low

MWAA logs leak tokens and hostnames

Published Tue, May 31st, 2022
Platforms

Summary

Two API calls used by Amazon Managed Workflows for Apache Airflow (MWAA) to convert AWS IAM credentials into tokens that can be used to login to Airflow (CreateCliToken and CreateWebLoginToken) were logging the tokens to Cloudtrail. The event included the hostname for the airflow server, so everything required to login to Airflow was in the event. However, the issue was largely mitigated by the fact that the tokens are only valid for 60 seconds and CloudTrail delivers logs on average about every 15 minutes, so the chance of receiving a valid token were low.

Affected Services

MWAA

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Wed, May 11th, 2022
Exploitablity Period
by 2022/05/22
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Ben Reser, Vibes