Inside the Cloud: Unintended Privileges
This is the third article in a series about cloud-based attack vectors. Check out our last article about Cloud-Based ransomware!
As Identity and Access Management (IAM) becomes more complex, it becomes possible for an attacker to exploit the capabilities of legitimate permissions, alone or in combination, to escalate privileges and gain potentially devastating levels of access. Because these privileges are legitimate, such attacks can be difficult to detect until the damage is already done. This article addresses how this happens and how to mitigate the risk.
What it is
Here’s a straightforward example of privilege escalation in AWS. A principal holding the “iam:CreatePolicyVersion” permission can create a new version of an existing IAM policy. When creating that version, the caller can also pass the “set-as-default” flag, and doing so does not require the separate “iam:SetDefaultPolicyVersion” permission, as one might expect. Therefore, an attacker who has “iam:CreatePolicyVersion” on a policy that is attached to their own user or role can upload a new version that grants administrator privileges, mark it as the default in the same call, and the new version takes effect immediately on every identity that policy is attached to – granting them full administrator access far beyond their initial permissions.
There are many examples like this – an administrator can accidentally grant heightened privileges to an account, assign a combination of roles that together allow privilege escalation, or add actions to a custom role that result in unintended access. How can a cloud environment administrator avoid falling into these traps?
Protecting against unintended privileges
- Grant every user and service identity with access to the cloud environment only the least privilege it needs, to minimize the risk that an identity accumulates a combination of permissions that allows privilege escalation.
- If the cloud provider issues a warning when you modify roles or accounts, don’t just click through it – review the warnings carefully to ensure you are not granting unintended access levels.
- Consider using an IAM access security scanner to check across your accounts for insecure configuration. Cloud providers may have built-in or marketplace options for scanning your IAM environment, like AWS IAM Access Analyzer or CodeShield’s IAM Vulnerability Scanner in the AWS marketplace.
- Regularly audit accounts for appropriate levels of access, and audit accounts with access to critical resources or functions more frequently.
- Enable logging and alerts across the cloud environment, especially for critical assets. Though this may not prevent an attacker from escalating privileges, it will help the security team identify the activity quickly and limit the damage.
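As an added example (not code from the original article), the following Python detector applies the logging advice above to the escalation described earlier: it runs over constructed CloudTrail-style records and flags any CreatePolicyVersion call that sets the new version as default in the same request and/or whose new policy document grants full administrator access. The record layout, account number and policy names are assumptions made for the example.

```python
import json

def _event(user, policy, set_default, statement):
    # Constructed CloudTrail-style record (not real log data); field layout is an assumption.
    return {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
            "requestParameters": {
                "policyArn": f"arn:aws:iam::123456789012:policy/{policy}",
                "setAsDefault": set_default,
                "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [statement]})}}

SAMPLE_EVENTS = [
    _event("dev-bob", "dev-access", True, {"Effect": "Allow", "Action": "*", "Resource": "*"}),
    _event("platform-admin", "s3-readers", False,
           {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::data/*"}),
]

def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single item or a list.
    return value if isinstance(value, list) else [value]

def grants_full_admin(policy_document: str) -> bool:
    """True if any Allow statement grants Action "*" or "iam:*" on Resource "*"."""
    for stmt in _as_list(json.loads(policy_document).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"*", "iam:*"} and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False

def find_risky_policy_versions(events) -> list:
    """Return (actor ARN, policy ARN, reasons) for CreatePolicyVersion calls worth alerting on."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "CreatePolicyVersion":
            continue
        params = ev.get("requestParameters", {})
        reasons = []
        if params.get("setAsDefault"):
            reasons.append("new version set as default in the same call")
        if grants_full_admin(params.get("policyDocument", "{}")):
            reasons.append("new version grants full admin (*:*)")
        if reasons:
            findings.append((ev["userIdentity"]["arn"], params["policyArn"], reasons))
    return findings

if __name__ == "__main__":
    for actor, arn, reasons in find_risky_policy_versions(SAMPLE_EVENTS):
        print(f"ALERT {actor} -> {arn}: {'; '.join(reasons)}")
```

In a real deployment the same check would be fed from your CloudTrail delivery (for example an S3 or CloudWatch Logs subscription) rather than the embedded sample records.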