A critical security vulnerability in AWS Organizations has been discovered that could allow attackers to achieve complete control over entire multi-account AWS environments through a mis-scoped managed policy.The flaw, identified in the AmazonGuardDutyFullAccess managed policy version 1, enables privilege escalation from a compromised member account to full organizational takeover, including potential control of the management account itself.The vulnerability stems from an improperly scoped permission within the AWS-managed policy that grants the `organizations:RegisterDelegatedAdministrator` action with unrestricted resource access.This oversight allows attackers who compromise a user or role in the management account with the vulnerable policy attached to register any account within the organization as a delegated administrator for sensitive services, effectively bypassing intended security boundaries.The attack vector leverages AWS Organizations’ delegated administrator feature, which was designed to reduce reliance on highly privileged management accounts by allowing specific member accounts to administer services organization-wide.However, the mis-scoped policy transforms this security feature into a powerful [escalation mechanism](https://cybersecuritynews.com/ms-patch-rce-privilege-escalation/).An attacker can chain delegation privileges with control over a member account to gain administrative access to critical services such as AWS Identity and Access Management Identity Center (formerly SSO) or CloudFormation StackSets across all organizational accounts.Cymulate researchers [identified](https://cymulate.com/blog/aws-delegated-admin-org-takeover/) this vulnerability during their investigation of AWS Organizations cross-account pivoting and compromise scenarios.The research team, led by Ben Zamir, discovered that the policy’s overly permissive structure could enable attackers to delegate sensitive services to accounts under their control, subsequently manipulating organization-wide identity management or deploying malicious infrastructure across the entire environment.The technical exploitation process involves several critical steps that demonstrate the severity of this vulnerability.Once an attacker compromises a management account identity with the vulnerable policy, they can execute the following command to register a controlled account as a delegated administrator:- aws organizations register-delegated-administrator –account-id –service-principal **Persistence and Privilege Escalation Mechanism**————————————————–The most concerning aspect of this vulnerability lies in its ability to establish [persistent](https://cybersecuritynews.com/using-threat-intelligence-to-combat-advanced-persistent-threats-apts/), organization-wide access through legitimate AWS features. .webp) Persistence and Privilege Escalation (Source — Cymulate)When an attacker successfully registers a compromised account as a delegated administrator for AWS Identity Center, they gain the ability to manipulate permission sets, user groups, and access configurations across all organizational accounts.This capability allows them to add malicious identities to [high-privilege](https://cybersecuritynews.com/microsoft-enhance-microsoft-365-security/) groups or reset passwords of users with administrative access to the management account.The persistence mechanism is particularly insidious because it operates through legitimate delegation channels that may not trigger traditional security alerts. .webp) Attack flow (Source — Cymulate)Attackers can modify existing permission sets or create new ones with elevated privileges, ensuring continued access even if the initial compromise vector is discovered and remediated.Additionally, the read-only organizational access granted to delegated administrators provides complete visibility into the environment structure, enabling attackers to identify high-value targets and plan sophisticated [multi-account attacks](https://cybersecuritynews.com/information-security-threats-for-business/).AWS has responded to this discovery by releasing version 2 of the AmazonGuardDutyFullAccess managed policy with stricter resource constraints that eliminate the escalation path.However, existing roles and users attached to version 1 remain vulnerable until administrators manually upgrade to the corrected policy.Organizations should immediately audit all principals using the vulnerable policy and implement the updated version to prevent potential exploitation of this critical security flaw.Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions –> [**Try ANY.RUN now**](https://any.run/demo?utm_source=csn&utm_medium=article&utm_campaign=braodo_stealer&utm_content=demo_1&utm_term=250625)The post [AWS Organizations Mis-scoped Managed Policy Let Hackers To Take Full AWS Organization Control](https://cybersecuritynews.com/aws-organizations-mis-scoped-managed-policy/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
Related Tags:
Modify Cloud Resource Hierarchy
NAICS: 551 – Management Of Companies And Enterprises
NAICS: 55 – Management Of Companies And Enterprises
NAICS: 54 – Professional
Scientific
Technical Services
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 51 – Information
Blog: Cybersecurity News
Software Discovery: Security Software Discovery
Associated Indicators: