Severity: medium | CWE-269 | OWASP A01:2021

Over-privileged IAM Roles

Granting a serverless function or service more IAM permissions than it actually uses turns a bug in that one function into a full account compromise.

How It Works

If a function only reads from one S3 bucket but its execution role carries AdministratorAccess (or an inline Action "*" / Resource "*" grant), any code-execution bug in the function, such as an injection flaw or a vulnerable dependency, hands the attacker the role's temporary credentials, which Lambda exposes to the code through environment variables, and with them full control of the AWS account. Attackers specifically look for Lambda functions with over-broad roles because they are a reliable privilege escalation path: once the role itself is the prize, no further exploit is needed.

Vulnerable Code
// BAD: execution role for a Lambda function that only needs S3 reads,
// but this policy is equivalent to AdministratorAccess
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Secure Code
// GOOD: grant only the exact actions on the exact resources needed
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::my-bucket/reports/*"
    }
  ]
}
// If the function also lists the prefix, add s3:ListBucket on the bucket ARN
// (arn:aws:s3:::my-bucket), not on the object ARN; listing is a bucket-level action.

Real-World Example

The Capital One breach (2019) began with an SSRF vulnerability in a web application firewall running on an EC2 instance. The attacker used it to query the instance metadata service (169.254.169.254), obtained temporary credentials for the instance's IAM role, and, because that role could list and read S3 buckets far beyond what the firewall needed, downloaded data on more than 100 million customers from S3. IMDSv2, which requires a session token fetched with a PUT request, would have blunted that particular SSRF; the over-broad role is what turned a single request-forgery bug into a breach.

How to Prevent It

  • Follow the principle of least privilege: grant only the actions the function actually calls, scoped to the resources it actually touches
  • Give each function its own execution role; a role shared across functions accumulates the union of every function's permissions
  • Use IAM Access Analyzer to flag overly permissive policies and to generate least-privilege policies from the function's CloudTrail activity
  • Review and tighten IAM roles every quarter using IAM last-accessed information (Access Advisor), which shows the services and actions a role has actually used; IAM credential reports cover user passwords and access keys, not role permissions
  • Never attach AdministratorAccess or grant Action "*" to an application role
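The following is an added example, not code from this page or from Data Hogo: an offline Python linter that applies the checks in the list above to an IAM policy document. It flags Action "*", service-wide Action "service:*", Resource "*", NotAction/NotResource, and any action matching a constructed, non-exhaustive list of actions that are themselves privilege-escalation paths (iam:PassRole and friends). The sample policies are constructed for the example; the function and constant names are the example's own, not an AWS API.

```python
"""Offline linter for IAM policy documents (example code, not an AWS tool).

Flags the patterns this page warns about: wildcard actions, wildcard
resources, NotAction/NotResource, and actions that let a principal grant
itself more access. Runs on policy JSON without contacting AWS.
"""
import fnmatch
import json
import sys

# Actions that let a principal grant itself or others more access.
# Constructed, non-exhaustive list for this example; extend it for your account.
ESCALATION_ACTIONS = (
    "iam:PassRole",
    "iam:CreatePolicyVersion",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy",
    "iam:CreateAccessKey",
    "sts:AssumeRole",
    "lambda:UpdateFunctionCode",
)


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overprivileged(policy):
    """Return (statement index, finding) pairs for every Allow statement that
    is broader than an application role should be."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction/NotResource grant everything *except* the listed items.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "NotAction/NotResource grants everything not listed"))
        # Action names are case-insensitive and accept '*' and '?' wildcards.
        for action in (a.lower() for a in _as_list(stmt.get("Action"))):
            if action == "*":
                findings.append((idx, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((idx, f"Action '{action}' grants every call in that service"))
            else:
                for esc in ESCALATION_ACTIONS:
                    if fnmatch.fnmatchcase(esc.lower(), action):
                        findings.append((idx, f"Action '{action}' covers escalation path {esc}"))
        # Resource '*' applies the actions to every resource in the account.
        # Caveat: a few actions (e.g. s3:ListAllMyBuckets) only accept '*',
        # so treat this as a review item rather than a hard failure.
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((idx, "Resource '*' applies the actions account-wide"))
    return findings


# Constructed sample policies: the page's vulnerable and secure statements, plus
# a subtler one that looks like "S3 reads only" until you notice the PassRole
# grant, which lets the function hand a more privileged role to resources it creates.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::my-bucket/reports/*",
    }],
}
SUBTLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::my-bucket/reports/*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction"],
         "Resource": "*"},
    ],
}


def main(argv):
    """Lint a policy JSON file given on the command line, or the built-in samples."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            targets = {argv[1]: json.load(fh)}
    else:
        targets = {"ADMIN_POLICY": ADMIN_POLICY,
                   "LEAST_PRIVILEGE_POLICY": LEAST_PRIVILEGE_POLICY,
                   "SUBTLE_POLICY": SUBTLE_POLICY}
    exit_code = 0
    for name, policy in targets.items():
        findings = find_overprivileged(policy)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for idx, msg in findings:
            print(f"  Statement[{idx}]: {msg}")
        exit_code = 1 if findings else exit_code
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to lint the three samples, or pass the path of a policy JSON exported with `aws iam get-role-policy` / `get-policy-version`. The escalation list is deliberately small; in practice, pair a check like this with IAM last-accessed data so that the flagged permissions can be cut down to what the function has actually used.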

Affected Technologies

AWS, GCP, Azure

Data Hogo detects this vulnerability automatically.
