H3-2024-0046
Over-Privileged StackSet Execution Role
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 2.5 |
Description
The AWSCloudFormationStackSetExecutionRole was found to have an attached policy that grants administrative access. This role, used by AWS CloudFormation as part of its StackSets feature, is permitted to perform any action on any resource within the AWS account. An attacker who compromises the role gains its extensive permissions.
Impact
By exploiting this misconfiguration, an attacker can gain full control over the affected AWS account. They would be able to create, modify, and delete any resource, leading to potential data breaches, service disruptions, or unauthorized access to sensitive data.
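The condition in the Description can be checked offline against policy documents exported from the role. The following is an added example, not part of the original advisory: the function names and the second sample policy are assumptions, and it flags only unconditional `Allow` statements whose `Action` and `Resource` are both `*`.

```python
import json

ROLE_NAME = "AWSCloudFormationStackSetExecutionRole"  # role named in the finding

def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def is_admin_statement(stmt):
    """True for an unconditional Allow of every action on every resource."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))

def admin_policies(policies):
    """Return sorted names of policies (name -> dict or JSON string) with an admin statement."""
    flagged = []
    for name, doc in policies.items():
        doc = json.loads(doc) if isinstance(doc, str) else doc
        statements = doc.get("Statement", [])
        if isinstance(statements, dict):  # a lone statement may not be wrapped in a list
            statements = [statements]
        if any(is_admin_statement(s) for s in statements):
            flagged.append(name)
    return sorted(flagged)

# Constructed sample input: one policy carrying the AdministratorAccess statement,
# one hypothetical policy scoped to the services a stack set deploys.
SAMPLE_POLICIES = {
    "AdministratorAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "constructed-scoped-policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": ["cloudformation:*", "s3:*"], "Resource": "*"},
    }),
}

if __name__ == "__main__":
    for name in admin_policies(SAMPLE_POLICIES):
        print(f"{ROLE_NAME}: policy {name!r} grants administrative access")
```

The check does not evaluate `NotAction` statements or service-level wildcards such as `iam:*`, so a clean result means only that no policy grants literal `*` on `*`.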