Cloud IAM Overprivileged Roles

Severity: Critical Risk | Category: Cloud Security
Tags: iam, cloud, aws, azure, gcp, privilege-escalation, access-control, permissions

What it is

Cloud Identity and Access Management (IAM) roles and policies configured with excessive permissions that violate the principle of least privilege. This includes roles with administrative access, wildcard permissions, or broad resource access that increases the attack surface and potential for privilege escalation across AWS, Azure, and Google Cloud Platform.

Vulnerable policy (service-wide wildcard action on every bucket):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

Secure policy (only the needed actions, scoped to one bucket):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-app-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-app-bucket"
    }
  ]
}

💡 Why This Fix Works

The vulnerable policy grants every S3 action (s3:*) on every S3 resource (*): not just reads and writes to every bucket in the account, but also administrative calls such as s3:DeleteBucket and s3:PutBucketPolicy, which a compromised principal could use to destroy data or expose a bucket publicly. The secure policy follows the principle of least privilege by naming only the actions the application needs (GetObject, PutObject, ListBucket) and scoping them to a single bucket. Note the split into two statements: object actions apply to the object ARN pattern arn:aws:s3:::my-app-bucket/*, while ListBucket is a bucket-level action and must be granted on the bucket ARN itself; granting it on the /* pattern would silently not match.

Why it happens

Root causes

Administrative Role Misuse

Assigning administrative roles (for example AdministratorAccess or PowerUserAccess in AWS, Owner in Azure or Google Cloud) to users or services that only need limited access to specific resources

Wildcard Permission Policies

Creating IAM policies with wildcard (*) permissions that grant access to all resources or actions within a service

Cross-Account Trust Misconfiguration

Configuring overly broad cross-account trust relationships that allow unintended access from external accounts or principals, for example a role trust policy whose Principal is "*" or another account's root with no Condition (such as sts:ExternalId) limiting who in that account may assume the role

Legacy Permission Accumulation

Accumulating permissions over time without regular auditing and cleanup, resulting in users having access to resources they no longer need
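The wildcard, NotAction and cross-account trust patterns listed above can be caught mechanically before a policy is deployed. The following script is an added example written for this page (it is not the page's or any vendor's tool): it walks the statements of a permission policy and of a role trust policy and reports the broad grants. The sample documents, bucket name, account IDs and external ID are constructed placeholders, and the severities are triage hints rather than verdicts, since some actions (iam:ListUsers, ec2:DescribeInstances) genuinely require Resource "*".

```python
"""Static checks for overprivileged IAM permission and trust policies.

Added example for this page, not a tool from the page or from any vendor.
The sample documents and account IDs below are constructed for illustration.
"""
import json


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_permission_policy(policy):
    """Return (sid, severity, reason) findings for Allow statements broader than
    least privilege. Severity is a triage hint: some read-only actions need Resource "*"."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            # Allow + NotAction is an inverted wildcard: everything except the list
            # (the shape of PowerUser-style managed policies).
            findings.append((sid, "HIGH", "Allow with NotAction grants every action not listed"))
        for action in actions:
            if action == "*":
                findings.append((sid, "CRITICAL", "Action '*' grants every API in every service"))
            elif action.endswith(":*"):
                findings.append((sid, "HIGH", f"service-wide wildcard {action}"))
            elif "*" in action:
                findings.append((sid, "MEDIUM", f"partial wildcard {action}; check what it expands to"))
        if "*" in resources and "Condition" not in stmt:
            findings.append((sid, "MEDIUM", "Resource '*' with no Condition; confirm account-wide scope is required"))
    return findings


def check_trust_policy(trust_policy, own_account_id):
    """Flag sts:AssumeRole trust statements that let unintended principals assume the role.
    Federated/web-identity trust (AssumeRoleWithWebIdentity etc.) is out of scope here."""
    if isinstance(trust_policy, str):
        trust_policy = json.loads(trust_policy)
    findings = []
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        principal = stmt.get("Principal")
        # Principal is either the string "*" or a map such as {"AWS": [...], "Service": [...]}.
        aws_principals = _as_list(principal) if isinstance(principal, str) else _as_list((principal or {}).get("AWS"))
        conditions = stmt.get("Condition") or {}
        has_external_id = any("sts:ExternalId" in keys for keys in conditions.values())
        for p in aws_principals:
            if p == "*":
                sev = "MEDIUM" if conditions else "CRITICAL"
                note = " (gated only by conditions; verify them)" if conditions else ""
                findings.append((sid, sev, "wildcard principal: any AWS account may assume this role" + note))
                continue
            if p.isdigit():  # a bare account ID is shorthand for that account's root
                account, is_root = p, True
            else:
                parts = p.split(":")
                account = parts[4] if len(parts) > 5 else own_account_id
                is_root = len(parts) > 5 and parts[5] == "root"
            if is_root and account != own_account_id and not has_external_id:
                findings.append((sid, "HIGH", f"account {account} root can assume without sts:ExternalId "
                                 "(every principal in that account; confused-deputy risk for third parties)"))
    return findings


# Constructed samples; bucket name, account IDs and external ID are placeholders.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
POWERUSER_STYLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::my-app-bucket/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-app-bucket"}]}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
PARTNER_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::210987654321:root"}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "partner-ticket-4821"}}}]}

if __name__ == "__main__":
    for name, doc in [("wildcard", WILDCARD_POLICY), ("poweruser-style", POWERUSER_STYLE_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, check_permission_policy(doc))
    for name, doc in [("open trust", OPEN_TRUST), ("partner trust", PARTNER_TRUST)]:
        print(name, check_trust_policy(doc, "111111111111"))
```

Run it over every customer-managed policy and role trust document exported from the account (for example from an IAM credential or policy dump) as a pre-deployment gate; a wildcard principal that is gated by a condition such as aws:PrincipalOrgID is downgraded rather than cleared, because the reviewer still has to read the condition.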

Fixes

1

Implement Least Privilege IAM

Design IAM policies that grant only the minimum permissions required for each role, avoiding administrative or wildcard permissions

2

Use Condition-Based Access Control

Implement conditional access policies that restrict permissions based on factors like source IP address, time of day, MFA status, and resource or principal tags (in AWS these are the aws:SourceIp, aws:CurrentTime, aws:MultiFactorAuthPresent and aws:ResourceTag/<key> condition keys). A condition in an Allow statement only narrows the grant; every condition operator in the block must match, and a request that lacks the context key fails a positive check, so a long-lived access key with no MFA context is simply not allowed

3

Regular Access Reviews and Auditing

Establish automated processes to regularly review and audit IAM permissions, removing unused access and identifying overprivileged roles, for example by comparing the actions a policy grants against the service last-accessed data the cloud provider records for that principal, and by linting policy documents for wildcard actions, Allow-with-NotAction and unconditioned cross-account trust before they are deployed

4

Implement Just-In-Time Access

Deploy temporary access elevation systems that grant privileged access only when needed and for limited time periods, issuing short-lived credentials (for example an AWS STS AssumeRole session with a bounded DurationSeconds, or Azure PIM activation) rather than standing administrative assignments, so that a stolen credential expires on its own
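Fix 2 (condition-based access) and the time-bounded aspect of Fix 4 are easiest to understand by watching a conditioned statement evaluate. The script below is an added example written for this page, not AWS code: it holds one Allow statement restricted by MFA, source IP range, a resource tag and a deadline, and re-implements the subset of IAM condition semantics those operators need (all operator/key pairs must match, any listed value for a key may match, and a missing context key fails a positive operator). The statement, instance ARN, tag values, addresses (RFC 5737 documentation ranges) and timestamps are constructed; Deny statements and multi-statement evaluation are deliberately out of scope.

```python
"""Evaluate an IAM statement's Condition block against a request context.

Added example for this page, not AWS code; models only the operators used
below with simplified semantics. All sample data is constructed.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Stop only dev-tagged instances, only with MFA, only from the office range,
# and only until a deadline (a crude, policy-level form of time-boxed access).
CONDITIONED_STATEMENT = {
    "Effect": "Allow",
    "Action": "ec2:StopInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
        "Bool": {"aws:MultiFactorAuthPresent": "true"},
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        "StringEquals": {"aws:ResourceTag/env": "dev"},
        "DateLessThan": {"aws:CurrentTime": "2030-01-01T00:00:00Z"},
    },
}


def _timestamp(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _value_matches(operator, expected, actual):
    """One expected value against one context value for the operators modelled here."""
    if operator == "Bool":
        return str(actual).lower() == expected.lower()
    if operator == "StringEquals":
        return actual == expected
    if operator == "IpAddress":
        return ip_address(actual) in ip_network(expected, strict=False)
    if operator == "DateLessThan":
        return _timestamp(actual) < _timestamp(expected)
    if operator == "DateGreaterThan":
        return _timestamp(actual) > _timestamp(expected)
    raise ValueError(f"operator {operator} not modelled here")


def condition_allows(condition, context):
    """True only if every operator/key pair is satisfied (AND across keys);
    a key may list several values, any one of which suffices (OR)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False  # e.g. no aws:MultiFactorAuthPresent on a long-lived access key
            values = expected if isinstance(expected, list) else [expected]
            if not any(_value_matches(operator, v, actual) for v in values):
                return False
    return True


def statement_allows(statement, action, resource, context):
    """Does this single Allow statement match the action, resource and context?
    IAM's '*' and '?' wildcards behave like fnmatch for these patterns."""
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    if not any(fnmatchcase(action, pattern) for pattern in actions):
        return False
    if not fnmatchcase(resource, statement["Resource"]):
        return False
    return condition_allows(statement.get("Condition", {}), context)


# Constructed request contexts.
MFA_FROM_OFFICE = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.42",
                   "aws:ResourceTag/env": "dev", "aws:CurrentTime": "2025-06-01T12:00:00Z"}
ACCESS_KEY_NO_MFA = {k: v for k, v in MFA_FROM_OFFICE.items() if k != "aws:MultiFactorAuthPresent"}
FROM_OUTSIDE = {**MFA_FROM_OFFICE, "aws:SourceIp": "198.51.100.7"}
PROD_INSTANCE = {**MFA_FROM_OFFICE, "aws:ResourceTag/env": "prod"}
AFTER_DEADLINE = {**MFA_FROM_OFFICE, "aws:CurrentTime": "2031-01-01T00:00:00Z"}
INSTANCE = "arn:aws:ec2:us-east-1:111111111111:instance/i-0123456789abcdef0"

if __name__ == "__main__":
    for label, ctx in [("mfa from office", MFA_FROM_OFFICE), ("access key, no mfa", ACCESS_KEY_NO_MFA),
                       ("from outside", FROM_OUTSIDE), ("prod instance", PROD_INSTANCE),
                       ("after deadline", AFTER_DEADLINE)]:
        print(f"{label:20} -> {statement_allows(CONDITIONED_STATEMENT, 'ec2:StopInstances', INSTANCE, ctx)}")
```

Only the first context is allowed; each of the others fails exactly one condition. The missing-key rule is why this Allow never reaches long-lived access keys, and also why a blanket MFA requirement is usually written the other way round, as a Deny with BoolIfExists on aws:MultiFactorAuthPresent set to "false", which catches requests that carry no MFA context at all.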
