
Effective IAM News – 2025-05-02

by Chase Christy | Aug 1, 2025 | The Effective IAM Newsletter

PowerUserAccess: The Hidden Path to Admin Control

Ever wonder how attackers see the AWS permissions you grant? This week, we gain a critical perspective from the trenches with PowerUserAccess vs. AdministratorAccess from an attacker’s perspective by Eduard Agavriloae, Director of Cloud R&D of OffensAI.

Eduard’s analysis challenges the common belief that PowerUserAccess is a “safer” default, demonstrating how environment complexity allows attackers to leverage this policy to achieve the same impact as having full administrator rights. This is a must-read perspective for cloud security teams seeking to understand the true effectiveness of their IAM policies in preventing unauthorized access and data breaches.

PowerUserAccess is (often) all attackers need

The most common privilege escalation paths exploit resources with excessive permissions. With PowerUserAccess, attackers can: modify then use Lambda functions with inappropriate IAM permissions, use SSM SendCommand to exfiltrate credentials from EC2 instances with overly permissive roles, or alter CloudFormation templates to include privilege escalation vectors.

Agavriloae notes that administrator roles are frequently attached directly to various resource types, and combined with roles that can be assumed, the supposed “power user” effectively becomes an administrator.

This means even without direct iam:* actions, an attacker can chain capabilities and gain full access by exploiting weak configurations.

Agavriloae recommends completely detaching PowerUserAccess from all identities.

For organizations with PowerUserAccess integrated into provisioning automation, he suggests:

  1. Eliminate PowerUserAccess from future deployments
  2. Evaluate use of PowerUserAccess in existing workflows and replace with (custom) policies scoped to the permissions actually being used

Best Practices From The Analysis

Eduard closes his article with seven takeaways that highlight both the false sense of security created by the gap between PowerUserAccess and AdministratorAccess, and essential best practices for organizations. We’d do well to apply Eduard’s advice to better protect our AWS environments from privilege escalation and sophisticated attacks.

Helpful Resources

  • PowerUserAccess vs. AdministratorAccess article – Original analysis by Eduard Agavriloae
  • AWS Permission Boundaries Documentation – Official guidance on implementing permission boundaries

IAM Fun Fact

The PowerUserAccess policy appears restrictive by denying iam:* actions, but actually allows seven specific IAM permissions including iam:CreateServiceLinkedRole and iam:ListRoles. In complex environments, these exceptions often open just enough of a door for skilled attackers to escalate privileges.
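To make the two remediation steps and the fun fact concrete, here is an added example (not code from the newsletter or from Agavriloae's article): a small offline evaluator of IAM action-level allow/deny logic, run against a constructed approximation of the managed PowerUserAccess policy and a hypothetical scoped replacement. Assumptions: the PowerUserAccess document below is reconstructed from the managed policy's well-known NotAction shape and may lag AWS's current version, the scoped policy and its deploy-pipeline workload are invented, and Resource and Condition evaluation is deliberately omitted.

```python
import fnmatch
# Constructed approximation of the AWS managed PowerUserAccess policy: it is
# built on NotAction, so everything outside iam/organizations/account is
# allowed, plus a short explicit allow-list inside those three services.
POWER_USER_ACCESS = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "NotAction": ["iam:*", "organizations:*", "account:*"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
                "iam:ListRoles", "organizations:DescribeOrganization",
                "account:ListRegions", "account:GetAccountInformation",
                "account:GetPrimaryEmail"]},
]}

# Hypothetical replacement (step 2 above): an explicit allow-list for a deploy
# pipeline assumed to only read S3 artifacts and publish Lambda code.
SCOPED_DEPLOY_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetObject", "lambda:GetFunction", "lambda:UpdateFunctionCode"]},
]}

# Actions the newsletter calls out as escalation-prone under PowerUserAccess.
ESCALATION_PRONE = ["lambda:UpdateFunctionCode", "ssm:SendCommand",
                    "cloudformation:UpdateStack", "iam:ListRoles", "iam:CreateUser"]

def _matches(patterns, action):
    # IAM action matching is case-insensitive; '*' and '?' are the wildcards.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def statement_applies(stmt, action):
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    return not _matches(stmt["NotAction"], action)  # NotAction = everything else

def is_allowed(policy, action):
    """Identity-policy logic only: explicit Deny wins, any matching Allow
    grants, otherwise implicit deny. Resource and Condition are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def excess_grants(current, replacement, actions):
    """Actions the current policy allows that the scoped replacement drops."""
    return [a for a in actions
            if is_allowed(current, a) and not is_allowed(replacement, a)]
```

Running `excess_grants(POWER_USER_ACCESS, SCOPED_DEPLOY_POLICY, ESCALATION_PRONE)` lists the escalation-prone actions the scoped policy removes, which is the review you would repeat per workflow before detaching PowerUserAccess.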

Attribution

🎩 Tip of the cap to Eduard Agavriloae for providing this practical analysis of how attackers view AWS permission boundaries and demonstrating why PowerUserAccess might not be providing the security you think it does.
