AddRoleToInstanceProfile
AWS
AddRoleToInstanceProfile
Event
Adds an IAM role to an EC2 instance profile, enabling EC2 instances to assume that role and access AWS services.
Security Context
- Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
- Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.
Log Source
CloudTrail
Sample Event
Adversarial. Draco has compromised an IAM principal that holds iam:AddRoleToInstanceProfile and iam:PassRole. He swaps a higher-privilege role (GraphornAdminRole) into an existing OCCAMY pipeline instance profile so that any EC2 instance using that profile silently inherits admin permissions. The instance profile previously held a least-privileged pipeline role; the change is invisible at runtime aside from the profile-association timestamp.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T19:55:46Z", "eventSource": "iam.amazonaws.com", "eventName": "AddRoleToInstanceProfile", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "instanceProfileName": "OccamyPipelineInstanceProfile", "roleName": "GraphornAdminRole" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000001100110", "eventID": "90000000-0000-4000-8000-000001100111", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence Stealth
Techniques:
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...