How a Deleted S3 Bucket Could Hand Over Your Entire AWS Account to Attackers
A critical security vulnerability in AWS Cloud Development Kit (CDK) has been discovered that could allow attackers to gain full administrative access to targeted AWS accounts. The issue, uncovered in June 2024, affects users who manually deleted their CDK deployment artifact S3 buckets after initial setup and continued using older CDK versions.
The Vulnerability
The vulnerability stems from CDK's predictable naming pattern for its staging buckets, combined with the default administrative privileges granted to CDK's CloudFormation execution role. S3 bucket names are globally unique, so if a user deletes their CDK staging bucket and an attacker claims the same name, CDK will keep writing deployment artifacts to a bucket the attacker controls; the attacker can then inject malicious code into the CloudFormation templates that are executed when the victim next deploys infrastructure.
Impact and Scope
Research across 38,000 AWS accounts revealed that approximately 10% of CDK users were potentially vulnerable to this attack vector. Since these templates are executed with administrative privileges, attackers can create backdoor admin roles and effectively take over the entire account.
Mitigation and Patches
AWS has since patched the issue in CDK version v2.149.0 by ensuring assets are only uploaded to buckets within the user's own account. However, users of earlier versions must take action to protect themselves by either upgrading their CDK installation or modifying their IAM policies.
Key Takeaways
- Always treat AWS Account IDs as sensitive information
- Use IAM policy conditions to restrict resource access to specific AWS accounts
- Avoid predictable naming patterns for S3 buckets
- Regularly update CDK and other infrastructure tools to receive security patches
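As an added example (not code from the article or from AWS), the following Python audit illustrates the policy change described under Mitigation and in the takeaways: a weak S3 grant of the kind a CDK publishing role might carry, beside the same grant pinned to the user's own account with the aws:ResourceAccount condition key, plus a checker that flags S3 statements lacking that restriction. The statement contents and the account id 111122223333 are constructed placeholders.

```python
from typing import Any, Dict, List

# Placeholder account id, constructed for this example (not a real account).
OWN_ACCOUNT_ID = "111122223333"

# Constructed statement shaped like the S3 grant on a CDK publishing role.
# It allows S3 access to any bucket, including one an attacker has re-created
# under the old staging-bucket name in a different account.
WEAK_STATEMENT: Dict[str, Any] = {
    "Effect": "Allow",
    "Action": ["s3:GetObject*", "s3:PutObject*", "s3:ListBucket", "s3:GetBucketLocation"],
    "Resource": "*",
}

# Same grant, pinned to buckets owned by this account with aws:ResourceAccount.
HARDENED_STATEMENT: Dict[str, Any] = {
    **WEAK_STATEMENT,
    "Condition": {"StringEquals": {"aws:ResourceAccount": OWN_ACCOUNT_ID}},
}

def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list for Statement, Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _pinned_to_account(statement: Dict[str, Any], account_id: str) -> bool:
    """True if the statement requires aws:ResourceAccount to equal account_id."""
    string_equals = statement.get("Condition", {}).get("StringEquals", {})
    return _as_list(string_equals.get("aws:ResourceAccount")) == [account_id]

def unscoped_s3_statements(policy: Dict[str, Any], account_id: str) -> List[Dict[str, Any]]:
    """Return every Allow statement that grants S3 actions without restricting
    them to buckets owned by account_id. An empty list means the policy is clean."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [str(a).lower() for a in _as_list(stmt.get("Action"))]
        touches_s3 = any(a == "*" or a.startswith("s3:") for a in actions)
        if touches_s3 and not _pinned_to_account(stmt, account_id):
            findings.append(stmt)
    return findings

if __name__ == "__main__":
    policy = {"Version": "2012-10-17", "Statement": [WEAK_STATEMENT, HARDENED_STATEMENT]}
    for finding in unscoped_s3_statements(policy, OWN_ACCOUNT_ID):
        print("S3 grant not scoped to this account:", finding)
```

Feed it a policy document pulled from an existing CDK role to see which statements still need the condition.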
Conclusion
This vulnerability shows how a seemingly innocuous action such as bucket cleanup can open a serious hole in cloud infrastructure. AWS has released patches and directly notified potentially affected customers, which underlines the importance of proper security measures in infrastructure-as-code deployments.