Full Report
Cybersecurity researchers have discovered risky default identity and access management (IAM) roles impacting Amazon Web Services that could open the door for attackers to escalate privileges, manipulate other AWS services, and, in some cases, even fully compromise AWS accounts. "These roles, often created automatically or recommended during setup, grant overly broad permissions, such as full S3
Analysis Summary
# Vulnerability: Overly Permissive Default AWS IAM Roles Leading to Privilege Escalation
## CVE Details
- CVE ID: N/A (The article describes systemic permission issues rather than a single, CVE-tracked software vulnerability, though related issues might have CVEs.)
- CVSS Score: N/A (Severity based on impact is High)
- CWE: CWE-276 (Incorrect Default Permissions)
## Affected Systems
- Products: Amazon Web Services (AWS) services creating default IAM roles, including SageMaker, Glue, EMR, and Lightsail.
- Versions: Default configurations where these services create roles with overly broad permissions (e.g., `AmazonS3FullAccess`).
- Configurations: Default role creation during service setup, and the open-source Ray framework (default role `ray-autoscaler-v1`).
## Vulnerability Description
Certain default IAM roles automatically created or recommended by AWS services (like SageMaker, Glue, and EMR) are assigned overly permissive policies, notably `AmazonS3FullAccess`. This grants the role read/write access to *all* S3 buckets within the account, regardless of the role's intended function. An attacker gaining a foothold via a compromised service using such a role can leverage these permissions to move laterally across services, search for sensitive objects (like CloudFormation templates), modify critical assets (like ML models or EMR scripts), and ultimately escalate privileges up to account compromise. This bypasses typical isolation boundaries intended between services.
## Exploitation
- Status: Research findings detailing theoretical attack paths; not explicitly indicated as exploited in the wild.
- Complexity: Medium (Requires initial foothold within an environment that utilizes the vulnerable service role).
- Attack Vector: Adjacent (Service-to-service lateral movement within the same AWS account environment).
## Impact
- Confidentiality: High (Access to all S3 data, potential credential theft).
- Integrity: High (Ability to modify critical assets like ML models, infrastructure templates).
- Availability: Medium (Potential for data deletion or service disruption through template modification).
## Remediation
### Patches
- AWS has addressed the issues by modifying the `AmazonS3FullAccess` policy for default service roles, ensuring they are tightly scoped.
### Workarounds
- **Audit and Restrict:** Organizations must proactively audit all existing default or service-specific IAM roles.
- **Principle of Least Privilege:** Reconfigure roles to be strictly limited to the specific resources and actions truly required for their function, moving away from broad policies like `AmazonS3FullAccess`.
- **Review Ray Deployments:** If using the Ray framework, ensure the automatically created `ray-autoscaler-v1` role is suitably restricted or replaced.
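One way to carry out the audit-and-restrict step above in code, as an added example that is not from the article or Aqua's research: it flags Allow statements that grant S3 actions on every bucket in the account (the `AmazonS3FullAccess` pattern) and builds the scoped replacement policy. The policy JSON and the bucket name are constructed stand-ins, not fetched from AWS.

```python
"""Audit IAM policy documents for S3 grants that cover every bucket."""
import json

# Constructed example: a hand-written stand-in for an AmazonS3FullAccess-style
# document (all S3 actions on all resources), as a default service role might carry.
FULL_ACCESS_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

def _as_list(value):
    # IAM allows Action/Resource to be either a single string or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def broad_s3_statements(policy):
    """Return Allow statements granting S3 actions on every bucket in the account."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        s3_actions = [a for a in actions if a == "*" or a.startswith("s3:")]
        resources = _as_list(stmt.get("Resource"))
        # "*" and "arn:aws:s3:::*" both match every bucket and object in the account.
        on_all_buckets = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if s3_actions and on_all_buckets:
            findings.append({"Sid": stmt.get("Sid"), "Action": s3_actions, "Resource": resources})
    return findings

def scoped_s3_policy(bucket, actions=("s3:GetObject", "s3:PutObject", "s3:ListBucket")):
    """Least-privilege replacement: only the named actions, only on one named bucket.

    Object-level actions apply to the bucket's objects; ListBucket applies to the
    bucket ARN itself, which is why it needs its own statement.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_actions = [a for a in actions if a != "s3:ListBucket"]
    statements = [{"Sid": "ObjectAccess", "Effect": "Allow",
                   "Action": object_actions, "Resource": f"{bucket_arn}/*"}]
    if "s3:ListBucket" in actions:
        statements.append({"Sid": "ListBucket", "Effect": "Allow",
                           "Action": "s3:ListBucket", "Resource": bucket_arn})
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    print("broad grants:", json.dumps(broad_s3_statements(FULL_ACCESS_LIKE), indent=2))
    # Constructed bucket name for the replacement policy.
    print(json.dumps(scoped_s3_policy("ml-training-data-example"), indent=2))
```

In a real audit, feed the function the documents returned by `iam:GetPolicyVersion` for each policy attached to a service role.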
## Detection
- **Indicators of Compromise:** Unusual outbound requests from service instances (e.g., SageMaker or Glue) associated with excessive S3 API calls beyond their expected scope. Look for modifications to S3 content or CloudFormation templates initiated by service roles.
- **Detection Methods and Tools:** Use AWS IAM Access Analyzer to review policies attached to service roles. Use AWS CloudTrail logs to monitor for high volumes of `s3:GetObject`, `s3:PutObject`, and CloudFormation API calls originating from specific service execution roles.
## References
- Aqua Security Research Analysis: [https://www.aquasec[dot]com/blog/shadow-roles-aws-defaults-lead-to-service-takeover/]
- Related lateral movement context: [https://thehackernews[dot]com/2024/08/experts-uncover-severe-aws-flaws[dot]html]
- CloudFormation Injection Context: [https://rhinosecuritylabs[dot]com/aws/cloud-malware-cloudformation-injection/]