high

Confused Deputy Vulnerability in Amazon DataZone

Published Fri, Nov 1st, 2024

Platforms

Summary

A vulnerability in Amazon DataZone allowed potential attackers to assume roles in AWS accounts by exploiting a confused deputy problem. This could have granted unauthorized access to sensitive data managed by DataZone or other AWS services accessible by the IAM role trusting DataZone. The issue has been resolved, with no customers reportedly impacted.

Affected Services

Amazon DataZone

Remediation

Ensure AWS accounts associated with a domain are properly vetted, review and audit IAM roles and their trust relationships, and enforce least privilege access principles.

Tracked CVEs

No tracked CVEs

References

https://trustoncloud.com/blog/confused-deputy-vulnerability-in-amazon-datazone/

Contributed by https://github.com/korniko98

Entry Status

Stub (AI-Generated)

Disclosure Date

Thu, Aug 29th, 2024

Exploitablity Period

Until 2024/09/25

Known ITW Exploitation

Detection Methods

Monitor for unexpected AssumeRole events from datazone.amazonaws.com in CloudTrail logs, especially for roles not explicitly associated with your DataZone environments.

Piercing Index Rating

Discovered by

Carlos Mora, TrustOnCloud

More vulnerabilities...

medium

AWS CDK Bucket Squatting Risk

The AWS Cloud Development Kit (CDK) is a way of deploying infrastructure-as-code. The vulnerability involves AWS CDK’s use of a predictable S3 bucket name format (cdk-{Qualifier}-assets-{Account-ID...

Ofek Itach, Yakir Kadkoda, ...

Thu, Oct 24th, 2024

Missing JWT issuer and signer validation in ALB middleware

Miggo Security

Mon, Oct 21st, 2024

low

Data exfil via VPC endpoint denials in CloudTrail

CloudTrail delivered events to the resource owner and API caller even when the API action was denied by the VPC endpoint policy. This could have enabled a stealthy data exfiltration method in cases...

Sam Cox, Tracebit

Tue, Oct 15th, 2024

View all