(If you missed the previous parts of this trust policy blog series, we recommend reading parts one and two first)

In the previous post of this series, we explored four dangerous misconceptions regarding how to securely set up cross-account access in AWS environments.

In this final post of the series, we’ll walk through a real-world case where even AWS got it wrong. Their Account Assessment for AWS Organizations tool, designed to audit resource-based policies for risky cross-account access, ironically introduced cross-account privilege escalation risks due to flawed deployment instructions. Specifically, customers were effectively encouraged to deploy the tool in lower-sensitivity accounts, creating risky trust paths from insecure environments into highly sensitive ones.

We’ll share how we discovered the issue, the risks it introduced, how AWS fixed it, and what affected organizations should do to detect and remediate it.

How it started

While investigating a critical privilege escalation risk involving an IAM role in a customer’s AWS environment, we discovered a role present in both their production and management accounts, each of which trusted two roles in their development account:

The risky IAM role we investigated

These were the details of the privilege escalation risk (sensitive info redacted):

Examining the permissions of that role in the production and management accounts, we found it had access to several sensitive IAM and data-related API calls, including:

iam:ListRoles (lists all IAM roles, helping an attacker identify privileged and vulnerable roles)
iam:ListPolicies (reveals all IAM policies, exposing potential misconfigurations)
secretsmanager:ListSecrets (lists all stored secret names, identifying potential targets)
s3:ListAllMyBuckets (enumerates all S3 buckets, exposing potential sensitive data locations)
kms:ListKeys (lists all encryption keys, indicating what is being encrypted)
kms:GetKeyPolicy (retrieves key policies, which could reveal weak or misconfigured a...
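The trust path described above (a role in a sensitive account whose trust policy names roles in a lower-sensitivity account) can be caught by checking each trust policy's AWS principals against the set of accounts allowed to assume into that role. The following is an added example, not code from the original post or from AWS; the account IDs, role names and the sample trust policy are constructed, and the allow-list of accounts is an assumption the caller supplies.

```python
import json
import re

# Constructed sample (not from the post): a role in a production account whose
# trust policy allows two roles from a development account plus a same-account role.
PROD_ACCOUNT = "111111111111"
DEV_ACCOUNT = "222222222222"
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": [f"arn:aws:iam::{DEV_ACCOUNT}:role/dev-deploy",
                               f"arn:aws:iam::{DEV_ACCOUNT}:role/dev-ci"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": f"arn:aws:iam::{PROD_ACCOUNT}:role/admin"}},
    ],
})

ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

def principal_account(principal):
    """Map an AWS principal string to its 12-digit account ID ('*' for wildcards)."""
    if principal == "*":
        return "*"
    if re.fullmatch(r"\d{12}", principal):          # bare account ID form
        return principal
    m = ARN_ACCOUNT_RE.match(principal)             # ARN form (role, user, root)
    return m.group(1) if m else None

def risky_trusts(trust_policy_json, allowed_accounts):
    """Return (principal, account, has_condition) for every Allow statement whose
    AWS principal is a wildcard or lives outside the accounts permitted to assume
    this role. A statement with a Condition block is reported but flagged so it
    can be reviewed rather than treated as an unconditional trust."""
    doc = json.loads(trust_policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):                # single-statement shorthand
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {})
        if principals == "*":                       # "Principal": "*" shorthand
            principals = {"AWS": "*"}
        aws = principals.get("AWS", [])             # Service/Federated principals skipped
        for p in [aws] if isinstance(aws, str) else aws:
            acct = principal_account(p)
            if acct == "*" or acct not in allowed_accounts:
                findings.append((p, acct, "Condition" in stmt))
    return findings
```

Run with the production account alone as the allow-list and both development-account roles are reported; adding the development account to the allow-list for a production role is exactly the decision the post argues against.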