Assume the Worst: Enumerating AWS Roles Through ‘AssumeRole’ (rhinosecuritylabs.com)
33 points by cory_zajicek on Aug 30, 2018 | hide | past | favorite | 6 comments



This article is grasping pretty hard. You mean to tell me if a role was misconfigured to allow anyone to assume it, and someone guesses that role name, then they'll be able to assume it?!

The only part of the article that is interesting is the difference in error messages that allows you to confirm whether a role exists or not, but I suspect that wasn't enough content for a blog post, so the scary implications of misconfiguring security policies were thrown in.


If the policy has AssumeRole with principal "AWS:*" then yes, anyone can assume it and get temporary credentials to resources. Normally you would put an account number there but what if you want all your accounts to be able to assume the role and want a quick solution? I think a lot of people didn't realize that anyone on AWS can assume the role if they do this.

I think it's quite common for people to just put something in the policy that works in order to quickly proceed with whatever they are doing. The article says they found about 50 policies like this.
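The "quick solution" this commenter describes, a role trust policy with Principal "AWS": "*", is what makes a guessed role name assumable by anyone. The following is an added example, not code from the commenter, the linked article, or AWS: a small Python check that parses a trust policy document and flags Allow statements for sts:AssumeRole whose principal is a wildcard and that carry no Condition. The three policy documents and the account IDs in them are constructed placeholders. A wildcard principal that is narrowed by a Condition (for example on aws:PrincipalOrgID) is deliberately not flagged, since it is not open to every AWS account.

```python
import json

# Constructed sample: the "quick fix" trust policy the comment describes.
# Principal "AWS": "*" lets any principal in any AWS account call sts:AssumeRole.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: the same intent (several of your own accounts may assume
# the role) expressed by listing those accounts explicitly. Placeholder IDs.
SAFE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::111111111111:root",
            "arn:aws:iam::222222222222:root",
        ]},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: a wildcard principal restricted by a Condition.
# This is not open to the world, so the check below does not flag it.
CONDITIONED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["sts:AssumeRole"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
})


def _as_list(value):
    """IAM allows most policy fields to be either a single value or a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "Principal": "*" and for "Principal": {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _allows_assume_role(actions):
    """True if the Action element grants sts:AssumeRole, directly or via a wildcard."""
    for action in _as_list(actions):
        if action.lower() in ("sts:assumerole", "sts:*", "*"):
            return True
    return False


def open_assume_role_statements(trust_policy_json):
    """Return the statements in a role trust policy that let any AWS principal assume
    the role: Effect Allow, wildcard principal, sts:AssumeRole, and no Condition."""
    doc = json.loads(trust_policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if not _allows_assume_role(stmt.get("Action", [])):
            continue
        if stmt.get("Condition"):
            # A Condition narrows the wildcard; leave it for manual review.
            continue
        findings.append(stmt)
    return findings


if __name__ == "__main__":
    for name, doc in [("weak", WEAK_TRUST_POLICY),
                      ("safe", SAFE_TRUST_POLICY),
                      ("conditioned", CONDITIONED_TRUST_POLICY)]:
        flagged = open_assume_role_statements(doc)
        print(f"{name}: {len(flagged)} open AssumeRole statement(s)")
```

The check only looks at Principal, Action, Effect and the presence of a Condition; it does not evaluate NotPrincipal or NotAction, and it treats any Condition as sufficient narrowing, so a flagged statement is a definite finding while an unflagged one with a Condition still deserves a look at what the Condition actually restricts.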


Exactly, it's the equivalent of saying "did you know if you have an admin account with blank password and I guessed the username then I can do some serious damage?"


I’ve been evaluating AWS and other cloud services and I think their control planes are a really interesting and not well explored area from a security perspective. My guess is we will see many future security incidents that seem like rehashes of old 90s-type exploits or user/admin failures due to complexity.


The difficult line between being helpful to normal users and malicious users...

This reminds me of the classic enumeration attacks in the 90s where you could figure out usernames in machines by various remote services they had running.

Doing it on AWS global level is kind of cool. :)


Many CI server configurations will rely on running jobs under a role which can only assume other roles. Individual jobs will then assume the role they need.

Something like this infecting a popular Node.js / Python / Ruby package could potentially do a lot of damage.




