Security Flaw in AWS Default IAM Roles Threatens Lateral Movement and Cross-Service Exploitation

Researchers in cybersecurity have identified concerning default identity and access management (IAM) roles within Amazon Web Services (AWS) that could potentially allow attackers to escalate privileges, manipulate other AWS services, and even compromise accounts entirely. According to Aqua researchers Yakir Kadkoda and Ofek Itach, “These roles, typically created automatically or suggested during setup, grant excessively broad permissions, including full access to S3.” They warn that these default roles create silent attack vectors for privilege escalation and cross-service access, leading to possible account breaches. The cloud security firm pinpointed vulnerabilities in default IAM roles established by AWS services such as SageMaker, Glue, EMR, and Lightsail. A similar issue has also been detected in the widely-used open-source framework Ray, which generates a default IAM role (ray-autoscaler-v1) that includes the AmazonS3FullAccess policy.

AWS Default IAM Roles Discovered to Facilitate Lateral Movement and Cross-Service Exploitation

May 20, 2025

Cybersecurity researchers have uncovered significant vulnerabilities tied to the default identity and access management (IAM) roles within Amazon Web Services (AWS). These vulnerabilities potentially allow adversaries to escalate privileges, access other AWS services, and in severe cases, take full control of AWS accounts. This alarming situation is underscored by Aqua researchers Yakir Kadkoda and Ofek Itach, who highlight that many of these roles are automatically created or recommended during the initial setup of AWS services, thereby granting excessively broad permissions, including unrestricted access to Amazon S3.

The researchers have specifically identified security concerns related to default IAM roles generated by various AWS services, including SageMaker, Glue, EMR, and Lightsail. A parallel issue has been detected within the widely used open-source framework Ray, which automatically assigns a default IAM role, designated as ray-autoscaler-v1, carrying the AmazonS3FullAccess policy. Such expansive permissions not only set the stage for potential privilege escalation but also introduce several attack vectors that adversaries could exploit for cross-service manipulation.

The security implications are profound, particularly as they expose organizations operating in the AWS environment to elevated risks of access and exploitation. The default roles in question are designed to streamline user access and enhance usability; however, their unintended consequences can create pathways for attackers. They could exploit these vulnerabilities to initiate unauthorized access, thereby compromising critical services and data.

This scenario invites scrutiny under the MITRE ATT&CK framework, which provides a structured approach to understanding adversary tactics and techniques. The discovery aligns with various tactics including initial access, where attackers may gain entry through poorly secured interfaces, and privilege escalation, as they leverage misconfigured permissions to gain higher levels of access. Moreover, the potential for lateral movement within AWS services reflects weaknesses in the cloud security posture that many organizations may overlook.

In the light of these findings, organizations must evaluate their IAM roles critically. The risk posed by default configurations highlights the necessity for rigorous security assessments and potentially restructuring access controls to align with the principle of least privilege. Adopting sound practices for IAM role management, including regular audits and updates, is essential in mitigating these vulnerabilities.

As the digital landscape evolves, so do the tactics employed by cyber adversaries. Business owners and IT security professionals must remain vigilant and proactive, reinforcing their infrastructure against potential threats that capitalize on such security gaps. Ensuring proper configuration and monitoring of IAM roles can serve as a crucial line of defense against the myriad of potential attacks looming in the cloud environment.

Continued vigilance and comprehensive security strategies will be paramount as organizations navigate the complexities of managing their cloud security effectively while safeguarding sensitive data and resources.

Source link

Related Posts

New Intel CPU Vulnerabilities Uncovered: Memory Leaks and Spectre v2 Exploits Persist

May 16, 2025
Hardware Security / Vulnerability

Researchers at ETH Zürich have identified a critical new security flaw that affects all modern Intel CPUs, allowing the leakage of sensitive data from memory. This latest vulnerability, dubbed Branch Privilege Injection (BPI), showcases that the Spectre threat continues to impact computer systems over seven years after its initial discovery. According to ETH Zürich, BPI can be exploited to manipulate the CPU’s prediction calculations, granting unauthorized access to information from other users on the same processor. Kaveh Razavi, head of the Computer Security Group (COMSEC) and a co-author of the study, noted that this flaw affects all Intel processors, potentially allowing malicious actors to access the cache contents and working memory of different users sharing the CPU. The attack exploits Branch Predictor Race Conditions (BPRC), which arise when a processor alternates between prediction calculations for multiple users.

Russian Hackers Target Ukraine Aid Logistics Through Email and VPN Vulnerabilities

May 21, 2025
Cyber Espionage / Vulnerability

State-sponsored Russian cyber actors have been linked to a campaign focused on Western logistics and tech firms since 2022. This activity is attributed to APT28 (also known as BlueDelta, Fancy Bear, or Forest Blizzard), connected to the Russian GRU’s 85th Main Special Service Center, Military Unit 26165. Key targets include companies involved in the coordination and delivery of international aid to Ukraine, as highlighted in a joint advisory from agencies across Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States. The bulletin notes that this cyber-espionage campaign employs a range of previously identified tactics and is likely linked to broader efforts aimed at IP cameras in Ukraine and neighboring NATO countries.

Critical Flaws in Versa Concerto Allow Attackers to Escape Docker and Compromise Hosts

May 22, 2025
Vulnerability / Software Security

Cybersecurity researchers have identified several severe vulnerabilities within the Versa Concerto network security and SD-WAN orchestration platform. Exploitation of these flaws could potentially grant attackers control over vulnerable instances. Despite responsible disclosure on February 13, 2025, these issues remain unpatched, leading to a public announcement after the 90-day window expired. According to ProjectDiscovery researchers Harsh Jaiswal, Rahul Maini, and Parth Malhotra, “When combined, these vulnerabilities could enable an attacker to fully compromise both the application and the host system.” The vulnerabilities include:

  • CVE-2025-34025 (CVSS score: 8.6): A privilege escalation and Docker container escape vulnerability resulting from unsafe default mounting of host binary paths, potentially allowing code execution on the host system.

Urgent Vulnerability in Windows Server 2025 dMSA Poses Risk of Active Directory Breach

May 22, 2025
Cybersecurity / Vulnerability

A critical privilege escalation flaw has been identified in Windows Server 2025, allowing attackers to compromise any user within Active Directory (AD). According to Akamai security researcher Yuval Gordon, the vulnerability exploits the Delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025. This attack can be executed easily with the default configuration, posing a significant threat to organizations relying on AD. “In 91% of the environments we examined, users outside of the domain admin group possessed the necessary permissions to carry out this attack,” Gordon noted in a report shared with The Hacker News. The vulnerability takes advantage of the dMSA feature designed to facilitate migration from legacy service accounts and intended to mitigate Kerberoasting attacks. The attack technique has been dubbed “BadSuccessor” by the researchers.