AWS Security Tool Introduces Cross-Account Privilege Escalation Risks Due to Flawed Deployment Instructions
In a recent discovery, AWS's Account Assessment for AWS Organizations tool, intended to audit resource-based policies for risky cross-account access, inadvertently introduced a significant security risk through its deployment instructions. The risk stemmed from guidance that encouraged customers to deploy the tool in lower-sensitivity accounts, creating trust paths that could let an attacker escalate privileges from a less secure environment into more sensitive ones.

The Discovery

While investigating a critical privilege escalation risk in a customer's AWS environment, it was found that a specific IAM role was present in both the production and management accounts and that its trust policy trusted roles in the development account. The role had extensive permissions, including sensitive IAM and data-related API calls such as managing user identities, accessing S3 buckets, and using KMS keys. These permissions were granted on all resources, making the role highly dangerous if compromised.

The Misconfiguration

The misconfiguration was concerning because a development account typically has weaker security controls than production and management accounts. An attacker who gained access to the role in the development account could use the trust relationship to assume the same role in the more sensitive accounts. This could lead to a full compromise of the organization's most critical environments, including production, PCI-DSS environments, and even the management account.

The Account Assessment Tool

The peculiar names of these roles suggested they were created by an automated system, which led to AWS's Account Assessment for AWS Organizations tool. According to AWS, the tool helps users centrally evaluate and manage AWS accounts within their AWS Organizations and is useful for security audits, mergers and acquisitions, and policy management. The real problem, however, was the deployment instructions.

Flawed Deployment Guidance

The official deployment guidance recommended not deploying the hub stack in the management account, stating: "Hub stack - Deploy to any member account in your AWS Organization except the Organizations management account." Without further security context, this advice steered customers toward deploying the hub in a development or similarly low-sensitivity account. That setup created a direct trust path from a less secure account into more sensitive ones, significantly increasing the risk of privilege escalation.

Implications and Risks

For organizations that followed AWS's initial deployment instructions, the hub account became a high-value target. If it were compromised, attackers could assume roles in all linked accounts and gain access to sensitive environments, where they could:

- modify or extract data from S3 buckets;
- manipulate IAM configurations;
- access KMS keys;
- pivot into the management account, potentially taking control of the entire AWS organization.

The tool's predefined role names made it even easier for attackers to identify and exploit these trust paths, reducing the effort needed to escalate privileges.

Detection and Remediation

To determine whether your organization is affected:

1. Check the deployment date: examine the CreateDate property of the roles. If the tool was deployed before January 28, 2025, remove the current deployment unless the hub role is in a high-security account.
2. Remove the tool: uninstall it by deleting the CloudFormation stacks for the Hub, Spoke, and Org-Management components. Follow AWS's official uninstallation guide for detailed instructions.
3. Redeploy carefully: if the tool is still needed, redeploy the hub role in an account with security equivalent to the management account to prevent privilege escalation.

Reporting and Resolution

Upon identifying the issue, it was reported to the AWS Security team, which promptly acknowledged the risk. AWS revised the documentation to explicitly advise customers to deploy the hub role in a high-security account that matches the sensitivity of the accounts being assessed. The updated documentation now states: "Deploy the hub in an account as secure as all scanned accounts."

Industry Feedback

Industry insiders praise AWS for their responsiveness and commitment to improving security. The incident highlights the importance of comprehensive and clear security guidance, especially for tools designed to enhance security. AWS's swift action in addressing the issue underscores their dedication to maintaining the trust of their customers.

Company Profile

Token Security is a leading provider of machine-first identity security platforms that detect and mitigate trust policy risks. Their platform identifies risky cross-account trust policies, whether caused by AWS tooling, human error, or overlooked configurations. To learn more, interested parties can book a demo to see how Token Security helps organizations stay ahead of these security challenges.

This series has illustrated the nuanced challenges of securing trust relationships in AWS environments, emphasizing the need for a deeper understanding of trust mechanisms rather than relying solely on checklists.
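An added example, not code from Token Security or AWS, of the two checks behind the Detection and Remediation steps above, run offline against a role description shaped like `aws iam get-role` output: the CreateDate cutoff, and a trust policy that lets a lower-sensitivity account assume a role living in a higher-sensitivity account. The account ids, sensitivity tiers and role name are constructed placeholders, not values from the article.

```python
import re
from datetime import datetime, timezone

DOC_FIX_DATE = datetime(2025, 1, 28, tzinfo=timezone.utc)  # revised guidance date (from the article)
# Constructed sensitivity tiers (higher = more sensitive); the account ids are placeholders.
TIERS = {"111111111111": 1, "222222222222": 3, "333333333333": 4}  # dev, prod, management
ACCOUNT_RE = re.compile(r"(?:arn:aws:iam::)?(\d{12})(?::|$)")

def principal_accounts(trust_policy):
    """Account ids that an Allow + sts:AssumeRole statement names as AWS principals."""
    stmts = trust_policy.get("Statement", [])
    found = set()
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") != "Allow" or not any(a.lower().startswith("sts:assumerole") for a in actions):
            continue
        principal = s.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []  # "*" principals skipped
        for p in [aws] if isinstance(aws, str) else aws:
            m = ACCOUNT_RE.search(p)
            if m:
                found.add(m.group(1))
    return found

def risky_trusts(role_account, trust_policy, tiers=TIERS):
    """Principal accounts less sensitive than the role's own account: the trust path the article warns about."""
    own = tiers.get(role_account, 0)
    return sorted(a for a in principal_accounts(trust_policy) if tiers.get(a, 0) < own)

def deployed_before_fix(create_date):
    """True when the role's CreateDate predates the revised deployment guidance."""
    if create_date.tzinfo is None:
        create_date = create_date.replace(tzinfo=timezone.utc)
    return create_date < DOC_FIX_DATE

def assess(role):
    """role: the 'Role' object as returned by `aws iam get-role` / boto3 get_role."""
    account = ACCOUNT_RE.search(role["Arn"]).group(1)
    return {"predates_fix": deployed_before_fix(role["CreateDate"]),
            "lower_tier_principals": risky_trusts(account, role["AssumeRolePolicyDocument"])}

# Constructed sample: a role in the hypothetical prod account trusting the same role name in dev.
SAMPLE_ROLE = {
    "Arn": "arn:aws:iam::222222222222:role/ExampleAssessmentRole",
    "CreateDate": datetime(2024, 11, 5, tzinfo=timezone.utc),
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/ExampleAssessmentRole"}}]},
}
```

A role that both predates the fix and trusts a lower-tier account matches the page's criteria for removal or redeployment into an account as secure as the ones it scans.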
