BOSTON—August 7, 2024—Aqua Security, the pioneer in cloud native security, today unveiled new research by its cyber research team, Nautilus, addressing critical vulnerabilities in six AWS services. The potential impacts include remote code execution (RCE), full-service user takeover which might provide powerful administrative access, manipulation of AI modules, exposing sensitive data, data exfiltration and denial of service. The vulnerabilities were quickly acknowledged and fixed by AWS.
“When creating a new service in AWS, there are internal dependencies and complexities that cloud users and developers might not be aware of,” said Yakir Kadkoda, Lead Researcher at Aqua Security. “We found that under some conditions, an attacker could exploit gaps to gain access to and even take over AWS accounts.”
The vulnerabilities were found in the following AWS services: CloudFormation, Glue, EMR, SageMaker, ServiceCatalog and CodeStar. When any of these services is used in a new region for the first time, an S3 bucket is automatically created with a predictable name. That name is composed of the name of the service, the AWS account ID (in most of the services mentioned above) and the name of the region. Thus, across all AWS regions, the bucket name for a given account stays the same, differing only by the region name.
Aqua Nautilus uncovered how attackers could discover the buckets’ names or guess predictable parts of the bucket name. Subsequently, using a method dubbed “Bucket Monopoly,” the attackers can create these buckets in advance in all available regions, essentially performing a landgrab, then store malicious code in the bucket.
When the targeted organization enables the service in a new region for the first time, the service uses the attacker-controlled bucket and the malicious code is executed in the targeted organization's account without its knowledge, potentially resulting in the creation of an admin user in that account and granting the attackers control.
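The check a defender would want after reading the three paragraphs above is whether the predictable bucket names for their own account are already claimed, and if so by whom. The following is an added example written for this page; it is not Aqua Nautilus' or AWS' code. It assumes a generic name template of `<service>-<account_id>-<region>` (the page does not give the real per-service templates, so the template, the service names `svc-a`/`svc-b` and the account ID are placeholders), and it uses the real S3 `HEAD Bucket` call with the `ExpectedBucketOwner` parameter, so a bucket that exists but belongs to someone else comes back as 403 rather than 200. The live call needs boto3 and credentials; the name generation and response classification run offline against constructed responses.

```python
"""Enumerate the predictable S3 bucket names an AWS service would create for an
account in every region and classify each as owned / unclaimed / taken.

Example code added to this page, not Aqua Nautilus' or AWS' code. The name
template below is an assumption, not the real naming scheme of any service.
"""
from itertools import product

# Constructed sample inputs (not real AWS data).
SAMPLE_ACCOUNT_ID = "123456789012"
SAMPLE_SERVICES = ("svc-a", "svc-b")
SAMPLE_REGIONS = ("us-east-1", "eu-west-1", "ap-southeast-2")
# Assumed template: service name + account ID + region, as the page describes.
DEFAULT_TEMPLATE = "{service}-{account_id}-{region}"


def candidate_names(account_id, services, regions, template=DEFAULT_TEMPLATE):
    """Return every bucket name the template predicts, one per (service, region)."""
    return [template.format(service=s, account_id=account_id, region=r)
            for s, r in product(services, regions)]


def classify_head(status_code):
    """Map the HTTP status of HEAD Bucket (sent with ExpectedBucketOwner set to
    our account ID) onto what it means for the landgrab risk:
      200 -> bucket exists and our account owns it
      404 -> nobody has claimed the name yet: claim it before an attacker does
      403 -> the name exists but the owner does not match (squatted), or we
             lack permission; either way it must not be trusted
    """
    if status_code == 200:
        return "owned"
    if status_code == 404:
        return "unclaimed"
    if status_code == 403:
        return "claimed-by-other-or-denied"
    return "unknown"


def head_status(bucket, account_id, s3_client=None):
    """Issue HEAD Bucket with ExpectedBucketOwner and return the HTTP status.
    boto3 is imported lazily so the pure logic above works without it."""
    if s3_client is None:
        import boto3  # real library; requires AWS credentials at runtime
        s3_client = boto3.client("s3")
    from botocore.exceptions import ClientError
    try:
        resp = s3_client.head_bucket(Bucket=bucket, ExpectedBucketOwner=account_id)
        return resp["ResponseMetadata"]["HTTPStatusCode"]
    except ClientError as exc:
        # 403 / 404 arrive as exceptions; the status is in the error response
        return exc.response["ResponseMetadata"]["HTTPStatusCode"]


def audit(account_id, services, regions, status_fn=None, template=DEFAULT_TEMPLATE):
    """Return {bucket_name: classification} for every predicted name.
    status_fn(bucket) -> HTTP status code; defaults to a live HEAD Bucket call."""
    if status_fn is None:
        status_fn = lambda b: head_status(b, account_id)
    return {name: classify_head(status_fn(name))
            for name in candidate_names(account_id, services, regions, template)}


def _fake_status(bucket):
    """Constructed responses for the stand-alone run: one bucket already ours,
    one squatted by a third party, the rest still unclaimed."""
    if bucket == "svc-a-123456789012-us-east-1":
        return 200
    if bucket == "svc-b-123456789012-eu-west-1":
        return 403
    return 404


if __name__ == "__main__":
    results = audit(SAMPLE_ACCOUNT_ID, SAMPLE_SERVICES, SAMPLE_REGIONS, _fake_status)
    for name, verdict in results.items():
        print(f"{verdict:28s} {name}")
```

To run it against a real account, drop the `_fake_status` argument (so `audit` uses `head_status`) and replace the placeholder template and service list with the names the service actually creates in your account; the region list can come from `boto3.session.Session().get_available_regions("s3")`. Any name that classifies as `unclaimed` is a candidate for pre-emptive creation by your own account, and any `claimed-by-other-or-denied` result deserves investigation before the service is enabled in that region.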
“Because S3 bucket names are unique across all of AWS, if you capture a bucket, it’s yours and no one else can claim that name,” said Ofek Itach, Aqua Nautilus Security Researcher. “We demonstrated how S3 can become a ‘shadow resource,’ and how easily attackers can discover or guess it and exploit it.”
“This finding is a significant part of Nautilus and Aqua’s mission,” said Kadkoda. “Our aim is to improve the security of the cloud and enable organizations to use it safely. Our responsible disclosure of findings to the AWS security team, and their professional response, prevented what could have been a massive initial access point for attackers, protecting the cloud environments of many organizations.”
The research was first presented at Black Hat on Wednesday, August 7, and the blog with full details is available here.
About Aqua Nautilus
Aqua Nautilus is a security research team whose mission is to analyze the evolving cloud native threat landscape, uncovering new threats targeting containers, Kubernetes, serverless, applications' software supply chains and cloud infrastructure. The team aims to help Aqua customers and the community at large protect against unknown, zero-day and emerging threats, turning insights from real-world attacks into powerful, intelligence-driven protection within the Aqua Platform.
About Aqua Security
Aqua Security is the pioneer in securing containerized cloud native applications from development to production. Aqua’s full lifecycle solution prevents attacks by enforcing pre-deployment hygiene and mitigates attacks in real time in production, reducing mean time to repair and overall business risk. The Aqua Platform, a Cloud Native Application Protection Platform (CNAPP), integrates security from Code to Cloud, combining the power of agent and agentless technology into a single solution. With enterprise scale that doesn’t slow development pipelines, Aqua secures your future in the cloud. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL protecting over 500 of the world’s largest enterprises. For more information, visit https://www.aquasec.com.