Entitlement Risks

This topic lists all possible entitlement risks grouped by category.

Allows Access

Allows Full Admin

A cloud user admin account typically has extensive access and control over the cloud environment. It often has the ability to create, modify, and delete resources, configure security settings, manage user accounts, and make critical changes to the infrastructure.

With such broad privileges, a compromised admin account can have severe consequences, including unauthorized access, data breaches, or malicious activity across the whole environment.

Allows IAM Write

Risks associated with allowing IAM write permissions include unauthorized modification of identities and policies, escalation of privileges, data leakage, and data loss.

Allows Compute Execute

Control over compute resources is a typical target of attacks such as crypto-mining. This control can lead to unintended damage and unplanned cloud spend.

Controlling compute resources may also lead to executing attacker-controlled code on existing resources.

Allows Privilege Passing

Roles may be unintentionally passed and used through a combination of allowed action types (pass, update, execute). This can lead to unintentional privilege escalation.

When roles allow passing, the destination role should have fewer or equal permissions when compared to the source.
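The check described above, as an added example written for this page (not code from the original documentation or any product): given each role's allowed actions, it flags a source role that can both pass a role and update or execute something under it, and reports which destination roles would grant it permissions it does not already hold. The role names, action sets and the AWS-style action names used to classify pass/update/execute actions are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample: role name -> set of allowed action patterns (IAM-style "*" wildcards).
ROLES = {
    "admin-role": {"*"},
    "deploy-role": {"iam:PassRole", "lambda:CreateFunction", "lambda:UpdateFunctionCode", "s3:GetObject"},
    "reader-role": {"s3:GetObject"},
}

# Assumed classification of action types (adjust to your provider's action names).
PASS_ACTIONS = {"iam:PassRole"}
UPDATE_ACTIONS = {"lambda:UpdateFunctionConfiguration", "ec2:ReplaceIamInstanceProfileAssociation"}
EXECUTE_ACTIONS = {"lambda:CreateFunction", "lambda:UpdateFunctionCode", "ec2:RunInstances"}


def allows(patterns, action):
    """True if any allowed pattern (possibly wildcarded) covers the given action."""
    return any(fnmatchcase(action, pattern) for pattern in patterns)


def can_pass_and_use(source):
    """The source can pass a role AND update or execute a resource that runs under it."""
    acts = ROLES[source]
    has_pass = any(allows(acts, a) for a in PASS_ACTIONS)
    has_use = any(allows(acts, a) for a in UPDATE_ACTIONS | EXECUTE_ACTIONS)
    return has_pass and has_use


def extra_permissions(source, destination):
    """Destination actions the source does not already hold: the escalation surface.

    A wildcard in the destination is only treated as covered when a source pattern
    matches it literally (e.g. source "*" covers everything); this is conservative.
    """
    src = ROLES[source]
    return sorted(a for a in ROLES[destination] if not allows(src, a))


def privilege_passing_findings(source):
    """Destinations that violate 'fewer or equal permissions' relative to the source."""
    if not can_pass_and_use(source):
        return {}
    return {
        dst: extra
        for dst in ROLES
        if dst != source and (extra := extra_permissions(source, dst))
    }
```

A destination that appears in the result with a non-empty list should either lose those permissions or be removed from what the source is allowed to pass.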

Allows Secrets Read

Secrets, such as access keys, passwords, or cryptographic keys, often provide privileged access to systems, services, or data.

Granting read access to secrets to unauthorized users can lead to the exposure of sensitive information. Malicious actors or unauthorized users with access to secrets can misuse or abuse these credentials, leading to unauthorized access, data breaches, or other security incidents.

Allows Storage Write

Write access to storage can allow data deletion, tampering, or denial of service through exceeding quotas.

Unauthorized individuals may exploit this access to remove or hide sensitive information.

Allows Storage Read

Read access to storage can enable unauthorized users to copy, download, or extract data from the storage system.

Malicious actors or unauthorized individuals may exploit this access to exfiltrate data for unauthorized purposes, such as selling or exposing the data to external parties. This can result in reputational damage, financial losses, or compliance violations.

Allows Exposure

Allows Credential Exposure

Credentials often provide privileged access to systems, databases, or other resources within the cloud environment.

Exposing credentials increases the risk of compromising sensitive information, including usernames, passwords, access keys, or cryptographic keys. This can lead to unauthorized access to confidential data, financial loss, or reputation damage.

Allows Resource Exposure

A user is capable of performing actions that would lead to an Exposure Public finding. Allowing resource exposure permissions may grant users access to sensitive resources or data that they should not have access to.

This can result in unauthorized modification, deletion, or extraction of data, leading to data breaches or unauthorized access to critical systems or services.

Externally Exposed

Exposure Public

A resource is currently exposed to the internet. Publicly exposing resources or services increases the risk of unauthorized access.

Malicious actors can discover and exploit vulnerabilities in exposed systems, leading to unauthorized access to sensitive data, systems, or infrastructure.

Cross-account Trust Exposure

Exposing a resource to a single external principal allows users outside your trust domain (for example, your account or organization) to potentially access or control critical resources.

Password Access

Password Login No MFA

Without the additional layer of MFA, password-only authentication becomes more susceptible to various password attacks. These include brute-force attacks, dictionary attacks, or credential stuffing attacks, where attackers attempt to guess or crack user passwords. If successful, attackers can gain unauthorized access to user accounts and potentially compromise sensitive data or resources.

Root User

Root User Access Key

Root User Password Login No MFA

Root user access keys and login passwords, if not adequately protected, can be a valuable target for attackers.

Root users have unrestricted access and control over all resources and settings within the cloud environment. This level of privilege can lead to unauthorized modifications, accidental misconfigurations, or unrestricted access to sensitive data. Any compromise or misuse of the root user's secret access keys can have severe consequences, potentially impacting the entire infrastructure.

Hardcoded Access Key

Hardcoded Active Access Key

Hardcoded Inactive Access Key

Hardcoded access keys may be discovered by attackers through reverse engineering, code analysis, or by gaining unauthorized access to the application's code or configuration files.

Once obtained, these keys may be used by malicious actors to access sensitive resources, perform unauthorized actions, or compromise the security of the API.

Unused

Unused Active Access Key

Unused Inactive Access Key

Unused access keys carry the same risk as hardcoded ones: they remain valid while nobody is watching them, and may be discovered by attackers through reverse engineering, code analysis, or by gaining unauthorized access to the application's code or configuration files.

Unused User

An identity that has not been used recently is a risk because it may have been forgotten or neglected, leaving it vulnerable to discovery and exploitation by attackers. Unused identities may still have access to sensitive information or resources. It's important to regularly review and manage all identities, even if they are not frequently used.
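The Password Login No MFA, Root User Access Key and Unused Active Access Key risks above can all be detected from a per-identity credential report. The example below is added for this page and is not code from the original documentation or any product; the report format is modelled on an IAM credential report, and the column names, sample rows and 90-day threshold are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (assumed column names; dates are ISO 8601, "N/A" means never).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2023-01-10T00:00:00+00:00,true,2024-05-01T00:00:00+00:00,true,true,2023-01-10T00:00:00+00:00,2024-04-20T00:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T00:00:00+00:00,true,2024-05-30T00:00:00+00:00,false,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-03-01T00:00:00+00:00,false,N/A,false,true,2023-03-01T00:00:00+00:00,2023-09-01T00:00:00+00:00
"""

# Fixed "current time" so the sample evaluates the same way every run (assumption).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _date(value):
    """Parse a report timestamp; None when the report has no usable date."""
    return None if value in ("N/A", "no_information", "") else datetime.fromisoformat(value)


def credential_findings(report_csv, now, unused_after_days=90):
    """Map each identity to the entitlement risks its credential-report row exhibits."""
    cutoff = now - timedelta(days=unused_after_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        risks = []
        is_root = row["user"] == "<root_account>"
        key_active = row["access_key_1_active"] == "true"
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            risks.append("Root User Password Login No MFA" if is_root else "Password Login No MFA")
        if is_root and key_active:
            risks.append("Root User Access Key")
        if key_active:
            # A key never used counts from its last rotation; otherwise from its last use.
            last = _date(row["access_key_1_last_used_date"]) or _date(row["access_key_1_last_rotated"])
            if last is not None and last < cutoff:
                risks.append("Unused Active Access Key")
        if risks:
            findings[row["user"]] = risks
    return findings


def demo():
    """Evaluate the constructed sample against the fixed sample time."""
    return credential_findings(SAMPLE_REPORT, SAMPLE_NOW)
```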