Lightspin Security Research Team Reveals AWS Identity and Access Management Vulnerable to Abuse
AWS authorization bypass enables attacker to change login information and take over accounts undetected
Lightspin, a pioneer in contextual cloud security protecting native, Kubernetes, and microservices from known and unknown risks, announced the results of its research, which discovered a gap between AWS Identity and Access Management (IAM) user and group policies that an attacker can abuse to take over accounts, delete group members, steal data and shut down services. The research team was able to compromise dozens of accounts by using this technique.
“Initially, we believed this vulnerability was an isolated case,” said Vladi Sandler, CEO at Lightspin. “However, upon further investigation, we found that in many cases, users could perform actions that system administrators believed were denied when they configured group security configurations. This makes user accounts believed to be safe easy to infiltrate.”
Lightspin researchers discovered that many security administrators were unaware that AWS IAM rules do not work the same way as Azure Active Directory or other authorization mechanisms.
When defining Azure Active Directory policies, if a group is denied read access to a file, no member of that group can access it. IAM, however, handles group and user authorizations separately: an explicit deny scoped to a group only affects actions whose target is the group itself, not actions whose target is one of its member users. Amazon does not warn system administrators that users’ accounts can still be accessed even if their group is protected.
Based on Lightspin’s research, more than half of the companies they work with have unintentionally loose permissions for their users because of this authorization bypass, putting them at risk. There are two options to ensure that users cannot perform actions that administrators intended to deny through group authorizations:
- Each user can be listed separately in the deny rules.
- Each user can be tagged to mark their group membership, so the deny rule matches on the tag.
Both procedures can be cumbersome and difficult to maintain, but they are the best way to prevent intruders from changing login information and taking over accounts.
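The mechanism described above and the two remedies can be seen side by side in a small policy model. The following is an added example, not Lightspin's or AWS's code: a deliberately simplified evaluator that models only Effect/Action/Resource statements with `*`/`?` wildcards and a single `StringEquals` condition on `aws:ResourceTag/<key>` (real IAM also applies SCPs, permission boundaries, `NotAction`, and more). The account id, the group name `developers`, the user names, and the tag key `team` are constructed placeholders. A deny on the group ARN never matches `iam:UpdateLoginProfile`, because that action is evaluated against the target user's ARN; the listed-users and tagged-users policies do match, and the audit helper flags deny statements that can never apply.

```python
import re
from typing import Dict, List

# Added example, not Lightspin's or AWS's code. Simplified IAM policy model:
# Effect/Action/Resource with '*'/'?' wildcards and one StringEquals condition
# on aws:ResourceTag/<key>. SCPs, boundaries, NotAction etc. are not modelled.

ACCOUNT = "123456789012"  # constructed placeholder account id
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/"
GROUP_ARN = f"arn:aws:iam::{ACCOUNT}:group/"

# IAM actions whose request resource is a *user* ARN, never a group ARN (subset).
USER_RESOURCE_ACTIONS = {
    "iam:updateloginprofile", "iam:createloginprofile", "iam:createaccesskey",
    "iam:attachuserpolicy", "iam:putuserpolicy", "iam:deleteuser",
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(pattern: str, value: str) -> bool:
    # IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _condition_ok(cond: Dict, resource_tags: Dict[str, str]) -> bool:
    # Only StringEquals on aws:ResourceTag/<key> is modelled here.
    for key, want in cond.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            return False
        if resource_tags.get(key[len("aws:ResourceTag/"):]) != want:
            return False
    return True

def evaluate(policy: Dict, action: str, resource: str, resource_tags=None) -> str:
    """Simplified IAM decision: an explicit Deny wins, then Allow, else implicit deny.
    Action names are case-insensitive in IAM; resource ARNs are compared as given."""
    resource_tags = resource_tags or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Weak policy: the admin "protects the group" by denying credential changes on the
# group ARN. UpdateLoginProfile/CreateAccessKey are evaluated against the target
# *user* ARN, so this Deny never matches and the broad Allow wins.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:UpdateLoginProfile", "iam:CreateAccessKey"],
         "Resource": GROUP_ARN + "developers"},
    ],
}

# Remedy 1 from the text: list each member user's ARN in the Deny statement.
HARDENED_LISTED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:UpdateLoginProfile", "iam:CreateAccessKey"],
         "Resource": [USER_ARN + "alice", USER_ARN + "bob"]},
    ],
}

# Remedy 2 from the text: tag each member user and deny by tag. The tag key "team"
# and value "developers" are assumed names; an untagged user is NOT covered.
HARDENED_TAGGED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:UpdateLoginProfile", "iam:CreateAccessKey"],
         "Resource": USER_ARN + "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/team": "developers"}}},
    ],
}

def group_only_denies(policy: Dict) -> List[str]:
    """Audit helper: return user-resource actions that appear in Deny statements whose
    every Resource is a group ARN. Such a Deny can never match the real request."""
    findings: List[str] = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if all(":group/" in r for r in _as_list(stmt["Resource"])):
            findings += [a for a in _as_list(stmt["Action"]) if a.lower() in USER_RESOURCE_ACTIONS]
    return findings

if __name__ == "__main__":
    target = USER_ARN + "alice"
    print("weak   :", evaluate(WEAK_POLICY, "iam:UpdateLoginProfile", target))
    print("listed :", evaluate(HARDENED_LISTED, "iam:UpdateLoginProfile", target))
    print("tagged :", evaluate(HARDENED_TAGGED, "iam:UpdateLoginProfile", target, {"team": "developers"}))
    print("audit  :", group_only_denies(WEAK_POLICY))
```

The maintenance burden the text mentions is visible in the model: the listed policy covers only the users named in it, and the tagged policy covers only users that actually carry the tag, so both must be kept in step with group membership. The `group_only_denies` helper is the check worth running over existing customer-managed policies to find denies that were written against group ARNs for user-scoped actions.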