Summary
AWS has previously provided managed policies or guidance in documentation
for policies with mistakes that allow them to be bypassed. Additionally,
some policies are over-privileged. Date of disclosure is for the first issue of
this type, while references provide other examples by various individuals.
Affected Services
N/A
Remediation
Review the policies provided by AWS
Tracked CVEs
No tracked CVEs
References
https://duo.com/blog/potential-gaps-in-suggested-amazon-web-services-security-policies-for-mfahttps://summitroute.com/blog/2019/06/18/aws-iam-managed-policy-review/https://medium.com/ymedialabs-innovation/an-aws-managed-policy-that-allowed-granting-root-admin-access-to-any-role-51b409ea7ff0https://www.tenchisecurity.com/blog/thefaultinourstars
Contributed by https://github.com/0xdabbad00
Disclosure Date
Tue, Nov 7th, 2017
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Multiple findings
