AWS Directory Service not checking iam:PassRole on EnableRoleAccess
Published Wed, Jun 7th, 2023
Platforms
Summary
AWS Directory Service did not check the caller's iam:PassRole permission when handling the
EnableRoleAccess action. An authenticated user holding ds:EnableRoleAccess could therefore
have used the action for privilege escalation, provided the target role had a trust policy
that allowed it to be assumed by Directory Service.
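As an added illustration, not part of the advisory and not AWS code, the following Python models the two-part gate a service is expected to apply before accepting a role: the role's trust policy must name the service principal (ds.amazonaws.com) and the caller must hold iam:PassRole on that role. The account ID, role names and policies are constructed for the example; the last function lists the roles that, for a given identity policy, only the PassRole check would have blocked, which is the set a defender would want to audit.

```python
import fnmatch

# Constructed sample data (not from the advisory): trust-policy principals of three
# roles, and an identity policy that grants iam:PassRole on only one of them.
ACCOUNT = "123456789012"
ROLES = {
    f"arn:aws:iam::{ACCOUNT}:role/DsApp": {"Service": "ds.amazonaws.com"},
    f"arn:aws:iam::{ACCOUNT}:role/DsAdmin": {"Service": ["ec2.amazonaws.com", "ds.amazonaws.com"]},
    f"arn:aws:iam::{ACCOUNT}:role/Lambda": {"Service": "lambda.amazonaws.com"},
}
IDENTITY_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/DsApp"},
        {"Effect": "Allow", "Action": "ds:*", "Resource": "*"},
    ]
}


def _as_list(value):
    # IAM allows a single string or a list in Action, Resource and Principal fields.
    return value if isinstance(value, list) else [value]


def trust_allows_service(principal, service):
    """True if the trust policy's Principal names the given service principal."""
    return service in _as_list(principal.get("Service", []))


def identity_allows(policy, action, resource):
    """Minimal IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        act_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        res_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def passrole_gate(policy, role_arn, principal):
    """The check a service should enforce before accepting a role: trust first, then PassRole."""
    if not trust_allows_service(principal, "ds.amazonaws.com"):
        return "denied:trust-policy"
    if not identity_allows(policy, "iam:PassRole", role_arn):
        return "denied:iam-passrole"
    return "allowed"


def roles_exposed_by_missing_check(policy, roles):
    """Roles an identity with ds:EnableRoleAccess could pass only because PassRole is unchecked."""
    if not identity_allows(policy, "ds:EnableRoleAccess", "*"):
        return []
    return sorted(arn for arn, principal in roles.items()
                  if passrole_gate(policy, arn, principal) == "denied:iam-passrole")
```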