To create environments we need to assign an instance profile.
The KK lab user is able to create it (AWS EC2 instance profile)
Also KK lab user is able to attach any AWS managed Policy to that Role. For example, admin access policy.
That’s a security issue.
KK lab user is able to create AWS EC2 Key pairs which also is possible to attach to EC2 instances when creating the environment.
I’d adjust the lab so no body can’t do that but only choose the instance role that allows s3 access for example.
Thank you for reporting this @Luis-Ramirez
Have you tried a privilege escalation using the method you describe? All the lab environments should be protected by a Service Control Policy. SCPs restrict the access of account-local roles, effectively removing permissions, thus assigning an Admin Access role to the instance profile should not in reality provide full admin access. The resulting access would be the intersection of what is allowed by the SCP and by the local role. Anything not permitted by the SCP will result in a permission denied error.