Lateral movement

Privileged Role – User Management

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks

Description

An IAM role is an identity with permission policies that determine what the identity can do in AWS. A role has no long-term credentials (password or access keys) of its own. Instead of being uniquely associated with one person, a role is intended to be assumable by any principal that needs it. The role {AwsIamRole} was found with permissive permissions that allow whoever assumes it to create access keys for an IAM user or to create or update that user's console login profile. An attacker who can assume the role may use this to create or update credentials for a user other than themselves, then sign in as that user and act with that user's permissions.
  • Recommended Mitigation

    Review the role's policy and remove any of the following actions unless the role has a documented need for them: iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey. Where the role genuinely must manage credentials for a particular user, scope the statement's Resource element to that user's ARN rather than "*" or a user/* wildcard, and check for Allow statements that reach these actions indirectly through patterns such as iam:* or iam:Create*, or through NotAction.
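The review above is easy to get wrong by hand, because a policy can reach these actions through iam:Create*, iam:*, or a NotAction statement, and an explicit Deny may already neutralise part of the grant. The following is an added example, not code from the original page or from the platform that produced this finding: a small static check that reports which of the three credential-management actions a policy document allows, on which resources, after honouring explicit Deny statements, and then flags the grants whose target user is a wildcard. Both sample policies and the account ID 123456789012 are constructed for the example. Condition blocks are not evaluated, so a conditioned Allow is still reported (conservative).

```python
"""Added example: static check for IAM policy documents that grant the
credential-management actions named in this finding. Not part of the
original page; sample policies are constructed inline."""
import fnmatch
import json

# The three actions the finding is about (see Recommended Mitigation).
CREDENTIAL_ACTIONS = (
    "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile",
    "iam:CreateAccessKey",
)


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(statement, action):
    """True if the statement's Action (or NotAction) reaches the given action."""
    actions = _as_list(statement.get("Action"))
    not_actions = _as_list(statement.get("NotAction"))
    if actions:
        return any(_action_matches(p, action) for p in actions)
    if not_actions:  # NotAction grants everything except the listed patterns
        return not any(_action_matches(p, action) for p in not_actions)
    return False


def is_broad_resource(resource):
    """A grant is broad when the target user is a wildcard, not one named ARN."""
    if resource == "*":
        return True
    if ":user/" in resource:
        return "*" in resource.split(":user/", 1)[1]
    return "*" in resource


def credential_grants(policy_document):
    """Sorted (action, resource) pairs the policy allows for the credential
    actions, minus pairs covered by an explicit Deny on the same resource or
    on '*'. Statements using NotResource are treated as Resource '*' (conservative)."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    allows, denies = set(), set()
    for st in _as_list(doc.get("Statement")):
        resources = _as_list(st.get("Resource", "*"))
        for action in CREDENTIAL_ACTIONS:
            if not _statement_covers(st, action):
                continue
            bucket = denies if st.get("Effect") == "Deny" else allows
            bucket.update((action, r) for r in resources)
    return sorted(
        (a, r) for (a, r) in allows
        if (a, "*") not in denies and (a, r) not in denies
    )


def broad_credential_grants(policy_document):
    """The subset of grants a reviewer should remove or narrow to a named user."""
    return [(a, r) for (a, r) in credential_grants(policy_document) if is_broad_resource(r)]


# Constructed sample: an over-permissive role policy. The Deny shows explicit
# denies being honoured; the NotAction statement shows that "everything except
# s3" quietly includes the IAM credential actions.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:Create*", "iam:UpdateLoginProfile"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "s3:*", "Resource": "arn:aws:iam::123456789012:user/*"},
    ],
})

# Constructed sample: the same capability narrowed to one named user, which is
# the shape left after applying the mitigation to a role that genuinely needs it.
NARROWED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:CreateAccessKey",
         "Resource": "arn:aws:iam::123456789012:user/ci-deploy"},
    ],
})

if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE_POLICY), ("narrowed", NARROWED_POLICY)):
        print(name, broad_credential_grants(doc))
```

Running the block reports four broad grants for the permissive policy (CreateLoginProfile and UpdateLoginProfile, each on "*" and on the user/* wildcard; CreateAccessKey drops out because of the Deny) and none for the narrowed policy. Feed it the role's inline and attached policy documents, for example as returned by the IAM get-role-policy and get-policy-version API calls, to check the role named in the finding.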