Lateral movement

Privileged Managed Policy – Policy Attachment

Description

An IAM Managed Policy is an object in AWS that, when attached to an identity or resource, defines that entity's permissions. The policy {AwsIamManagedPolicy} was found to grant permissive permissions that allow one or more of the following actions:

1. Create or update an inline policy. An inline policy is embedded directly in an IAM identity (a user, group, or role), so it is an inherent part of that identity. By leveraging this ability, an attacker may alter the inline policy of their own identity to grant themselves additional privileges.

2. Attach a managed policy. Managed policies are standalone policies created and administered by either AWS or the customer. "Standalone" means the policy has its own Amazon Resource Name (ARN) that includes the policy name, and a single managed policy may be attached to multiple principals. By leveraging this ability, an attacker may attach a more privileged managed policy, such as "AdministratorAccess", to their own identity.

3. Update a role's trust policy. A role's trust policy defines which principals may assume the role, and under which conditions. By leveraging this ability, an attacker may alter the trust policy of a more privileged role to allow their own identity to assume it.
  • Recommended Mitigation

    Review the policy and consider removing any of the following actions: iam:PutGroupPolicy, iam:PutRolePolicy, iam:PutUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:AttachUserPolicy, iam:UpdateAssumeRolePolicy
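The following is an added audit script, not code from the original page or from any vendor tooling, that implements the review step above: it walks a policy document and reports every Allow statement that would grant one of the listed escalation actions, including grants hidden behind wildcards such as "iam:*" or "iam:Put*" and behind a NotAction allow-list. The policy document used as input is constructed inline for the example; in practice you would fetch the document with iam:GetPolicyVersion and pass it to find_escalation_grants(). Deny statements and Condition blocks are deliberately not evaluated, so treat a hit as a statement to review rather than as proof of exploitability.

```python
"""Audit an IAM policy document for the privilege-escalation actions listed
under Recommended Mitigation (inline policy writes, managed-policy attachment,
and trust-policy updates).

Added example, not code from the original page. The SAMPLE_POLICY below is
constructed for illustration and does not describe any real account.
"""
import fnmatch
import json

# The actions the Recommended Mitigation section says to review.
ESCALATION_ACTIONS = (
    "iam:PutGroupPolicy",
    "iam:PutRolePolicy",
    "iam:PutUserPolicy",
    "iam:AttachGroupPolicy",
    "iam:AttachRolePolicy",
    "iam:AttachUserPolicy",
    "iam:UpdateAssumeRolePolicy",
)


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single item or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    """IAM action names match case-insensitively and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_escalation_grants(policy_document):
    """Return (sid, action, resources) for every escalation action that an
    Allow statement in the document would permit.

    A statement can grant an action in three ways, all handled here:
      * the action is listed literally in Action,
      * a wildcard in Action covers it (e.g. "iam:*", "iam:Put*", "*"),
      * the statement uses NotAction and the action is not excluded
        (an Allow with NotAction grants everything not listed).
    Deny statements and Condition blocks are skipped: a Deny elsewhere may
    still block the action and a Condition may narrow it, so the result is a
    review list, not proof of exploitability.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        resources = _as_list(stmt.get("Resource"))
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        for target in ESCALATION_ACTIONS:
            if "NotAction" in stmt:
                granted = not any(_matches(p, target) for p in not_actions)
            else:
                granted = any(_matches(p, target) for p in actions)
            if granted:
                findings.append((sid, target, resources))
    return findings


def is_privileged(policy_document):
    """True when the document grants at least one escalation action."""
    return bool(find_escalation_grants(policy_document))


# Constructed sample: a "developer" policy that looks read-only at a glance but
# lets the holder rewrite inline policies on any role (via iam:Put*) and attach
# managed policies to any user.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    {"Sid": "RoleMaintenance", "Effect": "Allow",
     "Action": "iam:Put*", "Resource": "arn:aws:iam::123456789012:role/*"},
    {"Sid": "UserAttach", "Effect": "Allow",
     "Action": ["iam:AttachUserPolicy", "iam:DetachUserPolicy"],
     "Resource": "*"},
    {"Sid": "Blocked", "Effect": "Deny",
     "Action": "iam:UpdateAssumeRolePolicy", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for sid, action, resources in find_escalation_grants(SAMPLE_POLICY):
        print(f"{sid}: allows {action} on {resources}")
```

The Resource element is reported alongside each hit because it changes the severity of a finding: "iam:PutRolePolicy" scoped to a single low-privilege role is far less dangerous than the same action on "*", and wildcard patterns such as "iam:Put*" will match actions (here iam:PutGroupPolicy and iam:PutUserPolicy) that the statement's role-only Resource ARN can never actually apply to, so each hit still needs a human reading of the statement before the action is removed or its resources narrowed.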