C-AWS-ASSUMEROLE-CHAINLateral Movement

AWS sts:AssumeRole Chain

Hop across trust relationships (cross-account, cross-service) via STS — common when role trust policies are over-broad.

§ Where this technique fits

C-AWS-ASSUMEROLE-CHAIN is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, typically at step 4.7 on average.

§ Dossiers chaining this technique

GitHub OIDC trust over-broad → AWS admin
An IAM role trusts GitHub Actions OIDC with a wildcard 'repo:*' subject. Any attacker GitHub repo can assume the role and run with its privileges.
step 4 / 6
SSRF → IMDS → AssumeRole chain → Org admin
A web SSRF leaks the EC2 instance role; iam:PassRole + sts:AssumeRole hops across two member accounts land you with AdministratorAccess in the organisation's management account.
step 4 / 9
pull_request_target injection → secrets → cloud takeover
A GitHub Actions workflow runs on pull_request_target and checks out the PR's head SHA. The attacker's PR injects code that runs with the base repo's secrets, including a cloud deploy role.
step 6 / 7

§ What commonly comes next

01
AWS IAM Backdoor User / Access Key
C-AWS-IAM-BACKDOOR · Persistence
seen 1×
02
AWS iam:AttachUserPolicy → AdminAccess
C-AWS-IAM-ADDUSER-POLICY · Privilege Escalation
seen 1×
03
AWS iam:PassRole Chain
C-AWS-IAM-PASSROLE · Privilege Escalation
seen 1×
04
Secrets Manager / Key Vault Dump
C-SECRETS-MANAGER-DUMP · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

GitHub OIDC trust over-broad → AWS admin

SSRF → IMDS → AssumeRole chain → Org admin

pull_request_target injection → secrets → cloud takeover

§ What commonly comes next