Introduction

A critical security vulnerability has been identified in the Amazon Web Services (AWS) Cloud Development Kit (CDK), which could potentially allow attackers to gain administrative access to AWS accounts [2] [4]. This vulnerability, linked to the handling of AWS Simple Storage Service (S3) buckets during the CDK bootstrapping process, poses a significant risk of account takeover.

Description

A security vulnerability in the Amazon Web Services (AWS) Cloud Development Kit (CDK) has been identified [2], potentially allowing attackers to gain administrative access to AWS accounts and execute a full account takeover [2] [4]. Disclosed on June 27, 2024 [2], this vulnerability is linked to the handling of AWS Simple Storage Service (S3) buckets during the CDK bootstrapping process, which automatically creates a “staging” S3 bucket with predictable naming patterns [5], including the account ID and region [3]. Attackers can exploit this flaw through techniques such as “bucket monopoly,” where they create a bucket with the same name as a deleted staging bucket, leading the CDK to trust the rogue bucket [4]. This enables them to manipulate CloudFormation templates and deploy malicious resources with administrative privileges.

The predictable naming structure of the IAM roles and S3 buckets that AWS CDK creates makes it easy for attackers to anticipate bucket names. Aqua Security researchers found that thousands of S3 buckets carrying the default qualifier are discoverable online, increasing the likelihood of successful attacks [5]. An attacker who gains access to a victim’s CDK staging bucket could manipulate its contents and execute malicious actions within the victim’s AWS account; for instance, if a CloudFormation template is mistakenly written to an attacker-controlled bucket, it could be deployed with admin privileges, allowing the attacker to create privileged resources [5].

AWS addressed this vulnerability in CDK version 2.149.0 [4], released on July 12, 2024 [5], which ensures that assets are only uploaded to buckets owned by the user’s account, thereby preventing unauthorized uploads to external buckets [4]. This update closed the shadow-resource attack vector and mitigated several related vulnerabilities affecting services such as CloudFormation, Service Catalog, Glue, EMR, SageMaker, and CodeStar [5]. Users are advised to update their CDK and configure a custom qualifier for added protection [1]. However, the fix only applies to new CDK bootstraps, leaving prior bootstraps vulnerable [5]. Aqua’s analysis indicated that only about 1% of CDK users are affected: of 38,560 accounts analyzed, 782 had CDK installed, and 81 of those were identified as vulnerable [5]. AWS notified impacted users in mid-October [3], urging those on CDK v2.148.1 or earlier to upgrade to the new version and rerun the CDK bootstrap command, or to implement IAM policies to further mitigate the risk.

The report emphasizes the need for open-source projects to avoid predictable bucket names and to keep AWS account IDs confidential to prevent such vulnerabilities [3]. Additionally, it has been noted that other applications may also mishandle cloud credentials, highlighting a broader concern in cloud security practices. Recommendations to mitigate risks include defining scoped IAM policies and using unique hashes or random identifiers for S3 bucket names instead of predictable naming conventions [4].
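The defender-side checks the two preceding paragraphs describe, as an added example that is not code from AWS, Aqua Security or any of the cited articles: it derives the predictable staging bucket name from the public CDK bootstrap pattern cdk-<qualifier>-assets-<account-id>-<region> (default qualifier hnb659fds), flags buckets still using the default qualifier, rejects a staging bucket whose owner is not the expected account (the ownership check the 2.149.0 fix enforces), and emits a scoped deny policy using the aws:ResourceAccount condition key. The `owner_of` callable is a hypothetical lookup standing in for an S3 HeadBucket call so the scenario runs offline on constructed account IDs.

```python
"""Defender-side checks for AWS CDK staging buckets.

Added example, not code from AWS, Aqua Security or the cited articles.
Assumes the published CDK bootstrap naming pattern
    cdk-<qualifier>-assets-<account-id>-<region>
with the default qualifier "hnb659fds". Runs offline: the bucket-owner
lookup is injected as a callable so the scenario below uses constructed
data instead of a live S3 HeadBucket request.
"""
import json
import re
from typing import Callable, Dict, Optional

DEFAULT_QUALIFIER = "hnb659fds"

# Qualifier: up to 10 lowercase alphanumerics; account: 12 digits; region like us-east-1.
_STAGING_RE = re.compile(
    r"^cdk-(?P<qualifier>[a-z0-9]{1,10})-assets-(?P<account>\d{12})-"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)$"
)


def default_staging_bucket_name(account_id: str, region: str,
                                qualifier: str = DEFAULT_QUALIFIER) -> str:
    """Name the bootstrap stack gives the asset bucket; predictable by design."""
    return f"cdk-{qualifier}-assets-{account_id}-{region}"


def parse_staging_bucket_name(name: str) -> Optional[Dict[str, str]]:
    """Recover qualifier/account/region, or None if the name is not a CDK staging bucket."""
    m = _STAGING_RE.match(name)
    return m.groupdict() if m else None


def uses_default_qualifier(name: str) -> bool:
    """True when a staging bucket still carries the guessable default qualifier."""
    parsed = parse_staging_bucket_name(name)
    return parsed is not None and parsed["qualifier"] == DEFAULT_QUALIFIER


def staging_bucket_is_trusted(bucket: str, expected_account: str,
                              owner_of: Callable[[str], Optional[str]]) -> bool:
    """True only when the bucket exists and is owned by expected_account.

    owner_of is a hypothetical lookup. In production this is an S3 HeadBucket
    request with ExpectedBucketOwner=expected_account, which fails when another
    account has claimed the name after the original bucket was deleted.
    """
    return owner_of(bucket) == expected_account


def deny_cross_account_s3_writes_policy(account_id: str) -> dict:
    """IAM policy denying object writes to any bucket not owned by this account.

    aws:ResourceAccount is a global condition key; this expresses the scoped
    IAM policy mitigation as a deny that holds even if a rogue bucket exists.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyS3WritesOutsideOwnAccount",
            "Effect": "Deny",
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:ResourceAccount": account_id}},
        }],
    }


# Constructed scenario: the victim deleted its staging bucket and another
# account has since created a bucket with the identical name.
VICTIM_ACCOUNT = "111111111111"
OTHER_ACCOUNT = "222222222222"
REGION = "us-east-1"
BUCKET = default_staging_bucket_name(VICTIM_ACCOUNT, REGION)

CONSTRUCTED_OWNERS = {BUCKET: OTHER_ACCOUNT}  # stand-in for the S3 control plane


def constructed_owner_of(bucket: str) -> Optional[str]:
    """Hypothetical owner lookup backed by the constructed table above."""
    return CONSTRUCTED_OWNERS.get(bucket)


if __name__ == "__main__":
    print(BUCKET, "default qualifier:", uses_default_qualifier(BUCKET))
    print("trusted:", staging_bucket_is_trusted(BUCKET, VICTIM_ACCOUNT, constructed_owner_of))
    print(json.dumps(deny_cross_account_s3_writes_policy(VICTIM_ACCOUNT), indent=2))
```

In the constructed scenario the trust check returns False because the bucket name resolves to a different owner, which is exactly the condition a deployment pipeline should treat as a hard stop rather than uploading a template. The deny policy complements the upgrade for accounts that cannot immediately re-bootstrap, since it blocks writes to foreign buckets regardless of how the bucket name was chosen.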

Conclusion

The discovery of this vulnerability underscores the critical importance of secure naming conventions and the safeguarding of AWS account information. While AWS has released a patch to address the issue, it is imperative for users to update their systems and adopt best practices to mitigate potential risks. This incident highlights the broader need for vigilance in cloud security, particularly in the management of credentials and resource naming. Future efforts should focus on enhancing security protocols and ensuring that similar vulnerabilities are proactively identified and addressed.

References

[1] https://thenimblenerd.com/article/aws-s3-bucket-blunder-how-a-predictable-flaw-almost-turned-hackers-into-admins/
[2] https://thehackernews.com/2024/10/aws-cloud-development-kit-vulnerability.html
[3] https://www.darkreading.com/threat-intelligence/aws-cdk-default-s3-bucket-naming-pattern-lets-adversaries-waltz-into-admin-access
[4] https://vulners.com/thn/THN:5D55104FB36F8DDDE23C19F8A1369705
[5] https://www.techtarget.com/searchSecurity/news/366614325/AWS-CDK-security-issue-could-lead-to-account-takeovers