Skip to main content

Excessive privileges - AWS

Description

The application, a user or a role have more privileges than they require. This can be leveraged by an attacker to execute normally restricted actions on a system.

Impact

Execute actions that should be restricted to other groups or roles.

Recommendation

Explicitly assign permissions to the appropriate groups and roles following the principle of least privilege.

Threat

Authenticated attacker from the Internet with access to a misconfigured role.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: L

Temporal

  • Exploit code madurity: P
  • Remediation level: U
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:U/RC:C
  • Score:
    • Base: 5.0
    • Temporal: 4.7
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Every resource should have clearly defined authorization restrictions

{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:::123456789012:role/SomeRole"
"arn:aws:::123456789012:role/OtherRole"
]
}

Non compliant code

Resource with unrestricted access or not correctly configured restrictions

Resources:
BucketPolicy1:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: DOC-EXAMPLE-BUCKET
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- 's3:GetObject'
Effect: Allow
Resource:
- ''
- - 'arn:aws:s3:::'
- DOC-EXAMPLE-BUCKET
- /*
Principal: '*'
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'

Another vulnerable example: defining a user without a role based security configuration

Resources:
myuser:
Type: AWS::IAM::User
Properties:
Path: "/"
LoginProfile:
Password: [email protected]
Policies:
- PolicyName: giveaccesstoqueueonly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource:
- !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource:
- !GetAtt myqueue.Arn

An IAM configuration with an open pass role

Resources:
AWS_IAM_Role_1:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Action: iam:PassRole
Resource: '*'
Condition:
StringEquals:
iam:PassedToService: cloudwatch.amazonaws.com
- Effect: Allow
Action: iam:PassRole
Resource: arn:aws:iam::*:role/EC2-roles-for-XYZ-*
- Effect: Allow
Action: iam:Pass*
Resource: '*'

Using the AWS CLI, the following command checks for Overly Permissive IAM Group Policies

$ aws iam get-policy-version
--policy-arn {arn_iam_policy}
--version-id v1
--query 'PolicyVersion.Document'

This returns the policy version configuration. If the output contains any wildcards (*), the policy is too permisive, for example:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Resource": "*",
"Effect": "Allow"
}
]
}

Details

To configure many AWS services, you must pass an IAM role to the service. This allows the service to later assume the role and perform actions on your behalf.

By giving a role or user the iam:PassRole permission, you are saying:

this principal is allowed to assign AWS roles to resources and services in this account.

You can limit which roles a user or service can pass to others by specifying the role ARN(s) in the Resource field of the policy that grants them iam:PassRole:

{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:::123456789012:role/SomeRole"
"arn:aws:::123456789012:role/OtherRole"
]
}

As a rule of thumb, you should include only the roles required by your application. Wildcards and over-permissive resource grants highly increase the probability of (or completely allow) a privilege escalation.

Requirements