critical

AWS Amplify IAM role publicly assumable exposure

Published Mon, Apr 15th, 2024

Platforms

aws

Summary

The AWS Amplify service was found to be misconfiguring IAM roles associated with Amplify projects. This misconfiguration caused these roles to be assumable by any other AWS account. Both the Amplify Studio and the Amplify CLI exhibited this behavior. Any Amplify project created using the Amplify CLI built between July 3, 2018 and August 8, 2019 had IAM roles that were assumable by anyone in the world. The same was true if the authentication component was removed from an Amplify project using the Amplify CLI or Amplify Studio built between August 2019 and January 2024. AWS mitigated this vulnerability through backend changes to STS and IAM, and also released a patch for the Amplify CLI to ensure that newly created roles are properly configured in accordance with these changes.

Affected Services

Amplify, Cognito

Remediation

None required, but customers should upgrade to Amplify CLI 12.10.1 or higher to ensure that newly created roles are compatible with the backend mitigations.

Tracked CVEs

CVE-2024-28056

References

Contributed by https://github.com/frichetten

Entry Status

Finalized

Disclosure Date

Tue, Jan 9th, 2024

Exploitability Period

Between July 2018 and January 2024

Known ITW Exploitation

-

Detection Methods

Review CloudTrail logs for suspicious sts:AssumeRoleWithWebIdentity API calls in which the identity pool ID does not belong to an identity pool owned by the same account.
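The following is an added example, not part of this entry and not code from AWS, Amplify or the contributor. It pairs the detection method above with a preventive audit: one function flags IAM role trust policies that let the Cognito federated principal assume a role without pinning an identity pool through the `cognito-identity.amazonaws.com:aud` condition key, and a second scans CloudTrail records for AssumeRoleWithWebIdentity calls whose identity pool ID is not in the set of pools the account owns. All policies, events, pool IDs and role ARNs are constructed sample data; in particular, the layout in which the pool ID is read out of `userIdentity.principalId` is an assumption, and `pool_id_from_event` should be adjusted to wherever the pool ID appears in your own events.

```python
"""Added example (not from the advisory or from AWS/Amplify): two defender-side
checks for the Amplify/Cognito role exposure.
  1. audit_trust_policy(): flags Allow statements that let the Cognito federated
     principal call sts:AssumeRoleWithWebIdentity with no equality condition on
     the cognito-identity.amazonaws.com:aud key, i.e. no identity pool pinned.
  2. find_foreign_pool_assumptions(): reports CloudTrail AssumeRoleWithWebIdentity
     records whose identity pool ID is not one the account owns.
All data below is constructed for the example.
"""

COGNITO_FEDERATED = "cognito-identity.amazonaws.com"
AUD_KEY = "cognito-identity.amazonaws.com:aud"
# Only an equality operator pins the pool; a wildcard StringLike would not.
PINNING_OPERATORS = ("StringEquals", "ForAnyValue:StringEquals", "ForAllValues:StringEquals")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return the indexes of statements that grant the Cognito federated principal
    AssumeRoleWithWebIdentity without pinning an identity pool via the :aud key."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if COGNITO_FEDERATED not in federated:
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*", "*") for a in actions):
            continue
        condition = stmt.get("Condition", {})
        pinned = any(AUD_KEY in (condition.get(op) or {}) for op in PINNING_OPERATORS)
        if not pinned:
            findings.append(index)
    return findings


def pool_id_from_event(event):
    """Extract the identity pool ID from a Cognito-federated AssumeRoleWithWebIdentity
    record. ASSUMPTION: principalId is laid out as
    'cognito-identity.amazonaws.com:<region>:<pool-uuid>:<region>:<identity-uuid>';
    adapt this to wherever the pool ID appears in your own events."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "WebIdentityUser" or identity.get("identityProvider") != COGNITO_FEDERATED:
        return None
    parts = identity.get("principalId", "").split(":")
    if len(parts) < 5 or parts[0] != COGNITO_FEDERATED:
        return None
    return f"{parts[1]}:{parts[2]}"


def find_foreign_pool_assumptions(events, owned_pool_ids):
    """Return role assumptions through an identity pool the account does not own."""
    hits = []
    for event in events:
        if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") != "AssumeRoleWithWebIdentity":
            continue
        pool = pool_id_from_event(event)
        if pool is None or pool in owned_pool_ids:
            continue
        hits.append({"time": event.get("eventTime"),
                     "role": event.get("requestParameters", {}).get("roleArn"),
                     "identity_pool": pool})
    return hits


# Constructed trust policy shaped like an exposed role: the Cognito federated
# principal may assume it, but no identity pool is named.
UNPINNED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": COGNITO_FEDERATED},
    "Action": "sts:AssumeRoleWithWebIdentity"}]}

OWNED_POOL = "us-east-1:11111111-2222-3333-4444-555555555555"   # constructed
FOREIGN_POOL = "us-west-2:99999999-8888-7777-6666-555555555555"  # constructed
OWNED_POOL_IDS = {OWNED_POOL}

# Constructed hardened form: trust is limited to one identity pool ID.
PINNED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": COGNITO_FEDERATED},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {AUD_KEY: OWNED_POOL}}}]}

ROLE_ARN = "arn:aws:iam::123456789012:role/amplify-example-unauthRole"  # constructed


def _event(pool_id, identity_uuid, when):
    """Build a constructed CloudTrail AssumeRoleWithWebIdentity record."""
    return {"eventTime": when, "eventSource": "sts.amazonaws.com",
            "eventName": "AssumeRoleWithWebIdentity",
            "userIdentity": {"type": "WebIdentityUser", "identityProvider": COGNITO_FEDERATED,
                             "principalId": f"{COGNITO_FEDERATED}:{pool_id}:us-east-1:{identity_uuid}"},
            "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "CognitoIdentityCredentials"}}


SAMPLE_EVENTS = [
    _event(OWNED_POOL, "aaaaaaaa-0000-0000-0000-000000000001", "2024-01-05T10:00:00Z"),
    _event(FOREIGN_POOL, "bbbbbbbb-0000-0000-0000-000000000002", "2024-01-05T10:01:00Z"),
    {"eventSource": "iam.amazonaws.com", "eventName": "GetRole", "userIdentity": {"type": "IAMUser"}},
]

if __name__ == "__main__":
    print("unpinned statements:", audit_trust_policy(UNPINNED_TRUST_POLICY))
    print("pinned statements:", audit_trust_policy(PINNED_TRUST_POLICY))
    for hit in find_foreign_pool_assumptions(SAMPLE_EVENTS, OWNED_POOL_IDS):
        print("foreign-pool assumption:", hit)
```

In practice the owned pool set would come from the identity pools listed in the account and the events from a CloudTrail export; the audit half is the check worth running against every role whose trust policy names the Cognito federated principal, regardless of how the role was created.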

Piercing Index Rating

8.93

(PI:1.5/A1:20/A2:1.1/A7:1.1/A8:1)

Discovered by

Nick Frichette, Datadog