Initial Publication Date: 06/14/2023 4:30PM PDT

A researcher recently reported an issue in AWS Directory Service that would have enabled a customer’s IAM principals that were allowed to call the “EnableRoleAccess” API to enable role access on a directory user even if the IAM principal did not have the “iam:passrole” permission. This issue would only occur if the calling IAM principal had permission to call the “EnableRoleAccess” API, and its effect was limited to the customer’s own account.

The issue has been remediated by enforcing the requirement to have the IAM “iam:passrole” permission to enable role access, in addition to having IAM permission to call the “EnableRoleAccess” API. Customers using the recommended policy for the feature would not have been impacted by this issue, and no customer action is required.
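The same two-permission rule the service now enforces (a caller may enable role access only if it also holds “iam:passrole”) can be audited on the customer side in identity policies. The following is an added example, not code from AWS or from the bulletin; it assumes the IAM action name `ds:EnableRoleAccess` for the “EnableRoleAccess” API and uses the `iam:PassedToService` condition key, with constructed sample policies.

```python
import fnmatch
import json
# Assumed IAM action name behind the "EnableRoleAccess" API in the bulletin.
ENABLE_ROLE_ACCESS = "ds:EnableRoleAccess"
PASS_ROLE = "iam:PassRole"
DS_SERVICE = "ds.amazonaws.com"

def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource, etc."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _statements(policy, action, effect):
    """Statements with `effect` whose Action matches `action` (case-insensitive, '*' wildcards)."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if stmt.get("Effect") == effect and any(
                fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            hits.append(stmt)
    return hits

def _allows(policy, action):
    # Coarse model: a matching Deny always wins; Allow conditions are ignored.
    return bool(_statements(policy, action, "Allow")) and \
        not _statements(policy, action, "Deny")

def audit_policy(policy_json):
    """Flag EnableRoleAccess granted without iam:PassRole, and report whether any
    PassRole grant avoids a bare '*' resource and is limited to Directory Service."""
    policy = json.loads(policy_json)
    result = {"enable_role_access": _allows(policy, ENABLE_ROLE_ACCESS),
              "pass_role": _allows(policy, PASS_ROLE), "pass_role_scoped": False}
    for stmt in _statements(policy, PASS_ROLE, "Allow"):
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        to_ds = _as_list(cond.get("iam:PassedToService")) == [DS_SERVICE]
        named_role = "*" not in _as_list(stmt.get("Resource"))
        result["pass_role_scoped"] |= to_ds and named_role
    result["finding"] = result["enable_role_access"] and not result["pass_role"]
    return result

# Constructed sample policies; account id, directory id and role name are made up.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ds:Describe*", "ds:EnableRoleAccess"],
     "Resource": "*"}]})
CORRECTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ds:EnableRoleAccess",
     "Resource": "arn:aws:ds:us-east-1:111122223333:directory/d-EXAMPLE12345"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/DirectoryConsoleAccess",
     "Condition": {"StringEquals": {"iam:PassedToService": "ds.amazonaws.com"}}}]})
```

Running `audit_policy` over `WEAK_POLICY` reports a finding (EnableRoleAccess without PassRole), while `CORRECTED_POLICY` passes with the PassRole grant scoped to a named role and to Directory Service.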

We would like to thank Cloudar Security for responsibly disclosing this issue and working with us on its resolution. Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.