Not necessarily a security vulnerability per se, but I was able to fill up the AWS account with CloudWatch log groups by doing the following:
1. "env | grep AWS"
2. Export those creds locally where you have the CLI installed. They'll work for at least 15-30 minutes depending on the IAM config.
3. Run "aws sts get-caller-identity" to see the role info.
This prints:
123260633446 arn:aws:sts::123260633446:assumed-role/lambda_basic_execution/exec
Which seems to imply it has the default Lambda basic execution policy. That policy has the permission "logs:CreateLogGroup" which means you can then run:
aws logs create-log-group --log-group-name <random name>
Repeat x5000 and hit the AWS limit for log groups in an account. This isn't necessarily a security risk in and of itself, but it could cause issues if anything else were running in the account that needs logs, or could prevent new services from spinning up.
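The burst described above, seen from the detection and hardening side, as an added example that is not part of the original comment: it counts logs:CreateLogGroup calls per principal in a sliding window over constructed CloudTrail-shaped records, and flags an execution-role policy whose logs:CreateLogGroup grant is not scoped to a named log group (an assumed precondition for creating arbitrarily named groups). The account id, ARNs, timestamps and event shapes are all constructed.

```python
import bisect
from datetime import datetime, timedelta, timezone

ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/lambda_basic_execution/exec"  # constructed

def _event(principal, ts, name):
    # Minimal CloudTrail-shaped record (constructed; only the fields we inspect).
    return {"eventSource": "logs.amazonaws.com", "eventName": "CreateLogGroup",
            "eventTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "userIdentity": {"arn": principal},
            "requestParameters": {"logGroupName": name}}

def sample_events():
    """Constructed trail: 40 junk log groups from the Lambda role in 6.5 minutes,
    plus two legitimate creations by an admin user an hour apart."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    evs = [_event(ROLE_ARN, t0 + timedelta(seconds=10 * i), f"junk-{i:04d}") for i in range(40)]
    admin = "arn:aws:iam::111122223333:user/admin"
    evs += [_event(admin, t0 + timedelta(hours=h), f"/app/svc{h}") for h in (1, 2)]
    return evs

def create_log_group_bursts(events, window=timedelta(minutes=5), threshold=20):
    """Return {principal_arn: max CreateLogGroup calls in any `window`} where that max >= threshold."""
    times = {}
    for e in events:
        if e.get("eventSource") == "logs.amazonaws.com" and e.get("eventName") == "CreateLogGroup":
            ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            times.setdefault(e["userIdentity"]["arn"], []).append(ts)
    hits = {}
    for arn, ts in times.items():
        ts.sort()  # sliding window: for each call, count calls up to `window` later
        best = max(bisect.bisect_right(ts, t + window) - i for i, t in enumerate(ts))
        if best >= threshold:
            hits[arn] = best
    return hits

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def _any_log_group(resource):
    # "*", "arn:aws:logs:<region>:<acct>:*" and "...:log-group:*" all cover log groups of any name.
    f = resource.split(":")
    return resource == "*" or (len(f) > 5 and f[5] == "*") or (len(f) > 6 and f[5] == "log-group" and f[6] == "*")

def allows_create_log_group_anywhere(policy):
    """True if an Allow statement grants logs:CreateLogGroup without scoping it to a named log group."""
    for st in policy.get("Statement", []):
        acts = {a.lower() for a in _as_list(st.get("Action"))}
        if st.get("Effect") == "Allow" and acts & {"logs:createloggroup", "logs:*", "*"} \
                and any(_any_log_group(r) for r in _as_list(st.get("Resource"))):
            return True
    return False
```

Pointing the burst detector at real CloudTrail exports only requires feeding it the parsed `Records` list; the policy check takes the JSON policy document attached to the execution role.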