This page lists the unique sets of permissions that could allow one AWS IAM principal to either escalate their own privileges or access another AWS IAM principal.
| Path ID | Path Name | Category | OSS Detection |
|---|---|---|---|
| APPRUNNER-001 | iam:PassRole + apprunner:CreateService | New Passrole | — |
| APPRUNNER-002 | apprunner:UpdateService | Existing Passrole | — |
| BEDROCK-001 | iam:PassRole + bedrock-agentcore:CreateCodeInterpreter + bedrock-agentcore:StartCodeInterpreterSession + bedrock-agentcore:InvokeCodeInterpreter | New Passrole | PR |
| BEDROCK-002 | bedrock-agentcore:StartCodeInterpreterSession + bedrock-agentcore:InvokeCodeInterpreter | Existing Passrole | — |
| CLOUDFORMATION-001 | iam:PassRole + cloudformation:CreateStack | New Passrole | PM, CS, PR |
| CLOUDFORMATION-002 | cloudformation:UpdateStack | Existing Passrole | PM |
| CLOUDFORMATION-003 | iam:PassRole + cloudformation:CreateStackSet + cloudformation:CreateStackInstances | New Passrole | — |
| CLOUDFORMATION-004 | iam:PassRole + cloudformation:UpdateStackSet | New Passrole | — |
| CLOUDFORMATION-005 | cloudformation:CreateChangeSet + cloudformation:ExecuteChangeSet | New Passrole | PM |
| CODEBUILD-001 | iam:PassRole + codebuild:CreateProject + codebuild:StartBuild | New Passrole | PM |
| CODEBUILD-002 | codebuild:StartBuild | Existing Passrole | PM |
| CODEBUILD-003 | codebuild:StartBuildBatch | Existing Passrole | PM |
| CODEBUILD-004 | iam:PassRole + codebuild:CreateProject + codebuild:StartBuildBatch | New Passrole | PM |
| DATAPIPELINE-001 | iam:PassRole + datapipeline:CreatePipeline + datapipeline:PutPipelineDefinition + datapipeline:ActivatePipeline | New Passrole | PR |
| EC2-001 | iam:PassRole + ec2:RunInstances | New Passrole | PM, PA, CS, PR |
| EC2-002 | ec2:ModifyInstanceAttribute + ec2:StopInstances + ec2:StartInstances | Existing Passrole | — |
| EC2-003 | iam:PassRole + ec2:RequestSpotInstances | New Passrole | — |
| EC2-004 | ec2:CreateLaunchTemplateVersion + ec2:ModifyLaunchTemplate | Existing Passrole | — |
| EC2INSTANCECONNECT-003 | ec2-instance-connect:SendSSHPublicKey | Existing Passrole | — |
| ECS-001 | iam:PassRole + ecs:CreateCluster + ecs:RegisterTaskDefinition + ecs:CreateService | New Passrole | — |
| ECS-002 | iam:PassRole + ecs:CreateCluster + ecs:RegisterTaskDefinition + ecs:RunTask | New Passrole | — |
| ECS-003 | iam:PassRole + ecs:RegisterTaskDefinition + ecs:CreateService | New Passrole | — |
| ECS-004 | iam:PassRole + ecs:RegisterTaskDefinition + ecs:RunTask | New Passrole | — |
| ECS-005 | iam:PassRole + ecs:RegisterTaskDefinition + ecs:StartTask | New Passrole | — |
| GLUE-001 | iam:PassRole + glue:CreateDevEndpoint | New Passrole | CS, PR |
| GLUE-002 | glue:UpdateDevEndpoint | Existing Passrole | CS, PA, PR |
| GLUE-003 | iam:PassRole + glue:CreateJob + glue:StartJobRun | New Passrole | — |
| GLUE-004 | iam:PassRole + glue:CreateJob + glue:CreateTrigger | New Passrole | — |
| GLUE-005 | iam:PassRole + glue:UpdateJob + glue:StartJobRun | New Passrole | — |
| GLUE-006 | iam:PassRole + glue:UpdateJob + glue:CreateTrigger | New Passrole | — |
| IAM-001 | iam:CreatePolicyVersion | Self Escalation | CS, PA, PR |
| IAM-002 | iam:CreateAccessKey | Principal Access | PM, CS, PA, PR |
| IAM-003 | iam:CreateAccessKey + iam:DeleteAccessKey | Principal Access | PM |
| IAM-004 | iam:CreateLoginProfile | Principal Access | PM, CS, PA, PR |
| IAM-005 | iam:PutRolePolicy | Self Escalation | CS, PA, PR |
| IAM-006 | iam:UpdateLoginProfile | Principal Access | PM, CS, PA, PR |
| IAM-007 | iam:PutUserPolicy | Self Escalation | CS, PA, PR |
| IAM-008 | iam:AttachUserPolicy | Self Escalation | CS, PA, PR |
| IAM-009 | iam:AttachRolePolicy | Self Escalation | CS, PA, PR |
| IAM-010 | iam:AttachGroupPolicy | Self Escalation | CS, PA, PR |
| IAM-011 | iam:PutGroupPolicy | Self Escalation | CS, PA, PR |
| IAM-012 | iam:UpdateAssumeRolePolicy | Principal Access | PM, CS, PA, PR |
| IAM-013 | iam:AddUserToGroup | Self Escalation | CS, PA, PR |
| IAM-014 | iam:AttachRolePolicy + sts:AssumeRole | Principal Access | CS, PA, PR |
| IAM-015 | iam:AttachUserPolicy + iam:CreateAccessKey | Principal Access | — |
| IAM-016 | iam:CreatePolicyVersion + sts:AssumeRole | Principal Access | — |
| IAM-017 | iam:PutRolePolicy + sts:AssumeRole | Principal Access | PR |
| IAM-018 | iam:PutUserPolicy + iam:CreateAccessKey | Principal Access | — |
| IAM-019 | iam:AttachRolePolicy + iam:UpdateAssumeRolePolicy | Principal Access | — |
| IAM-020 | iam:CreatePolicyVersion + iam:UpdateAssumeRolePolicy | Principal Access | — |
| IAM-021 | iam:PutRolePolicy + iam:UpdateAssumeRolePolicy | Principal Access | — |
| LAMBDA-001 | iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction | New Passrole | CS, PR |
| LAMBDA-002 | iam:PassRole + lambda:CreateFunction + lambda:CreateEventSourceMapping | New Passrole | PA |
| LAMBDA-003 | lambda:UpdateFunctionCode | Existing Passrole | PM, CS, PA, PR |
| LAMBDA-004 | lambda:UpdateFunctionCode + lambda:InvokeFunction | Existing Passrole | PA, PR |
| LAMBDA-005 | lambda:UpdateFunctionCode + lambda:AddPermission | Existing Passrole | — |
| LAMBDA-006 | iam:PassRole + lambda:CreateFunction + lambda:AddPermission | New Passrole | PA |
| SAGEMAKER-001 | iam:PassRole + sagemaker:CreateNotebookInstance | New Passrole | PM |
| SAGEMAKER-002 | iam:PassRole + sagemaker:CreateTrainingJob | New Passrole | PM |
| SAGEMAKER-003 | iam:PassRole + sagemaker:CreateProcessingJob | New Passrole | PM |
| SAGEMAKER-004 | sagemaker:CreatePresignedNotebookInstanceUrl | Existing Passrole | — |
| SAGEMAKER-005 | sagemaker:CreateNotebookInstanceLifecycleConfig + sagemaker:StopNotebookInstance + sagemaker:UpdateNotebookInstance + sagemaker:StartNotebookInstance | Existing Passrole | — |
| SSM-001 | ssm:StartSession | Existing Passrole | PM |
| SSM-002 | ssm:SendCommand | Existing Passrole | PM |
| STS-001 | sts:AssumeRole | Principal Access | PM |