Excessive permissions in cloud security occur when users or applications have more access than necessary to perform their tasks.
For instance, actions like deleting an S3 bucket or terminating an EC2 instance are considered high-privilege actions and are typically not granted to everyone with access to the AWS account. Instead, these permissions are reserved for a select few individuals, such as administrators or site owners. When managing these high-privilege actions among team members, there is a risk that a team member who is expected to have only read-only access may inadvertently be granted permissions to perform high-privilege actions. In this case, that team member is said to have excessive permissions.
Here’s a breakdown of the excessive permissions evaluated across the different cloud services:
Evaluated by AWS
Excessive Permission Categories that AWS evaluates when validating each AWS policy.
Excessive Permission Category | Description |
---|---|
Insecure Principal Config | AWS IAM principals include AWS users (including federated users), AWS groups and AWS roles, all of which are referenced in policies. Insecure statements in a policy can grant those principals overly broad or inappropriate permissions, potentially exposing resources to unauthorized access and leading to security vulnerabilities. |
Invalid Arn | An Amazon Resource Name (ARN) is the unique identifier for each resource in AWS. An ARN that is improperly formatted, non-existent, or points to an unsupported resource might unintentionally grant access to incorrect or unintended resources in the future (once new resources are created, AWS independently assigns their ARNs, which may then match the ones already in the policy). |
Invalid Resource | The policy references a non-existent, unauthorized, or incorrectly defined resource, causing validation failure and weakening access control, if not now then in the future. |
Invalid Syntax | Incorrect policy formatting that could lead to unintended permissions being granted. |
Invalid Service | Referencing unsupported or incorrect AWS services that might allow excessive actions. |
Invalid Action | Misconfigured actions in policies, potentially granting broader permissions than required. |
Insecure Condition Config | Weak policy conditions leading to excessive access based on broad or poorly configured parameters. |
Invalid Data | Misconfigured data within the policy that can lead to wider access than intended. |
Invalid Data Type | Incorrect data types in policies causing misinterpretations of access rights. |
Insecure Variables Handling | Allowing user-controlled variables in policies, which might grant unintended permissions. |
Invalid Network Config | Misconfigured network permissions that expose more resources than necessary. |
Create Service Linked Role | Configurations that allow creation of service-linked roles through unintended access to the iam:CreateServiceLinkedRole permission. Commonly, this occurs when wildcards ( * ) are used instead of resource ARNs in policies. |
Insecure PassRole Config | Configurations that allow untrusted entities to assume roles (through indirectly invoking iam:PassRole) with excessive permissions. |
Large Policy | Policies with too many actions or resources, increasing the likelihood of granting more permissions than required. |
Insecure Federation | Weak federation setups allowing external identities to access more resources than needed, creating potential security risks. |
Evaluated by SecPod
The excessive permission categories defined by SecPod are evaluated whenever an AWS policy is validated through Saner CNAPP.
Excessive Permission Category | Description |
---|---|
High Privilege Actions | Actions such as Delete S3 Bucket, Terminate EC2 instance, Update Security Group Rules, etc. are typically reserved for administrators or users with elevated privileges. Allowing these actions in a policy for general users or roles increases the risk of accidental or malicious disruptions. |
Broad Policy | Policies that allow overly permissive actions over a potentially unrestricted resource scope. These policies can allow risky actions across a large number of resources in the AWS environment. This increases the security risk for service disruption and potential exposure of sensitive assets now or in the future. |
Others | Any new excessive permission category introduced by AWS in its validation process is eventually reflected in Saner CNAPP after the corresponding Security Intelligence Content update. Until then, policies evaluated under such new categories fall under the "Others" category. |
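To make the AWS and SecPod categories above concrete, here is an added example (not Saner CNAPP or AWS code) that walks the statements of an IAM identity policy and reports the patterns the tables describe: service-wide wildcards over `Resource: "*"` (Broad Policy), the page's high-privilege actions such as deleting a bucket or terminating an instance (High Privilege Actions), and `iam:PassRole` or `iam:CreateServiceLinkedRole` granted on a bare wildcard instead of a role ARN (Insecure PassRole Config, Create Service Linked Role). The high-privilege watch list, the two sample policies and the account ID in them are constructed for the illustration.

```python
"""Flag excessive-permission patterns in an AWS IAM identity policy.

Added illustration for the categories described above; this is not Saner CNAPP
or AWS code, and the two policies at the bottom are constructed samples.
"""
import fnmatch
import json
import sys

# Constructed watch list built from the page's own examples of high-privilege
# actions (delete bucket, terminate instance, update security group rules) plus
# the two IAM actions the AWS categories single out.
HIGH_PRIVILEGE_ACTIONS = {
    "s3:DeleteBucket",
    "ec2:TerminateInstances",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupEgress",
    "iam:PassRole",
    "iam:CreateServiceLinkedRole",
}
# These two are reported only when Resource is a bare wildcard, i.e. any role
# in the account can be passed or created; scoped to a role ARN they are fine.
WILDCARD_SENSITIVE = {"iam:PassRole", "iam:CreateServiceLinkedRole"}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and '*' is the only wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_excessive_permissions(policy):
    """Return one finding dict per risky (statement, action, category) triple."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        resources = _as_list(stmt.get("Resource"))
        wildcard_resource = "*" in resources
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append({"statement": idx, "action": "NotAction/NotResource",
                             "category": "Broad Policy",
                             "detail": "inverted list allows everything not named"})
        for pattern in _as_list(stmt.get("Action")):
            # Account-wide ("*") or service-wide ("s3:*") action over every
            # resource is the textbook Broad Policy.
            if (pattern == "*" or pattern.endswith(":*")) and wildcard_resource:
                findings.append({"statement": idx, "action": pattern,
                                 "category": "Broad Policy",
                                 "detail": "wildcard action over Resource '*'"})
            for hp in sorted(HIGH_PRIVILEGE_ACTIONS):
                if not _action_matches(pattern, hp):
                    continue
                if hp in WILDCARD_SENSITIVE:
                    if wildcard_resource:
                        category = ("Insecure PassRole Config" if hp == "iam:PassRole"
                                    else "Create Service Linked Role")
                        findings.append({"statement": idx, "action": pattern,
                                         "category": category,
                                         "detail": f"{hp} allowed on Resource '*'"})
                    continue
                findings.append({"statement": idx, "action": pattern,
                                 "category": "High Privilege Actions",
                                 "detail": f"grants {hp}"})
    return findings


# Constructed sample: a "developer" policy that quietly hands out admin-grade power.
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "iam:CreateServiceLinkedRole"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

# Constructed sample: the same intent scoped to named resources (account ID is a placeholder).
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    # Pass a policy JSON file as argv[1], or run without arguments to see the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(json.dumps(find_excessive_permissions(json.load(fh)), indent=2))
    else:
        for name, pol in (("overly permissive", OVERLY_PERMISSIVE_POLICY),
                          ("least privilege", LEAST_PRIVILEGE_POLICY)):
            print(name, json.dumps(find_excessive_permissions(pol), indent=2))
```

The read-only `ec2:Describe*` statement in the first policy produces no finding, which is the point of matching on the watch list rather than on any wildcard; the `iam:PassRole` grant in the second policy is likewise silent because it names one role ARN and is further pinned to a service with `iam:PassedToService`.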
Excessive Permission Categories in Azure
Excessive Permissions for RBAC Roles and Entra Roles are evaluated.
Excessive Permission Category | Description |
---|---|
Administrative Privileges | High-level permissions allowing full control over resources, increasing risk if misused. |
Privileged Access Role | Includes elevated access to sensitive configurations, often with limited monitoring. |
Elevated Actions | Involves temporary permissions granted for specific tasks, posing risks if not revoked promptly or monitored effectively. |
Wide Access Policy | Refers to roles or permissions granted to users, groups, or applications with broad scope, potentially exposing critical resources. |
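The Azure table is easier to apply once the role definition's own semantics are spelled out: Azure computes a role's effective operations as Actions minus NotActions, so a role with `"Actions": ["*"]` is only administrative if NotActions does not carve out role-assignment writes, which is exactly how the built-in Owner and Contributor roles differ. The added example below (not SecPod or Microsoft code) evaluates that subtraction and then reports the Administrative Privileges and Wide Access Policy categories from the table; it assumes the JSON layout accepted by `az role definition create` (Actions / NotActions / DataActions / NotDataActions / AssignableScopes), and the three role definitions and the subscription ID are constructed.

```python
"""Classify an Azure RBAC custom role definition against the categories above.

Added example, not SecPod or Microsoft code. It assumes the JSON layout that
`az role definition create` accepts; the role definitions below are constructed.
"""
import fnmatch

# Operations whose grant amounts to administrative control: being able to hand
# out roles, or to elevate access. The built-in Contributor role excludes these
# via NotActions, which is what separates it from Owner.
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
ELEVATE_ACCESS = "Microsoft.Authorization/elevateAccess/action"


def _match(pattern, operation):
    """Azure operation strings are case-insensitive; '*' spans '/' segments."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def permits(role, operation, data=False):
    """Effective permission = Actions minus NotActions (or the DataActions pair)."""
    allow_key, deny_key = (("DataActions", "NotDataActions") if data
                           else ("Actions", "NotActions"))
    allowed = any(_match(p, operation) for p in role.get(allow_key, []))
    excluded = any(_match(p, operation) for p in role.get(deny_key, []))
    return allowed and not excluded


def _is_broad_scope(scope):
    """Root, a management group, or a whole subscription counts as broad."""
    if scope == "/" or scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return True
    return scope.startswith("/subscriptions/") and scope.count("/") == 2


def classify(role):
    """Return the sorted list of categories from the table that apply to the role."""
    categories = set()
    if permits(role, ROLE_ASSIGNMENT_WRITE) or permits(role, ELEVATE_ACCESS):
        categories.add("Administrative Privileges")
    # Provider-wide wildcards ("*" or "Microsoft.Foo/*") assignable at a root,
    # management-group or subscription scope are what the page calls a Wide Access Policy.
    broad_actions = [a for a in role.get("Actions", []) if a == "*" or a.endswith("/*")]
    if broad_actions and any(_is_broad_scope(s) for s in role.get("AssignableScopes", [])):
        categories.add("Wide Access Policy")
    return sorted(categories)


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder

# Constructed: full control, nothing excluded, assignable subscription-wide.
OWNER_LIKE = {"Name": "constructed-owner-like", "Actions": ["*"], "NotActions": [],
              "DataActions": [], "NotDataActions": [], "AssignableScopes": [SUB]}

# Constructed: same wildcard, but NotActions removes the authorization writes.
CONTRIBUTOR_LIKE = {"Name": "constructed-contributor-like", "Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"],
                    "DataActions": [], "NotDataActions": [], "AssignableScopes": [SUB]}

# Constructed: explicit read operations, assignable only to one resource group.
SCOPED_READER = {"Name": "constructed-storage-reader",
                 "Actions": ["Microsoft.Storage/storageAccounts/read",
                             "Microsoft.Storage/storageAccounts/blobServices/read"],
                 "NotActions": [], "DataActions": [], "NotDataActions": [],
                 "AssignableScopes": [SUB + "/resourceGroups/app-rg"]}

if __name__ == "__main__":
    for role in (OWNER_LIKE, CONTRIBUTOR_LIKE, SCOPED_READER):
        print(role["Name"], classify(role))
```

The Contributor-like role still lands in Wide Access Policy even though it cannot assign roles, because `"*"` over a whole subscription is broad regardless of the carve-outs; narrowing AssignableScopes or replacing the wildcard with the provider operations actually needed clears that finding.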
See Also
Cloud Infrastructure Entitlement Management (CIEM) User Guide