Critical severity
AWS IAM privilege escalation • iam:PassRole + ec2:RunInstances

iam:PassRole + EC2 RunInstances Privilege Escalation

With iam:PassRole and ec2:RunInstances, an attacker can launch an EC2 instance attached to a privileged instance profile, then read that role’s temporary credentials from the instance metadata service and use them anywhere.

Permissions an attacker needs

  • ec2:RunInstances
  • iam:PassRole on the role behind the instance profile (the role that will be attached to the launched instance)

How the escalation works

  • The attacker finds an instance profile / role they can pass that has broad permissions.
  • They run an EC2 instance with that instance profile and a user-data script (or SSH access) under their control.
  • They retrieve the role’s temporary credentials from the instance metadata service (IMDS) and use them from anywhere.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "ec2:RunInstances"
      ],
      "Resource": "*"
    }
  ]
}

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

aws ec2 run-instances \
  --image-id ami-0abcd1234 --instance-type t3.micro \
  --iam-instance-profile Name=privileged-profile \
  --user-data file://exfil.sh
# then read role creds from IMDS on the instance:
#   curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>

How to detect and prevent it

  • Scope iam:PassRole to the specific instance-profile roles that need to be passed, and add a condition requiring iam:PassedToService = ec2.amazonaws.com so those roles can only be passed to EC2.
  • Enforce IMDSv2 (HttpTokens=required) to make metadata credential theft harder, especially via SSRF.
  • Least-privilege the instance roles themselves so a launched instance cannot reach sensitive resources.
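To make the first mitigation concrete, here is an added Python example (not Shieldly's analyzer and not AWS code) that checks a single IAM policy document offline for the iam:PassRole + ec2:RunInstances pair and reports whether the PassRole grant is scoped. It embeds two constructed inputs: the vulnerable policy from this page and a hardened form with a specific role ARN (the account id and role name are hypothetical) plus the iam:PassedToService condition. It evaluates one policy in isolation and ignores explicit Deny statements, SCPs and permission boundaries, so a clean result is a policy-hygiene check, not a full authorization test.

```python
"""Offline check for the iam:PassRole + ec2:RunInstances escalation path.

Added example, not Shieldly's analyzer and not AWS code. It inspects a single
IAM policy document; it does not evaluate explicit Deny statements, SCPs or
permission boundaries, so an empty result is not a full authorization test.
"""
import fnmatch

# Constructed input: the vulnerable policy shown on this page.
VULNERABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"}
    ],
}

# Constructed input: the scoped form recommended above. The role ARN is hypothetical.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/web-instance-role",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """IAM action names are case-insensitive and support '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def allow_statements_for(policy, action):
    """Return the Allow statements whose Action (or NotAction) grants `action`."""
    matches = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction allows everything except the listed actions.
            if not _action_matches(_as_list(stmt["NotAction"]), action):
                matches.append(stmt)
        elif _action_matches(_as_list(stmt.get("Action")), action):
            matches.append(stmt)
    return matches


def passrole_findings(stmt):
    """Weaknesses in one iam:PassRole Allow statement, as human-readable strings."""
    findings = []
    resources = _as_list(stmt.get("Resource"))
    if any(r == "*" or r.endswith(":*") or r.endswith(":role/*") for r in resources):
        findings.append("iam:PassRole is not scoped to specific role ARNs")
    services = []
    for _operator, keys in stmt.get("Condition", {}).items():
        for key, value in keys.items():
            if key.lower() == "iam:passedtoservice":  # condition keys are case-insensitive
                services.extend(_as_list(value))
    if not services:
        findings.append("no iam:PassedToService condition; the role can be passed to any service")
    return findings


def audit(policy):
    """Findings for the PassRole + RunInstances pair; an empty list means scoped or absent."""
    run = allow_statements_for(policy, "ec2:RunInstances")
    passes = allow_statements_for(policy, "iam:PassRole")
    if not run or not passes:
        return []  # without both halves, this policy alone does not open the path
    findings = []
    for stmt in passes:
        findings.extend(passrole_findings(stmt))
    return findings


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(policy) or "OK")
```

Running the block prints two findings for the vulnerable policy (unscoped resource, no iam:PassedToService condition) and OK for the hardened one. Because a principal's effective permissions come from every attached policy, run audit() over each identity, group and inline policy the principal carries rather than over one document.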

FAQ

Does IMDSv2 fully prevent this?

IMDSv2 mitigates remote credential theft (notably via SSRF) by requiring a session token, but a principal who controls the instance can still reach IMDS locally. The primary fix is scoping PassRole and the instance role.

Check your IAM policies for this — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.