Amazon addresses vulnerability affecting AWS AppSync

Researchers from security company Datadog discovered a cross-tenant vulnerability in a popular Amazon Web Services (AWS) tool, which Amazon has now addressed.

The bug allows attackers to abuse AWS' AppSync service and assume Identity and Access Management (IAM) roles in other AWS accounts. This gives an attacker the opportunity “to pivot into a victim organization and access resources in those accounts,” according to Datadog.

The researchers discovered the bug on September 1 and immediately reported it to AWS, which reproduced the attack and confirmed the impact the next day. By September 6, AWS pushed out a fix for the vulnerability, with Datadog confirming the fix had addressed the issue. 

Amazon did not respond to requests for comment but released a statement on Monday confirming details of the vulnerability.

“No customers were affected by this issue, and no customer action is required. AWS moved immediately to correct this issue when it was reported. Analysis of logs going back to the launch of the service have been conducted and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher,” Amazon’s security team said. 

“No other customer accounts were impacted. We would like to thank Datadog Security Labs for reporting this issue.”

AppSync is a popular AWS service that allows developers to quickly create GraphQL and Pub/Sub Application Programming Interfaces (API), the researchers explained. In that process, a developer must create a data source that holds the data the GraphQL API interacts with.

Datadog researchers said AppSync is a common integration with their service, so they started a research project into it before discovering the bug. 

The researchers sought to answer the question of whether they could find a way to trick the AppSync service to assume a role in an account they don’t control and access its resources.

They explained that the vulnerability is an example of an issue they call “confused deputy” – where an attacker with fewer privileges can convince a more privileged entity like AppSync to take actions on its behalf. 

“We wanted to find a way to confuse AppSync to assume roles in other accounts. AWS safeguards against this type of attack by validating the role’s Amazon Resource Name (ARN), a unique identifier for an AWS resource. During the creation of a data source, the API will look at the provided ARN and determine if it is in the same AWS account. If it is not, the API will throw an error,” the researchers explained. 

The researchers eventually found a way to bypass the validation and provide an ARN of a role in a different AWS account.

In bypassing the ARN validation, Datadog researchers were able to create AppSync data sources tied to roles in other AWS accounts. 

“This would allow an attacker to interact with any resource associated with a role which trusts the AWS AppSync service in any account,” they wrote. “With this vulnerability in hand, we could create data sources in our own account which pointed to resources in other AWS accounts.” 

If an attacker was able to phish a victim and gain access to their internal documents, they could get the kind of credentials needed to access other services and tools and use the vulnerability to compromise databases by creating their own AppSync API and data source. 

Datadog said this would allow the attacker to interact with this data source “as if they owned it.” 

“This vulnerability in AWS AppSync allowed attackers to cross account boundaries and execute AWS API calls in victim accounts via IAM roles that trusted the AppSync service,” Datadog said. 

“By using this method, attackers could breach organizations that used AppSync and gain access to resources associated with those roles.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.