Security researchers from Aquasec recently discovered a critical vulnerability in the AWS Cloud Development Kit (CDK) that could allow attackers to gain full administrative access to targeted AWS accounts.
The issue, reported to AWS in June 2024, affects CDK users who have used version v2.148.1 or earlier.
The vulnerability stems from the predictable naming convention used by AWS CDK when creating resources during the bootstrapping process.
By default, CDK creates an S3 bucket with a name following the pattern cdk-hnb659fds-assets-{account-ID}-{Region}.
If a user deletes this bucket after bootstrapping, an attacker can claim the bucket by creating one with the same name in their own account.
When the victim runs cdk deploy, their CDK instance will trust the attacker-controlled bucket and write CloudFormation templates to it.
The attacker can then modify these templates, injecting malicious resources such as an admin role they can assume.
Since the victim’s CloudFormation service deploys resources with administrative privileges by default, the backdoored template is executed in the victim’s account, granting the attacker full control.
Research covering over 38,000 well-known account IDs revealed that approximately 1% of CDK users were susceptible to this attack vector.
Out of 782 accounts identified as having CDK installed, 81 (10%) were vulnerable due to missing staging buckets.
AWS has released fixes starting from CDK version v2.149.0, adding conditions to ensure roles only trust buckets within the user’s account.
However, users of older versions must take action by upgrading and re-running the cdk bootstrap command.
Security experts recommend treating AWS account IDs as sensitive information, using conditions in IAM policies to restrict access to trusted resources, and avoiding predictable S3 bucket names.
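To make the naming pattern, the condition-based fix and the recommended audit concrete, here is an added Python example; it is not code from AWS, the CDK project or Aqua. It derives the predictable staging bucket name from an account ID and region, emits an IAM policy statement that only trusts that bucket when it belongs to the caller's own account (using the aws:ResourceAccount global condition key, as an illustration of the kind of condition the fix adds, not the exact bootstrap template shipped in v2.149.0), and audits a list of bootstrapped account/region pairs for buckets that are missing or already claimed elsewhere. The ownership lookup is injected as a callback so the example runs offline on a constructed inventory; in practice it would wrap an S3 HeadBucket call.

```python
"""Defender-side checks for the CDK bootstrap bucket issue described above.

Added example; not code from AWS, the CDK project or Aqua. The policy is an
illustration of the own-account condition the article describes, not the
actual bootstrap template.
"""
import json
import re
from typing import Callable, Dict, List, Tuple

# Default bootstrap qualifier that appears in the bucket name pattern above.
DEFAULT_QUALIFIER = "hnb659fds"

# Ownership states a lookup callback may return for a bucket name.
OWNED, MISSING, FOREIGN = "owned", "missing", "foreign"


def bootstrap_bucket_name(account_id: str, region: str,
                          qualifier: str = DEFAULT_QUALIFIER) -> str:
    """Build the predictable staging bucket name cdk-{qualifier}-assets-{account}-{region}."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")
    return f"cdk-{qualifier}-assets-{account_id}-{region}"


def hardened_asset_policy(account_id: str, region: str,
                          qualifier: str = DEFAULT_QUALIFIER) -> dict:
    """IAM policy that allows access to the staging bucket only when the bucket
    is owned by our own account. Without the Condition block a same-named bucket
    created in a foreign account would be trusted just as readily."""
    bucket_arn = f"arn:aws:s3:::{bootstrap_bucket_name(account_id, region, qualifier)}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "StagingBucketOwnAccountOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject",
                       "s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
            # Global condition key: the resource must live in this account.
            "Condition": {"StringEquals": {"aws:ResourceAccount": account_id}},
        }],
    }


def audit_bootstrap_buckets(targets: List[Tuple[str, str]],
                            lookup: Callable[[str], str]) -> Dict[str, List[str]]:
    """Group each (account, region) staging bucket by ownership status.

    `lookup` maps a bucket name to OWNED / MISSING / FOREIGN. In production it
    would wrap S3 HeadBucket (200 -> owned, 404 -> missing, 403 -> owned by
    someone else). MISSING buckets must be re-created with cdk bootstrap before
    any further cdk deploy; FOREIGN ones mean the name is already taken and the
    account's deployment roles must not be allowed to trust it."""
    report: Dict[str, List[str]] = {OWNED: [], MISSING: [], FOREIGN: []}
    for account_id, region in targets:
        name = bootstrap_bucket_name(account_id, region)
        status = lookup(name)
        if status not in report:
            raise ValueError(f"unexpected status {status!r} for {name}")
        report[status].append(name)
    return report


# Constructed sample inventory (fictional account IDs, not real data).
SAMPLE_TARGETS = [
    ("111111111111", "us-east-1"),
    ("111111111111", "eu-west-1"),
    ("222222222222", "us-east-1"),
]
SAMPLE_STATUS = {
    "cdk-hnb659fds-assets-111111111111-us-east-1": OWNED,
    "cdk-hnb659fds-assets-111111111111-eu-west-1": MISSING,  # deleted after bootstrap
    "cdk-hnb659fds-assets-222222222222-us-east-1": FOREIGN,  # name claimed elsewhere
}


def sample_lookup(name: str) -> str:
    """Offline stand-in for a HeadBucket-based ownership check."""
    return SAMPLE_STATUS.get(name, MISSING)


if __name__ == "__main__":
    print(json.dumps(audit_bootstrap_buckets(SAMPLE_TARGETS, sample_lookup), indent=2))
    print(json.dumps(hardened_asset_policy("111111111111", "us-east-1"), indent=2))
```

Anything reported under "missing" is exactly the state the article warns about: the bucket was bootstrapped and later deleted, so its name is free for anyone to claim. Re-running cdk bootstrap on the fixed CDK version both recreates the bucket and installs the own-account condition.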
This discovery highlights the importance of staying updated with the latest security patches and following best practices when using cloud infrastructure tools like AWS CDK.
As more organizations adopt Infrastructure as Code (IaC) practices, it is crucial to remain vigilant against potential vulnerabilities that could lead to costly breaches.