Auditing PassRole: Finding the Hidden Trails of a Problematic Privilege Escalation Permission
2022-07-25, Room 2/3

The iam:PassRole permission is one of the most common open privilege escalation vectors in AWS accounts today. The basic idea of iam:PassRole is simple: whenever a principal (which can be a user or a role; a human, code or a service) uses a service that needs to perform other actions, the AWS architecture often has that service assume an AWS role to perform them. When that happens, the service performing the actions is “passed” a role by the calling principal and implicitly (without performing sts:AssumeRole) assumes that role to perform the actions. The privileges associated with the role are different from — and can be greater than — those of the principal calling the action.

Consider launching an EC2 instance with a certain IAM Instance profile. The instance profile is resolved to an IAM role whose permissions determine what the instance can and can’t do. Whenever behavior like this happens, AWS checks, behind the scenes, if the calling principal has the permission iam:PassRole to pass the role to the service.

PassRole is both a facilitator of critical privilege escalation and a permission that is remarkably difficult to monitor, control and write policies for.

In this talk, we’ll walk through the work we did to automatically map hundreds of potential actions requiring iam:PassRole and the manual and automatic methods we used to sift through these to isolate the actions which truly require the permission. We’ll discuss tips and tricks picked up along the way and how to use these to provision, control and limit iam:PassRole in AWS environments.
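As an added illustration of the kind of check such an audit performs (this is not the speaker's tooling), the following Python scans IAM policy documents for iam:PassRole grants that are unscoped: a wildcard role resource, or no iam:PassedToService condition restricting which service may receive the role. The policy contents, account id and role name are constructed samples.

```python
"""Flag over-broad iam:PassRole grants in IAM policy documents (added
illustration; not the talk's tooling). A statement is reported when it allows
iam:PassRole on a wildcard resource and/or without an iam:PassedToService
condition limiting which service may receive the role."""
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _allows_pass_role(stmt):
    # "*", "iam:*" and "iam:Pass*" all cover iam:PassRole.
    return any(fnmatch.fnmatchcase("iam:passrole", a.lower())
               for a in _as_list(stmt.get("Action", [])))


def _has_passed_to_service(stmt):
    for keys in stmt.get("Condition", {}).values():
        if any(k.lower() == "iam:passedtoservice" for k in keys):
            return True
    return False


def audit_pass_role(policy):
    """Return (statement index, resources, reasons) for risky PassRole grants."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _allows_pass_role(stmt):
            continue
        resources = _as_list(stmt.get("Resource", []))
        reasons = []
        if any(r == "*" or r.endswith("/*") for r in resources):
            reasons.append("wildcard role resource")
        if not _has_passed_to_service(stmt):
            reasons.append("no iam:PassedToService condition")
        if reasons:
            findings.append((i, resources, reasons))
    return findings


# Constructed sample policies (account id and role name are placeholders).
BROAD = {"Statement": [{"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}]}
SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/ec2-app-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}
```

The check is a heuristic: it does not evaluate NotAction, Deny statements, or resource patterns other than a trailing "/*", so it is a triage aid rather than a full policy evaluator.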

Noam Dahan is a Senior Security Researcher at Ermetic with several years of experience in embedded security. He is a graduate of the Talpiot program at the Israel Defense Forces and spent several years in the 8200 Intelligence Corps. Noam was a competitive debater and is a former World Debating Champion.