Amazon Web Services (AWS) recently patched a security flaw in its Cloud Development Kit (CDK) that could have exposed some users to account takeovers. This vulnerability, discovered by Aqua Security, made it possible for attackers to hijack CDK staging buckets through a technique known as S3 Bucket Namesquatting, where attackers could predict and take over bucket names used in CDK deployments.
Aqua’s security researchers, Ofek Itach and Yakir Kadkoda, identified the flaw on June 27. AWS then released a fix with CDK version v2.149.0 on July 12, 2024. According to AWS, the flaw affected about 1% of CDK users, all of whom received direct notifications and update instructions.
The vulnerability stemmed from CDK’s default naming conventions, which make it easy for bad actors to guess S3 bucket names. Aqua’s earlier research on a similar issue, called “Bucket Monopoly,” had already exposed how predictable S3 bucket names could be exploited.
In both cases, attackers could predict and claim identical bucket names by knowing the AWS account ID and deployment region. This opened the door for account takeovers.
AWS has since strengthened security in the latest CDK version to stop data leaks during deployments. However, users with older versions must update and rerun the command.
Aqua advises CDK users to further protect themselves by adding unique identifiers to their S3 bucket names, preventing future namesquatting attempts.
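As an added illustration (not code from the article, AWS, or Aqua), the following Python audit flags CDK staging buckets that still use the well-known default qualifier, which is what makes their names guessable from account ID and region, and proposes a random replacement qualifier for re-bootstrapping. The `cdk-<qualifier>-assets-<account>-<region>` layout, the default qualifier value and the 10-character qualifier limit are assumed from CDK's bootstrap documentation; the bucket inventory and account ID are constructed samples.

```python
import re
import secrets
import string

# Assumption: the well-known default qualifier baked into CDK's bootstrap template.
DEFAULT_QUALIFIER = "hnb659fds"

# Assumption: default staging-bucket layout is cdk-<qualifier>-assets-<account>-<region>.
STAGING_BUCKET_RE = re.compile(
    r"^cdk-(?P<qualifier>[a-z0-9]{1,10})-assets-(?P<account>\d{12})"
    r"-(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)$"
)


def assess_staging_bucket(name: str) -> dict:
    """Classify a bucket name: not a CDK staging bucket, default (predictable), or custom."""
    m = STAGING_BUCKET_RE.match(name)
    if not m:
        return {"cdk_staging": False, "predictable": False, "qualifier": None}
    qualifier = m.group("qualifier")
    return {
        "cdk_staging": True,
        # With the default qualifier, account ID + region alone yield the full name.
        "predictable": qualifier == DEFAULT_QUALIFIER,
        "qualifier": qualifier,
    }


def new_qualifier(length: int = 10) -> str:
    """Random lowercase alphanumeric qualifier (assumed CDK limit: 10 characters)."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(bucket_names) -> list:
    """Return the staging buckets whose names are still derivable from account ID and region."""
    return [n for n in bucket_names if assess_staging_bucket(n)["predictable"]]


# Constructed sample inventory; the account ID is a placeholder, not a real deployment.
SAMPLE = [
    "cdk-hnb659fds-assets-111122223333-us-east-1",
    "cdk-x7q2m9kd4p-assets-111122223333-eu-west-1",
    "my-app-logs",
]

if __name__ == "__main__":
    for n in audit(SAMPLE):
        print(f"predictable staging bucket: {n}; re-bootstrap with --qualifier {new_qualifier()}")
```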
AWS thanked Aqua for identifying the flaw, while Aqua reminds developers to avoid predictable bucket names as a standard security measure.