For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-user-with-privilege-escalation-by-actions-iam-passrole-and-ec2-runinstances.md. A documentation index is available at /llms.txt.

User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-aws-user-with-privilege-escalation-by-actions-iam-passrole-and-ec2-runinstances

Provider: AWS

Platform: Terraform

Severity: Medium

Category: Access Control

Learn More

Description

Granting a user the 'ec2:RunInstances' and 'iam:PassRole' permissions with the resource set to '*' allows them to launch EC2 instances and attach any IAM role, potentially escalating their privileges beyond intended limits.

For example, the following configuration is unsafe:

policy = jsonencode({
  Version = "2012-10-17"
  Statement = [
    {
      Action = [
        "iam:PassRole",
      ]
      Effect   = "Allow"
      Resource = "*"
    },
    {
      Action = [
        "ec2:RunInstances",
      ]
      Effect   = "Allow"
      Resource = "*"
    },
  ]
})

This vulnerability can enable attackers to assume highly privileged roles and gain full administrative access to AWS resources, leading to compromise of the entire cloud environment if left unaddressed. Access to these actions should be tightly scoped with least privilege and limited to essential roles.

Compliant Code Examples

resource "aws_iam_user" "cosmic2" {
  name = "cosmic2"
}

resource "aws_iam_user_policy" "inline_policy_run_instances2" {
  name = "inline_policy_run_instances"
  user = aws_iam_user.cosmic2.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

Non-Compliant Code Examples

resource "aws_iam_user" "cosmic" {
  name = "cosmic"
}

resource "aws_iam_user_policy" "test_inline_policy" {
  name = "test_inline_policy"
  user = aws_iam_user.cosmic.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:RunInstances",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}


resource "aws_iam_policy_attachment" "test-attach" {
  name       = "test-attachment"
  users      = [aws_iam_user.cosmic.name]
  roles      = [aws_iam_role.role.name]
  groups     = [aws_iam_group.group.name]
  policy_arn = aws_iam_policy.policy.arn
}


resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "iam:PassRole",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}