Aqua Security’s Team Nautilus has discovered a critical vulnerability in six popular AWS services that could allow bad actors to gain control over cloud environments.
The flaw, rooted in how AWS automatically creates default IAM roles in new regions, could be exploited without user interaction. It could endanger organizations using Glue, SageMaker, EMR, CloudFormation, Redshift, and CodeBuild.
The attack vector, termed “Shadow Role”, takes advantage of AWS’s behavior of silently creating IAM roles with predefined trust policies when specific services are used in a new region.
These roles are designed to allow specific AWS services to assume them on behalf of users. However, Team Nautilus found that if an attacker predicts the naming pattern of these roles and pre-creates a resource in another AWS account using the same name, they can exploit the trust policy to gain privileges they shouldn’t have.
“If any role in your account has AmazonS3FullAccess (either through an attached policy or inline permissions), it effectively has read/write access to every S3 bucket – and by extension, the ability to tamper with multiple AWS services,” the researchers said. “This turns a seemingly limited role into a powerful pivot point for lateral movement and privilege escalation within your cloud environment.”
Overly Permissive Settings
What makes the threat particularly dangerous is that these IAM roles are often created in the background without administrators realizing it, particularly in multi-region deployments. Once created, the trust policy may include overly permissive settings that allow AWS services from any account to assume the role.
Aqua’s research shows that a malicious actor could abuse these trust relationships to escalate privileges, pivot across services, or take complete control of the environment.
The researchers demonstrated the issue across six AWS services. In each instance, the exploitation method followed a similar pattern: identify the role name AWS would generate by default, create a malicious resource with that name in a controlled account, and wait for the victim to trigger the vulnerable service in a new region.
Once the service is used and the role is created, AWS trusts the malicious resource due to the pre-set trust policy, enabling the attacker to assume the role.
This vulnerability is not a typical user misconfiguration but rather a systemic weakness in how AWS initializes roles with trust policies. Aqua says that users have little visibility into automatic role creations, and in some cases, even AWS administrators were unaware of their existence.
The implications are significant, especially for entities with sensitive workloads in cloud environments.
Responsible Disclosure
Aqua Security responsibly disclosed the issue to AWS, quickly updating the affected services to use stricter trust policies and prevent malicious cross-account access. While AWS has rolled out patches, Aqua advises organizations to audit their IAM roles, especially those created automatically, and implement tighter controls on role assumptions.
In response to the findings, Aqua has also released tools and detection queries to help cloud security teams identify vulnerable roles and monitor suspicious activity. The company stressed the need for better visibility and more secure defaults for IAM roles in cloud platforms.
This discovery, yet again, highlights the complexities of identity and access management in cloud computing—and the need for constant vigilance, even in default configurations provided by major cloud providers like AWS.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.