Security Vulnerability Discovered in AWS Cloud Development Kit
Cybersecurity researchers have unveiled a significant vulnerability within the Amazon Web Services (AWS) Cloud Development Kit (CDK), which may allow for account takeovers under certain conditions. The findings, disclosed by Aqua researchers Ofek Itach and Yakir Kadkoda, indicate that an attacker could potentially gain administrative access to a targeted AWS account, leading to a full account compromise.
The vulnerability was first responsibly disclosed on June 27, 2024, which prompted rapid action from AWS maintainers. The issue was subsequently addressed in the CDK version 2.149.0, released in July. This toolkit is an open-source framework that assists developers in defining cloud application resources using programming languages such as Python, TypeScript, or JavaScript, with a focus on provisioning via CloudFormation.
This security flaw builds on prior research by Aqua regarding shadow resources within AWS, wherein predefined naming conventions for AWS Simple Storage Service (S3) buckets could be exploited in orchestrating attacks aimed at accessing sensitive data. When preparing an AWS environment to utilize the CDK, a process known as bootstrapping is employed to provision essential resources like S3 buckets and IAM roles. Notably, the IAM roles established during bootstrapping provide capabilities for both asset uploading and stack deployment, which include extensive administrative permissions.
The IAM roles created during bootstrapping follow a predictable naming structure, specifically the format “cdk-{Qualifier}-{Description}-{Account-ID}-{Region}”. Many users never customize the default qualifier, so the resulting names follow a common pattern that is easy to guess. This predictability opens the door to what is termed S3 Bucket Namesquatting: if a user’s CDK bucket no longer exists, an attacker can register a bucket under the same name, which can cause denial of service or, if the victim’s CDK has permission to write to the attacker-controlled bucket, more severe consequences.
If exploited, the vulnerability gives the attacker read and write access to the CloudFormation templates the victim uploads, letting the attacker tamper with them so that privileged resources are created in the victim’s AWS account. Because the CloudFormation service deploys these templates with administrative privileges, the impact of such tampering is severe.
The researchers describe a scenario in which a user bootstrapped an account at some point and later deleted the S3 bucket, leaving its predictable name free to be claimed. The attack would then involve opening the claimed bucket to public access and embedding malicious code in the templates the victim uploads to it.
AWS estimates that approximately 1% of CDK users were vulnerable to this exploit, underlining the importance of robust security practices. They encourage users to adopt a bespoke qualifier during bootstrapping and have implemented measures to ensure assets are uploaded exclusively to user-owned buckets. Users who previously bootstrapped with versions prior to v2.149.0 must either update to the latest CDK version or apply a specific IAM policy condition.
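As an added illustration (not code from the article, Aqua or AWS), the following Python audit helper applies the two points above: it expands the predictable bootstrap naming pattern so a defender can see which resource names are derivable from an account ID and region, flags names built from the default qualifier, and checks an IAM policy document for the per-account ownership condition. The default qualifier value, the Description values and the aws:ResourceAccount condition key are known CDK/IAM values that the page does not quote, so treat them as assumptions.

```python
from fnmatch import fnmatch

# Qualifier the CDK uses when none is supplied (known default; not quoted on the page).
DEFAULT_QUALIFIER = "hnb659fds"


def bootstrap_names(account_id: str, region: str, qualifier: str = DEFAULT_QUALIFIER) -> dict:
    # Expand cdk-{Qualifier}-{Description}-{Account-ID}-{Region} for the resources the
    # page discusses; the Description values are assumed here.
    prefix = f"cdk-{qualifier}"
    suffix = f"{account_id}-{region}"
    return {
        "assets_bucket": f"{prefix}-assets-{suffix}",
        "file_publishing_role": f"{prefix}-file-publishing-role-{suffix}",
        "deploy_role": f"{prefix}-deploy-role-{suffix}",
    }


def uses_default_qualifier(resource_name: str) -> bool:
    # A name built from the default qualifier is derivable from account ID and region alone.
    return resource_name.startswith(f"cdk-{DEFAULT_QUALIFIER}-")


def hardened_publish_statement(account_id: str) -> dict:
    # Pin S3 writes to buckets owned by our own account. aws:ResourceAccount is the
    # condition key assumed here; the page only says "a specific IAM policy condition".
    return {
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceAccount": account_id}},
    }


def _allows_put(stmt: dict) -> bool:
    # IAM action matching is case-insensitive and wildcard-aware (s3:*, s3:Put*, *).
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return stmt.get("Effect") == "Allow" and any(fnmatch("s3:putobject", a.lower()) for a in actions)


def publish_policy_is_pinned(policy: dict, account_id: str) -> bool:
    # Audit check: every statement that can write objects must carry the ownership condition.
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if not _allows_put(stmt):
            continue
        owner = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:ResourceAccount")
        owner = [owner] if isinstance(owner, str) else (owner or [])
        if account_id not in owner:
            return False
    return True
```

Run `publish_policy_is_pinned` against the file-publishing role's inline policy (retrieved with the IAM API) to confirm a pre-v2.149.0 bootstrap has been remediated.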
In response to concerns about unauthorized data exposure, AWS has emphasized the importance of maintaining the confidentiality of AWS account IDs and structuring IAM policies carefully. They advocate for unique random identifiers in bucket names to deter preemptive claims by attackers.
This vulnerability highlights systemic issues in cloud resource management and accentuates the ongoing need for vigilance in cloud security protocols, particularly for businesses utilizing AWS services. The incident serves as a stark reminder of the risks associated with predictable configurations in cloud environments.