Excessive Permissions and Privilege Escalation
IAM misconfigurations in IaC create pathways for privilege escalation and lateral movement. Overly permissive policies grant more access than necessary, violating the principle of least privilege. Wildcard permissions such as "s3:*" or "ec2:*" provide broad access that attackers can exploit. Trust relationships between roles might allow unintended role assumption, enabling privilege escalation.
The complexity of cloud IAM systems contributes to permission vulnerabilities. AWS alone has thousands of possible actions across hundreds of services. Developers often grant broad permissions to avoid troubleshooting access issues, planning to restrict them later but forgetting to do so. IaC makes these overly permissive configurations permanent and reproducible across environments.
// Common IAM vulnerability patterns

// VULNERABLE: Overly permissive policy with wildcards
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",    // DANGER: Allows all AWS actions
      "Resource": "*"   // DANGER: On all resources
    }
  ]
}

// VULNERABLE: Dangerous action combinations enabling privilege escalation
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",     // Can create new access keys
        "iam:CreateLoginProfile",  // Can create console access
        "iam:UpdateLoginProfile",  // Can reset passwords
        "iam:AttachUserPolicy",    // Can attach any policy
        "iam:PutUserPolicy"        // Can create inline policies
      ],
      "Resource": "*"
    }
  ]
}

// VULNERABLE: Excessive S3 permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",  // DANGER: All S3 actions
      "Resource": [
        "arn:aws:s3:::*",    // All buckets
        "arn:aws:s3:::*/*"   // All objects
      ]
    }
  ]
}

// SECURE: Least privilege policy for specific use case
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListSpecificBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::my-app-data",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["uploads/*"]
        }
      }
    },
    {
      "Sid": "ReadWriteSpecificPrefix",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::my-app-data/uploads/*"
    }
  ]
}
Cross-account access misconfigurations create additional risks. Trust relationships intended for specific services might be exploitable by attackers who compromise those services. External ID requirements might be missing or use predictable values. Confused deputy vulnerabilities occur when services can be tricked into using their permissions on behalf of attackers.
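Because IaC makes these policies reproducible, the patterns described above (wildcard actions and resources, the privilege-escalation action combination, and cross-account trust relationships with no External ID condition) are best caught by a static check that runs on the policy documents before deployment. The following Python linter is an added example written for this page; it is not code from the original text or from any particular scanning tool. The PRIVESC_ACTIONS set (the page's dangerous actions plus their role-policy analogues), the finding wording, the sample policy documents and the account id 111122223333 are all constructed for illustration.

```python
"""Static checks for IAM policy documents as they appear in IaC templates (added example)."""
import fnmatch

# Actions that let a principal grant itself or another identity more access.
# Assumed list: the page's dangerous-combination actions plus role-policy analogues.
PRIVESC_ACTIONS = {
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:AttachRolePolicy", "iam:PutRolePolicy",
}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches_privesc(actions):
    """Expand action wildcards ('*', 'iam:*', 'iam:Put*') against the privesc set."""
    hits = set()
    for pattern in actions:
        for action in PRIVESC_ACTIONS:
            # IAM action names are case-insensitive, so compare lowercased.
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                hits.add(action)
    return sorted(hits)


def _has_external_id(condition):
    """True if any condition operator constrains the sts:ExternalId key."""
    for operator_values in (condition or {}).values():
        if isinstance(operator_values, dict) and any(
            key.lower() == "sts:externalid" for key in operator_values
        ):
            return True
    return False


def lint_policy(policy):
    """Return a list of human-readable findings for one policy document (a dict)."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # 1. Wildcard actions: '*' grants everything, 'svc:*' grants a whole service.
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every AWS action")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard action {action}")

        # 2. Privilege-escalation actions combined with Resource '*'.
        hits = _matches_privesc(actions)
        if hits and "*" in resources:
            findings.append(
                f"{sid}: privilege-escalation actions on all resources: {', '.join(hits)}")

        # 3. Trust policies: an AWS principal should be pinned with sts:ExternalId.
        #    Same-account trust is a legitimate exception to allow-list in practice.
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "AWS" in principal:
            if "*" in _as_list(principal["AWS"]):
                findings.append(f"{sid}: trust policy lets any AWS principal assume this role")
            elif not _has_external_id(stmt.get("Condition")):
                findings.append(f"{sid}: cross-account trust without an sts:ExternalId condition")
        elif principal == "*":
            findings.append(f"{sid}: Principal '*' is unrestricted")
    return findings


# Constructed sample documents mirroring the patterns discussed on this page.
SAMPLE_POLICIES = {
    "admin_wildcard": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "privesc_combo": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
            "iam:AttachUserPolicy", "iam:PutUserPolicy"]}]},
    "s3_all": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]}]},
    "s3_least_privilege": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListSpecificBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::my-app-data",
         "Condition": {"StringLike": {"s3:prefix": ["uploads/*"]}}},
        {"Sid": "ReadWriteSpecificPrefix", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::my-app-data/uploads/*"}]},
    # 111122223333 is a placeholder account id, not a real account.
    "trust_no_external_id": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole"}]},
    "trust_with_external_id": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]},
}


def lint_all(policies=SAMPLE_POLICIES):
    """Lint every named policy; returns {name: [findings]} so a CI step can fail on non-empty lists."""
    return {name: lint_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(f"[{'OK  ' if not findings else 'FAIL'}] {name}")
        for finding in findings:
            print(f"    - {finding}")
```

Run as a pre-deploy step, the check fails any template whose findings list is non-empty: the two wildcard policies and the privilege-escalation combination are reported, the trust policy without an External ID is reported, and the least-privilege S3 policy and the pinned trust policy pass clean. Wildcards in the Action field are expanded against the privilege-escalation set, so "iam:*" or "iam:Put*" is reported for the same reason the explicit list is.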