A vulnerability in Amazon Web Services (AWS) AppSync enabled unauthorized cross-account access to AWS resources, according to the findings of security researchers.
AppSync is a service that allows developers to create serverless GraphQL and Pub/Sub APIs. When creating GraphQL API with AppSync, developers must specify the data source that stores or has access to the data the API will interact with, such as Lambda functions, DynamoDB, RDS, and external APIs.
Tricking AppSync
One of the features of AppSync is to directly invoke AWS APIs such as Amazon S3. To do this, the developer must create a role that has access to the target resource. The developer then creates a “trust policy”, a JSON document that allows AppSync to assume that role.
Researchers at DataDog Security Labs were interested in seeing if they could somehow use the trust policy to trick AppSync to give them unauthorized access to other AWS accounts.
AWS protects against this kind of attack by making sure the AppSync endpoint and the target resource are in the same account.
This validation is performed through Amazon Resource Name (ARN), the unique identifier of the AWS resource.
The researchers at DataDog found that they could bypass the ARN validation by simply changing the letter case of the JSON field for the ARN.
This enabled them to create AppSync data sources that could be tied to other AWS accounts. Using this loophole, they could interact with any resource associated with a role that trusts the AWS AppSync service in any account.
In a proof of concept, the researchers show how an attacker could exploit the vulnerability to obtain full control of a cloud-hosted database.
Difficult detection
Since the logs generated by the attack indicate all activity is coming from the AppSync service, detecting the attack would be difficult. Therefore, if the attacker knew the ARN of the AppSync role and the resources they wanted to access, the logs would indicate normal activity.
However, under normal circumstances, the attacker would need to do some brute force probing to find the target resources, which would result in an unusual amount of AccessDenied events in the AWS log. Administrators would also be able to detect attacks by looking for anomalous behavior, such as an AppSync service accessing an AWS resource for the first time.
Amazon patched the vulnerability in AppSync in September, while the research blog post was published this week. According to the company, there were no indications of the vulnerability having been exploited in the wild.
“[We] have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer accounts were impacted,” Amazon said in a statement.
Copyright 2021 Associated Press. All rights reserved.
