wiz-sec / open-cvdb

An open project to list all publicly known cloud vulnerabilities and CSP security issues
https://cloudvulndb.org
Creative Commons Attribution 4.0 International

[Contribution] Missing Passrole Validation in Amazon EC2 Autoscaling API #316

Open ramimac opened 2 months ago

ramimac commented 2 months ago

Summary (give a brief description of the issue)

When a user supplied a create-launch-configuration command, no check was performed to see if the role was authorized to assign a different role to create a launch configuration ... In a secure world, if I want to pass the second role to a launch configuration using the first role, the first role needs to have iam:PassRole permission with a resource pointing to the second role's Amazon Resource Name (ARN). Though that wasn't the case as shown in the above POC, and due to the missing validation check, the unauthorized creation of EC2 instances was possible.

References (provide links to blogposts, etc.)

- https://medium.com/@shubham.agarawal95/bypassing-the-passrole-validation-in-amazon-ec2-autoscaling-be2471d27910
- https://www.finra.org/about/technology/blog/finra-security-engineer-finds-privilege-escalation-in-amazon
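To make the missing check concrete, here is an added example (not code from the issue, the referenced posts, or AWS) of the authorization the summary says should apply: a simplified IAM policy evaluator that requires both the Auto Scaling API action and `iam:PassRole` scoped to the role's ARN. All policies and ARNs are constructed samples; the evaluator handles Allow/Deny, wildcards and explicit-Deny precedence only (no NotAction, conditions or resource policies).

```python
import fnmatch

# Constructed sample identity policies and ARNs (not from the issue or the referenced posts).
TARGET_ROLE = "arn:aws:iam::123456789012:role/AppInstanceRole"
ADMIN_ROLE = "arn:aws:iam::123456789012:role/AdminRole"
LAUNCH_CONFIG = ("arn:aws:autoscaling:us-east-1:123456789012:launchConfiguration:"
                 "00000000-0000-0000-0000-000000000000:launchConfigurationName/web-lc")

# Correctly scoped: PassRole is limited to the one role the launch configuration will use.
POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "autoscaling:CreateLaunchConfiguration", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": TARGET_ROLE},
]}
# Same API permission but no iam:PassRole at all: the situation the issue describes, where the
# service should have refused the request and did not.
POLICY_NO_PASSROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "autoscaling:CreateLaunchConfiguration", "Resource": "*"},
]}
# PassRole granted broadly, with an explicit Deny carving out privileged roles.
POLICY_WITH_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["autoscaling:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/Admin*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise a matching Allow is needed,
    and the default is deny. Actions match case-insensitively; '*' and '?' are wildcards."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_create_launch_configuration(policy, launch_config_arn, role_arn):
    """Both checks the summary calls for: the API action itself, and iam:PassRole on the
    specific role ARN that the launch configuration would hand to new EC2 instances."""
    return (is_allowed(policy, "autoscaling:CreateLaunchConfiguration", launch_config_arn)
            and is_allowed(policy, "iam:PassRole", role_arn))
```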