Critical AWS Tool Flaw: Privilege Escalation Vulnerability
2025-05-05

Security firm Token Security uncovered a critical vulnerability in AWS's Account Assessment tool. The tool is intended to audit cross-account access, but its deployment instructions inadvertently encouraged users to deploy the hub role in less secure accounts (such as development), creating dangerous trust paths from insecure environments into highly sensitive ones (such as production). This allowed privilege escalation, potentially granting attackers control over the entire AWS organization. AWS fixed the issue on January 28, 2025, updating the documentation to recommend deploying the hub role in an account as secure as the management account. Affected organizations should check their deployments and remediate accordingly.
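An added example (not code from Token Security or AWS) of the kind of check the last sentence calls for: given the trust policies of IAM roles, it flags every role that a lower-sensitivity account is allowed to assume, which is exactly the trust path a hub role deployed in development creates into production. The account IDs, role names and the per-account sensitivity tiers are constructed placeholders; in practice the tiers come from the operator's own account classification.

```python
# Constructed sample: sensitivity tier per account (higher = more sensitive).
# Account IDs are placeholders, not real AWS accounts.
ACCOUNT_TIER = {"111111111111": 3,  # management
                "222222222222": 3,  # production
                "333333333333": 1}  # development

def principal_accounts(statement):
    """Account IDs named in a statement's AWS principal ('*' for wildcards)."""
    principal = statement.get("Principal", {})
    aws = principal if principal == "*" else principal.get("AWS", [])
    aws = [aws] if isinstance(aws, str) else aws
    accounts = set()
    for p in aws:
        if p == "*":
            accounts.add("*")
        elif p.startswith("arn:aws:iam::"):
            accounts.add(p.split(":")[4])   # 12-digit account in the ARN
        elif p.isdigit():
            accounts.add(p)                 # bare account ID principal
    return accounts

def weak_trust_paths(roles):
    """roles: list of {account, role_name, trust_policy}. Returns
    (account, role_name, trusted_account) for every AssumeRole trust that
    lets a lower-tier (or unknown) account into a higher-tier account."""
    findings = []
    for role in roles:
        tier = ACCOUNT_TIER.get(role["account"], 0)
        for st in role["trust_policy"].get("Statement", []):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if st.get("Effect") != "Allow" or not any(
                    a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
                continue
            for acct in principal_accounts(st):
                if acct == "*" or ACCOUNT_TIER.get(acct, 0) < tier:
                    findings.append((role["account"], role["role_name"], acct))
    return findings

def _spoke(trusted_hub_arn, name):
    """Constructed spoke-role record in the production account."""
    return {"account": "222222222222", "role_name": name, "trust_policy": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Principal": {"AWS": trusted_hub_arn}, "Action": "sts:AssumeRole"}]}}

# Hypothetical role names; the hub placed in development is the risky one.
SAMPLE_ROLES = [
    _spoke("arn:aws:iam::333333333333:role/AssessmentHubRole", "SpokeTrustsDevHub"),
    _spoke("arn:aws:iam::111111111111:role/AssessmentHubRole", "SpokeTrustsMgmtHub"),
]
```

Running `weak_trust_paths(SAMPLE_ROLES)` reports only the spoke role that trusts the development-account hub; the same function can be fed trust policies pulled from each account's IAM roles.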