
H3-2024-0044

AWS Privilege Escalation via iam:PassRole, lambda:CreateFunction, and lambda:InvokeFunction

Category CREDENTIALS
Base Score 5.0

Description

An AWS user or role holding iam:PassRole (on a target role) and lambda:CreateFunction can create a new Lambda function and assign the target role as its execution role. This works for any role in the account whose trust policy allows the Lambda service principal (lambda.amazonaws.com) to assume it. Invoking the function with lambda:InvokeFunction then runs attacker-supplied code under the passed role's credentials, so the original user or role indirectly gains the permissions of the passed role.
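As an added example (not code from this advisory), the check below evaluates offline whether a principal's identity policy and a candidate role's trust policy together satisfy every prerequisite of this path: iam:PassRole on the specific role ARN, lambda:CreateFunction and lambda:InvokeFunction on a function ARN the attacker would create, and a trust policy that lets lambda.amazonaws.com call sts:AssumeRole (without that trust, Lambda cannot use the role at all). It handles Action/NotAction, Resource/NotResource, wildcards and explicit Deny. The account ID, role and function ARNs and all policy documents are constructed placeholders; Condition blocks are ignored, so a positive result is an over-approximation to confirm by hand.

```python
"""Offline audit for the iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction
path. Added example, not from the original advisory: ARNs, account ID and policies
are constructed placeholders, and Condition blocks are ignored (over-approximation)."""
import fnmatch

LAMBDA_PRINCIPAL = "lambda.amazonaws.com"


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action, Resource, Principal.Service."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case=True):
    """IAM wildcard match ('*' and '?'); action names are case-insensitive, ARNs are not."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _covers(stmt, key, value, fold_case):
    """Handle Action/NotAction and Resource/NotResource uniformly."""
    if "Not" + key in stmt:
        return not any(_matches(p, value, fold_case) for p in _as_list(stmt["Not" + key]))
    return any(_matches(p, value, fold_case) for p in _as_list(stmt.get(key)))


def is_allowed(policy, action, resource):
    """Evaluate one action/resource pair: an explicit Deny wins over any Allow."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if _covers(stmt, "Action", action, True) and _covers(stmt, "Resource", resource, False):
            allowed |= stmt.get("Effect") == "Allow"
            denied |= stmt.get("Effect") == "Deny"
    return allowed and not denied


def role_trusts_lambda(trust_policy):
    """The function can only run as the passed role if the role's trust policy lets
    lambda.amazonaws.com call sts:AssumeRole (a Deny statement blocks it)."""
    allowed = denied = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = ["*"] if principal == "*" else _as_list(
            principal.get("Service") if isinstance(principal, dict) else None)
        if any(s in ("*", LAMBDA_PRINCIPAL) for s in services) and _covers(stmt, "Action", "sts:AssumeRole", True):
            allowed |= stmt.get("Effect") == "Allow"
            denied |= stmt.get("Effect") == "Deny"
    return allowed and not denied


def passrole_lambda_escalation(identity_policy, role_arn, trust_policy, function_arn):
    """Return (escalatable, missing). The attacker picks the function name, so pass a
    function_arn that fits any prefix-scoped Lambda Resource in the policy."""
    missing = []
    if not is_allowed(identity_policy, "iam:PassRole", role_arn):
        missing.append("iam:PassRole on " + role_arn)
    missing += [a for a in ("lambda:CreateFunction", "lambda:InvokeFunction")
                if not is_allowed(identity_policy, a, function_arn)]
    if not role_trusts_lambda(trust_policy):
        missing.append("trust policy does not allow " + LAMBDA_PRINCIPAL)
    return not missing, missing


# Constructed sample inputs (placeholder account ID, role and function names).
ACCOUNT = "123456789012"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:probe"
ATTACKER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ADMIN_ROLE}]}
# PassRole limited to the service-role path, so AdminRole is not passable.
SCOPED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": f"arn:aws:iam::{ACCOUNT}:role/service-role/*"}]}
# Broad Allow with an explicit Deny on invoke: the function can be created but not run.
DENY_INVOKE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Deny", "Action": "lambda:InvokeFunction", "Resource": "*"}]}
TRUSTS_LAMBDA = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                "Principal": {"Service": LAMBDA_PRINCIPAL}}]}
TRUSTS_EC2 = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"Service": "ec2.amazonaws.com"}}]}

if __name__ == "__main__":
    for label, policy, trust in [("full path", ATTACKER_POLICY, TRUSTS_LAMBDA),
                                 ("role trusts ec2 only", ATTACKER_POLICY, TRUSTS_EC2),
                                 ("scoped PassRole", SCOPED_POLICY, TRUSTS_LAMBDA),
                                 ("deny invoke", DENY_INVOKE_POLICY, TRUSTS_LAMBDA)]:
        print(label, passrole_lambda_escalation(policy, ADMIN_ROLE, trust, FUNCTION_ARN))
```

Only the first case reports the path as open: a role that trusts only ec2.amazonaws.com cannot be handed to Lambda, a PassRole statement scoped to another path never reaches AdminRole, and an explicit Deny on lambda:InvokeFunction leaves the function created but unusable. In a live account, feed the script the documents returned by `aws iam get-role` and the principal's attached and inline policies, or use `aws iam simulate-principal-policy`, which also evaluates Conditions, as the authoritative check.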

Impact

By exploiting this weakness, an attacker can perform any action the passed role is permitted to perform, against any resource that role can reach. If a highly privileged role in the account trusts the Lambda service, this amounts to a full compromise of data and resources within the AWS environment.
