Lateral movement

Privileged Managed Policy – Policy Version

Description

An IAM Managed Policy is an object in AWS that, when attached to an identity or resource, defines its permissions. The policy {AwsIamManagedPolicy} was found with permissions that allow creating or changing a managed policy's version. Managed policies retain a list of previous versions of the permissions they grant. By creating a new version with additional permissions, or reverting to an older, more permissive version, an attacker may be able to escalate their privileges and achieve account takeover.
  • Recommended Mitigation

    Review the policy and consider removing any of the following actions: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion