AWS Amplify IAM role publicly assumable exposure

Published Mon, Apr 15th, 2024


The AWS Amplify service was found to be misconfiguring IAM roles associated with Amplify projects. This misconfiguration caused these roles to be assumable by any other AWS account. Both the Amplify Studio and the Amplify CLI exhibited this behavior. Any Amplify project created using the Amplify CLI built between July 3, 2018 and August 8, 2019 had IAM roles that were assumable by anyone in the world. The same was true if the authentication component was removed from an Amplify project using the Amplify CLI or Amplify Studio built between August 2019 and January 2024. AWS mitigated this vulnerability through backend changes to STS and IAM, and also released a patch for the Amplify CLI to ensure that newly created roles are properly configured in accordance with these changes.

Affected Services

Amplify, Cognito


Remediation

None required, but customers should upgrade to Amplify CLI 12.10.1 or higher to ensure that newly created roles are compatible with the backend mitigations.

Tracked CVEs



Disclosure Date
Tue, Jan 9th, 2024
Exploitability Period
Between July 2018 and January 2024
Known ITW Exploitation
Detection Methods
Review CloudTrail logs for suspicious sts:AssumeRoleWithWebIdentity API calls in which the identity pool ID is not owned by an identity pool in the same account.
Piercing Index Rating
Discovered by
Nick Frichette, Datadog
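
The check described under Detection Methods, as an added example (not code from AWS or from the researcher). It assumes the CloudTrail record carries the identity pool ID inside `userIdentity.principalId` in the form `cognito-identity.amazonaws.com:<pool-id>:<identity-id>`, and that you supply the set of identity pool IDs your own account owns; the sample events, role name and IDs are constructed.

```python
# Added example: the CloudTrail field layout used here is an assumption (see lead-in).
COGNITO_IDP = "cognito-identity.amazonaws.com"

def pool_id_from_principal(principal_id):
    """Return 'region:guid' pool ID from 'provider:pool-region:pool-guid:id-region:id-guid'."""
    prefix = COGNITO_IDP + ":"
    if not principal_id.startswith(prefix):
        return None
    parts = principal_id[len(prefix):].split(":")
    return f"{parts[0]}:{parts[1]}" if len(parts) >= 2 else None

def find_foreign_pool_assumptions(events, owned_pool_ids):
    """Flag AssumeRoleWithWebIdentity calls whose Cognito pool is not in owned_pool_ids."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != (
                "sts.amazonaws.com", "AssumeRoleWithWebIdentity"):
            continue
        ident = ev.get("userIdentity") or {}
        if ident.get("identityProvider") != COGNITO_IDP:
            continue  # other web identity providers are out of scope here
        pool = pool_id_from_principal(ident.get("principalId") or "")
        if pool is None or pool not in owned_pool_ids:  # unparseable IDs are flagged too
            findings.append({
                "time": ev.get("eventTime"),
                "role": (ev.get("requestParameters") or {}).get("roleArn"),
                "pool": pool,
                "source_ip": ev.get("sourceIPAddress"),
                "succeeded": "errorCode" not in ev,
            })
    return findings

def sample_event(pool, time, ip, **extra):
    """Build a constructed CloudTrail-style record for the demonstration."""
    principal = f"{COGNITO_IDP}:{pool}:us-east-1:00000000-aaaa-4aaa-8aaa-000000000001"
    return {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
            "eventTime": time, "sourceIPAddress": ip,
            "userIdentity": {"type": "WebIdentityUser", "identityProvider": COGNITO_IDP,
                             "principalId": principal},
            "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/example-authRole"},
            **extra}

OWNED_POOLS = {"us-east-1:11111111-1111-4111-8111-111111111111"}  # constructed
SAMPLE_EVENTS = [
    sample_event("us-east-1:11111111-1111-4111-8111-111111111111", "2024-01-05T10:00:00Z", "198.51.100.7"),
    sample_event("us-west-2:22222222-2222-4222-8222-222222222222", "2024-01-05T10:05:00Z", "203.0.113.9"),
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"},  # ignored: different API
]

if __name__ == "__main__":
    for finding in find_foreign_pool_assumptions(SAMPLE_EVENTS, OWNED_POOLS):
        print(finding)
```

The owned set has to cover every region in which the account has identity pools, otherwise legitimate calls from those pools will be flagged.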