Lateral movement

Privileged Managed Policy – Policy Version

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks

Description

An IAM managed policy is a standalone AWS object that, when attached to an identity (user, group or role), defines that identity's permissions. The policy {AwsIamManagedPolicy} was found to grant permissions that allow creating a new version of a managed policy or changing which version is the default. A managed policy keeps up to five stored versions, and only the default version is in effect. By creating a new version with additional permissions and setting it as the default, or by reverting to an older, more permissive version, an attacker who holds these permissions can escalate privileges on any principal the policy is attached to, including themselves, and potentially take over the account.
  • Recommended Mitigation

    Review the policy and consider removing any of the following actions: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion. Also check for wildcard actions that include them (for example iam:*, iam:Create* or iam:*PolicyVersion). If the actions are genuinely required, scope the Resource element to the specific policy ARNs instead of *, and delete stored versions that are more permissive than the current default so there is nothing to revert to.
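The following is an added example, not part of this finding or of any vendor tooling: a small offline checker that scans an IAM policy document for statements that effectively grant the two actions named above. It expands action wildcards the way IAM does (case-insensitive, `*` and `?`), so a statement like `iam:CreatePolicy*` is caught even though it never spells out `iam:CreatePolicyVersion`, honours an unconditional `Deny` on `*`, and reports `Condition`-gated grants separately. The sample policy documents are constructed for the example; the account ID and policy ARN in them are placeholders.

```python
"""Audit an IAM policy document for permissions that let the holder change
a managed policy's versions (iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion).

Added example; evaluation is deliberately conservative and is not a full IAM
policy evaluator (NotResource, resource-scoped Denies and SCPs are not modelled).
"""
import fnmatch
import json

# The two actions named in the finding. Either one lets the holder change
# which permissions a managed policy actually grants.
POLICY_VERSION_ACTIONS = ("iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion")


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_policy_version_grants(policy_document):
    """Return {action: [grant, ...]} for each policy-version action the document allows.

    Each grant records the statement Sid, its Resource list and whether the
    statement carries a Condition. An action is dropped from the result only
    when an unconditional Deny on Resource "*" covers it; narrower Denies are
    left for manual review. NotAction statements are treated as granting
    everything not listed, which is how IAM evaluates them.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    allows = {action: [] for action in POLICY_VERSION_ACTIONS}
    hard_denied = set()

    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{index}]")
        effect = stmt.get("Effect")
        conditional = "Condition" in stmt
        resources = _as_list(stmt.get("Resource"))

        for target in POLICY_VERSION_ACTIONS:
            if "Action" in stmt:
                hit = any(_matches(p, target) for p in _as_list(stmt["Action"]))
            else:  # NotAction: the statement applies unless the action is excluded
                hit = not any(_matches(p, target) for p in _as_list(stmt.get("NotAction")))
            if not hit:
                continue
            if effect == "Allow":
                allows[target].append({"sid": sid, "resources": resources, "conditional": conditional})
            elif effect == "Deny" and not conditional and "*" in resources:
                hard_denied.add(target)

    return {action: hits for action, hits in allows.items() if hits and action not in hard_denied}


# Constructed sample documents (placeholder account ID and ARN, not real resources).
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        # Looks like it only allows creating policies, but the wildcard also
        # covers iam:CreatePolicyVersion.
        {"Sid": "ManageVersions", "Effect": "Allow", "Action": "iam:CreatePolicy*", "Resource": "*"},
        {"Sid": "SetDefault", "Effect": "Allow", "Action": "iam:SetDefaultPolicyVersion",
         "Resource": "arn:aws:iam::123456789012:policy/team-policy",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Broad iam:* allow (still dangerous for other reasons) with an explicit,
# unconditional Deny of the two version actions: not reported by this check.
DENY_OVERRIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Broad", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Sid": "NoVersionChanges", "Effect": "Deny",
         "Action": list(POLICY_VERSION_ACTIONS), "Resource": "*"},
    ],
})


if __name__ == "__main__":
    for name, document in (("permissive", PERMISSIVE_POLICY), ("deny-override", DENY_OVERRIDE_POLICY)):
        print(name, json.dumps(find_policy_version_grants(document), indent=2))
```

Run against a real policy with `aws iam get-policy-version --policy-arn <arn> --version-id <id>` and feed the `Document` field to `find_policy_version_grants`. To see what an attacker could revert to, `aws iam list-policy-versions --policy-arn <arn>` lists the stored versions, and `aws iam delete-policy-version` removes the non-default ones that are broader than the current default.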