AWS API calls indicating Glue privilege escalation
Description
AlphaSOC detected an IAM policy change that grants a principal permissions
enabling privilege escalation through AWS Glue development endpoints. This
detection identifies two escalation patterns: the combination of iam:PassRole
with glue:CreateDevEndpoint and glue:GetDevEndpoint, or the combination of
glue:UpdateDevEndpoint with glue:GetDevEndpoint.
AWS Glue is a serverless ETL (Extract, Transform, Load) service for data integration. Development endpoints are Apache Zeppelin notebook environments that data engineers use for interactive development and testing of ETL scripts. These endpoints provide SSH access and run with attached IAM roles that typically have broad permissions to read from data sources and write to data lakes.
The first escalation path combines iam:PassRole, glue:CreateDevEndpoint, and
glue:GetDevEndpoint. This allows an attacker to create a new Glue development
endpoint and attach an IAM role with higher privileges than they currently hold.
Once created, the development endpoint is essentially a managed Apache Zeppelin
server with SSH access. The attacker can connect via SSH or the Zeppelin web
interface and execute arbitrary code (Python, Scala, or SQL) with the
permissions of the attached role. Development endpoints often have roles with
broad data access permissions, making them attractive targets.
The second escalation path uses glue:UpdateDevEndpoint with
glue:GetDevEndpoint. This allows an attacker to modify an existing development
endpoint's configuration, such as adding their SSH public key to the endpoint's
authorized keys or updating the endpoint's properties. Once updated, the
attacker can access the endpoint and inherit the permissions of the endpoint's
attached IAM role without needing iam:PassRole permissions.
Both paths provide interactive access to a compute environment running with elevated AWS permissions, enabling credential theft, data exfiltration, or lateral movement across the AWS environment.
This detection triggers on IAM policy creation or modification events
(CreatePolicy, CreatePolicyVersion, PutUserPolicy, PutGroupPolicy,
PutRolePolicy, AttachUserPolicy, AttachRolePolicy, AttachGroupPolicy)
that introduce these Glue privilege escalation patterns.
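To make the trigger condition concrete, here is an added Python example (not AlphaSOC's detection code) that applies the two action-set checks to a CloudTrail policy-change record. It assumes the inline policyDocument is the URL-encoded JSON string CloudTrail records for the Put*Policy and CreatePolicy* events, matches IAM wildcards case-insensitively, subtracts actions the same document explicitly denies, and runs over constructed sample records. The Attach*Policy events only carry a policyArn, so the managed policy's document would have to be fetched from IAM first; the example returns nothing for those rather than guessing.

```python
"""Added example: check a CloudTrail policy-change record for the two Glue
dev-endpoint escalation patterns (not AlphaSOC's detection code)."""
import fnmatch
import json
from urllib.parse import quote, unquote

# The two action sets the detection looks for.
ESCALATION_PATHS = {
    "create-dev-endpoint": {"iam:PassRole", "glue:CreateDevEndpoint", "glue:GetDevEndpoint"},
    "update-dev-endpoint": {"glue:UpdateDevEndpoint", "glue:GetDevEndpoint"},
}
ACTIONS_OF_INTEREST = set().union(*ESCALATION_PATHS.values())

# Policy-change events that carry the policy document inline. The Attach*Policy
# events reference a managed policy by ARN only, so their document must be
# fetched from IAM (GetPolicyVersion) before it can be checked.
INLINE_DOC_EVENTS = {"CreatePolicy", "CreatePolicyVersion",
                     "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy"}


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_policy_document(record):
    """CloudTrail stores an inline policyDocument as a URL-encoded JSON string."""
    doc = record.get("requestParameters", {}).get("policyDocument")
    if isinstance(doc, str):
        doc = json.loads(unquote(doc))
    return doc


def granted_actions(policy_doc):
    """Actions of interest that an Allow statement matches, minus any the same
    document denies. IAM action names are case-insensitive and may contain
    '*' / '?' wildcards, hence fnmatch over lower-cased strings."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy_doc.get("Statement")):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            for action in ACTIONS_OF_INTEREST:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    target.add(action)
    return allowed - denied


def glue_escalation_paths(record):
    """Names of the escalation paths a policy-change record introduces."""
    if record.get("eventName") not in INLINE_DOC_EVENTS:
        return []
    doc = load_policy_document(record)
    if not doc:
        return []
    actions = granted_actions(doc)
    return [name for name, needed in ESCALATION_PATHS.items() if needed <= actions]


def _sample_record(event_name, statements, **params):
    """Build a constructed CloudTrail-shaped record; field names follow
    CloudTrail's camelCase convention for requestParameters."""
    params["policyDocument"] = quote(json.dumps({"Version": "2012-10-17",
                                                 "Statement": statements}))
    return {"eventSource": "iam.amazonaws.com", "eventName": event_name,
            "requestParameters": params}


# Constructed samples, not real CloudTrail output; account id and names are placeholders.
SAMPLE_BROAD = _sample_record("PutRolePolicy", [
    {"Effect": "Allow", "Action": ["iam:PassRole", "glue:*DevEndpoint"], "Resource": "*"},
], roleName="analytics-dev", policyName="glue-dev")

SAMPLE_UPDATE_ONLY = _sample_record("PutUserPolicy", [
    {"Effect": "Allow", "Action": ["glue:GetDevEndpoint", "glue:UpdateDevEndpoint"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"},
], userName="analyst", policyName="glue-maint")

SAMPLE_READ_ONLY = _sample_record("CreatePolicyVersion", [
    {"Effect": "Allow", "Action": "glue:Get*", "Resource": "*"},
], policyArn="arn:aws:iam::123456789012:policy/glue-read")

SAMPLE_ATTACH = {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
                 "requestParameters": {"userName": "analyst",
                                       "policyArn": "arn:aws:iam::123456789012:policy/glue-dev"}}

if __name__ == "__main__":
    for label, rec in [("broad", SAMPLE_BROAD), ("update-only", SAMPLE_UPDATE_ONLY),
                       ("read-only", SAMPLE_READ_ONLY), ("attach", SAMPLE_ATTACH)]:
        print(f"{label:12s} -> {glue_escalation_paths(rec)}")
```

The wildcard handling is the part worth keeping in any production version: a grant of `glue:*` or `glue:*DevEndpoint` satisfies both patterns just as well as the literal action names, and a naive string comparison against the four actions would miss it.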
Impact
If exploited, the attacker gains interactive access to a development environment running with the permissions of privileged Glue execution roles. This enables access to data sources and data lakes, credential theft from the role or environment variables, execution of arbitrary ETL code to exfiltrate data, or use of the endpoint as a pivot point for lateral movement. Glue development endpoints often have broad permissions across S3, databases, and other data services.
Severity
| Severity | Condition |
|---|---|
| Low | AWS API calls indicating Glue privilege escalation |
Investigation and Remediation
Check CloudTrail for the specific PutUserPolicy, PutGroupPolicy,
PutRolePolicy, or Attach*Policy event that added Glue development endpoint
permissions. Identify the target principal (user, role, or group) and review the
requestParameters field to examine the exact permissions granted.
Determine whether the principal requires these permissions for legitimate data engineering work. Glue development endpoint permissions should typically be restricted to data engineering teams with specific data integration responsibilities.
If the permissions were unauthorized, immediately detach or delete the policy.
Review CloudTrail for any CreateDevEndpoint, UpdateDevEndpoint, or
GetDevEndpoint actions performed by the affected principal after the policy
change.
Check AWS Glue for any development endpoints created or modified by the principal. Review the endpoints' attached IAM roles, SSH public keys, security configurations, and network settings. Examine CloudWatch Logs for endpoint activity and check what AWS resources were accessed during sessions.
If suspicious endpoints are found, delete them immediately and review their execution logs to identify what resources they accessed. Check for SSH connection logs and Zeppelin notebook activity. Review the attached IAM role's CloudTrail activity to see what actions were performed with the role's credentials.
Rotate credentials for the affected principal and any Glue execution roles that may have been exploited. Review S3, database, and data catalog access patterns for unusual activity.
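As an added triage helper for the investigation steps above (not AlphaSOC's tooling), the following Python pulls the principal's CreateDevEndpoint, UpdateDevEndpoint and GetDevEndpoint calls made after the policy change out of a batch of CloudTrail records, and lists the execution roles passed and the endpoints touched so you know which roles to review and rotate and which endpoints to inspect. The records, account id, ARNs and SSH key are constructed placeholders; requestParameters keys are assumed to be CloudTrail's camelCase rendering of the Glue API parameters (endpointName, roleArn, publicKey, addPublicKeys).

```python
"""Added example: triage a principal's Glue dev-endpoint API calls after an
IAM policy change (not AlphaSOC's tooling)."""
from datetime import datetime, timezone

# Follow-on actions the investigation steps ask you to look for.
FOLLOW_ON_EVENTS = {"CreateDevEndpoint", "UpdateDevEndpoint", "GetDevEndpoint"}


def _parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def glue_activity_after(records, principal_arn, policy_change_time):
    """Chronological (eventTime, eventName, details) tuples for the principal's
    Glue dev-endpoint calls made after the policy change."""
    cutoff = _parse_time(policy_change_time)
    hits = []
    for rec in records:
        if rec.get("eventSource") != "glue.amazonaws.com":
            continue
        if rec.get("eventName") not in FOLLOW_ON_EVENTS:
            continue
        if rec.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        if _parse_time(rec["eventTime"]) <= cutoff:
            continue
        params = rec.get("requestParameters") or {}
        details = {"endpointName": params.get("endpointName")}
        if rec["eventName"] == "CreateDevEndpoint":
            # The role passed here is the one whose credentials the endpoint runs with.
            details["roleArn"] = params.get("roleArn")
        elif rec["eventName"] == "UpdateDevEndpoint":
            # Count SSH keys added, whether via addPublicKeys or the single publicKey field.
            keys = list(params.get("addPublicKeys") or [])
            if params.get("publicKey"):
                keys.append(params["publicKey"])
            details["sshKeysAdded"] = len(keys)
        hits.append((rec["eventTime"], rec["eventName"], details))
    hits.sort(key=lambda hit: hit[0])
    return hits


def roles_to_review(hits):
    """Execution roles reached via newly created endpoints: review their
    CloudTrail activity and rotate them, as the remediation steps describe."""
    return sorted({hit[2]["roleArn"] for hit in hits
                   if hit[1] == "CreateDevEndpoint" and hit[2].get("roleArn")})


def endpoints_to_inspect(hits):
    """Endpoint names to check in the Glue console for roles, keys and network settings."""
    return sorted({hit[2]["endpointName"] for hit in hits if hit[2].get("endpointName")})


# Constructed sample records, not real CloudTrail output. Account id, ARNs,
# names and the SSH key are placeholders.
PRINCIPAL = "arn:aws:iam::123456789012:user/analyst"
POLICY_CHANGE_TIME = "2024-05-01T10:00:00Z"


def _glue_record(time, name, arn=PRINCIPAL, **params):
    return {"eventTime": time, "eventSource": "glue.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}


SAMPLE_RECORDS = [
    _glue_record("2024-05-01T09:30:00Z", "GetDevEndpoint", endpointName="etl-sandbox"),
    _glue_record("2024-05-01T10:07:00Z", "UpdateDevEndpoint", endpointName="etl-sandbox",
                 addPublicKeys=["ssh-ed25519 AAAAC3placeholder analyst@laptop"]),
    _glue_record("2024-05-01T10:05:00Z", "CreateDevEndpoint", endpointName="etl-sandbox",
                 roleArn="arn:aws:iam::123456789012:role/glue-datalake-admin"),
    _glue_record("2024-05-01T10:08:00Z", "GetDevEndpoint",
                 arn="arn:aws:iam::123456789012:user/other", endpointName="etl-sandbox"),
    _glue_record("2024-05-01T10:12:00Z", "GetDevEndpoint", endpointName="etl-sandbox"),
]

if __name__ == "__main__":
    hits = glue_activity_after(SAMPLE_RECORDS, PRINCIPAL, POLICY_CHANGE_TIME)
    for when, name, details in hits:
        print(when, name, details)
    print("roles to review:", roles_to_review(hits))
    print("endpoints to inspect:", endpoints_to_inspect(hits))
```

The cutoff is deliberately the policy-change time rather than the alert time, and the filter is on the principal's ARN rather than its name, so that activity by a different user with a similar name or a session before the grant took effect does not end up in the list.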
Known False Positives
- Authorized data engineers provisioning Glue permissions for ETL development and testing
- Infrastructure-as-code deployments creating service roles for data pipeline orchestration
- Data platform teams setting up development environments for analytics workflows
- DevOps teams building automated data integration frameworks