An attacker who can write to the S3 bucket that holds a CloudFormation template might be able to modify the template just before it is deployed, injecting a malicious resource into it (e.g., an IAM Role with administrator permissions that can be assumed from the attacker’s account).
The attacker relies on a compromised IAM identity that has the following permissions on the target bucket: s3:PutBucketNotification, s3:GetObject, s3:PutObject.
Attack phases:
The attacker calls s3:PutBucketNotification on the bucket that the template will be uploaded to, configuring an ObjectCreated notification whose destination is a Lambda function in the attacker’s own account (the function’s resource-based policy must allow the s3.amazonaws.com service principal to invoke it). Once the template is uploaded to the bucket, the Lambda function is triggered: it downloads the CloudFormation template (s3:GetObject), injects the malicious resource into it and uploads the modified template back to the victim’s bucket (s3:PutObject). The overwrite must land before CloudFormation fetches the template from the bucket, otherwise the original version is deployed.
Related sequence of CloudTrail (CT) events: PutBucketNotification, GetObject, PutObject. PutBucketNotification is a management event and is logged by default; GetObject and PutObject are S3 data events and only appear in CloudTrail if data event logging is enabled for the bucket. A notification destination whose Lambda ARN belongs to a different AWS account than the bucket is the strongest indicator in this sequence.
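The correlation described above, written out as an added example that is not part of the original page: a small Python detector that walks CloudTrail records, flags every PutBucketNotification whose Lambda destination sits in a different account than the bucket, and then looks for GetObject and PutObject on the same bucket by the same principal within a short window. The CloudTrail field layout used in the constructed sample, the 30-minute window, and every account ID, bucket name, ARN and key are assumptions made for illustration.

```python
"""Added example (not from the original page): correlate CloudTrail records for
the sequence PutBucketNotification -> GetObject -> PutObject described above.

Assumptions (not stated on the page): the CloudTrail JSON field layout used in
the constructed sample, the 30-minute correlation window, and all account IDs,
bucket names, ARNs and object keys, which are made up for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample trail: one tampering sequence against bucket
# cfn-templates-victim (Lambda destination in foreign account 999999999999)
# plus a benign same-account notification on another bucket.
SAMPLE_TRAIL_JSON = """
{"Records": [
  {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
   "eventName": "PutBucketNotification", "recipientAccountId": "111111111111",
   "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                    "arn": "arn:aws:iam::111111111111:user/ci-deployer"},
   "requestParameters": {"bucketName": "cfn-templates-victim",
     "NotificationConfiguration": {"CloudFunctionConfiguration": {
       "Event": "s3:ObjectCreated:*",
       "CloudFunction": "arn:aws:lambda:us-east-1:999999999999:function:template-rewriter"}}}},
  {"eventTime": "2024-03-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
   "eventName": "PutBucketNotification", "recipientAccountId": "111111111111",
   "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                    "arn": "arn:aws:iam::111111111111:user/platform-admin"},
   "requestParameters": {"bucketName": "app-uploads",
     "NotificationConfiguration": {"CloudFunctionConfiguration": {
       "Event": "s3:ObjectCreated:*",
       "CloudFunction": "arn:aws:lambda:us-east-1:111111111111:function:thumbnailer"}}}},
  {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
   "eventName": "GetObject", "recipientAccountId": "111111111111",
   "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                    "arn": "arn:aws:iam::111111111111:user/ci-deployer"},
   "requestParameters": {"bucketName": "cfn-templates-victim", "key": "prod/stack.yaml"}},
  {"eventTime": "2024-03-01T10:05:10Z", "eventSource": "s3.amazonaws.com",
   "eventName": "PutObject", "recipientAccountId": "111111111111",
   "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                    "arn": "arn:aws:iam::111111111111:user/ci-deployer"},
   "requestParameters": {"bucketName": "cfn-templates-victim", "key": "prod/stack.yaml"}}
]}
"""
SAMPLE_RECORDS = json.loads(SAMPLE_TRAIL_JSON)["Records"]


def _lambda_arns(node):
    """Recursively collect Lambda function ARNs from a requestParameters tree,
    so the check does not depend on the exact nesting of the notification config."""
    if isinstance(node, str):
        return [node] if node.startswith("arn:aws:lambda:") else []
    if isinstance(node, dict):
        return [a for v in node.values() for a in _lambda_arns(v)]
    if isinstance(node, list):
        return [a for v in node for a in _lambda_arns(v)]
    return []


def _account_of(arn):
    # arn:partition:service:region:account-id:resource -> account-id is field 4
    return arn.split(":")[4]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_template_tampering(records, window=timedelta(minutes=30)):
    """Return one finding per PutBucketNotification that points at a Lambda in a
    foreign account and is followed, within `window`, by both GetObject and
    PutObject on the same bucket by the same principal."""
    findings = []
    for n in records:
        if n.get("eventSource") != "s3.amazonaws.com" or n.get("eventName") != "PutBucketNotification":
            continue
        bucket = n["requestParameters"]["bucketName"]
        home_account = n["recipientAccountId"]
        foreign = [a for a in _lambda_arns(n["requestParameters"]) if _account_of(a) != home_account]
        if not foreign:
            continue  # same-account destinations are normal operations
        actor = n["userIdentity"]["arn"]
        start = _parse_time(n["eventTime"])
        followups = [
            r for r in records
            if r.get("eventSource") == "s3.amazonaws.com"
            and r.get("eventName") in ("GetObject", "PutObject")
            and r["requestParameters"].get("bucketName") == bucket
            and r["userIdentity"].get("arn") == actor
            and start <= _parse_time(r["eventTime"]) <= start + window
        ]
        if {"GetObject", "PutObject"} <= {r["eventName"] for r in followups}:
            findings.append({
                "bucket": bucket,
                "actor": actor,
                "lambda_destinations": foreign,
                "keys": sorted({r["requestParameters"].get("key") for r in followups}),
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_template_tampering(SAMPLE_RECORDS), indent=2))
```

Run it against a real trail by loading the CloudTrail log files into `records` instead of the constructed sample. Correlating on the same principal matches the scenario on this page, where the Lambda reuses the compromised identity's credentials; if the attacker's Lambda instead reads and writes the bucket through a bucket policy grant, the GetObject/PutObject records carry the Lambda's execution role from the foreign account, and the identity match should be relaxed to "any principal from the notification's destination account".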