CVE-2024-28056
📋 TL;DR
AWS Amplify CLI versions before 12.10.1 incorrectly configure IAM role trust policies when removing the Authentication component, leaving sts:AssumeRoleWithWebIdentity permissions without conditions. This allows threat actors to potentially assume IAM roles and access AWS resources. Organizations that used Amplify CLI to remove Authentication components between August 2019 and January 2024 are affected.
💻 Affected Systems
- AWS Amplify CLI
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Threat actors gain unauthorized access to AWS resources through IAM role assumption, potentially leading to data exfiltration, resource hijacking, or complete account compromise.
Likely Case
Unauthorized access to specific AWS resources associated with the vulnerable IAM roles, potentially enabling privilege escalation within the AWS environment.
If Mitigated
Limited impact due to proper IAM policies, monitoring, and the requirement that an authorized user must have removed the Authentication component first.
🎯 Exploit Status
Exploitation requires knowledge of vulnerable IAM roles and the ability to use sts:AssumeRoleWithWebIdentity. The vulnerability was publicly disclosed with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.10.1
Vendor Advisory: https://aws.amazon.com/security/security-bulletins/AWS-2024-003/
Restart Required: No
Instructions:
1. Update AWS Amplify CLI to version 12.10.1 or later using 'npm update -g @aws-amplify/cli'.
2. Review and update IAM role trust policies for all Amplify projects where the Authentication component was removed.
3. Consider rotating IAM role credentials.
🔧 Temporary Workarounds
Manual IAM Policy Review and Update
Manually review and update IAM role trust policies to ensure proper conditions are present for sts:AssumeRoleWithWebIdentity.
aws iam get-role --role-name ROLE_NAME
aws iam update-assume-role-policy --role-name ROLE_NAME --policy-document file://updated-policy.json
🧯 If You Can't Patch
- Review all IAM role trust policies in AWS accounts using CloudTrail and IAM Access Analyzer
- Implement strict monitoring for sts:AssumeRoleWithWebIdentity API calls and set up alerts for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the Amplify CLI version with 'amplify --version' and verify whether it is below 12.10.1. Review IAM role trust policies for Amplify projects where Authentication was removed.
Check Version:
amplify --version
Verify Fix Applied:
Confirm Amplify CLI version is 12.10.1 or higher. Validate IAM role trust policies have proper Condition properties for sts:AssumeRoleWithWebIdentity.
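As an added example (not part of the advisory or of Amplify's own code), a small Python audit that applies the check from the workaround and verification steps above to the output of 'aws iam get-role': it flags any Allow statement that grants sts:AssumeRoleWithWebIdentity with no Condition block. The sample trust policies, the identity-pool ID placeholder and the Cognito condition keys in the fixed sample are constructed for illustration.

```python
import json
from urllib.parse import unquote

# Constructed sample trust policies (not from the advisory or from Amplify).
# VULNERABLE_TRUST mirrors the flaw: the Allow has no Condition, so any identity the
# Cognito identity-pool service vouches for, from any pool, could assume the role.
VULNERABLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity"}]}
# FIXED_TRUST pins the role to one identity pool (aud) and to authenticated identities (amr).
FIXED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Sid": "CognitoAuthenticated",
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-1:PLACEHOLDER-IDENTITY-POOL-ID"},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]}

def _as_list(v):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [] if v is None else (v if isinstance(v, list) else [v])

def unconditioned_web_identity_statements(trust_policy):
    """Return labels of Allow statements that grant sts:AssumeRoleWithWebIdentity
    (or sts:*) without any Condition block. An empty list means the role is clean."""
    findings = []
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        grants = any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*")
                     for a in _as_list(stmt.get("Action")))
        if stmt.get("Effect") == "Allow" and grants and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings

def audit_get_role_output(raw_json):
    """Audit the JSON printed by `aws iam get-role --role-name ROLE_NAME`.
    The CLI emits AssumeRolePolicyDocument as a decoded object; the raw API returns
    a URL-encoded string, so both forms are accepted."""
    doc = json.loads(raw_json)["Role"]["AssumeRolePolicyDocument"]
    if isinstance(doc, str):
        doc = json.loads(unquote(doc))
    return unconditioned_web_identity_statements(doc)

if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_TRUST), ("fixed", FIXED_TRUST)):
        raw = json.dumps({"Role": {"RoleName": name, "AssumeRolePolicyDocument": policy}})
        print(name, "->", audit_get_role_output(raw) or "OK")
```

Run it against every Amplify-created role (for example by looping over 'aws iam list-roles' output); a non-empty result is a role whose trust policy still needs the Condition restored.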
📡 Detection & Monitoring
Log Indicators:
- CloudTrail logs showing sts:AssumeRoleWithWebIdentity calls without expected conditions
- Unexpected IAM role assumptions from unfamiliar identities
Network Indicators:
- Unusual API call patterns to AWS STS service
SIEM Query:
source="aws.cloudtrail" eventName="AssumeRoleWithWebIdentity" | where !has_field("requestParameters.condition")
🔗 References
- https://aws.amazon.com/security/security-bulletins/AWS-2024-003/
- https://github.com/aws-amplify/amplify-cli/blob/8ad57bf99a404f3c92547c8a175458016f682fac/packages/amplify-provider-awscloudformation/resources/update-idp-roles-cfn.json
- https://github.com/aws-amplify/amplify-cli/commit/73b08dc424db2fb60399c5343c314e02e849d4a1
- https://github.com/aws-amplify/amplify-cli/releases/tag/v12.10.1
- https://securitylabs.datadoghq.com/articles/amplified-exposure-how-aws-flaws-made-amplify-iam-roles-vulnerable-to-takeover/