medium

Bypassable and overly-privileged IAM policies

Published Tue, Nov 7th, 2017
Platforms

Summary

AWS has previously provided managed policies or guidance in documentation for policies with mistakes that allow them to be bypassed. Additionally, some policies are over-privileged. Date of disclosure is for the first issue of this type, while references provide other examples by various individuals.

Affected Services

N/A

Remediation

Review the policies provided by AWS

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Tue, Nov 7th, 2017
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Multiple findings