medium

Overprivileged AWS support IAM role policy

Published Wed, Dec 22nd, 2021
Platforms

Summary

AWS added an excessive s3:GetObject permission to the AWSSupportServiceRolePolicy IAM policy, which is used by AWS Support teams, and removed it a day later.

Affected Services

N/A

Remediation

None required. As a best practice, encrypt S3 buckets with a customer-managed KMS key (KMS-CMK), since reading an SSE-KMS object also requires kms:Decrypt on that key and the key policy therefore acts as a second control, and keep the privileges granted in resource policies to a minimum.

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Tue, Dec 21st, 2021
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Scott Piper, Summit Route