AWS's Predictable Bucket Names Make Accounts Easier to Crack

The Amazon Web Services Cloud Development Kit (CDK), a popular open source tool, allows cyber teams to conveniently build software-defined cloud infrastructure with widely used programming languages, such as Python and JavaScript. But here's the problem: During deployment and by default, AWS CDK creates a "staging" S3 bucket with a dangerously predictable naming convention that, if exploited by threat actors, could lead to total administrative access to the associated account.

In a new report, researchers from Aqua said AWS confirmed the vulnerability affected about 1% of CDK users. AWS subsequently notified those effected by the issue in mid-October. Versions of CDK v2.148.1 or earlier require users to take action.

"A key takeaway for open source projects that rely on AWS is to ensure they don't use predictable bucket names," says Yakir Kadkoda, lead security researcher with Aqua. "They should provide an option for users to modify the bucket name that the open source project creates for its operation or implement a check on the bucket owner to avoid such vulnerabilities."

There's no way to know if the vulnerability, which doesn't have an associated CVE number, has been exploited in the wild, Kadkoda adds.

What Is S3 Bucket Namesquatting and Bucket Sniping?

The vuln is introduced during the bootstrapping process, the report explained, during which AWS creates an S3 staging bucket for storing a variety of deployment assets. Because the name of these AWS S3 buckets follow a pattern: cdk-{qualifier}-assets-{account-ID}-{Region}, the team found all adversaries need to break into any of these buckets is the account identification number, and region — the only fields that change from bucket to bucket.

Not only does this let attackers break into an existing S3 bucket, they can also create an entirely new S3 bucket.

"If the attacker sets up the bucket ahead of time, when the user later tries to bootstrap the CDK from a specific region, they will encounter an error during the process because the CDK bucket that the bootstrap process attempts to create already exists," the Aqua report added. "The documentation advises selecting a non-default qualifier."

This is a tactic the report calls "S3 bucket namesquatting" or "bucket sniping" and gives the threat actor the ability to execute malicious code inside the target AWS account.

"As a reminder, the CDK staging bucket contains CloudFormation templates," the report added. "If an attacker gains access to the CDK staging bucket of other users, these files can be easily tampered with and backdoored, enabling the injection of malicious resources into the victim’s account during deployment."

This latest report expands on Aqua's previous analysis of the danger of configuring S3 buckets with easily guessed names into open source tools.

"This research emphasizes the importance of not using predictable bucket names and keeping the AWS account ID secret to avoid being vulnerable to these types of issues in the future," Kadkoda advises.