Published Tue, Apr 9th, 2024
Tag variable names affected whether trust policy conditions were evaluated correctly. If the request tag referenced a principal tag called MemberRole in the JWT, and the IAM role referenced a resource tag with the same variable name, the condition was always evaluated as true, regardless of whether the tags' values actually matched. Only role trust policies that used variable substitution for both the request tag and the resource tag in the same policy statement evaluated incorrectly. The issue also affected statements in IAM permissions boundary policies and SCPs that contained the same pattern of STS role assumption with tag-based conditions.

Platforms: IAM, STS
None required
No tracked CVEs
Contributed by https://github.com/ramimac
Entry Status: Finalized
Disclosure Date: Tue, Jun 20th, 2023
Exploitability Period: -
Known ITW Exploitation: -
Detection Methods: None
Piercing Index Rating: -
Discovered by: Stedi