Cybersecurity researchers have uncovered critical vulnerabilities arising from default Identity and Access Management (IAM) roles in Amazon Web Services (AWS). Service setups often create these roles automatically or recommend them, granting excessive permissions that expose environments to privilege escalation and the potential for full account compromise. Continue reading this Cybersecurity Threat Advisory to keep your system secure.
What is the threat?
The default IAM roles in AWS, particularly the AmazonS3FullAccess policy, grant excessive permissions. While these roles serve specific service functionalities, attackers actively exploit them to perform administrative actions and breach isolation boundaries between services.
Why is it noteworthy?
Organizations using Amazon services are at risk. Services identified with such permissive default roles include:
- Amazon SageMaker AI: When setting up a SageMaker Domain, a default execution role like AmazonSageMaker-ExecutionRole-<Date&Time> is created with a custom policy equivalent to AmazonS3FullAccess.
- AWS Glue: The system automatically creates the default AWSGlueServiceRole with the AmazonS3FullAccess policy, granting extensive permissions to Glue jobs.
- Amazon EMR: The default AmazonEMRStudio_RuntimeRole_<Epoch-time> role is automatically assigned the AmazonS3FullAccess policy, allowing EMR notebooks full access to S3.
- AWS Lightsail: It is reported to have similar issues with its default roles.
- Ray (open-source framework): Automatically creates a default IAM role (ray-autoscaler-v1) with the AmazonS3FullAccess policy.
What is the exposure or risk?
The broad permissions of these default roles introduce several significant security risks, including:
- Privilege escalation: Attackers gaining access to such a role can escalate their privileges far beyond their original scope.
- Full account takeover: In severe cases, these vulnerabilities can allow attackers to seize complete control over an AWS account, allowing them to exfiltrate data, disrupt services, or deploy malicious resources.
- Cross-service access and lateral movement: An attacker can move laterally across services within the same AWS account. They can use existing privileges to search for buckets used by other services, modify assets, and gain control.
What are the recommendations?
Barracuda recommends the following actions to secure these default IAM roles and prevent abuse:
- Review existing IAM roles’ permissions; replace AmazonS3FullAccess with more restrictive, bucket-specific policies.
- Ensure roles have only the permissions necessary for their function. Avoid wildcard permissions like s3:* or *:*.
- Limit which entities can assume roles by specifying trusted principals in role trust policies.
- Define scoped IAM policies for S3 and avoid giving predictable names to S3 buckets. Instead, generate unique hashes or random identifiers per region and account.
- Utilize tools like AWS IAM Access Analyzer to identify overly permissive policies and AWS CloudTrail to monitor changes in IAM configurations and detect suspicious activity.
Reference
For more in-depth information about the recommendations, please visit the following link:
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.