Cybersecurity researchers have uncovered several critical vulnerabilities in Amazon Web Services (AWS) offerings that could result in remote code execution (RCE), data theft, and full-service takeovers. The flaws, identified by the cloud security firm Aqua, pose a significant risk to organizations relying on AWS services, potentially granting attackers unauthorized access to sensitive data and administrative controls. These vulnerabilities were responsibly disclosed to Amazon in February 2024, and the company has since implemented fixes over several months, with the full details presented at Black Hat USA 2024.
The primary concern revolves around an attack vector named Bucket Monopoly, which exploits a mechanism known as Shadow Resource. This attack vector takes advantage of the automatic creation of AWS S3 buckets when using services like CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar. By preemptively creating S3 buckets in unused AWS regions, attackers can gain covert access to the contents of these buckets when a legitimate user activates one of the vulnerable services, leading to potential RCE, data manipulation, or complete account takeovers.
The vulnerability extends to five other AWS services that follow a similar naming convention for S3 buckets, further increasing the scope of the threat. These services include AWS Glue, Elastic MapReduce (EMR), SageMaker, CodeStar, and Service Catalog. The predictable nature of S3 bucket names, which often incorporate AWS account IDs, makes it easier for attackers to stage such attacks. Aqua’s researchers have emphasized the importance of treating AWS account IDs as secrets and advised against using static identifiers in bucket names.
To mitigate the risk of exploitation, organizations are encouraged to adopt more secure practices when naming S3 buckets, such as generating unique hashes or random identifiers for each region and account. This approach can help prevent attackers from claiming buckets prematurely and reduce the likelihood of a successful attack. The discovery of these vulnerabilities underscores the critical need for robust cloud security practices, especially as more organizations continue to migrate their operations to cloud-based platforms like AWS.
Reference:
