AWS trust boundaries enable escalation

- AWS security bulletins published between December 2025 and May 2026 showed repeated privilege-escalation paths tied to trust-policy flaws and exposed SageMaker keys.
- AWS said a Harmonix on AWS EKS role trusted the account root principal, allowing same-account principals with `sts:AssumeRole` to gain administrative privileges.
- AWS lists patched versions and mitigation steps in bulletins AWS-2025-031, 2026-004-AWS and 2026-031-AWS on its security bulletin site.

AWS security bulletins published from December 2025 through May 2026 point to a recurring class of cloud security failure: trust boundaries that let a lower-privileged principal reach a higher-privileged role or execution path. Amazon Web Services described that pattern in different ways across separate disclosures — an overly permissive IAM trust policy in an EKS-related reference architecture, and SageMaker SDK issues that exposed signing keys or let tampered artifacts run code. The common thread is not a single API action. It is the chain of delegation between identities, services and artifacts.

### Which AWS disclosures show the pattern most clearly?

AWS bulletin AWS-2025-031, published on December 15, 2025, said Harmonix on AWS — an open-source developer platform built on Backstage — included an overly permissive IAM role trust policy. AWS said the sample code for an EKS environment provisioning role trusted the account root principal, which could let IAM principals in the same account with `sts:AssumeRole` permission assume that role with administrative privileges. (aws.amazon.com)

AWS bulletin 2026-004-AWS, published on February 2, 2026, described a SageMaker Python SDK issue in which a per-job HMAC secret key was stored in environment variables and disclosed through the `DescribeTrainingJob` API. AWS said a party with `DescribeTrainingJob` permission could extract the key, forge cloud-pickled payloads with valid HMACs and overwrite S3 objects.

AWS bulletin 2026-031-AWS, published on May 14, 2026, described another SageMaker Python SDK issue in which the ModelBuilder component stored an HMAC signing key in a container environment variable and returned it in plaintext through `DescribeModel`, `DescribeEndpointConfig` and `DescribeModelPackage`. (aws.amazon.com) AWS said a remote authenticated actor with those API permissions and S3 write access to the model artifact path could forge integrity signatures and achieve code execution in inference containers.
(aws.amazon.com)

### Why do these look like trust-boundary failures instead of ordinary bugs?

The December 2025 Harmonix bulletin centered on who a role trusted, not on a flaw in the `AssumeRole` API itself. AWS said the risk came from a trust policy that accepted the account root principal, widening the set of principals that could cross into an administrative role.

The February and May 2026 SageMaker bulletins turned on credential and artifact chains. (aws.amazon.com) AWS said read-only style describe permissions could reveal a secret used to validate serialized jobs or models, and that S3 write access to the relevant artifact path could then be combined with the leaked key or missing verification to reach code execution in managed environments. (aws.amazon.com)

### What should defenders look at first?

AWS’s own mitigations point to the first checks. In the Harmonix case, AWS recommended reviewing and restricting IAM role trust policies, especially the EKS provisioning role, and avoiding wildcard or overly broad `sts:AssumeRole` grants. AWS also said CloudTrail can be reviewed for `AssumeRole` events targeting the provisioning role ARN pattern. In the SageMaker cases, AWS recommended upgrading the SDK, rebuilding affected models, removing the `SAGEMAKER_SERVE_SECRET_KEY` variable from existing models where needed, and restricting S3 write access to model artifact paths to trusted principals only. (aws.amazon.com) Those steps focus on the full path from metadata APIs to artifact storage to runtime execution, rather than on a single permission in isolation. (aws.amazon.com)

### Why is “who can call what” not enough?

AWS’s 2023 security guidance on IAM roles said `iam:PassRole` lets a principal delegate permissions to an AWS service by configuring a resource such as an EC2 instance or Lambda function with a role. AWS’s trust-policy guidance also warns that trust relationships govern which principals can assume a role.
Those documents frame privilege escalation as a delegation problem as much as an action-authorization problem. (aws.amazon.com)

The recent bulletins fit that model. A principal that appears limited on paper can still move upward if it can assume a broadly trusted role, read a leaked signing secret, or modify an artifact that a higher-trust service later executes. That is the connection AWS’s disclosures make across EKS and SageMaker.

### What changed after disclosure?

AWS said the Harmonix issue was fixed in version 0.4.2, and it recommended patching any forked or derivative code. (aws.amazon.com) AWS said the February SageMaker HMAC issue was fixed in SageMaker Python SDK v3.2.0 and v2.256.0, while the May ModelBuilder issues were fixed in v2.257.2 and v3.8.0. AWS’s security bulletin page and RSS feed continue to publish new notices, including updated bulletins in May 2026. (aws.amazon.com) Customers tracking this issue set can monitor those pages for additional service-level fixes, version guidance and any follow-up disclosures tied to privilege escalation or credential exposure. (aws.amazon.com)
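
The trust-policy review recommended for the Harmonix case can be automated over exported role trust policies. The following is an added example, not code from AWS or the Harmonix project; the account ID, role name and both sample policies are constructed placeholders.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed trust policies; the account ID and role name are placeholders.
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole"}]}""")
RESTRICTED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-provisioner"},
  "Action": "sts:AssumeRole"}]}""")

ROOT_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:root$")


def as_list(value):
    """IAM allows a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def is_broad(principal):
    """'*', a bare account ID, or an account root ARN trusts a whole account or more."""
    return (principal == "*" or bool(re.fullmatch(r"\d{12}", principal))
            or bool(ROOT_ARN.match(principal)))


def audit_trust_policy(policy):
    """Return one finding per broad AWS principal allowed to assume the role."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        grants_assume = any(fnmatchcase("sts:assumerole", a) for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue
        principal = stmt.get("Principal", {})
        aws = [principal] if isinstance(principal, str) else as_list(principal.get("AWS", []))
        for p in aws:
            if is_broad(p):
                # A Condition may narrow the grant, so report it for manual review.
                findings.append({"statement": index, "principal": p,
                                 "conditioned": "Condition" in stmt})
    return findings


if __name__ == "__main__":
    print("weak:", audit_trust_policy(WEAK))
    print("restricted:", audit_trust_policy(RESTRICTED))
```
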
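
For the SageMaker mitigation of removing `SAGEMAKER_SERVE_SECRET_KEY` from existing models and restricting write access to their artifact paths, an inventory of which models still carry the variable is the starting point. The following is an added example, not AWS code; the sample responses are constructed, shaped like `DescribeModel` output, and every name, bucket and key value in them is a placeholder.

```python
SECRET_VAR = "SAGEMAKER_SERVE_SECRET_KEY"  # variable name given in the bulletin summary

# Constructed responses shaped like DescribeModel output (placeholders throughout).
DESCRIBE_MODEL_RESPONSES = [
    {"ModelName": "example-model-old",
     "PrimaryContainer": {
         "Image": "example-image",
         "ModelDataUrl": "s3://example-bucket/old/model.tar.gz",
         "Environment": {SECRET_VAR: "constructed-not-a-real-key",
                         "SAGEMAKER_REGION": "us-east-1"}}},
    {"ModelName": "example-model-rebuilt",
     "Containers": [{
         "Image": "example-image",
         "ModelDataUrl": "s3://example-bucket/new/model.tar.gz",
         "Environment": {"SAGEMAKER_REGION": "us-east-1"}}]},
]


def walk(node, path=""):
    """Yield (path, mapping) for every mapping nested anywhere in a response."""
    if isinstance(node, dict):
        yield path or "$", node
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")


def affected_models(responses):
    """Map each model that exposes SECRET_VAR to where it sits and which
    artifact URLs need their S3 write access reviewed. The key value itself
    is never copied into the report."""
    report = {}
    for resp in responses:
        maps = list(walk(resp))
        exposed = [path for path, mapping in maps if SECRET_VAR in mapping]
        if exposed:
            report[resp.get("ModelName", "<unnamed>")] = {
                "env_paths": exposed,
                "artifact_urls": [m["ModelDataUrl"] for _, m in maps if "ModelDataUrl" in m],
            }
    return report


if __name__ == "__main__":
    for name, detail in affected_models(DESCRIBE_MODEL_RESPONSES).items():
        print(name, detail)
```

The walker searches the whole response rather than fixed fields, so the same function can be run over saved `DescribeEndpointConfig` or `DescribeModelPackage` output without assuming where the variable appears.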
