Lateral movement

Privileged Role – Policy Attachment

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks

Description

An IAM Role is an identity with permission policies that determine what the identity can do in AWS. A role does not have any credentials (password or access keys) associated with it. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. The role {AwsIamRole} was found with permissive permissions that allow for the ability to perform one or more of the following actions:1. Create or update an inline policy; An inline policy is a policy that's embedded in an IAM identity (a user, group, or role). That is, the policy is an inherent part of the identity. By leveraging this ability, an attacker may alter the inline policy to grant themselves additional privileges.2. Attach a managed policy; Managed policies are standalone policies that are created and administered by either AWS or the customer. Standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name. Standalone policies may be attached to multiple principles. By leveraging this ability, an attacker may attach to themselves a more privileged managed policy, such as ""AdministratorAccess"". 3. Update a role's trust policy; Roles' trust policies define which entities may assume that role, and under which conditions. By leveraging this ability, an attacker may alter a more privileged role's policy in order to allow themselves to assume it.
  • Recommended Mitigation

    ## Remediation --- >1. Sign in to the AWS Management Console and open the **[IAM console](https://console.aws.amazon.com/iam/)**. >2. In the navigation pane, choose **Policies**, and choose the desired policy. >3. Under **Permissions** tab, choose **Edit policy**. >4. Edit the policy via **visual editor/JSON**. >5. Consider removing any of the following actions: >- **iam:PutGroupPolicy** >- **iam:PutRolePolicy** >- **iam:PutUserPolicy** >- **iam:AttachGroupPolicy** >- **iam:AttachRolePolicy** >- **iam:AttachUserPolicy** >- **iam:updateAssumeRolePolicy** >- **sts:AssumeRole** >6. At the bottom of the page, choose **Review Policy**. >7. Choose **save changes**.