IAM Role Vulnerable to CVE-2024-28056
Overview
This check identifies IAM roles that are vulnerable to CVE-2024-28056. The vulnerability allows an attacker to assume an IAM role with a misconfigured trust policy that references 'cognito-identity.amazonaws.com' as the trusted principal without proper conditions.
To be considered vulnerable, the role's trust policy must allow the 'cognito-identity.amazonaws.com' service to assume the role using the 'sts:AssumeRoleWithWebIdentity' action without including conditions to restrict access to specific Amazon Cognito Identity Pools using the 'cognito-identity.amazonaws.com:aud' claim.
The vulnerability primarily affected roles created by unpatched versions of Amplify CLI and Amplify Studio, but roles created by other means with the same trust-policy pattern are equally affected. AWS has implemented mitigations in the AWS Security Token Service (STS) and the IAM control plane to prevent the creation and assumption of roles with vulnerable trust policies. However, this check aims to identify any existing roles that may have been created before these mitigations were put in place.
To remediate this issue, ensure that the role's trust policy includes conditions that restrict the 'cognito-identity.amazonaws.com:aud' claim to specific Amazon Cognito Identity Pools and the 'cognito-identity.amazonaws.com:amr' claim to 'authenticated'.
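The trust-policy test described above, as an added example (not part of this check's own implementation): it flags Allow statements that let the cognito-identity.amazonaws.com federated principal call sts:AssumeRoleWithWebIdentity without a condition pinning the :aud claim, and reports a missing :amr condition separately. The two sample policies and the identity pool id in them are constructed placeholders.

```python
import json

COGNITO = "cognito-identity.amazonaws.com"
AUD_KEY = COGNITO + ":aud"
AMR_KEY = COGNITO + ":amr"
ASSUME_WEB = "sts:assumerolewithwebidentity"  # compared case-insensitively


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(condition, key):
    """Collect every value set for `key` across all condition operators (keys are case-insensitive)."""
    values = []
    for operator_map in (condition or {}).values():
        for cond_key, cond_val in operator_map.items():
            if cond_key.lower() == key:
                values.extend(_as_list(cond_val))
    return values


def vulnerable_statements(trust_policy):
    """Return findings for statements matching the CVE-2024-28056 pattern."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if COGNITO not in _as_list(principal.get("Federated")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if ASSUME_WEB not in actions and "sts:*" not in actions:
            continue
        aud = _condition_values(stmt.get("Condition"), AUD_KEY)
        if not aud or "*" in aud:  # absent or wildcard :aud means any identity pool may assume the role
            findings.append({"sid": stmt.get("Sid"), "issue": "no aud condition"})
        elif not _condition_values(stmt.get("Condition"), AMR_KEY):
            findings.append({"sid": stmt.get("Sid"), "issue": "no amr condition"})
    return findings


# Constructed sample policies; the identity pool id is a placeholder, not a real pool.
VULNERABLE = {"Version": "2012-10-17", "Statement": [{"Sid": "Amplify", "Effect": "Allow",
    "Principal": {"Federated": COGNITO}, "Action": "sts:AssumeRoleWithWebIdentity"}]}
FIXED = json.loads(json.dumps(VULNERABLE))
FIXED["Statement"][0]["Condition"] = {
    "StringEquals": {AUD_KEY: "us-east-1:00000000-0000-0000-0000-000000000000"},
    "ForAnyValue:StringLike": {AMR_KEY: "authenticated"}}
```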
Vendor
AWS
Cloud Service
IAM
References
https://aws.amazon.com/security/security-bulletins/AWS-2024-003/
https://securitylabs.datadoghq.com/articles/amplified-exposure-how-aws-flaws-made-amplify-iam-roles-vulnerable-to-takeover/#potential-misconfiguration-1-trust-policy-without-a-condition
Severity
4
Item Types
AWS::IAM::Role