Policy Perils: From Misconfigurations to Account Takeovers

AWS IAM becomes complicated when dealing with permissions for resources spread across different policies, roles and accounts. This opens the door for dangerous mistakes that allow for privilege escalation. In this talk, we show you real-life cases on how innocent-looking permissions can lead to full AWS account takeovers, even hop to accounts that should be out of reach.

The talk will include 2 case scenarios pertaining to privilege escalation through over-permissive policies and associated roles. The first scenario shows an example how the cross-service confused deputy problem can be exploited, while the second one extends a similar problem in combination with other over-permissive roles to escalate privileges. Both these case scenarios will consist of demos on a test AWS environment.

Learn and be amazed at what a normal low-privileged developer at your company can do if you don’t manage your AWS policies well.