2021-03-25

Lightspin discovered a gap between AWS Identity and Access Management (IAM) user and group policies that an attacker can abuse to take over accounts, delete group members, steal data, and shut down services. Lightspin is a contextual cloud security provider protecting native, Kubernetes, and microservices from known and unknown risks.

Details of the vulnerability

According to the research results, many security administrators were unaware that AWS IAM rules do not work the same way as Azure Active Directory or other authorization mechanisms. In Azure Active Directory, if a group is denied read access to a file, no member of that group can access it. IAM, however, handles group and user authorizations separately: even if a group has an explicit deny, that deny only affects actions on the group itself, not actions on its individual users.

Vladi Sandler, CEO at Lightspin, said:

“Initially, we believed this vulnerability was an isolated case. However, upon further investigation, we found that in many cases, users could perform actions that system administrators believed were denied when they configured group security configurations. This makes users’ accounts, believed to be safe, easy to infiltrate.”

More than half of the companies they work with have unintentionally loose permissions for their users because of this authorization bypass, putting them at risk. There are two options to ensure that users cannot perform actions that were meant to be denied through group authorizations. Lightspin has developed an open-source scanner that reports when user permissions are loosely defined, opening up an attack path for hackers.
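As an added illustration of the gap described above (this is not Lightspin's scanner and not code from the article): a small Python check that flags Deny statements whose Resource entries are all group ARNs while the statement names user-level IAM actions, which IAM therefore never applies to the group's members. The weak policy, its corrected form, and the list of user-scoped actions are constructed samples and assumptions, not an exhaustive mapping.

```python
import fnmatch
import json

# Assumed, non-exhaustive set of IAM actions whose target resource is a
# *user* ARN; a Deny scoped only to group ARNs can never match them.
USER_SCOPED_ACTIONS = {
    "iam:ChangePassword", "iam:CreateAccessKey", "iam:DeleteAccessKey",
    "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:DeleteLoginProfile", "iam:AttachUserPolicy", "iam:PutUserPolicy",
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches_action(pattern, action):
    # IAM action names match case-insensitively and allow '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def ineffective_denies(policy):
    """Return user-scoped actions that a Deny statement names but cannot
    block because every Resource entry in that statement is a group ARN."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "Resource" not in stmt:
            continue
        resources = _as_list(stmt["Resource"])
        # A statement that can reach a user ARN (or '*') is not the gap.
        if any(r == "*" or ":user/" in r for r in resources):
            continue
        if not all(":group/" in r for r in resources):
            continue
        for pat in _as_list(stmt.get("Action", [])):
            findings += [a for a in USER_SCOPED_ACTIONS if _matches_action(pat, a)]
    return sorted(set(findings))

# Constructed sample: the admin meant to stop every member of the "devs"
# group from managing credentials, but scoped the Deny to the group ARN.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny",
                 "Action": ["iam:CreateAccessKey", "iam:ChangePassword"],
                 "Resource": "arn:aws:iam::123456789012:group/devs"}]}""")

# Corrected form: the same Deny with a Resource the user-level actions hit.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny",
                 "Action": ["iam:CreateAccessKey", "iam:ChangePassword"],
                 "Resource": "arn:aws:iam::123456789012:user/*"}]}""")
```

Running `ineffective_denies` over the attached policies of each group gives a quick inventory of denies that look protective but never apply to the users they were meant to restrict.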

