Summary
The AWS Amplify service was found to be misconfiguring IAM roles associated
with Amplify projects. This misconfiguration caused these roles to be assumable
by any other AWS account. Both the Amplify Studio and the Amplify CLI
exhibited this behavior. Any Amplify project created using the Amplify CLI
built between July 3, 2018 and August 8, 2019 had IAM roles that were assumable by
anyone in the world. The same was true if the authentication component was removed
from an Amplify project using the Amplify CLI or Amplify Studio built between
August 2019 and January 2024. AWS mitigated this vulnerability through backend changes to
STS and IAM, and also released a patch for the Amplify CLI to ensure that newly
created roles are properly configured in accordance with these changes.
Affected Services
Amplify, Cognito
Remediation
None required, but customers should upgrade to Amplify CLI 12.10.1 or higher to
ensure that newly created roles are compatible with the backend mitigations.
Tracked CVEs
CVE-2024-28056
References
https://securitylabs.datadoghq.com/articles/amplified-exposure-how-aws-flaws-made-amplify-iam-roles-vulnerable-to-takeover/https://aws.amazon.com/security/security-bulletins/AWS-2024-003/
Contributed by https://github.com/frichetten
Disclosure Date
Tue, Jan 9th, 2024
Exploitablity Period
Between July 2018 and January 2024
Known ITW Exploitation
-
Detection Methods
Review CloudTrail logs for suspicious sts:AssumeRoleWithWebIdentity API calls in which
the identity pool ID is not owned by an identity pool in the same account.
Piercing Index Rating
8.93
(PI:1.5/A1:20/A2:1.1/A7:1.1/A8:1)
Discovered by
Nick Frichette, Datadog
