AWS SOC 2 type 2 failure (Fall 2020)

Published Sun, Dec 20th, 2020

Platforms

aws

Summary

Information about this issue is under NDA, but AWS customers can read about it on pages 120-121 of the report, which is available for download through AWS Artifact. Note: This issue is outside the scope of this database's usual criteria for inclusion, but has been kept for historic reasons, as it was included in the original CSP Security Mistakes dataset.

Affected Services

N/A

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://aws.amazon.com/blogs/security/fall-2020-soc-reports-now-available-with-124-services-in-scope/

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Sun, Dec 20th, 2020

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

-

More vulnerabilities...

high

IAM privilege escalation in multiple GCP services

gcp

Composer, Dataflow, Dataproc, Dataprep and Data Fusion all used the Compute Engine default service account by default and relied on product-level IAM permissions without requiring the iam.serviceAc...

Allison Donovan, Dylan Ayrey
medium

GCP Default compute account is project Editor

gcp

When the compute API is enabled on a GCP Project, the default compute account is created. This account gets the primitive role Editor assigned by default, which allows for a wide variety of privile...

Louis Duruflé-Seta
medium

SSRF in Google Cloud Monitoring

gcp

An SSRF bug in Google Cloud Monitoring's uptime check feature could have been used to leak the authentication token of the service account used for these checks. The issue was resolved but later by...

David Nechuta
View all