IAM role can be assumed by any GitHub Action

PLATFORM

SERVICE: iam

DATA BREACHES: known

LAST UPDATED

EXPLOITABILITY: high (exploitability measures how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood)

IMPACT: high (how impactful a successful exploitation of this vulnerability is expected to be for your environment and organization)

About

Identity and Access Management (IAM) roles define the effective blast radius of any abused credential. This vulnerability describes a scenario in which any GitHub Action, including a malicious one, can retrieve credentials for a dangerously configured role.

Understanding Impact

Business Impact

This configuration is high risk because an attacker who obtains the role's credentials can do real damage. The actual impact is dictated by how permissive the role in question is.

Technical Impact

In AWS, IAM roles have a trust policy that defines who can assume the role. Assuming the role allows the caller to retrieve temporary STS credentials bound to that role.

GitHub Actions are commonly used with IAM roles, and configured to work in a "keyless" manner through the use of OpenID Connect (OIDC) federation, with a trust policy similar to:

// ...
"Condition": {
  "StringLike": {
    "token.actions.githubusercontent.com:sub": "repo:your-github-org/your-repo:*"
  },
  "StringEquals": {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
  }
}
// ...

However, if the trust policy is misconfigured and does not contain a condition on "token.actions.githubusercontent.com:sub", any GitHub Actions workflow, from any repository on GitHub, can assume the role.

Identify affected resources

Start by listing all roles that can be assumed by GitHub Actions, for instance with the following command:

aws iam list-roles --output json | jq -r '
  .Roles[]
  | select(
      # Federated may be a string or a list; collect every value, then match the GitHub OIDC host
      [.AssumeRolePolicyDocument.Statement[]?.Principal.Federated? // empty]
      | flatten
      | any(type == "string" and endswith("githubusercontent.com"))
    )
  | .RoleName'

Then verify that each trust policy contains an explicit condition on token.actions.githubusercontent.com:sub that names both the allowed GitHub organization and repository.

Remediate vulnerable resources

Add a condition key on token.actions.githubusercontent.com:sub to the trust policy of the role, to restrict the GitHub organization, repository, and optionally branch from which a GitHub Action can assume it.

Sample secure role trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678901:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:YourGitHubOrg/YourGitHubRepository:ref:refs/heads/main"
        }
      }
    }
  ]
}
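The two checks above (is there a sub condition at all, and does it pin both organization and repository) and the remediation (rewrite the condition block so the role is pinned to org/repo and optionally branch) can be scripted against the decoded AssumeRolePolicyDocument that `aws iam get-role` or `aws iam list-roles` returns. The following is an added example written for this page, not Datadog's or AWS's code; the function names, the sample policy and the account ID 012345678901 are constructed for illustration.

```python
"""Audit and harden an IAM role trust policy for GitHub Actions OIDC (added example)."""
import copy
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC_HOST}:sub"
AUD_KEY = f"{GITHUB_OIDC_HOST}:aud"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _github_statements(policy):
    """Yield Allow statements whose Federated principal is GitHub's OIDC provider."""
    for stmt in _as_list(policy.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if any(isinstance(f, str) and GITHUB_OIDC_HOST in f for f in federated):
            yield stmt


def _sub_values(stmt):
    """Collect every value bound to the :sub key across all condition operators."""
    values = []
    for keys in (stmt.get("Condition") or {}).values():
        if isinstance(keys, dict):
            for key, val in keys.items():
                if key.lower() == SUB_KEY:
                    values.extend(_as_list(val))
    return values


def _is_restrictive(sub):
    """A sub pattern is restrictive only if it names a concrete org AND repo."""
    if not isinstance(sub, str) or not sub.startswith("repo:"):
        return False
    org_repo = sub[len("repo:"):].split(":", 1)[0]
    org, _, repo = org_repo.partition("/")
    return bool(org) and bool(repo) and "*" not in org and "*" not in repo


def audit_trust_policy(policy):
    """Return a list of findings; an empty list means no GitHub OIDC issue was found."""
    findings = []
    for i, stmt in enumerate(_github_statements(policy)):
        subs = _sub_values(stmt)
        if not subs:
            findings.append(f"statement {i}: no {SUB_KEY} condition; any GitHub Action can assume the role")
        for sub in subs:
            if not _is_restrictive(sub):
                findings.append(f"statement {i}: {SUB_KEY} pattern {sub!r} does not pin both org and repo")
    return findings


def harden_trust_policy(policy, org, repo, branch=None):
    """Return a copy of the policy with every GitHub statement pinned to org/repo[/branch].

    With a branch, an exact StringEquals match on the sub claim is used (as in the
    sample secure policy above); without one, a StringLike match on repo:org/repo:*.
    """
    hardened = copy.deepcopy(policy)
    if branch:
        operator, sub = "StringEquals", f"repo:{org}/{repo}:ref:refs/heads/{branch}"
    else:
        operator, sub = "StringLike", f"repo:{org}/{repo}:*"
    for stmt in _github_statements(hardened):
        stmt["Condition"] = {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}}
        stmt["Condition"].setdefault(operator, {})[SUB_KEY] = sub
    return hardened


# Constructed sample: only an audience check, which is the vulnerable shape.
VULNERABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::012345678901:oidc-provider/{GITHUB_OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}},
    }],
}

if __name__ == "__main__":
    print(audit_trust_policy(VULNERABLE_POLICY))
    fixed = harden_trust_policy(VULNERABLE_POLICY, "YourGitHubOrg", "YourGitHubRepository", "main")
    print(json.dumps(fixed, indent=2))
    print(audit_trust_policy(fixed))
```

The audit treats `repo:org/*` as a finding because this page asks for both organization and repository to be named; relax `_is_restrictive` if an org-wide pattern is an accepted policy in your environment. To apply the hardened document, pass `json.dumps(fixed)` to `aws iam update-assume-role-policy` (or `boto3`'s `update_assume_role_policy`) for the role in question.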

As a guardrail, you can also use a custom OIDC issuer in GitHub Actions. This ensures that even if a role is misconfigured, it can only be assumed from GitHub Actions in the same GitHub organization.

How Datadog can help

CSM

Datadog CSM detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | AWS IAM role should not allow untrusted GitHub Actions to assume it".
