iam:PassRole is one of the quieter privilege escalation primitives in AWS. It lets a principal hand a role to a service that can then do things the original principal couldn't. If a user with iam:PassRole plus a service action like ec2:RunInstances is compromised, the blast radius is much bigger than their direct permissions suggest.
You want to know who has it, and whether they should.
Prerequisites
- The Blue Lantern on-prem toolkit installed locally.
- Credits allocated to the toolkit (or auto-refresh enabled).
- AWS credentials with read access to IAM. The toolkit reads an .env file containing AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN (the session token is only needed when the credentials are temporary, such as an assumed-role session). We recommend a sealed secrets file so credentials stay encrypted at rest.
Running the check
Through the CLI:
bluelantern run aws-iam find-principals-allowed-action \
--credential_file /data/secrets/aws.env \
--action iam:PassRole
Or through the local UI: bluelantern ui and run the same check from the browser.
If you have a sealed secrets file configured, you can drop the --credential_file flag.
What you get back
A list of every principal — users and roles — with iam:PassRole. Each entry includes:
- Principal type (User or Role).
- Principal name.
- The action being audited.
From there it's a desk audit: cross-reference the list with what each principal is supposed to do. Two things decide how bad a given grant is. First, scope: iam:PassRole supports resource-level permissions (the ARNs of the roles that may be passed) and the iam:PassedToService condition key (which service may receive them), so a grant on Resource "*" with no condition lets the principal pass any role in the account to any service, while one pinned to a role prefix and a single service is far less useful to an attacker. Second, pairing: PassRole only becomes an escalation when the same principal also holds a service action that accepts a role (ec2:RunInstances, lambda:CreateFunction and the like), so check what else each listed principal can do. Anyone with iam:PassRole who doesn't need it, or who holds it unscoped alongside such a service action, is a privilege escalation path waiting to be exploited.
The same command shape works for any IAM action you want to audit — swap iam:PassRole for whatever you're hunting.
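The desk audit above is mechanical enough to script. The following is an added example, not part of the Blue Lantern toolkit and not a call to it: it takes a set of IAM policy documents that you already have (the four principals and their policies below are constructed for illustration, as is the 123456789012 account ID), finds every Allow statement that grants a given action, and rates how tightly each iam:PassRole grant is scoped by Resource and by iam:PassedToService. As the closing note says, the same shape works for any action, so the example takes the action as a parameter.

```python
"""Triage iam:PassRole grants in IAM policy documents.

Added example, not Blue Lantern code; it makes no AWS calls and works over
policy documents supplied inline. Only Allow statements are evaluated, so an
explicit Deny elsewhere could still block a listed grant: treat the output as
an upper bound on who can use the action.
"""
import fnmatch


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM action/resource patterns use '*' and '?' wildcards; actions are
    matched case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def statement_grants(stmt, action):
    """True if an Allow statement grants `action` (Action or NotAction form)."""
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:
        # NotAction allows everything except the listed patterns
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))


def passed_to_services(stmt):
    """Values of any iam:PassedToService condition on the statement, or []."""
    services = []
    for _operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            if key.lower() == "iam:passedtoservice":
                services.extend(_as_list(values))
    return services


def scope_risk(action, any_resource, services):
    """Coarse rating of a grant's reach. For iam:PassRole both the role
    resource and the receiving service matter; for other actions only the
    resource scope is rated."""
    if action.lower() != "iam:passrole":
        return "high" if any_resource else "low"
    if any_resource and not services:
        return "high"    # any role, to any service
    if any_resource or not services:
        return "medium"  # either any role, or any service
    return "low"         # named roles to named services


def find_grants(policies, action):
    """policies: {principal_name: policy_document}. One finding per matching
    Allow statement."""
    findings = []
    for principal, doc in policies.items():
        for stmt in _as_list(doc.get("Statement")):
            if not statement_grants(stmt, action):
                continue
            resources = _as_list(stmt.get("Resource"))
            # NotResource allows every resource except those listed, so treat
            # it like a wildcard for rating purposes
            any_resource = "NotResource" in stmt or "*" in resources
            services = passed_to_services(stmt)
            findings.append({
                "principal": principal,
                "sid": stmt.get("Sid", ""),
                "resources": resources or ["<NotResource>"],
                "services": services,
                "risk": scope_risk(action, any_resource, services),
            })
    return findings


# Constructed sample input: four principals and their identity policies.
SAMPLE_POLICIES = {
    "ci-deployer": {"Version": "2012-10-17", "Statement": [
        {"Sid": "LaunchAnything", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}]},
    "lambda-dev": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PassLambdaExecRoles", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/lambda-exec-*",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]},
    "readonly-auditor": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}},
    "break-glass-admin": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "*", "Resource": "*"}},
}

if __name__ == "__main__":
    for f in find_grants(SAMPLE_POLICIES, "iam:PassRole"):
        print(f"{f['risk']:6} {f['principal']:18} {f['sid'] or '-':20} "
              f"resources={f['resources']} services={f['services'] or ['*']}")
```

Running it rates ci-deployer and break-glass-admin as high (any role, any service; ci-deployer also holds ec2:RunInstances, the pairing that turns PassRole into an escalation), lambda-dev as low, and leaves readonly-auditor off the list entirely. Feed it the policies attached to the principals the toolkit reports and you have the scope half of the desk audit done.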