Daily cloud and web hosting news coverage by HostingDiscussion.com

AWS secures CDK flaw to prevent S3 bucket takeovers amid growing concerns

Amazon Web Services (AWS) recently patched a security flaw in its Cloud Development Kit (CDK) that could have exposed some users to full account takeover. The vulnerability, discovered by Aqua Security, let an attacker hijack CDK staging buckets through a technique known as S3 bucket namesquatting: S3 bucket names are globally unique and the names CDK uses for its staging buckets are predictable, so an attacker who creates a bucket under the expected name first ends up owning the bucket that a victim's deployments write to.

Aqua’s security researchers, Ofek Itach and Yakir Kadkoda, identified the flaw on June 27, 2024. AWS released a fix in CDK v2.149.0 on July 12, 2024. According to AWS, the flaw affected about 1% of CDK users, all of whom received direct notifications and update instructions.

The vulnerability stemmed from CDK’s default naming convention for the staging bucket that cdk bootstrap creates: cdk-hnb659fds-assets-{account-id}-{region}, where hnb659fds is the default qualifier. Every part of that name is either fixed or easy to learn, so an attacker can derive it without any access to the target account. Aqua’s earlier research on a similar issue in other AWS services, called “Bucket Monopoly,” had already shown how predictable S3 bucket names can be exploited.

In both cases, an attacker who knows the target’s AWS account ID and deployment region can compute the bucket name and claim it whenever it is free, for example after a user has deleted the original staging bucket. CDK then uploads CloudFormation templates and assets into the attacker-controlled bucket, where they can be tampered with before CloudFormation deploys them using the CDK execution role, which by default holds administrator-level permissions. That is what opened the door to account takeover.

AWS has since strengthened the bootstrap stack and the CDK CLI so that deployments refuse to write assets into a staging bucket the account does not own. Users on older versions must both update CDK and rerun cdk bootstrap in each account and region they have bootstrapped, because the protection lives in the bootstrap resources, not only in the CLI.

Aqua advises CDK users to add a unique identifier to their S3 bucket names to prevent future namesquatting. In CDK this means bootstrapping with a custom qualifier (cdk bootstrap --qualifier) and configuring the same qualifier in the stack synthesizer, so the staging bucket name can no longer be derived from the account ID and region alone.
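The naming pattern, the ownership check and the unique-qualifier advice described above, as an added Python simulation written for this page (not code from AWS, the CDK project or Aqua’s report): it derives the staging bucket name the way CDK does, replays the squat against a constructed in-memory stand-in for S3 (FakeS3, with made-up account IDs), shows the pre-fix upload landing in the attacker’s bucket, shows an ownership gate rejecting the same upload, and generates a qualifier that makes the name unpredictable. The ExpectedBucketOwner behaviour it mimics is a real S3 request parameter; FakeS3, the publish_* functions and run_scenario are assumptions made for the example.

```python
"""Constructed, offline simulation of the CDK staging-bucket squat and its mitigations.
Nothing here talks to AWS: FakeS3 stands in for S3's global bucket namespace."""
import re
import secrets
import string

DEFAULT_QUALIFIER = "hnb659fds"  # CDK's built-in bootstrap qualifier
BUCKET_TEMPLATE = "cdk-{qualifier}-assets-{account}-{region}"  # CDK v2 default staging bucket name


class BucketOwnershipError(Exception):
    """The staging bucket exists but belongs to another AWS account."""


def predicted_staging_bucket(account_id, region, qualifier=DEFAULT_QUALIFIER):
    """Rebuild the staging bucket name the way CDK does. With the default qualifier,
    the account ID and region are all an attacker needs to know."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")
    return BUCKET_TEMPLATE.format(qualifier=qualifier, account=account_id, region=region)


def is_valid_qualifier(qualifier):
    """CDK limits qualifiers to 10 characters; bucket naming forces lowercase alphanumerics."""
    return re.fullmatch(r"[a-z0-9]{1,10}", qualifier) is not None


def random_qualifier(length=10):
    """Unpredictable qualifier for 'cdk bootstrap --qualifier' and the stack synthesizer."""
    if not 1 <= length <= 10:
        raise ValueError("qualifier must be 1-10 characters")
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class FakeS3:
    """Stand-in for S3's global namespace: whoever creates a name first owns it."""

    def __init__(self):
        self.owners = {}   # bucket name -> owning account ID
        self.objects = {}  # bucket name -> {key: body}

    def create_bucket(self, name, owner):
        if name in self.owners:
            raise PermissionError(f"BucketAlreadyExists: {name}")
        self.owners[name] = owner
        self.objects[name] = {}

    def delete_bucket(self, name):
        del self.owners[name]
        del self.objects[name]

    def put_object(self, name, key, body, expected_owner=None):
        """Mirrors put_object(..., ExpectedBucketOwner=...): when the parameter is set,
        S3 rejects the write if the bucket is owned by a different account."""
        if name not in self.owners:
            raise KeyError(f"NoSuchBucket: {name}")
        if expected_owner is not None and self.owners[name] != expected_owner:
            raise BucketOwnershipError(f"{name} is owned by {self.owners[name]}, not {expected_owner}")
        self.objects[name][key] = body
        return self.owners[name]  # whose bucket the template actually landed in


def publish_template_unchecked(s3, account, region, template):
    """Pre-fix flow: derive the name and upload without verifying who owns the bucket."""
    bucket = predicted_staging_bucket(account, region)
    return s3.put_object(bucket, "stack.template.json", template)


def publish_template_checked(s3, account, region, template, qualifier=DEFAULT_QUALIFIER):
    """Post-fix flow: refuse to publish unless the bucket belongs to the deploying account."""
    bucket = predicted_staging_bucket(account, region, qualifier)
    return s3.put_object(bucket, "stack.template.json", template, expected_owner=account)


def run_scenario():
    """Victim bootstraps, later deletes the bucket, attacker squats the now-free name."""
    victim, attacker, region = "123456789012", "999999999999", "us-east-1"  # made-up IDs
    s3 = FakeS3()
    name = predicted_staging_bucket(victim, region)
    s3.create_bucket(name, victim)     # cdk bootstrap creates the staging bucket
    s3.delete_bucket(name)             # bucket removed during cleanup, name becomes free
    s3.create_bucket(name, attacker)   # attacker re-creates the predictable name
    template = '{"Resources": {"Role": {"Type": "AWS::IAM::Role"}}}'
    landed_with = publish_template_unchecked(s3, victim, region, template)
    try:
        publish_template_checked(s3, victim, region, template)
        blocked = False
    except BucketOwnershipError:
        blocked = True
    return {
        "squatted_bucket": name,
        "unchecked_upload_owner": landed_with,  # attacker now holds the template
        "checked_upload_blocked": blocked,      # ownership gate stops the deploy
    }


if __name__ == "__main__":
    print(run_scenario())
    print("example qualifier:", random_qualifier())
```

In real S3 the attacker’s squatted bucket must carry a bucket policy that lets the victim’s CDK roles write to it, which is entirely under the attacker’s control; the fix closes the path from the victim side by refusing to write to a bucket owned by anyone else, and a non-default qualifier removes the predictability that made the squat possible in the first place.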

AWS thanked Aqua for reporting the flaw, and Aqua reminds developers that avoiding predictable bucket names should be a standard security measure.
