Skip to content

AddRoleToInstanceProfile

AWS

AddRoleToInstanceProfile

service: AWS - IAM
techniques:

Event

Adds an IAM role to an EC2 instance profile, enabling EC2 instances to assume that role and access AWS services.

Security Context

  • Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
  • Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.

Log Source

CloudTrail

Sample Event

Adversarial. Draco has compromised an IAM principal that holds iam:AddRoleToInstanceProfile and iam:PassRole. He swaps a higher-privilege role (GraphornAdminRole) into an existing OCCAMY pipeline instance profile so that any EC2 instance using that profile silently inherits admin permissions. The instance profile previously held a least-privileged pipeline role; the change is invisible at runtime aside from the profile-association timestamp.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:55:46Z",
"eventSource": "iam.amazonaws.com",
"eventName": "AddRoleToInstanceProfile",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"instanceProfileName": "OccamyPipelineInstanceProfile",
"roleName": "GraphornAdminRole"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000001100110",
"eventID": "90000000-0000-4000-8000-000001100111",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Persistence Stealth

Techniques:
  • T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...