AWS API calls indicating CloudFormation privilege escalation
Description
AlphaSOC detected an IAM policy change granting permissions for privilege
escalation through AWS CloudFormation. This detection identifies policies
combining iam:PassRole with either cloudformation:CreateStack or
cloudformation:UpdateStack. The detection triggers on CreatePolicy,
CreatePolicyVersion, PutUserPolicy, PutGroupPolicy, PutRolePolicy,
AttachUserPolicy, AttachRolePolicy, or AttachGroupPolicy events that
introduce these permissions.
These permissions enable privilege escalation by allowing an attacker to create or update CloudFormation stacks with an IAM service role that has higher privileges than they currently hold. CloudFormation executes templates using the passed role's permissions, enabling the attacker to provision resources they couldn't create directly. Malicious templates can create Lambda functions with privileged execution roles, launch EC2 instances with elevated instance profiles, create IAM users or roles with administrative policies, or modify security groups and resource policies to grant broader access. Since CloudFormation is a legitimate infrastructure automation tool, these malicious stack deployments blend with normal operational activity.
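The following is an added example, not AlphaSOC's detection code: it applies the rule's condition (iam:PassRole combined with cloudformation:CreateStack or cloudformation:UpdateStack, including wildcard grants such as cloudformation:* or *) to the policyDocument carried in the requestParameters of the IAM policy-change events listed above. The CloudTrail records are constructed samples; the function and field names beyond the standard CloudTrail ones are assumptions.

```python
import fnmatch
import json
# IAM policy-change events the detection watches (names from the rule description)
POLICY_EVENTS = {"CreatePolicy", "CreatePolicyVersion", "PutUserPolicy", "PutGroupPolicy",
                 "PutRolePolicy", "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
STACK_ACTIONS = ("cloudformation:CreateStack", "cloudformation:UpdateStack")

def allowed_action_patterns(policy_doc):
    """Action patterns from Allow statements; Statement and Action may be one value or a list."""
    stmts = policy_doc.get("Statement", [])
    patterns = []
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        patterns += [actions] if isinstance(actions, str) else list(actions)
    return [p.lower() for p in patterns]  # IAM matches action names case-insensitively

def pattern_allows(patterns, action):
    """True if any pattern (IAM '*' / '?' wildcards, e.g. 'cloudformation:*') covers the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def grants_cfn_escalation(policy_doc):
    """The rule's condition: iam:PassRole together with CreateStack or UpdateStack."""
    patterns = allowed_action_patterns(policy_doc)
    return pattern_allows(patterns, "iam:PassRole") and any(
        pattern_allows(patterns, a) for a in STACK_ACTIONS)

def check_cloudtrail_event(event):
    """Classify one record: 'alert', 'clear', 'ignored', or 'needs-lookup' for Attach*Policy,
    which carries only a policyArn so the managed policy's document must be fetched first."""
    if event.get("eventName") not in POLICY_EVENTS:
        return "ignored"
    doc = (event.get("requestParameters") or {}).get("policyDocument")
    if doc is None:
        return "needs-lookup"
    doc = json.loads(doc) if isinstance(doc, str) else doc  # inline documents are JSON strings
    return "alert" if grants_cfn_escalation(doc) else "clear"

# Constructed sample records, not real CloudTrail output; names and account id are placeholders
SAMPLE_EVENTS = [
    {"eventName": "PutRolePolicy", "requestParameters": {"roleName": "deployer", "policyName": "cfn",
     "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
      "Action": ["iam:PassRole", "cloudformation:Create*"], "Resource": "*"}]})}},
    {"eventName": "PutUserPolicy", "requestParameters": {"userName": "bob", "policyName": "ro",
     "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": {"Effect": "Allow",
      "Action": "cloudformation:DescribeStacks", "Resource": "*"}})}},
    {"eventName": "AttachUserPolicy", "requestParameters": {"userName": "carol",
     "policyArn": "arn:aws:iam::123456789012:policy/placeholder-policy"}},
]
```

The "needs-lookup" verdict is the practical caveat: Attach*Policy events never show the permissions inline, so triage has to resolve the attached managed policy's current version before deciding.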
Impact
If exploited, the attacker can provision AWS resources using the permissions of privileged CloudFormation service roles, effectively inheriting elevated access. This enables creation of backdoor access mechanisms through Lambda functions or EC2 instances, deployment of resources for data exfiltration, modification of security controls, or establishment of persistent access.
Severity
| Severity | Condition |
|---|---|
| Low | AWS API calls indicating CloudFormation privilege escalation |
Investigation and Remediation
Check CloudTrail for the PutUserPolicy, PutGroupPolicy, PutRolePolicy, or
Attach\*Policy event that added CloudFormation permissions with
iam:PassRole. Identify the target principal and review requestParameters to
examine the exact permissions granted. Verify whether these permissions are
required for legitimate infrastructure automation.
If unauthorized, immediately detach or delete the policy. Review CloudTrail for
CreateStack or UpdateStack actions performed by the affected principal.
Check CloudFormation for stacks created or updated by the principal. Review
stack templates for suspicious resources including Lambda functions, EC2
instances, IAM resources, or security group modifications. Examine IAM roles
passed to these stacks to identify elevated permissions used. Delete suspicious
stacks and review their CloudFormation events to understand what resources were
created. Rotate credentials for the affected principal and any IAM roles passed
to CloudFormation stacks during the compromise.
Known False Positives
- Authorized infrastructure teams provisioning CloudFormation permissions for infrastructure-as-code deployments
- CI/CD pipelines creating service roles for automated stack deployments