Severity: High

iam:PassRole + Data Pipeline Privilege Escalation

AWS Data Pipeline runs activities on EC2 resources that assume a passed IAM role. With iam:PassRole plus datapipeline:CreatePipeline and PutPipelineDefinition, an attacker defines a pipeline that runs shell commands on a resource backed by a privileged role, then reads that role’s credentials.

Permissions an attacker needs

  • iam:PassRole
  • datapipeline:CreatePipeline
  • datapipeline:PutPipelineDefinition
  • datapipeline:ActivatePipeline

How the escalation works

  • The attacker picks a privileged role they are allowed to pass as the pipeline’s resource role.
  • They create and define a pipeline whose activity runs shell commands on an EC2 resource using that role.
  • They activate the pipeline; the commands run as the passed role, and its credentials can be exfiltrated.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "datapipeline:CreatePipeline",
        "datapipeline:PutPipelineDefinition",
        "datapipeline:ActivatePipeline"
      ],
      "Resource": "*"
    }
  ]
}

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

aws datapipeline create-pipeline --name esc --unique-id esc
# then put-pipeline-definition with a ShellCommandActivity whose
# resourceRole is the privileged role, and activate-pipeline

How to detect and prevent it

  • Scope iam:PassRole to specific roles and add an iam:PassedToService condition for the pipeline resource role.
  • Restrict the datapipeline:* create/define/activate actions to the few teams that use Data Pipeline.
  • Prefer modern, least-privileged alternatives (Step Functions, Glue) with tightly scoped roles.
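As an added example (not part of the original page or Shieldly's tooling), the policy check below runs over the broad policy shown above and over a hardened variant of it; the role ARN and the PassedToService value in the hardened policy are assumed placeholders. It flags the path only when an unscoped iam:PassRole sits beside all three Data Pipeline actions, so a policy scoped as the list above recommends passes.

```python
import fnmatch

PIPELINE_ACTIONS = {
    "datapipeline:CreatePipeline",
    "datapipeline:PutPipelineDefinition",
    "datapipeline:ActivatePipeline",
}

# Constructed samples: the page's broad policy and a hardened version of it.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:PassRole", *sorted(PIPELINE_ACTIONS)],
    "Resource": "*"}]}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/DataPipelineResourceRole",  # assumed ARN
     "Condition": {"StringEquals": {
         "iam:PassedToService": "datapipeline.amazonaws.com"}}},              # assumed value
    {"Effect": "Allow", "Action": sorted(PIPELINE_ACTIONS), "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(stmt, action):
    """True if an Allow statement's Action patterns (wildcards included) cover action."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt.get("Action", [])))

def _passrole_unscoped(stmt):
    """PassRole is risky if it covers every role or lacks an iam:PassedToService condition."""
    any_role = any(r == "*" or r.endswith(":role/*")
                   for r in _as_list(stmt.get("Resource", [])))
    has_service_cond = any(k.lower() == "iam:passedtoservice"
                           for block in stmt.get("Condition", {}).values()
                           for k in block)
    return any_role or not has_service_cond

def find_datapipeline_escalation(policy):
    """Return findings for the PassRole + Data Pipeline path (Deny statements are not evaluated)."""
    stmts = _as_list(policy.get("Statement", []))
    risky_passrole = any(_allows(s, "iam:PassRole") and _passrole_unscoped(s) for s in stmts)
    granted = {a for a in PIPELINE_ACTIONS if any(_allows(s, a) for s in stmts)}
    findings = []
    if risky_passrole and granted == PIPELINE_ACTIONS:
        findings.append("iam:PassRole + Data Pipeline create/define/activate: HIGH")
    elif risky_passrole and granted:
        findings.append("unscoped iam:PassRole with partial Data Pipeline rights: review")
    return findings
```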

FAQ

Is Data Pipeline still common?

It is a legacy service, so many accounts never use it — but if the permissions are present in a broad policy, the escalation path is real. Removing unused datapipeline actions closes it entirely.

Check your IAM policies for this — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.