Report Warns AWS Administrators About A Possible Vulnerability In The IAM Service That Could Lead To Compromised User Accounts
A new report alerts Amazon Web Services (AWS) administrators to a possible flaw in the Identity and Access Management (IAM) service that could expose user accounts to attackers.
On Wednesday, Lightspin, a Tel Aviv-based provider of cloud protection solutions, published a report describing an "AWS authorization bypass." Lightspin's researchers found that AWS IAM evaluates deny rules differently from Active Directory and the other authorization mechanisms security engineers are used to. They give the example of Windows groups, where an explicit deny on a group overrides the permissions of every user in it. In IAM this is not the case: an explicit deny scoped to a group affects only the group object itself, not the individual users that belong to it, which can leave organizations misconfigured and exposed if they assume the mechanism behaves as it does in Windows.
"Initially, we believed this vulnerability was an isolated case," said Lightspin CEO Vladi. "However, upon further investigation, we found that in many cases, users could perform actions that system administrators believed were denied when they configured group security configurations. This makes user accounts believed to be safe easy to infiltrate."
Lightspin asked AWS for a response after discovering the issue, and AWS clarified that this behavior is by design, not a mistake. When a deny rule is evaluated, IAM treats the group as a separate object with its own identity; a user is not treated as belonging to the group, so a rule that names the group does not reach the user. Lightspin believes it is critical to raise awareness of this behavior because it can expose significant vulnerabilities in any organization that assumes IAM works the same way as Active Directory, whether on Azure or on Windows.
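The following toy evaluator, added here to illustrate the behavior described in the two paragraphs above, is not Lightspin's code nor AWS's policy engine; it reproduces only the part of IAM evaluation that matters for this case (explicit Deny beats Allow, default is Deny, `*` and `?` wildcards in Action and Resource, no Condition keys). The group and user ARNs are hypothetical, and the account ID 123456789012 is the placeholder AWS uses in its own documentation. The point it demonstrates: a Deny does not fail because it is attached to a group, since group policies do apply to their members; it fails when its Resource is the group's own ARN, because a request against a member's user ARN never matches that resource.

```python
"""Toy model of IAM policy evaluation, written to show why a Deny whose
Resource is a group ARN does not cover that group's member users.
Simplifications (assumptions): identity-based policies only, Action and
Resource matching with IAM-style '*' and '?' wildcards, no Condition keys.
The account ID 123456789012 is the AWS documentation placeholder."""
import fnmatch

ACCOUNT = "123456789012"
GROUP_ARN = f"arn:aws:iam::{ACCOUNT}:group/Developers"   # hypothetical group
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/alice"           # hypothetical member


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards ('*' any run of characters, '?' one character) map onto fnmatch."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request.

    Order mirrors IAM: a matching explicit Deny is final; otherwise any
    matching Allow grants access; otherwise the implicit default is Deny.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


# Permissions the group's members are meant to have (hypothetical policy).
ALLOW_USER_ACTIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:CreateAccessKey", "iam:AttachUserPolicy"],
        "Resource": f"arn:aws:iam::{ACCOUNT}:user/*",
    }],
}

# What an Active Directory-minded administrator might write to "lock down
# the group": the Resource is the group's own ARN.
DENY_ON_GROUP_ARN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "iam:*",
        "Resource": GROUP_ARN,
    }],
}

# What actually reaches the member users: the Resource names user ARNs.
DENY_ON_USER_ARNS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "iam:*",
        "Resource": f"arn:aws:iam::{ACCOUNT}:user/*",
    }],
}


def misconfigured_user_action():
    """Deny is scoped to the group ARN; alice's own user ARN never matches it."""
    return evaluate([ALLOW_USER_ACTIONS, DENY_ON_GROUP_ARN],
                    "iam:CreateAccessKey", USER_ARN)


def misconfigured_group_action():
    """The same Deny does bite when the request targets the group object itself."""
    return evaluate([ALLOW_USER_ACTIONS, DENY_ON_GROUP_ARN],
                    "iam:DeleteGroup", GROUP_ARN)


def corrected_user_action():
    """A Deny scoped to user ARNs blocks alice even though an Allow also matches."""
    return evaluate([ALLOW_USER_ACTIONS, DENY_ON_USER_ARNS],
                    "iam:CreateAccessKey", USER_ARN)


if __name__ == "__main__":
    print("deny on group ARN, user action :", misconfigured_user_action())
    print("deny on group ARN, group action:", misconfigured_group_action())
    print("deny on user ARNs, user action :", corrected_user_action())
```

Against a real account the same question is answered authoritatively by the IAM policy simulator: `aws iam simulate-principal-policy --policy-source-arn <user ARN> --action-names iam:CreateAccessKey --resource-arns <user ARN>` reports whether the effective policies of that user allow the action on that resource, which is the check to run before trusting that a group-scoped Deny protects its members.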
Lightspin's report of the possible AWS IAM vulnerability also includes a plug for the company's own tool for guarding against it: Lightspin has released an IAM vulnerability scanner as open source. When the tool detects "loosely defined" user permissions, it alerts administrators and offers them options to reduce the risk.