Lightspin has announced the results of its research, which discovered a gap between AWS Identity and Access Management (IAM) user and group policies that an attacker can abuse to take over accounts, delete group members, steal data and shut down services. The research team was able to compromise dozens of accounts by using this technique.
“Initially, we believed this vulnerability was an isolated case,” said Vladi Sandler, CEO at Lightspin. “However, upon further investigation, we found that in many cases, users could perform actions that system administrators believed were denied when they configured group security configurations. This makes user accounts believed to be safe easy to infiltrate.”
Lightspin researchers found that many security administrators were unaware that AWS IAM group policies do not behave like Azure Active Directory group permissions or other group-based authorization mechanisms.
In Azure Active Directory, if a group is denied read access to a file, no member of the group can access it. IAM, by contrast, evaluates each policy statement against the resource the requested action targets. A Deny statement whose Resource is the group's ARN therefore matches only actions performed on the group object itself; actions whose target is a member's user ARN (changing that user's password, creating access keys, attaching policies to the user) are evaluated against the user, and the group-scoped Deny never applies to them. If any other policy allows those user-level actions, the member can still perform them, even though the administrator believes the group Deny blocks them.
AWS does not warn administrators that a member's own user account remains reachable even when the group it belongs to carries such a Deny, Lightspin said.
Based on Lightspin's research, more than half of the companies it works with have unintentionally loose permissions for their users because of this authorization bypass, putting them at risk. There are two ways to make a group-level Deny actually block the user-level actions it was meant to block:
List each member's user ARN explicitly, alongside the group ARN, in the Resource of the Deny statement.
Tag each user to mark group membership, and write the Deny against the tag rather than against the group ARN.
Both approaches are cumbersome and hard to maintain, since every new member needs an ARN entry or a tag, but they are the reliable way to stop an intruder from changing a member's login credentials and taking over the account.
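The following is an added example, written for this article and not Lightspin's scanner or any AWS library, that shows the mechanism and both fixes in one place. It contains a deliberately simplified IAM policy evaluator (explicit Deny wins, then any Allow, otherwise implicit deny; only StringEquals conditions are modelled; NotAction/NotResource are ignored) and four constructed policy documents for a fictional account 123456789012 with a fictional group "Developers" and users "alice" and "bob". The tag-based Deny uses the `aws:PrincipalTag` condition key with a tag name (`iam-group`) chosen for this example; the list of user-targeted IAM actions is a constructed sample, not the full service reference. The `find_ineffective_denies` check is a small illustration of what a scanner for this misconfiguration looks for.

```python
"""Why a Deny scoped to a group ARN does not stop user-targeted IAM actions (added example)."""
import fnmatch

ACCOUNT = "123456789012"                                   # fictional account
GROUP_ARN = f"arn:aws:iam::{ACCOUNT}:group/Developers"     # fictional group
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/alice"            # fictional member

# Constructed sample of IAM actions whose target resource is a *user* ARN. A Deny whose
# Resource names only group ARNs can never match a request for one of these.
USER_TARGET_ACTIONS = [
    "iam:ChangePassword", "iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey",
    "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy",
    "iam:PutUserPolicy", "iam:UpdateUser", "iam:DeleteUser",
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value):
    # IAM wildcards: '*' matches any run, '?' one character; Action matching is case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _condition_holds(cond, ctx):
    # Only StringEquals is modelled here; a context key that is absent never satisfies it.
    for key, expected in cond.get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(expected):
            return False
    return True

def _stmt_matches(stmt, action, resource, ctx):
    return (any(_glob(a, action) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
            and _condition_holds(stmt.get("Condition", {}), ctx))

def evaluate(policies, action, resource, ctx=None):
    """Simplified IAM decision for one request: 'Deny', 'Allow' or 'ImplicitDeny'."""
    ctx = ctx or {}
    stmts = [s for p in policies for s in _as_list(p["Statement"])]
    if any(s["Effect"] == "Deny" and _stmt_matches(s, action, resource, ctx) for s in stmts):
        return "Deny"
    if any(s["Effect"] == "Allow" and _stmt_matches(s, action, resource, ctx) for s in stmts):
        return "Allow"
    return "ImplicitDeny"

# A broad Allow reaching the user from elsewhere (another attached policy, for instance).
BROAD_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

# The misconfiguration the article describes: the Deny's Resource is the group ARN, so it
# only matches actions on the group object, never actions on the member users.
GROUP_SCOPED_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:*", "Resource": GROUP_ARN}]}

# Fix 1: list every member's user ARN in the Deny (must be updated for each new member).
USER_LISTED_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:*",
     "Resource": [GROUP_ARN, f"arn:aws:iam::{ACCOUNT}:user/alice",
                  f"arn:aws:iam::{ACCOUNT}:user/bob"]}]}

# Fix 2: tag each member and deny by principal tag (tag name chosen for this example).
TAG_SCOPED_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalTag/iam-group": "Developers"}}}]}

def find_ineffective_denies(policy):
    """Flag Deny statements whose Resource names only group ARNs while their Action
    pattern covers user-targeted actions; returns (statement index, unreachable action)."""
    findings = []
    for i, s in enumerate(_as_list(policy["Statement"])):
        resources = _as_list(s.get("Resource", []))
        if s["Effect"] != "Deny" or not resources or not all(":group/" in r for r in resources):
            continue
        for act in USER_TARGET_ACTIONS:
            if any(_glob(p, act) for p in _as_list(s.get("Action", []))):
                findings.append((i, act))
    return findings

if __name__ == "__main__":
    req = ("iam:CreateAccessKey", USER_ARN)
    print("group-scoped deny :", evaluate([BROAD_ALLOW, GROUP_SCOPED_DENY], *req))
    print("user-listed deny  :", evaluate([BROAD_ALLOW, USER_LISTED_DENY], *req))
    print("tag-scoped deny   :", evaluate([BROAD_ALLOW, TAG_SCOPED_DENY], *req,
                                          {"aws:PrincipalTag/iam-group": "Developers"}))
    print("group action      :", evaluate([BROAD_ALLOW, GROUP_SCOPED_DENY],
                                          "iam:AddUserToGroup", GROUP_ARN))
    print("scanner findings  :", find_ineffective_denies(GROUP_SCOPED_DENY))
```

Running the script shows the gap directly: with the group-scoped Deny in place, `iam:CreateAccessKey` on alice's own user ARN is still allowed (the Deny only bites for a group action such as `iam:AddUserToGroup` on the group ARN), while both fixes return Deny for the same request. The tag-based fix depends on the principal actually carrying the tag, which is why the check without the context key still returns Allow; that maintenance burden is the one the article mentions.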
Lightspin has released an open-source scanner that reports when user permissions are left loosely defined in this way, an opening for attackers.