WithSecure Repository: Threat Intelligence

Cloud Identity Policy Misconfiguration

This entry covers a specific aspect of the MITRE ATT&CK matrix: a security gap caused by misconfigured cloud policy.


Policies are the driving force in the world of cloud. As such, it is important to ensure that good practices are followed with regard to the creation and use of policies within identity management. Policies are entities that can be attached to other identity-based entities to allow or deny them access to various resources. These policies can be attached at different levels, such as the account level, group level or resource level. Policies can also be attached to the target resource, rather than the source that requires access.


Applying overly permissive policies to a resource, either directly or indirectly, could make it much easier for a malicious actor to abuse that permission set in the event they gain access to the overprivileged identity. When attaching policies to resources, it is often recommended that the policy be attached to a group that the resource belongs to rather than directly to the resource. Attaching a policy directly to the resource could make it difficult to audit and manage.


Mitigation: Follow the documented best practices when creating and applying policies to cloud resources. Make use of the different policy types available, and ensure that each is attached to the most suitable resource as per architecture requirements.
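
An audit for the two conditions described above (overly permissive grants, held directly or through a group, and policies attached directly rather than via a group) could look like the following. This is an added example, not WithSecure code. It assumes AWS-style policy JSON (Effect, Action, Resource) and a hypothetical inventory layout, and every policy, group and identity name in it is constructed.

```python
# Added example: the AWS-style policy JSON and the inventory layout are assumptions.

def _as_list(value):
    # The policy grammar allows one item or a list of items.
    return value if isinstance(value, list) else [value]

def is_overly_permissive(policy):
    """True if any Allow statement pairs a wildcard action with Resource '*'."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements restrict access; not a finding here
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wide_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wide_action and "*" in resources:
            return True
    return False

def audit(identities, groups, policies):
    """Return sorted (identity, policy, issue) findings."""
    findings = set()
    for ident in identities:
        direct = ident.get("direct", [])
        inherited = [p for g in ident.get("groups", []) for p in groups[g]]
        for name in direct:
            # Direct attachments are harder to audit than group attachments.
            findings.add((ident["name"], name, "direct-attachment"))
        for name in direct + inherited:
            # Permissions count whether granted directly or via a group.
            if is_overly_permissive(policies[name]):
                findings.add((ident["name"], name, "overly-permissive"))
    return sorted(findings)

# Constructed sample data (not taken from any real account).
POLICIES = {
    "storage-read": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                    "Resource": "arn:aws:s3:::example-reports/*"}]},
    "full-admin": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
    "deny-all": {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]},
}
GROUPS = {"analysts": ["storage-read"], "ops": ["full-admin", "deny-all"]}
IDENTITIES = [
    {"name": "alice", "groups": ["analysts"], "direct": []},
    {"name": "build-bot", "groups": [], "direct": ["full-admin"]},
    {"name": "carol", "groups": ["ops"], "direct": ["storage-read"]},
]

if __name__ == "__main__":
    for finding in audit(IDENTITIES, GROUPS, POLICIES):
        print(*finding, sep="\t")
```

The wildcard test is a heuristic: it flags `*` and service-wide `svc:*` actions on all resources and does not evaluate conditions or explicit denies.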



ID: WITH-SM-5
Domain: withsecure-security-misconfiguration
Version: 1.0