
Hidden Dangers in the Cloud: AWS Default IAM Roles Expose Critical Security Risks

Discover how overly permissive AWS default IAM roles pose critical security risks, including privilege escalation and cross-service attacks. Learn how to mitigate threats with least privilege policies, role auditing, MFA, and CloudTrail monitoring in this deep dive into IAM vulnerabilities and cloud security best practices.


By Jace Reed

4 min read


A recent study by cybersecurity experts has found serious weaknesses in the default Identity and Access Management (IAM) roles of Amazon Web Services (AWS), which could lead to unauthorized access, exploitation of different services, and even full control of accounts.

These default roles, automatically generated or recommended during setup for services like SageMaker, Glue, EMR, and Lightsail, often carry overly permissive policies, such as AmazonS3FullAccess, which grants unrestricted read/write access to all S3 buckets.

This permissiveness creates silent attack paths, allowing adversaries to manipulate critical assets and move laterally across services within an AWS account. With global cloud spending projected to reach $1.4 trillion by 2028, securing these configurations is paramount as organizations increasingly rely on AWS for critical operations.

How Default IAM Roles Become Attack Vectors

Default IAM roles, designed to simplify service setup, inadvertently introduce vulnerabilities by granting broad permissions. For instance, the AmazonSageMaker-ExecutionRole, created during SageMaker Domain setup, includes a custom policy equivalent to AmazonS3FullAccess, enabling access to all S3 buckets.

Similarly, AWS Glue’s AWSGlueServiceRole and Amazon EMR’s AmazonEMRStudio_RuntimeRole roles come with excessive permissions, allowing attackers to modify CloudFormation templates, EMR scripts, or SageMaker resources.

A notable case involves the open-source framework Ray, where the default ray-autoscaler-v1 role also inherits AmazonS3FullAccess, amplifying risks in environments using this tool.

If these roles are compromised, attackers can execute arbitrary code, plant backdoors, or exfiltrate credentials, as demonstrated in a proof-of-concept attack in which a malicious machine learning model uploaded to Hugging Face used SageMaker's role to reach other services such as Glue.


Real-World Implications and Attack Scenarios

The implications of these vulnerabilities are profound. An attacker with access to a default IAM role could search for S3 buckets used by other services, manipulate their contents, and escalate privileges by injecting malicious code or templates. For example, an adversary could exploit a SageMaker role to upload a backdoor to a Glue job, extracting IAM credentials to gain broader access.

Recent industry updates highlight that such misconfigurations contributed to 45% of cloud breaches in 2024, with an average cost of $4.14 million per incident. The complexity of AWS environments, coupled with the ease of exploiting predictable S3 bucket naming patterns, exacerbates these risks, making proactive security measures essential.

AWS has responded by revising the AmazonS3FullAccess policy for default roles, but organizations must remain vigilant to prevent exploitation.

Did You Know?
The 2019 Capital One breach, one of the largest AWS-related incidents, exploited a misconfigured IAM role, exposing data of over 100 million customers and highlighting the dangers of permissive policies.

Mitigating the Risks

Addressing these vulnerabilities requires a proactive approach to IAM governance. Organizations should audit existing roles using tools like AWS IAM Access Analyzer and enforce the principle of least privilege, ensuring roles are tightly scoped to specific resources and actions. Regular monitoring with AWS CloudTrail can detect unusual activity, such as unauthorized role assumptions.
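The audit step above, as an added example that is not code from AWS or the study: it flags the unscoped S3 grant described earlier (a constructed policy mirroring the shape of AmazonS3FullAccess) and builds the least-privilege replacement, scoped to one bucket and prefix. The function names, bucket and prefix values are hypothetical.

```python
"""Audit an IAM policy document for the broad S3 grant this article describes.
Added example, not code from AWS or the study. BROAD_POLICY is constructed to mirror
AmazonS3FullAccess ("s3:*" on every resource); function names and bucket values are hypothetical.
"""
import fnmatch

# Constructed policy: the unscoped S3 grant attached to the default roles.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"},
    ],
}

# Actions that let a role read, write, delete or enumerate buckets it does not own.
SENSITIVE_S3 = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListAllMyBuckets")

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_broad_s3_grants(policy):
    """Return (action pattern, matched sensitive actions) for every Allow statement
    whose Resource is unscoped ("*" or arn:aws:s3:::*) and whose Action covers S3."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(r in ("*", "arn:aws:s3:::*") for r in resources):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action matching is case-insensitive and '*' is the usual wildcard.
            hits = [a for a in SENSITIVE_S3 if fnmatch.fnmatchcase(a.lower(), pattern.lower())]
            if hits:
                findings.append((pattern, sorted(hits)))
    return findings

def scoped_s3_policy(bucket, prefix="ml-artifacts/"):
    """Least-privilege replacement: one bucket, one prefix, object read/write only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
    ]}
```

Run the checker over the policy documents returned by `iam:GetPolicyVersion` for each default role; the same logic applies to inline policies, which IAM Access Analyzer also reports on.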

Implementing multi-factor authentication (MFA) and rotating access keys further reduces risks. AWS’s recent updates to default policies, prompted by responsible disclosures, mark progress, but organizations must update legacy roles to align with these changes.

Additionally, adopting zero-trust architectures and restricting access to trusted IP ranges can mitigate lateral movement risks, especially in hybrid cloud environments.
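The CloudTrail monitoring recommended above, as an added example that is not code from AWS or the study: it triages constructed CloudTrail records and flags a default role that enumerates every bucket or touches a bucket belonging to another service (the cross-service path described earlier). The account id is a placeholder, and the role-to-bucket map is an assumption about one account's layout.

```python
"""Triage constructed CloudTrail records for misuse of a default service role.
Added example, not AWS code. Events are constructed, the account id is a placeholder,
and EXPECTED_BUCKET_PREFIXES is an assumption about one account's layout. Object-level
calls (GetObject/PutObject) only reach CloudTrail when S3 data events are enabled."""
import json
ACCT = "123456789012"  # placeholder account id

# Assumption: the bucket prefixes each default role legitimately needs.
EXPECTED_BUCKET_PREFIXES = {
    "AmazonSageMaker-ExecutionRole": ("sagemaker-",),
    "AWSGlueServiceRole": ("aws-glue-assets-",),
}

def _ev(eid, name, role, bucket=None, key=None):
    """Build one constructed CloudTrail record for an S3 call by an assumed role."""
    return {"eventID": eid, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "arn": f"arn:aws:sts::{ACCT}:assumed-role/{role}/session"},
            "requestParameters": {"bucketName": bucket, "key": key} if bucket else None}

SAMPLE_EVENTS = [json.dumps(e) for e in [
    _ev("e1", "GetObject", "AmazonSageMaker-ExecutionRole", f"sagemaker-us-east-1-{ACCT}", "model.tar.gz"),
    _ev("e2", "ListBuckets", "AmazonSageMaker-ExecutionRole"),
    _ev("e3", "PutObject", "AmazonSageMaker-ExecutionRole", f"aws-glue-assets-{ACCT}-us-east-1", "scripts/etl_job.py"),
    _ev("e4", "GetObject", "AWSGlueServiceRole", f"aws-glue-assets-{ACCT}-us-east-1", "scripts/etl_job.py"),
]]

def role_name_from_arn(arn):
    """arn:aws:sts::<acct>:assumed-role/<RoleName>/<Session> -> RoleName, else None."""
    parts = arn.split("/")
    return parts[1] if len(parts) >= 2 and parts[0].endswith(":assumed-role") else None

def flag_default_role_misuse(raw_events):
    """Return {eventID: reason} for S3 calls by a known default role that enumerate
    every bucket or touch a bucket outside the role's expected prefixes."""
    flagged = {}
    for raw in raw_events:
        ev = json.loads(raw)
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        role = role_name_from_arn(ev.get("userIdentity", {}).get("arn", ""))
        if role not in EXPECTED_BUCKET_PREFIXES:
            continue
        if ev["eventName"] == "ListBuckets":
            flagged[ev["eventID"]] = f"{role} enumerated all buckets"
            continue
        bucket = (ev.get("requestParameters") or {}).get("bucketName") or ""
        if bucket and not bucket.startswith(EXPECTED_BUCKET_PREFIXES[role]):
            flagged[ev["eventID"]] = f"{role} {ev['eventName']} on unexpected bucket {bucket}"
    return flagged
```

Event e3, the SageMaker role writing a script into the Glue assets bucket, is exactly the kind of cross-service write the article warns about; e1 and e4 are ordinary and stay silent.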


The Broader Cloud Security Landscape

These findings align with broader cloud security challenges, as evidenced by a similar vulnerability in Microsoft Azure’s AZNFS-mount utility, which allowed privilege escalation to root on Linux machines until patched in January 2025.

The growing complexity of cloud environments underscores the need for robust security practices, with 72% of organizations using cloud infrastructure in 2024.

Tools like Pacu and iam-deescalate can help identify misconfigurations, while penetration testing frameworks like Bishop Fox’s IAM Vulnerable provide hands-on practice for securing AWS environments. As cloud adoption accelerates, organizations must prioritize IAM hygiene to safeguard sensitive data and maintain operational resilience.



© 2025 MoneyOval.
All rights reserved.