AWS’s Predictable Bucket Names Make Accounts Insecure

The Amazon Internet Providers Cloud Improvement Package (CDK), a preferred open supply instrument, permits cyber groups to conveniently construct software-defined cloud infrastructure with extensively used programming languages, comparable to Python and JavaScript. However here is the issue: Throughout deployment and by default, AWS CDK creates a “staging” S3 bucket with a dangerously predictable naming conference that, if exploited by risk actors, might result in whole administrative entry to the related account.

In a new report, researchers from Aqua mentioned AWS confirmed the vulnerability affected about 1% of CDK customers. AWS subsequently notified these effected by the problem in mid-October. Variations of CDK v2.148.1 or earlier require customers to take motion.

“A key takeaway for open supply initiatives that depend on AWS is to make sure they do not use predictable bucket names,” says Yakir Kadkoda, lead safety researcher with Aqua. “They need to present an choice for customers to switch the bucket title that the open supply mission creates for its operation or implement a test on the bucket proprietor to keep away from such vulnerabilities.”

There is no solution to know if the vulnerability, which does not have an related CVE quantity, has been exploited within the wild, Kadkoda provides.

What Is S3 Bucket Namesquatting and Bucket Sniping?

The vuln is launched throughout the bootstrapping course of, the report defined, throughout which AWS creates an S3 staging bucket for storing a wide range of deployment belongings. As a result of the title of those AWS S3 buckets observe a sample: cdk-{qualifier}-assets-{account-ID}-{Area}, the staff discovered all adversaries want to interrupt into any of those buckets is the account identification quantity, and area — the one fields that change from bucket to bucket.

Not solely does this let attackers break into an present S3 bucket, they’ll additionally create a wholly new S3 bucket.

“If the attacker units up the bucket forward of time, when the person later tries to bootstrap the CDK from a selected area, they may encounter an error throughout the course of as a result of the CDK bucket that the bootstrap course of makes an attempt to create already exists,” the Aqua report added. “The documentation advises choosing a non-default qualifier.”

It is a tactic the report calls “S3 bucket namesquatting” or “bucket sniping” and offers the risk actor the power to execute malicious code contained in the goal AWS account.

“As a reminder, the CDK staging bucket incorporates CloudFormation templates,” the report added. “If an attacker features entry to the CDK staging bucket of different customers, these information may be simply tampered with and backdoored, enabling the injection of malicious assets into the sufferer’s account throughout deployment.”

This newest report expands on Aqua’s earlier evaluation of the hazard of configuring S3 buckets with simply guessed names into open supply instruments.

“This analysis emphasizes the significance of not utilizing predictable bucket names and preserving the AWS account ID secret to keep away from being weak to all these points sooner or later,” Kadkoda advises.