PassRole
PassRole
Event
Allows a principal to pass an IAM role to an AWS service, granting the service permission to assume that role on their behalf.
Security Context
- Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
- Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.
Log Source
CloudTrail
Sample Event
Adversarial — privilege escalation. Draco has iam:PassRole for GraphornAdminRole and ec2:RunInstances. He launches an EC2 with that role attached as the instance profile, then SSHes into the instance and uses the now-attached IMDS credentials to act as the GRAPHORN admin role — a classic IAM privesc that bypasses all the IAM-user MFA controls. T1548 + T1078.004.
Note for SME: PassRole does not generate a standalone CloudTrail event — this draft therefore models the carrier event (RunInstances) where the PassRole authorization happens. The persona doc may want a follow-up note clarifying this for any future PassRole-related events.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T21:42:08Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T23:03:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "instancesSet": { "items": [ { "imageId": "ami-0occamy0base000001", "minCount": 1, "maxCount": 1 } ] }, "instanceType": "t3.medium", "iamInstanceProfile": { "arn": "arn:aws:iam::555123456789:instance-profile/GraphornAdminInstanceProfile", "name": "GraphornAdminInstanceProfile" } }, "responseElements": { "requestId": "90000000-0000-4000-8000-000101011010", "instancesSet": { "items": [ { "instanceId": "i-0draco0privesc00666", "imageId": "ami-0occamy0base000001", "instanceState": { "code": 0, "name": "pending" }, "instanceType": "t3.medium", "iamInstanceProfile": { "arn": "arn:aws:iam::555123456789:instance-profile/GraphornAdminInstanceProfile", "id": "AIPAGRAPH0RNINSTPR0F" } } ] } }, "requestID": "90000000-0000-4000-8000-000101011010", "eventID": "90000000-0000-4000-8000-000101011011", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence Stealth
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...