An attacker could take over accounts, delete group members, steal data and shut down services.

Edward Gately, Senior News Editor

March 24, 2021


A gap between AWS Identity and Access Management (IAM) user and group policies presents a prime opportunity for exploitation by cybercriminals.

That’s according to Israel-based Lightspin, the cloud security provider, which discovered the gap. Its research team was able to compromise dozens of accounts by using this technique.

By exploiting this gap, an attacker can take over accounts, delete group members, steal data and shut down services.

Or Azarzar is Lightspin‘s co-founder and CTO. He said he had seen no evidence of threat actors exploiting the gap, but that now it is public, they will likely abuse it.


“It can allow standard users to escalate their privileges and steal admin credentials or reset admin passwords and login on their behalf (in certain circumstances),” he said. “So generally it can lead to an AWS account compromise.”

Differing Policies

Lightspin researchers found that many security administrators were unaware that AWS IAM rules do not work the same way as Azure Active Directory or other authorization mechanisms.

In Azure Active Directory, if a group is denied read access to a file, every member of that group is blocked. IAM handles group and user authorizations separately: a Deny written against a group restricts only actions on the group object itself, not actions on the users who belong to it, because in IAM a user is not a child resource of its groups. Amazon does not warn administrators that member users’ accounts can still be acted on even when their group is protected.

Vladi Sandler is Lightspin‘s CEO.

“Initially, we believed this vulnerability was an isolated case,” he said. “However, upon further investigation, we found that in many cases, users could perform actions that system administrators believed were denied when they configured group security configurations. This makes user accounts believed to be safe easy to infiltrate.”

Lightspin says more than half of the companies it works with have unintentional, loose permissions for their users due to this authorization bypass. This puts them at risk.

There are two options to ensure users can’t perform actions they were intended to be denied using group authorizations:

  • List each member user explicitly in the Deny rule, rather than only the group.

  • Tag each user that belongs to the group and write the Deny against the tag, so the restriction follows the user rather than the group.

Both procedures can be cumbersome and difficult to maintain, Lightspin said. However, they are the best way to prevent intruders from changing login information and taking over accounts.
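To make the gap and the two fixes concrete, here is an added example that is not from the article and not Lightspin's scanner: a small Python model of the two IAM evaluation rules that matter here (an explicit Deny beats any Allow, and a statement only participates when its Resource pattern matches the ARN being acted on). It runs the same password-reset action (`iam:UpdateLoginProfile`) against a member user under a Deny aimed at the group ARN, a Deny that lists each member user, and a Deny keyed on a user tag. The account ID, user and group names, tags and the broad `iam:*` Allow are constructed for illustration; the tag condition is modelled only for `StringEquals` on the `aws:ResourceTag/<key>` condition key, which is the key assumed here for tag-based conditions on IAM users.

```python
"""Simplified model of AWS IAM policy evaluation, added to illustrate the
user-vs-group Deny gap. All ARNs, names and tags below are constructed
sample data, not from the article or from Lightspin's tooling."""
import fnmatch
import json

ACCOUNT = "123456789012"                                 # constructed account ID
GROUP_ARN = f"arn:aws:iam::{ACCOUNT}:group/Developers"  # constructed group
USER_ARNS = {name: f"arn:aws:iam::{ACCOUNT}:user/{name}" for name in ("alice", "bob")}
USER_TAGS = {"alice": {"team": "dev"}, "bob": {"team": "dev"}}  # constructed tags

# A "standard user" who has been handed broad IAM rights (constructed).
BROAD_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

# What many admins write: deny IAM changes on the group, believing it shields members.
DENY_ON_GROUP = {"Statement": [{"Effect": "Deny", "Action": "iam:*", "Resource": GROUP_ARN}]}

# Fix 1: name every member user explicitly in the Deny, alongside the group.
DENY_PER_USER = {"Statement": [{
    "Effect": "Deny", "Action": "iam:*",
    "Resource": [GROUP_ARN] + list(USER_ARNS.values())}]}

# Fix 2: tag the members and deny against the tag (assumed key aws:ResourceTag/team).
DENY_BY_TAG = {"Statement": [
    {"Effect": "Deny", "Action": "iam:*", "Resource": GROUP_ARN},
    {"Effect": "Deny", "Action": "iam:*", "Resource": f"arn:aws:iam::{ACCOUNT}:user/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/team": "dev"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: only '*' and '?' are special."""
    if case_insensitive:  # action names are case-insensitive in IAM
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, resource_tags):
    """Only StringEquals on aws:ResourceTag/<key> is modelled; anything else raises."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in clauses.items():
            if not key.startswith("aws:ResourceTag/"):
                raise NotImplementedError(f"condition key {key} not modelled")
            actual = resource_tags.get(key.split("/", 1)[1])
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def is_allowed(policies, action, resource_arn, resource_tags=None):
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise implicit deny.
    A statement takes part only if its Resource pattern matches the target ARN, which
    is exactly why a Deny on a group ARN never sees an action aimed at a user ARN."""
    resource_tags = resource_tags or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), resource_tags):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def evaluate_gap():
    """Try a console password reset on member user bob, and a group deletion,
    under each Deny style combined with the broad Allow."""
    results = {}
    for name, deny in (("deny_on_group_arn", DENY_ON_GROUP),
                       ("deny_per_user", DENY_PER_USER),
                       ("deny_by_tag", DENY_BY_TAG)):
        policies = [BROAD_ALLOW, deny]
        results[name] = {
            "reset_bob_password": is_allowed(policies, "iam:UpdateLoginProfile",
                                             USER_ARNS["bob"], USER_TAGS["bob"]),
            "delete_group": is_allowed(policies, "iam:DeleteGroup", GROUP_ARN),
        }
    return results


if __name__ == "__main__":
    print(json.dumps(evaluate_gap(), indent=2))
```

Under `deny_on_group_arn` the group itself is protected but the password reset on bob goes through, which is the gap the article describes; under either fix the reset is blocked. The tag-based fix scales better than enumerating users, but it only holds as long as every member actually carries the tag, so membership changes still need a check that the tag was applied.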

Lightspin developed an open-source scanner that reports when user permissions are loosely defined, opening up an attack path for hackers.


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
