Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'
This product is not supported for your selected
Datadog site. (
).
Id: 15e6ad8c-f420-49a6-bafb-074f5eb1ec74
Cloud Provider: AWS
Platform: Terraform
Severity: Medium
Category: Access Control
Learn More
Description
Granting an IAM group both the ec2:RunInstances and iam:PassRole permissions with the Resource field set to "*" allows users to launch EC2 instances with any IAM role in the account. This opens a dangerous privilege escalation pathway, as users can assign themselves highly privileged roles by launching instances with those roles attached, effectively bypassing intended access controls. If left unaddressed, this misconfiguration can lead to full account compromise, as attackers could elevate their permissions and gain unauthorized access to sensitive resources.
Compliant Code Examples
resource "aws_iam_user" "cosmic2" {
name = "cosmic2"
}
resource "aws_iam_user_policy" "inline_policy_run_instances2" {
name = "inline_policy_run_instances"
user = aws_iam_user.cosmic2.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
Non-Compliant Code Examples
resource "aws_iam_group" "cosmic" {
name = "cosmic"
}
resource "aws_iam_group_policy" "test_inline_policy" {
name = "test_inline_policy"
group = aws_iam_group.cosmic.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:RunInstances",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_policy_attachment" "test-attach" {
name = "test-attachment"
groups = [aws_iam_group.cosmic.name]
policy_arn = aws_iam_policy.policy.arn
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"iam:PassRole",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
