ReplaceIamInstanceProfileAssociation
AWS
ReplaceIamInstanceProfileAssociation
Event
Replaces the IAM instance profile associated with a running EC2 instance with a different one.
Security Context
- Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
- Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — using credentials from a session he established on an EC2 instance he was authorized to interact with — replaces the legacy OccamyPipelineRole instance profile on i-0occamy0000000001 with the elevated GraphornAdminRole instance profile. Once attached, any process on the instance reading IMDS gets admin-equivalent credentials. Requires iam:PassRole on the target profile + ec2:ReplaceIamInstanceProfileAssociation. T1548 (privesc through abusing elevation control mechanism).
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T19:48:33Z", "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceIamInstanceProfileAssociation", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "ReplaceIamInstanceProfileAssociationRequest": { "AssociationId": "iip-assoc-0graph0rnasc00001", "IamInstanceProfile": { "Arn": "arn:aws:iam::555123456789:instance-profile/GraphornAdminRole" } } }, "responseElements": { "ReplaceIamInstanceProfileAssociationResponse": { "iamInstanceProfileAssociation": { "associationId": "iip-assoc-0graph0rnasc00010", "instanceId": "i-0occamy0000000001", "iamInstanceProfile": { "arn": "arn:aws:iam::555123456789:instance-profile/GraphornAdminRole", "id": "AIPAGRAPH0RN1NSTPR0F1" }, "state": "associating", "timestamp": "2026-04-15T19:48:33Z" } } }, "requestID": "90000000-0000-4000-8000-000110011110", "eventID": "90000000-0000-4000-8000-000110011111", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence Stealth
Techniques:
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...