Not much coverage of the privilege escalation threats, or what I've started calling the 'lateral roles' vector, which occurs when there are open IAM roles that are NOT locked down by:
- a really specific condition statement (like principal OrgID, identity federation, and MFA as the best combination)
- principal AND condition (a principal alone typically still allows an EC2 instance from an attacker's account to use a resource default like Cognito or a managed role, as just one of numerous examples)
- a less specific condition statement (like a resource tag, permissions boundary policy, or a time-based condition for so-called temporary permissions)
- deliberately exposing a role assumed to be 'protected' by an ExternalId that is weak, reused, guessable, not actually a secret, or persistent (never rotated)
Essentially, the most common vector used to attack AWS customers is not in practice any of the vectors in the threat model so far; it is far easier than all of them! The easiest is to just become an authorised AWS user that nobody suspects, specifically via IAM Roles that were created for a real use case and left open for any attacker to assume without any form of the protection described above.
This is not some new attack vector I'm describing, and it isn't something I identified. It is AWS fundamentals: a basic, common, well-known, and very widely understood attack vector.
It would be great to see this explored in the threat model more than most of the other attack vectors, which are essentially very low likelihood in comparison to open IAM roles. As an AWS APN Partner of the Year with all AWS Competencies obtained, I have seen this very obviously abused in every account I've assessed, mostly because it is so easy to forget and ignore once a role is deemed to be working as intended.
EDIT: obviously (maybe not so obvious) this is in the context of a Role that can interact with S3.
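Added example, not part of the comment above or of the threat model it discusses: a small offline checker that flags role trust policies missing the protections the comment lists (wildcard principal, no Condition at all, weak sts:ExternalId, no aws:PrincipalOrgID, no MFA). The two sample policies, the account and org ids, and the 16-character ExternalId threshold are constructed for illustration.

```python
import json

# Constructed sample trust policies (not from the thread): an open role and a locked-down one.
OPEN_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}}]})
LOCKED_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"},
                  "Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})

MIN_EXTERNAL_ID_LEN = 16  # assumed review threshold; AWS itself accepts 2 to 1224 characters

def _as_list(v):
    return v if isinstance(v, list) else [v]

def assess_trust_policy(doc):
    """Return findings for an IAM role trust policy (JSON string); an empty list means no issue."""
    findings = []
    for stmt in json.loads(doc).get("Statement", []):
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("*", "sts:*") or a.startswith("sts:AssumeRole") for a in actions):
            continue
        # AWS service principals (ec2.amazonaws.com etc.) carry no OrgID or MFA context; skip them.
        if isinstance(principal, dict) and set(principal) == {"Service"}:
            continue
        cond = stmt.get("Condition", {})
        keys = {k.lower() for block in cond.values() for k in block}  # condition keys are case-insensitive
        if principal == "*" or "*" in _as_list(principal.get("AWS", [])):
            findings.append("wildcard principal: any AWS account may attempt sts:AssumeRole")
        if not keys:
            findings.append("no Condition: trust rests on the principal alone")
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext is not None and (len(ext) < MIN_EXTERNAL_ID_LEN or ext.isdigit()):
            findings.append("weak sts:ExternalId: short or numeric, and an ExternalId is not a secret")
        if "aws:principalorgid" not in keys:
            findings.append("no aws:PrincipalOrgID: assumable from outside the organization")
        if "aws:multifactorauthpresent" not in keys:
            findings.append("no aws:MultiFactorAuthPresent: MFA is not required")
    return findings

if __name__ == "__main__":
    for name, doc in (("open", OPEN_TRUST), ("locked", LOCKED_TRUST)):
        print(name, assess_trust_policy(doc) or ["ok"])
```

In a real account the same function can be fed the `AssumeRolePolicyDocument` of each role returned by `iam:ListRoles`.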