AWS policy allows passing any role
Description
AlphaSOC detected an AWS IAM policy that grants the iam:PassRole permission
with a Resource of "*" (or an equivalent wildcard that covers every role).
iam:PassRole lets a principal hand an IAM role to an AWS service, such as an
EC2 instance, which then runs with that role's permissions. A principal that
can pass any role, and can also launch or configure a service that accepts one,
effectively obtains the permissions of every role in the account. Threat actors
can use this to escalate privileges, reach resources they are not otherwise
authorized to access, or manipulate AWS services under an elevated role.
Impact
iam:PassRole does not by itself let a principal assume a role, but a threat
actor holding an overly permissive iam:PassRole grant together with permission
to create a service that accepts a role (for example ec2:RunInstances) can
attach any role in the environment, including administrative roles, to a
resource they control and act through it. This could result in unauthorized
access to sensitive data, manipulation of AWS resources, and breaches of
compliance requirements.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS policy allows passing any role |
Investigation and Remediation
Review the IAM policy and identify the users, groups and roles it is attached
to (for a managed policy, `aws iam list-entities-for-policy` lists them).
Determine whether those principals genuinely need to pass arbitrary roles; in
most cases a workload passes one or two known roles to one known service. If
the broad grant is not required, change the statement's Resource from "*" to
the ARNs of the specific roles that are passed, and add an
`iam:PassedToService` condition naming the service that receives them. Also
check CloudTrail for calls by those principals that passed a role (for example
RunInstances with an instance profile) to confirm the permission was not
already abused. After making changes, test the policy, for example with
`aws iam simulate-principal-policy`, to ensure that passing an unrelated role
is now denied while the legitimate operations still succeed.
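The following is an added example, not part of the original page or AlphaSOC's
own detection code. It shows the overly permissive policy described above next
to a restricted version, and a small checker that flags any Allow statement
granting iam:PassRole (directly or through an `iam:*` or `*` wildcard) on every
role, while ignoring Deny statements and role-specific ARNs. The policy
documents, the account ID 123456789012 and the role name app-instance-role are
constructed for illustration; in practice the checker would be fed the
documents returned by `aws iam get-policy-version` or the inline-policy APIs.

```python
import fnmatch
import json

# Constructed sample policies (not from the original page).
# 1) The finding: PassRole on every resource, alongside RunInstances.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "iam:PassRole"],
        "Resource": "*",
    }],
})

# 2) A wildcard variant: iam:* on every role in one (constructed) account.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllIamOnRoles",
        "Effect": "Allow",
        "Action": "iam:*",
        "Resource": "arn:aws:iam::123456789012:role/*",
    }],
})

# 3) The remediated form: one named role, passable only to EC2.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/app-instance-role",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
        # A Deny on "*" must not be reported as a broad grant.
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringNotEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
})


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches_passrole(action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase("iam:passrole", action.lower())


def _resource_covers_any_role(resource):
    """True for '*' and for role ARNs whose role part is itself a wildcard."""
    r = resource.lower()
    if r == "*":
        return True
    parts = r.split(":", 5)  # arn:partition:service:region:account:resource
    return len(parts) == 6 and parts[2] in ("iam", "*") and parts[5] in ("role/*", "*")


def find_broad_passrole(policy_json):
    """Return one finding per Allow statement that grants iam:PassRole on every role.

    Deny statements and statements using NotAction/NotResource are skipped;
    the latter need separate review rather than a blind match.
    """
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue
        actions = [a for a in _as_list(stmt["Action"]) if _action_matches_passrole(a)]
        resources = [r for r in _as_list(stmt["Resource"]) if _resource_covers_any_role(r)]
        if not actions or not resources:
            continue
        # A PassedToService condition limits which service receives the role
        # but still allows any role to be passed, so it is recorded for triage
        # rather than treated as a fix.
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        findings.append({
            "statement": stmt.get("Sid", f"#{idx}"),
            "actions": actions,
            "resources": resources,
            "limited_to_service": "iam:passedtoservice" in cond_keys,
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("wildcard", WILDCARD_POLICY),
                         ("restricted", RESTRICTED_POLICY)):
        print(name, find_broad_passrole(policy))
```

Running the block prints a finding for the broad and wildcard policies and an
empty list for the restricted one. The account-scoped `role/*` ARN is still
reported because it lets every role in that account be passed, which is the
condition this alert describes.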