Lateral movement

Privileged Group – Policy Attachment

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks

Description

An IAM Group is a collection of IAM Users. You can use groups to specify permissions for a collection of users. The group {AwsIamGroup} was found with permissive permissions that allow it to perform one or more of the following actions:

1. Create or update an inline policy. An inline policy is a policy that is embedded in an IAM identity (a user, group, or role); that is, the policy is an inherent part of the identity. By leveraging this ability, an attacker may alter the inline policy to grant themselves additional privileges.

2. Attach a managed policy. Managed policies are standalone policies that are created and administered by either AWS or the customer. "Standalone" means that the policy has its own Amazon Resource Name (ARN) that includes the policy name, and such policies may be attached to multiple principals. By leveraging this ability, an attacker may attach a more privileged managed policy, such as "AdministratorAccess", to themselves.

3. Update a role's trust policy. A role's trust policy defines which entities may assume that role, and under which conditions. By leveraging this ability, an attacker may alter a more privileged role's trust policy to allow themselves to assume it.
  • Recommended Mitigation

    Review the group's policy and consider removing any of the following actions: iam:PutGroupPolicy, iam:PutRolePolicy, iam:PutUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:AttachUserPolicy, iam:UpdateAssumeRolePolicy
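As an added example (not part of the original finding or of any vendor's tooling), the following Python check implements the review the mitigation asks for: given an IAM policy document, it reports which of the seven listed actions the document effectively allows, expanding wildcards the way IAM does and honoring explicit Deny. The policy document shown is constructed for the example.

```python
import fnmatch
import json

# The seven actions the finding names. IAM action names are case-insensitive.
LISTED_ACTIONS = {
    "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy",
    "iam:UpdateAssumeRolePolicy",
}


def _as_list(value):
    """Statement, Action and NotAction may be a single string or a list in IAM JSON."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _expand(patterns):
    """Expand IAM action patterns ('*', 'iam:*', 'iam:Put*') against LISTED_ACTIONS."""
    return {
        action for action in LISTED_ACTIONS
        for pattern in patterns
        if fnmatch.fnmatchcase(action.lower(), pattern.lower())
    }


def find_risky_actions(policy_document):
    """Return the listed actions that this policy document effectively allows.

    An explicit Deny overrides an Allow, so denied actions are subtracted.
    NotAction is treated as "every listed action except these". Resource and
    Condition are ignored on purpose: a scoped grant still deserves the review
    the finding asks for, so the check errs toward flagging.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy_document.get("Statement")):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            continue
        if "NotAction" in stmt:
            matched = LISTED_ACTIONS - _expand(_as_list(stmt["NotAction"]))
        else:
            matched = _expand(_as_list(stmt.get("Action")))
        (allowed if effect == "Allow" else denied).update(matched)
    return allowed - denied


# Constructed sample of an inline group policy; not taken from any real account.
SAMPLE_GROUP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:Put*", "iam:updateassumerolepolicy"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:PutUserPolicy", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print(sorted(find_risky_actions(SAMPLE_GROUP_POLICY)))
```

In a real review, feed it the documents returned by the IAM group's inline policies and the default version of each attached managed policy; a non-empty result is the condition this finding describes.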