Critical

IAM user can execute a Privilege Escalation by using inline CreatePolicyVersion

Security & Compliance
No items found.
Description

When an IAM user has the ability to create policy versions inline, they can potentially execute a privilege escalation attack by creating a new version of a policy that grants them additional permissions, and then attaching that version to a role or user. This can result in unauthorized access to sensitive resources and data. To prevent this type of attack, it is important to ensure that IAM users only have the minimum permissions necessary to perform their assigned tasks, and that policies are regularly reviewed and updated to remove any unnecessary permissions.‍

Remediation

The IAM user can execute a privilege escalation by using inline CreatePolicyVersion. The user can create a new version of an existing policy with escalated privileges that allow access to sensitive data or resources that the user is not authorized to access. To remediate this issue, you can follow the below steps:

  1. Identify the IAM user who has CreatePolicyVersion permissions.
  2. Review the inline policies attached to the user and identify the policy/policies that allow CreatePolicyVersion.
  3. Remove the CreatePolicyVersion permission from the identified policy/policies.
  4. Use AWS Managed policies or create new custom policies to grant only necessary permissions to the user.
  5. Monitor the IAM user activities and set up alarms to alert when any user makes changes to policies.

Regular auditing of IAM policies and monitoring of IAM users' activities can help prevent privilege escalations and unauthorized access to resources. It is also recommended to follow the least privilege principle and grant only necessary permissions to IAM users.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.