
AWS fixes 'confused deputy' vulnerability in AppSync
2022-11-22 22:01

Amazon Web Services fixed a cross-tenant flaw in AWS AppSync that could allow miscreants to abuse that cloud service to assume identity and access management roles in other AWS accounts, and then gain access to and control over those resources.

No customers were affected by the vulnerability and no customer action is required, according to AWS. In a statement posted on Monday, the cloud services provider thanked Datadog for reporting the "case-sensitivity parsing issue" in AppSync.

AWS AppSync provides a GraphQL interface for application developers to combine data from Amazon DynamoDB, AWS Lambda, and external APIs like Datadog.

In addition to predefined data sources, developers can create integrations to allow AppSync to directly call APIs by creating a role that gives AppSync the required identity and access management permissions.

Because Datadog integrates with AppSync, the company's security researchers wanted to see if they could "trick" the AWS service into assuming a role and then accessing and controlling resources from other data sources.

After bypassing the ARN validation, an attacker could "cross account boundaries and execute AWS API calls in victim accounts via IAM roles that trusted the AppSync service," they wrote.
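The roles at risk were those whose trust policy let the AppSync service assume them. As an added example (not code from the article, Datadog or AWS), here is a small Python check a defender can run over their own roles' trust policies: it flags Allow statements that let appsync.amazonaws.com assume the role without an aws:SourceAccount or aws:SourceArn condition, the condition keys AWS documents for limiting confused-deputy exposure. The two embedded policies, the account id and the region are constructed placeholders.

```python
import json

# Constructed sample trust policies; the account id and region are placeholders, not real data.
UNSCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

SCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111111111111"},
            "ArnLike": {"aws:SourceArn": "arn:aws:appsync:us-east-1:111111111111:apis/*"},
        },
    }],
})
# Condition keys that pin which account/resource may make the service act on the caller's behalf.
CONFUSED_DEPUTY_KEYS = {"aws:sourceaccount", "aws:sourcearn"}


def _as_list(value):  # IAM fields may hold a string or a list; normalise to a list
    return value if isinstance(value, list) else [value]


def find_unscoped_service_trusts(policy_json, service="appsync.amazonaws.com"):
    """Return Allow statements that let `service` assume the role without a source-scoping condition."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal != "*" and service not in services:
            continue
        # Condition keys are case-insensitive in IAM, so compare lower-cased names.
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not cond_keys & CONFUSED_DEPUTY_KEYS:
            findings.append(stmt)
    return findings
```

Feed it the output of `aws iam get-role` for each role that trusts a service principal; an empty result means every such statement is pinned to a source account or ARN.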


News URL

https://go.theregister.com/feed/www.theregister.com/2022/11/22/aws_confused_deputy_vulnerability/