Amazon AWS Amplify CLI before 12.10.1 incorrectly configures the role trust policy of IAM roles associated with Amplify projects. When the Authentication component is removed from an Amplify project, a Condition property is removed but "Effect":"Allow" remains present, and consequently sts:AssumeRoleWithWebIdentity would be available to threat actors with no conditions. Thus, if Amplify CLI had been used to remove the Authentication component from a project built between August 2019 and January 2024, an "assume role" may have occurred, and may have been leveraged to obtain unauthorized access to an organization's AWS resources. NOTE: the problem could only occur if an authorized AWS user removed an Authentication component. (The vulnerability did not give a threat actor the ability to remove an Authentication component.) However, in realistic situations, an authorized AWS user may have removed an Authentication component, e.g., if the objective were to stop using built-in Cognito resources, or move to a completely different identity provider.
When the Authentication component is removed from an Amplify project, the CLI tool incorrectly leaves an 'Effect':'Allow' entry in the IAM role's trust policy while removing the Condition property that limited the scope of trust. As a result, the sts:AssumeRoleWithWebIdentity operation becomes available without any conditions for any external principal. The situation applies to projects where the Authentication component was removed between August 2019 and January 2024. It is worth noting that the vulnerability itself did not give the attacker the ability to remove the Authentication component — this required action by an authorized AWS user.
An attacker can perform an 'assume role' operation on an incorrectly configured IAM role and gain unauthorized access to an organization's AWS resources, potentially taking control of its cloud infrastructure.
Amazon Amplify CLI should be updated to version 12.10.1 or later. Additionally, it is recommended to review the trust policies of IAM roles associated with Amplify projects where the Authentication component was removed during the specified period, and manually remove excess 'Effect':'Allow' entries without proper Condition properties. Detailed instructions are available in the AWS security bulletin AWS-2024-003.
Amazon Amplify CLI in all versions before 12.10.1, in cases of projects where the Authentication component was removed during the period from August 2019 to January 2024
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAmazon Amplify Cli
APPAmazon< 12.10.1
Related vulnerabilities
Nieprawidłowa walidacja certyfikatów w Amazon Athena ODBC Driver — atak MITM
Niewystarczające zabezpieczenia uwierzytelniania w Amazon Athena ODBC Driver
Cisco ISE w chmurze: współdzielone statyczne poświadczenia umożliwiają nieautoryzowany dostęp
Buffer over-read w parserze DNS biblioteki FreeRTOS-Plus-TCP
Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary v...