User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'
This product is not supported for your selected
Datadog site. (
).
Id: 33627268-1445-4385-988a-318fd9d1a512
Cloud Provider: AWS
Platform: Terraform
Severity: Medium
Category: Access Control
Learn More
Description
Granting an IAM user iam:UpdateAssumeRolePolicy and sts:AssumeRole permissions with the resource set to "*" allows them to escalate their privileges by modifying the trust policies of IAM roles and then assuming those roles. This configuration effectively enables the user to grant themselves access to any role and associated permissions in the AWS account, bypassing intended security controls. If left unaddressed, this vulnerability could lead to full account compromise, data exfiltration, or malicious activity performed under elevated permissions.
Compliant Code Examples
resource "aws_iam_user" "cosmic2" {
name = "cosmic2"
}
resource "aws_iam_user_policy" "inline_policy_run_instances2" {
name = "inline_policy_run_instances"
user = aws_iam_user.cosmic2.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
Non-Compliant Code Examples
resource "aws_iam_user" "cosmic" {
name = "cosmic"
}
resource "aws_iam_user_policy" "test_inline_policy" {
name = "test_inline_policy"
user = aws_iam_user.cosmic.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"iam:UpdateAssumeRolePolicy",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_policy_attachment" "test-attach" {
name = "test-attachment"
users = [aws_iam_user.cosmic.name]
roles = [aws_iam_role.role.name]
groups = [aws_iam_group.group.name]
policy_arn = aws_iam_policy.policy.arn
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"sts:AssumeRole",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
