all InfoSec news logo
all InfoSec news - Your InfoSec news aggregator
Log in Sign up
all InfoSec news

A Confused Deputy Vulnerability in AWS AppSync

Add to bookmarks
Nov. 21, 2022, midnight |

Datadog Security Labs securitylabs.datadoghq.com

We have identified a cross-tenant vulnerability in Amazon Web Services (AWS) that exploits AWS AppSync. This attack abuses the AppSync service to assume IAM roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts. This blog post describes how we discovered the vulnerability, a proof of concept showing how we performed sts:AssumeRole into roles that trust the AppSync service, and our disclosure process with the AWS team.


The …

appsync aws vulnerability

Visit resource

More from securitylabs.datadoghq.com / Datadog Security Labs

Amplified exposure: How AWS flaws made Amplify IAM roles vulnerable to takeover 3 weeks ago | securitylabs.datadoghq.com
amplify aws disclosure exposed +11
The XZ Utils backdoor (CVE-2024-3094): Everything you need to know, and more 1 month ago | securitylabs.datadoghq.com
ages backdoor backdoors cve +9
A threat-informed roadmap for securing Kubernetes clusters (KubeCon EU 2024) 1 month, 2 weeks ago | securitylabs.datadoghq.com
attacks clusters controls kubecon +8
Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns 1 month, 3 weeks ago | securitylabs.datadoghq.com
aws campaign campaigns cloud +5
Kubernetes security fundamentals: Authentication 2 months, 3 weeks ago | securitylabs.datadoghq.com
authentication fundamentals kubernetes kubernetes security +1
An analysis of a TeamTNT doppelgänger 3 months ago | securitylabs.datadoghq.com
analysis api api endpoints backdoors +7
Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining 3 months, 2 weeks ago | securitylabs.datadoghq.com
amazon amazon ecs attacks aws +11
From IRC to Instant Messaging: The Rise of Malware Communication via Chat Platforms 3 months, 3 weeks ago | securitylabs.datadoghq.com
chat communication datadog instant messaging +9
Highlights from Datadog Security Labs in 2023 4 months ago | securitylabs.datadoghq.com
datadog labs security

Jobs in InfoSec / Cybersecurity

Post a job on infosec-jobs.com Find talent on infosec-jobs.com

Consultant Sécurité SI H/F Gouvernance - Risques - Conformité - Nantes

@ Hifield | Saint-Herblain, France
View on infosec-jobs.com

L2 Security - Senior Security Engineer

@ Paytm | Noida, Uttar Pradesh
View on infosec-jobs.com

GRC Integrity Program Manager

@ Meta | Bellevue, WA | Menlo Park, CA | Washington, DC | New York City
View on infosec-jobs.com

Consultant Active Directory H/F

@ Hifield | Sèvres, France
View on infosec-jobs.com

Consultant PCI-DSS H/F

@ Hifield | Sèvres, France
View on infosec-jobs.com

Head of Security Operations

@ Canonical Ltd. | Home based - Americas, EMEA
View on infosec-jobs.com
View more jobs