wiz-sec / open-cvdb

An open project to list all publicly known cloud vulnerabilities and CSP security issues
https://cloudvulndb.org
Creative Commons Attribution 4.0 International

[Contribution] Add AWS Directory Service issue #181

Closed korniko98 closed 1 year ago

korniko98 commented 1 year ago

Summary (give a brief description of the issue)

When you configure an AWS service to use an IAM role on your behalf, you need to have the iam:PassRole permission in addition to the permissions required to configure and/or use the service.

Due to the bug we reported, AWS Directory Service didn’t verify the presence of those permissions when assigning users or groups to an existing IAM role. This allowed users with the ds:EnableRoleAccess permission to assign users to any role in their account that has a trust relationship with AWS Directory Service.

Additionally, we found some actions that were not logged to CloudTrail and a validation that’s only done client-side.

References (provide links to blogposts, etc.)

https://cloudar.be/awsblog/spotted-privilege-escalation-in-aws-directory-service/
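The following is an added illustration, not code from the issue or from the linked write-up. It models the authorization check the issue describes: a caller of ds:EnableRoleAccess should also need iam:PassRole on the target role, and only roles whose trust policy names ds.amazonaws.com are reachable at all. The `require_passrole` switch shows the difference between the expected check and the unverified behaviour reported above. All ARNs, the policy document and the trust table are constructed sample data; the evaluator is a deliberate simplification of IAM (Allow/Deny, wildcard matching, no conditions).

```python
import fnmatch

# Constructed sample account data (not real ARNs).
DIRECTORY_ARN = "arn:aws:ds:us-east-1:123456789012:directory/d-1234567890"
ROLE_TRUSTS = {  # role ARN -> services allowed to assume it (trust policy principals)
    "arn:aws:iam::123456789012:role/DirectoryAdmin": ["ds.amazonaws.com"],
    "arn:aws:iam::123456789012:role/DirectoryReadOnly": ["ds.amazonaws.com"],
    "arn:aws:iam::123456789012:role/LambdaExec": ["lambda.amazonaws.com"],
}
# A principal that may enable role access on the directory but may only
# pass the read-only role; this is how a least-privilege policy should look.
LIMITED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ds:EnableRoleAccess", "Resource": DIRECTORY_ARN},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/DirectoryReadOnly"},
    ],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, value):
    # IAM actions are case-insensitive; '*' in a pattern spans ':' and '/'.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def allows(policy, action, resource):
    """Simplified IAM decision: an explicit Deny wins, else any matching Allow."""
    decision = False
    for stmt in policy["Statement"]:
        if _matches(_as_list(stmt["Action"]), action) and \
           _matches(_as_list(stmt["Resource"]), resource):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision

def assignable_roles(policy, role_trusts, directory_arn, require_passrole=True):
    """Roles this policy's principal could attach directory users to.

    require_passrole=True is the check the service should perform (PassRole on
    the specific role); False reproduces the unverified behaviour from the issue,
    where ds:EnableRoleAccess alone sufficed for any role trusting the service.
    """
    if not allows(policy, "ds:EnableRoleAccess", directory_arn):
        return []
    reachable = []
    for role_arn, trusted in role_trusts.items():
        if "ds.amazonaws.com" not in trusted:
            continue  # Directory Service could never assume this role anyway
        if require_passrole and not allows(policy, "iam:PassRole", role_arn):
            continue  # correct behaviour: PassRole gate blocks this role
        reachable.append(role_arn)
    return sorted(reachable)
```

Run `assignable_roles` over the policies of every principal that holds ds:EnableRoleAccess to see which roles they should have been limited to versus which were reachable while the check was missing.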