A critical security vulnerability in AWS Organizations has been discovered that could allow attackers to achieve complete control over entire multi-account AWS environments through a mis-scoped managed policy. The flaw, identified in version 1 of the AmazonGuardDutyFullAccess managed policy, enables privilege escalation from a compromised member account to full organizational takeover, including potential control of the management account itself. The research team, led by Ben Zamir, found that the policy's overly permissive structure could let attackers delegate sensitive services to accounts under their control and then manipulate organization-wide identity management or deploy malicious infrastructure across the entire environment.

The vulnerability stems from an improperly scoped permission within the AWS-managed policy: it grants the organizations:RegisterDelegatedAdministrator action with unrestricted resource access. This oversight allows an attacker who compromises a user or role in the management account with the vulnerable policy attached to register any account within the organization as a delegated administrator for sensitive services, effectively bypassing the intended security boundaries. The attack vector leverages AWS Organizations' delegated administrator feature, which was designed to reduce reliance on highly privileged management accounts by allowing specific member accounts to administer services organization-wide. An attacker can chain delegation privileges with control over a member account to gain administrative access to critical services such as AWS IAM Identity Center (formerly AWS SSO) or CloudFormation StackSets across all organizational accounts.

Once an attacker registers a compromised account as a delegated administrator for IAM Identity Center, they gain the ability to manipulate permission sets, user groups, and access configurations across all organizational accounts. This capability allows them to add malicious identities to high-privilege groups or reset passwords of users with administrative access to the management account. Attackers can also modify existing permission sets or create new ones with elevated privileges, ensuring continued access even if the initial compromise vector is discovered and remediated. Additionally, the read-only organizational access granted to delegated administrators provides complete visibility into the environment structure, enabling attackers to identify high-value targets and plan multi-account attacks.

Organizations should immediately audit all principals using the vulnerable policy and move to the updated version to prevent exploitation of this flaw.
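To audit for the pattern the article describes, a defender can scan attached policy documents for Allow statements that grant organizations:RegisterDelegatedAdministrator (directly or through a wildcard) without a condition limiting which service may be delegated. The following is an added example, not code from the article or from AWS; the policy documents are constructed stand-ins rather than the real AmazonGuardDutyFullAccess text, and the organizations:ServicePrincipal condition key used in the scoped version is assumed to be the appropriate key for that restriction.

```python
import fnmatch
import json

DELEGATE = "organizations:RegisterDelegatedAdministrator"

# Constructed stand-in for the mis-scoped shape described in the article:
# the delegation action is allowed on Resource "*" with no Condition.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "guardduty:*", "Resource": "*"},
        {"Effect": "Allow", "Action": [DELEGATE], "Resource": "*"},
    ],
})

# Constructed hardened form: the same action is restricted so that only the
# GuardDuty service principal can be delegated (assumed condition key name).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "guardduty:*", "Resource": "*"},
        {"Effect": "Allow", "Action": [DELEGATE], "Resource": "*",
         "Condition": {"StringEquals": {
             "organizations:ServicePrincipal": "guardduty.amazonaws.com"}}},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Statement/Action fields."""
    return value if isinstance(value, list) else [value]


def find_unscoped_delegation(policy_json, action=DELEGATE):
    """Return the indexes of Allow statements that grant `action` (IAM action
    matching is case-insensitive and wildcard-aware) without any
    organizations:ServicePrincipal condition. Statements using NotAction are
    ignored here and should be reviewed by hand."""
    findings = []
    statements = _as_list(json.loads(policy_json)["Statement"])
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        condition_text = json.dumps(stmt.get("Condition", {})).lower()
        if "organizations:serviceprincipal" not in condition_text:
            findings.append(index)
    return findings
```

Run the function over the policy documents returned by iam:GetPolicyVersion for every managed policy in use; a non-empty result is a statement to scope or replace.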
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 12 Jul 2025 06:40:12 +0000