IAM role can be assumed by anyone

PLATFORM

SERVICE: iam

DATA BREACHES: known

LAST UPDATED

EXPLOITABILITY: medium (how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood)

IMPACT: high (how impactful a successful exploitation of this vulnerability is expected to be for your environment and organization)

About

Identity and Access Management (IAM) roles dictate the effective blast radius of any abused
credential. This vulnerability describes a scenario in which any user, workload, or other principal, in any
AWS account, can assume a role inside the target account simply by making the right API call with the role's ARN.

Understanding Impact

Business Impact

A role should never be assumable by every principal in every AWS account. This configuration is high risk because
an attacker who abuses the resulting credentials inherits everything the role is allowed to do; the actual impact
is dictated by how permissive the role's permission policies are.

Technical Impact

In AWS, every IAM role has a trust policy that defines which principals may assume it. Assuming the role returns
temporary STS credentials bound to that role. A trust policy whose Principal is the wildcard "*"
allows anyone, from any AWS account, to retrieve such credentials and thereby compromise the role.

Trust policy changes should be audited continuously so that this misconfiguration is detected as soon as it is introduced.

Identify affected resources

Use aws iam list-roles, or aws iam get-role --role-name <your-role> for a single role, to see the trust policy (the AssumeRolePolicyDocument field) of a role.

Sample vulnerable role:

{
  "Path": "/",
  "RoleName": "vulnerable-role",
  "Arn": "arn:aws:iam::0123456789012:role/vulnerable-role",
  "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Principal": {
                  "AWS": "*"
              },
              "Action": "sts:AssumeRole",
              "Condition": {}
          }
      ]
  },
  "Description": "",
  "MaxSessionDuration": 3600
}

Remediate vulnerable resources

Adapt the trust policy to remove public access: restrict the Principal element to the specific accounts, roles, or
services that legitimately need to assume the role, instead of the wildcard "*". See also Common scenario for roles.
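The following Python script is an added example, not Datadog's or AWS's own code, that covers both the identification step above and the check you would run after remediation. It audits the AssumeRolePolicyDocument of a role object as printed by aws iam list-roles or aws iam get-role, flags any wildcard principal that grants role assumption, and is run here against the vulnerable sample role from this page and a hardened variant. The hardened variant's account ID, role name and external ID are placeholders chosen for the example, not real identifiers.

```python
import json

# Constructed sample inputs (not from the page): the wildcard trust policy shown in the
# advisory, and a hardened version that names one principal in a placeholder account.
VULNERABLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole", "Condition": {}}
    ],
}

HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            # placeholder account ID and role name, not real identifiers
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy-role"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
        }
    ],
}

# Actions that hand out STS credentials for the role. AWS action names are case-insensitive.
ASSUME_ACTIONS = {"sts:assumerole", "sts:assumerolewithsaml", "sts:assumerolewithwebidentity", "sts:*", "*"}


def _as_list(value):
    """IAM policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_principals(statement):
    """Return the wildcard principal entries of one Allow statement that grants role assumption.

    Handles the bare form ("Principal": "*") and the map form ("Principal": {"AWS": "*"}),
    with either a string or a list under each principal type.
    """
    if statement.get("Effect") != "Allow":
        return []
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    if not actions & ASSUME_ACTIONS:
        return []
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    found = []
    if isinstance(principal, dict):
        for ptype, entries in principal.items():
            for entry in _as_list(entries):
                if entry == "*":
                    found.append(f"{ptype}:*")
    return found


def audit_trust_policy(policy):
    """Return findings for a trust policy given as a dict or a JSON string.

    An unconditional wildcard is assumable by any principal in any AWS account; a wildcard
    narrowed by a Condition is still reported so the condition itself gets reviewed.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        for matched in wildcard_principals(statement):
            findings.append(
                {"statement": index, "principal": matched, "unconditional": not statement.get("Condition")}
            )
    return findings


def audit_role(role):
    """Audit a role object from `aws iam list-roles` (bare object) or `aws iam get-role` (wrapped in "Role")."""
    role = role.get("Role", role)
    return {
        "RoleName": role.get("RoleName"),
        "Arn": role.get("Arn"),
        "Findings": audit_trust_policy(role["AssumeRolePolicyDocument"]),
    }


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, audit_trust_policy(policy))
```

To run this against a real account, pipe the output of aws iam list-roles through json.load and call audit_role on each entry of the "Roles" list; any role whose Findings list is non-empty has the misconfiguration described on this page.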

How Datadog can help

CSM

Datadog CSM detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | IAM role trust policy does not contain a wildcard principal".

Cloud SIEM

Datadog Cloud SIEM detects this vulnerability using the out-of-the-box rule "Datadog Cloud SIEM Rule | Detect when an attacker accesses your AWS account from their AWS account".

References

How to use trust policies with IAM roles (AWS documentation)

Misconfigured IAM Roles Lead to Thousands of Compromised Cloud Workloads (unit42.paloaltonetworks.com)
