Summary:
In June 2024, Aqua Security discovered a security vulnerability in the AWS Cloud Development Kit (CDK), an open-source tool for building cloud infrastructure. This vulnerability could potentially allow attackers to gain administrative access to a target AWS account, allowing account hijacking for executing malicious code. The issue stems from the default behavior of CDK, which creates S3 buckets with predictable names during deployment. These predictable names can be exploited by attackers to gain unauthorized access to the bucket and its contents, including sensitive information and deployment scripts. By manipulating these buckets, attackers could inject malicious code into the target account's infrastructure. Aqua recommends that users of AWS CDK avoid using default bucket names and implement measures to protect their AWS accounts. The issue was reported to AWS on June 27, 2024, AWS completed remediation and updated documentation on August 9, 2024, and impacted customers were notified on October 15, 2024. AWS recently confirmed that approximately only 1% of accounts with CDK installed were impacted.

Security Officer Comments:
The recent discovery of a vulnerability in the AWS CDK highlights the importance of careful configuration and the principle of least privilege when using open-source tools. While the CDK is a powerful tool for automating cloud infrastructure deployments, it's essential to be aware of potential security risks posed by leaked AWS Account IDs and using predictable S3 bucket naming. This report expands on another previously published Aqua analysis of the dangers of overly simple S3 bucket naming conventions, especially when utilizing open-source software. By following the recommendations provided by Aqua, organizations can significantly reduce their exposure to this and similar threats. It is crucial to stay informed about the latest security advisories to proactively protect AWS environments. Regular security assessments and penetration testing can also help identify and address potential weaknesses or flaws in current cloud infrastructure configurations.

Suggested Corrections:

• Starting from CDK version v2.149.0, AWS added a condition to the bootstrap file-publish role (FilePublishingRole), ensuring it only trusts S3 buckets within the user's account. This prevents the CDK from pushing data to buckets not owned by the account that initiated the bootstrapping process.
• AWS also updated the documentation to highlight the importance of customizing bootstrapping resources, encouraging users to use a custom qualifier instead of the default hnb659fds.

While the AWS patch resolves the issue for new CDK users, it only applies to new bootstraps.

This means users who bootstrapped with an older version, such as CDK v2.148.1 (July 11, 2024) or earlier, will remain susceptible, even if they update their CDK.

AWS added messages to the CLI terminal, alerting users to upgrade their bootstrap resources and directly notified potentially affected customers.

To mitigate this risk, user action is required:

• If you're using CDK version v2.148.1 or earlier, upgrade to version v2.149.0 or later. After upgrading, re-run the cdk bootstrap command.
• Alternatively, instead of upgrading the CDK version, you can apply an IAM policy condition to the FilePublishingRole CDK role: cdk-${Qualifier}-file-publishing-role-${AWS::AccountId}-${AWS::Region}, similar to the AWS patch.

Link(s):
https://www.darkreading.com/threat-intelligence/aws-cdk-default-s3-bucket-naming-pattern-lets-adversaries-waltz-into-admin-access

https://www.aquasec.com/blog/aws-cdk-risk-exploiting-a-missing-s3-bucket-allowed-account-takeover/