Read our latest security bulletins here.
  1. Issue With IAM Supporting Multiple MFA Devices

    Initial Publication Date: 04/25/2023 10:00AM EST

    A security researcher recently reported an issue with AWS’s support, released on November 16, 2022, for multiple multi-factor authentication (MFA) devices on IAM user principals. The reported issue could have arisen only when the following three conditions were met: (1) an IAM user possessed long-term access key (AK)/secret key (SK) credentials, (2) that IAM user had the privilege to add an MFA device to their own identity without using an MFA, and (3) an administrator had configured that IAM user’s access privileges (beyond console sign-in) to be greater after an MFA device was added. Under those narrow conditions, possession of AK/SK alone was equivalent to possession of AK/SK plus a previously configured MFA device.

    IAM users with permission to add or delete an MFA device on their own identity have always been able to do so using only AK/SK credentials. The issue arose when the new feature was combined with the self-management pattern, in which IAM users manage their own MFA devices and have restricted access until they add one. That pattern was documented here, and that page included a sample IAM policy for implementing it. The new multi-MFA feature created an inconsistency with that approach: a user holding only AK/SK credentials could add an additional MFA device without using a previously configured one, so possession of AK/SK alone could gain broader access than customers using the sample policy expected.

    This issue did not affect AWS Management Console-based access, since an existing MFA is always required at sign-in. Nor did it affect federated principals, who manage MFA through their identity provider.

    As of April 21, 2023, the identified issue has been remediated: IAM users who already have one or more MFA devices and who use AK/SK credentials to manage their own MFA devices must first call sts:GetSessionToken with an existing MFA to obtain MFA-enabled temporary credentials, and use those credentials to sign the CLI commands or API requests that enable or disable MFA devices for themselves. We have directly notified, via their Personal Health Dashboard, the very small number of customers who had previously associated an additional MFA device using a mechanism other than the AWS Management Console, and recommended that they confirm the correctness of their MFA configurations. No further customer action is required.
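    The confirmation step described above, as an added example that is not part of the bulletin or AWS tooling: an offline audit over constructed records shaped like the IAM ListAccessKeys / ListMFADevices responses and a policy modelled on the self-management pattern. It flags users with more than one MFA device, and users who hold active long-term keys while a policy lets them enrol an MFA device without an MFA condition (the bulletin's preconditions); all names and ARNs are constructed.

    ```python
    from fnmatch import fnmatchcase

    # Actions that add an MFA device to an identity (lower-cased; IAM action matching is case-insensitive).
    MFA_ENROLL_ACTIONS = ("iam:createvirtualmfadevice", "iam:enablemfadevice")

    # Constructed sample data (not real account data); policy follows the self-management pattern.
    SELF_MANAGE_POLICY = {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowManageOwnMFA", "Effect": "Allow",
             "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice"],
             "Resource": "arn:aws:iam::*:user/${aws:username}"},
            {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
             "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "sts:GetSessionToken"],
             "Resource": "*",
             "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }
    SAMPLE_USERS = [
        {"UserName": "alice", "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active"}],
         "MFADevices": ["arn:aws:iam::111122223333:mfa/alice", "arn:aws:iam::111122223333:mfa/alice-2"],
         "Policies": [SELF_MANAGE_POLICY]},
        {"UserName": "bob", "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Inactive"}],
         "MFADevices": ["arn:aws:iam::111122223333:mfa/bob"], "Policies": [SELF_MANAGE_POLICY]},
    ]

    def _as_list(v):
        return v if isinstance(v, list) else ([] if v is None else [v])

    def _requires_mfa(stmt):
        # True when any condition operator references aws:MultiFactorAuthPresent.
        return any(k.lower() == "aws:multifactorauthpresent"
                   for op in stmt.get("Condition", {}).values() for k in op)

    def allows_mfa_enroll_without_mfa(policy):
        # An Allow covering an enrolment action with no MFA condition on the Allow itself.
        for stmt in _as_list(policy.get("Statement")):
            if stmt.get("Effect") != "Allow" or _requires_mfa(stmt):
                continue
            patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
            if any(fnmatchcase(act, p) for act in MFA_ENROLL_ACTIONS for p in patterns):
                return True
        return False

    def audit_user(user):
        findings = []
        if len(user["MFADevices"]) > 1:
            findings.append("multiple MFA devices registered; confirm each was added intentionally")
        live_keys = any(k["Status"] == "Active" for k in user["AccessKeys"])
        if live_keys and user["MFADevices"] and any(allows_mfa_enroll_without_mfa(p) for p in user["Policies"]):
            findings.append("active long-term keys plus a policy allowing MFA enrolment without an MFA condition")
        return findings
    ```

    With real data, populate the records from the IAM ListAccessKeys, ListMFADevices and policy APIs and run audit_user over every user.
    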

    We would like to thank researchers at MWR Cybersec for identifying and responsibly disclosing this issue to AWS. Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  2. Reported GuardDuty Finding Issue

    Initial Publication Date: 05/18/2023 10:00AM EST

    A security researcher recently reported an issue in Amazon GuardDuty in which the policy of an S3 bucket not protected by Block Public Access (BPA) could be changed to grant public access to the bucket without triggering a GuardDuty alert. This specific issue would occur if the S3 bucket policy was updated with a single new policy that included both an "Allow" for "Principal":"*" or "Principal":{"AWS":"*"} in one statement (making the bucket public) and a "Deny" for "Action":"s3:GetBucketPublicAccessBlock" in another, which prevented all callers (including GuardDuty) from checking the bucket’s configuration. Customers who use the recommended BPA feature would not have been impacted by this issue, because the required previous step of disabling BPA would have triggered a different GuardDuty alert.
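    A configuration check for the combination described above, as an added example that is not part of the bulletin or of GuardDuty: it parses a constructed bucket policy, reports statements that grant access to a public principal, and reports Deny statements that keep every caller from reading the bucket's public-access configuration. It goes slightly beyond the bulletin by also matching the related s3:GetBucketPolicyStatus and s3:GetBucketPolicy actions; the bucket name and Sids are constructed.

    ```python
    import json
    from fnmatch import fnmatchcase

    # Constructed bucket policy reproducing the described combination: one statement makes the
    # bucket public, another denies everyone the call used to read its public-access settings.
    SAMPLE_BUCKET_POLICY = json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
            {"Sid": "HideConfig", "Effect": "Deny", "Principal": "*",
             "Action": "s3:GetBucketPublicAccessBlock", "Resource": "arn:aws:s3:::example-bucket"},
        ],
    })

    # Actions a scanner needs in order to judge whether a bucket is public (lower-cased).
    CONFIG_READ_ACTIONS = ("s3:getbucketpublicaccessblock", "s3:getbucketpolicystatus", "s3:getbucketpolicy")

    def _as_list(v):
        return v if isinstance(v, list) else ([] if v is None else [v])

    def is_public_principal(principal):
        # "Principal": "*" and {"AWS": "*"} are the two public forms named in the bulletin.
        return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

    def _matches(stmt, targets):
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        return any(fnmatchcase(t, p) for t in targets for p in patterns)

    def analyse_bucket_policy(policy_json):
        """Return the Sids that make the bucket public and the Sids that blind configuration reads."""
        doc = json.loads(policy_json)
        public_allow, blinding_deny = [], []
        for stmt in _as_list(doc.get("Statement")):
            sid = stmt.get("Sid", "<no Sid>")
            public = is_public_principal(stmt.get("Principal"))
            if stmt.get("Effect") == "Allow" and public:
                public_allow.append(sid)
            # A Deny on the configuration-reading actions that applies to all principals also
            # blocks the service roles scanners use, so the public bucket can go unreported.
            if stmt.get("Effect") == "Deny" and public and _matches(stmt, CONFIG_READ_ACTIONS):
                blinding_deny.append(sid)
        return {"public_allow": public_allow, "blinding_deny": blinding_deny,
                "review_required": bool(public_allow and blinding_deny)}
    ```

    Enabling Block Public Access remains the primary control; this check is a supplementary review of policy documents pulled from GetBucketPolicy or from change logs.
    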

    While the previous GuardDuty detection criteria and their limitation were publicly documented here, we agreed with the researcher’s recommendation to alter this behavior and, as of April 28, 2023, have implemented a change so that GuardDuty still raises an alert in this case.

    We would like to thank Gem Security for responsibly disclosing this issue and working with us on its resolution.

    Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  3. Reported ECR Public Gallery Issue

    Initial Publication Date: 12/13/2022 9:00AM EST

    On November 14, 2022, a security researcher reported an issue in Amazon Elastic Container Registry (ECR) Public Gallery, a public website for finding and sharing public container images. The researcher identified an ECR API action that, if called, could have enabled modification or removal of images available on ECR Public Gallery.

    As of November 15, 2022, the identified issue was remediated. We have conducted an exhaustive analysis of all logs and are confident that our review was conclusive: the only activity associated with this issue was between accounts owned by the researcher. No other customers’ accounts were affected, and no customer action is required.

    We would like to thank Lightspin for reporting this issue.

    Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  4. Reported AWS AppSync Issue

    Initial Publication Date: 2022/11/21 10:00AM EST

    A security researcher recently disclosed a case-sensitivity parsing issue within AWS AppSync, which could potentially be used to bypass the service’s cross-account role usage validations and take action as the service across customer accounts.

    No customers were affected by this issue, and no customer action is required.

    AWS moved immediately to correct this issue when it was reported. An analysis of logs going back to the launch of the service has been conducted, and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer accounts were impacted.

    We would like to thank Datadog Security Labs for reporting this issue.

    Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  5. OpenSSL Security Advisories - November 2022

    Initial Publication Date: 2022/11/01 09:00 PDT

    AWS is aware of the recently reported issues regarding OpenSSL 3.0 (CVE-2022-3602 and CVE-2022-3786). AWS services are not affected, and no customer action is required. Additionally, Amazon Linux 1 and Amazon Linux 2 do not ship with OpenSSL 3.0 and are not affected by these issues. Customers utilizing Amazon Linux 2022, Bottlerocket OS or ECS-optimized Amazon Machine Images (AMIs) on Amazon ECS should read the instructions below.

    As a security best practice, we encourage customers who manage environments containing OpenSSL 3.0 to update to the latest version, available at https://www.openssl.org/source/ or via their operating system’s software update mechanism.

    Amazon Linux 2022

    We will release an updated version of OpenSSL 3.0 to the Amazon Linux 2022 repositories shortly. Once available, customers testing the preview release of Amazon Linux 2022 should upgrade to the patched version of OpenSSL 3.0. Updated Amazon Linux 2022 AMIs will also be available shortly.

    More information is available in the Amazon Linux Security Center: https://alas.aws.amazon.com/alas2022.html

    Amazon Elastic Container Service

    Amazon ECS will release updated ECS-optimized Amazon Machine Images (AMIs) containing mitigations for these issues shortly. More information about the ECS-optimized AMI is available at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html.

    Meanwhile, we recommend that ECS customers who use the preview release of the ECS-optimized Amazon Linux 2022 AMI update the version of OpenSSL 3.0 via DNF configuration. More information is available at https://docs.aws.amazon.com/linux/al2022/ug/managing-repos-os-updates.html.

    Bottlerocket OS

    While Bottlerocket OS itself is not affected by these issues, we will shortly release a patched version of the Bottlerocket Update Operator solution containing the latest version of OpenSSL 3.0. Customers using the preview versions of the Bottlerocket Update Operator should upgrade to the new 1.0.0 version when it is available. We expect version 1.0.0 to be available no later than November 2, 2022.

    Information about the Bottlerocket Update Operator is available at https://github.com/bottlerocket-os/bottlerocket-update-operator and security advisories may be found at https://github.com/bottlerocket-os/bottlerocket-update-operator/security/advisories.