Unknown

AWS SOC 2 type 2 failure (Fall 2020)

Published Sun, Dec 20th, 2020

Platforms

Summary

Information about this issue is under NDA, but AWS customers can read about it on pages 120-121 of the report, which is available for download through AWS Artifact. Note: This issue is outside the scope of this database's usual criteria for inclusion, but has been kept for historic reasons, as it was included in the original CSP Security Mistakes dataset.

Affected Services

N/A

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://aws.amazon.com/blogs/security/fall-2020-soc-reports-now-available-with-124-services-in-scope/

Contributed by https://github.com/0xdabbad00

Disclosure Date

Sun, Dec 20th, 2020

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

More vulnerabilities...

high

IAM privilege escalation in multiple GCP services

Composer, Dataflow, Dataproc, Dataprep and Data Fusion all used the Compute Engine default service account by default and relied on product-level IAM permissions without requiring the iam.serviceAc...

Allison Donovan, Dylan Ayrey

Sun, Nov 22nd, 2020

medium

GCP Default compute account is project Editor

When the compute API is enabled on a GCP Project, the default compute account is created. This account gets the primitive role Editor assigned by default, which allows for a wide variety of privile...

Anonymous discoverer

Sun, Nov 22nd, 2020

medium

SSRF in Google Cloud Monitoring

An SSRF bug in Google Cloud Monitoring's uptime check feature could have been used to leak the authentication token of the service account used for these checks. The issue was resolved but later by...

David Nechuta

Thu, Nov 12th, 2020

View all