PassRole to Lambda
Severity: high. Category: Privilege Escalation.
An attacker with iam:PassRole and lambda:CreateFunction can create a Lambda function with a privileged execution role and invoke it to escalate privileges.
Required Permissions
iam:PassRole, lambda:CreateFunction, lambda:InvokeFunction
Description
This technique chains iam:PassRole (to assign a privileged role to a new Lambda function) with lambda:CreateFunction and lambda:InvokeFunction (to run code as that role).
The attack flow:
1. Identify a highly privileged IAM role whose trust policy allows lambda.amazonaws.com to assume it.
2. Create a new Lambda function containing the attacker's code, specifying the privileged role as the execution role.
3. Invoke the function; the code runs with the privileges of the assigned role.
4. The Lambda function can perform any action the role allows, such as creating admin users or exfiltrating data.
This is a common real-world privilege escalation path because many environments have powerful Lambda execution roles that trust the Lambda service, while the iam:PassRole grants in the account do not restrict which principals may pass those roles.
Impact
Access to all permissions granted to the target Lambda execution role. If the role has admin access, full account compromise.
Detection
Monitor for Lambda functions created with high-privilege execution roles. Alert on iam:PassRole calls targeting sensitive roles.
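The following detector is an added example for this section and is not code from the original page. It works on CloudTrail records, where iam:PassRole is evaluated as an inline authorization check rather than logged as its own event: the role being passed appears as the "role" request parameter of the Lambda CreateFunction event (and of UpdateFunctionConfiguration, which this example also covers because swapping the role on an existing function requires the same permission and ends in the same place). The sample events, account ID, role ARNs, user names and function names are constructed placeholders; the list of sensitive roles is assumed to be maintained by the defender.

```python
"""Find Lambda create/update events that pass a sensitive execution role.

Added example for the Detection section; it is not code from the original page.
CloudTrail does not record iam:PassRole as a separate event: the pass is an
inline authorization check, and the passed role appears as the "role" request
parameter of the Lambda CreateFunction or UpdateFunctionConfiguration event.
Account ID, role ARNs, user names and function names are constructed.
"""

# Roles considered sensitive (assumption: maintained by the defender).
SENSITIVE_ROLES = {
    "arn:aws:iam::123456789012:role/lambda-admin-role",
    "arn:aws:iam::123456789012:role/data-pipeline-full-access",
}

# CloudTrail uses versioned Lambda API names. UpdateFunctionConfiguration is
# included because changing the role of an existing function also requires
# iam:PassRole.
ROLE_PASSING_EVENTS = {
    "CreateFunction20150331",
    "UpdateFunctionConfiguration20150331v2",
}

# Constructed sample records, trimmed to the fields the detector reads.
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunction20150331",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {
            "functionName": "nightly-report",
            "role": "arn:aws:iam::123456789012:role/lambda-admin-role",
        },
    },
    {
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunction20150331",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-bob"},
        "requestParameters": {
            "functionName": "thumbnail-resize",
            "role": "arn:aws:iam::123456789012:role/thumbnail-resize-role",
        },
    },
    {
        "eventTime": "2024-05-01T10:07:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionConfiguration20150331v2",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-bob"},
        "requestParameters": {
            "functionName": "thumbnail-resize",
            "role": "arn:aws:iam::123456789012:role/data-pipeline-full-access",
        },
    },
    {
        "eventTime": "2024-05-01T10:09:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunction20150331",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-eve"},
        "errorCode": "AccessDenied",
        "requestParameters": {
            "functionName": "helper",
            "role": "arn:aws:iam::123456789012:role/lambda-admin-role",
        },
    },
]


def find_sensitive_role_passes(events, sensitive_roles=SENSITIVE_ROLES):
    """Return one finding per Lambda event that passes a sensitive role.

    Denied attempts are kept (succeeded=False): a principal trying to pass
    an admin role is worth an alert even when IAM refused the call.
    """
    findings = []
    for ev in events:
        if ev.get("eventSource") != "lambda.amazonaws.com":
            continue
        if ev.get("eventName") not in ROLE_PASSING_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        role = params.get("role")
        if role not in sensitive_roles:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "event": ev["eventName"],
            "function": params.get("functionName"),
            "role": role,
            "succeeded": "errorCode" not in ev,
        })
    return findings


if __name__ == "__main__":
    for f in find_sensitive_role_passes(SAMPLE_EVENTS):
        status = "OK" if f["succeeded"] else "DENIED"
        print(f"{f['time']} {status:6} {f['actor']} {f['event']} "
              f"function={f['function']} role={f['role']}")
```

Run against the constructed sample, the detector reports the two successful passes of sensitive roles (one at creation, one via a role change on an existing function) and the denied attempt by contractor-eve, while the benign thumbnail-resize creation produces nothing. In production the same function would be fed CloudTrail records from S3 or a SIEM, and the sensitive-role set would be derived from the roles whose trust policy names lambda.amazonaws.com and whose attached policies are broad.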
Mitigation
Scope iam:PassRole to specific role ARNs using conditions. Ensure Lambda execution roles follow least privilege. Use SCPs to restrict which roles can be passed.
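The checker below is an added example for this section, not code from the original page. It shows the weak iam:PassRole grant beside its scoped form and a small linter that flags the weak one: a statement is reported when it allows iam:PassRole (directly or through a wildcard such as iam:*) and either its Resource covers every role or it lacks an iam:PassedToService condition pinning the consuming service to Lambda. The role ARNs and account ID are placeholders.

```python
"""Flag IAM statements that grant iam:PassRole without proper scoping.

Added example for the Mitigation section; not code from the original page.
Role ARNs and the account ID are placeholders.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def unscoped_passrole_statements(policy):
    """Return [(statement_index, [reasons])] for weakly scoped PassRole grants."""
    problems = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # fnmatch handles IAM action wildcards such as "iam:*" or "*".
        if not any(fnmatch.fnmatch("iam:passrole", a) for a in actions):
            continue

        reasons = []
        resources = _as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith(":role/*") for r in resources):
            reasons.append("Resource permits passing any role")

        # Collect iam:PassedToService values across all condition operators.
        passed_to = []
        for keys in stmt.get("Condition", {}).values():
            for key, value in keys.items():
                if key.lower() == "iam:passedtoservice":
                    passed_to.extend(_as_list(value))
        if not passed_to:
            reasons.append("no iam:PassedToService condition")
        elif any("*" in svc for svc in passed_to):
            reasons.append("iam:PassedToService uses a wildcard")

        if reasons:
            problems.append((idx, reasons))
    return problems


# Weak setting: the principal may pass any role in the account to any service.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Corrected setting: one named role, and only when Lambda is the consumer.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/thumbnail-resize-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, unscoped_passrole_statements(pol) or "ok")
```

The scoped statement removes both halves of the escalation: the principal can only pass the one role intended for its own function, and only to Lambda, so a high-privilege role that happens to trust lambda.amazonaws.com is no longer reachable through this permission. The same check can be run over policies pulled with the IAM API, and the per-role restriction can be mirrored at the organization level with an SCP as the section suggests.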