--- title: >- Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' --- # Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-group-with-privilege-escalation-by-actions-iam-passrole-and-lambda-createfunction-and-lambda-invokefunction` **Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) ### Description{% #description %} This configuration allows an IAM group to escalate privileges by combining `lambda:CreateFunction`, `iam:PassRole`, and `lambda:InvokeFunction` permissions, all with the overly broad `Resource = "*"`. Attackers or unauthorized users with this access can create, invoke, and assign any role to Lambda functions, potentially gaining permissions beyond their intended scope and compromising the entire AWS account. To prevent this, restrict `iam:PassRole` and Lambda actions to specific, necessary resources and ensure that the policy does not broadly grant privileges, as shown below: ``` policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = [ "ec2:Describe*", ] Effect = "Allow" Resource = "*" }, ] }) ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_iam_user" "cosmic2" { name = "cosmic2" } resource "aws_iam_user_policy" "inline_policy_run_instances2" { name = "inline_policy_run_instances" user = aws_iam_user.cosmic2.name policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = [ "ec2:Describe*", ] Effect = "Allow" Resource = "*" }, ] }) } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_iam_group" "cosmic" { name = "cosmic" } resource "aws_iam_group_policy" "test_inline_policy" { name = "test_inline_policy" group = aws_iam_group.cosmic.name policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = [ "lambda:CreateFunction", "lambda:InvokeFunction" ] Effect = "Allow" Resource = "*" }, ] }) } resource "aws_iam_policy_attachment" "test-attach" { name = "test-attachment" groups = [aws_iam_group.cosmic.name] policy_arn = aws_iam_policy.policy.arn } resource "aws_iam_policy" "policy" { name = "test-policy" description = "A test policy" policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = [ "iam:PassRole", ] Effect = "Allow" Resource = "*" }, ] }) } ```