Recently, several critical vulnerabilities have been discovered in Amazon Web Services, which have shaken the cybersecurity community and raised the discussion about the complexities of cloud security in the age of pervasive digital transformation.
These vulnerabilities were detected by a team operating under the name Nautilus, working for Aqua Security, and showed serious flaws in six important AWS services: CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar. If exploited, those issues would have resulted catastrophically, triggering remote code execution attacks, data exfiltration, full-service takeovers, and denial of services.
The Attack Vectors: Shadow Resource and Bucket Monopoly
Central to the findings were two newly identified attack vectors: "Shadow Resource" and "Bucket Monopoly." The former exploits automatically created AWS resources, like S3 buckets, often set up without explicit user directions. In essence, the attack vectors leverage the predictability of the naming conventions of AWS resources for executing a takeover of user accounts, manipulation of AI modules, or even exposing sensitive data.
For example, the "Bucket Monopoly" method uses the automatic creation of S3 buckets in virtually all regions. Now, if these buckets are created beforehand in the overlooked regions, he can intercept or influence the interactions with the resources up to full account takeovers. This method of attack showcases the risk that public exposure of AWS Account IDs and predictable resource names brings to the assumptions currently made on security in the cloud.
Shadow Resource Vulnerability: Exploiting Predictable S3 Bucket Names
The Shadow Resource vulnerability arises from the predictable naming convention of S3 buckets created by AWS services like CloudFormation. This predictability allows attackers to exploit a "Bucket Monopoly" strategy.
Attack Scenario:
- Bucket Creation: An attacker identifies the predictable S3 bucket naming pattern used by a target organization (e.g.,
cf-templates-{hash}-{region}
). - Region Scanning: The attacker creates S3 buckets with these predictable names in multiple AWS regions, anticipating the target organization's future expansion.
- Victim Expansion: When the target organization creates a new CloudFormation stack in a previously unused region, the attacker's pre-created bucket is used instead of creating a new one.
- Malicious Code Injection: The attacker can then populate the bucket with malicious code or configuration files, which will be used by the victim's CloudFormation stack, potentially leading to remote code execution or data exfiltration.
Glue Job Injection Vulnerability
The Glue job injection vulnerability stems from the predictable S3 bucket naming convention used to store Glue job scripts.
Attack Scenario:
- Bucket Identification: An attacker determines the predictable S3 bucket naming pattern for Glue jobs (e.g.,
aws-glue-assets-{account-id}-{region}
). - Bucket Creation: The attacker creates an S3 bucket with the target organization's account ID and a specific region.
- Malicious Script Upload: The attacker uploads a malicious Python script to the created S3 bucket.
- Glue Job Execution: When the target organization creates a Glue job in the specified region, the malicious script is inadvertently used, leading to potential remote code execution or data access.
Bucket Monopoly Attack
This Python code outlines a basic approach to creating shadow buckets based on a target account ID and a list of regions.
Glue Job Injection Attack
This code demonstrates how an attacker might upload a malicious Python script to a compromised Glue job S3 bucket.
Note: These code snippets are simplified for illustrative purposes and do not represent actual attack code. Real-world attacks would involve more complex logic and evasion techniques.
Timeline of Discovery and Mitigation
The vulnerabilities were responsibly disclosed to AWS in February 2024, and the cloud giant worked fast to fix them, rolling out fixes between March and June. But the exercise has highlighted quite starkly the difficulty of securing cloud environments in which thousands of services interoperate, coexist, and share resources. The findings were presented in public at some of the most recognized cybersecurity conferences—Black Hat USA and DEF CON 32—in August 2024, illustrating even wider implications for cloud security.
The Wider Implications to Cloud Security
These vulnerabilities act as a strong reminder of the paradigm shift in threats in the cloud space. With mission-critical workloads moving to the cloud, there is an unparalleled increase in the volume of the attack surface, which creates greater potential for security lapses.
The findings of Aqua Security vividly illustrate that such old, established cloud providers like AWS are not free from vulnerabilities and, on the whole, the safety of the cloud environment should be constantly watched and taken care of.
The results did not remain unnoticed by the broader cybersecurity community. Some researchers have commented that it should be a call for more scoped policies, introducing bucket ownership verification and not using predictable resource names. This has also opened a can of worms related to the classification of AWS account IDs in terms of sensitivity, and some researchers are advocating a stance on handling these IDs as such.
Learning for the Cloud Security Practitioner
From a security practitioner's standpoint, the lesson in effect is to respect the complexity of cloud service configurations and the risk associated with automation.
Essentially, the vectors "Shadow Resource" and "Bucket Monopoly" ground the risks of default settings with a call for a custom configuration facility that is nested on security.
Moreover, the incident shows how the knowledge of new threats and vulnerabilities must be kept abreast. Cloud services evolve, as do the tactics of the attackers. That implies organizations need high agility, constant improvement, and readiness to carry the risks in the cloud down to a tolerable level at all times.
Conclusion
Critical vulnerabilities in Amazon Web Services provide a wake-up call across the board to the general cloud ecosystem: while cloud providers like AWS may have good security frameworks, the ultimate responsibility for securing a cloud environment rests on organizations making use of those services.
These efforts, through proper risk comprehension, best practice implementations, and continuous pursuance of emerging threats, shield organizations' cloud assets and guarantee the security of their digital operations.