User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'
This product is not supported for your selected
Datadog site. (
).
Id: 19ffbe31-9d72-4379-9768-431195eae328
Cloud Provider: AWS
Platform: Terraform
Severity: Medium
Category: Access Control
Learn More
Description
Granting an IAM user permissions to both cloudformation:CreateStack and iam:PassRole with "Resource": "*" is a significant security risk, as it allows the user to create CloudFormation stacks that assume any IAM role in the AWS account. This creates a privilege escalation vector, enabling the user to gain broader or even administrative privileges, bypassing intended access controls. If left unaddressed, an attacker or insider with these rights could compromise the integrity and confidentiality of AWS resources, leading to unauthorized access or manipulation of critical infrastructure.
Compliant Code Examples
resource "aws_iam_user" "cosmic2" {
name = "cosmic2"
}
resource "aws_iam_user_policy" "inline_policy_run_instances2" {
name = "inline_policy_run_instances"
user = aws_iam_user.cosmic2.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
Non-Compliant Code Examples
resource "aws_iam_user" "cosmic" {
name = "cosmic"
}
resource "aws_iam_user_policy" "test_inline_policy" {
name = "test_inline_policy"
user = aws_iam_user.cosmic.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"cloudformation:CreateStack",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_policy_attachment" "test-attach" {
name = "test-attachment"
users = [aws_iam_user.cosmic.name]
roles = [aws_iam_role.role.name]
groups = [aws_iam_group.group.name]
policy_arn = aws_iam_policy.policy.arn
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"iam:PassRole",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
