Role Assumption

The AWS mechanism (sts:AssumeRole) that allows one principal to temporarily take on the permissions of an IAM role, commonly exploited for lateral movement and privilege escalation.

Role assumption is a core AWS identity mechanism that allows principals (users, roles, or services) to temporarily acquire the permissions of another IAM role via the sts:AssumeRole API call.

While essential for legitimate AWS operations, role assumption is one of the most common vectors for lateral movement and privilege escalation:

- **Same-account role assumption** — Moving between roles within a single AWS account
- **Cross-account role assumption** — Pivoting between AWS accounts via trust policies
- **Service-linked role assumption** — AWS services assuming roles on behalf of users
- **Role chaining** — Assuming a role that can assume another role, creating chains of access
- **Confused deputy attacks** — Exploiting trust policies that don't properly constrain the source principal

Trust policies define who can assume a role. Common misconfigurations include:

- Overly broad principal specifications (e.g., trusting an entire account instead of specific roles)
- Missing external ID conditions on cross-account roles
- Wildcard conditions that match unintended principals
- Circular trust relationships that allow infinite role chaining
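As an added example (not part of this glossary entry), a Python check that flags the first three trust-policy misconfigurations above in an assume-role policy document. The account IDs, role names and external ID are constructed sample values; only `AWS` principals are checked, service principals are skipped, and a real audit would feed it the `AssumeRolePolicyDocument` returned by `iam:GetRole`.

```python
import json

OWN_ACCOUNT = "111111111111"  # constructed: the account that owns the audited role

# Constructed sample trust policy (in practice: the role's AssumeRolePolicyDocument).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/Deploy"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::333333333333:role/Partner"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "constructed-example-id"}}}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(arn):
    parts = arn.split(":")  # arn:aws:iam::123456789012:root -> index 4 is the account id
    return parts[4] if len(parts) > 4 else None

def _has_external_id(stmt):
    # True if any condition block (StringEquals etc.) constrains sts:ExternalId
    return any("sts:ExternalId" in keys for keys in stmt.get("Condition", {}).values())

def audit_trust_policy(policy, own_account=OWN_ACCOUNT):
    """Return (principal, issue) pairs for the trust-policy misconfigurations listed above."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(("*", "wildcard principal: any AWS principal may assume the role"))
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*":
                findings.append((arn, "wildcard principal: any AWS principal may assume the role"))
                continue
            if arn.endswith(":root"):
                findings.append((arn, "trusts an entire account instead of specific roles"))
            account = _account_of(arn)
            if account and account != own_account and not _has_external_id(stmt):
                findings.append((arn, "cross-account trust without an sts:ExternalId condition"))
    return findings
```

Running `audit_trust_policy(SAMPLE_POLICY)` flags only the first statement, twice: it trusts a whole foreign account and does so without an external ID.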

Each role assumption expands the attacker's access to whatever permissions that role grants. Mapping every possible role assumption path is essential to understanding your AWS attack surface.