Lateral movement

Privileged Role – Assume Role

Risk Level

Hazardous (3)

Compliance Frameworks


An IAM Role is an identity with permission policies that determine what the identity can do in AWS. A role does not have any credentials (password or access keys) associated with it. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. The role {AwsIamRole} was found with a permissive policy that allows it to assume any role, temporarily granting whoever holds it the privileges of that role. By allowing an entity to assume any role in the account, an attacker may choose to assume a highly privileged role, which may lead to full account takeover.
Recommended Mitigation

Review the role's policy and consider removing any of the following actions: sts:AssumeRole
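The following Python script is an added example (not part of this rule text or the tool's own detection logic) that shows what the finding above looks like at the policy level and how a reviewer can check for it offline. It parses an IAM policy document, finds Allow statements whose Action covers sts:AssumeRole (including wildcards such as sts:* or *) and whose Resource is a wildcard over roles, and reports them. Both policy documents are constructed for the example, and the account ID and role name in the restricted policy are placeholders. The restricted policy illustrates the alternative to removing the action outright: scoping Resource to the exact role ARN that is actually needed.

```python
import fnmatch
import json

# Constructed sample: the over-permissive policy this finding describes.
# Any principal holding the role can become any role it is trusted by.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AssumeAnything", "Effect": "Allow",
         "Action": "sts:AssumeRole", "Resource": "*"}
    ]
})

# Constructed sample: the same permission scoped to one named role.
# Account ID and role name are placeholders, not real identifiers.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AssumeOneRole", "Effect": "Allow",
         "Action": ["sts:AssumeRole"],
         "Resource": "arn:aws:iam::123456789012:role/ReadOnlyAuditor"}
    ]
})


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_covers(pattern, action):
    """True if an IAM action pattern (case-insensitive, '*' wildcard) matches action."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def resource_is_broad(resource):
    """True if the resource lets the caller pick arbitrary roles.

    '*' matches everything; a role ARN is treated as broad when the account
    part or the role-name part contains a wildcard (a prefix such as
    role/App-* is still flagged, conservatively, as 'any role matching').
    """
    if resource == "*":
        return True
    prefix = "arn:aws:iam::"
    if resource.startswith(prefix) and ":role/" in resource:
        account, _, name = resource[len(prefix):].partition(":role/")
        return "*" in account or "*" in name
    return False


def find_unrestricted_assume_role(policy):
    """Return the Allow statements granting sts:AssumeRole on a wildcard resource.

    `policy` may be a JSON string or an already-parsed dict. Each finding
    records the statement Sid (or its index), the offending resources, and
    whether the statement carries a Condition block that a reviewer should
    inspect before deciding the grant is truly unrestricted.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(action_covers(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        broad = [r for r in _as_list(stmt.get("Resource")) if resource_is_broad(r)]
        if broad:
            findings.append({
                "sid": stmt.get("Sid", f"statement[{idx}]"),
                "resources": broad,
                "conditioned": "Condition" in stmt,
            })
    return findings


if __name__ == "__main__":
    for label, doc in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(label, find_unrestricted_assume_role(doc))
```

The check deliberately looks only at the role's permission (identity) policy, which is what this finding concerns; whether a target role's trust policy actually lets this role assume it is a separate question, so a hit here means "can request any role it is trusted by", and the `conditioned` flag tells the reviewer that a Condition narrows the grant and needs a manual look.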