And it occurred to nobody at Amazon that this naming scheme might become a problem?
AWS Cloud Development Kit flaw exposed accounts to full takeover
Amazon Web Services has fixed a flaw in its open source Cloud Development Kit that, under the right conditions, could allow an attacker to hijack a user's account completely. The Cloud Development Kit (CDK) is an open source framework, developed by AWS, that allows developers to define cloud application infrastructure as code …
COMMENTS
-
Monday 28th October 2024 07:56 GMT Claptrap314
Even better. This is a known risk, and some of their tools have gotten it right for a long time. In fact, I first learned about this risk when I observed a tool adding a random string on the back, and got to wondering...
Seriously, though, globally addressable S3 bucket names have been nothing but trouble since the start. This has blown right past the "farce" stage of history repetition.
-
Monday 28th October 2024 06:24 GMT Richard 12
Well, technically Oracle has them globally unique too, it just includes the account ID automatically in some way and (hopefully?) won't let you add stuff to someone else's namespace.
AWS and GCP started out as their own internal platforms, so to begin with there was only one account.
There are 'advantages' to being able to use buckets owned by others, e.g. if you've outsourced something you can just point straight at theirs.
Seems crazy to let anyone pollute someone else's namespace. Even worse to use existing buckets owned by someone else by default.
Yet another example of how horrifically bad the documentation is for these "modern" systems.
-
Saturday 26th October 2024 22:34 GMT Anonymous Coward
Pre-load??
> in which criminals could predict AWS S3 bucket names, pre-load malicious code into a bucket,
Can anyone elaborate on this for me please?
How can the criminals load data into a bucket that hasn't yet been created? Or does it mean the crims poll for bucket creation and load the malware after creation but before security policies can be applied? Surely AWS doesn't create open buckets and then secure them as a later step, allowing a small window of opportunity?
And, aren't users a bit surprised to find malware (aka data generating billing charges) present in newly created buckets?
-
Sunday 27th October 2024 00:04 GMT KalF
Re: Pre-load??
The crims create a bucket in their own account with the predicted name/s. They upload some dodgy code into that bucket, presumably obfuscated. You bootstrap your CDK. You don't supply a custom bucket name, because many ppl don't. CDK either creates _or_ uses the default bucket. CDK didn't crash out if the bucket already existed and was owned by someone else. <- this seems like an obvious risk to me, but what do I know?
Since bucket names are global, it turns out you are now using a bucket you don't own, with code present that you are likely to accidentally execute.
The fix is to require CDK bootstrapping to only use buckets within the user's account. And in future to also not use a predictable name.
-
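The gap described in the reply above is using an existing bucket without checking who owns it. The following is an added example, not part of the thread or of the CDK code base, of failing closed on that check: `check_bootstrap_bucket` is a hypothetical helper, `FakeS3`, the bucket names and the account IDs are constructed so the block runs offline, and the `head_bucket` call with `ExpectedBucketOwner` mirrors the real S3 API.

```python
class FakeS3Error(Exception):
    """Constructed error carrying a botocore-style .response dict."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """Constructed model: bucket names are global, each has one owning account."""
    def __init__(self, owners):
        self.owners = owners  # bucket name -> owning account id

    def head_bucket(self, Bucket, ExpectedBucketOwner):
        if Bucket not in self.owners:
            raise FakeS3Error("404")
        if self.owners[Bucket] != ExpectedBucketOwner:
            raise FakeS3Error("403")  # S3 denies the request on owner mismatch
        return {}


def check_bootstrap_bucket(s3, bucket, account_id):
    """Return 'use', 'create' or 'refuse' for a bootstrap bucket name.

    With boto3, pass boto3.client("s3") as s3; the call shape is the same.
    """
    try:
        s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=account_id)
        return "use"  # exists and is owned by our own account
    except Exception as err:
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code in ("404", "NoSuchBucket"):
            return "create"  # name is free: create it in our own account
        return "refuse"  # 403 or anything unexpected: stop, do not upload


# Constructed sample state: one bucket is ours, one belongs to another account.
SAMPLE = FakeS3({
    "example-assets-ours": "111111111111",
    "example-assets-squatted": "999999999999",
})

if __name__ == "__main__":
    for name in ("example-assets-ours", "example-assets-squatted",
                 "example-assets-free"):
        print(name, "->", check_bootstrap_bucket(SAMPLE, name, "111111111111"))
```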