RedLock is now a part of Palo Alto Networks - READ MORE
Privilege Escalation Attacks
< Back

RedTalk: Privilege Escalation Through IAM Instance Profile Role

by   |   05.08.18, 8:00 AM

In the first of our new video and blog series, RedTalk, we will discuss an interesting privilege escalation attack that could impact public cloud computing environments.

Per wikipedia,

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

Let's assume that there is a user named Bob who has an AWS IAM account within his organization's environment. The IAM policy associated with Bob doesn’t allow the user to view contents of an S3 bucket named S3://sensitive-content. However, the policy does allow him to launch an EC2 instance and assign any instance role to it. These types of setups are unfortunately common.

Privilege Escalation Through IAM Instance Profile Role

The user Bob (“the victim”, indicated left in the figure above), who is not a malicious person, was struck with bad luck and had his IAM Access Key compromised, an increasingly common type of compromise.

Usually, the worst an attacker can do is launch more EC2 instances. However, since Bob's account has an IAM policy that allow attaching any instance role, the attacker can simply find a role which has privileged access and attaches the role to an instance. From there, the attacker can log into the EC2 instance and run AWS CLI commands and do virtually anything that the privileged role allows.

As documented by AWS and debated on Twitter over a year ago, if you launch an AWS EMR cluster from the AWS console and choose defaults, a role named “EMR_DefaultRole” is created. Unfortunately, the policy associated with this particular role has fairly broad permissions such as “S3:Get*”.

Proactive Approach to Prevent Such Attacks

Although we have an internal POC to demonstrate the attack on AWS, this attack is possible on Google’s GCP and Microsoft’s Azure cloud computing platform as well.

To detect if you are vulnerable to such attacks, you must review all IAM policies which allow the creation of EC2 instances under ANY role and then identify instance roles which have privileged access.

The RedLock Cloud Security Intelligence (CSI) team also highly recommends that you invest in tools which can utilize unsupervised machine learning to build profiles of entities such as IAM users, roles, and instances and alert you if a privilege escalation attack or other anomalous access patterns are detected.


Get the NEW Cloud Security Trends - May 2018 - Anniversary Edition

RedLock - May 2018 - CSI Cloud Security Trends Report

This edition of RedLock’s Cloud Security Trends marks the report’s one year anniversary, and it’s been a sobering year in terms of public cloud breaches, disclosures and attacks. Download the latest Cloud Security Trends - May 2018 report to get 14 tips to fortify your public cloud environment. 

Download Report



Related Posts