Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'
This product is not supported for your selected
Datadog site. (
).
Id: 9b0ffadc-a61f-4c2a-b1e6-68fab60f6267
Cloud Provider: AWS
Platform: Terraform
Severity: Medium
Category: Access Control
Learn More
Description
Allowing an IAM group broad permissions with "cloudformation:CreateStack" and "iam:PassRole" actions on all resources ("Resource": "*") enables privilege escalation. With these permissions, a user can create a CloudFormation stack that provisions new IAM users, roles, or policies with elevated privileges and then use iam:PassRole to assume those roles, effectively bypassing intended access controls. If left unaddressed, attackers could gain unauthorized access to sensitive AWS resources or take full control of the account.
Compliant Code Examples
resource "aws_iam_user" "cosmic2" {
name = "cosmic2"
}
resource "aws_iam_user_policy" "inline_policy_run_instances2" {
name = "inline_policy_run_instances"
user = aws_iam_user.cosmic2.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
Non-Compliant Code Examples
resource "aws_iam_group" "cosmic" {
name = "cosmic"
}
resource "aws_iam_group_policy" "test_inline_policy" {
name = "test_inline_policy"
group = aws_iam_group.cosmic.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"cloudformation:CreateStack",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_policy_attachment" "test-attach" {
name = "test-attachment"
groups = [aws_iam_group.cosmic.name]
policy_arn = aws_iam_policy.policy.arn
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"iam:PassRole",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
