AWS Built a Security Tool. It Introduced a Security Risk
Published on: 2025-07-26 23:37:04
(If you missed the previous parts of this trust policy blog series, we recommend reading parts one and two first)
In the previous post of this series, we explored four dangerous misconceptions regarding how to securely set up cross-account access in AWS environments.
In this final post of the series, we’ll walk through a real-world case where even AWS got it wrong. Their Account Assessment for AWS Organizations tool, designed to audit resource-based policies for risky cross-account access, ironically introduced cross-account privilege escalation risks due to flawed deployment instructions. Specifically, customers were effectively encouraged to deploy the tool in lower-sensitivity accounts, creating risky trust paths from insecure environments into highly sensitive ones.
We’ll share how we discovered the issue, the risks it introduced, how AWS fixed it, and what affected organizations should do to detect and remediate it.
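The risk sketched above is a structural one: a role living in a high-sensitivity account whose trust policy names a principal from a less-trusted account. That pattern can be checked mechanically across an account's roles. The following Python is an added example, not code from this post, from the rest of the series, or from AWS's Account Assessment tool; the account IDs, role names and the trusted-account allowlist are constructed placeholders, and which accounts count as "sensitive" and "trusted" is an assumption the caller supplies.

```python
"""Flag IAM role trust policies that let principals from accounts outside an
allowed set assume roles in a sensitive account. Added illustration only; the
account IDs and role names below are constructed placeholders, not real ones."""
import json
import re

# Constructed sample values (assumptions): the account being protected and the
# only other account whose principals may assume roles inside it.
SENSITIVE_ACCOUNT = "999999999999"
TRUSTED_ACCOUNTS = {"888888888888"}
ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Account IDs (or '*') named by a statement's Principal element.
    Only the 'AWS' principal type grants cross-account access; Service and
    Federated principals are ignored here."""
    if principal == "*":
        return {"*"}
    accounts = set()
    values = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    for value in values:
        if value == "*":
            accounts.add("*")
        elif re.fullmatch(r"\d{12}", value):      # bare account ID means account root
            accounts.add(value)
        else:
            match = ARN_ACCOUNT.match(value)      # arn:aws:iam::123456789012:role/...
            if match:
                accounts.add(match.group(1))
    return accounts


def _allows_assume(statement):
    """True if the statement's Action covers sts:AssumeRole (or everything)."""
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    return any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions)


def risky_trusts(trust_policy, home_account=SENSITIVE_ACCOUNT, trusted_accounts=TRUSTED_ACCOUNTS):
    """Findings for Allow statements that let a principal outside the home or
    trusted accounts assume this role. Returns (reason, account) tuples; an
    empty list means no cross-account trust outside the allowed set."""
    findings = []
    for statement in _as_list(trust_policy.get("Statement")):
        if statement.get("Effect") != "Allow" or not _allows_assume(statement):
            continue
        for account in principal_accounts(statement.get("Principal", {})):
            if account == "*":
                findings.append(("wildcard principal", account))
            elif account != home_account and account not in trusted_accounts:
                findings.append(("trusts account outside the allowed set", account))
    return findings


def audit(roles):
    """roles: {role_name: trust_policy_dict}. Returns only the roles with findings."""
    report = {}
    for name, policy in roles.items():
        findings = risky_trusts(policy)
        if findings:
            report[name] = findings
    return report


# Constructed trust policies for a tooling role deployed into the sensitive account.
# The first trusts a hub in a lower-sensitivity account; the second trusts the
# designated tooling account only.
TOOL_ROLE_TRUSTING_SANDBOX = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/assessment-hub"},
    "Action": "sts:AssumeRole"
  }]
}""")

TOOL_ROLE_HARDENED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::888888888888:role/assessment-hub"},
    "Action": "sts:AssumeRole"
  }]
}""")

if __name__ == "__main__":
    sample = {"tool-in-sandbox": TOOL_ROLE_TRUSTING_SANDBOX, "tool-hardened": TOOL_ROLE_HARDENED}
    for role, findings in audit(sample).items():
        for reason, account in findings:
            print(f"{role}: {reason} ({account})")
```

The checker deliberately reasons only about which accounts appear as principals; it does not evaluate Condition blocks, so a statement that narrows access with a condition is still reported if the principal's account is outside the allowed set. Treat the output as a worklist for review, not a verdict.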
How it started
While investigating a critical privilege esca