Cybersecurity researchers have identified multiple critical vulnerabilities in Amazon Web Services (AWS) that could be exploited to cause severe damage, including remote code execution (RCE), full-service takeovers, data theft, and denial-of-service (DoS) attacks. The flaws, disclosed in a report by Aqua Security and presented at Black Hat USA 2024, stem from an attack vector dubbed Bucket Monopoly, which leverages a method known as Shadow Resource to exploit automatic S3 bucket creation in various AWS services. AWS addressed these vulnerabilities through patches deployed between March and June 2024 following responsible disclosure.
Bucket Monopoly: Shadow Resource Attack Vector
Description:
- Bucket Monopoly targets AWS services such as CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar, which automatically create S3 buckets with predictable names (e.g., cf-templates-{Hash}-{Region}). Because S3 bucket names are globally unique, an attacker who creates a bucket with a victim's predictable name in a region the victim has not yet used owns that name; when the victim later triggers the service in that region, the service reads from or writes to the attacker's bucket, giving the attacker unauthorized access to its contents.
Potential Impact:
- Remote Code Execution (RCE): Attackers can insert malicious code into S3 buckets, which could be executed unknowingly by the target when deploying resources, leading to potential system compromise.
- Full-Service Takeovers: Through this attack, an attacker could create a rogue admin user, gaining full control over the victim’s AWS account.
- Data Theft and Manipulation: Unauthorized access to S3 buckets could result in data exfiltration or tampering with stored data.
- Denial-of-Service (DoS): Because the affected services depend on reading from and writing to the bucket, an attacker who controls it can disrupt those services.
Affected Services:
- AWS Glue: aws-glue-assets-{Account-ID}-{Region}
- AWS Elastic MapReduce (EMR): aws-emr-studio-{Account-ID}-{Region}
- AWS SageMaker: sagemaker-{Region}-{Account-ID}
- AWS CodeStar: aws-codestar-{Region}-{Account-ID}
- AWS Service Catalog: cf-templates-{Hash}-{Region}
Mitigation and Recommendations
AWS Patches and Response:
- AWS deployed patches for the identified vulnerabilities between March and June 2024, after the responsible disclosure by Aqua Security in February 2024.
Recommended Actions:
- Update AWS Configurations: Ensure all AWS environments are running the latest updates and patches provided by AWS.
- Secure S3 Bucket Naming: Avoid using predictable or static identifiers in S3 bucket names. Instead, generate unique hashes or random identifiers for each region and account to prevent attackers from claiming buckets prematurely.
- Protect AWS Account IDs: Treat AWS account IDs as sensitive information, contrary to previous guidance, to prevent their use in staging similar attacks.
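The following script is an added defensive example and is not part of the Aqua Security report or any AWS tooling. It expands the account-ID-based naming patterns listed under Affected Services across a set of regions and checks each name with S3 HeadBucket, passing ExpectedBucketOwner so that a bucket owned by another account is reported as a 403 rather than mistaken for your own. The CloudFormation and Service Catalog pattern (cf-templates-{Hash}-{Region}) is omitted because the per-account hash cannot be derived here. The account ID 123456789012 and the probe results in the usage block are constructed sample values; the boto3 calls used (head_bucket, get_caller_identity) are real.

```python
"""Audit the predictable 'shadow' S3 bucket names for one AWS account.

Verdicts per bucket name:
  owned            HeadBucket returned 200: the bucket exists and this account owns it
  unclaimed        404: nobody has created a bucket with this name yet
  exists-not-owned 403: the bucket exists but is owned by another account (or access denied)
  unknown          any other status (e.g. a region redirect); inspect manually
"""
from typing import Callable, Dict, Iterable, Optional, Tuple

# Naming patterns from the advisory (account-ID based ones only).
SHADOW_BUCKET_PATTERNS = {
    "Glue": "aws-glue-assets-{account}-{region}",
    "EMR Studio": "aws-emr-studio-{account}-{region}",
    "SageMaker": "sagemaker-{region}-{account}",
    "CodeStar": "aws-codestar-{region}-{account}",
}


def expected_bucket_names(account_id: str, regions: Iterable[str]) -> Dict[str, str]:
    """Map every predictable bucket name for this account to the service that would use it."""
    names: Dict[str, str] = {}
    for service, pattern in SHADOW_BUCKET_PATTERNS.items():
        for region in regions:
            names[pattern.format(account=account_id, region=region)] = service
    return names


def classify(status: Optional[int]) -> str:
    """Translate the HTTP status of a HeadBucket probe into an audit verdict."""
    if status == 200:
        return "owned"
    if status == 404:
        return "unclaimed"
    if status == 403:
        return "exists-not-owned"
    return "unknown"


def audit(account_id: str, regions: Iterable[str],
          probe: Callable[[str], Optional[int]]) -> Dict[str, Tuple[str, str]]:
    """Return {bucket_name: (service, verdict)} for every predictable name.

    `probe` takes a bucket name and returns the HTTP status of a HeadBucket call;
    it is injected so the logic can run offline against constructed results.
    """
    report: Dict[str, Tuple[str, str]] = {}
    for name, service in expected_bucket_names(account_id, regions).items():
        report[name] = (service, classify(probe(name)))
    return report


def make_boto3_probe(account_id: str) -> Callable[[str], Optional[int]]:
    """Build a real probe: HeadBucket with ExpectedBucketOwner set to our account.

    S3 answers 403 when the bucket exists but ExpectedBucketOwner does not match,
    so a bucket claimed by someone else is never reported as 'owned'.
    """
    import boto3  # imported lazily so the pure functions above need no AWS SDK
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")

    def probe(name: str) -> Optional[int]:
        try:
            s3.head_bucket(Bucket=name, ExpectedBucketOwner=account_id)
            return 200
        except ClientError as err:
            return int(err.response["ResponseMetadata"]["HTTPStatusCode"])

    return probe


if __name__ == "__main__":
    import boto3

    me = boto3.client("sts").get_caller_identity()["Account"]
    region_names = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    for bucket, (svc, verdict) in sorted(audit(me, region_names, make_boto3_probe(me)).items()):
        if verdict != "owned":
            print(f"{verdict:17} {svc:11} {bucket}")
```

Run it with credentials for the account being audited; it lists every predictable name that is not already owned by that account. An "unclaimed" verdict means the name is currently free in a region you have not used, and "exists-not-owned" means a bucket with your account's predictable name already belongs to someone else and should be investigated before the corresponding service is used in that region.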
Conclusion
The discovery of these severe AWS flaws highlights the importance of securing cloud environments against increasingly sophisticated attack vectors like Bucket Monopoly. Organizations using AWS are strongly advised to apply the latest updates and review their cloud security practices to protect against potential exploitation.