AWS Organizations Mis-scoped Policy Exposes Entire Cloud Infrastructure to Attackers
July 15th, 2025
Severity Level: Medium

Technical Details
Affected Component: AWS Organizations - Delegated Administrator Functionality and Managed Policies.
Severity: Medium.
Affected Services: AWS IAM Identity Center (formerly SSO), AWS CloudFormation StackSets, Amazon GuardDuty.
Vulnerability Type: Misconfiguration, Abuse, and Overly Permissive Policies.
Exploitation Method:
Leverages access to a compromised delegated administrator account to enumerate all accounts and organizational units (OUs) within the AWS Organization (delegated administrators are permitted to list accounts and OUs).
Abuses the overly permissive AmazonGuardDutyFullAccess (v1) managed policy, which grants organizations:RegisterDelegatedAdministrator without restricting the service principal, to register an attacker-controlled account as delegated administrator for AWS services beyond GuardDuty. RegisterDelegatedAdministrator is accepted only from the management account, so this step needs the policy attached to a management-account principal.
Escalates privileges from the newly delegated account by assigning IAM Identity Center permission sets or deploying malicious CloudFormation StackSets across member accounts.
Attack Outcome:
Enables organization-wide compromise, including the management account.
Facilitates persistent backdoor deployment, lateral movement, and evasion through abuse of legitimate AWS services.
Patch Status:
AWS has released AmazonGuardDutyFullAccess_v2, which restricts delegation to GuardDuty only.
Starting August 26, 2025, new attachments of version 1 will be blocked; existing attachments are not changed automatically, so affected organizations must migrate their principals to version 2 themselves to remove the risk entirely.
Dependencies: Requires initial access via compromised credentials or leaked access keys, either for a management-account principal that holds the v1 policy or for an account already registered as a delegated administrator.
Our Cyber Threat Intelligence Unit has identified a cloud-focused attack technique in which adversaries abuse AWS Organizations' legitimate delegation features to escalate privileges, move laterally across multiple accounts, and gain complete administrative control of an entire AWS Organization. By exploiting misconfigured delegated administrator roles and overly permissive managed policies, adversaries can obtain organization-wide access, maintain persistence, and evade detection. This technique allows threat actors to compromise entire AWS environments, posing a significant risk to cloud infrastructure and administrative control.

Impact
Complete administrative takeover of the AWS Organization, including the management account.
Misuse of cross-account services such as IAM Identity Center, GuardDuty, AWS Config, and other integrated services.
Silent, programmatic escalation via AWS CLI/API, with no MFA prompt or manual admin interaction required.
Persistent and stealthy administrator-level access, which may evade detection for extended periods.
Loss of control over service delegation, potentially allowing unauthorized services or users to manage critical configurations.
Disruption of governance and compliance frameworks, especially in regulated industries that rely on strict account boundaries.
Tampering with security controls: modifying service control policies (SCPs), creating overly permissive roles, and manipulating audit logs.
Undetected lateral movement across accounts via legitimate delegation pathways.
Erosion of least-privilege principles, significantly increasing the potential blast radius of any internal or external compromise.
Severe reputational, financial, and regulatory risks, particularly if the misconfiguration is exploited before mitigation.
Detection Method
List principals assigned the AmazonGuardDutyFullAccess policy (version 1, the unscoped one) in the management account and identify any unintended assignments.
Monitor CloudTrail in the management account for RegisterDelegatedAdministrator API calls; the API is accepted only from the management account, so every call deserves review, and the servicePrincipal and accountId request parameters show which service was delegated to which account.
Compare the output of ListDelegatedAdministrators against the delegations you intend to have and flag unexpected services (e.g., Identity Center, StackSets) or unexpected accounts.
Audit IAM changes across accounts, with emphasis on policy attachments that grant Organizations delegation permissions.
Use automation or scripts, such as Cymulate’s Invoke-EnumDelegations tool, to detect and alert on newly registered delegated accounts.
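The two checks above (reviewing attached policies for an unscoped delegation grant, and reviewing CloudTrail for unexpected RegisterDelegatedAdministrator calls) can be scripted. The following is an added example, not code from the advisory or from Cymulate: it runs offline over constructed sample data. The two policy documents only mimic the shape of the v1 and v2 grants and are not verbatim copies of the AWS managed policies; the CloudTrail records, account IDs, ARNs, and the EXPECTED_DELEGATIONS allowlist are placeholders. In a real deployment the policy documents would come from IAM GetPolicyVersion and the records from CloudTrail in us-east-1 of the management account, where Organizations API events are recorded.

```python
import fnmatch
import json

# Constructed, illustrative policy statements: the first has the *shape* of the
# v1 grant (RegisterDelegatedAdministrator with no service-principal condition),
# the second is scoped to GuardDuty. Neither is a verbatim AWS managed policy.
POLICY_UNSCOPED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OrgDelegation", "Effect": "Allow", "Resource": "*",
    "Action": ["organizations:EnableAWSServiceAccess",
               "organizations:RegisterDelegatedAdministrator",
               "organizations:ListDelegatedAdministrators"]}]}
POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "GuardDutyOnlyDelegation", "Effect": "Allow", "Resource": "*",
    "Action": ["organizations:EnableAWSServiceAccess",
               "organizations:RegisterDelegatedAdministrator"],
    "Condition": {"StringEquals": {"organizations:ServicePrincipal": [
        "guardduty.amazonaws.com", "malware-protection.guardduty.amazonaws.com"]}}}]}

DELEGATION_ACTION = "organizations:RegisterDelegatedAdministrator"

def _as_list(value):
    return value if isinstance(value, list) else ([] if value is None else [value])

def _action_matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _scoped_by_service_principal(stmt):
    # Any condition operator keyed on organizations:ServicePrincipal limits which
    # services the caller may delegate; that condition is what v2 adds over v1.
    return any(k.lower() == "organizations:serviceprincipal"
               for block in stmt.get("Condition", {}).values() for k in block)

def unscoped_delegation_grants(policy_doc):
    """Sids (or positions) of Allow statements that permit
    RegisterDelegatedAdministrator for any service principal."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allow-everything-except: grants unless excluded
            grants = not any(_action_matches(p, DELEGATION_ACTION)
                             for p in _as_list(stmt["NotAction"]))
        else:
            grants = any(_action_matches(p, DELEGATION_ACTION)
                         for p in _as_list(stmt.get("Action")))
        if grants and not _scoped_by_service_principal(stmt):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings

def flag_delegation_events(records, expected):
    """expected: service principal -> set of account IDs meant to hold that
    delegation. Returns one finding per RegisterDelegatedAdministrator event
    that registers an unexpected service or an unexpected account."""
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "organizations.amazonaws.com", "RegisterDelegatedAdministrator"):
            continue
        params = rec.get("requestParameters") or {}
        service, target = params.get("servicePrincipal"), params.get("accountId")
        if service not in expected:
            reason = "delegation for service never expected"
        elif target not in expected[service]:
            reason = "delegation to unexpected account"
        else:
            continue
        findings.append({"eventTime": rec.get("eventTime"),
                         "actor": (rec.get("userIdentity") or {}).get("arn"),
                         "servicePrincipal": service, "targetAccount": target,
                         "reason": reason})
    return findings

def _rec(time, name, actor, **params):
    # Constructed CloudTrail record, trimmed to the fields the check reads.
    return {"eventTime": time, "eventSource": "organizations.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": actor},
            "requestParameters": params}

MGMT_ADMIN = "arn:aws:iam::111111111111:role/SecurityAdmin"  # placeholder ARN
SAMPLE_RECORDS = [
    _rec("2025-07-14T09:12:01Z", "RegisterDelegatedAdministrator", MGMT_ADMIN,
         accountId="222222222222", servicePrincipal="guardduty.amazonaws.com"),
    _rec("2025-07-14T09:15:44Z", "RegisterDelegatedAdministrator", MGMT_ADMIN,
         accountId="222222222222", servicePrincipal="sso.amazonaws.com"),
    _rec("2025-07-14T09:16:02Z", "RegisterDelegatedAdministrator", MGMT_ADMIN,
         accountId="333333333333",
         servicePrincipal="member.org.stacksets.cloudformation.amazonaws.com"),
    _rec("2025-07-14T09:20:00Z", "ListDelegatedAdministrators", MGMT_ADMIN),
]
# Delegations this hypothetical organization intends to have (placeholder IDs).
EXPECTED_DELEGATIONS = {
    "guardduty.amazonaws.com": {"222222222222"},
    "member.org.stacksets.cloudformation.amazonaws.com": {"444444444444"},
}

if __name__ == "__main__":
    print("unscoped grants:", unscoped_delegation_grants(POLICY_UNSCOPED),
          unscoped_delegation_grants(POLICY_SCOPED))
    print(json.dumps(flag_delegation_events(SAMPLE_RECORDS, EXPECTED_DELEGATIONS), indent=2))
```

Run against the sample data, the unscoped policy is reported by its Sid while the scoped one is clean, and two of the three registration events are flagged: the Identity Center (sso.amazonaws.com) delegation because no such delegation is expected at all, and the StackSets delegation because it targets an account other than the intended one. The policy check deliberately treats any organizations:ServicePrincipal condition as scoping without evaluating its values, so a condition that lists far too many service principals still needs a human look.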
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this Advisory.

Recommendations
Implement least-privilege access: avoid using broad managed policies in management account roles.
Enable logging and alerts for RegisterDelegatedAdministrator actions.
Implement proper delegation procedures: only assign delegated admin accounts for explicitly specified services.
Use Access Analyzer and IAM Access Advisor to identify and refine permissions based on actual usage.
Continuously review policy permissions, especially when updating or deploying AWS-managed policies.
Conclusion
This threat highlights how overlooked configurations within core cloud services create hidden pathways for privilege escalation. In this case, misconfiguring delegation rights in AWS Organizations exposed critical control planes, including IAM Identity Center and CloudFormation StackSets. Organizations running multi-account setups must implement a stricter permissions management approach, regularly auditing and validating delegation routes, especially when assigning administrative privileges. Proactively detecting sensitive API activities and updating policies promptly are essential for defending against sophisticated lateral movement techniques in the cloud. We urge organizations to implement measures to counter this threat and mitigate associated risks.