None of these seem very interesting or tricky to me. The fact that users with the ability to edit permission structure things can leverage that to give themselves more permissions just seems kind of obvious.
I don’t think shown like this they’re meant to be “tricky”, but there are so many tutorials and example policies out there that don’t fully specify their IAM policies and would run afoul of these if they were used as-is.
Agree... Was hoping for something novel... I sent this to my newer coworkers, but this is mostly obvious for people with 1+ years of experience making policies.
In short: don't give PassRole permission, or any IAM policy modification policy to people. If you do, yes, privilege escalation is possible.
How is this relevant? AFAICT AWS Policy statements are capabilities. Each policy statement denotes both actions and resources, and that policy is then granted to another identity/resource.
As noted by other comments, the parent article focuses on capabilities that grant definition of capabilities. It shouldn't be surprising that principals can use that to establish further capabilities in the absence of other restrictions.
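A policy check for the advice given in this thread, flagging Allow statements that grant `iam:PassRole` or IAM policy-modification actions. This is an added example, not part of the thread or the linked article; the action list, function names and sample policy are assumptions constructed for illustration.

```python
import fnmatch

# IAM actions that let a principal change its own or others' permissions.
# This list is an assumption chosen for the example, not taken from the thread.
ESCALATION_ACTIONS = [
    "iam:PassRole",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy",
]

def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def find_escalation_grants(policy):
    """Return one finding per Allow statement whose Action patterns cover a
    permission-granting action. NotAction and Deny overrides are not evaluated."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        matched = sorted(a for a in ESCALATION_ACTIONS
                         if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))
        if matched:
            findings.append({
                "statement": stmt.get("Sid", index),
                "actions": matched,
                "any_resource": "*" in _as_list(stmt.get("Resource")),
                "conditioned": "Condition" in stmt,
            })
    return findings

# Constructed sample policy in the style of an under-specified tutorial.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Deploy", "Effect": "Allow",
     "Action": ["lambda:CreateFunction", "iam:Pass*"], "Resource": "*"},
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "Admin", "Effect": "Allow", "Action": "iam:*",
     "Resource": "arn:aws:iam::111122223333:role/app-*"},
]}
```

A finding with `any_resource` true and `conditioned` false is the case the thread warns about: the grant is not scoped to specific roles or policies.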