
AWS Cloud Development Kit Vulnerability: Risks and Solutions

AWS Cloud Development Kit
Account takeover in AWS possible

A vulnerability in the AWS Cloud Development Kit allows attackers to compromise AWS accounts when users delete previously created S3 buckets. The misconfiguration in the CDK allows for a predictable bucket name, creating risks for users using default configurations.

Due to a vulnerability in the AWS Cloud Development Kit, DoS attacks or even account takeover are possible. (Image: Dall-E / AI-generated)

Security researchers at Aquasec have discovered a serious security flaw in the AWS Cloud Development Kit (CDK). The gap allows full takeover of AWS accounts. The vulnerability affects the open-source CDK project and stems from the creation of S3 buckets during the bootstrapping process. That process automatically generates infrastructure components such as IAM roles and S3 buckets that are essential for the CDK to function.

AWS CDK vulnerability details

The vulnerability mainly occurs when users delete the created S3 bucket after the initial bootstrapping. Because the bucket name follows a fixed structure – by default it is cdk-hnb659fds-assets-{Account-ID}-{Region} – an attacker can predict the bucket name and claim it for themselves. If an attacker knows the target’s account ID and region, they can combine this information with the default qualifier to take over the bucket.

In this case, the victim will encounter an error during the next CDK deployment because the necessary bucket already exists but is now under the attacker’s control. This control opens up opportunities for a denial of service (DoS) attack or, in severe cases, account takeover.

The experts at Aquasec have developed an automated scanning tool that checks over 38,000 accounts for CDK installation and the existence of the CDK bucket. The analysis found that about one percent of CDK users are vulnerable to this type of attack. AWS later confirmed this figure and took mitigation steps.

Further analysis showed that in around ten percent of the accounts checked, the previously created CDK bucket had been deleted, allowing attackers to claim and control the S3 buckets. Controlling the bucket lets the attacker manipulate the files in it using a specially configured Lambda function. As a result, CloudFormation templates containing malicious content can be uploaded and executed in the target account. Since the permissions granted by the CDK bootstrap process are very broad by default, this allows the attacker to, for example, create an IAM admin role and use it to take over the account.

CDK receives update

AWS responded to this discovery with an update to the CDK in version 2.149.0, which ensures that the necessary S3 buckets reside exclusively within the user’s own account. However, this security measure only applies to accounts that are re-bootstrapped after the update. Users who continue to work with older CDK versions such as 2.148.1 must intervene manually and either perform an update or adjust the IAM role themselves to prevent access to untrusted buckets.

Other existing risks

Another risk of this vulnerability is the availability of the AWS account ID, which often appears in publicly accessible code repositories. Knowing this ID, combined with the region and predictable S3 bucket name, allows an attacker to effectively carry out the attack. Security experts therefore recommend treating AWS account IDs as sensitive information and anonymizing them in public repositories.

To prevent future security incidents, security researchers emphasize the importance of individual configurations in the CDK bootstrapping process. AWS recommends using a unique qualifier instead of the default value to avoid the predictable bucket name and thus prevent bucket naming attacks.
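The two points above – the predictable default bucket name and the recommended mitigations (a custom qualifier, and an IAM role that cannot reach buckets outside the account) – can be turned into a small audit check. The following Python script is an added example and not code from Aquasec, AWS or the CDK project. It derives the bootstrap bucket name from the pattern quoted in the article, flags buckets that still use the default qualifier hnb659fds, and builds an IAM statement that confines S3 access to buckets owned by the account via the aws:ResourceAccount condition key. The list of bucket names and the account ID are constructed sample data; the exact statement AWS ships in 2.149.0 is not reproduced here, so the condition shown is this example's own hardening, not a quote of the fixed template.

```python
import re

# Default bootstrap qualifier named in the article; anything else is a
# custom qualifier chosen by the account owner.
DEFAULT_QUALIFIER = "hnb659fds"

# Bucket-name pattern from the article: cdk-{qualifier}-assets-{account}-{region}
_BUCKET_RE = re.compile(
    r"^cdk-(?P<qualifier>[a-z0-9]{1,10})-assets-"
    r"(?P<account>\d{12})-(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)$"
)


def bootstrap_bucket_name(account_id, region, qualifier=DEFAULT_QUALIFIER):
    """Return the asset bucket name the CDK bootstrap derives from account, region and qualifier."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")
    return f"cdk-{qualifier}-assets-{account_id}-{region}"


def parse_bootstrap_bucket(name):
    """Split a CDK bootstrap bucket name into its parts, or None if it is not one."""
    m = _BUCKET_RE.match(name)
    return m.groupdict() if m else None


def audit_bucket_names(bucket_names):
    """Flag CDK bootstrap buckets that still use the default, predictable qualifier."""
    findings = []
    for name in bucket_names:
        parts = parse_bootstrap_bucket(name)
        if parts is None:
            continue  # not a CDK bootstrap bucket, nothing to report
        findings.append({
            "bucket": name,
            "account": parts["account"],
            "region": parts["region"],
            "default_qualifier": parts["qualifier"] == DEFAULT_QUALIFIER,
        })
    return findings


def scoped_s3_statement(account_id, actions=("s3:GetObject", "s3:PutObject", "s3:ListBucket")):
    """IAM statement allowing S3 actions only on buckets owned by account_id.

    aws:ResourceAccount is a global condition key; the condition makes the
    role useless against a bucket an outsider has registered under the
    predictable name (hardening chosen for this example).
    """
    return {
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceAccount": account_id}},
    }


def statement_confined_to_account(statement, account_id):
    """True if the statement carries an aws:ResourceAccount condition pinned to account_id."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return cond.get("aws:ResourceAccount") == account_id


if __name__ == "__main__":
    # Constructed sample bucket listing, e.g. from `aws s3api list-buckets`.
    sample_buckets = [
        "cdk-hnb659fds-assets-123456789012-eu-central-1",   # default qualifier
        "cdk-abcde12345-assets-123456789012-us-east-1",     # custom qualifier
        "my-logs-bucket",                                   # unrelated bucket
    ]
    for finding in audit_bucket_names(sample_buckets):
        status = "DEFAULT qualifier, predictable name" if finding["default_qualifier"] else "custom qualifier"
        print(f"{finding['bucket']}: {status}")
    print(scoped_s3_statement("123456789012"))
```

Re-bootstrapping with a custom qualifier is done with `cdk bootstrap --qualifier <value>` and, so that synthesized stacks look for the matching bucket, the same value in cdk.json under the context key `@aws-cdk/core:bootstrapQualifier` (both from the CDK documentation as I know it; the qualifier must be short and alphanumeric). Running the audit regularly, and treating any bootstrap bucket that disappears from the listing as an incident, covers the deletion scenario the article describes.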
