Lateral movement

Privileged Managed Policy – Pass Role

Description

An IAM Managed Policy is a standalone AWS object that, when attached to an identity (user, group or role), defines that identity's permissions. The policy {AwsIamManagedPolicy} was found to grant iam:PassRole permissively, which lets the user pass a role to an AWS service. Passing a role to a service grants that service the ability to call the AWS API with the permissions of that role. If the user may pass any role, an attacker holding the user's credentials can pass a role with administrative privileges to a service they control, such as an EC2 instance or a Lambda function, and act through that service with the escalated permissions.
  • Recommended Mitigation

    Review the policy and remove iam:PassRole, or pin its Resource to the specific role(s) the user legitimately needs to pass. Where iam:PassRole must remain broad, break every one of the following action combinations that the policy also grants, since each lets the user run code under a passed role: (lambda:CreateFunction together with lambda:InvokeFunction or lambda:CreateEventSourceMapping), (glue:CreateDevEndpoint, glue:GetDevEndpoint or glue:GetDevEndpoints), (cloudformation:CreateStack, cloudformation:DescribeStacks), (datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline)
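The following script is an added example, not code from the original page or from the tool this finding belongs to. It statically checks a managed policy document for the combination described above: an iam:PassRole grant whose Resource leaves the role name open, together with one of the action groups in the mitigation list. The sample policies, the account ID, the role and function names, and the group labels are constructed for the example; the script looks at Allow statements only, with no Deny, NotAction or cross-policy evaluation, so it is a triage aid rather than a replacement for the IAM policy simulator.

```python
"""Static check for the iam:PassRole escalation combinations listed above.

Added example, not code from the original page or the tool the finding
belongs to. Evaluates one policy document on its own: Allow statements with
Action only, no Deny, NotAction or NotResource handling, and no merging of
other attached policies.
"""
import fnmatch
import json

# Action groups that, combined with an unrestricted iam:PassRole, let the
# principal run code under a role of its choosing (the page's mitigation list).
# The event-source-mapping path needs lambda:CreateFunction too, because the
# function that runs under the passed role must exist before it is triggered.
# glue:GetDevEndpoints would serve as well as glue:GetDevEndpoint.
ESCALATION_GROUPS = {
    "lambda-invoke": ("lambda:CreateFunction", "lambda:InvokeFunction"),
    "lambda-event-source": ("lambda:CreateFunction", "lambda:CreateEventSourceMapping"),
    "glue-dev-endpoint": ("glue:CreateDevEndpoint", "glue:GetDevEndpoint"),
    "cloudformation-stack": ("cloudformation:CreateStack", "cloudformation:DescribeStacks"),
    "datapipeline": ("datapipeline:CreatePipeline",
                     "datapipeline:PutPipelineDefinition",
                     "datapipeline:ActivatePipeline"),
}


def _as_list(value):
    """Action and Resource may be a string or a list in IAM JSON; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements_granting(policy, action):
    """Allow statements whose Action patterns match `action`.

    IAM action names are case-insensitive and support * and ?, which fnmatch
    handles the same way.
    """
    wanted = action.lower()
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if any(fnmatch.fnmatchcase(wanted, p.lower()) for p in _as_list(stmt["Action"])):
            hits.append(stmt)
    return hits


def resource_covers_any_role(resource):
    """True if the Resource pattern leaves the role name open (*, role/*, role/svc-*).

    The role name decides which privileges get passed, so a wildcard there is
    what makes PassRole permissive; an account-ID wildcard alone does not.
    """
    role_part = resource.split("role/")[-1]
    return "*" in role_part


def find_passrole_escalations(policy):
    """Escalation group names this policy enables via an unrestricted iam:PassRole.

    Returns [] when iam:PassRole is absent or pinned to named roles. An
    iam:PassedToService condition alone does not clear the finding: it limits
    the target service, not which role may be passed.
    """
    unrestricted = [
        s for s in statements_granting(policy, "iam:PassRole")
        if any(resource_covers_any_role(r) for r in _as_list(s.get("Resource")))
    ]
    if not unrestricted:
        return []
    return sorted(
        name for name, actions in ESCALATION_GROUPS.items()
        if all(statements_granting(policy, a) for a in actions)
    )


# Constructed sample policies (not from the original page); IDs and names are made up.
VULNERABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"},
    ],
}

# Same Lambda capabilities, but PassRole is pinned to one role and one service.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/order-processor-lambda",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"],
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:order-*"},
    ],
}

# PassRole wildcarded over every role in the account, paired with CloudFormation.
CFN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/*"},
        {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for label, policy in [("vulnerable", VULNERABLE_POLICY),
                          ("hardened", HARDENED_POLICY),
                          ("cloudformation", CFN_POLICY)]:
        print(label, json.dumps(find_passrole_escalations(policy)))
```

The hardened sample shows the shape of the fix the mitigation calls for: the Lambda actions stay, but iam:PassRole names the one role the function legitimately runs as, so the user cannot hand an administrative role to a function they create.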