{"id":1179,"date":"2024-04-16T11:22:00","date_gmt":"2024-04-16T11:22:00","guid":{"rendered":"https:\/\/badbadger.tech\/?p=1179"},"modified":"2025-02-24T23:48:37","modified_gmt":"2025-02-24T23:48:37","slug":"iam-shadow-permissions-02","status":"publish","type":"post","link":"https:\/\/badbadger.tech\/?p=1179","title":{"rendered":"How to Detect IAM Policy Shadowing in AWS Using Native Tools"},"content":{"rendered":"\n<p>In December 2022, security researchers at Sysdig <a href=\"https:\/\/sysdig.com\/blog\/iam-security-misconfiguration\/\" target=\"_blank\" rel=\"noopener\" title=\"\">uncovered real-world cases<\/a> of <strong>privilege escalation via IAM misconfiguration<\/strong>. An attacker exploited an overlooked permission in an AWS environment, allowing them to modify IAM policies. By leveraging the ability to create new policy versions, they granted themselves full administrative access\u2014bypassing intended security controls. This type of <strong>shadow IAM permission<\/strong> is exactly what we aim to detect before it becomes a security incident.<\/p>\n\n\n\n<p>In our <a href=\"https:\/\/badbadger.tech\/?p=1173\" target=\"_blank\" rel=\"noopener\" title=\"What Lurks in the Shadows of IAM? The Hidden Risk  of Shadow Permissions\">last post<\/a>, we introduced IAM Policy Shadowing\u2014when overlapping AWS IAM policies unintentionally override each other, leading to excessive or unintended permissions. Now, let\u2019s take the next step: <strong>How do you detect these conflicts before they cause a security incident?<\/strong><\/p>\n\n\n\n<p>This post will walk through AWS-native tools that help identify IAM policy shadowing, ensuring your access controls work as expected.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1. 
Understanding How AWS Evaluates Policies<\/strong><\/h3>\n\n\n\n<p>Before jumping into detection, let\u2019s quickly review <strong>how AWS IAM evaluates policies<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Explicit Deny<\/strong> always takes precedence.<\/li>\n\n\n\n<li><strong>Allow permissions<\/strong> are granted only if a policy explicitly allows the action and no explicit deny applies; everything else is implicitly denied.<\/li>\n\n\n\n<li><strong>Multiple attached policies are merged<\/strong>, which can result in shadowing.<\/li>\n\n\n\n<li><strong>SCPs and Permission Boundaries<\/strong> add another layer of complexity: they cap what identity policies can grant.<\/li>\n<\/ul>\n\n\n\n<p>Understanding these rules is crucial for spotting unexpected behavior.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2. AWS Tools to Detect IAM Policy Shadowing<\/strong><\/h3>\n\n\n\n<p>AWS provides several built-in tools to analyze IAM policies and their effects:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>IAM Policy Simulator<\/strong><\/h4>\n\n\n\n<p>\ud83c\udfaf <strong>Best for:<\/strong> Testing how policies apply to a specific user, role, or group.<\/p>\n\n\n\n<p>\u2705 <strong>Steps to Use:<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Navigate to <strong>IAM Console > Policy Simulator<\/strong>.<\/li>\n\n\n\n<li>Select a user, role, or group.<\/li>\n\n\n\n<li>Add actions (e.g., <code>s3:DeleteBucket<\/code>).<\/li>\n\n\n\n<li>Run the simulation and check which policy allows or denies the action.<\/li>\n\n\n\n<li>Look for unexpected overrides.<\/li>\n<\/ol>\n\n\n\n<p>\ud83d\udd0e <strong>Pro Tip:<\/strong> Test actions across multiple accounts and roles to uncover unintended permissions.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>IAM Access Analyzer<\/strong><\/h4>\n\n\n\n<p>\ud83c\udfaf <strong>Best for:<\/strong> Identifying excessive permissions and external access risks.<\/p>\n\n\n\n<p>\u2705 <strong>Steps to Use:<\/strong><\/p>\n\n\n\n<ol start=\"1\"\n
class=\"wp-block-list\">\n<li>Open <strong>AWS IAM > Access Analyzer<\/strong>.<\/li>\n\n\n\n<li>Create an analyzer for your organization or account.<\/li>\n\n\n\n<li>Review the findings to detect <strong>unintended access paths<\/strong>.<\/li>\n\n\n\n<li>Investigate policies granting broader-than-expected access.<\/li>\n<\/ol>\n\n\n\n<p>\ud83d\udd0e <strong>Pro Tip:<\/strong> Set up continuous Access Analyzer monitoring to receive alerts on new shadowed permissions.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>AWS Config Rules for IAM Policies<\/strong><\/h4>\n\n\n\n<p>\ud83c\udfaf <strong>Best for:<\/strong> Continuous compliance checks on IAM policies.<\/p>\n\n\n\n<p>\u2705 <strong>Steps to Use:<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Open <strong>AWS Config<\/strong> and enable rules.<\/li>\n\n\n\n<li>Select built-in IAM compliance rules (e.g., <code>iam-policy-no-statements-with-admin-access<\/code>).<\/li>\n\n\n\n<li>Monitor compliance status and investigate failures.<\/li>\n<\/ol>\n\n\n\n<p>\ud83d\udd0e <strong>Pro Tip:<\/strong> Create custom Config rules to flag conflicting IAM policies.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>AWS CloudTrail \u2013 Tracking Unauthorized Actions<\/strong><\/h4>\n\n\n\n<p>\ud83c\udfaf <strong>Best for:<\/strong> Auditing IAM policy shadowing incidents.<\/p>\n\n\n\n<p>\u2705 <strong>Steps to Use:<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Navigate to <strong>AWS CloudTrail > Event History<\/strong>.<\/li>\n\n\n\n<li>Filter by <strong>IAM or security-related actions<\/strong>.<\/li>\n\n\n\n<li>Look for denied requests that should have been allowed\u2014or vice versa.<\/li>\n<\/ol>\n\n\n\n<p>\ud83d\udd0e <strong>Pro Tip:<\/strong> Set up <strong>CloudWatch Alarms<\/strong> for high-risk IAM actions like <code>AssumeRole<\/code>, <code>AttachPolicy<\/code>, and <code>DetachPolicy<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3. Real-World Example: Diagnosing a Policy Conflict<\/strong><\/h3>\n\n\n\n<p>Imagine you have an IAM Role assigned to engineers. A <strong>Service Control Policy (SCP)<\/strong> explicitly denies S3 bucket deletion, but an inline policy attached to their role allows it.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>How to Identify the Conflict:<\/strong><\/h4>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Use the IAM Policy Simulator<\/strong> to test <code>s3:DeleteBucket<\/code> for the role.<\/li>\n\n\n\n<li><strong>Run AWS Access Analyzer<\/strong> to check if an attached policy overrides the SCP.<\/li>\n\n\n\n<li><strong>Check AWS Config Rules<\/strong> for compliance violations.<\/li>\n\n\n\n<li><strong>Review CloudTrail logs<\/strong> to see if S3 deletions have occurred unexpectedly.<\/li>\n<\/ol>\n\n\n\n<p>By correlating findings across these tools, you can <strong>pinpoint policy shadowing issues<\/strong> before they lead to security breaches.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4. Proactive Measures to Prevent IAM Policy Shadowing<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2705 <strong>Use least privilege principles<\/strong> \u2013 Avoid overly broad permissions in managed policies.<\/li>\n\n\n\n<li>\u2705 <strong>Regularly audit IAM roles and permissions<\/strong> \u2013 Use IAM Access Analyzer for automated checks.<\/li>\n\n\n\n<li>\u2705 <strong>Document IAM policy changes<\/strong> \u2013 Maintain version control and track updates.<\/li>\n\n\n\n<li>\u2705 <strong>Enable AWS Config and CloudTrail alerts<\/strong> \u2013 Detect unauthorized changes in real time.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What\u2019s Next?<\/strong><\/h3>\n\n\n\n<p>We\u2019ve covered <strong>how to detect IAM Policy Shadowing<\/strong> using AWS-native tools.<\/p>\n\n\n\n<p>
In our next post, we\u2019ll dive into <strong>writing secure IAM policies that prevent conflicts from the start<\/strong>.<\/p>\n\n\n\n<p>Stay tuned, and let\u2019s keep our AWS environments secure!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In December 2022, security researchers at Sysdig uncovered real-world cases of privilege escalation via IAM misconfiguration. An attacker exploited an overlooked permission in an AWS environment, allowing them to modify IAM policies. By leveraging the ability to create new policy versions, they granted themselves full administrative access\u2014bypassing intended security controls. This type of shadow IAM&#8230;<\/p>\n","protected":false},"author":2,"featured_media":1180,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[12,17],"tags":[41,46,52,58,48,45,42,47,71,44],"class_list":["post-1179","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-techniques","category-tools","tag-aws-iam","tag-aws-iam-best-practices","tag-aws-iam-policy-conflicts","tag-aws-iam-policy-evaluation","tag-aws-identity-and-access-management","tag-aws-permissions","tag-aws-security","tag-cloud-security","tag-detecting-aws-iam-misconfigurations","tag-iam-policy-shadowing"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/badbadger.tech\/index.php?rest_route=\/wp\/v2\/posts\/1179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/badbadger.tech\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/badbadger.tech\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/badbadger.tech\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"htt
ps:\/\/badbadger.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1179"}],"version-history":[{"count":1,"href":"https:\/\/badbadger.tech\/index.php?rest_route=\/wp\/v2\/posts\/1179\/revisions"}],"predecessor-version":[{"id":1181,"href":"https:\/\/badbadger.tech\/index.php?rest_route=\/wp\/v2\/posts\/1179\/revisions\/1181"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/badbadger.tech\/index.php?rest_route=\/wp\/v2\/media\/1180"}],"wp:attachment":[{"href":"https:\/\/badbadger.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/badbadger.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/badbadger.tech\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}