Ethical Hacking News

AWS Default IAM Roles Found to Enable Lateral Movement and Cross-Service Exploitation: A Growing Concern for Cloud Security


Researchers at Aqua have shown that several AWS default IAM service roles ship with permissions broad enough (notably the AmazonS3FullAccess managed policy) to let an attacker who compromises one service pivot into others, escalate privileges, and potentially take over the whole AWS account. Organizations should audit and tighten these roles rather than rely on the defaults, to cut off lateral movement and cross-service exploitation.

  • Aqua researchers found that default identity and access management (IAM) roles in Amazon Web Services (AWS) are permissive enough to let attackers escalate privileges, manipulate other AWS services, and fully compromise AWS accounts.
  • The root cause is overly broad permissions granted to default IAM roles, such as full S3 access via the AmazonS3FullAccess managed policy.
  • Default service roles affected include those of Amazon SageMaker AI, AWS Glue, Amazon EMR, and others.
  • Organizations should proactively audit and update existing IAM roles to reduce the risk of lateral movement and cross-service exploitation; AWS's fix does not necessarily reach roles that already exist.


    Researchers at Aqua have identified a weakness in default identity and access management (IAM) roles within Amazon Web Services (AWS). The finding, published on May 20, 2025, shows that several of AWS's default service roles are permissive enough to let an attacker escalate privileges, manipulate other AWS services, and potentially compromise an entire AWS account.

    According to the researchers, the roles in question are created automatically, or recommended during setup, and carry overly broad permissions such as full S3 access. Because many AWS services load code, templates and artifacts from S3, those permissions quietly create attack paths for privilege escalation, cross-service access, and potential account compromise. The researchers noted that this goes beyond their earlier "bucket monopoly" attacks, in which a threat actor exploits predictable S3 bucket naming patterns to create a bucket in advance, so that the bucket and its contents are already under attacker control when a legitimate customer starts using services like CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar.

    The core problem is that an IAM role holding the AmazonS3FullAccess managed policy can read and write every S3 bucket in the account, including the buckets from which other services load their job scripts, stack templates and model artifacts. Tampering with that content lets an attacker influence what those services execute under their own roles, which turns a single over-permissive role into a ready-made vehicle for lateral movement and privilege escalation. The researchers identified several default service roles that carried this policy, including those of Amazon SageMaker AI, AWS Glue, and Amazon EMR, among others.

    To understand the gravity of this finding, consider what an attacker can do once they hold such a role. In the hypothetical attack chain the researchers describe, a threat actor uploads a malicious machine learning model to Hugging Face; when the model is imported into SageMaker it executes arbitrary code under the SageMaker execution role. With that role's S3 write access, the attacker seizes control of other services such as Glue by injecting a backdoor into a Glue job that steals the job's IAM credentials. From there the adversary escalates privileges within the account and, ultimately, compromises the entire AWS environment by locating the buckets CloudFormation reads from and injecting a malicious template that is deployed with CloudFormation's permissions.
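    The chain above can be modelled as a reachability problem: holding one role, which other roles can be reached by writing into a bucket another service executes from? The following is an added example, not Aqua's tooling or any AWS-published data; the role names, bucket names, the "which service executes from which bucket" table and the choice of CloudFormation's deploy role as the account-takeover target are all constructed assumptions for illustration.

```python
from collections import deque

# Constructed snapshot of an account (example data, not real role or bucket names).
# "s3_write" is "*" for a role holding AmazonS3FullAccess (every bucket in the
# account) or the set of buckets the role may write to once scoped down.
# "admin" marks a role whose compromise amounts to account takeover (assumption:
# the CloudFormation deploy role here has broad permissions, as is common).
ROLES = {
    "AmazonSageMaker-ExecutionRole": {"s3_write": "*", "admin": False},
    "AWSGlueServiceRole":            {"s3_write": "*", "admin": False},
    "EMR_DefaultRole":               {"s3_write": "*", "admin": False},
    "CloudFormationDeployRole":      {"s3_write": set(), "admin": True},
}

# Buckets from which each service loads content it will execute (model artifacts,
# job scripts, bootstrap actions, stack templates), and the role that runs it.
# Assumed layout for illustration; AWS does not publish a single table like this.
EXECUTABLE_INPUTS = {
    "SageMaker":      ("sagemaker-us-east-1-123456789012",       "AmazonSageMaker-ExecutionRole"),
    "Glue":           ("aws-glue-assets-123456789012-us-east-1", "AWSGlueServiceRole"),
    "EMR":            ("emr-bootstrap-123456789012",             "EMR_DefaultRole"),
    "CloudFormation": ("cfn-templates-123456789012",             "CloudFormationDeployRole"),
}

def can_write(roles, role, bucket):
    scope = roles[role]["s3_write"]
    return scope == "*" or bucket in scope

def attack_paths(roles, foothold):
    """Breadth-first search from a compromised role: writing to a bucket that
    another service executes from yields that service's role, and so on.
    Returns {reachable_role: [foothold, 's3://bucket (Service)', role, ...]}."""
    paths = {foothold: [foothold]}
    queue = deque([foothold])
    while queue:
        cur = queue.popleft()
        for service, (bucket, victim_role) in EXECUTABLE_INPUTS.items():
            if victim_role in paths or not can_write(roles, cur, bucket):
                continue
            paths[victim_role] = paths[cur] + [f"s3://{bucket} ({service})", victim_role]
            queue.append(victim_role)
    return paths

def reaches_admin(roles, foothold):
    return any(roles[r]["admin"] for r in attack_paths(roles, foothold))

def unscoped_service_roles(roles):
    """The audit check: roles that still carry account-wide S3 write."""
    return sorted(r for r, meta in roles.items() if meta["s3_write"] == "*")

def scoped_copy(roles):
    """Least-privilege variant: each service role may write only its own bucket."""
    own_bucket = {role: bucket for bucket, role in EXECUTABLE_INPUTS.values()}
    return {r: {**meta, "s3_write": {own_bucket[r]} if r in own_bucket else set()}
            for r, meta in roles.items()}

if __name__ == "__main__":
    # Foothold: the SageMaker execution role, gained via the malicious model.
    foothold = "AmazonSageMaker-ExecutionRole"
    for role, path in attack_paths(ROLES, foothold).items():
        print(" -> ".join(path))
    print("unscoped roles:", unscoped_service_roles(ROLES))
    print("reaches admin:", reaches_admin(ROLES, foothold))
    print("after scoping:", reaches_admin(scoped_copy(ROLES), foothold))
```

    Run as a script, the unscoped snapshot prints a path from the SageMaker role through the Glue, EMR and CloudFormation buckets to the deploy role, and the scoped copy prints none. Against a real account, the same search would be fed from `iam:ListAttachedRolePolicies` and a per-service inventory of input buckets rather than the constructed tables above.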

    In response to the disclosure, AWS has addressed the issues by changing the S3 permissions granted to default service roles in place of the blanket AmazonS3FullAccess policy. Roles already provisioned in an account are not necessarily corrected by that change, which is why the researchers emphasized that organizations should proactively audit and update existing roles rather than rely on default configurations. They noted that default service roles must be tightly scoped and strictly limited to the specific resources and actions they require.
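    What "tightly scoped" means in policy terms is easiest to see by evaluating a concrete request against the broad policy and a narrow one. The block below is an added example, not AWS's or Aqua's code: the AmazonS3FullAccess document is reproduced from memory and should be checked against the live managed policy, the scoped policy is an assumed shape for a SageMaker execution role rather than the exact policy AWS now attaches, and the bucket and object names are constructed. The evaluator implements only the allow/deny core of IAM policy evaluation.

```python
import fnmatch
import json

# Shape of the AmazonS3FullAccess managed policy (illustrative copy; verify the
# live document with `aws iam get-policy-version` before relying on it).
AMAZON_S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "s3-object-lambda:*"],
                   "Resource": "*"}],
}

# Assumed scoped replacement for a SageMaker execution role: one bucket, object
# operations only. Not the exact policy AWS attaches; an example of the shape.
SCOPED_SAGEMAKER_S3 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::sagemaker-us-east-1-123456789012/*"},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::sagemaker-us-east-1-123456789012"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Minimal identity-policy evaluation: implicit deny, and an explicit Deny
    wins over any Allow. Actions match case-insensitively with IAM wildcards;
    resources match case-sensitively. Conditions, NotAction/NotResource,
    resource policies, permission boundaries and SCPs are out of scope."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                         for pat in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat)
                           for pat in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed objects that other services execute from; none belong to SageMaker.
FOREIGN_EXECUTABLE_OBJECTS = [
    "arn:aws:s3:::aws-glue-assets-123456789012-us-east-1/scripts/etl_job.py",
    "arn:aws:s3:::emr-bootstrap-123456789012/bootstrap.sh",
    "arn:aws:s3:::cfn-templates-123456789012/prod-stack.yaml",
]

def cross_service_writes(policy, objects=FOREIGN_EXECUTABLE_OBJECTS):
    """Which foreign executable objects could a role with this policy overwrite?"""
    return [obj for obj in objects if is_allowed(policy, "s3:PutObject", obj)]

if __name__ == "__main__":
    for name, pol in (("AmazonS3FullAccess", AMAZON_S3_FULL_ACCESS),
                      ("scoped", SCOPED_SAGEMAKER_S3)):
        print(name, "can overwrite:", json.dumps(cross_service_writes(pol), indent=2))
```

    The broad policy lets the SageMaker role overwrite the Glue script, the EMR bootstrap action and the CloudFormation template; the scoped one overwrites none of them while still permitting the role's own bucket operations. A real audit should run the same question through IAM Access Analyzer or the policy simulator, which also account for conditions, boundaries and SCPs that this evaluator ignores.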

    The finding also fits a broader pattern of overly privileged defaults in cloud platforms that is not confined to AWS. In a separate disclosure, researchers at Varonis detailed a vulnerability in a utility used for mounting Azure Storage that comes preinstalled on Microsoft Azure AI and High-Performance Computing (HPC) workloads. The flaw allows an unprivileged user on a Linux machine with this utility installed to escalate their privileges to root.

    Organizations should act on this promptly: enumerate the service roles in each account, identify those still carrying AmazonS3FullAccess or equivalent blanket S3 permissions, and replace them with policies limited to the specific buckets and actions each service needs. Treating the permissions that default configurations hand out as a baseline to review, rather than as a vetted minimum, is the most effective defence against this class of lateral movement.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/AWS-Default-IAM-Roles-Found-to-Enable-Lateral-Movement-and-Cross-Service-Exploitation-A-Growing-Concern-for-Cloud-Security-ehn.shtml

  • https://thehackernews.com/2025/05/aws-default-iam-roles-found-to-enable.html

  • https://cloudindustryreview.com/aws-default-iam-roles-a-gateway-for-lateral-movement-and-cross-service-exploitation/


  • Published: Tue May 20 10:11:02 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.