AWS iam:PassRole Chain
Pass a higher-privileged role to a service (EC2, Lambda, Glue) that you are allowed to launch; the service then runs with the elevated role.
§ Where this technique fits
C-AWS-IAM-PASSROLE is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 5.7 on average.
§ Dossiers chaining this technique
- step 5 / 6: Secret echoed to public build log → cloud takeover
  A workflow accidentally runs `env` or `set -x` during debugging — the AWS access key is now in public CI logs and indexed by Google Cache / GitHub search.
- step 5 / 9: SSRF → IMDS → AssumeRole chain → Org admin
  A web SSRF leaks the EC2 instance role; iam:PassRole + sts:AssumeRole hops across two member accounts land you with AdministratorAccess in the organisation's management account.
- step 7 / 7: Public bucket → CI/CD secret leak → cloud takeover
  A public S3 bucket hosts a build artefact containing CI tokens / .env files. Use them to push to the prod CI/CD pipeline and gain a deploy role.
§ What commonly comes next
- 01 · AWS Lambda Code Update → RCE · seen 1× · C-AWS-LAMBDA-EXEC · Execution
- 02 · S3 / Blob / GCS Mass Exfil · seen 1× · C-S3-EXFIL · Collection