high

Bucket Monopoly Attack on AWS Services

Published Wed, Aug 7th, 2024
Platforms

Summary

Researchers discovered critical vulnerabilities in 6 AWS services that could allow attackers to breach accounts through malicious S3 buckets. Because these services create or read buckets whose names follow a predictable pattern, an attacker who claimed such a name first could have code injected, data stolen, or admin access gained when the victim's service later used that bucket. AWS has since fixed the issues, but the attack vector may still apply to other services and open source projects.

Affected Services

CloudFormation, Glue, EMR, SageMaker, CodeStar, ServiceCatalog

Remediation

Use the aws:ResourceAccount condition key in IAM policies to restrict S3 access to buckets owned by trusted accounts. Verify S3 bucket ownership before a service or pipeline reads from or writes to a bucket. Use unique identifiers when naming buckets instead of predictable patterns.

Tracked CVEs

No tracked CVEs

References

Entry Status
Stub (AI-Generated)
Disclosure Date
Fri, Feb 16th, 2024
Exploitability Period
Until 2024/06/26
Known ITW Exploitation
-
Detection Methods
Check for unexpected S3 buckets matching patterns like "aws-glue-assets-{AccountID}-{Region}". Verify bucket ownership across all regions. Monitor for unauthorized cross-account S3 access.
Piercing Index Rating
-
Discovered by
Yakir Kadkoda, Ofek Itach, Michael Katchinskiy, Aqua Security
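As an added example (not part of this entry or of the Aqua Security research), the following Python puts the remediation and detection fields above into working form: it audits the predictable Glue asset bucket name quoted under Detection Methods for each region and classifies it as owned, missing or claimed by another account, and it builds the aws:ResourceAccount deny policy from Remediation. The function names, the sample account id and the inventory are constructed assumptions; in production the owner lookup would come from S3 HeadBucket with ExpectedBucketOwner.

```python
import json

def expected_bucket_names(account_id, regions):
    """Bucket names the Glue service would use for this account, per region
    (pattern quoted on the entry: aws-glue-assets-{AccountID}-{Region})."""
    return [f"aws-glue-assets-{account_id}-{r}" for r in regions]

def audit_buckets(account_id, regions, owner_lookup):
    """Classify each predictable name as 'owned' (ours), 'missing' (does not
    exist yet) or 'foreign' (already exists under another account).
    owner_lookup maps bucket name -> owning account id; absent names are
    missing. Constructed stand-in for HeadBucket / ExpectedBucketOwner."""
    findings = {}
    for name in expected_bucket_names(account_id, regions):
        owner = owner_lookup.get(name)
        if owner is None:
            findings[name] = "missing"
        elif owner == account_id:
            findings[name] = "owned"
        else:
            findings[name] = "foreign"
    return findings

def resource_account_guard(account_id):
    """IAM policy denying every S3 action against a bucket that is not owned
    by account_id: the aws:ResourceAccount mitigation from the entry."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyS3OutsideOwnAccount",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:ResourceAccount": account_id}},
        }],
    }

# Constructed sample inventory: one region is fine, one bucket was never
# created, and one name has already been claimed by a different account.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_REGIONS = ["us-east-1", "eu-west-1", "ap-south-1"]
SAMPLE_INVENTORY = {
    "aws-glue-assets-123456789012-us-east-1": "123456789012",
    "aws-glue-assets-123456789012-eu-west-1": "999999999999",
}

if __name__ == "__main__":
    for name, status in audit_buckets(SAMPLE_ACCOUNT, SAMPLE_REGIONS, SAMPLE_INVENTORY).items():
        print(f"{status:8} {name}")
    print(json.dumps(resource_account_guard(SAMPLE_ACCOUNT), indent=2))
```

A "foreign" finding is the condition this entry describes and warrants an investigation of whatever service is configured to use that name; "missing" names are the ones still exposed to being claimed.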