Shadow admins

This topic describes how shadow admins can expand the attack surface of your cloud platform.

What is a shadow admin?

Shadow admins are users with specific sensitive permissions that grant them the ability to escalate privileges in the cloud. Attackers and malicious insiders can exploit these permissions to gain access to critical cloud infrastructure, steal or alter sensitive data, or interrupt cloud-hosted service.

The sections below describe how shadow admin permissions can be exploited on each cloud platform.

The following table describes how shadow admin permissions can expand your attack surface on the AWS cloud platform:

| Activity | AWS permission(s) | An attacker can exploit this permission by... |
|---|---|---|
| Create access key | iam-CreateAccessKey | Creating a new access key for another IAM admin account. |
| Attach user policy | iam-AttachUserPolicy | Attaching an existing admin policy to any other entity to which they have permissions. |
| Attach group policy | iam-AttachGroupPolicy | Attaching an existing admin policy to any other entity to which they have permissions. |
| Attach role policy | iam-AttachRolePolicy | Attaching an existing admin policy to any other entity to which they have permissions. |
| Attach user inline policies | iam-PutUserPolicy | Adding “inline” policies to other entities, which enables granting additional privileges to already compromised entities. |
| Attach group inline policies | iam-PutGroupPolicy | Adding “inline” policies to other entities, which enables granting additional privileges to already compromised entities. |
| Attach role inline policies | iam-PutRolePolicy | Adding “inline” policies to other entities, which enables granting additional privileges to already compromised entities. |
| Create policy | iam-CreatePolicy | Creating a stealthy admin policy and labeling it “ReadOnly” so it appears harmless. |
| Update login profiles | iam-UpdateLoginProfile | Changing the password used to sign in to the AWS console for any user with a login profile. |
| Create login profiles | iam-CreateLoginProfile | Changing the password used to sign in to the AWS console for any user with a login profile. |
| Add users to a group | iam-AddUserToGroup | Adding their user to the organization’s admin group. |
| Assume role policy (the policy that defines which users can assume a role, typically referred to as the “role trust policy”) | iam-UpdateAssumeRolePolicy | Adding themselves to the trust policy of a privileged role and then assuming it from a non-privileged account. |
| Create policy version | iam-CreatePolicyVersion | Modifying customer-managed policies to elevate a non-privileged entity to a privileged one. |
| Set default policy version | iam-SetDefaultPolicyVersion | Modifying customer-managed policies to elevate a non-privileged entity to a privileged one. |
| Attach a privileged instance profile | iam-PassRole, ec2-AssociateIamInstanceProfile | Attaching a privileged instance profile to their compromised EC2 instance. |
| Create a privileged instance profile | iam-PassRole, iam-CreateInstanceProfile, iam-AddRoleToInstanceProfile | Creating a privileged instance profile and escalating the privileges of their compromised EC2 instance. |
| Modify a privileged instance profile | iam-PassRole, iam-RemoveRoleFromInstanceProfile, iam-AddRoleToInstanceProfile | Modifying an existing instance profile into a privileged one and escalating the privileges of their compromised EC2 instance. |
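A defender's first question is which of the policies in an account actually grant the rows above. The following is an added example, not part of the original page or of any vendor tool: it checks an IAM policy document against the AWS table, treating the multi-permission rows as combinations and honouring the `*`/`?` wildcards and case-insensitive matching of the IAM policy language. The policy document is a constructed sample; the `iam:Action` spelling is the form used in real policy JSON.

```python
import fnmatch

# Shadow-admin activities from the AWS table above, in the iam:Action form used in
# policy documents. Multi-action rows escalate only when every action is granted.
SHADOW_ADMIN_ACTIONS = {
    "Create access key": ["iam:CreateAccessKey"],
    "Attach user policy": ["iam:AttachUserPolicy"],
    "Attach group policy": ["iam:AttachGroupPolicy"],
    "Attach role policy": ["iam:AttachRolePolicy"],
    "Attach user inline policies": ["iam:PutUserPolicy"],
    "Attach group inline policies": ["iam:PutGroupPolicy"],
    "Attach role inline policies": ["iam:PutRolePolicy"],
    "Create policy": ["iam:CreatePolicy"],
    "Update login profiles": ["iam:UpdateLoginProfile"],
    "Create login profiles": ["iam:CreateLoginProfile"],
    "Add users to a group": ["iam:AddUserToGroup"],
    "Assume role policy": ["iam:UpdateAssumeRolePolicy"],
    "Create policy version": ["iam:CreatePolicyVersion"],
    "Set default policy version": ["iam:SetDefaultPolicyVersion"],
    "Attach a privileged instance profile": ["iam:PassRole", "ec2:AssociateIamInstanceProfile"],
    "Create a privileged instance profile": [
        "iam:PassRole", "iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile"],
    "Modify a privileged instance profile": [
        "iam:PassRole", "iam:RemoveRoleFromInstanceProfile", "iam:AddRoleToInstanceProfile"],
}

def allowed_action_patterns(policy):
    """Lower-cased Action patterns from Allow statements; Action may be a string or a list."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend(a.lower() for a in ([actions] if isinstance(actions, str) else actions))
    return patterns

def shadow_admin_findings(policy):
    """Table rows this policy fully enables. Deny statements, NotAction, Resource
    scoping and Condition keys are not evaluated, so treat hits as review candidates."""
    patterns = allowed_action_patterns(policy)
    def granted(action):  # IAM matching is case-insensitive; patterns may use * and ?
        return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    return [row for row, actions in SHADOW_ADMIN_ACTIONS.items() if all(map(granted, actions))]

# Constructed sample: reads as "read-only", but "iam:Pass*" silently covers iam:PassRole.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:Pass*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:AssociateIamInstanceProfile", "Resource": "*"}]}
```

Run `shadow_admin_findings(SAMPLE_POLICY)` to see that the wildcard plus the EC2 permission together complete the "Attach a privileged instance profile" row; the same approach applies to the Azure and GCP tables with their own permission strings.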

The following table describes how shadow admin permissions can expand your attack surface on the Azure cloud platform:

| Activity | Azure permission(s) | Description |
|---|---|---|
| Elevate access | Microsoft.Authorization-elevateAccess/Action | An attacker can exploit this permission by elevating themselves to admin. |
| Modify role definition | Microsoft.Authorization-roleDefinitions/write | An attacker can exploit this permission by modifying roles to create admin entities. |
| Grant admin rights | Microsoft.Authorization-roleAssignments/write | An attacker can exploit this permission by assigning privileged roles, which creates admin entities. |

The following table describes how shadow admin permissions can expand your attack surface on the GCP cloud platform:

| Activity | GCP permission(s) | Description |
|---|---|---|
| Modify resource policies | resourcemanager-folders.setIamPolicy, resourcemanager-organizations.setIamPolicy, resourcemanager-projects.setIamPolicy | An attacker can exploit these permissions by modifying resource IAM policies to create admin entities. |
| Modify IAM roles | iam-roles.create, iam-roles.undelete, iam-roles.update, iam-serviceaccounts.setIamPolicy, iam-serviceaccountkeys.create | An attacker can exploit these permissions by modifying resource IAM roles to create admin entities. |
| Set IAM policy on managed identities | managedidentities-domains.setIamPolicy | An attacker can exploit this permission by modifying resource IAM roles to create admin entities. |
| Modify secrets | secretmanager-secrets.setIamPolicy, secretmanager-secrets.create | An attacker can exploit these permissions by modifying a secret to provide access to privileged entities not originally included. |