On June 27, 2024, Aqua discovered a critical security flaw in the Amazon Web Services (AWS) Cloud Development Kit (CDK) which, under particular circumstances, can lead to complete account takeover. The vulnerability affects CDK versions v2.148.1 and earlier and, as acknowledged by AWS, around 1% of CDK users were still exposed at the time of disclosure. The flaw centers on name-squatting the AWS Simple Storage Service (S3) staging bucket that the CDK uses during deployment to hold synthesized CloudFormation templates and file assets (for example Lambda code bundles) until CloudFormation consumes them.
The issue originates in the CDK bootstrapping process (cdk bootstrap), which deploys a CloudFormation stack, CDKToolkit by default, containing the resources every later deployment relies on: the S3 staging bucket, an ECR repository for container images, and a set of IAM roles. The root of the problem is that the staging bucket's name is predictable. It follows the pattern cdk-{qualifier}-assets-{account-ID}-{Region}; the qualifier defaults to hnb659fds and is seldom changed, so anyone who knows the target's AWS account ID and Region can derive the bucket name. Because S3 bucket names are globally unique across all AWS accounts, an attacker can create a bucket with that exact name first, in their own account. The victim's bootstrap then fails to create its bucket, which is already a Denial of Service (DoS), and, as described below, the same squatted bucket can be turned into a full account takeover.
How the Vulnerability is Exploited
The escalation from DoS to full account takeover hinges on how the CDK interacts with the staging bucket. On cdk deploy, the CDK assumes the bootstrap's FilePublishingRole and uploads the synthesized CloudFormation template and file assets to the bucket with the expected name; CloudFormation then fetches the template from that bucket and executes it using the bootstrap's CloudFormationExecutionRole, which in the default bootstrap carries the AdministratorAccess managed policy. If the bucket with that name belongs to the attacker, and the attacker has made it writable by the victim (a bucket policy on the attacker's side is all that takes), the victim's deployment writes its template into attacker-controlled storage. The attacker can then modify the template before CloudFormation reads it, and whatever resources they add, such as an IAM user or role, are created inside the victim's account with administrator privileges. In effect, the attacker gains the same level of control as the legitimate account owner: executing actions, reading sensitive data, and deploying malicious infrastructure.
AWS responded by urging all CDK users to apply the fix. CDK v2.149.0 changes the bootstrap template so that the FilePublishingRole (the role cdk deploy assumes to upload assets) may only write to buckets owned by the account itself: its S3 permissions now carry a condition on the aws:ResourceAccount key, so a PutObject into a same-named bucket owned by another account is denied. AWS also updated its documentation to stress customizing the bootstrapping resources, in particular replacing the default qualifier hnb659fds with a value unique to your organization, so the bucket name can no longer be guessed from the account ID and Region alone.
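To make the effect of that condition concrete, here is an added example (not the CDK project's own bootstrap template) that places a pre-fix and a hardened version of the FilePublishingRole's S3 statement side by side and evaluates a write against each. The statement shape is simplified from the bootstrap template; the condition uses the IAM global condition key aws:ResourceAccount, which S3 populates with the account that owns the bucket being accessed. write_allowed() is a constructed, deliberately minimal evaluator for this one statement (Allow effect, '*'-style wildcards, one StringEquals condition), not an IAM policy engine, and the account IDs are sample values.

```python
"""Before/after view of the bootstrap FilePublishingRole's S3 grant.

Added example, not the CDK project's bootstrap template. Statements are
simplified from that template's shape; write_allowed() is a constructed
minimal evaluator (Allow only, '*' wildcards, one StringEquals condition).
"""
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"        # sample account ID (documentation-style value)
REGION = "us-east-1"
QUALIFIER = "hnb659fds"            # the default CDK bootstrap qualifier
STAGING_BUCKET = f"cdk-{QUALIFIER}-assets-{ACCOUNT_ID}-{REGION}"


def file_publishing_statement(account_id: str, bucket: str, hardened: bool) -> dict:
    """S3 statement the bootstrap stack grants to the FilePublishingRole (simplified)."""
    statement = {
        "Effect": "Allow",
        "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*",
                   "s3:DeleteObject*", "s3:PutObject*", "s3:Abort*"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }
    if hardened:
        # v2.149.0 shape: the bucket must be owned by this very account, so a
        # same-named bucket sitting in an attacker's account no longer matches.
        statement["Condition"] = {"StringEquals": {"aws:ResourceAccount": account_id}}
    return statement


def write_allowed(statement: dict, bucket: str, key: str, bucket_owner_account: str) -> bool:
    """Would this statement allow s3:PutObject on s3://bucket/key, given who owns the bucket?"""
    if statement["Effect"] != "Allow":
        return False
    action_ok = any(fnmatchcase("s3:PutObject", p) for p in statement["Action"])
    arn = f"arn:aws:s3:::{bucket}/{key}"
    resource_ok = any(fnmatchcase(arn, p) for p in statement["Resource"])
    if not (action_ok and resource_ok):
        return False
    # aws:ResourceAccount is filled in by S3 with the bucket owner's account ID.
    condition = statement.get("Condition", {}).get("StringEquals", {})
    expected_owner = condition.get("aws:ResourceAccount")
    return expected_owner is None or expected_owner == bucket_owner_account


def squatting_scenario(hardened: bool, attacker_account: str = "999999999999") -> dict:
    """The victim's deploy publishes template.json; bucket ownership decides the outcome."""
    statement = file_publishing_statement(ACCOUNT_ID, STAGING_BUCKET, hardened)
    return {
        "own_bucket": write_allowed(statement, STAGING_BUCKET, "template.json", ACCOUNT_ID),
        "squatted_bucket": write_allowed(statement, STAGING_BUCKET, "template.json", attacker_account),
    }


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "pre-fix ", squatting_scenario(hardened))
```

The pre-fix statement is satisfied purely by the bucket name, which is exactly the property the attacker controls; the hardened statement ties the grant to the owning account, which the attacker cannot forge, so the upload into the squatted bucket fails before any template lands where it could be tampered with.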
Steps to Protect Your AWS Account
If you ran cdk bootstrap with a CLI older than v2.149.0, the bootstrap stack already deployed in your account still contains the unconditioned role; upgrading the CLI alone does not change it. Upgrade to v2.149.0 or later and re-run cdk bootstrap in every account and Region you use so the updated template is deployed. At the same time, customize the bootstrapping resources as AWS advises: choose a non-default qualifier (the --qualifier option of cdk bootstrap, which must then also be configured in the app's synthesizer settings so stacks look for the right bucket) and follow the other recommended security practices so your environments are not left exposed.
Beyond these immediate steps, both AWS and Aqua recommend actively monitoring for misconfigurations. In particular, confirm that the staging bucket expected in each bootstrapped Region actually exists and is owned by your account: a name that is not currently held by a bucket in your account is exactly the one an attacker can claim. The fixes and guidelines only protect against name-squatting if they are applied and maintained, so keep the customized configuration in place, re-bootstrap when the bootstrap template changes, and apply AWS security updates regularly.
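The ownership check just described can be scripted. The following is an added example, not code from the page, Aqua or AWS. It assumes the default bootstrap naming scheme cdk-{qualifier}-assets-{account}-{region}. With a real boto3 S3 client, head_bucket(Bucket=..., ExpectedBucketOwner=...) returns normally for a bucket you own, fails with HTTP 404 when no such bucket exists, and fails with 403 when the bucket exists but is owned by another account (or when the caller simply lacks permission). FakeS3 is a constructed stand-in with the same call shape and error format so the script runs offline; the account IDs and bucket states are sample data.

```python
"""Audit the CDK staging bucket expected in each Region for name-squatting.

Added example, not from the page, Aqua or AWS. FakeS3 is a constructed
stand-in for boto3.client("s3"); replace it with the real client to audit
a real account. Sample account IDs and bucket states are made up.
"""
from dataclasses import dataclass, field

DEFAULT_QUALIFIER = "hnb659fds"

OWNED = "owned"                          # bucket exists and is ours
SQUATTED = "squatted-or-no-access"       # bucket exists but belongs to someone else (or we cannot see it)
UNCLAIMED = "unclaimed"                  # nobody holds the name: an attacker could take it right now


def staging_bucket_name(account_id: str, region: str, qualifier: str = DEFAULT_QUALIFIER) -> str:
    """The bootstrap's default staging-bucket name for this account and Region."""
    return f"cdk-{qualifier}-assets-{account_id}-{region}"


class HeadBucketError(Exception):
    """Shaped like botocore's ClientError: the code lives in .response['Error']['Code']."""
    def __init__(self, code: str):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


@dataclass
class FakeS3:
    """Constructed stand-in: maps bucket name -> owning account ID."""
    owners: dict = field(default_factory=dict)

    def head_bucket(self, Bucket: str, ExpectedBucketOwner: str = None) -> dict:
        owner = self.owners.get(Bucket)
        if owner is None:
            raise HeadBucketError("404")            # S3: no bucket of that name anywhere
        if ExpectedBucketOwner is not None and owner != ExpectedBucketOwner:
            raise HeadBucketError("403")            # S3: exists, but not owned by the expected account
        return {}


def audit_bucket(s3, account_id: str, region: str, qualifier: str = DEFAULT_QUALIFIER) -> tuple:
    """Classify the expected staging bucket as owned, squatted/no-access, or unclaimed."""
    name = staging_bucket_name(account_id, region, qualifier)
    try:
        s3.head_bucket(Bucket=name, ExpectedBucketOwner=account_id)
    except Exception as err:
        code = getattr(err, "response", {}).get("Error", {}).get("Code", "")
        if code in ("404", "NoSuchBucket", "NotFound"):
            return name, UNCLAIMED
        if code in ("403", "AccessDenied", "Forbidden"):
            return name, SQUATTED
        raise                                       # anything else (throttling, network) is not a verdict
    return name, OWNED


def audit_regions(s3, account_id: str, regions, qualifier: str = DEFAULT_QUALIFIER) -> dict:
    """Run audit_bucket for every Region; returns {region: (bucket_name, status)}."""
    return {region: audit_bucket(s3, account_id, region, qualifier) for region in regions}


SAMPLE_ACCOUNT = "123456789012"
SAMPLE_REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-1"]
SAMPLE_S3 = FakeS3({
    staging_bucket_name(SAMPLE_ACCOUNT, "us-east-1"): SAMPLE_ACCOUNT,   # bootstrapped, ours
    staging_bucket_name(SAMPLE_ACCOUNT, "eu-west-1"): "999999999999",   # same name, attacker's account
    # ap-southeast-1 deliberately absent: the name is free for anyone to claim
})

if __name__ == "__main__":
    for region, (name, status) in audit_regions(SAMPLE_S3, SAMPLE_ACCOUNT, SAMPLE_REGIONS).items():
        print(f"{region:16} {status:22} {name}")
```

Treat both non-owned results as urgent: "squatted-or-no-access" in a Region you deploy to means your next cdk deploy may publish into someone else's bucket (on an un-patched bootstrap), and "unclaimed" in a Region you have bootstrapped means the bucket was removed while the bootstrap stack still points at that name, which is the open door the attack needs. Run the audit with the qualifier you actually use, not only the default.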
Broader Implications and Final Thoughts
The CDK flaw is one instance of a broader class of attacks that Aqua terms “Bucket Monopoly”: AWS services that create S3 buckets with predictable, account-derived names and then trust whatever bucket carries that name. Aqua reported the same pattern not just in the CDK but in other AWS services including CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar. The common lesson is that a bucket name is not proof of ownership. Organizations should keep their tooling updated, set non-default identifiers wherever a service allows it, and verify that the buckets their pipelines write to are really theirs, rather than leaving exploitable gaps that can be used for malicious purposes.