
Researchers expose AWS vulnerabilities and the ‘shadow resource’ vector


A recent session at Black Hat USA 2024 brought attention to six critical vulnerabilities in AWS services, as well as a new attack vector dubbed “shadow resources” by Aqua Security researchers. These vulnerabilities, which were promptly patched by AWS after being reported, shed light on potential threats and attack techniques that could jeopardize customer data and resources, potentially leading to a complete account takeover.

During the session, titled “Breaching AWS Accounts Through Shadow Resources,” Aqua’s Nautilus team members Yakir Kadkoda and Ofek Itach, alongside former Aqua employee and current Microsoft researcher Michael Katchinskiy, discussed how they uncovered the vulnerabilities and the shadow resource vector while working with CloudFormation. The team observed that when customers use CloudFormation for the first time in a new region through the AWS Management Console, an S3 bucket is automatically generated to store their CloudFormation templates.

Interestingly, the researchers discovered that the names of these automatically deployed S3 buckets follow a specific pattern, making them somewhat predictable. By leveraging various reconnaissance techniques, threat actors could potentially guess the names of these buckets before they are created and engage in what the researchers referred to as “Bucket Monopoly.” This tactic involves creating malicious S3 buckets before AWS does, exploiting the permissions the service grants to that bucket to gain access to sensitive data and even establish a backdoor for future attacks.

Moreover, the researchers highlighted a critical flaw in the S3 bucket naming process: AWS occasionally uses the account ID as the unique identifier instead of a hash. Because account IDs are not secret, this makes the bucket name fully predictable, and attackers could exploit it to target specific organizations and launch malicious activities within their cloud environment.

In their report, the research team detailed how they leveraged AWS Lambda to read CloudFormation templates from a compromised S3 bucket and insert a new administrator role, essentially granting them full control over the victim’s account. This severe vulnerability underscores the importance of securing cloud resources and ensuring robust access controls to prevent unauthorized access.
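The defensive counterpart to the Bucket Monopoly technique described above is to check, before a service or pipeline writes anything to an auto-named bucket, that the name is either still unclaimed (so you can create it yourself first) or already owned by your own account. The following Python script is an added example, not Aqua’s or AWS’s code. The naming template `cf-templates-{account}-{region}` is an illustrative assumption standing in for a service that embeds the account ID in its bucket names, and the inventory dictionary is a constructed stand-in for what `s3.head_bucket(Bucket=..., ExpectedBucketOwner=...)` would tell you in a real account.

```python
"""Audit the S3 bucket names a service is expected to auto-create for an
account, and refuse to trust any that already exist under someone else's
ownership. Added example; the naming template and the bucket inventory
are constructed for illustration, not taken from AWS or from the research."""
from typing import Dict, Iterable, Optional

# Assumption: illustrative template for a service that embeds the account ID
# in its auto-generated bucket name (the fully predictable case the research
# called out). Real services use their own schemes; substitute them here.
SHADOW_BUCKET_TEMPLATE = "cf-templates-{account}-{region}"

# Constructed stand-in for the result of
#   s3.head_bucket(Bucket=name, ExpectedBucketOwner=account_id)
# maps bucket name -> owner account ID, or None when the name is unclaimed.
# In a real run: 404 -> name still free; 403 with ExpectedBucketOwner set ->
# the bucket exists but is NOT yours (possible pre-created shadow resource).
INVENTORY: Dict[str, Optional[str]] = {
    "cf-templates-123456789012-us-east-1": "123456789012",  # ours
    "cf-templates-123456789012-eu-west-1": "999999999999",  # claimed by a stranger
    # ap-south-1 deliberately absent: name not yet claimed by anyone
}


def expected_bucket_names(account_id: str, regions: Iterable[str]) -> Dict[str, str]:
    """Return {region: bucket_name} for every region we might deploy into."""
    return {
        region: SHADOW_BUCKET_TEMPLATE.format(account=account_id, region=region)
        for region in regions
    }


def classify_bucket(name: str, account_id: str,
                    inventory: Dict[str, Optional[str]]) -> str:
    """'owned' (ours), 'unclaimed' (free to create) or 'foreign' (someone
    else got there first; never write templates or secrets into it)."""
    owner = inventory.get(name)
    if owner is None:
        return "unclaimed"
    if owner == account_id:
        return "owned"
    return "foreign"


def audit_shadow_buckets(account_id: str, regions: Iterable[str],
                         inventory: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each expected bucket name to its classification."""
    return {
        name: classify_bucket(name, account_id, inventory)
        for name in expected_bucket_names(account_id, regions).values()
    }


def safe_to_use(name: str, account_id: str,
                inventory: Dict[str, Optional[str]]) -> bool:
    """Deployment gate: proceed only when the bucket already belongs to us."""
    return classify_bucket(name, account_id, inventory) == "owned"


if __name__ == "__main__":
    report = audit_shadow_buckets(
        "123456789012", ["us-east-1", "eu-west-1", "ap-south-1"], INVENTORY)
    for bucket, status in report.items():
        print(f"{status:9s} {bucket}")
```

In practice, treat an `unclaimed` result as a prompt to create the bucket in your own account before the service does, a `foreign` result as a stop condition for any deployment into that region, and, independently of this check, pass `ExpectedBucketOwner` on S3 calls and restrict IAM policies with the `aws:ResourceAccount` condition key so that a role can only touch buckets owned by your account, whatever their names.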

While AWS quickly remediated five of the six vulnerabilities identified by Aqua researchers, the threat of Bucket Monopoly attacks persists across various AWS services. The session also shed light on the potential impact of these attacks on open-source projects, further emphasizing the need for heightened security measures in cloud environments.

Overall, the findings presented during the Black Hat session serve as a stark reminder of the evolving threat landscape in cloud computing and the importance of proactive security measures to safeguard sensitive data and resources from malicious actors. As organizations increasingly rely on cloud services, it is critical to stay vigilant against emerging threats and vulnerabilities to maintain a secure and resilient infrastructure.
