AWS privilege escalation rarely involves a single dramatic vulnerability. The interesting paths tend to involve a sequence of permissions that, taken individually, look entirely reasonable. The classic example is a user who can pass roles to compute services. That single permission, combined with the ability to launch an EC2 instance or create a Lambda function, opens a route to run code with the privileges of any role the user can pass. The permission set looks fine on paper. The path to administrator is two hops away.
iam:PassRole Is The Quiet Killer
PassRole permissions are necessary for many legitimate workflows: Lambda functions are created with execution roles, and EC2 instances are launched with instance profiles. The problem is that PassRole with a broad resource scope effectively lets the holder elevate to the privileges of any role they can pass. A user with PassRole on every role in the account is one step away from administrator, even if their own permissions are otherwise minimal. A focused AWS pen testing engagement should map every PassRole permission and the roles it covers.
CloudFormation Hides Permission Chains
Infrastructure as code is wonderful for repeatability, and also a frequent route to accidental privilege escalation. A user who can submit a CloudFormation stack gets the effective permissions of whatever service role the stack is deployed with. If the deployment role has administrator permissions, the user inherits administrator capabilities through the stack interface even though their direct IAM policy never granted those permissions. Limit deployment role scope to what stacks actually need to create.
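Both chains described above (PassRole into a compute service, and stack submission under a privileged deployment role) can be checked mechanically rather than by reading policy lines one at a time. The following Python is an added example, not code from this article or from any AWS tool: it evaluates an IAM policy document against a constructed role inventory and reports every (compute action, role) pair the policy can chain together, honouring explicit Deny statements and the iam:PassedToService condition. The role ARNs, the trust and privilege metadata, the two policies, and the mapping from each action to the service principal that receives the role are all this example's assumptions; real accounts would feed it policies and trust documents pulled from IAM.

```python
import fnmatch

# Compute-style actions that execute code under a passed role, mapped to the
# service principal the role's trust policy must name. The actions come from
# the article; the mapping is this example's assumption, not an AWS table.
PASS_TARGETS = {
    "ec2:RunInstances": "ec2.amazonaws.com",
    "lambda:CreateFunction": "lambda.amazonaws.com",
    "cloudformation:CreateStack": "cloudformation.amazonaws.com",
}

# Constructed role inventory: ARN -> whether the role is privileged and which
# service principals its trust policy allows to assume it.
ADMIN_ROLE = "arn:aws:iam::123456789012:role/AdminRole"
DEPLOY_ROLE = "arn:aws:iam::123456789012:role/CfnDeployRole"
BUILD_ROLE = "arn:aws:iam::123456789012:role/LambdaBuildRole"
ROLES = {
    ADMIN_ROLE: {"privileged": True, "trusts": ["ec2.amazonaws.com"]},
    DEPLOY_ROLE: {"privileged": True, "trusts": ["cloudformation.amazonaws.com"]},
    BUILD_ROLE: {"privileged": False, "trusts": ["lambda.amazonaws.com"]},
}

# Every line looks defensible on its own; together they are two admin paths.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:RunInstances", "lambda:CreateFunction", "cloudformation:CreateStack"]},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Scoped to one role and one receiving service; no chain reaches a privileged role.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": BUILD_ROLE,
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards (* and ?) are the same as fnmatch's; actions are case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _effects(policy, action, resource=None, service=None):
    """Yield the Effect of each statement matching action (and resource, if given).

    A statement carrying an iam:PassedToService condition only matches when
    `service` is one of the listed principals.
    """
    for stmt in _as_list(policy["Statement"]):
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if resource is not None and not any(
                _matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        passed_to = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if passed_to is not None and service not in _as_list(passed_to):
            continue
        yield stmt.get("Effect")


def allows(policy, action, resource=None, service=None):
    """Explicit Deny wins over Allow, as in IAM policy evaluation."""
    effects = list(_effects(policy, action, resource, service))
    return "Allow" in effects and "Deny" not in effects


def passrole_chains(policy, roles):
    """(compute_action, role_arn) pairs where the policy can pass a privileged
    role into a service that the role actually trusts."""
    chains = []
    for action, service in PASS_TARGETS.items():
        if not allows(policy, action):
            continue
        for arn, meta in roles.items():
            if meta["privileged"] and service in meta["trusts"] \
                    and allows(policy, "iam:PassRole", arn, service):
                chains.append((action, arn))
    return chains


if __name__ == "__main__":
    print("weak:  ", passrole_chains(WEAK_POLICY, ROLES))
    print("scoped:", passrole_chains(SCOPED_POLICY, ROLES))
```

The scoped policy is the fix the two sections argue for: PassRole is limited to a single role ARN and, through iam:PassedToService, to the one service that is supposed to receive it, so even a user who can create Lambda functions cannot hand a deployment or admin role to EC2 or CloudFormation. The trust-policy check matters in the other direction too: a role that only trusts lambda.amazonaws.com is not reachable through RunInstances no matter how broad the PassRole grant is, which is why the analysis needs the role inventory and not just the policy.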
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd

The trick with cloud privilege escalation is that the individual permissions are almost always defensible. A reviewer looking at any single line in the policy can rationalise it. The escalation appears only when you combine the lines, which is why graph-based analysis is so much more useful than reading policies one at a time.
Detection Tells You What Slipped Through
Even with strong preventative controls, you need detection coverage for the privilege escalation paths that slip through. CloudTrail provides the raw events. GuardDuty and equivalent services correlate them into actionable alerts. Tune the detections for your environment, validate them with deliberate testing and respond to the findings within a meaningful timeframe. Detection without response capacity is theatre. It is worth pairing detection investment with playbooks that describe what to do when each kind of alert fires. The team that runs the playbook needs to know what good response looks like before the first incident arrives.
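The raw CloudTrail events this section mentions are enough to build a first detection for the PassRole chains: look for the compute calls that carry a role, and alert when a privileged role is passed by a principal that is not expected to pass it. The Python below is an added example, not code from this article or from GuardDuty; it runs that logic over a constructed CloudTrail "Records" array. The principal and role ARNs, the watch list, the allowlist of expected passers, and the request-parameter paths it reads for each API are assumptions of the example, and the sample records were written to match them.

```python
import json

# Which request parameter names the role handed to the service. These field
# paths are what this example assumes the three APIs record in CloudTrail; the
# sample records below are constructed to match them.
PASSED_ROLE_FIELDS = {
    ("ec2.amazonaws.com", "RunInstances"): ("iamInstanceProfile", "arn"),
    ("lambda.amazonaws.com", "CreateFunction"): ("role",),
    ("cloudformation.amazonaws.com", "CreateStack"): ("roleARN",),
}

# Constructed identifiers. EC2 passes an *instance profile* ARN rather than the
# role ARN, so the watch list needs the profile ARN as well as the role it wraps.
ADMIN_ROLE = "arn:aws:iam::123456789012:role/AdminRole"
ADMIN_PROFILE = "arn:aws:iam::123456789012:instance-profile/AdminRole"
DEPLOY_ROLE = "arn:aws:iam::123456789012:role/CfnDeployRole"
BUILD_ROLE = "arn:aws:iam::123456789012:role/LambdaBuildRole"
CI_PRINCIPAL = "arn:aws:sts::123456789012:assumed-role/CiDeployer/build-42"
DEV_PRINCIPAL = "arn:aws:iam::123456789012:user/dev.alice"

PRIVILEGED_ROLES = {ADMIN_ROLE, ADMIN_PROFILE, DEPLOY_ROLE}
# Principals expected to pass each privileged role; anyone else is a finding.
EXPECTED_PASSERS = {ADMIN_PROFILE: {CI_PRINCIPAL}, DEPLOY_ROLE: {CI_PRINCIPAL}}

# Constructed CloudTrail records, in the shape of a log file's "Records" array.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "userIdentity": {"arn": "%(ci)s"}, "requestParameters": {"iamInstanceProfile": {"arn": "%(adminprof)s"}}},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "userIdentity": {"arn": "%(dev)s"}, "requestParameters": {"iamInstanceProfile": {"arn": "%(adminprof)s"}}},
 {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
  "userIdentity": {"arn": "%(dev)s"}, "requestParameters": {"functionName": "report", "role": "%(build)s"}},
 {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
  "userIdentity": {"arn": "%(dev)s"}, "requestParameters": {"stackName": "x", "roleARN": "%(deploy)s"},
  "errorCode": "AccessDenied"},
 {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"arn": "%(dev)s"}, "requestParameters": {"bucketName": "reports", "key": "q1.csv"}}
]}""" % {"ci": CI_PRINCIPAL, "dev": DEV_PRINCIPAL, "adminprof": ADMIN_PROFILE,
         "build": BUILD_ROLE, "deploy": DEPLOY_ROLE}


def _dig(obj, path):
    """Walk nested dicts; None if any key along the path is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def passed_role(event):
    """ARN of the role or instance profile this event passed to a service, or None."""
    for (source, name), path in PASSED_ROLE_FIELDS.items():
        # Lambda suffixes an API version onto the event name (CreateFunction20150331).
        if event.get("eventSource") == source and event.get("eventName", "").startswith(name):
            return _dig(event.get("requestParameters"), path)
    return None


def detect(events, privileged, expected_passers):
    findings = []
    for ev in events:
        role = passed_role(ev)
        if role is None or role not in privileged:
            continue
        caller = _dig(ev, ("userIdentity", "arn"))
        if caller in expected_passers.get(role, set()):
            continue
        findings.append({
            "time": ev.get("eventTime"), "caller": caller,
            "action": ev.get("eventName"), "role": role,
            # A denied call did not pass the role, but it is still a principal
            # probing a path it should not have; keep it at a lower severity.
            "severity": "medium" if ev.get("errorCode") else "high",
        })
    return findings


def sample_findings():
    return detect(json.loads(SAMPLE_LOG)["Records"], PRIVILEGED_ROLES, EXPECTED_PASSERS)


if __name__ == "__main__":
    for finding in sample_findings():
        print(json.dumps(finding))
```

Against the sample records the CI principal's launch is silently accepted, the developer's launch with the admin instance profile fires as high, the Lambda function with the unprivileged build role is ignored, and the denied CreateStack with the deployment role is kept as a medium-severity probe. The allowlist is the tuning knob the section describes: it is what stops the rule paging on every legitimate pipeline run, and it is also what a playbook should tell the responder to check first when the alert fires.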
Audit Tools Help, Manual Validation Confirms
AWS Access Analyser, ScoutSuite and Prowler all surface candidate paths. Use them to find suspects and then validate by hand whether the path actually produces meaningful escalation. Automated tools are useful for breadth. A capable pen testing company provides the depth that turns alerts into ranked findings with verified impact. The combination beats either approach in isolation.
IAM is the perimeter. The path through it is rarely a single door. Map your hallways. Privilege escalation in the cloud is mostly about mapping. The defences are known. The maps need to actually be drawn. Cloud security is a shared responsibility model in name and a fully owned responsibility model in practice. The configuration choices that matter live on your side of the line, regardless of how the provider markets the platform.