Excessive privileges - AWS
Description
The application, a user or a role have more privileges than they require. This can be leveraged by an attacker to execute normally restricted actions on a system.
Impact
Execute actions that should be restricted to other groups or roles.
Recommendation
Explicitly assign permissions to the appropriate groups and roles following the principle of least privilege.
Threat
Authenticated attacker from the Internet with access to a misconfigured role.
Expected Remediation Time
⌚ 30 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: L
- Availability: L
Temporal
- Exploit code madurity: P
- Remediation level: U
- Report confidence: C
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:U/RC:C
- Score:
- Base: 5.0
- Temporal: 4.7
- Severity:
- Base: Medium
- Temporal: Medium
Score 4.0
Default score using CVSS 4.0 . It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: H
- Attack Requirements: N
- Privileges required: L
- User interaction: N
- Confidentiality (VC): L
- Integrity (VI): L
- Availability (VA): L
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit madurity: P
Result 4.0
- Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
- Score:
- CVSS-BT: 1.3
- Severity:
- CVSS-BT: Low
Details
To configure many AWS services, you must pass an IAM role to the service. This allows the service to later assume the role and perform actions on your behalf.
By giving a role or user the iam:PassRole
permission,
you are saying:
this principal is allowed to assign AWS roles to resources and services in this account.
You can limit which roles a user or service
can pass to others by specifying the role ARN(s)
in the Resource field of the policy
that grants them iam:PassRole
:
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:::123456789012:role/SomeRole"
"arn:aws:::123456789012:role/OtherRole"
]
}
As a rule of thumb, you should include only the roles required by your application. Wildcards and over-permissive resource grants highly increase the probability of (or completely allow) a privilege escalation.
Requirements
- 095.Define users with privileges
- 096.Set user's required privileges
- 186.Use the principle of least privilege
Fixes
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.