Granting an AWS IAM role permissions for both glue:CreateDevEndpoint and iam:PassRole with the Resource attribute set to "*" allows for privilege escalation within an AWS environment. With these permissions, a user or attacker could create Glue DevEndpoints and assign any AWS IAM role to the endpoint, effectively running arbitrary code with higher privileges by passing roles they may not otherwise have access to. The use of the "iam:PassRole" action combined with a resource wildcard means that the role can be used to assign any role in the account, potentially including administrative or sensitive roles. If left unaddressed, this misconfiguration can lead to an attacker gaining full control over AWS resources, resulting in data breaches or the compromise of critical cloud infrastructure.
```hcl
resource "aws_iam_role" "cosmic" {
  name = "cosmic"
}

resource "aws_iam_role_policy" "test_inline_policy" {
  name = "test_inline_policy"
  role = aws_iam_role.cosmic.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["glue:CreateDevEndpoint"]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_policy_attachment" "test-attach" {
  name       = "test-attachment"
  roles      = [aws_iam_role.cosmic.name]
  policy_arn = aws_iam_policy.policy.arn
}

resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["iam:PassRole"]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
```
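As an added check, not part of this page or of Datadog's own rule implementation, the Python below evaluates the policy documents attached to one role and reports whether they together allow both glue:CreateDevEndpoint and iam:PassRole on Resource "*", including when an action is granted through a wildcard pattern such as "glue:*" or "*". The sample documents are constructed from the non-compliant example above; the compliant variant with a PassRole scoped to a single role ARN (placeholder account ID) is an assumption.

```python
import fnmatch
import json

# Constructed sample: the two policy documents attached to the "cosmic" role
# in the non-compliant Terraform above (inline policy + attached managed policy).
POLICY_DOCS_NONCOMPLIANT = [
    json.dumps({"Version": "2012-10-17", "Statement": [
        {"Action": ["glue:CreateDevEndpoint"], "Effect": "Allow", "Resource": "*"}]}),
    json.dumps({"Version": "2012-10-17", "Statement": [
        {"Action": ["iam:PassRole"], "Effect": "Allow", "Resource": "*"}]}),
]

# Constructed compliant variant (assumption): PassRole limited to one role ARN
# instead of "*", so the endpoint can only be given that specific role.
POLICY_DOCS_COMPLIANT = [
    POLICY_DOCS_NONCOMPLIANT[0],
    json.dumps({"Version": "2012-10-17", "Statement": [
        {"Action": "iam:PassRole", "Effect": "Allow",
         "Resource": "arn:aws:iam::123456789012:role/GlueDevEndpointRole"}]}),
]

ESCALATION_PAIR = ("glue:CreateDevEndpoint", "iam:PassRole")


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions_on_any_resource(policy_docs):
    """Return which of the two escalation actions an Allow statement grants
    on Resource "*" across all documents. IAM action matching is
    case-insensitive and supports * and ? wildcards, which fnmatch mirrors."""
    found = set()
    for doc in policy_docs:
        for stmt in _as_list(json.loads(doc).get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            if "*" not in _as_list(stmt.get("Resource")):
                continue
            for pattern in _as_list(stmt.get("Action")):
                for action in ESCALATION_PAIR:
                    if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                        found.add(action)
    return found


def role_allows_glue_passrole_escalation(policy_docs):
    """True when the role holds both actions on Resource "*" (this rule's finding)."""
    return allowed_actions_on_any_resource(policy_docs) == set(ESCALATION_PAIR)
```

The check only mirrors this rule's condition (both actions on a wildcard resource); a PassRole scoped to a specific ARN passes it but should still be reviewed for which role is passable.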
Rulesets: Terraform / AWS