IAM Trust Policies - PrivEsc

Abusable AWS IAM Trust Policies that can lead to compromise or privilege escalation

Abusing Vulnerable Trust Policies

  • Poorly written IAM Trust Policies can lead to compromise


AWS Service Trust Policy

Bad policy

  • The wildcard "AWS": "*" principal, combined with an unscoped Lambda service principal, lets this role be assumed by the Lambda service from any AWS account. An attacker only needs to know the ARN of the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*",
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Better policy

  • Role assumption is restricted, via the aws:SourceArn condition, to a particular Lambda function within a particular AWS account; other conditions can be specified too.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:lambda:<Region>:<AwsAccountId>:function:<LambdaFunction>"
        }
      }
    }
  ]
}
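As an added example (not part of the original page), a small Python audit that flags trust policies like the "bad" one above: a wildcard AWS principal, or a service principal with no aws:SourceArn / aws:SourceAccount style condition. The two sample policies, the account id and the function name are constructed for the demo.

```python
import json

# Constructed sample trust policies modelled on the two examples above.
BAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "*", "Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}""")

BETTER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"ArnLike": {"aws:SourceArn":
      "arn:aws:lambda:us-east-1:111122223333:function:demo-fn"}}}]}""")

# Condition keys that pin a service principal to a specific calling resource/account.
SCOPING_KEYS = {"aws:SourceArn", "aws:SourceAccount", "aws:SourceOrgID", "aws:SourceOrgPaths"}


def _as_list(value):
    """IAM allows single values or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return a list of finding strings for one role trust policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # Collect every condition key used, regardless of operator (ArnLike, StringEquals, ...).
        cond_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        # "Principal": "*" is shorthand for {"AWS": "*"}: any account may assume the role.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"Statement {i}: wildcard AWS principal allows any account to assume the role")
        # Service principal with no scoping condition: any resource of that service can assume it.
        if isinstance(principal, dict) and principal.get("Service") and not (cond_keys & SCOPING_KEYS):
            findings.append(f"Statement {i}: service principal without aws:SourceArn/aws:SourceAccount condition")
    return findings


if __name__ == "__main__":
    for name, pol in (("bad", BAD_POLICY), ("better", BETTER_POLICY)):
        print(name, audit_trust_policy(pol) or ["no findings"])
```

The same function can be run over the documents returned by `iam:GetRole` (the `AssumeRolePolicyDocument` field) to sweep an account for roles with open trust policies.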
