AWS - Codestar Privesc

You can find more information about codestar in:

codestar:CreateProject, codestar:AssociateTeamMember

This technique uses codestar:CreateProject to create a CodeStar project, and codestar:AssociateTeamMember to make an IAM user the owner of the new CodeStar project, which grants them a new policy with a few extra permissions.

```bash
# Create the CodeStar project with the low-privileged profile
aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \
    --name "$PROJECT_NAME" \
    --id "$PROJECT_NAME"

echo "Waiting 1min to start the project"
sleep 60

# Resolve the ARN of the calling IAM user (jq -r strips the surrounding quotes)
USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile | jq -r .UserProfile.IamUserArn)

# Associate that user with the project as Owner
aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \
    --project-id "$PROJECT_NAME" \
    --user-arn "$USER_ARN" \
    --project-role "Owner"
```

If you are already a member of the project you can use the permission codestar:UpdateTeamMember to update your role to Owner instead of codestar:AssociateTeamMember.

Potential Impact: Privesc to the CodeStar policy generated. You can find an example of that policy in:

iam:PassRole, codestar:CreateProject

With these permissions you can abuse a CodeStar IAM role to perform arbitrary actions through a CloudFormation template. Check the following page:

codestar:CreateProjectFromTemplate

  1. Create a New Project:

    • Use the codestar:CreateProjectFromTemplate action to create a new project.

      • Upon successful creation, access is automatically granted for cloudformation:UpdateStack.

      • This access specifically targets a stack associated with the CodeStarWorker-<generic project name>-CloudFormation IAM role.

  2. Update the Target Stack:

    • With the granted CloudFormation permissions, proceed to update the specified stack.

      • The stack's name will typically conform to one of two patterns:

        • awscodestar-<generic project name>-infrastructure

        • awscodestar-<generic project name>-lambda

      • The exact name depends on the chosen template (see the example exploit script referenced below).

  3. Access and Permissions:

    • Post-update, you obtain the capabilities assigned to the CloudFormation IAM role linked with the stack.

    • Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further.

For more information check the original research: You can find the exploit in

Potential Impact: Privesc to the CloudFormation IAM role.
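To find principals exposed to the permission combinations described on this page, an audit of IAM policy documents is more useful than waiting for CloudTrail. The following script is an added example (not from the original page): it takes a policy document, expands Allow statements with IAM-style `*`/`?` wildcards, and reports which of the combinations above are fully granted. The sample policy is constructed; Deny statements, Conditions and Resource scoping are deliberately not evaluated, so treat a hit as a lead to verify, not a confirmed finding.

```python
"""Audit IAM policy documents for the CodeStar privesc permission combinations.

Added example, not code from the original page. Only Allow/Action patterns are
evaluated; Deny, Condition and Resource are ignored (hits are leads to verify).
"""
import fnmatch
import json

# Every action in a tuple must be granted for the combination to be flagged.
RISKY_COMBOS = {
    "codestar project owner privesc": ("codestar:CreateProject", "codestar:AssociateTeamMember"),
    "codestar team member self-promotion": ("codestar:UpdateTeamMember",),
    "codestar passrole via cloudformation": ("iam:PassRole", "codestar:CreateProject"),
    "codestar template -> cloudformation role": ("codestar:CreateProjectFromTemplate",),
}


def allowed_actions(policy: dict) -> list[str]:
    """Collect the Action patterns of all Allow statements (str or list form)."""
    patterns = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def grants(patterns: list[str], action: str) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def find_risky_combos(policy: dict) -> list[str]:
    """Return the names of every combination fully granted by the policy."""
    patterns = allowed_actions(policy)
    return [name for name, combo in RISKY_COMBOS.items()
            if all(grants(patterns, a) for a in combo)]


# Constructed sample policy: codestar:Create* covers both CreateProject variants.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["codestar:Create*", "codestar:AssociateTeamMember"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for finding in find_risky_combos(SAMPLE_POLICY):
        print("RISK:", finding)
```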

