SOC Alert: Multiple AWS Service Vulnerabilities

If you use Amazon Web Services (AWS), be aware of a set of vulnerabilities recently disclosed in several core services. These issues could put your infrastructure at risk: the potential impact ranges from remote code execution (RCE) to full account takeover, tampering with AI models and data exfiltration.

The vulnerabilities affect the following AWS services:

  • CloudFormation: the bucket the service creates to hold uploaded templates has a predictable name (a `cf-templates-` prefix, a per-account hash and the region). An attacker who claims that name first can read or modify the templates you upload before they are deployed, steal your data, and potentially gain full control of the account.
  • Glue: the same flaw lets an attacker inject code into the scripts of your Glue jobs, giving RCE under the job's role and possibly a complete account takeover.
  • EMR, SageMaker, ServiceCatalog: these services were identified as vulnerable in the same way, although specific exploitation details were not disclosed.
  • CodeStar: considered mitigated, since new projects can no longer be created and the service is scheduled for deprecation in July 2024.

Two attack techniques are involved, named "Shadow Resource" and "Bucket Monopoly". A shadow resource is one AWS creates on your behalf without an explicit instruction, such as the S3 bucket a service provisions the first time you use it in a region. Bucket names are globally unique and these ones follow a predictable pattern (typically built from your account ID and the region), so an attacker who learns your account ID can pre-create the bucket, with a permissive policy, in every region you have not used yet. When you later use the service in one of those regions, AWS writes into the attacker's bucket, letting them read or tamper with whatever passes through it, up to full account compromise.

AWS responded quickly with patches and hardening. For instance, affected services now append a random sequence to the bucket name, or prompt you to choose a new name if the predictable one is already taken. CodeStar's issue is addressed through the service's planned deprecation.


However, do not rely solely on AWS's fixes.

To protect your systems, consider these measures:

  • Implement scoped policies: add the `aws:ResourceAccount` condition key to the policies of the roles your services and pipelines assume, so that S3 (and other) requests to resources owned by a different account are denied even when a bucket name collides.
  • Verify bucket ownership: regularly confirm that buckets with predictable names belong to your account, for example by calling HeadBucket with `ExpectedBucketOwner` set to your account ID, which fails with 403 Forbidden if someone else owns the bucket.
  • Use unique bucket names: avoid predictable names for the buckets you create yourself; use unique, randomised identifiers instead.
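The following script puts the first two measures into practice. It is an added example written for this article, not code from the original post or from AWS. It expands a set of predictable bucket-name patterns across regions, probes each name the way HeadBucket with `ExpectedBucketOwner` would, classifies the result as owned, foreign or unclaimed, and emits an IAM policy that uses `aws:ResourceAccount`. The name patterns, the sample account ID and the `fake_head_bucket` stand-in are assumptions constructed for the demo; confirm the exact names the services create in your own account before relying on them, and swap in the `boto3_head_bucket` adapter to run it against real credentials.

```python
"""Audit predictable ("shadow") S3 bucket names and build a scoped policy.

Added example for this article; not code from the original post or from
AWS. The bucket-name patterns below are assumptions that mirror the
predictable naming the Bucket Monopoly research described: confirm the
exact names the services create in your own account before relying on
them.
"""
import json
from dataclasses import dataclass

# Assumed patterns. CloudFormation's hash is fixed per account but only
# learnable once the service has created the bucket somewhere, so the
# caller must supply it.
SHADOW_BUCKET_PATTERNS = {
    "glue": "aws-glue-assets-{account}-{region}",
    "sagemaker": "sagemaker-{region}-{account}",
    "emr-studio": "aws-emr-studio-{account}-{region}",
    "cloudformation": "cf-templates-{cf_hash}-{region}",
}

# HeadBucket with ExpectedBucketOwner: 200 = exists and owner matches,
# 403 = exists but owner differs (or we lack s3:ListBucket on it),
# 404 = nobody has created it yet.
STATUS = {200: "owned", 403: "foreign", 404: "unclaimed"}


@dataclass(frozen=True)
class BucketFinding:
    service: str
    region: str
    bucket: str
    status: str


def candidate_buckets(account, regions, cf_hash=None):
    """Expand the patterns into the names AWS would create per region."""
    names = []
    for service, pattern in SHADOW_BUCKET_PATTERNS.items():
        if "{cf_hash}" in pattern and cf_hash is None:
            continue  # not predictable without the hash
        for region in regions:
            names.append((service, region,
                          pattern.format(account=account, region=region, cf_hash=cf_hash)))
    return names


def audit_buckets(head_bucket, account, regions, cf_hash=None):
    """Probe every candidate; `head_bucket(name, owner)` returns the HTTP status."""
    return [
        BucketFinding(service, region, name, STATUS.get(head_bucket(name, account), "unknown"))
        for service, region, name in candidate_buckets(account, regions, cf_hash)
    ]


def foreign_buckets(findings):
    """Names that exist but are not ours: someone may have claimed them first."""
    return [f for f in findings if f.status == "foreign"]


def boto3_head_bucket(s3_client):
    """Adapter for a real boto3 S3 client (imports botocore only when used)."""
    def probe(name, expected_owner):
        from botocore.exceptions import ClientError
        try:
            s3_client.head_bucket(Bucket=name, ExpectedBucketOwner=expected_owner)
            return 200
        except ClientError as exc:
            return int(exc.response["ResponseMetadata"]["HTTPStatusCode"])
    return probe


def scoped_s3_policy(account):
    """IAM policy denying S3 calls against buckets owned by any other account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyS3OutsideOurAccount",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:ResourceAccount": account}},
        }],
    }


# Constructed offline stand-in for HeadBucket: one bucket is ours, one was
# created by someone else, everything else has never been created.
_FAKE_BUCKETS = {
    "aws-glue-assets-123456789012-us-east-1": 200,
    "aws-glue-assets-123456789012-eu-west-3": 403,
}


def fake_head_bucket(name, expected_owner):
    return _FAKE_BUCKETS.get(name, 404)


if __name__ == "__main__":
    findings = audit_buckets(fake_head_bucket, "123456789012", ["us-east-1", "eu-west-3"])
    for f in findings:
        print(f"{f.status:<9} {f.service:<15} {f.region:<10} {f.bucket}")
    print(json.dumps(scoped_s3_policy("123456789012"), indent=2))
```

Two caveats when running this for real. HeadBucket needs `s3:ListBucket`, so a 403 on a bucket you do own only means the audit role lacks that permission; run it with a role that can list all of your buckets so that 403 really means "foreign". And the `aws:ResourceAccount` deny is deliberately blunt: it also blocks reads from legitimate cross-account buckets (partner buckets, AWS-owned buckets some agents download from), so add those as exceptions to the condition rather than dropping it.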

AWS has mitigated these specific vulnerabilities, but similar issues could exist in other services: any resource created on your behalf under a predictable name is a candidate. Keep following the basics: keep your systems updated, monitor your environment closely, review your AWS configuration regularly and conduct penetration testing.


Bradleigh Bishop | SOC Team Lead

