Cloud security provider Lightspin developed a new open-source scanner Red-Shadow that reports when user permissions are loosely defined, which opens up an attack path for hackers. 

Lightspin released the scanner after it announced the results of its research that discovered a gap between AWS Identity and Access Management (IAM) user group policies that attackers can abuse to take over accounts, delete group members, steal data and shut down services.  

“Initially, we believed this vulnerability was an isolated case,” said Vladi Sandler, the CEO at Lightspin. “However, upon further investigation, we found that in many cases, users could perform actions that system administrators believed were denied when they configured group security configurations. This makes user accounts believed to be safe, easy to infiltrate.”

One error that made it easier for the vulnerability to proliferate was that many security administrators were unaware that AWS IAM rules do not work the same way as Azure Active Directory or other authorization mechanisms. According to Lightspin's research, more than half of the companies that Lightspin works with have unintentionally loose permissions for their users.

To help find where permissions are loosely set, the IAM Scanner detects the misconfiguration across the policy types where it can appear: managed policies, and inline policies attached to users, groups, or roles.

Once the policies vulnerable to the authorization bypass have been found, users can fix each policy by listing all relevant users in the Resource field instead of the group, so that the IAM actions in the statement are no longer ineffective. Another option is to use a Condition in the policy on ‘iam:ResourceTag’.
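As an added illustration, not Lightspin's code or the logic Red-Shadow itself uses, the following Python models the check and the first remediation described above: a Deny statement whose Resource is a group ARN never matches IAM actions that operate on user resources, so it is flagged, and the fix rewrites the Resource to the member users' ARNs. The set of user-scoped actions, the sample policy and the group membership map are assumptions constructed for the example.

```python
import fnmatch
import json

# Assumed illustrative subset of IAM actions whose resource type is a *user* ARN.
# A Deny whose Resource is a group ARN can never match these actions.
USER_SCOPED_ACTIONS = {
    "iam:DeleteUser", "iam:UpdateUser", "iam:CreateAccessKey",
    "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:ChangePassword",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:AddUserToGroup",
}

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_ineffective_denies(policy):
    """Return (statement index, action) pairs for Deny statements that name only
    group ARNs as Resource while covering user-scoped IAM actions."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Deny":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not resources or not all(":group/" in r for r in resources):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for action in USER_SCOPED_ACTIONS:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                findings.append((i, action))
    return sorted(findings)

def rewrite_deny_to_users(policy, group_members):
    """Remediation: replace each group ARN in a Deny's Resource with the ARNs of
    the group's member users. group_members maps group ARN -> list of user ARNs."""
    fixed = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    for stmt in _as_list(fixed.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        new_resources = []
        for res in _as_list(stmt.get("Resource", [])):
            new_resources.extend(group_members.get(res, [res]))
        stmt["Resource"] = new_resources
    return fixed

# Constructed sample: the admin intends to stop this principal from touching
# users in the "developers" group, but the Deny is scoped to the group ARN.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:DeleteUser", "iam:UpdateLoginProfile"],
         "Resource": "arn:aws:iam::123456789012:group/developers"},
    ],
}
```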

Additional details on the IAM Scanner are available here.