
Assume the Worst: Enumerating AWS Roles Through ‘AssumeRole’ - cory_zajicek
https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/
======
cloakandswagger
This article is grasping pretty hard. You mean to tell me if a role was
misconfigured to allow anyone to assume it, and someone guesses that role
name, then they'll be able to assume it?!

The only part of the article that is interesting is the difference in error
messages that allows you to confirm whether a role exists or not, but I
suspect that wasn't enough content for a blog post so the scary implications
of misconfiguring security policies was thrown in.

~~~
some_account
If the policy has AssumeRole with principal "AWS:*" then yes, anyone can
assume it and get temporary credentials to resources. Normally you would put
an account number there but what if you want all your accounts to be able to
assume the role and want a quick solution? I think a lot of people didn't
realize that anyone on AWS can assume the role if they do this.

I think it's quite common for people to just put something in the policy that
works in order to quickly proceed with whatever they are doing. Article says
they found about 50 policies like this.
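
The wildcard trust policy described in this comment, beside its scoped form, as an added example that is not from the article or from anyone in the thread. The script is a small local check over IAM role trust policy documents (the `AssumeRolePolicyDocument` returned by the IAM API): it flags Allow statements that grant `sts:AssumeRole` to the `"AWS": "*"` principal, noting whether a Condition block narrows them. The two policy documents and the 12-digit account IDs are constructed placeholders.

```python
import json

# Constructed example trust policies (not from the article or the thread).
# OPEN_TRUST_POLICY is the misconfiguration discussed above: a wildcard
# AWS principal lets identities in any AWS account call sts:AssumeRole.
OPEN_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
})

# SCOPED_TRUST_POLICY is the corrected form: the same role trusted only by
# the accounts that need it (the 12-digit account IDs are placeholders).
SCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::111111111111:root",
            "arn:aws:iam::222222222222:root",
        ]},
        "Action": "sts:AssumeRole",
    }],
})

# Actions that let a caller take on the role (compared case-insensitively).
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM allows a scalar or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Return the AWS-account principals of a statement as a list of strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def find_open_assume_role(policy_json):
    """Report Allow statements that grant AssumeRole to the wildcard principal.

    Each finding gives the statement index and whether a Condition block
    (for example an sts:ExternalId check) narrows it, which lowers but does
    not remove the exposure.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        if "*" not in _aws_principals(stmt.get("Principal")):
            continue
        has_condition = bool(stmt.get("Condition"))
        findings.append({
            "statement": idx,
            "has_condition": has_condition,
            "severity": "medium" if has_condition else "high",
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("open", OPEN_TRUST_POLICY), ("scoped", SCOPED_TRUST_POLICY)):
        print(name, find_open_assume_role(doc))
```

Run against every role in an account by feeding each role's trust policy document to `find_open_assume_role`; a non-empty result on a role that was meant to be shared only across your own accounts is exactly the "quick solution" case this comment describes, and the fix is the explicit account list shown in the scoped policy.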

------
filaberta
I’ve been evaluating AWS and other cloud services and I think their control
planes are a really interesting and not well explored area from a security
perspective. My guess is we will see many future security incidents that seem
like rehashes of old 90s type exploits or user/admin failures due to
complexity.

------
some_account
The difficult line between being helpful to normal users and malicious
users...

This reminds me of the classic enumeration attacks in the 90s where you could
figure out usernames in machines by various remote services they had running.

Doing it on AWS global level is kind of cool. :)

------
hassy
Many CI server configurations will rely on running jobs under a role which can
only assume other roles. Individual jobs will then assume the role they need.

Something like this infecting a popular Node.js / Python / Ruby package could
potentially do a lot of damage.

