Aqua Security, a leader in cloud native security, has revealed critical vulnerabilities in six key AWS services, uncovered by its cyber research team, Nautilus. The newly identified flaws had the potential to enable remote code execution (RCE), full-service user takeovers, AI module manipulation, and the exposure of sensitive data, among other serious risks. Following Aqua Security’s disclosure, AWS swiftly acknowledged and addressed these vulnerabilities.
The vulnerabilities were identified in AWS services including CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar. According to Aqua Security’s Lead Researcher Yakir Kadkoda, these flaws stemmed from internal dependencies and complexities that are not always apparent to cloud users and developers.
“We found that under some conditions, an attacker could exploit gaps to gain access to and even take over AWS accounts,” Kadkoda explained.
The issue arises when one of these services is initiated in a new region for the first time: an S3 bucket is automatically created with a name that combines the service’s name, the AWS account ID, and the region name. The naming pattern is the same in every AWS region; only the region portion of the name changes.
The “Bucket Monopoly” Exploit
Aqua Nautilus researchers discovered a method dubbed “Bucket Monopoly,” where attackers could preemptively create these S3 buckets across all available regions. By doing so, they could store malicious code in the bucket, which would be unknowingly executed by the targeted organization when the service is enabled in a new region.
This method could potentially allow attackers to create an administrative user in the targeted organization, thereby gaining control over the AWS account.
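A defender-side audit of the predictable naming pattern described above, as an added example that is not from Aqua's research or from AWS. The name template, the `demosvc` service name, the account ID and the probe results are constructed assumptions.

```python
from enum import Enum

# Assumed template: the article says only that the name combines service name,
# account ID and region. Real per-service formats differ; substitute your own.
TEMPLATE = "{service}-{account_id}-{region}"

class Status(Enum):
    OWNED = "bucket exists and belongs to this account"
    UNCLAIMED = "name is free in the global namespace"
    FOREIGN = "bucket exists but ownership check failed"

def expected_buckets(service, account_id, regions, template=TEMPLATE):
    """Map each region to the bucket name the service would use there."""
    return {r: template.format(service=service, account_id=account_id, region=r)
            for r in regions}

def classify(http_status):
    """Interpret an ownership probe result.

    Assumption: the caller probes each name with an S3 HeadBucket request that
    pins the expected owner to its own account, giving 200 (ours), 404 (no such
    bucket) or 403 (owned elsewhere, or access denied).
    """
    if http_status == 200:
        return Status.OWNED
    if http_status == 404:
        return Status.UNCLAIMED
    if http_status == 403:
        return Status.FOREIGN
    raise ValueError(f"unexpected probe status: {http_status}")

def audit(service, account_id, regions, probe):
    """Return {region: (bucket_name, Status)} using probe(name) -> HTTP status."""
    names = expected_buckets(service, account_id, regions)
    return {r: (n, classify(probe(n))) for r, n in names.items()}

def blocked_regions(report):
    """Regions where the service should not be enabled until investigated."""
    return sorted(r for r, (_, s) in report.items() if s is Status.FOREIGN)

# Constructed probe results for a fictional account; absent names mean 404.
ACCOUNT = "111122223333"
PROBES = {"demosvc-111122223333-us-east-1": 200,
          "demosvc-111122223333-eu-west-1": 403}
REPORT = audit("demosvc", ACCOUNT, ["us-east-1", "eu-west-1", "ap-south-1"],
               lambda name: PROBES.get(name, 404))

if __name__ == "__main__":
    for region, (name, status) in REPORT.items():
        print(f"{region:12} {name:34} {status.value}")
    print("do not enable in:", blocked_regions(REPORT))
```

A region reported as `FOREIGN` is the case the researchers describe: the name the service would use is already held outside the account, so the service should not be enabled there until the bucket's ownership is resolved.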

“Because S3 bucket names are unique across all of AWS, if you capture a bucket, it’s yours and no one else can claim that name,” noted Ofek Itach, a security researcher at Aqua Nautilus. “We demonstrated how S3 can become a ‘shadow resource,’ and how easily attackers can discover or guess it and exploit it.”
Kadkoda emphasized that this discovery aligns with Aqua Security’s mission to enhance cloud security and ensure that organizations can use these services safely. “Our responsible disclosure of findings to the AWS security team, and their professional response, prevented what could have been a massive initial access point for attackers, protecting the cloud environments of many organizations,” he said.


