Abusing Vulnerable Trust Policies
Poorly written IAM Trust Policies can lead to compromise.
This policy allows the Lambda service in any AWS account to assume the role. An attacker only needs to know the ARN of the role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*",
"Service": "lambda.amazonaws.com"},
"Action": "sts:AssumeRole"
}
]
}
The role assumption is restricted to a particular lambda function within a particular AWS account.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:lambda:<Region>:<AwsAccountId>:function:<LambdaFunction>"
}
}
}
]
}
AWS Identity Federation Trust Policy
This policy allows any GitLab instance to assume the role. An attacker only needs to know the ARN of the role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"gitlab.com:aud": "https://gitlab.com"
}
}
}
]
}
The role assumption is restricted to a particular GitLab project path.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGitlabToAssumeRole",
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"gitlab.example.com:sub": "project_path:mygroup/myproject:ref_type:branch:ref:main"
}
}
}
]
}
