Summary
Research uncovered security flaws in default AWS service roles, granting overly broad permissions like full S3 access. This allows privilege escalation, cross-service access, and potential account compromise across services like SageMaker, Glue, and EMR. Attackers could exploit these roles to manipulate critical assets and move laterally within AWS environments. AWS has since updated default policies and documentation to mitigate risks.
Affected Services
SageMaker, Glue, EMR, CloudFormation, CDK
Remediation
Audit existing IAM roles and remove overly permissive policies like AmazonS3FullAccess. Restrict S3 access to only specific required buckets for each service role. Regularly review and enforce least privilege access across all AWS services.
Tracked CVEs
No tracked CVEs
References
Contributed by https://github.com/korniko98
Entry Status
Stub (AI-Generated)
Disclosure Date
-
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
Monitor for suspicious S3 access patterns or modifications to service-specific buckets. Audit IAM roles for overly broad permissions, especially full S3 access. Use AWS CloudTrail to detect unauthorized actions across services.
Piercing Index Rating
-
Discovered by
Yakir Kadkoda, Ofek Itach, Aqua Security
