low

Resource policy confused deputy issue with services

Published Wed, Nov 28th, 2018
Platforms

Summary

Resource policies lacked a way of restricting service access to only your own account, allowing an attacker to leverage a service to potentially access your resources. Originally discovered by Dan Peebles and presented at re:Invent in 2018, this issue did not gain enough attention to be fixed until Shir Tamari and Ami Luttwak from Wiz presented it at Black Hat 2021.

Affected Services

N/A

Remediation

Update existing vulnerable IAM policies by adding scoping condition.

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Wed, Nov 28th, 2018
Exploitablity Period
until February 2021
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Dan Peebles, Bridgewater