AssociateIamInstanceProfile
Event
Associates an IAM instance profile with an EC2 instance, potentially attaching a high-privilege role to an attacker-controlled instance.
Security Context
- Attaching an IAM instance profile grants the EC2 instance all permissions of the associated role, enabling an attacker with instance access to escalate privileges by associating a more powerful role.
- This technique is commonly used after gaining initial access to an EC2 instance to pivot from limited instance permissions to broader account-level access.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.