high

AWS Security Tool Introduces Privilege Escalation Risk

Published Mon, May 19th, 2025
Platforms

Summary

AWS's Account Assessment for AWS Organizations tool, designed to audit cross-account access, inadvertently introduced privilege escalation risks due to flawed deployment instructions. Customers were encouraged to deploy the tool in lower-sensitivity accounts, creating risky trust paths from insecure environments into highly sensitive ones. This could allow attackers to pivot from compromised development accounts into production and management accounts.

Affected Services

Account Assessment for AWS Organizations

Remediation

Uninstall the tool by deleting CloudFormation stacks for Hub, Spoke, and Org-Management components. If needed, redeploy with the hub role in an account with security equivalent to the management account to prevent privilege escalation risks.

Tracked CVEs

No tracked CVEs

References

Entry Status
Stub (AI-Generated)
Disclosure Date
Thu, Dec 12th, 2024
Exploitability Period
Until 2025/01/28
Known ITW Exploitation
-
Detection Methods
Search for IAM roles containing "ScanSpokeResource" or "AccountAssessment-Spoke-ExecutionRole" in their names. Use the AWS CLI command:
aws iam list-roles --query "Roles[?contains(RoleName, 'ScanSpokeResource') || contains(RoleName, 'AccountAssessment-Spoke-ExecutionRole')]"
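The CLI query above only finds the spoke roles by name; the risk described in the summary comes from which account those roles trust. The script below is an added example (not part of this entry, and not code from AWS or Token Security) that applies the same name filter to saved `aws iam list-roles` JSON output and also reports the AWS account IDs found in each matching role's trust policy, so an operator can confirm whether the hub lives in an account with a lower security posture. The `SAMPLE_LIST_ROLES` data and the account IDs in it are constructed; the file path and the optional own-account argument are assumptions of this example.

```python
"""Added example: flag Account Assessment spoke roles and show which accounts trust them.

Usage:
    python spoke_roles.py [list-roles.json] [OWN_ACCOUNT_ID]
With no arguments the constructed sample below is scanned.
"""
import json
import re
import sys

# Role name substrings from the entry's detection guidance.
SUSPECT_ROLE_PATTERNS = ("ScanSpokeResource", "AccountAssessment-Spoke-ExecutionRole")

# Matches the 12-digit account ID in an IAM principal ARN.
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed sample mimicking `aws iam list-roles` output (the CLI returns the
# trust policy already decoded as a JSON object). Account IDs are placeholders.
SAMPLE_LIST_ROLES = {
    "Roles": [
        {
            "RoleName": "AccountAssessment-Spoke-ExecutionRole-us-east-1",
            "Arn": "arn:aws:iam::111111111111:role/AccountAssessment-Spoke-ExecutionRole-us-east-1",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                               "Action": "sts:AssumeRole"}],
            },
        },
        {
            "RoleName": "OrdinaryAppRole",
            "Arn": "arn:aws:iam::111111111111:role/OrdinaryAppRole",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow",
                               "Principal": {"Service": "lambda.amazonaws.com"},
                               "Action": "sts:AssumeRole"}],
            },
        },
        {
            "RoleName": "ScanSpokeResource-Reader",
            "Arn": "arn:aws:iam::111111111111:role/ScanSpokeResource-Reader",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "111111111111"},
                               "Action": "sts:AssumeRole"}],
            },
        },
    ]
}


def trusted_accounts(assume_role_policy):
    """Return the set of account IDs (or "*") that appear as AWS principals
    in the Allow statements of a role trust policy."""
    accounts = set()
    statements = assume_role_policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object, not a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            accounts.add("*")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws, str):
            aws = [aws]
        for p in aws:
            if p == "*":
                accounts.add("*")
            elif p.isdigit() and len(p) == 12:  # bare account ID form
                accounts.add(p)
            else:
                m = ARN_ACCOUNT_RE.match(p)
                if m:
                    accounts.add(m.group(1))
    return accounts


def find_spoke_roles(list_roles_output, own_account=None):
    """Apply the advisory's name filter to list-roles output and return
    (RoleName, sorted trusted accounts, cross_account) tuples. cross_account is
    True when a trusting principal is "*" or lies outside own_account."""
    findings = []
    for role in list_roles_output.get("Roles", []):
        name = role["RoleName"]
        if not any(pat in name for pat in SUSPECT_ROLE_PATTERNS):
            continue
        trusted = trusted_accounts(role.get("AssumeRolePolicyDocument", {}))
        cross = "*" in trusted or (own_account is not None and bool(trusted - {own_account}))
        findings.append((name, sorted(trusted), cross))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_LIST_ROLES
    own = sys.argv[2] if len(sys.argv) > 2 else None
    for name, trusted, cross in find_spoke_roles(data, own):
        flag = "CROSS-ACCOUNT trust" if cross else "same-account trust"
        print(f"{name}: trusted by {trusted or ['<no AWS principal>']} [{flag}]")
```

A cross-account result is not by itself a finding; it identifies the hub account, and the remediation question is whether that account is secured to the same standard as the management account. Removing the stacks listed under Remediation removes both the roles and the trust path.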
Piercing Index Rating
-
Discovered by
Eliav Livneh, Token Security