
Predictable AWS cloud deployment resources allow full account takeover – Source: www.csoonline.com


Source: www.csoonline.com – Author: Shweta Sharma

News

25 Oct 2024, 3 min read

Cloud Security, Security, Vulnerabilities

The staging S3 buckets created within CDK bootstrapping have predictable naming patterns attackers can exploit.

Amazon Web Services (AWS) is urging its open-source Cloud Development Kit (CDK) users to apply fixes now available for a flaw that, under certain circumstances, can allow complete account takeover.

The issue allows attackers to name-squat the AWS S3 (Simple Storage Service) staging bucket that CDK uses during deployment: the bucket where the toolkit uploads deployment assets such as CloudFormation templates and application code before CloudFormation consumes them.

Discovered by Aqua on June 27, the flaw affects CDK versions v2.148.1 and earlier and, as confirmed by AWS, impacts about 1% of CDK users.

S3 bucket name-squatting

CDK is AWS’ open-source framework for defining infrastructure as code (IaC), the practice of provisioning and managing computing resources through code rather than manual configuration, using general-purpose programming languages such as Python, TypeScript, or JavaScript.

Before the AWS CDK can be used, the target environment (an account and Region pair) must be bootstrapped to prepare it for CDK stack deployments. CDK bootstrapping deploys a CloudFormation stack, generated from a bootstrap template, that creates the essential infrastructure components: IAM roles, configuration, policies, and an S3 staging bucket.

The created staging S3 bucket follows a specific naming pattern: cdk-{qualifier}-assets-{account-ID}-{Region}. The issue stems from the fact that users running the CDK bootstrap command rarely customize the “qualifier,” which AWS defaults to “hnb659fds.”

This allows attackers to predict a user’s CDK staging bucket name from just two pieces of information: the AWS account ID and the Region in which CDK is deployed. Because S3 bucket names are globally unique, an attacker who creates a bucket with that name first blocks the user from creating their own, producing a denial of service (DoS) situation, according to an Aqua blog.

The DoS scenario can be escalated to a full account takeover if the victim’s CDK both writes to and reads from the squatted bucket: CDK publishes assets, including CloudFormation templates, into the attacker-controlled staging bucket and then deploys from it. By tampering with a template there, the attacker can have CloudFormation perform malicious actions inside the victim’s AWS account with the deployment role’s privileges, Aqua researchers added in the blog.

Customizing CDK bootstrap can help

AWS recently updated its documentation to emphasize the importance of customizing bootstrapping resources. In this particular instance, a user who changed the “qualifier” used in CDK bootstrapping would have an unpredictable bucket name and could defend against this exploit.

Additionally, starting from CDK version v2.149.0, AWS has added a fix in the form of a condition on the bootstrap FilePublishRole’s policy that prevents CDK from pushing assets to buckets not owned by the account that ran the bootstrap. Even if an attacker claims the predictable name, the victim’s role can no longer write into that bucket.
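To make the two defenses concrete, the following added example (written for this page; it is not code from the article, AWS, or Aqua) models the squat described above in memory: it derives the staging bucket name from the pattern the article gives, lets an attacker claim that name first in a simulated global S3 namespace, and then evaluates whether the bootstrap FilePublishRole would still write into the attacker’s bucket under a pre-fix and a post-fix policy. The condition key `aws:ResourceAccount` is used to stand in for the ownership check AWS added in v2.149.0 and should be treated as an assumption; the attacker account ID and the simplified action list are also illustrative.

```python
"""In-memory model of the CDK staging-bucket squat and its two defenses.

Added worked example; not code from the article, AWS or Aqua. No AWS calls are
made: the S3 global namespace and IAM evaluation are simulated. The condition
key 'aws:ResourceAccount' is an assumption standing in for the ownership check
AWS added to the bootstrap FilePublishRole in CDK v2.149.0.
"""
from dataclasses import dataclass, field

DEFAULT_QUALIFIER = "hnb659fds"  # AWS default qualifier named in the article


def staging_bucket_name(account_id, region, qualifier=DEFAULT_QUALIFIER):
    """Reproduce the bootstrap naming pattern cdk-{qualifier}-assets-{account}-{region}."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("AWS account IDs are 12 digits")
    return f"cdk-{qualifier}-assets-{account_id}-{region}"


def file_publish_policy(account_id, fixed):
    """Minimal stand-in for the FilePublishRole policy before and after the fix."""
    statement = {
        "Effect": "Allow",
        "Action": ["s3:PutObject*", "s3:GetObject*"],  # simplified action list
        "Resource": "*",
    }
    if fixed:
        # Assumption: the fix pins the bucket owner with a StringEquals condition.
        statement["Condition"] = {"StringEquals": {"aws:ResourceAccount": account_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


@dataclass
class S3Namespace:
    """Global bucket namespace: the first creator of a name owns it, as in S3."""
    owners: dict = field(default_factory=dict)  # bucket name -> owner account ID

    def create_bucket(self, name, owner):
        if name in self.owners:
            return False  # S3 would return BucketAlreadyExists
        self.owners[name] = owner
        return True


def publish_allowed(policy, namespace, bucket):
    """Decide whether the role may write into `bucket` under `policy`."""
    owner = namespace.owners.get(bucket)
    if owner is None:
        return False
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        cond = statement.get("Condition", {}).get("StringEquals", {})
        required_owner = cond.get("aws:ResourceAccount")
        if required_owner is None or required_owner == owner:
            return True
    return False


def simulate(victim_account, region, qualifier, fixed_cdk, attacker_account="999999999999"):
    """Attacker guesses the default-qualifier name and claims it before the victim bootstraps."""
    ns = S3Namespace()
    bucket = staging_bucket_name(victim_account, region, qualifier)
    attacker_guess = staging_bucket_name(victim_account, region)  # attacker assumes the default
    squatted = attacker_guess == bucket and ns.create_bucket(attacker_guess, attacker_account)
    victim_created = ns.create_bucket(bucket, victim_account)
    policy = file_publish_policy(victim_account, fixed_cdk)
    return {
        "bucket": bucket,
        "bootstrap_blocked": not victim_created,              # the DoS case
        "assets_sent_to_attacker": squatted and publish_allowed(policy, ns, bucket),
    }


if __name__ == "__main__":
    for qualifier, fixed in ((DEFAULT_QUALIFIER, False), (DEFAULT_QUALIFIER, True), ("acme1", False)):
        print(qualifier, "fixed" if fixed else "unfixed", simulate("123456789012", "us-east-1", qualifier, fixed))
```

The three runs show the article’s argument in order: with the default qualifier and an old bootstrap the victim’s bootstrap fails and, if deployment proceeds against the squatted name, assets flow to the attacker; the v2.149.0 ownership condition stops the write but not the name collision; a custom qualifier avoids the collision entirely because the attacker cannot guess the name. In practice the qualifier is set with `cdk bootstrap --qualifier <value>` and must also be configured on the stack synthesizer so that deployments resolve the same bucket name.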

While the patch and the custom-qualifier workaround protect new CDK bootstraps, environments bootstrapped with CDK v2.148.1 or earlier remain vulnerable even after the CLI is updated to a fixed version, because the fix lives in the bootstrap stack rather than in the CLI; those environments must be re-bootstrapped with the fixed version to receive the new role condition. Aqua categorized the issue within the attack method it previously dubbed “Bucket Monopoly,” which covered similar critical vulnerabilities in six other AWS services: CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar.


Original Post url: https://www.csoonline.com/article/3588817/predictable-aws-cloud-deployment-resources-allow-full-account-takeover.html

Category & Tags: Cloud Security, Security, Vulnerabilities
