OpenSecOps Newsletter

March 30, 2026

Security Update: Installer v2.7.0 — SCP Privilege Escalation Hardening

OpenSecOps Installer v2.7.0 addresses privilege escalation vulnerabilities in the Service Control Policy (SCP) layer that enforces IAM permissions boundary integrity. Update strongly recommended for all installations.

What was affected

The SCPs require-boundary-permissions.json and protect-foundations.json contained gaps that could allow a user with an SSO role—particularly DeveloperAccess—to bypass permissions boundary enforcement and escalate privileges. Exploitation required deliberate, multi-step action by an authenticated insider; no external attack surface was exposed.

All installations running Installer v2.6.0 or earlier are affected. v2.6.1 addressed one of the vectors; v2.7.0 completes the hardening.

What was fixed

require-boundary-permissions.json

  • Permissions boundary replacement is now denied alongside role creation—users cannot swap an approved boundary for an attacker-controlled policy on existing roles
  • A universal catch-all statement now enforces boundary requirements on all non-admin principals, not only direct SSO sessions
  • Boundary deletion is denied unconditionally for non-admin principals

protect-foundations.json

  • Admin role trust policies are now protected from modification by non-admin principals
  • IAM credential management and group manipulation operations are now denied for non-admin, non-security-admin principals
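To make the three policy changes concrete, here is an added example (not the project's own SCP files, which live in apps.example/) that places a narrow "before" statement next to a hardened "after" document and runs both through a small evaluator for the vectors named above. The evaluator models only the subset of SCP semantics used here: Deny statements, Action lists, and single-valued ArnLike/ArnNotLike and StringEquals/StringNotEquals conditions (glob matching), including the IAM rule that a negated operator is satisfied when its key is absent from the request. The IAM actions and condition keys are real; the boundary policy ARN, account number, SSO role naming and scenario principals are constructed placeholders.

```python
import fnmatch

# Constructed values: a placeholder approved boundary policy and assumed ARN patterns
# for the admin and developer SSO permission-set roles (not the project's real config).
APPROVED_BOUNDARY = "arn:aws:iam::111111111111:policy/ExampleDeveloperBoundary"
ADMIN_SSO_ROLE = "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_AdministratorAccess_*"
DEVELOPER_SSO_ROLE = "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_DeveloperAccess_*"

# "Before": a narrow statement of the kind the update closes. It covers only role
# creation, and only a principal that is literally the developer SSO session.
WEAK_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RequireBoundaryOnCreateRole",
        "Effect": "Deny",
        "Action": ["iam:CreateRole"],
        "Resource": "*",
        "Condition": {
            "ArnLike": {"aws:PrincipalArn": DEVELOPER_SSO_ROLE},
            "StringNotEquals": {"iam:PermissionsBoundary": APPROVED_BOUNDARY},
        },
    }],
}

# "After": a universal catch-all for every non-admin principal covering both creation
# and boundary replacement, plus an unconditional deny on boundary deletion.
HARDENED_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireBoundaryForAllNonAdminPrincipals",
            "Effect": "Deny",
            "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {"aws:PrincipalArn": ADMIN_SSO_ROLE},
                "StringNotEquals": {"iam:PermissionsBoundary": APPROVED_BOUNDARY},
            },
        },
        {
            "Sid": "DenyBoundaryDeletionForNonAdminPrincipals",
            "Effect": "Deny",
            "Action": ["iam:DeleteRolePermissionsBoundary"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": ADMIN_SSO_ROLE}},
        },
    ],
}

def _condition_holds(operator, key, pattern, context):
    """One condition pair. Negated operators are satisfied when the key is absent,
    which is why StringNotEquals on iam:PermissionsBoundary also catches a
    CreateRole call that supplies no boundary at all."""
    negated = "Not" in operator
    value = context.get(key)
    if value is None:
        return negated
    matched = fnmatch.fnmatchcase(value, pattern)
    return not matched if negated else matched

def _statement_applies(stmt, context):
    if not any(fnmatch.fnmatchcase(context["action"], a) for a in stmt["Action"]):
        return False
    return all(_condition_holds(op, key, pattern, context)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, pattern in pairs.items())

def scp_denies(scp, context):
    """True if any Deny statement in the document applies to the request."""
    return any(s["Effect"] == "Deny" and _statement_applies(s, context)
               for s in scp["Statement"])

def request(action, principal_arn, boundary=None):
    """Minimal request context; the boundary key is present only when supplied."""
    context = {"action": action, "aws:PrincipalArn": principal_arn}
    if boundary is not None:
        context["iam:PermissionsBoundary"] = boundary
    return context

# Constructed principals and policies for the scenarios below.
DEV = "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DeveloperAccess_a1b2c3"
ADMIN = "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_d4e5f6"
CHAINED_ROLE = "arn:aws:iam::111111111111:role/BuildHelper"  # reached by sts:AssumeRole, not a direct SSO session
UNAPPROVED_POLICY = "arn:aws:iam::111111111111:policy/SomethingBroader"

def escalation_vectors():
    """Each vector named in the update -> (denied by WEAK_SCP, denied by HARDENED_SCP)."""
    vectors = {
        "create-role-without-boundary": request("iam:CreateRole", DEV),
        "swap-boundary-on-existing-role": request("iam:PutRolePermissionsBoundary", DEV, UNAPPROVED_POLICY),
        "create-role-from-chained-role": request("iam:CreateRole", CHAINED_ROLE),
        "delete-boundary": request("iam:DeleteRolePermissionsBoundary", DEV),
    }
    return {name: (scp_denies(WEAK_SCP, ctx), scp_denies(HARDENED_SCP, ctx))
            for name, ctx in vectors.items()}

def legitimate_work_still_allowed():
    """Regression check: the hardened document must not block approved operations."""
    dev_creates_bounded_role = request("iam:CreateRole", DEV, APPROVED_BOUNDARY)
    admin_removes_boundary = request("iam:DeleteRolePermissionsBoundary", ADMIN)
    return (not scp_denies(HARDENED_SCP, dev_creates_bounded_role)
            and not scp_denies(HARDENED_SCP, admin_removes_boundary))
```

Running `escalation_vectors()` shows the weak statement catching only the first scenario, while the hardened document denies all four and `legitimate_work_still_allowed()` confirms a developer creating a role with the approved boundary, and an admin removing one, still succeed. The same evaluator can be pointed at a deployed policy after redeploy: `aws organizations describe-policy --policy-id <id>` returns the document as a JSON string in the `Content` field, which can be passed through `json.loads` and then to `scp_denies` as a quick check that the active SCP denies these vectors.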

Affected versions

Version             Status
v2.6.0 and earlier  All vectors present
v2.6.1              Partial fix (boundary switching only)
v2.7.0              Complete fix

Action required

Copy the following files from apps.example/ to apps/ and redeploy your SCPs:

  • foundation/SCPs/require-boundary-permissions.json
  • foundation/SCPs/protect-foundations.json

No other configuration changes are needed. The fixes do not affect any legitimate workflow—all standard developer, network administrator, and security administrator operations continue to work exactly as before.

Deployment: Copy the two updated SCP files and redeploy using standard procedures. Verify the updated SCPs are active in your AWS Organizations console.
