CloudTrail Logging Evasion: Where Policy Size Matters

In a recent discovery, Daniel Bohannon and Abian Morina uncovered a CloudTrail logging evasion vulnerability related to AWS IAM policy size manipulation. By exploiting JSON whitespace rules, attackers can create oversized policies that evade CloudTrail logging while still being accepted by AWS.

Key Findings:

  1. Whitespace Manipulation: Use standard JSON whitespace (not Unicode) to inflate policy size without exceeding deserialized limits.
  2. Policy Size Limits:
     • Serialized (with whitespace): Must be between 102,401–131,072 characters.
     • Deserialized (actual policy): Must stay under 2,048–10,240 characters (depending on policy type).
  3. SDK Selection: Use an SDK that does not re-serialize the policy document (and so strip its whitespace) before sending the request to AWS.

Proof of Concept (PoC) Command (AWS Tools for PowerShell; the `*` operators were lost in the page's rendering and are restored here):

    # Appends 123,456 spaces of ordinary JSON whitespace: the request lands in the 102,401-131,072 range while the deserialized policy stays tiny
    New-IAMPolicy -PolicyName "BigPolicyRetest_OpNjeri_1" -PolicyDocument ('{"Version":"2012-10-17","Statement":[{"Sid":"VisualEditor0","Effect":"Allow","Action":"iam:CreateUser","Resource":"*"}]}' + (' ' * 123456))

You Should Know:

How to Detect & Mitigate This Evasion

1. Monitoring CloudTrail Gaps

  • AWS CLI Command to Check Recent IAM Policy Changes:
    aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreatePolicy --max-items 10 
    
  • Check for Missing Logs:
    aws cloudtrail get-event-selectors --trail-name <your-trail-name> 
    

2. Enforcing Policy Size Limits

  • AWS Config Rule to Detect Oversized Policies:
    aws configservice put-config-rule --config-rule file://oversized-policy-rule.json

Example JSON rule. AWS publishes no managed rule named IAM_POLICY_SIZE, so the check has to be a custom rule backed by a Lambda function that fetches each policy's default version and measures it; the function ARN below is a placeholder:

{
  "ConfigRuleName": "oversized-iam-policy-check",
  "Description": "Checks if IAM policies exceed deserialized size limits.",
  "Scope": { "ComplianceResourceTypes": ["AWS::IAM::Policy"] },
  "Source": {
    "Owner": "CUSTOM_LAMBDA",
    "SourceIdentifier": "arn:aws:lambda:<region>:<account-id>:function:<oversized-policy-checker>",
    "SourceDetails": [
      { "EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification" }
    ]
  }
}
3. Using Permiso Security’s Detection (as Shown in Original Post)

  • Their platform detects policy evasion attempts in real time.

4. Manual Verification of Policy Size

  • Extract and Count Policy Characters (the CLI returns `Document` as parsed JSON, so `tostring` re-emits it compactly and the count is the deserialized size, not the padded size that was sent):
    aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id> | jq '.PolicyVersion.Document | tostring | length'

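An added Python example, not code from the Permiso post or from Undercode, that ties the two size measurements in the Key Findings to the CloudTrail check in section 1 and the manual count in section 4. It measures a policy document both as sent (serialized, whitespace included) and as IAM counts it (deserialized, whitespace stripped), classifies it against the per-type limits, and flags policy-writing CloudTrail records whose `requestParameters` carry no `policyDocument`. The 102,400-character threshold and the 2,048–10,240 per-type limits come from the findings above; the sample policy text, the CloudTrail-style records and the `build_policy` helper are constructed for the demo, and the `policyDocument` field name is assumed to follow CloudTrail's camelCase convention.

```python
import json

# Deserialized limits IAM enforces on a policy document (characters, whitespace excluded);
# the findings above give the range 2,048-10,240 depending on policy type.
DESERIALIZED_LIMITS = {
    "user_inline": 2048,
    "group_inline": 5120,
    "managed": 6144,
    "role_inline": 10240,
}
# Serialized (as-sent) size above which the post reports CloudTrail no longer captures the policy content.
SERIALIZED_THRESHOLD = 102_400
# IAM APIs whose request carries a policy document.
POLICY_WRITE_EVENTS = {"CreatePolicy", "CreatePolicyVersion", "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"}


def policy_sizes(document: str) -> tuple[int, int]:
    """Return (serialized, deserialized) character counts for one policy document.

    serialized   = the text exactly as submitted, padding included
    deserialized = the same JSON re-emitted without insignificant whitespace,
                   which is what IAM measures against its per-type limit
    """
    compact = json.dumps(json.loads(document), separators=(",", ":"))
    return len(document), len(compact)


def classify_policy(document: str, policy_type: str = "managed") -> str:
    """'rejected' if IAM would refuse it, 'padded' if IAM accepts it but it is oversized on the wire, else 'normal'."""
    serialized, deserialized = policy_sizes(document)
    if deserialized > DESERIALIZED_LIMITS[policy_type]:
        return "rejected"
    if serialized > SERIALIZED_THRESHOLD:
        return "padded"
    return "normal"


def find_events_without_document(records: list[dict]) -> list[str]:
    """eventIDs of IAM policy-writing events whose requestParameters carry no policyDocument (assumed field name)."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") not in POLICY_WRITE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        if "policyDocument" not in params:
            hits.append(rec["eventID"])
    return hits


def build_policy(n_statements: int) -> str:
    """Constructed helper: a compact policy with n identical harmless statements, to produce controlled sizes."""
    stmt = {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt] * n_statements}, separators=(",", ":"))


# Constructed samples: a small policy, the same policy padded with ordinary JSON whitespace,
# and three CloudTrail-style records.
BASE_POLICY = build_policy(1)
PADDED_POLICY = BASE_POLICY + " " * 110_000
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicy",
     "requestParameters": {"policyName": "ReadOnlyBuckets", "policyDocument": BASE_POLICY}},
    {"eventID": "evt-2", "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicy",
     "requestParameters": {"policyName": "BigPolicy"}},          # document absent from the record
    {"eventID": "evt-3", "eventSource": "iam.amazonaws.com", "eventName": "ListPolicies",
     "requestParameters": {}},                                    # not a policy-writing call
]

if __name__ == "__main__":
    for label, doc in (("base", BASE_POLICY), ("padded", PADDED_POLICY), ("200 statements", build_policy(200))):
        serialized, deserialized = policy_sizes(doc)
        print(f"{label:>15}: serialized={serialized:>7} deserialized={deserialized:>6} -> {classify_policy(doc, 'role_inline')}")
    print("records lacking a policy document:", find_events_without_document(SAMPLE_RECORDS))
```

The padded sample shows the gap the post describes: its deserialized size is the same 97-character policy IAM sees, so every per-type limit passes, while its serialized size exceeds 102,400. A real scan would feed `find_events_without_document` the records from `aws cloudtrail lookup-events` or from the trail's S3 objects, and treat any hit as a policy change whose content has to be recovered from IAM itself.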

What Undercode Say:

This evasion technique highlights a critical gap in AWS logging mechanisms. While AWS enforces deserialized policy size limits, serialized size manipulation allows attackers to bypass CloudTrail logging.

Mitigation Steps:

  • Enable AWS Organizations SCPs to restrict IAM policy creation.
  • Deploy custom Lambda functions to scan for oversized policies.
  • Monitor API activity for unusual IAM policy creation patterns.

Expected Linux & Windows Commands for Detection:

Linux (Bash) One-Liners:

# List customer-managed policies with their default version
# (list-policies does not return the policy document itself, so size has to be checked per version)
aws iam list-policies --scope Local --query 'Policies[].[Arn,DefaultVersionId]' --output text

# Extract and analyze policy sizes, reading each policy's default version rather than assuming v1
aws iam list-policies --scope Local --query 'Policies[].[Arn,DefaultVersionId]' --output text |
while read -r policy version; do
  size=$(aws iam get-policy-version --policy-arn "$policy" --version-id "$version" | jq '.PolicyVersion.Document | tostring | length')
  if [ "$size" -gt 10240 ]; then echo "$policy: $size chars"; fi
done

Windows (PowerShell) Detection:

# List oversized customer-managed policies
Get-IAMPolicyList -Scope Local | ForEach-Object {
    $version = Get-IAMPolicyVersion -PolicyArn $_.Arn -VersionId $_.DefaultVersionId
    # The API returns the document URL-encoded; decode it before measuring
    $doc = [System.Uri]::UnescapeDataString($version.Document)
    if ($doc.Length -gt 10240) { Write-Output "$($_.Arn): $($doc.Length) chars" }
}

Expected Output:

  • AWS CLI: Lists policies exceeding 10,240 characters.
  • CloudTrail Alerts: Missing `CreatePolicy` logs for oversized policies.
  • Permiso Security Platform: Real-time evasion alerts.

Prediction:

AWS will likely patch this by enforcing serialized policy size checks in CloudTrail. Until then, security teams should implement custom monitoring to detect such evasions.

Original Blog Post: https://permiso.io/blog/cloudtrail-logging-evasion-where-policy-size-matters

Reported By: Danielhbohannon Cloudtrail – Hackers Feeds