--- title: >- Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' --- # Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-role-with-privilege-escalation-by-actions-iam-passrole-and-lambda-createfunction-lambda-invokefunction` **Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) ### Description{% #description %} This configuration grants an IAM role permission to create and invoke Lambda functions (`lambda:CreateFunction` and `lambda:InvokeFunction`), and to pass any IAM role (`iam:PassRole`) with the resource set to `"*"`. This combination of permissions enables privilege escalation, as a user with these rights can create a Lambda function that assumes any role in the account, including high-privilege roles such as `Administrator`. The attacker could then execute arbitrary actions with elevated privileges by passing critical roles to their malicious Lambda and invoking it. If left unaddressed, this vulnerability could allow unauthorized access to sensitive resources or full account takeover. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_iam_user" "cosmic2" { name = "cosmic2" } resource "aws_iam_user_policy" "inline_policy_run_instances2" { name = "inline_policy_run_instances" user = aws_iam_user.cosmic2.name policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = [ "ec2:Describe*", ] Effect = "Allow" Resource = "*" }, ] }) } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_iam_role" "cosmic" { name = "cosmic" } resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = [ "lambda:CreateFunction", "lambda:InvokeFunction" ] Effect = "Allow" Resource = "*" }, ] }) } resource "aws_iam_policy_attachment" "test-attach" { name = "test-attachment" roles = [aws_iam_role.cosmic.name] policy_arn = aws_iam_policy.policy.arn } resource "aws_iam_policy" "policy" { name = "test-policy" description = "A test policy" policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = [ "iam:PassRole", ] Effect = "Allow" Resource = "*" }, ] }) } ```