AWS fixes cloud development kit security flaw that could allow for complete account takeover

Predictable naming pattern in the bootstrap process could have been abused

Amazon Web Services (AWS) has fixed a security flaw in its Cloud Development Kit (CDK) which could have allowed threat actors to fully take over people’s accounts.

The AWS Cloud Development Kit (CDK) is an open source software development framework that allows developers to define cloud infrastructure using familiar programming languages like TypeScript, Python, and Java. It simplifies the process of creating and managing AWS resources by converting code into AWS CloudFormation templates, enabling infrastructure as code (IaC) practices.

In order to deploy an app, users are first required to bootstrap the environment, which includes creating necessary components such as identity and access management (IAM) roles, permissions, policies, and an S3 staging bucket. The S3 staging buckets all follow the same naming pattern: “cdk-{Qualifier}-{Description}-{Account-ID}-{Region}”. That means crooks can easily predict the name, as long as they know the AWS Account-ID and the region in which the CDK is deployed.
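The predictability described above is something an account owner can audit for themselves. The following is an added example, not code from the article, Aqua or the AWS CDK project: it derives the expected staging bucket name for each bootstrapped environment, flags use of the default qualifier, and reports buckets that are missing or owned by someone else. The `owner_check` callable and all account IDs and regions are constructed placeholders.

```python
"""Audit CDK staging-bucket names for predictable qualifiers and foreign ownership."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

DEFAULT_QUALIFIER = "hnb659fds"  # the default qualifier named in the article


@dataclass(frozen=True)
class CdkEnv:
    account_id: str
    region: str
    qualifier: str = DEFAULT_QUALIFIER


def staging_bucket_name(env: CdkEnv) -> str:
    """Expected staging bucket: prefix 'cdk', qualifier, constant 'assets', account, region."""
    return f"cdk-{env.qualifier}-assets-{env.account_id}-{env.region}"


def audit(envs: Iterable[CdkEnv],
          owner_check: Callable[[str, str], str]) -> List[Tuple[str, str]]:
    """owner_check(bucket, account_id) returns 'owned', 'foreign' or 'missing'.
    In a real deployment this would wrap S3 HeadBucket with ExpectedBucketOwner
    (assumed wiring, not shown). Returns (bucket, finding) pairs."""
    findings = []
    for env in envs:
        bucket = staging_bucket_name(env)
        if env.qualifier == DEFAULT_QUALIFIER:
            findings.append((bucket, "default qualifier: name is predictable"))
        status = owner_check(bucket, env.account_id)
        if status == "missing":
            findings.append((bucket, "environment not bootstrapped"))
        elif status == "foreign":
            findings.append((bucket, "bucket exists but is owned by another account"))
    return findings


# Constructed sample: one default-qualifier env, one squatted bucket, one never bootstrapped.
SAMPLE_ENVS = [
    CdkEnv("123456789012", "us-east-1"),
    CdkEnv("123456789012", "eu-west-1", qualifier="team1"),
    CdkEnv("123456789012", "ap-south-1", qualifier="team1"),
]
SAMPLE_STATUS = {
    "cdk-hnb659fds-assets-123456789012-us-east-1": "owned",
    "cdk-team1-assets-123456789012-eu-west-1": "foreign",
}


def run_sample() -> List[Tuple[str, str]]:
    """Run the audit against the constructed sample data."""
    return audit(SAMPLE_ENVS, lambda b, _acct: SAMPLE_STATUS.get(b, "missing"))
```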

Thousands of instances

“Since the Prefix is always cdk, the Qualifier is by default hnb659fds, and assets is a constant string in the bucket name, the only variables that change are the Account ID and the Region,” explained cybersecurity researchers from Aqua, who first spotted the flaw.

This means crooks could claim someone else’s CDK staging bucket name in advance, preload it with malware, and then just wait for the victim to run it.

To make matters worse, Aqua says there are “thousands” of instances with the default qualifier being used in the bootstrap process, making it super easy to claim another user’s CDK staging bucket name. In fact, the problem could “allow an attacker to gain administrative access to a target AWS account, resulting in a full account takeover,” the pros explained.

Aqua reported the flaw to Amazon, which patched it in early July this year. The first clean CDK version is v2.149.0.

Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
