Security Firm: AWS IAM Quirk Leaves Accounts Open to Takeover
A new report warns Amazon Web Services (AWS) administrators of a potential weakness in the cloud giant's Identity and Access Management (IAM) service that could leave user accounts vulnerable to being hijacked by attackers.
Lightspin, a provider of cloud security solutions based in Tel Aviv, on Wednesday published a report describing an "AWS authorization bypass" wherein certain rules applied to a user group via AWS IAM are not applied to individual users in that group. This gap can lead to security "misconfigurations and vulnerabilities" in an organization's cloud environment, claimed Lightspin CTO Or Azarzar in the report.
Lightspin noted that IAM rules do not work the same in AWS as they do in, for example, Azure Active Directory. Administrators unaware of their differences may overlook the potential for authorization bypass in AWS. In its announcement, the company described the difference this way:
While defining Active Directory Azure policies, if a group is denied read access to the file, all group members cannot access it. However, IAM handles group and user authorizations separately. Even if a group has an explicit denial, this will only impact group actions, not user actions. Amazon does not warn system administrators that users' accounts can still be accessed even if their group is protected.
Azarzar's write-up describes in detail how AWS IAM's enforcement of rules for individual users can sometimes override the rules placed on groups, potentially causing "critical security misconfiguration while defining policies." Indeed, Lightspin claims its researchers have been able to "compromise dozens of accounts" using this mechanism.
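As an added illustration (not code from Lightspin's report or its scanner), the pattern described above can be expressed as a policy whose explicit Deny names only the group object; IAM evaluates each request against the resource it targets, so a member's request against their own user object never matches that Deny. The weak shape is shown beside a corrected one, with a small check that flags the former; the account id, group name and exact statement shapes are assumptions.

```python
import re

# Constructed weak policy: the Deny is scoped to the *group* object only. A
# member acting on their own user ARN targets a different resource, so this
# Deny never applies to that request. (Assumed shape, not Lightspin's policy.)
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyIamChangesOnGroup",
        "Effect": "Deny",
        "Action": ["iam:*"],
        "Resource": ["arn:aws:iam::123456789012:group/developers"],
    }],
}

# Constructed corrected policy: the Deny also names the user objects.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyIamChangesOnGroupAndUsers",
        "Effect": "Deny",
        "Action": ["iam:*"],
        "Resource": [
            "arn:aws:iam::123456789012:group/developers",
            "arn:aws:iam::123456789012:user/*",
        ],
    }],
}

GROUP_ARN = re.compile(r"^arn:aws:iam::[0-9*]*:group/")
USER_ARN = re.compile(r"^arn:aws:iam::[0-9*]*:user/")


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def group_only_denies(policy):
    """Return Sids of Deny statements on IAM actions whose Resource covers
    group objects but neither a user object nor the '*' wildcard."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(a == "*" or a.startswith("iam:") for a in actions):
            continue
        resources = _as_list(st.get("Resource", []))
        if "*" in resources:
            continue  # a wildcard Deny already reaches user objects
        if any(GROUP_ARN.match(r) for r in resources) and not any(
                USER_ARN.match(r) for r in resources):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings
```

Running `group_only_denies` over each document flags the weak policy's statement and returns nothing for the corrected one.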
"Initially, we believed this vulnerability was an isolated case," said Lightspin CEO Vladi Sandler in a prepared statement. "However, upon further investigation, we found that in many cases, users could perform actions that system administrators believed were denied when they configured group security configurations. This makes users' accounts, believed to be safe, easy to infiltrate."
Lightspin said it raised the issue with AWS, which reportedly replied that "this approach [in AWS IAM] is by design, and not an error. AWS treats groups as a separate object, and they don't treat a user as part of a group when it comes to deny rules."
Lightspin's report of a potential AWS IAM vulnerability comes with a plug for its own tool to secure it. The company has released an IAM vulnerability scanner as open source, available via GitHub. The tool warns administrators when it detects "loosely defined" user permissions and provides options to remediate the risk.