AWS Default IAM Roles Found to Enable Lateral Movement and Cross-Service Exploitation

Source: The Hacker News

Author: The Hacker News

URL: https://thehackernews.com/2025/05/aws-default-iam-roles-found-to-enable.html

ONE SENTENCE SUMMARY:

Researchers discovered insecure default IAM roles in AWS services enabling attackers to escalate privileges and compromise entire AWS accounts.

MAIN POINTS:

  1. Default IAM roles in AWS services grant overly broad permissions, enabling privilege escalation.
  2. Vulnerable IAM roles found in AWS services like SageMaker, Glue, EMR, and Lightsail.
  3. Similar issues identified in the open-source framework Ray, which uses the AmazonS3FullAccess policy.
  4. Attackers exploit default IAM roles to move laterally across AWS services.
  5. IAM roles with AmazonS3FullAccess provide complete read/write access to all S3 buckets.
  6. Attackers can modify AWS assets such as CloudFormation templates and SageMaker resources.
  7. Malicious machine learning models uploaded to Hugging Face can execute arbitrary code on SageMaker.
  8. AWS addressed vulnerabilities by restricting AmazonS3FullAccess policy for default roles.
  9. Researchers advise organizations to audit and tightly scope default IAM role permissions.
  10. Similar privilege escalation vulnerability found in the Azure Storage mounting utility AZNFS-mount.

TAKEAWAYS:

  1. Default IAM roles must be strictly limited to required resources and actions.
  2. Organizations should proactively audit default IAM role permissions to minimize risk.
  3. Permissive IAM roles can break isolation boundaries between cloud services.
  4. Attackers leverage broad IAM permissions for lateral movement and privilege escalation.
  5. Cloud providers regularly patch vulnerabilities; organizations must promptly apply security updates.
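As an added example (not code from the article or from the researchers it cites), the audit step from points 5 and 9 above in Python: flag roles carrying the AmazonS3FullAccess managed policy and emit a bucket-scoped replacement. The role inventory, role names, bucket and prefix are constructed sample data shaped like boto3's iam.list_attached_role_policies() response; nothing here calls AWS.

```python
"""Flag IAM roles with AmazonS3FullAccess attached and build a bucket-scoped
replacement. Sample data is constructed; no AWS call is made."""
import json

BROAD_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonS3FullAccess"

# Constructed sample inventory: role name -> list_attached_role_policies() shape.
SAMPLE_ROLES = {
    "AmazonSageMaker-ExecutionRole-example": {"AttachedPolicies": [
        {"PolicyName": "AmazonSageMakerFullAccess", "PolicyArn": "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"},
        {"PolicyName": "AmazonS3FullAccess", "PolicyArn": BROAD_POLICY_ARN},
    ]},
    "AWSGlueServiceRole-example": {"AttachedPolicies": [
        {"PolicyName": "AWSGlueServiceRole", "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"},
    ]},
    "ray-autoscaler-example": {"AttachedPolicies": [
        {"PolicyName": "AmazonS3FullAccess", "PolicyArn": BROAD_POLICY_ARN},
    ]},
}

def roles_with_broad_s3(roles):
    """Return, sorted, the roles that can read/write every bucket in the account."""
    return sorted(
        name for name, resp in roles.items()
        if any(p["PolicyArn"] == BROAD_POLICY_ARN for p in resp["AttachedPolicies"])
    )

def scoped_s3_policy(bucket, prefix=""):
    """Least-privilege replacement: list one bucket, read/write one prefix.
    s3:ListBucket is granted on the bucket ARN and object actions on the
    object ARN, because S3 evaluates them against different resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }

if __name__ == "__main__":
    for role in roles_with_broad_s3(SAMPLE_ROLES):
        print(f"FLAG {role}: AmazonS3FullAccess attached, scope it down")
    print(json.dumps(scoped_s3_policy("example-ml-data", "training/"), indent=2))
```

Against a live account, feed the function the per-role output of `aws iam list-attached-role-policies` (same shape) and review inline policies separately, since they are not covered by this check.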