Lateral movement

Privileged Instance Profile – Policy Version

Risk Level

Hazardous (3)


Description

IAM instance profiles attach IAM roles to EC2 instances so that the instances can call AWS APIs with the role's permissions. The instance profile {AwsIamInstanceProfile}, which is attached to {AwsIamInstanceProfile.Ec2Instances|count} instances, was found to carry a role whose permissions allow it to create a new version of a managed policy or to change which version of the policy is the default. Managed policies keep a list of their previous versions. By creating a new version with additional permissions, or by making an older, more permissive version the default again, an attacker who controls the instance may be able to escalate privileges and take over the account.
  • Recommended Mitigation

    Review the instance profile's policy and consider removing any of the following actions: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion