---
title: >-
  AWS EC2 instance can assume a role with administrative privileges
  cross-account
description: Datadog, the leading service for cloud-scale monitoring.
---

# AWS EC2 instance can assume a role with administrative privileges cross-account

## Description{% #description %}

In AWS environments, some IAM permissions can lead to privilege escalation, where an identity gains access to another, more privileged identity. This rule identifies when an EC2 instance can use `sts:AssumeRole` to assume a role with administrative privileges in a different account of your AWS Organization. By assuming that more privileged role, an adversary who controls the instance inherits the role's permissions and can use them for further access.

## Rationale{% #rationale %}

The identity which triggered this detection can assume a role with administrative privileges in a different account of your AWS Organization, giving them access to the privileges of that role.

## Remediation{% #remediation %}

Datadog recommends reducing the permissions attached to an EC2 instance to the minimum required for it to fulfill its function. To remediate the issue, either remove the `sts:AssumeRole` permission entirely or narrow the `Resource` element of the IAM policy so that it no longer covers the administrative role in the other account.
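As an added illustration (not Datadog's own rule logic), the following Python checks an instance-profile policy document for the condition this rule describes, with a constructed policy that triggers it beside a scoped-down replacement; the account ids and role names are placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample values for this example (placeholder account ids).
INSTANCE_ACCOUNT = "111111111111"

# Instance-profile policy that produces the finding: it allows assuming any
# role in a different account of the organization.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::222222222222:role/*"}]})

# Remediated policy: the Resource element names one role in the instance's
# own account, so no cross-account role can be assumed.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Resource": "arn:aws:iam::111111111111:role/app-reader"}]})


def cross_account_assume_targets(policy_json, own_account):
    """Return the Resource ARNs of Allow statements granting sts:AssumeRole
    on roles outside own_account. A bare '*' or a wildcard account id counts
    as cross-account. Deny statements and SCPs are not evaluated here."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be unlisted
        stmts = [stmts]
    targets = []
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # Action values are case-insensitive and may carry wildcards (sts:*).
        if not any(fnmatchcase("sts:assumerole", a.lower()) for a in actions):
            continue
        resources = s.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for r in resources:
            parts = r.split(":")  # arn:partition:service:region:account:resource
            if r == "*" or (len(parts) >= 6 and parts[2] == "iam"
                            and parts[4] != own_account):
                targets.append(r)
    return targets


if __name__ == "__main__":
    print("broad :", cross_account_assume_targets(BROAD_POLICY, INSTANCE_ACCOUNT))
    print("scoped:", cross_account_assume_targets(SCOPED_POLICY, INSTANCE_ACCOUNT))
```

The target role's trust policy must also name the instance's role for the assumption to succeed, so tightening either that trust policy or the identity policy as shown breaks the path.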
