Skip to content

ReplaceIamInstanceProfileAssociation

AWS

ReplaceIamInstanceProfileAssociation

service: AWS - EC2
techniques:

Event

Replaces the IAM instance profile associated with a running EC2 instance with a different one.

Security Context

  • Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
  • Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.

Log Source

CloudTrail

Sample Event

Adversarial. Draco — using credentials from a session he established on an EC2 instance he was authorized to interact with — replaces the legacy OccamyPipelineRole instance profile on i-0occamy0000000001 with the elevated GraphornAdminRole instance profile. Once attached, any process on the instance reading IMDS gets admin-equivalent credentials. Requires iam:PassRole on the target profile + ec2:ReplaceIamInstanceProfileAssociation. T1548 (privesc through abusing elevation control mechanism).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:48:33Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "ReplaceIamInstanceProfileAssociation",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"ReplaceIamInstanceProfileAssociationRequest": {
"AssociationId": "iip-assoc-0graph0rnasc00001",
"IamInstanceProfile": {
"Arn": "arn:aws:iam::555123456789:instance-profile/GraphornAdminRole"
}
}
},
"responseElements": {
"ReplaceIamInstanceProfileAssociationResponse": {
"iamInstanceProfileAssociation": {
"associationId": "iip-assoc-0graph0rnasc00010",
"instanceId": "i-0occamy0000000001",
"iamInstanceProfile": {
"arn": "arn:aws:iam::555123456789:instance-profile/GraphornAdminRole",
"id": "AIPAGRAPH0RN1NSTPR0F1"
},
"state": "associating",
"timestamp": "2026-04-15T19:48:33Z"
}
}
},
"requestID": "90000000-0000-4000-8000-000110011110",
"eventID": "90000000-0000-4000-8000-000110011111",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Persistence Stealth

Techniques:
  • T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...