
AWS Privilege Escalation via iam:PassRole

Principal LAB modeling deterministic AWS privilege escalation through iam:PassRole combined with compute service creation or update capability.

Status: Principal
Shield Finding: shield-passrole-001
Aegis Signal: IDENTITY_DRIFT_DETECTED
Authority: OPA

Overview

This lab teaches how a low-privilege AWS principal gains a deterministic privilege escalation path whenever it can pass a higher-privilege execution role to a compute service such as Lambda.

Lab properties: Read-only, Deterministic, Shield-linked, Aegis Runtime-linked

Concept Deep Dives

These concepts are worth expanding on when teaching iam:PassRole escalation to students, interns, or executives.

What is iam:PassRole?

iam:PassRole allows a principal to pass an IAM role to an AWS service. By itself, it does not execute code, but it becomes dangerous when combined with a service action such as creating or updating Lambda, EC2, ECS, Glue, or other compute resources.

Why does compute creation matter?

If a low-privilege identity can create or update a compute service and pass a higher-privilege role to it, the service may run with permissions the original identity could not directly use.

Why is this privilege escalation?

The escalation path is created by permission composition: PassRole plus service-control capability. The attacker does not need AdministratorAccess directly; they only need the ability to cause a trusted service to assume a stronger role.

What should executives understand?

iam:PassRole risk is a governance problem, not only a technical misconfiguration. Teams must review which identities can pass powerful roles and which services those identities can create or modify.

Identity Path

Low-Privilege Principal
    →
iam:PassRole
    →
Compute Service Creation or Update
    →
High-Privilege Execution Role
    →
Expanded Permissions / Administrative Blast Radius

Shield Detection

What Shield Detects

  • Principal has iam:PassRole
  • Principal can pass a role with broader privileges
  • Principal can create or update a service that accepts an execution role
  • The resulting path creates deterministic privilege escalation risk
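The composition rule from "Why is this privilege escalation?" and the Shield checks above, as an added example written for this page (it is not Shield's code and not one of the lab's source artifacts): a small evaluator that reads an IAM policy document and reports a finding only when iam:PassRole and a compute create/update action are both granted. The sink action list, the sample policies, the account id and the role name are constructed for illustration; the "broader privileges" check is not modeled, the evaluator only reports which roles are passable and whether PassRole is unscoped.

```python
import fnmatch

# Compute actions that accept an execution role. Any of these granted together
# with iam:PassRole is the composition this lab describes. Illustrative set.
PASSROLE_SINKS = {
    "lambda:CreateFunction", "lambda:UpdateFunctionConfiguration",
    "ec2:RunInstances", "ecs:RegisterTaskDefinition", "glue:CreateJob",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allow_grants(policy):
    """Yield (action_pattern, resource) pairs from Allow statements.
    Limitation: Deny, NotAction and Condition blocks are not modeled."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt.get("Resource", "*")):
                yield action, resource

def evaluate_passrole_path(policy):
    """Return a finding when iam:PassRole and a compute sink are both granted,
    otherwise None (a single capability alone is not an escalation path)."""
    grants = list(allow_grants(policy))
    passable = sorted({r for a, r in grants if _matches(a, "iam:PassRole")})
    sinks = sorted({s for s in PASSROLE_SINKS for a, _ in grants if _matches(a, s)})
    if not passable or not sinks:
        return None
    return {
        "finding_id": "shield-passrole-001",
        "title": "Privilege Escalation Path via iam:PassRole Detected",
        "passable_roles": passable,           # roles the principal may pass
        "unscoped_passrole": "*" in passable,  # PassRole on any role at all
        "compute_sinks": sinks,               # services a passed role would run in
    }

# Constructed sample policies; account id and role name are placeholders.
RISKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::123456789012:role/data-pipeline-admin"}]}
SAFE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:GetFunction", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}
```

SAFE_POLICY has PassRole but no compute sink, so it yields no finding; RISKY_POLICY yields the shield-passrole-001 contract with the Lambda sinks listed.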

Finding Contract

Title: Privilege Escalation Path via iam:PassRole Detected
Finding ID: shield-passrole-001

Aegis Runtime Mapping

This lab maps to Aegis Runtime / Decision Intelligence as a bounded identity integrity signal.

Expected Signal

IDENTITY_DRIFT_DETECTED

Decision Boundary

Runtime = source of truth
OPA = decision authority
Aegis = bounded intelligence
Frontend = rendering only

Governance Boundary

This lab is read-only and deterministic.

  • Does not exploit AWS
  • Does not mutate a customer environment
  • Does not deploy live infrastructure
  • Does not pass a real AWS role
  • Does not execute remediation
  • Does not override OPA
  • Does not treat Aegis as enforcement authority

Source Artifacts

  • metadata.json: Lab identity and maturity metadata
  • architecture.md: Privilege path and deterministic reasoning
  • runtime-mapping.json: Aegis Runtime linkage contract
  • Phase 13 evidence: Principal LAB lock record