Aqua Finds 6 Critical AWS Cloud Services Vulnerabilities
Aqua Security, the pioneer in cloud-native security, today unveiled new research by its cyber research team, Nautilus, addressing critical vulnerabilities in six AWS services. The potential impacts include remote code execution (RCE), full-service user takeover which might provide powerful administrative access, manipulation of AI modules, exposing sensitive data, data exfiltration and denial of service. The vulnerabilities were quickly acknowledged and fixed by AWS.
“When creating a new service in AWS, there are internal dependencies and complexities that cloud users and developers might not be aware of,” said Yakir Kadkoda, Lead Researcher at Aqua Security. “We found that under some conditions, an attacker could exploit gaps to gain access to and even take over AWS accounts.”
The Vulnerabilities Found by Aqua Security
The vulnerabilities were found in the following AWS services: CloudFormation, Glue, EMR, SageMaker, ServiceCatalog and CodeStar. When creating any of these services in a new region for the first time, an S3 bucket is automatically created with a certain name. This name is divided into the name of the service of the AWS account ID (in most services mentioned above) and the name of the region. Thus, across all AWS regions, the bucket name remains the same, differing only by the region name.
Aqua Nautilus uncovered how attackers could discover the buckets’ names or guess predictable parts of the bucket name. Subsequently, using a method dubbed “Bucket Monopoly,” the attackers can create these buckets in advance in all available regions, essentially performing a landgrab, and then storing malicious code in the bucket.
When the targeted organisation enables the service in a new region for the first time, the malicious code will be unknowingly executed by the targeted organisation, potentially resulting in the creation of an admin user in the targeted organisation granting control to the attackers.
“Because S3 bucket names are unique across all of AWS, if you capture a bucket, it’s yours and no one else can claim that name,” said Ofek Itach, Aqua Nautilus Security Researcher. “We demonstrated how S3 can become a ‘shadow resource,’ and how easily attackers can discover or guess it and exploit it.”
“This finding is a significant part of Nautilus and Aqua’s mission,” said Kadkoda. “Our aim is to improve the security of the cloud and enable organisations to use it safely. Our responsible disclosure of findings to the AWS security team, and their professional response, prevented what could have been a massive initial access point for attackers, protecting the cloud environments of many organisations.”