Shadow Roles: AWS Defaults Can Lead to Service Takeover
ID: ee1ef3b8-6855-5d8d-9412-70e57b1e057c
STIX ID: report--ee1ef3b8-6855-5d8d-9412-70e57b1e057c
Feed Name: Aqua Security Blog
Aqua Security research reveals that default AWS service roles (e.g., SageMaker, Glue, EMR) and some open-source deployment defaults (e.g., Ray) were provisioned with overly broad S3 privileges, effectively equivalent to AmazonS3FullAccess. An attacker who obtains one of these roles can locate and modify S3 assets that other services depend on (CloudFormation/CDK templates, Glue scripts, SageMaker and EMR artifacts), enabling remote code execution, lateral movement, and potentially full account takeover. The report includes PoC scenarios, details of the coordinated disclosure to AWS, and remediation recommendations: scope IAM roles to the specific buckets and actions each service needs, and restrict S3 access accordingly.
