Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'
This product is not supported for your selected
Datadog site. (
).
Id: be2aa235-bd93-4b68-978a-1cc65d49082f
Cloud Provider: AWS
Platform: Terraform
Severity: Medium
Category: Access Control
Learn More
Description
Granting an IAM role permissions for both cloudformation:CreateStack and iam:PassRole actions with the resource set to "*" allows users with this role to launch CloudFormation stacks that assume any IAM role in the account, leading to privilege escalation. This vulnerability means an attacker could potentially create resources with elevated privileges or gain full administrative access to the AWS environment. To mitigate this, avoid assigning overly permissive policies, and instead restrict iam:PassRole and cloudformation:CreateStack to only trusted roles and explicitly specify the allowed resource ARNs in the policy’s Resource attribute.
Compliant Code Examples
resource "aws_iam_user" "cosmic2" {
name = "cosmic2"
}
resource "aws_iam_user_policy" "inline_policy_run_instances2" {
name = "inline_policy_run_instances"
user = aws_iam_user.cosmic2.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
Non-Compliant Code Examples
resource "aws_iam_role" "cosmic" {
name = "cosmic"
}
resource "aws_iam_role_policy" "test_inline_policy" {
name = "test_inline_policy"
role = aws_iam_role.cosmic.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"cloudformation:CreateStack",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_policy_attachment" "test-attach" {
name = "test-attachment"
roles = [aws_iam_role.cosmic.name]
policy_arn = aws_iam_policy.policy.arn
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"iam:PassRole",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
