Advisory

AWS Cloud Development Kit flaw lets attackers gain Admin access to AWS accounts

Take action: If you are using the AWS Cloud Development Kit (CDK), update it to version 2.148.1 or newer. After upgrading, re-run the cdk bootstrap command in every account and region you have bootstrapped so that the bootstrap roles and resources are updated. If you cannot upgrade yet, add an IAM policy condition to the FilePublishingRole that restricts access to S3 buckets owned by your own AWS account ID. Treat your AWS account ID as sensitive information, since knowing it is what makes the staging bucket name predictable.


Learn More

A critical vulnerability in the AWS Cloud Development Kit (CDK) was identified by security researchers from Aqua Security.

CDK is an open-source framework that lets developers define cloud infrastructure as code, which is then synthesized into CloudFormation templates for deployment. The flaw, tracked as CVE-2024-45037 (CVSS score 9.3), puts AWS CDK users at risk: under specific conditions, an attacker could gain administrative access to the target AWS account, leading to a full account takeover.

The vulnerability stems from the predictable naming of resources created during the CDK bootstrapping process, in particular the S3 staging bucket that holds deployment assets such as synthesized CloudFormation templates. Bootstrapping creates resources with names following the pattern cdk-{Qualifier}-{Description}-{Account-ID}-{Region}; for the staging bucket the description is "assets". The default qualifier is "hnb659fds", so unless the user sets a custom qualifier, the bucket name can be derived from nothing more than the victim's account ID and region. Because S3 bucket names are globally unique, anyone can claim a name that is not currently taken, which makes the bucket a target for "S3 Bucket Namesquatting".

Exploitation Scenarios

  1. Bucket Namesquatting - If the victim's CDK staging bucket does not exist in a given region (typically because it was deleted after bootstrapping), an attacker can create an S3 bucket in their own account with exactly the name CDK expects for that victim. The next time the victim runs cdk bootstrap or cdk deploy, the CDK CLI writes its synthesized templates and assets into the attacker-controlled bucket. The attacker can then tamper with those templates before they are consumed, for example by injecting resources or adding an IAM role that the attacker can assume.
  2. Full Account Takeover - Deployment is performed by the CloudFormationExecutionRole created during bootstrapping, which has administrative privileges by default. CDK writes the template to the staging bucket and CloudFormation then fetches it from there, so if that bucket is attacker-controlled, the attacker's modified template is deployed with admin rights. This escalates what would otherwise be a denial-of-service (deployments failing or being hijacked) into a complete account takeover through unauthorized administrative access.

Affected Versions: CDK versions 2.142.0 through 2.148.0 are vulnerable. Based on AWS's assessment, approximately 1% of CDK users were susceptible. In a separate analysis of 38,560 accounts, 782 (about 2%) were found to be using CDK, and 81 of those (about 10% of the CDK users in the sample) were vulnerable because their staging bucket was missing.

AWS patched the flaw starting from CDK version 2.148.1 by changing the bootstrap template so that the roles created during bootstrapping are only permitted to access S3 buckets owned by the user's own AWS account. AWS also added messages to the CDK CLI that prompt users to upgrade their bootstrap resources.

AWS directly notified affected customers and updated documentation to emphasize the importance of using custom qualifiers and secure IAM policy configurations.

Users of versions 2.142.0 to 2.148.0 must upgrade to version 2.148.1 or newer. After upgrading, re-run the cdk bootstrap command so that the bootstrap roles and resources are updated to the fixed template. Users who cannot upgrade immediately should add an IAM policy condition to the FilePublishingRole that restricts its S3 access to buckets owned by their own AWS account ID.
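The following script, added here as an illustration and not part of the advisory or of the CDK project, ties together the naming pattern described above and the interim mitigation: it derives the expected staging-bucket name for each region, probes whether that name is owned by you, missing (and therefore free for anyone to squat), or owned by someone else, and emits a FilePublishingRole statement with and without the aws:ResourceAccount condition. The probe is modelled on S3 HeadBucket with ExpectedBucketOwner (200 for your bucket, 404 when the bucket does not exist, 403 when it exists but belongs to another account); the bucket list it runs against is constructed sample data so the script runs offline, and the abbreviated action list in the policy statement is an assumption, not the exact bootstrap template.

```python
"""Spot-check CDK staging buckets for namesquatting exposure.

Added example (not AWS/CDK code). Assumes the default bootstrap naming
pattern cdk-{qualifier}-assets-{account}-{region} and models the S3
HeadBucket + ExpectedBucketOwner probe: 200 = yours, 404 = missing
(squattable), 403 = exists but not yours (possibly squatted).
"""
from typing import Callable, Dict, Iterable

DEFAULT_QUALIFIER = "hnb659fds"  # CDK's default bootstrap qualifier


def staging_bucket_name(account: str, region: str,
                        qualifier: str = DEFAULT_QUALIFIER) -> str:
    """Name of the CDK file-assets staging bucket for one account/region."""
    return f"cdk-{qualifier}-assets-{account}-{region}"


def classify_bucket(status_code: int) -> str:
    """Map a HeadBucket status (with ExpectedBucketOwner set) to a finding."""
    if status_code == 200:
        return "owned"      # bucket exists and belongs to the expected account
    if status_code == 404:
        return "missing"    # name is unclaimed: anyone can create it
    if status_code == 403:
        return "foreign"    # exists but not owned by you: possibly squatted
    return "unknown"


def audit(account: str, regions: Iterable[str],
          head_bucket: Callable[[str, str], int],
          qualifier: str = DEFAULT_QUALIFIER) -> Dict[str, str]:
    """Probe the expected staging bucket in each region.

    head_bucket(bucket_name, expected_owner) must return the HTTP status
    code of a HeadBucket call made with ExpectedBucketOwner=expected_owner.
    """
    return {
        (name := staging_bucket_name(account, region, qualifier)):
            classify_bucket(head_bucket(name, account))
        for region in regions
    }


def file_publishing_statement(account: str, region: str,
                              qualifier: str = DEFAULT_QUALIFIER,
                              restrict_to_owner: bool = True) -> dict:
    """Allow statement for the FilePublishingRole's staging-bucket access.

    With restrict_to_owner=True the statement only matches buckets owned by
    `account` (the interim mitigation); False reproduces the weak, unconditional
    form. The action list is abbreviated (assumption, not the real template).
    """
    bucket = staging_bucket_name(account, region, qualifier)
    statement = {
        "Effect": "Allow",
        "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*",
                   "s3:PutObject*", "s3:Abort*", "s3:DeleteObject*"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }
    if restrict_to_owner:
        statement["Condition"] = {"StringEquals": {"aws:ResourceAccount": account}}
    return statement


# Constructed sample data (not real accounts): bucket name -> owning account.
CONSTRUCTED_BUCKETS = {
    "cdk-hnb659fds-assets-111111111111-us-east-1": "111111111111",  # healthy
    "cdk-hnb659fds-assets-111111111111-eu-west-1": "999999999999",  # squatted
    # no bucket at all for ap-south-1: the name is free to claim
}


def fake_head_bucket(bucket: str, expected_owner: str) -> int:
    """Offline stand-in for S3 HeadBucket with ExpectedBucketOwner."""
    owner = CONSTRUCTED_BUCKETS.get(bucket)
    if owner is None:
        return 404
    return 200 if owner == expected_owner else 403


# Real adapter for use against AWS (not run offline; requires boto3):
# import boto3, botocore.exceptions
# def s3_head_bucket(bucket, expected_owner):
#     try:
#         boto3.client("s3").head_bucket(Bucket=bucket,
#                                        ExpectedBucketOwner=expected_owner)
#         return 200
#     except botocore.exceptions.ClientError as err:
#         return int(err.response["ResponseMetadata"]["HTTPStatusCode"])


if __name__ == "__main__":
    import json
    findings = audit("111111111111", ["us-east-1", "eu-west-1", "ap-south-1"],
                     fake_head_bucket)
    for bucket, finding in findings.items():
        print(f"{finding:8} {bucket}")
    print(json.dumps(file_publishing_statement("111111111111", "us-east-1"),
                     indent=2))
```

A "missing" result means you should re-run cdk bootstrap immediately (which recreates the bucket under your account) before anyone else claims the name; a "foreign" result means the name is already taken by another account and every deployment in that region must be treated as potentially compromised until the bucket is reclaimed under a custom qualifier.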

Users should always treat AWS account IDs as sensitive information, since knowledge of an account ID is what lets attackers predict resource names in attacks like this one.
