AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-07-10 · Documentation medium

File: securityhub/latest/userguide/exposure-iam-user.md

Summary

Added new 'Impact traits for IAM users' section with 15 privilege escalation patterns and removed two administrative policy subsections

Security assessment

The change adds extensive documentation about privilege escalation risks and impact analysis patterns (e.g., trust policy hijack, credential minting, disable audit trail) but doesn't indicate a specific security vulnerability being fixed. It enhances security awareness by detailing potential attack vectors.

Diff

diff --git a/securityhub/latest/userguide/exposure-iam-user.md b/securityhub/latest/userguide/exposure-iam-user.md
index 8f59de6db..e954e431d 100644
--- a//securityhub/latest/userguide/exposure-iam-user.md
+++ b//securityhub/latest/userguide/exposure-iam-user.md
@@ -7 +7 @@
-Misconfiguration traits for IAM usersUnused access traits for IAM users
+Misconfiguration traits for IAM usersUnused access traits for IAM usersImpact traits for IAM users
@@ -29,2 +28,0 @@ IAM best practices recommend that you create IAM roles or use federation with an
-    * [The IAM user has a policy with administrative access](./exposure-iam-user.html#administrative-access-policy)
-
@@ -33,2 +30,0 @@ IAM best practices recommend that you create IAM roles or use federation with an
-    * [The IAM user has a policy with administrative access to an AWS service](./exposure-iam-user.html#service-admin-policy)
-
@@ -42,0 +39 @@ IAM best practices recommend that you create IAM roles or use federation with an
+  * [Impact traits for IAM users](./exposure-iam-user.html#iam-user-impact)
@@ -43,0 +41 @@ IAM best practices recommend that you create IAM roles or use federation with an
+    * [Full control privileged executor](./exposure-iam-user.html#full-control-privileged-executor)
@@ -44,0 +43 @@ IAM best practices recommend that you create IAM roles or use federation with an
+    * [Direct policy escalation](./exposure-iam-user.html#direct-policy-escalation)
@@ -46 +45 @@ IAM best practices recommend that you create IAM roles or use federation with an
-## Misconfiguration traits for IAM users
+    * [Trust policy hijack](./exposure-iam-user.html#trust-policy-hijack)
@@ -48 +47,9 @@ IAM best practices recommend that you create IAM roles or use federation with an
-Here are misconfiguration traits for IAM users and suggested remediation steps.
+    * [Data ransomware](./exposure-iam-user.html#data-ransomware)
+
+    * [Remove restriction](./exposure-iam-user.html#remove-restriction)
+
+    * [Pass role create executor](./exposure-iam-user.html#pass-role-create-executor)
+
+    * [Swap role existing executor](./exposure-iam-user.html#swap-role-existing-executor)
+
+    * [Role chain escalation](./exposure-iam-user.html#role-chain-escalation)
@@ -50 +57 @@ Here are misconfiguration traits for IAM users and suggested remediation steps.
-### The IAM user has a policy with administrative access
+    * [Inject code privileged executor](./exposure-iam-user.html#inject-code-privileged-executor)
@@ -52 +59 @@ Here are misconfiguration traits for IAM users and suggested remediation steps.
-IAM policies grant a set of privileges to IAM users when accessing resources. Administrative policies provide IAM users with broad permissions to AWS services and resources. Providing full administrative privileges, instead of the minimum set of permissions that the user needs, can increase the scope of an attack if credentials are compromised. Following standard security principles, AWS recommends that you grant least privileges, which means that you grant only the permissions required to perform a task. 
+    * [Disable audit trail](./exposure-iam-user.html#disable-audit-trail)
@@ -54 +61 @@ IAM policies grant a set of privileges to IAM users when accessing resources. Ad
-  1. **Review and identify administrative policies** – In the **Resource ID** , identify the IAM role name. Go to the IAM dashboard and select the identified role. Review the permissions policy attached to the IAM user. If the policy is an AWS managed policy, look for `AdministratorAccess` or `IAMFullAccess`. Otherwise, in the policy document, look for statements that have the statements `"Effect":` `"Allow"` with `"Action": "*"` over `"Resource": "*"`. 
+    * [Access existing executor](./exposure-iam-user.html#access-existing-executor)
@@ -56 +63 @@ IAM policies grant a set of privileges to IAM users when accessing resources. Ad
-  2. **Implement least privilege access** – Replace service administrative policies with those that grant only the specific permissions required for the user to function. For more information on security best practices for IAM policies, see [Apply least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the _AWS Identity and Access Management User Guide_. To identify unnecessary permissions, you can use the IAM Access Analyzer to understand how to modify your policy based on access history. For more information, see [Findings for external and unused access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) in the _AWS Identity and Access Management User Guide_. 
+    * [Credential minting](./exposure-iam-user.html#credential-minting)
@@ -58 +65 @@ IAM policies grant a set of privileges to IAM users when accessing resources. Ad
-  3. **Secure configuration considerations** – If service administrative permissions are necessary for the instance, consider implementing these additional security controls to mitigate risk: 
+    * [Pass role data access](./exposure-iam-user.html#pass-role-data-access)
@@ -60 +67 @@ IAM policies grant a set of privileges to IAM users when accessing resources. Ad
-     * **Multi-factor authentication (MFA)** – MFA adds an additional security layer by requiring an additional form of authentication. This helps prevent unauthorized access even if credentials are compromised. For more information, see [Require multi-factor authentication (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users) in the _AWS Identity and Access Management User Guide_. 
+    * [Pass role task hijack](./exposure-iam-user.html#pass-role-task-hijack)
@@ -62 +69 @@ IAM policies grant a set of privileges to IAM users when accessing resources. Ad
-     * **IAM conditions** – Setting up condition elements allow you to restrict when and how administrative permissions can be used based on factors like source IP or MFA age. For more information, see [Use conditions in IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-policy-conditions) to further restrict access in the _AWS Identity and Access Management User Guide_. 
+    * [Single hop data access](./exposure-iam-user.html#single-hop-data-access)
@@ -64 +71 @@ IAM policies grant a set of privileges to IAM users when accessing resources. Ad
-     * **Permission boundaries** – Permission boundaries establish the maximum permissions a role can have, providing guardrails for roles with administrative access. For more information, see [Use permissions boundaries to delegate permissions management within an account](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-permissions-boundaries) in the _AWS Identity and Access Management User Guide_. 
+    * [Capability advancing](./exposure-iam-user.html#capability-advancing)
@@ -68,0 +76,4 @@ IAM policies grant a set of privileges to IAM users when accessing resources. Ad
+## Misconfiguration traits for IAM users
+
+Here are misconfiguration traits for IAM users and suggested remediation steps.
+
@@ -92,25 +102,0 @@ To enable the MFA type that suits your requirements, see [AWS multi-factor authe
-### The IAM user has a policy with administrative access to an AWS service
-
-Service admin policies provide IAM users with permissions to perform all actions within a specific AWS service. These policies typically include permissions that are not required for users to perform their job functions. Providing an IAM user with service administrator privileges, instead of the minimum set of permissions needed, increases the scope of an attack if credentials are compromised. Following standard security principles, AWS recommends that you grant least privileges, which means that you grant only the permissions required to perform a task. 
-
-###### Review and identify service admin policies
-
-In the **Resource ID** , identify the IAM role name. Go to the IAM dashboard and select the identified role. Review the permissions policy attached to the IAM user. If the policy is an AWS managed policy, look for `AdministratorAccess` or `IAMFullAccess`. Otherwise, in the policy document, look for statements that have the statements "`Effect": "Allow" with "Action": "*" over "Resource": "*"`.
-
-###### Implement least privilege access
-
-Replace service administrative policies with those that grant only the specific permissions required for the user to function. To identify unnecessary permissions, you can use the IAM Access Analyzer to understand how to modify your policy based on access history. 
-
-###### Secure configuration considerations
-
-If service administrative permissions are necessary for the instance, consider implementing these additional security controls to mitigate exposure: 
-
-  * MFA adds an additional security layer by requiring an additional form of authentication. This helps prevent unauthorized access even if credentials are compromised. 
-
-  * Use condition elements to restrict when and how administrative permissions can be used based on factors like source IP or MFA age. 
-
-  * Use permission boundaries to establish the maximum permissions a role can have, providing guardrails for roles with administrative access. 
-
-
-
-
@@ -176,0 +163,70 @@ For unused permissions specifically, you can generate a least-privilege policy r
+## Impact traits for IAM users
+
+Impact traits describe the potential blast radius of an exposure. Security Hub analyzes the effective permissions of the AWS Identity and Access Management principal associated with the IAM user to determine the downstream resources an attacker could reach if the IAM user is compromised. Each impact trait identifies a specific privilege escalation pattern. To reduce your blast radius, review the permission paths described in each trait and remove any unnecessary privileges.
+
+Following standard security principles, AWS recommends that you grant least privilege — only the permissions required to perform a task. Replace broad policies with scoped-down policies that grant only the specific actions and resources needed. To identify unused permissions to remove, use IAM Access Analyzer to generate recommendations based on access history. For more information, see [Findings for external and unused access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) and [Apply least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the _IAM User Guide_.
+
+### Full control privileged executor
+
+The associated principal can pass a role to and inject code into a compute resource that already has elevated permissions. This allows the principal to gain full control over the executor and perform any action that the executor's role permits.
+
+### Direct policy escalation
+
+The associated principal can directly modify IAM policies to grant itself additional permissions, escalating its own privileges without intermediate resources.
+
+### Trust policy hijack
+
+The associated principal can modify the trust policy of an IAM role to allow itself to assume that role, gaining the role's permissions.
+
+### Data ransomware
+
+The associated principal can encrypt or delete data in a way that could be used for ransomware, such as encrypting Amazon S3 objects with a customer-managed AWS KMS key and then modifying the key policy.
+
+### Remove restriction
+
+The associated principal can remove security restrictions such as permission boundaries, service control policies, or resource-based policy deny statements, expanding what other principals or the resource itself can do.
+
+### Pass role create executor
+
+The associated principal can create a new compute resource (such as a Lambda function or Amazon EC2 instance) and pass it a privileged role, effectively laundering its own permissions through the new resource.
+
+### Swap role existing executor
+
+The associated principal can change the IAM role attached to an existing compute resource, replacing it with a more privileged role to escalate access.
+
+### Role chain escalation
+
+The associated principal can assume a sequence of roles, where each role in the chain has progressively broader permissions, ultimately reaching a highly privileged role.
+
+### Inject code privileged executor
+
+The associated principal can inject code into a running compute resource that has elevated permissions, executing arbitrary operations under that resource's privileged role.
+
+### Disable audit trail
+
+The associated principal can disable logging or monitoring services such as CloudTrail, effectively covering its tracks during or after an escalation.
+
+### Access existing executor
+
+The associated principal can invoke or connect to an existing compute resource and use its attached role to perform privileged actions.
+
+### Credential minting
+
+The associated principal can create new long-term credentials (such as access keys or login profiles) for other principals, establishing persistent access paths that survive password rotations or session expirations.
+
+### Pass role data access
+
+The associated principal can create a service resource and pass it a role that has access to sensitive data, gaining indirect access to that data through the new resource.
+
+### Pass role task hijack
+
+The associated principal can pass a role to a scheduled or event-driven task (such as a Lambda function triggered by an event), allowing it to execute arbitrary code with that role's permissions.
+
+### Single hop data access
+
+The associated principal can directly access sensitive data resources (such as Amazon S3 buckets or DynamoDB tables) through its existing permissions, without needing intermediate escalation steps.
+
+### Capability advancing
+
+The associated principal has a privilege escalation path that advances its overall capabilities beyond what its directly assigned permissions would suggest. This is a general classification for paths that do not match a more specific pattern.
+