Backdoors and Privilege Escalation Via Cloud Account Users

ACM.134 Preventing a user from leveraging another user with permissions they don’t have

Teri Radichel
Published in Cloud Security
11 min read · Jan 16, 2023

In my last few posts I’ve been trying to outline an IAM architecture that prevents IAM administrators (or an attacker who obtains their credentials or an active session) from escalating privileges. In other words, how can we prevent an IAM administrator from simply granting themselves additional permissions they don’t already have and then doing something they should not be allowed to do?

In the last post, we looked at how to prevent an IAM user from leveraging a compute resource and granting it a role that the IAM user should not be allowed to assume themselves.
