low

Lack of internal change controls for IAM managed policies

Published Thu, Oct 15th, 2020
Platforms

Summary

AWS have released or changed managed IAM policies in unexpected and insecure ways. Examples include CheesepuffsServiceRolePolicy, AWSServiceRoleForThorInternalDevPolicy, AWSCodeArtifactReadOnlyAccess.json, and AmazonCirrusGammaRoleForInstaller. The worst case was the ReadOnlyAccess policy, which had almost all privileges removed and unexpected ones added.

Affected Services

N/A

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Thu, Oct 15th, 2020
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Discovered by
-