Hello! I discovered a potential security risk in the amazon-ebs-migration-utility application when I deployed it in the AWS Serverless Application Repository.
Detailed Analysis:
The amazon-ebs-migration-utility application creates a function named EBSVolumeConverter, and the associated role is LambdaRole with permissions such as "iam:GetRole" and "iam:ListRoles" for "*" resources. These permissions could be exploited by a malicious user to gain access to all the roles in the account, resulting in information leakage.
Mitigation Discussion:
Roles should not be granted any permissions regarding IAM resources. If it does not affect the normal function of the application, you can remove these two permissions. Alternatively, you can use specific resource names to restrict the permissions.
Questions:
Is this a confirmed issue with the amazon-ebs-migration-utility application?
If it is indeed an issue, can any of the suggested mitigation measures be implemented to address this problem?
If there are plans to rectify this issue, could you give me a CVE as a reward for my findings?
I'm looking forward to hearing back from you.
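The following is an added example, not code from the amazon-ebs-migration-utility project or the issue author, showing how a defender can check a role's policy document for the pattern reported above (IAM actions allowed on `Resource: "*"`) and produce a tightened copy. The policy document is constructed to match the description in the issue; the real template may differ, and the account id and role ARN are placeholders. Note that resource scoping is only meaningful for actions that support resource-level permissions; `iam:GetRole` can be limited to a role ARN, while list actions such as `iam:ListRoles` commonly require `"*"` (verify in the IAM service authorization reference), which is why the example drops that action instead of scoping it.

```python
"""Lint an IAM policy document for IAM actions granted on all resources.

Added example; not part of amazon-ebs-migration-utility. SAMPLE_POLICY is a
constructed approximation of the LambdaRole policy described in the issue.
"""
import copy
import json

# Constructed sample; the ec2 actions are placeholders for whatever the
# function legitimately needs, the IAM statement mirrors the report.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeVolumes", "ec2:CreateSnapshot"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:ListRoles"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_iam_action(action):
    return action.lower().startswith("iam:")


def find_wildcard_iam_grants(policy):
    """Return (statement_index, action) for every IAM action (or a bare "*"
    action) that an Allow statement grants on Resource "*"."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or _is_iam_action(action):
                findings.append((idx, action))
    return findings


def scope_iam_grants(policy, allowed_role_arns, drop_actions=()):
    """Return a deep copy of the policy in which IAM actions on "*" are either
    removed (if listed in drop_actions) or moved into their own statement
    restricted to allowed_role_arns. Non-IAM actions are left untouched."""
    fixed = copy.deepcopy(policy)
    scoped_actions = []
    for stmt in fixed.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        keep = []
        for action in _as_list(stmt.get("Action", [])):
            if _is_iam_action(action):
                if action not in drop_actions:
                    scoped_actions.append(action)
            else:
                keep.append(action)
        stmt["Action"] = keep
    # Drop statements that became empty after the IAM actions were pulled out.
    fixed["Statement"] = [s for s in fixed["Statement"] if s.get("Action")]
    if scoped_actions:
        fixed["Statement"].append(
            {"Effect": "Allow", "Action": scoped_actions, "Resource": list(allowed_role_arns)}
        )
    return fixed


if __name__ == "__main__":
    for idx, action in find_wildcard_iam_grants(SAMPLE_POLICY):
        print(f"statement {idx}: {action} allowed on Resource '*'")
    tightened = scope_iam_grants(
        SAMPLE_POLICY,
        # Placeholder ARN; substitute the role(s) the function actually reads.
        ["arn:aws:iam::123456789012:role/PLACEHOLDER-ROLE"],
        drop_actions=("iam:ListRoles",),
    )
    print(json.dumps(tightened, indent=2))
```

Run the script against the role's actual policy document (for example the JSON from `aws iam get-role-policy`) to confirm whether the `"*"` grants are present before and absent after the fix; an empty result from `find_wildcard_iam_grants` on the tightened policy is the check that the mitigation took effect.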