
AWS · Identity · Role Chaining

AWS Role Chaining Escalation

Principal LAB modeling deterministic AWS privilege expansion through chained sts:AssumeRole paths across multiple IAM roles.

Status: Principal
Shield Finding: shield-rolechain-001
Aegis Signal: IDENTITY_DRIFT_DETECTED
Authority: OPA

Overview

This lab teaches how chained IAM role trust relationships can create a transitive privilege path that is not obvious from the initial principal alone.

Tags: Read-only · Deterministic · Shield-linked · Aegis Runtime-linked

Concept Deep Dives

Expand these concepts when teaching chained role assumptions and transitive identity risk.

What is role chaining?

Role chaining occurs when temporary credentials from one assumed role are used to assume another role. This can create multi-step privilege paths that are hard to see from any single policy document.

Why does transitive trust matter?

A role may look safe in isolation, but its reachable downstream roles can expand effective authority. Reviewers must evaluate the chain, not only the first assumption.

What is session context?

Session context includes attributes of the assumed role session, such as session name, tags, source identity, MFA context, and duration. These details help explain who assumed what and under which conditions.
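To show how session context answers "who assumed what, and under which conditions", here is an added example (not the lab's own code) that reconstructs sts:AssumeRole chains from audit records. The records are constructed and use a simplified CloudTrail-like layout (userIdentity, requestParameters, responseElements); the field shape, the account id, the role and user names are all assumptions. It walks each session back to its originating principal, reports the source identity and MFA state along the way, and flags a chained hop that requests more than the one-hour session AWS allows for role chaining, and an origin that set no source identity.

```python
"""Reconstruct sts:AssumeRole chains from constructed audit events (added example)."""
ACCOUNT = "123456789012"            # constructed sample account id
MAX_CHAINED_SESSION_SECONDS = 3600  # AWS caps sessions obtained through role chaining at one hour


def assumed_role_arn(role: str, session: str) -> str:
    return f"arn:aws:sts::{ACCOUNT}:assumed-role/{role}/{session}"


def role_arn(name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT}:role/{name}"


# Constructed events in a simplified CloudTrail-like shape (assumption, not a schema).
EVENTS = [
    {   # hop 1: an IAM user assumes IntermediateRole and sets a source identity
        "eventTime": "2024-01-01T10:00:00Z", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/dev-alice"},
        "requestParameters": {"roleArn": role_arn("IntermediateRole"), "roleSessionName": "alice-dev",
                              "sourceIdentity": "dev-alice", "durationSeconds": 3600},
        "responseElements": {"assumedRoleUser": {"arn": assumed_role_arn("IntermediateRole", "alice-dev")}},
    },
    {   # hop 2: the IntermediateRole session assumes PrivilegedRole (role chaining)
        "eventTime": "2024-01-01T10:05:00Z", "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole", "arn": assumed_role_arn("IntermediateRole", "alice-dev"),
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {"roleArn": role_arn("PrivilegedRole"), "roleSessionName": "alice-dev",
                              "durationSeconds": 7200},
        "responseElements": {"assumedRoleUser": {"arn": assumed_role_arn("PrivilegedRole", "alice-dev")}},
    },
    {   # unrelated single-hop assumption by another user, with no source identity
        "eventTime": "2024-01-01T11:00:00Z", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
        "requestParameters": {"roleArn": role_arn("AuditRole"), "roleSessionName": "bob-audit",
                              "durationSeconds": 3600},
        "responseElements": {"assumedRoleUser": {"arn": assumed_role_arn("AuditRole", "bob-audit")}},
    },
]


def reconstruct_chains(events):
    """Return one chain record per AssumeRole event, keyed by the resulting session ARN."""
    by_session = {e["responseElements"]["assumedRoleUser"]["arn"]: e
                  for e in events if e["eventName"] == "AssumeRole"}
    chains = {}
    for session_arn, event in by_session.items():
        hops, cursor, seen = [], event, set()
        # Walk back: a caller of type AssumedRole is itself the product of an earlier AssumeRole.
        while cursor is not None and id(cursor) not in seen:
            seen.add(id(cursor))
            hops.append(cursor)
            ident = cursor["userIdentity"]
            cursor = by_session.get(ident["arn"]) if ident["type"] == "AssumedRole" else None
        hops.reverse()  # origin principal first
        origin = hops[0]
        warnings = []
        if len(hops) > 1 and hops[-1]["requestParameters"].get("durationSeconds", 0) > MAX_CHAINED_SESSION_SECONDS:
            warnings.append("chained hop requested a session longer than the role-chaining limit")
        if "sourceIdentity" not in origin["requestParameters"]:
            warnings.append("no sourceIdentity set at origin; downstream sessions are hard to attribute")
        chains[session_arn] = {
            "origin": origin["userIdentity"]["arn"],
            "source_identity": origin["requestParameters"].get("sourceIdentity"),
            "roles": [h["requestParameters"]["roleArn"] for h in hops],
            "depth": len(hops),
            # MFA state as recorded on each chained (non-origin) hop's session context
            "mfa_on_chained_hops": [h["userIdentity"].get("sessionContext", {}).get("attributes", {})
                                    .get("mfaAuthenticated") for h in hops[1:]],
            "warnings": warnings,
        }
    return chains


if __name__ == "__main__":
    for session, chain in reconstruct_chains(EVENTS).items():
        print(session, "<-", chain["origin"], "depth", chain["depth"], chain["warnings"])
```

The record for the PrivilegedRole session shows the full path back to dev-alice even though that event's caller is only the IntermediateRole session, which is exactly the transitive view a single event does not give.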

What should executives understand?

Role chaining is identity-path risk. It can turn individually approved roles into an unintended escalation route when the relationships are evaluated together.

Identity Path

Low-Privilege Principal
    →
sts:AssumeRole into IntermediateRole
    →
sts:AssumeRole into PrivilegedRole
    →
Expanded Permissions / Administrative Blast Radius

Shield Detection

What Shield Detects

  • Initial principal can assume an intermediate role
  • Intermediate role can assume a downstream privileged role
  • Downstream role has broader permissions
  • The transitive path expands blast radius
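The four detection conditions above, and the role-chaining and transitive-trust concepts from the deep dives, amount to a reachability search over a trust graph. The following is an added example (not Shield's implementation) over a constructed IAM snapshot: a caller can assume a role when the role's trust policy names the caller explicitly, or when the trust policy trusts the account root and the caller's own identity policy grants sts:AssumeRole on that role (a simplified model of AWS evaluation, stated here as an assumption). Permissions are a flat set of action patterns, also a simplification; the account id, role and user names are constructed.

```python
"""Deterministic sts:AssumeRole chain finder over a constructed IAM snapshot (added example)."""
from dataclasses import dataclass

ACCOUNT = "123456789012"           # constructed sample account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
MAX_CHAIN_DEPTH = 4                # bound the search; each hop that expands permissions is reported


def role_arn(name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT}:role/{name}"


@dataclass(frozen=True)
class Role:
    name: str
    trusted: frozenset         # ARNs allowed by the trust policy (explicit ARNs or the account root)
    assume_targets: frozenset  # role ARNs this role's identity policy allows sts:AssumeRole on
    actions: frozenset         # effective action patterns (simplified permission model)

    @property
    def arn(self) -> str:
        return role_arn(self.name)


def can_assume(caller_arn: str, caller_assume_targets: frozenset, target: Role) -> bool:
    """Simplified trust evaluation: explicit trust, or root trust plus an identity-policy grant."""
    if caller_arn in target.trusted:
        return True
    return ROOT in target.trusted and target.arn in caller_assume_targets


def find_escalation_paths(start_arn, start_assume_targets, start_actions, roles):
    """Return every simple chain from start_arn whose final role adds actions the start lacks."""
    findings = []

    def walk(caller_arn, caller_targets, path):
        if len(path) > MAX_CHAIN_DEPTH:
            return
        for role in roles:
            # Skip roles already on the path (no cycles) and roles the caller cannot assume.
            if role.arn in path or not can_assume(caller_arn, caller_targets, role):
                continue
            new_path = path + [role.arn]
            gained = role.actions - start_actions
            if gained:
                findings.append({"path": new_path, "gained_actions": sorted(gained)})
            # A session of this role is matched by trust policies naming the role ARN.
            walk(role.arn, role.assume_targets, new_path)

    walk(start_arn, start_assume_targets, [start_arn])
    return findings


# Constructed snapshot: a root-trusted intermediate role, a privileged role that trusts only the
# intermediate role, and an audit role nobody in the sample can reach.
ROLES = [
    Role("IntermediateRole", trusted=frozenset({ROOT}), assume_targets=frozenset(),
         actions=frozenset({"s3:GetObject", "s3:ListBucket"})),
    Role("PrivilegedRole", trusted=frozenset({role_arn("IntermediateRole")}), assume_targets=frozenset(),
         actions=frozenset({"iam:*", "s3:*"})),
    Role("AuditRole", trusted=frozenset({ROOT}), assume_targets=frozenset(),
         actions=frozenset({"cloudtrail:LookupEvents"})),
]
DEV_USER = f"arn:aws:iam::{ACCOUNT}:user/dev-alice"
DEV_ASSUME_TARGETS = frozenset({role_arn("IntermediateRole")})
DEV_ACTIONS = frozenset({"s3:GetObject"})


def escalation_findings():
    """Chains from the low-privilege user whose downstream role broadens its permissions."""
    return find_escalation_paths(DEV_USER, DEV_ASSUME_TARGETS, DEV_ACTIONS, ROLES)


if __name__ == "__main__":
    for finding in escalation_findings():
        print(" -> ".join(finding["path"]), "gains", finding["gained_actions"])
```

Reviewing PrivilegedRole's trust policy alone shows only that IntermediateRole may assume it; the two-hop finding only appears once the search starts from the low-privilege principal and follows every reachable trust edge.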

Finding Contract

Role Chaining Escalation Path Detected
shield-rolechain-001

Aegis Runtime Mapping

This lab maps to Aegis Runtime / Decision Intelligence as a bounded identity integrity signal.

Expected Signal

IDENTITY_DRIFT_DETECTED

Decision Boundary

Runtime = source of truth
OPA = decision authority
Aegis = bounded intelligence
Frontend = rendering only

Governance Boundary

This lab is read-only and deterministic.

  • Does not exploit AWS
  • Does not mutate a customer environment
  • Does not deploy live infrastructure
  • Does not assume a real AWS role
  • Does not execute remediation
  • Does not override OPA
  • Does not treat Aegis as enforcement authority

Source Artifacts

metadata.json: Lab identity and maturity metadata
architecture.md: Role chain and deterministic reasoning
runtime-mapping.json: Aegis Runtime linkage contract
shield-rolechain-001: Reserved Intelligence Core finding