AWS Cloud Development Kit flaw exposed accounts to full takeover
Amazon Web Services has fixed a flaw in its open source Cloud Development Kit that, under the right conditions, could allow an attacker to hijack a user's account completely.
The Cloud Development Kit (CDK) is an open source framework, developed by AWS, that allows developers to define cloud application infrastructure as code using programming languages such as Python, TypeScript, JavaScript, Go and others, and then provision these resources through AWS CloudFormation.
Bug hunters at Aqua spotted the CDK issue on June 27, according to the firm's security researchers Ofek Itach and Yakir Kadkoda. About two weeks later, the cloud giant patched the flaw with CDK version v2.149.0.
AWS confirmed that about one percent of CDK users were susceptible to this security issue, and assured The Register that it "investigated and resolved all reported concerns." In an emailed statement, an AWS spokesperson wrote that the business unit appreciated Aqua's work in reporting the flaw and collaborating with AWS, and added:
On July 12, 2024, AWS released an update to the AWS Cloud Development Kit (AWS CDK) CLI that implemented additional security controls to mitigate the potential for data disclosure for customers performing CDK deployments. Customers using the latest version will need to perform a one-time action to upgrade their bootstrap resources. AWS has reached out to potentially affected customers directly to notify them of the need to upgrade, and has added additional checks to the CLI to remind users to upgrade.
