Researchers from Israeli security firm Lightspin have identified an issue with configuring identity and access control services on Amazon Web Services (AWS) that could leave many organisations vulnerable to attack.
The issues raised not only illustrate how easy it is to misconfigure AWS, but also highlight a gap between mature Active Directory deployments and how to migrate to cloud-native IT architectures.
Lightspin said it had discovered that AWS identity and access management (IAM) rules do not work the same way as rules in Microsoft Active Directory for Windows-based security or other authorisation mechanisms.
In a blog post describing the risks, CTO Or Azarzar described how a security administrator can set up explicit permissions for Windows Groups, which cannot be overridden by users of that group. “We then look at IAM, where this is not the case,” he said.
This means that even if the admin explicitly configures the group to deny access to certain people, the configuration only impacts group actions and not members of the group. The implication of group policies not propagating down to individual users opens organisations up to misconfiguration and vulnerabilities, Azarzar warned.
The risk is that security admins may wrongly assume the process of configuring IAM on AWS is the same as for Active Directory on Windows.
This gap between AWS IAM user and group policies could be exploited by an attacker to take over accounts, delete group members, steal data and shut down services. Lightspin claimed its research team was able to compromise dozens of accounts by using this technique.
AWS said the approach it takes in IAM is by design, and not an error. AWS treats groups as separate objects. A spokesperson that this means IAM does not treat a user as part of a group when it comes to deny rules.
The differences between AWS IAM and Active Directory means organisations need to pay close attention when replicating rules.
From a straw poll Lightspin ran, the majority of organisations had not taken into account the different way AWS IAM behaves compared to Active Directory, which suggests that most businesses need to take a close look at their AWS identity and access controls.
“Initially, we believed this vulnerability was an isolated case,” said Vladi Sandler, CEO at Lightspin. “However, upon further investigation, we found that in many cases, users could perform actions that system administrators believed were denied when they configured group security configurations. This makes users’ accounts that were believed to be safe, easy to infiltrate.”
Lightspin found that half the organisations contacted had incorrect AWS IAM configurations, which could be compromised if a user’s account was hacked.
The IT industry generally recognises the difficulty in migrating a mature on-premise Active Directory deployment to the public cloud. Transferring user profiles and retaining access and policy controls can be error-fraught. The Lightspin example illustrates just how easily a migration assumption can leave organisations at risk.
The company has developed an open-source scanner that reports when user permissions are loosely defined, opening up an attack path for hackers.