Cymulate Research Labs has disclosed a severe weakness in AWS Organizations’ delegation procedures, a finding that has users of Amazon’s multi-account cloud management service on edge.
The research demonstrates that attackers could abuse misconfigured delegation architectures and a high-impact IAM policy oversight to pivot laterally, escalate privileges, and ultimately seize control over an entire AWS Organization including the prized management account.
Critical AWS Delegation Flaw Unveiled
The core of the issue revolves around AWS Organizations’ delegated administrator feature.
Designed as a security and scalability best practice, this capability allows the organization’s management account to offload service-specific administrative duties to designated member accounts.
However, when delegation is misconfigured, or over-scoped policies are applied, this architectural approach can become a powerful tool for adversaries.

Cymulate’s investigation shows that a compromised user or role in a member account, particularly one whose sensitivity has been misclassified or that has been granted over-permissive access, could be weaponized to exploit trusted delegation mechanisms.
This, in turn, allows for persistent lateral movement and privilege escalation throughout all accounts under the organization’s governance.
The research further spotlights a critical flaw in the first version of Amazon’s managed policy, AmazonGuardDutyFullAccess.
The policy inadvertently granted the organizations:RegisterDelegatedAdministrator action with unrestricted scope (Resource: *) and without any limiting condition.
This meant that any principal in the management account with this policy could register any account as a delegated administrator for any supported AWS service, not just GuardDuty.
In the presence of a compromised management-account user or role, this exposed the entire organization’s structure.
Attackers could assign themselves control of sensitive services like IAM Identity Center (formerly SSO) or CloudFormation StackSets, which would allow them to manipulate organizational SSO groups, inject backdoors, or even escalate their privileges to become full organizational administrators.
Exposes Multi-Account Cloud Environments
The impact of this loophole is profound. With the right combination of misconfiguration and compromise, adversaries could gain and maintain organizational persistence, execute stealthy operations mimicking legitimate administrative behavior, and bypass conventional detection measures.
The attack chain illustrated by Cymulate includes steps such as registering a compromised account as a delegated administrator for a sensitive service, leveraging this access to modify identities and permissions at scale, and ultimately hijacking the organization’s most privileged accounts.
AWS responded to the disclosure by issuing a new, more tightly scoped version (v2) of the affected policy, restricting the dangerous action so that it permits only GuardDuty-specific delegation.

Administrators are now urged to identify and detach the old AmazonGuardDutyFullAccess policy from all users and roles, replacing it with the updated version or a carefully crafted least-privilege policy.
Notably, AWS will prevent new attachments of the older policy starting August 26, 2025, but pre-existing assignments must be remediated manually to eliminate the lingering risk.
AWS has also proactively notified affected customers through email and the Health Dashboard.
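The following script is an added example, not Cymulate’s or AWS’s code, that shows the difference between the over-scoped v1-style grant described above and a v2-style grant scoped to one service, and that doubles as an audit check for the remediation step: it flags any Allow statement that grants organizations:RegisterDelegatedAdministrator (directly or through a wildcard such as organizations:*) without a condition on the organizations:ServicePrincipal key. The two policy documents are constructed to match the article’s description and are not the real AWS policy text; the condition key name is the Organizations condition key used to scope delegation and is assumed to be what the v2 policy relies on.

```python
"""Audit IAM policy documents for an unscoped RegisterDelegatedAdministrator grant."""
import fnmatch
import json

DELEGATION_ACTION = "organizations:RegisterDelegatedAdministrator"
# Condition key that limits delegation to a single service principal (assumed, see lead-in).
SERVICE_PRINCIPAL_KEY = "organizations:serviceprincipal"  # compared case-insensitively

# Constructed stand-in for the v1 policy: delegation allowed for any service.
V1_LIKE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["guardduty:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["organizations:RegisterDelegatedAdministrator",
                    "organizations:ListDelegatedAdministrators"],
         "Resource": "*"},
    ],
})

# Constructed stand-in for the v2 policy: delegation allowed only for GuardDuty.
V2_LIKE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["guardduty:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": "organizations:RegisterDelegatedAdministrator",
         "Resource": "*",
         "Condition": {"StringEquals": {
             "organizations:ServicePrincipal": "guardduty.amazonaws.com"}}},
    ],
})

# Constructed custom policy that is just as dangerous as v1 via a wildcard.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "organizations:*", "Resource": "*"}],
})


def _as_list(value):
    """IAM allows single strings where lists are expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_unscoped_delegation(policy_json):
    """Return the Allow statements that grant RegisterDelegatedAdministrator
    without a Condition on the service principal. NotAction/Deny semantics are
    out of scope for this check and are ignored."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_action_matches(p, DELEGATION_ACTION) for p in actions):
            continue
        condition = stmt.get("Condition") or {}
        scoped = any(
            SERVICE_PRINCIPAL_KEY in (k.lower() for k in keys)
            for keys in condition.values()
        )
        if not scoped:
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    for label, doc in (("v1-like", V1_LIKE_POLICY), ("v2-like", V2_LIKE_POLICY),
                       ("wildcard", WILDCARD_POLICY)):
        hits = find_unscoped_delegation(doc)
        print(f"{label}: {'UNSCOPED delegation grant' if hits else 'ok'} ({len(hits)} statement(s))")
```

Run the check against the inline policy documents in customer-managed policies and any inline policies attached to management-account principals; the check is intentionally broader than the one managed policy, because a home-grown policy with organizations:* on Resource: * carries the same escalation path.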
This episode serves as a stark reminder that even security best practices like account delegation and managed policies require vigilant configuration and regular audits.
Organizations are now encouraged to map all delegated admin accounts, classify them by risk tier, monitor delegation-related events via CloudTrail, and conduct simulated attack exercises to identify visibility and response gaps.
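As an added example of the CloudTrail monitoring recommended above (not code from Cymulate or AWS), the script below compares RegisterDelegatedAdministrator and DeregisterDelegatedAdministrator events against an approved delegation map and emits a finding for any delegation that names an unapproved service principal or an unexpected account. The log records are constructed for the example; their requestParameters field names mirror the Organizations API parameters, which is an assumption about the real record shape, and the account ids and ARNs are placeholders.

```python
"""Detect delegated-administrator changes in CloudTrail that fall outside an approved map."""

# Approved delegations: service principal -> the one account allowed to hold that role.
# Constructed allow-list; derive yours from a current map of delegated admins.
APPROVED_DELEGATIONS = {
    "guardduty.amazonaws.com": "222222222222",
    "securityhub.amazonaws.com": "222222222222",
}

WATCHED_EVENTS = {"RegisterDelegatedAdministrator", "DeregisterDelegatedAdministrator"}

# Constructed CloudTrail records. Organizations API calls are recorded as global
# service events in the management account (us-east-1 trail), so that is the
# trail to feed this scanner.
SAMPLE_EVENTS = [
    {"eventSource": "organizations.amazonaws.com",
     "eventName": "RegisterDelegatedAdministrator",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/OrgAdmin"},
     "requestParameters": {"accountId": "222222222222",
                           "servicePrincipal": "guardduty.amazonaws.com"}},
    {"eventSource": "organizations.amazonaws.com",
     "eventName": "RegisterDelegatedAdministrator",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/gd-operator"},
     "requestParameters": {"accountId": "333333333333",
                           "servicePrincipal": "sso.amazonaws.com"}},
    {"eventSource": "organizations.amazonaws.com",
     "eventName": "RegisterDelegatedAdministrator",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/gd-operator"},
     "requestParameters": {"accountId": "444444444444",
                           "servicePrincipal": "guardduty.amazonaws.com"}},
    {"eventSource": "organizations.amazonaws.com",
     "eventName": "DeregisterDelegatedAdministrator",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/OrgAdmin"},
     "requestParameters": {"accountId": "222222222222",
                           "servicePrincipal": "securityhub.amazonaws.com"}},
    {"eventSource": "organizations.amazonaws.com",
     "eventName": "ListDelegatedAdministrators",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/Auditor"},
     "requestParameters": None},
]


def classify_event(event):
    """Return None for benign records, or a finding dict for a suspicious delegation change."""
    if event.get("eventSource") != "organizations.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in WATCHED_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    principal = params.get("servicePrincipal")
    account = params.get("accountId")
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    base = {"event": name, "actor": actor, "service": principal, "account": account,
            # A failed call (errorCode present) is still an attempt worth reviewing.
            "failed": "errorCode" in event}
    if name == "DeregisterDelegatedAdministrator":
        # Removing a delegation for a security service can be a blinding step.
        return {**base, "severity": "medium", "reason": "delegated admin removed"}
    if APPROVED_DELEGATIONS.get(principal) == account:
        return None
    reason = ("unapproved service principal" if principal not in APPROVED_DELEGATIONS
              else "unexpected account for service")
    return {**base, "severity": "high", "reason": reason}


def scan(events):
    """Run classify_event over a batch of records and keep only the findings."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The high-severity path catches the case the article describes: a principal holding GuardDuty permissions registering a delegated administrator for IAM Identity Center. Keeping the approved map in version control and alerting on any diff between it and ListDelegatedAdministrators output closes the loop between the detection and the inventory of delegated accounts.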
The vulnerability uncovered in AmazonGuardDutyFullAccess underscores the reality that even managed security frameworks can harbor hidden escalation paths if not rigorously maintained.
As attackers increasingly target the operational fabric of cloud environments, defenders must treat delegated administrator accounts, and the policies governing them, as high-value assets warranting the highest level of scrutiny and segregation.
The findings from Cymulate reinforce the need for continuous, proactive defense in the ever-evolving cloud threat landscape.