Researchers on Thursday reported a misconfiguration issue in the AWS Glue data integration service that could let a threat actor escalate privileges within an account and obtain unrestricted access to all resources for the service, including full administrative privileges.
Once notified of the issue, an AWS spokesperson said the company took action to mitigate it within hours and added additional controls to prevent any recurrence. The cloud provider confirmed that no AWS customer accounts or data were affected.
In a blog post by Orca Security, the researchers explained that AWS Glue makes it easy for IT teams to discover, prepare, and combine data for analytics, machine learning, and application development. Access to an AWS Glue account could let threat actors obtain the data of other AWS Glue customers, a serious violation of one of the cloud’s core principles.
“One core principle is the idea that each customer is isolated from other customers, and no data can be inadvertently accessed across accounts,” said the researchers. “As the internet moves more and more to the cloud, the importance of cloud security becomes increasingly paramount.”
AWS permissions are very difficult to get right, and that’s a big reason we still see issues like AWS S3 bucket leaks, said Michael Isbitski, technical evangelist at Salt Security. Isbitski said organizations often over-permission and trust AWS services liberally.
“The Orca researchers executed a complex attack chain where they were able to escalate privileges within the AWS Glue service and then pivot to access other AWS resources of other AWS customer accounts where the AWS Glue service was inherently trusted,” Isbitski said. “Plus, the initial attack vector was a misconfiguration flaw within the AWS Glue service API.”
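As an added illustration of Isbitski's point about trusting AWS services liberally (example code written for this page, not Orca's or AWS's), the check below flags IAM role trust policies that let a service principal such as glue.amazonaws.com call sts:AssumeRole without the aws:SourceAccount or aws:SourceArn conditions AWS documents for cross-service confused-deputy prevention. The two policy documents and the account ID are constructed placeholders, and the check models that general guidance rather than the specific flaw the article describes.

```python
# Constructed sample trust policies (not from the article). The first trusts
# glue.amazonaws.com without restricting which account's Glue resources may
# assume the role; the second adds the conditions AWS documents for
# cross-service confused-deputy prevention. The account id is a placeholder.
LOOSE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "glue.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

SCOPED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "glue.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnLike": {"aws:SourceArn": "arn:aws:glue:us-east-1:111122223333:*"},
        },
    }],
}

# Condition keys that pin a service-principal trust to the caller's own resources.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}

def _as_list(value):
    """IAM lets most policy fields be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def unscoped_service_trusts(policy):
    """Return the service principals this trust policy allows to assume the role
    with no aws:SourceAccount / aws:SourceArn condition on the statement."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        # Only AWS service principals are in scope here; a wildcard or account
        # principal is a different (and usually more serious) finding.
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & SCOPING_KEYS:
            findings.extend(_as_list(principal.get("Service", [])))
    return findings
```

Run against each role's AssumeRolePolicyDocument from an IAM export; any non-empty result is a role that any use of that service, from any account, could assume.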
John Morgan, CEO at Confluera, added that if an attacker wants in, they will find a way via vulnerabilities, misconfigurations, supply chain contamination, or other ways.
“We need to keep plugging the holes as Orca is doing, but also understand there are more holes than we know about,” Morgan said. “An organization must have technologies that assume attacks get in, find them, and stop the attack before it does any damage.”