Severity: Critical
AWS IAM privilege escalation • iam:PassRole + sagemaker:CreateNotebookInstance

iam:PassRole + SageMaker Notebook Privilege Escalation

A SageMaker notebook instance runs under an IAM execution role and gives the user an interactive Jupyter shell. With iam:PassRole and sagemaker:CreateNotebookInstance, an attacker launches a notebook backed by a privileged role and, from the notebook's shell, reads that role's temporary credentials out of the instance metadata service.

Permissions an attacker needs

  • iam:PassRole
  • sagemaker:CreateNotebookInstance
  • sagemaker:CreatePresignedNotebookInstanceUrl

How the escalation works

  • The attacker picks a privileged role they are allowed to pass.
  • They create a SageMaker notebook instance, passing that role.
  • They open a presigned notebook URL, then read the role’s temporary credentials from the instance metadata and use them anywhere.

Example vulnerable policy

A policy like this grants the dangerous permission. Paste your own policy into the free AI-Powered IAM analyzer to see if you are exposed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:CreatePresignedNotebookInstanceUrl"
      ],
      "Resource": "*"
    }
  ]
}
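As an added example (written for this page, not code from Shieldly's analyzer), the following Python checker flags the pattern above in a policy document: an iam:PassRole grant that can be used with SageMaker (or, as the FAQ notes, EC2, which is the same pattern) while either the role set is open (Resource "*" or ":role/*") or no iam:PassedToService condition is present. It runs the page's vulnerable policy next to a hardened form that applies the prevention advice further down: one named role and PassRole usable only by SageMaker. The role name sagemaker-execution-role is a placeholder; the checker judges the PassRole grant only and cannot tell whether that named role is itself least-privilege.

```python
import fnmatch
import json

# Compute-creation actions that turn an over-broad iam:PassRole into code
# execution as the passed role. The page covers the SageMaker case and its
# FAQ names the EC2 analogue, so both sinks are listed here.
PASSROLE_SINKS = {
    "sagemaker:CreateNotebookInstance": "sagemaker.amazonaws.com",
    "ec2:RunInstances": "ec2.amazonaws.com",
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and may contain '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _passed_to_service(stmt):
    """Services named in an iam:PassedToService condition, or None if the statement has none."""
    cond = stmt.get("Condition", {})
    for op in ("StringEquals", "StringLike", "ForAnyValue:StringEquals"):
        services = cond.get(op, {}).get("iam:PassedToService")
        if services:
            return {s.lower() for s in _as_list(services)}
    return None


def find_passrole_escalations(policy):
    """Return one finding per sink action the policy grants alongside a PassRole
    statement that can reach the sink's service and is too broad. Each finding
    lists the reasons; an empty list means the pattern was not found."""
    allows = [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]
    granted = [a for s in allows for a in _as_list(s.get("Action"))]
    findings = []
    for sink, service in PASSROLE_SINKS.items():
        if not any(_matches(g, sink) for g in granted):
            continue  # the sink action itself is not granted
        for stmt in allows:
            if not any(_matches(g, "iam:PassRole") for g in _as_list(stmt.get("Action"))):
                continue
            services = _passed_to_service(stmt)
            if services is not None and service not in services:
                continue  # this PassRole grant cannot be used with this service
            reasons = []
            if any(r == "*" or r.endswith(":role/*") for r in _as_list(stmt.get("Resource"))):
                reasons.append("PassRole resource allows any role")
            if services is None:
                reasons.append("no iam:PassedToService condition")
            if reasons:
                findings.append({"sink": sink, "reasons": reasons})
    return findings


# The page's vulnerable policy, verbatim.
VULNERABLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["iam:PassRole", "sagemaker:CreateNotebookInstance",
                 "sagemaker:CreatePresignedNotebookInstanceUrl"],
      "Resource": "*" }
  ]
}
""")

# Hardened form: PassRole limited to one named execution role (placeholder name)
# and only when the recipient is SageMaker; the SageMaker actions stay separate.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/sagemaker-execution-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
        {"Effect": "Allow",
         "Action": ["sagemaker:CreateNotebookInstance",
                    "sagemaker:CreatePresignedNotebookInstanceUrl"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(find_passrole_escalations(policy), indent=2))
```

The check is deliberately per statement: a PassedToService condition on one statement does not protect a second, unconditioned PassRole grant elsewhere in the same policy, and a PassRole grant conditioned on ec2.amazonaws.com is simply not reachable from the SageMaker sink, so it is not reported for it.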

Example exploitation

For illustration only — run against accounts you own or are authorized to test.

aws sagemaker create-notebook-instance \
  --notebook-instance-name esc \
  --instance-type ml.t2.medium \
  --role-arn arn:aws:iam::123456789012:role/privileged-role

How to detect and prevent it

  • Scope iam:PassRole to specific roles and add iam:PassedToService = sagemaker.amazonaws.com.
  • Restrict sagemaker:CreateNotebookInstance to the data-science teams that need it.
  • Use least-privilege SageMaker execution roles so a notebook cannot reach beyond its datasets.
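The bullets above are preventive; for the detection side, here is an added Python example (not Shieldly code) that runs over CloudTrail records. It alerts on every sagemaker CreateNotebookInstance call whose roleArn is outside an approved set of execution roles, marks whether the same caller then requested a presigned URL for that notebook (the step that opens the interactive shell), and keeps AccessDenied attempts as their own signal. The approved-role ARN and the sample records are constructed for this example; the field names (eventSource, eventName, userIdentity.arn, requestParameters.roleArn, requestParameters.notebookInstanceName, errorCode) follow CloudTrail's usual layout.

```python
import json

# Execution roles data-science teams are expected to pass to SageMaker.
# Placeholder ARN; in a real deployment this comes from your own inventory.
APPROVED_ROLES = {"arn:aws:iam::123456789012:role/sagemaker-execution-role"}


def notebook_passrole_alerts(events, approved_roles=APPROVED_ROLES):
    """Flag CreateNotebookInstance calls that pass a non-approved role.

    Each alert records whether the call was denied and whether the same caller
    later called CreatePresignedNotebookInstanceUrl for that notebook.
    `events` is an iterable of CloudTrail records as dicts."""
    sagemaker_events = sorted(
        (e for e in events if e.get("eventSource") == "sagemaker.amazonaws.com"),
        key=lambda e: e.get("eventTime", ""),
    )
    alerts = {}  # keyed by (caller ARN, notebook name) so the URL step can be correlated
    for ev in sagemaker_events:
        params = ev.get("requestParameters") or {}
        caller = (ev.get("userIdentity") or {}).get("arn")
        name = params.get("notebookInstanceName")
        if ev.get("eventName") == "CreateNotebookInstance":
            role = params.get("roleArn")
            if role not in approved_roles:
                alerts[(caller, name)] = {
                    "time": ev.get("eventTime"),
                    "caller": caller,
                    "notebook": name,
                    "role": role,
                    "denied": "errorCode" in ev,   # blocked attempts are still worth a look
                    "shell_opened": False,
                }
        elif ev.get("eventName") == "CreatePresignedNotebookInstanceUrl":
            if (caller, name) in alerts and "errorCode" not in ev:
                alerts[(caller, name)]["shell_opened"] = True
    return list(alerts.values())


# Constructed sample CloudTrail records (not real log data), trimmed to the
# fields the detector reads. User names are placeholders; the notebook name
# and privileged-role ARN mirror the page's exploitation example.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "sagemaker.amazonaws.com",
     "eventName": "CreateNotebookInstance",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"},
     "requestParameters": {"notebookInstanceName": "weekly-report", "instanceType": "ml.t2.medium",
                           "roleArn": "arn:aws:iam::123456789012:role/sagemaker-execution-role"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "sagemaker.amazonaws.com",
     "eventName": "CreateNotebookInstance",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"notebookInstanceName": "esc", "instanceType": "ml.t2.medium",
                           "roleArn": "arn:aws:iam::123456789012:role/privileged-role"}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "sagemaker.amazonaws.com",
     "eventName": "CreatePresignedNotebookInstanceUrl",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"notebookInstanceName": "esc"}},
    {"eventTime": "2024-01-01T10:10:00Z", "eventSource": "sagemaker.amazonaws.com",
     "eventName": "CreateNotebookInstance", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/denied"},
     "requestParameters": {"notebookInstanceName": "blocked",
                           "roleArn": "arn:aws:iam::123456789012:role/privileged-role"}},
]

if __name__ == "__main__":
    print(json.dumps(notebook_passrole_alerts(SAMPLE_EVENTS), indent=2))
```

Because the allow-list is on the passed role rather than on the caller, the rule keeps working when a new team member legitimately creates notebooks, and it catches the case the page describes even when the caller's IAM policy technically permitted it.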

FAQ

Is this different from PassRole + EC2?

It is the same pattern — pass a privileged role to a compute service you control, then read its credentials. SageMaker notebooks just give you the interactive shell directly. The fix is identical: scope PassRole and add a PassedToService condition.


Check your IAM policies for this — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.