
AWS CDK Risk: Exploiting a Missing S3 Bucket Allowed Account Takeover

submitted by
Style Pass
2024-10-25 09:30:03

In June 2024, we uncovered a security issue related to the AWS Cloud Development Kit (CDK), an open-source project. This discovery adds to the six other vulnerabilities we discovered within AWS services. The impact of this issue could, in certain scenarios (outlined in the blog), allow an attacker to gain administrative access to a target AWS account, resulting in a full account takeover.

Our research, covering over 38,000 well-known account IDs, identified several cases where AWS CDK users were susceptible to this attack vector due to the manual deletion of their deployment artifact S3 bucket(s). AWS later confirmed that approximately 1% of CDK users were susceptible to this security issue.  

This blog post expands on the findings from our previous research, “Bucket Monopoly”, and examines how the techniques from our previous research are applicable to open-source projects.

We reported this security issue to AWS, and they promptly addressed it by ensuring that assets are only uploaded to buckets within the user’s account.  
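The fix described above, pinning an asset upload to a bucket owned by the deploying account, can be applied to any deployment tooling that writes to a predictable bucket name. The following is an added example (not code from the original post or from the AWS CDK project) that uses the real S3 `ExpectedBucketOwner` request parameter on both the ownership probe and the write itself, so a bucket that was deleted and re-created under another account is refused rather than written to. The `FakeS3` client, bucket names and account IDs are constructed placeholders; in practice `s3` would be `boto3.client("s3")`.

```python
class UploadRefused(Exception):
    """Raised when the target bucket is not owned by the expected account."""


def _is_access_denied(err):
    # botocore's ClientError exposes the service error code under err.response;
    # S3 answers a failed ExpectedBucketOwner condition with AccessDenied (HTTP 403).
    code = getattr(err, "response", {}).get("Error", {}).get("Code", "")
    return code in ("AccessDenied", "403")


def upload_asset(s3, bucket, key, body, expected_owner):
    """Upload `body` to s3://bucket/key only if `bucket` belongs to `expected_owner`.

    `s3` is any object with boto3-style head_bucket/put_object methods.
    Returns the ETag of the stored object, or raises UploadRefused.
    """
    if not (expected_owner.isdigit() and len(expected_owner) == 12):
        raise ValueError("expected_owner must be a 12-digit AWS account id")
    try:
        # Ownership probe first: a missing bucket or one owned elsewhere fails closed.
        s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=expected_owner)
        # Repeat the condition on the write so there is no window between check and use.
        resp = s3.put_object(Bucket=bucket, Key=key, Body=body,
                             ExpectedBucketOwner=expected_owner)
    except Exception as err:
        if _is_access_denied(err):
            raise UploadRefused(f"{bucket} is not owned by account {expected_owner}") from err
        raise
    return resp["ETag"]


class FakeS3:
    """Constructed offline stand-in for a boto3 S3 client (hypothetical, demo only)."""

    def __init__(self, owners):
        self.owners = owners      # bucket name -> owning 12-digit account id
        self.objects = {}

    def _check(self, Bucket, ExpectedBucketOwner):
        # Mirrors S3 behaviour: unknown bucket or wrong owner -> AccessDenied
        if self.owners.get(Bucket) != ExpectedBucketOwner:
            err = Exception("AccessDenied")
            err.response = {"Error": {"Code": "AccessDenied"}}
            raise err

    def head_bucket(self, Bucket, ExpectedBucketOwner):
        self._check(Bucket, ExpectedBucketOwner)
        return {}

    def put_object(self, Bucket, Key, Body, ExpectedBucketOwner):
        self._check(Bucket, ExpectedBucketOwner)
        self.objects[(Bucket, Key)] = Body
        return {"ETag": '"%d"' % len(Body)}
```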
