Lateral movement

Privileged Role – Policy Version

Risk Level

Hazardous (3)

Compliance Frameworks


An IAM role is an identity with permission policies that determine what the identity can do in AWS. A role has no long-term credentials (password or access keys) of its own; instead of being tied to one person, it is intended to be assumed by any principal that needs it. The role {AwsIamRole} was found with permissive permissions that allow it to create or change a managed policy's version. A managed policy keeps a list of previous versions of the permissions it grants (up to five, one of which is the default). By creating a new version with additional permissions, or by reverting to an older, more permissive version, an attacker who can assume this role may be able to escalate their privileges and achieve account takeover.
  • Recommended Mitigation

    Review the role's policy, {AwsIamRole.Policies}, and consider removing any of the following actions: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion.

    Remediation

    1. Sign in to the AWS Management Console and open the IAM console.
    2. In the navigation pane, choose **Policies**, and choose the desired policy.
    3. Under the **Permissions** tab, choose **Edit policy**.
    4. Edit the policy via the **visual editor/JSON**.
    5. Consider removing any of the following actions:
       - **iam:CreatePolicyVersion**
       - **iam:SetDefaultPolicyVersion**
    6. At the bottom of the page, choose **Review policy**.
    7. Choose **Save changes**.
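To check a role's policies for this finding before opening the console, the following added example (not part of this page or of any vendor tooling) scans an IAM policy document for grants of the two flagged actions. It assumes the policy document is already loaded as a Python dict (for example, from `get-policy-version` output); the sample policy at the bottom is constructed for illustration.

```python
import fnmatch
import json

# The two actions this finding flags: either one lets a principal rewrite a managed policy's permissions.
PRIVILEGED_ACTIONS = ("iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion")

def _as_list(value):
    """IAM allows a single string/object or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _statement_covers(stmt, action):
    """True if the statement's Action (or NotAction) patterns include the action.
    IAM action matching is case-insensitive and supports the '*' and '?' wildcards."""
    a = action.lower()
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(a, p.lower()) for p in _as_list(stmt["NotAction"]))
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in _as_list(stmt.get("Action")))

def find_policy_version_grants(policy_document):
    """Return the flagged actions effectively allowed by one policy document, sorted.
    An explicit Deny on an action removes it. Resource scoping and Conditions are
    ignored on purpose: a grant on any policy ARN still merits review."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy_document.get("Statement")):
        for action in PRIVILEGED_ACTIONS:
            if _statement_covers(stmt, action):
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return sorted(allowed - denied)

# Constructed sample: a wildcard grant, a NotAction grant, and a Deny that cancels one action.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:Create*"], "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:CreatePolicyVersion", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:SetDefaultPolicyVersion", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print(find_policy_version_grants(SAMPLE_POLICY))  # ['iam:CreatePolicyVersion']
```

Run it against every policy attached to {AwsIamRole}; a non-empty result means the role should be reviewed as described above.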