AWS Defaults Open Stealthy Attack Paths Enabling Privilege Escalation and Account Compromise
A recent investigation by security researchers has exposed critical vulnerabilities in the default IAM roles of several Amazon Web Services (AWS) offerings, including SageMaker, Glue, and EMR, as well as open-source projects like Ray.
These roles, often automatically created or recommended during service setup, come with overly permissive policies such as AmazonS3FullAccess.
This broad access, intended to simplify user onboarding, inadvertently creates silent attack paths that enable privilege escalation, cross-service tampering, and even full account compromise.
Uncovering Hidden Risks in AWS Default Roles
The research, responsibly disclosed to AWS, prompted swift action to revise default policies and issue updated security guidance.
The core issue lies in the excessive permissions granted by default roles like AWSGlueServiceRole, AmazonSageMaker-ExecutionRole, and AmazonEMRStudio_RuntimeRole, which often include unrestricted S3 access.

With AmazonS3FullAccess, a compromised role can read from and write to every S3 ...
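As an added illustration (not code from the article or from AWS), the check below flags the pattern described above, an Allow statement granting sensitive S3 actions on every bucket, and sits beside a constructed least-privilege replacement of the kind a Glue or SageMaker job role could use. Both policy documents and the bucket name are constructed stand-ins, not AWS's published policies.

```python
import fnmatch
import json

# Constructed stand-in with the shape of AmazonS3FullAccess: every S3 action
# on every resource. Attached to a service role, this is the silent attack
# path the article describes (read and rewrite any bucket in the account).
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}""")

# Constructed least-privilege replacement for a job role: list one bucket,
# read only its input prefix, write only its output prefix. Placeholder name.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-job-data"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-job-data/input/*"},
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::example-job-data/output/*"}
  ]
}""")

# Actions that let a role read, replace or expose arbitrary bucket contents.
SENSITIVE_S3_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                        "s3:PutBucketPolicy")

def _as_list(value):
    # IAM allows Action and Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]

def find_broad_s3_grants(policy):
    """Return (statement_index, action) pairs where an Allow statement grants
    a sensitive S3 action on an unrestricted resource."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = _as_list(stmt.get("Resource", []))
        # "*" or the bucket-wide ARN wildcard covers every bucket in the account.
        if not any(r in ("*", "arn:aws:s3:::*") for r in resources):
            continue
        for pattern in _as_list(stmt["Action"]):
            # IAM action names are case-insensitive and may use "*" wildcards.
            for action in SENSITIVE_S3_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((idx, action))
    return findings
```

Running the check over a role's attached policies in CI, or over `iam:GetPolicyVersion` output, catches a default role that still carries bucket-wide access before a job is deployed with it.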
Copyright of this story solely belongs to gbhackers.