description

IAM Instance Profiles are used to attach IAM Roles to EC2 Instances in order to grant them permissions to different AWS APIs. The instance profile {AwsIamInstanceProfile}, which is connected to {AwsIamInstanceProfile.Ec2Instances|count} instances, was found to have a role with permissive permissions that allows the user the ability to pass a role to a service. By passing a role to a service, a user may grant that service the ability to interact with the AWS API with the permissions of that role. By allowing a user to pass any role, an attacker may pass a role with administrative privileges to a service they control, such as an EC2 Instance or Lambda Function, and act through this service with escalated permissions.
  • Recommended Mitigation

    Review the instance profile's policy and consider removing any of the following actions: iam:PassRole, lambda:CreateFunction, lambda:InvokeFunction, lambda:CreateEventSourceMapping, glue:CreateDevEndpoint, glue:GetDevEndpoint, cloudformation:CreateStack, cloudformation:DescribeStacks, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline, ec2:RunInstances