AWS Security ChangesHomeSearch

AWS securityhub high security documentation change

Service: securityhub · 2026-07-10 · Security-related high

File: securityhub/latest/userguide/exposure-ec2-instance.md

Summary

Added 'Impact traits for EC2 instances' section detailing privilege escalation patterns and blast radius analysis. Restructured existing content about IMDSv1/IAM roles and removed specific administrative policy subsections.

Security assessment

The added 'Impact traits' section explicitly documents 15 specific privilege escalation attack vectors (e.g., credential minting, trust policy hijack, disable audit trail) that could occur if an EC2 instance is compromised. This constitutes concrete security documentation about potential vulnerabilities and attack paths. The changes help users understand security risks from excessive permissions.

Diff

diff --git a/securityhub/latest/userguide/exposure-ec2-instance.md b/securityhub/latest/userguide/exposure-ec2-instance.md
index cfe9aef95..c9597141e 100644
--- a//securityhub/latest/userguide/exposure-ec2-instance.md
+++ b//securityhub/latest/userguide/exposure-ec2-instance.md
@@ -7 +7 @@
-Misconfiguration traits for EC2 instancesReachability traits for EC2 instancesVulnerability traits for EC2 instances
+Misconfiguration traits for EC2 instancesReachability traits for EC2 instancesVulnerability traits for EC2 instancesImpact traits for EC2 instances
@@ -29,4 +28,0 @@ The remediation guidance provided in this topic might require additional consult
-    * [The IAM role associated with the Amazon EC2 instance has an administrative access policy](./exposure-ec2-instance.html#administrative-access-policy)
-
-    * [The IAM role associated with the Amazon EC2 instance has a service admin policy](./exposure-ec2-instance.html#service-admin-policy)
-
@@ -52,0 +49 @@ The remediation guidance provided in this topic might require additional consult
+  * [Impact traits for EC2 instances](./exposure-ec2-instance.html#ec2-impact)
@@ -53,0 +51 @@ The remediation guidance provided in this topic might require additional consult
+    * [Full control privileged executor](./exposure-ec2-instance.html#full-control-privileged-executor)
@@ -54,0 +53 @@ The remediation guidance provided in this topic might require additional consult
+    * [Direct policy escalation](./exposure-ec2-instance.html#direct-policy-escalation)
@@ -56,35 +55 @@ The remediation guidance provided in this topic might require additional consult
-## Misconfiguration traits for EC2 instances
-
-Here are misconfiguration traits for EC2 instances and suggested remediation steps.
-
-### The EC2 instance allows access to IMDS using version 1
-
-Instance metadata is data about your Amazon EC2 instance that applications can use to configure or manage the running instance. The instance metadata service (IMDS) is an on-instance component that code on the instance uses to securely access instance metadata. If IMDS is not properly secured, it can become a potential attack vector, as it provides access to temporary credentials and other sensitive configuration data. IMDSv2 provides stronger protection against exploitation through session-oriented authentication, requiring a session token for metadata requests and limiting session duration. Following standard security principles, AWS recommends that you configure Amazon EC2 instances to use IMDSv2 and disable IMDSv1. 
-
-###### Test application compatibility
-
-Before implementing IMDSv2, test your instance to ensure its compatibility with IMDSv2. Some applications or scripts may require IMDSv1 for core functionality and require additional configuration. For more information about tools and recommended paths for testing application compatibility, [Transition to using Instance Metadata Service Version 2 ](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html) in the _Amazon Elastic Compute Cloud User Guide_. 
-
-###### Update instance to use IMDSv2
-
-Modify existing instances to use IMDSv2. For more information, see [Modify instance metadata options for existing instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-existing-instances.html) in the _Amazon Elastic Compute Cloud User Guide_. 
-
-###### Apply updates to instances in an Auto Scaling group
-
-If your instance is part of an Auto Scaling group, update your launch template or launch configuration with a new configuration, and perform an instance refresh. 
-
-### The IAM role associated with the Amazon EC2 instance has an administrative access policy
-
-Administrative access policies provide Amazon EC2 instances with broad permissions to AWS services and resources. These policies typically include permissions not required for instance functionality. Providing an IAM identity with an administrative access policy on an Amazon EC2 instance (instead of the minimum set of permissions the role attached to your instance profile needs) can increase the scope of an attack if the Amazon EC2 instance is compromised. If an instance is compromised, attackers could utilize these excessive permissions to move laterally across your environment, access data, or manipulate resources. Following standard security principles, we recommend you grant least privileges, which means you only grant the permissions required to perform a task. 
-
-###### Review and identify administrative policies
-
-In the IAM dashboard, find the role with the role name. Review the permissions policy attached to the IAM role. If the policy is an AWS managed policy, look for `AdministratorAccess` or `IAMFullAccess`. Otherwise, in the policy document, look for statements with `"Effect": "Allow", "Action": "*"`, and `"Resource": "*"`. 
-
-###### Implement least privilege access
-
-Replace administrative policies with policies that grant only the specific permissions required for the instance to function. For more information about security best practices for IAM roles, see [Apply least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in Security best practices in the _AWS Identity and Access Management User Guide_. To identify unnecessary permissions, you can use the IAM Access Analyzer to understand how to modify your policy based on access history. For more information, see [Findings for external and unused access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) in the _AWS Identity and Access Management User Guide_. Alternatively, you can create a new IAM role to avoid impacting other applications using the existing role. In this scenario, create a new IAM role, then associate the new IAM role with the instance. For instructions on replacing an IAM role for an instance, see [Attach an IAM role to an instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attach-iam-role.html) in the _Amazon Elastic Compute Cloud User Guide_. 
-
-###### Secure configuration considerations
-
-If service-level administrative permissions are necessary for the instance, consider implementing these additional security controls to mitigate risk: 
+    * [Trust policy hijack](./exposure-ec2-instance.html#trust-policy-hijack)
@@ -92 +57 @@ If service-level administrative permissions are necessary for the instance, cons
-  * **Secure configuration considerations**
+    * [Data ransomware](./exposure-ec2-instance.html#data-ransomware)
@@ -94 +59 @@ If service-level administrative permissions are necessary for the instance, cons
-    * **Multi-factor authentication (MFA)** – MFA adds an additional security layer by requiring an additional form of authentication. This helps prevent unauthorized access even if credentials are compromised. For more information, see [Require multi-factor authentication (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users) in the _AWS Identity and Access Management User Guide_. 
+    * [Remove restriction](./exposure-ec2-instance.html#remove-restriction)
@@ -96 +61 @@ If service-level administrative permissions are necessary for the instance, cons
-    * **IAM conditions** – Setting up condition elements allow you to restrict when and how administrative permissions can be used based on factors like source IP or MFA age. For more information, see [Use conditions in IAM policies to further restrict access](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-policy-conditions) in the _AWS Identity and Access Management User Guide_. 
+    * [Pass role create executor](./exposure-ec2-instance.html#pass-role-create-executor)
@@ -98 +63 @@ If service-level administrative permissions are necessary for the instance, cons
-    * **Permissions boundaries** – Permission boundaries establish the maximum permissions a role can have, providing guardrails for roles with administrative access. For more information, see [Use permissions boundaries to delegate permissions management within an account](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-permissions-boundaries) in the _AWS Identity and Access Management User Guide_. 
+    * [Swap role existing executor](./exposure-ec2-instance.html#swap-role-existing-executor)
@@ -99,0 +65 @@ If service-level administrative permissions are necessary for the instance, cons
+    * [Role chain escalation](./exposure-ec2-instance.html#role-chain-escalation)
@@ -100,0 +67 @@ If service-level administrative permissions are necessary for the instance, cons
+    * [Inject code privileged executor](./exposure-ec2-instance.html#inject-code-privileged-executor)
@@ -101,0 +69 @@ If service-level administrative permissions are necessary for the instance, cons
+    * [Disable audit trail](./exposure-ec2-instance.html#disable-audit-trail)
@@ -103 +71 @@ If service-level administrative permissions are necessary for the instance, cons
-###### Apply updates to instances in an auto scaling group
+    * [Access existing executor](./exposure-ec2-instance.html#access-existing-executor)
@@ -105 +73 @@ If service-level administrative permissions are necessary for the instance, cons
-For Amazon EC2 instances in an AWS auto scaling group, update the launch template or launch configuration with the new instance profile, and perform an instance refresh. For information about updating a launch template, see [Modify a launch template (manage launch template versions)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/manage-launch-template-versions.html) in the _Amazon Elastic Compute Cloud User Guide_. For more information, see [Use an instance refresh to update instances in an Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/asg-instance-refresh.html). For more information about using IAM roles with Auto Scaling groups, see [IAM role for applications that run on Amazon EC2](https://docs.aws.amazon.com/autoscaling/ec2/userguide/us-iam-role.html) instances in the _Amazon EC2 Auto Scaling User Guide_. 
+    * [Credential minting](./exposure-ec2-instance.html#credential-minting)
@@ -107 +75 @@ For Amazon EC2 instances in an AWS auto scaling group, update the launch templat
-### The IAM role associated with the Amazon EC2 instance has a service admin policy
+    * [Pass role data access](./exposure-ec2-instance.html#pass-role-data-access)
@@ -109 +77 @@ For Amazon EC2 instances in an AWS auto scaling group, update the launch templat
-Service access policies provide Amazon EC2 instances with broad permissions to AWS services and resources. These policies typically include permissions that are not required for instance functionality. Providing an IAM identity with an administrative access policy on an Amazon EC2 instance instead of the minimum set of permissions the role attached to your instance profile needs can increase the scope of an attack if an instance is compromised. Following standard security principles, we recommend that you grant least privileges, which means that you grant only the permissions required to perform a task. 
+    * [Pass role task hijack](./exposure-ec2-instance.html#pass-role-task-hijack)
@@ -111 +79 @@ Service access policies provide Amazon EC2 instances with broad permissions to A
-###### Review and identify administrative policies
+    * [Single hop data access](./exposure-ec2-instance.html#single-hop-data-access)
@@ -113 +81 @@ Service access policies provide Amazon EC2 instances with broad permissions to A
-In the IAM dashboard, find the role with the role name. Review the permissions policy attached to the IAM role. If the policy is an AWS managed policy, look for `AdministratorAccess` or `IAMFullAccess`. Otherwise, in the policy document, look for statements with `"Effect": "Allow", "Action": "*"`, and `"Resource": "*"`. 
+    * [Capability advancing](./exposure-ec2-instance.html#capability-advancing)
@@ -115 +82,0 @@ In the IAM dashboard, find the role with the role name. Review the permissions p
-###### Implement least privilege access
@@ -117 +83,0 @@ In the IAM dashboard, find the role with the role name. Review the permissions p
-Replace service admin policies with those that grant only the specific permissions required for the instance to function. For more information on security best practices for IAM roles, see [Apply least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in Security best practices in the _AWS Identity and Access Management User Guide_. To identify unnecessary permissions, you can use the IAM Access Analyzer to understand how to modify your policy based on access history. For more information, see [Findings for external and unused access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) in the _AWS Identity and Access Management User Guide_. Alternatively, you can create a new IAM role to avoid impacting other applications that are using the existing role. In this scenario, create a new IAM role, then associate the new IAM role with the instance. For information about replacing an IAM role for an instance, see [Attach an IAM role to an instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attach-iam-role.html) in the _Amazon Elastic Compute Cloud User Guide_
@@ -119 +84,0 @@ Replace service admin policies with those that grant only the specific permissio
-###### Secure configuration considerations
@@ -121,3 +86 @@ Replace service admin policies with those that grant only the specific permissio
-If service-level administrative permissions are necessary for the instance, consider implementing these additional security controls to mitigate risk: 
-
-###### Secure configuration considerations
+## Misconfiguration traits for EC2 instances
@@ -125 +88 @@ If service-level administrative permissions are necessary for the instance, cons
-If service-level administrative permissions are necessary for the instance, consider implementing these additional security controls to mitigate risk: 
+Here are misconfiguration traits for EC2 instances and suggested remediation steps.
@@ -127 +90 @@ If service-level administrative permissions are necessary for the instance, cons
-  * **Multi-factor authentication (MFA)** – MFA adds an additional security layer by requiring an additional form of authentication. This helps prevent unauthorized access even if credentials are compromised. For more information, see [Require multi-factor authentication (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users) in the _AWS Identity and Access Management User Guide_. 
+### The EC2 instance allows access to IMDS using version 1
@@ -129 +92 @@ If service-level administrative permissions are necessary for the instance, cons
-  * **IAM conditions** – Setting up condition elements allows you to restrict when and how administrative permissions can be used based on factors like source IP or MFA age. For more information, see [Use conditions in IAM policies to further restrict access](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-policy-conditions) in the _AWS Identity and Access Management User Guide_. 
+Instance metadata is data about your Amazon EC2 instance that applications can use to configure or manage the running instance. The instance metadata service (IMDS) is an on-instance component that code on the instance uses to securely access instance metadata. If IMDS is not properly secured, it can become a potential attack vector, as it provides access to temporary credentials and other sensitive configuration data. IMDSv2 provides stronger protection against exploitation through session-oriented authentication, requiring a session token for metadata requests and limiting session duration. Following standard security principles, AWS recommends that you configure Amazon EC2 instances to use IMDSv2 and disable IMDSv1. 
@@ -131 +94 @@ If service-level administrative permissions are necessary for the instance, cons
-  * **Permissions boundaries** – Permission boundaries establish the maximum permissions a role can have, providing guardrails for roles with administrative access. For more information, see [Use permissions boundaries to delegate permissions management within an account](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-permissions-boundaries) in the _AWS Identity and Access Management User Guide_. 
+###### Test application compatibility
@@ -132,0 +96 @@ If service-level administrative permissions are necessary for the instance, cons
+Before implementing IMDSv2, test your instance to ensure its compatibility with IMDSv2. Some applications or scripts may require IMDSv1 for core functionality and require additional configuration. For more information about tools and recommended paths for testing application compatibility, [Transition to using Instance Metadata Service Version 2 ](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html) in the _Amazon Elastic Compute Cloud User Guide_. 
@@ -133,0 +98 @@ If service-level administrative permissions are necessary for the instance, cons
+###### Update instance to use IMDSv2
@@ -134,0 +100 @@ If service-level administrative permissions are necessary for the instance, cons
+Modify existing instances to use IMDSv2. For more information, see [Modify instance metadata options for existing instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-existing-instances.html) in the _Amazon Elastic Compute Cloud User Guide_. 
@@ -136 +102 @@ If service-level administrative permissions are necessary for the instance, cons
-###### Apply updates to instances in Auto Scaling group
+###### Apply updates to instances in an Auto Scaling group
@@ -138 +104 @@ If service-level administrative permissions are necessary for the instance, cons
-For Amazon EC2 instances in an AWS auto scaling group, update the launch template or launch configuration with the new instance profile, and perform an instance refresh. For information about updating a launch template, see [Modify a launch template (manage launch template versions)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/manage-launch-template-versions.html) in the _Amazon Elastic Compute Cloud User Guide_. For more information, see [Use an instance refresh to update instances in an Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/asg-instance-refresh.html). For more information about using IAM roles with Auto Scaling groups, see [IAM role for applications that run on Amazon EC2](https://docs.aws.amazon.com/autoscaling/ec2/userguide/us-iam-role.html) instances in the _Amazon EC2 Auto Scaling User Guide_. 
+If your instance is part of an Auto Scaling group, update your launch template or launch configuration with a new configuration, and perform an instance refresh. 
@@ -259,0 +226,70 @@ To identify the specific Amazon Elastic Block Store (Amazon EBS) volume that has
+## Impact traits for EC2 instances
+
+Impact traits describe the potential blast radius of an exposure. Security Hub analyzes the effective permissions of the AWS Identity and Access Management principal associated with the EC2 instance to determine the downstream resources an attacker could reach if the instance is compromised. Each impact trait identifies a specific privilege escalation pattern. To reduce your blast radius, review the permission paths described in each trait and remove any unnecessary privileges.
+
+Following standard security principles, AWS recommends that you grant least privilege — only the permissions required to perform a task. Replace broad policies with scoped-down policies that grant only the specific actions and resources needed. To identify unused permissions to remove, use IAM Access Analyzer to generate recommendations based on access history. For more information, see [Findings for external and unused access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) and [Apply least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the _IAM User Guide_.
+
+### Full control privileged executor
+
+The associated principal can pass a role to and inject code into a compute resource that already has elevated permissions. This allows the principal to gain full control over the executor and perform any action that the executor's role permits.
+
+### Direct policy escalation
+
+The associated principal can directly modify IAM policies to grant itself additional permissions, escalating its own privileges without intermediate resources.
+
+### Trust policy hijack
+
+The associated principal can modify the trust policy of an IAM role to allow itself to assume that role, gaining the role's permissions.
+
+### Data ransomware
+
+The associated principal can encrypt or delete data in a way that could be used for ransomware, such as encrypting Amazon S3 objects with a customer-managed AWS KMS key and then modifying the key policy.
+
+### Remove restriction
+
+The associated principal can remove security restrictions such as permission boundaries, service control policies, or resource-based policy deny statements, expanding what other principals or the resource itself can do.
+
+### Pass role create executor
+
+The associated principal can create a new compute resource (such as a Lambda function or Amazon EC2 instance) and pass it a privileged role, effectively laundering its own permissions through the new resource.
+
+### Swap role existing executor
+
+The associated principal can change the IAM role attached to an existing compute resource, replacing it with a more privileged role to escalate access.
+
+### Role chain escalation
+
+The associated principal can assume a sequence of roles, where each role in the chain has progressively broader permissions, ultimately reaching a highly privileged role.
+
+### Inject code privileged executor
+
+The associated principal can inject code into a running compute resource that has elevated permissions, executing arbitrary operations under that resource's privileged role.
+
+### Disable audit trail
+
+The associated principal can disable logging or monitoring services such as CloudTrail, effectively covering its tracks during or after an escalation.
+
+### Access existing executor
+
+The associated principal can invoke or connect to an existing compute resource and use its attached role to perform privileged actions.
+
+### Credential minting
+
+The associated principal can create new long-term credentials (such as access keys or login profiles) for other principals, establishing persistent access paths that survive password rotations or session expirations.
+
+### Pass role data access
+
+The associated principal can create a service resource and pass it a role that has access to sensitive data, gaining indirect access to that data through the new resource.
+
+### Pass role task hijack
+
+The associated principal can pass a role to a scheduled or event-driven task (such as a Lambda function triggered by an event), allowing it to execute arbitrary code with that role's permissions.
+
+### Single hop data access
+
+The associated principal can directly access sensitive data resources (such as Amazon S3 buckets or DynamoDB tables) through its existing permissions, without needing intermediate escalation steps.
+
+### Capability advancing
+
+The associated principal has a privilege escalation path that advances its overall capabilities beyond what its directly assigned permissions would suggest. This is a general classification for paths that do not match a more specific pattern.
+