{"id":5304,"date":"2025-07-12T10:01:39","date_gmt":"2025-07-12T10:01:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/07\/12\/aws-organizations-mis-scoped-managed-policy-let-hackers-to-take-full-aws-organization-control\/"},"modified":"2025-07-12T10:01:39","modified_gmt":"2025-07-12T10:01:39","slug":"aws-organizations-mis-scoped-managed-policy-let-hackers-to-take-full-aws-organization-control","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/07\/12\/aws-organizations-mis-scoped-managed-policy-let-hackers-to-take-full-aws-organization-control\/","title":{"rendered":"AWS Organizations Mis-scoped Managed Policy Let Hackers To Take Full AWS Organization Control"},"content":{"rendered":"<p>    AWS Organizations Mis-scoped Managed Policy Let Hackers To Take Full AWS Organization Control<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A critical security vulnerability in AWS Organizations has been discovered that could allow attackers to achieve complete control over entire multi-account AWS environments through a mis-scoped managed policy.<\/p>\n<p>The flaw, identified in the AmazonGuardDutyFullAccess managed policy version 1, enables privilege escalation from a compromised member account to full organizational takeover, including potential control of the management account itself.<\/p>\n<p>The vulnerability stems from an improperly scoped permission within the AWS-managed policy that grants the <code>organizations:RegisterDelegatedAdministrator<\/code> action with unrestricted resource access.<\/p>\n<p>This oversight allows attackers who compromise a user or role in the management account with the vulnerable policy attached to register any account within the organization as a delegated administrator for sensitive services, effectively bypassing intended security boundaries.<\/p>\n<p>The attack vector leverages AWS Organizations\u2019 delegated administrator 
feature, which was designed to reduce reliance on the highly privileged management account by allowing specific member accounts to administer a service organization-wide.<\/p>\n<p>However, the mis-scoped policy transforms this security feature into a powerful <a href=\"https:\/\/cybersecuritynews.com\/ms-patch-rce-privilege-escalation\/\" target=\"_blank\" rel=\"noreferrer noopener\">escalation mechanism<\/a>.<\/p>\n<p>An attacker can chain the delegation privilege with control over a member account to gain administrative access to critical services such as AWS IAM Identity Center (formerly AWS SSO) or CloudFormation StackSets across all accounts in the organization.<\/p>\n<p>Cymulate researchers <a href=\"https:\/\/cymulate.com\/blog\/aws-delegated-admin-org-takeover\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> this vulnerability while investigating cross-account pivoting and compromise scenarios in AWS Organizations.<\/p>\n<p>The research team, led by Ben Zamir, found that the policy\u2019s overly permissive statement lets an attacker delegate sensitive services to an account under their control and then manipulate organization-wide identity management or deploy malicious infrastructure across the entire environment.<\/p>\n<p>The exploitation process involves a few steps that demonstrate the severity of this vulnerability.<\/p>\n<p>Once an attacker compromises a management-account identity with the vulnerable policy, they can run the following command to register an account they control as a delegated administrator (the account ID and service principal are placeholders):<\/p>\n<pre class=\"wp-block-code\"><code>aws organizations register-delegated-administrator --account-id &lt;account-id&gt; --service-principal &lt;service-principal&gt;<\/code><\/pre>\n<h2 class=\"wp-block-heading\"><strong>Persistence and Privilege Escalation Mechanism<\/strong><\/h2>\n<p>The most concerning aspect of this vulnerability lies in its ability to establish <a 
href=\"https:\/\/cybersecuritynews.com\/using-threat-intelligence-to-combat-advanced-persistent-threats-apts\/\" target=\"_blank\" rel=\"noreferrer noopener\">persistent<\/a>, organization-wide access through legitimate AWS features.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjLyo3O0SPar91y6-dDo5vnvIM9MvPXNI8TlA5F9LPN8VVCin0YcUafhof24V7Awl5fbLrV8WW05DH6JZhoMzSN6A8g0F-8wqL_CAhke0h2rW6GSG1NlVdwiURYPzg_C3A4iqjV5pvso-20faKQ0tiPhiF1cc6XHa6XgwdfaICQbGEcKywlkabCqQlaT00\/s16000\/Persistence%2520and%2520Privilege%2520Escalation%2520%28Source%2520-%2520Cymulate%29.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Persistence and Privilege Escalation (Source \u2013 Cymulate)<\/figcaption><\/figure>\n<\/div>\n<p>When an attacker successfully registers a compromised account as a delegated administrator for AWS Identity Center, they gain the ability to manipulate permission sets, user groups, and access configurations across all organizational accounts.<\/p>\n<p>This capability allows them to add malicious identities to <a href=\"https:\/\/cybersecuritynews.com\/microsoft-enhance-microsoft-365-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">high-privilege<\/a> groups or reset passwords of users with administrative access to the management account.<\/p>\n<p>The persistence mechanism is particularly insidious because it operates through legitimate delegation channels that may not trigger traditional security alerts.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" 
src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhvTNbGEf9r7PG2apdWniri84fK1KdittBMC-CCzlohhisgLuDIzyo5tD4llTMHbiR4wCya8ZQkh3yIUXhLx0qpXHFdOFqIR4AqMtoF_csCSeNAQxEXEqvhrfZWloHNAynLlSRPujaVPNs9OQbOCeHQcpaQYU180VkPnzmX7lAZlQqPISidmhlavW1TID4\/s16000\/Attack%2520flow%2520%28Source%2520-%2520Cymulate%29.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Attack flow (Source \u2013 Cymulate)<\/figcaption><\/figure>\n<\/div>\n<p>Attackers can modify existing permission sets or create new ones with elevated privileges, ensuring continued access even if the initial compromise vector is discovered and remediated.<\/p>\n<p>Additionally, the read-only organizational access granted to delegated administrators provides complete visibility into the environment structure, enabling attackers to identify high-value targets and plan sophisticated <a href=\"https:\/\/cybersecuritynews.com\/information-security-threats-for-business\/\" target=\"_blank\" rel=\"noreferrer noopener\">multi-account attacks<\/a>.<\/p>\n<p>AWS has responded to this discovery by releasing version 2 of the AmazonGuardDutyFullAccess managed policy with stricter resource constraints that eliminate the escalation path.<\/p>\n<p>However, existing roles and users attached to version 1 remain vulnerable until administrators manually upgrade to the corrected policy.<\/p>\n<p>Organizations should immediately audit all principals using the vulnerable policy and implement the updated version to prevent potential exploitation of this critical security flaw.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 89%,rgb(169,184,195) 100%)\">Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -&gt;\u00a0<a href=\"https:\/\/any.run\/demo?utm_source=csn&amp;utm_medium=article&amp;utm_campaign=braodo_stealer&amp;utm_content=demo_1&amp;utm_term=250625\" 
target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Try ANY.RUN now<\/strong><\/a><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/aws-organizations-mis-scoped-managed-policy\/\">AWS Organizations Mis-scoped Managed Policy Let Hackers To Take Full AWS Organization Control<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/aws-organizations-mis-scoped-managed-policy\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>AWS Organizations Mis-scoped Managed Policy Let Hackers To Take Full AWS Organization Control A critical security vulnerability in AWS Organizations has been discovered that could allow attackers to achieve complete control over entire multi-account AWS environments through a mis-scoped managed policy. 
The flaw, identified in the AmazonGuardDutyFullAccess managed policy version 1, enables privilege escalation from [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-5304","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5304"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5304"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5304\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
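Added example for the mis-scoped permission the article describes (the `organizations:RegisterDelegatedAdministrator` grant in AmazonGuardDutyFullAccess version 1). This is not code from the article or from Cymulate; it is a small policy linter written for this page. It assumes that the action is normally pinned to one service with the `organizations:ServicePrincipal` condition key, and the v1-style and v2-style documents embedded in it are constructed approximations, not the verbatim AWS-managed policy text.

```python
"""Lint IAM policy documents for an unscoped grant of
organizations:RegisterDelegatedAdministrator.

Added example, not code from the article or from Cymulate.
ASSUMPTIONS: V1_STYLE and V2_STYLE below are constructed approximations of the
weak and corrected statements, not the real AWS-managed policy text; scoping is
checked through the organizations:ServicePrincipal condition key.
"""
import fnmatch

TARGET_ACTION = "organizations:RegisterDelegatedAdministrator"
SCOPE_KEY = "organizations:ServicePrincipal"
# The only service principal a GuardDuty admin policy should be able to delegate.
EXPECTED_PRINCIPALS = {"guardduty.amazonaws.com"}


def _as_list(value):
    """IAM accepts a string or a list in Action/NotAction/condition values."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and may use '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _grants_target(stmt):
    """True if an Allow statement covers TARGET_ACTION via Action or NotAction."""
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:
        return not any(_matches(p, TARGET_ACTION) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, TARGET_ACTION) for p in _as_list(stmt.get("Action", [])))


def _pinned_principals(condition):
    """Service principals pinned by a StringEquals condition on SCOPE_KEY, or None."""
    for operator in ("StringEquals", "ForAnyValue:StringEquals"):
        for key, value in (condition or {}).get(operator, {}).items():
            if key.lower() == SCOPE_KEY.lower():
                return set(_as_list(value))
    return None


def find_unscoped_delegation(policy_doc):
    """One finding per statement that lets the holder register a delegated
    administrator for any service outside EXPECTED_PRINCIPALS."""
    findings = []
    for index, stmt in enumerate(_as_list(policy_doc.get("Statement", []))):
        if not _grants_target(stmt):
            continue
        pinned = _pinned_principals(stmt.get("Condition"))
        if pinned is None:
            findings.append({"statement": index, "sid": stmt.get("Sid"),
                             "issue": "no organizations:ServicePrincipal condition: any "
                                      "service (IAM Identity Center, StackSets, ...) can be delegated"})
        elif not pinned <= EXPECTED_PRINCIPALS:
            extra = sorted(pinned - EXPECTED_PRINCIPALS)
            findings.append({"statement": index, "sid": stmt.get("Sid"),
                             "issue": f"delegation allowed for unexpected principals {extra}"})
    return findings


# Constructed v1-style document: the action is allowed on every resource with no
# condition, which is the over-broad grant the article describes.
V1_STYLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GuardDutyAdmin", "Effect": "Allow", "Action": ["guardduty:*"], "Resource": "*"},
        {"Sid": "DelegateAnyService", "Effect": "Allow",
         "Action": ["organizations:RegisterDelegatedAdministrator",
                    "organizations:EnableAWSServiceAccess"],
         "Resource": "*"},
    ],
}

# Constructed v2-style document: the same action, pinned to GuardDuty's service
# principal so it cannot be used to delegate any other service.
V2_STYLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GuardDutyAdmin", "Effect": "Allow", "Action": ["guardduty:*"], "Resource": "*"},
        {"Sid": "DelegateGuardDutyOnly", "Effect": "Allow",
         "Action": ["organizations:RegisterDelegatedAdministrator"],
         "Resource": "*",
         "Condition": {"StringEquals": {"organizations:ServicePrincipal": "guardduty.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("v1-style", V1_STYLE), ("v2-style", V2_STYLE)):
        print(name, find_unscoped_delegation(doc) or "clean")
```

To run this against a live account, fetch the default version of each policy attached to management-account principals with boto3 (`iam.get_policy`, then `iam.get_policy_version` on its `DefaultVersionId`; `iam.list_entities_for_policy` lists who holds it) and pass each `Document` to `find_unscoped_delegation`. The linter also treats an Allow on `organizations:*` or an Allow with a `NotAction` that does not exclude the action as a grant, since both are common ways the same capability slips into customer-managed policies.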
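Added example for the persistence section's point that the delegation runs through legitimate channels that may not trigger traditional alerts, and for the closing advice to alert on unexpected delegated-administrator registrations. This is not code from the article or from Cymulate; it is a detection rule written for this page and run over constructed CloudTrail-style records. The account IDs, role names, timestamps and the `EXPECTED_DELEGATIONS` allow-list are hypothetical.

```python
"""Flag RegisterDelegatedAdministrator calls in CloudTrail that fall outside an
allow-list, with high severity for services whose delegated admin reaches every
account in the organization.

Added example, not code from the article or from Cymulate.
ASSUMPTIONS: SAMPLE_LOG is a constructed set of CloudTrail-style records (invented
account IDs, roles and times); EXPECTED_DELEGATIONS is a hypothetical allow-list
each organization would maintain itself.
"""
import json

# Hypothetical allow-list: service principal -> member accounts approved to administer it.
EXPECTED_DELEGATIONS = {
    "guardduty.amazonaws.com": {"222222222222"},
}

# A delegated admin for these services can change identities or deploy resources
# in every account, so any unexpected registration is treated as high severity.
HIGH_IMPACT_PRINCIPALS = {
    "sso.amazonaws.com",                                   # IAM Identity Center
    "member.org.stacksets.cloudformation.amazonaws.com",   # CloudFormation StackSets
}


def classify_event(event):
    """Return an alert dict for a suspicious RegisterDelegatedAdministrator call, else None."""
    if (event.get("eventSource") != "organizations.amazonaws.com"
            or event.get("eventName") != "RegisterDelegatedAdministrator"):
        return None
    params = event.get("requestParameters") or {}
    service = params.get("servicePrincipal")
    account = params.get("accountId")
    reasons = []
    if account not in EXPECTED_DELEGATIONS.get(service, set()):
        reasons.append(f"account {account} is not an approved delegated admin for {service}")
    if service in HIGH_IMPACT_PRINCIPALS:
        reasons.append(f"{service} delegation reaches every account in the organization")
    if event.get("errorCode"):
        # A denied attempt still reveals a principal probing for this capability.
        reasons.append(f"call failed with {event['errorCode']}")
    if not reasons:
        return None
    return {
        "time": event.get("eventTime"),
        "caller": (event.get("userIdentity") or {}).get("arn"),
        "service_principal": service,
        "delegated_account": account,
        "severity": "high" if service in HIGH_IMPACT_PRINCIPALS else "medium",
        "reasons": reasons,
    }


def scan_cloudtrail(lines):
    """Parse newline-delimited CloudTrail JSON records and return the alerts in order."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        alert = classify_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log (NDJSON, one CloudTrail record per line).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {  # Legitimate: an ops role delegates GuardDuty to the approved security account.
        "eventTime": "2025-07-10T08:00:00Z", "eventSource": "organizations.amazonaws.com",
        "eventName": "RegisterDelegatedAdministrator",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/OrgOps/alice"},
        "requestParameters": {"accountId": "222222222222", "servicePrincipal": "guardduty.amazonaws.com"},
    },
    {  # Noise: read-only enumeration, not a registration.
        "eventTime": "2025-07-11T02:10:00Z", "eventSource": "organizations.amazonaws.com",
        "eventName": "ListDelegatedAdministrators",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/GuardDutyAdmin/ci"},
        "requestParameters": {},
    },
    {  # Escalation: a GuardDuty-admin role delegates IAM Identity Center to an unapproved account.
        "eventTime": "2025-07-11T02:12:31Z", "eventSource": "organizations.amazonaws.com",
        "eventName": "RegisterDelegatedAdministrator",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/GuardDutyAdmin/ci"},
        "requestParameters": {"accountId": "333333333333", "servicePrincipal": "sso.amazonaws.com"},
    },
    {  # Probing: the same role tries StackSets delegation and is denied.
        "eventTime": "2025-07-11T02:13:05Z", "eventSource": "organizations.amazonaws.com",
        "eventName": "RegisterDelegatedAdministrator",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/GuardDutyAdmin/ci"},
        "requestParameters": {"accountId": "333333333333",
                              "servicePrincipal": "member.org.stacksets.cloudformation.amazonaws.com"},
        "errorCode": "AccessDenied",
    },
])

if __name__ == "__main__":
    for alert in scan_cloudtrail(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

The rule keys on the Organizations API call itself rather than on the policy that authorized it, so it catches the same escalation whether the caller held AmazonGuardDutyFullAccess version 1, a customer-managed clone of it, or any other over-broad grant; the approved GuardDuty delegation produces no alert, while the Identity Center registration and the denied StackSets attempt both surface as high severity.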