Passed roles

When a CloudFormation stack is created, there is the option to pass an IAM role to it for the deployment process. If a role is passed, the stack will be created using that role, but if a role is not passed, then CloudFormation just uses the current user privileges to deploy the stack. This opens the possibility of privilege escalation through stacks that have already been passed roles when they were created.

Let's say that a user we compromised has "cloudformation:*" permissions, but not "iam:PassRole". This means that we cannot escalate our privileges by creating a new stack and passing it a role with higher privileges than what we have (because that requires the "iam:PassRole" permission), but it does mean that we can modify ...

Get Hands-On AWS Penetration Testing with Kali Linux now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.