Lateral movement

Privileged Instance Profile – Policy Attachment

Risk Level

Hazardous (3)

Compliance Frameworks


IAM Instance Profiles are used to attach IAM Roles to EC2 Instances in order to grant them permissions to different AWS APIs. The instance profile {AwsIamInstanceProfile}, which is connected to {AwsIamInstanceProfile.Ec2Instances|count} instances, was found to have a role with permissive permissions that allow one or more of the following actions:

1. Create or update an inline policy. An inline policy is a policy that is embedded in an IAM identity (a user, group, or role); that is, the policy is an inherent part of the identity. By leveraging this ability, an attacker may alter the inline policy to grant themselves additional privileges.

2. Attach a managed policy. Managed policies are standalone policies that are created and administered by either AWS or the customer. "Standalone" means that the policy has its own Amazon Resource Name (ARN) that includes the policy name, and may be attached to multiple principals. By leveraging this ability, an attacker may attach a more privileged managed policy, such as "AdministratorAccess", to themselves.

3. Update a role's trust policy. A role's trust policy defines which entities may assume that role, and under which conditions. By leveraging this ability, an attacker may alter a more privileged role's trust policy in order to allow themselves to assume it.
  • Recommended Mitigation

    Review the instance profile's policy and consider removing any of the following actions: iam:PutGroupPolicy, iam:PutRolePolicy, iam:PutUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:AttachUserPolicy, iam:UpdateAssumeRolePolicy
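The review above is easy to get wrong by grepping for the exact action names, because IAM matches actions case-insensitively and honours wildcards such as iam:Put* or a NotAction grant. The following added example (not part of this control or any vendor tool) evaluates a policy document offline and reports which of the listed actions it effectively grants, taking explicit Deny statements into account; the sample policy is constructed for illustration.

```python
import fnmatch

# The privilege-escalation actions the control flags (from the mitigation list).
RISKY_ACTIONS = {
    "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy",
    "iam:UpdateAssumeRolePolicy",
}

def _as_list(value):
    """Action/NotAction/Statement may be a single string/object or a list."""
    return [] if value is None else ([value] if isinstance(value, (str, dict)) else list(value))

def _covered(patterns, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def find_risky_actions(policy_document):
    """Return the subset of RISKY_ACTIONS a policy document grants.

    Collects actions from Allow statements (Action or NotAction form), then
    removes any covered by an explicit Deny, since Deny always wins. Resource
    and Condition are deliberately ignored: a scoped grant still merits review.
    """
    allowed, denied = set(), set()
    for st in _as_list(policy_document.get("Statement")):
        target = allowed if st.get("Effect") == "Allow" else denied
        for action in RISKY_ACTIONS:
            if "Action" in st and _covered(st["Action"], action):
                target.add(action)
            elif "NotAction" in st and not _covered(st["NotAction"], action):
                target.add(action)
    return allowed - denied

# Constructed sample: looks narrow, but "iam:Put*" and a lower-cased
# "iam:attachrolepolicy" both grant flagged actions; one is explicitly denied.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "iam:Put*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:attachrolepolicy", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:PutUserPolicy", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(sorted(find_risky_actions(SAMPLE_POLICY)))
    # prints ['iam:AttachRolePolicy', 'iam:PutGroupPolicy', 'iam:PutRolePolicy']
```

To apply it to a live profile, feed it the documents returned for each of the role's inline and attached policies; a non-empty result is the signal to review that role.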