Critical severity
AWS IAM privilege escalation • iam:PassRole + codebuild:CreateProject

iam:PassRole + CodeBuild Privilege Escalation

A CodeBuild project runs build commands as an IAM service role. With iam:PassRole, codebuild:CreateProject, and codebuild:StartBuild, an attacker creates a project backed by a privileged role and runs arbitrary commands as that role — including exfiltrating its credentials.

Permissions an attacker needs

  • iam:PassRole
  • codebuild:CreateProject
  • codebuild:StartBuild

How the escalation works

  • The attacker picks a privileged role they are allowed to pass.
  • They create a CodeBuild project with that service role and a buildspec that prints the role’s credentials (from the metadata endpoint) or performs privileged actions directly.
  • They start the build; CodeBuild runs the commands as the passed role.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "codebuild:CreateProject",
        "codebuild:StartBuild"
      ],
      "Resource": "*"
    }
  ]
}

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

aws codebuild create-project \
  --name esc \
  --source type=NO_SOURCE,buildspec="version: 0.2" \
  --artifacts type=NO_ARTIFACTS \
  --environment type=LINUX_CONTAINER,image=aws/codebuild/standard:7.0,computeType=BUILD_GENERAL1_SMALL \
  --service-role arn:aws:iam::123456789012:role/privileged-role

How to detect and prevent it

  • Scope iam:PassRole to the specific roles CodeBuild may use, and add a Condition with iam:PassedToService set to codebuild.amazonaws.com so those roles can be passed only to CodeBuild.
  • Restrict codebuild:CreateProject to the teams that own the build pipeline.
  • Use least-privilege CodeBuild service roles scoped to the resources a build legitimately needs.
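The following is an added example, not Shieldly's analyzer or any code from this page: a small Python checker that decides whether a single IAM policy document grants the PassRole + CreateProject + StartBuild chain, and grades it by how well the mitigations above have been applied. The vulnerable policy is the one shown above; the hardened policy (role name, region and project prefix are placeholders) is constructed here to show what the scoped version looks like. The check looks at one document only and ignores explicit Deny statements, NotAction, permission boundaries and other attached policies, so a "none" result from it is not proof that the chain is unreachable through other policies.

```python
"""Single-document check for the iam:PassRole + CodeBuild escalation chain."""
import fnmatch
import json

# The three actions the chain needs. IAM matches action names case-insensitively.
CHAIN = ("iam:PassRole", "codebuild:CreateProject", "codebuild:StartBuild")
LEVELS = {"none": 0, "review": 1, "high": 2, "critical": 3}

# Vulnerable policy as shown on the page.
VULNERABLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["iam:PassRole", "codebuild:CreateProject", "codebuild:StartBuild"],
                 "Resource": "*"}]
}""")

# Constructed hardened policy: PassRole limited to one role and to CodeBuild,
# project actions limited to a team's own project names (placeholder ARNs).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/codebuild-team-a",
         "Condition": {"StringEquals": {"iam:PassedToService": "codebuild.amazonaws.com"}}},
        {"Effect": "Allow", "Action": ["codebuild:CreateProject", "codebuild:StartBuild"],
         "Resource": "arn:aws:codebuild:us-east-1:123456789012:project/team-a-*"},
    ],
}


def _as_list(value):
    """Action, Resource and Statement may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows(stmt, action):
    """True if this Allow statement's Action patterns (e.g. 'iam:*', '*') cover action."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action")))


def _passed_to_service(stmt):
    """Values of iam:PassedToService under any String* condition operator."""
    values = []
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower().startswith("string"):
            for key, val in keys.items():
                if key.lower() == "iam:passedtoservice":
                    values.extend(_as_list(val))
    return values


def assess_policy(policy):
    """Return (severity, findings) for one policy document.

    Only this document is examined: explicit Deny statements, NotAction,
    permission boundaries and other attached policies are out of scope.
    """
    statements = _as_list(policy.get("Statement"))
    granted = {a: [s for s in statements if _allows(s, a)] for a in CHAIN}
    # A PassRole grant conditioned on some other service cannot feed CodeBuild.
    # StringLike wildcards are honoured; StringEquals values contain none.
    pass_to_codebuild = [
        s for s in granted["iam:PassRole"]
        if not _passed_to_service(s)
        or any(fnmatch.fnmatchcase("codebuild.amazonaws.com", v.lower())
               for v in _passed_to_service(s))
    ]
    if not (pass_to_codebuild and granted["codebuild:CreateProject"]
            and granted["codebuild:StartBuild"]):
        return "none", []

    findings = []
    for stmt in pass_to_codebuild:
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(("critical", "iam:PassRole on Resource '*': any role in the account can be passed"))
        if not _passed_to_service(stmt):
            findings.append(("high", "iam:PassRole has no iam:PassedToService condition"))
    for stmt in granted["codebuild:CreateProject"]:
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(("high", "codebuild:CreateProject on Resource '*'"))
    if not findings:
        findings.append(("review", "chain is granted but scoped: confirm the passable role is least-privilege"))
    severity = max((level for level, _ in findings), key=LEVELS.get)
    return severity, findings


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("hardened", HARDENED_POLICY)):
        severity, findings = assess_policy(policy)
        print(f"{name}: {severity}")
        for level, message in findings:
            print(f"  [{level}] {message}")
```

Run it as a script to see the page's policy graded critical and the scoped version graded review. The "review" grade is deliberate: even a fully scoped policy still lets the principal run builds as the one passable role, so the remaining question is whether that role's own permissions are least-privilege, which only the role's policy can answer.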

FAQ

Why is CodeBuild a good escalation target?

It runs attacker-controlled commands as a service role and is often given broad permissions for deployment. Passing a privileged role to it turns a build into arbitrary code execution as that role.

Check your IAM policies for this — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.