all InfoSec news
A Confused Deputy Vulnerability in AWS AppSync
Nov. 21, 2022, midnight |
Datadog Security Labs securitylabs.datadoghq.com
We have identified a cross-tenant vulnerability in Amazon Web Services (AWS) that exploits AWS AppSync. This attack abuses the AppSync service to assume IAM roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts. This blog post describes how we discovered the vulnerability, a proof of concept showing how we performed sts:AssumeRole into roles that trust the AppSync service, and our disclosure process with the AWS team.
The …
More from securitylabs.datadoghq.com / Datadog Security Labs
Jobs in InfoSec / Cybersecurity
Consultant Sécurité SI H/F Gouvernance - Risques - Conformité - Nantes
@ Hifield | Saint-Herblain, France
L2 Security - Senior Security Engineer
@ Paytm | Noida, Uttar Pradesh
GRC Integrity Program Manager
@ Meta | Bellevue, WA | Menlo Park, CA | Washington, DC | New York City
Consultant Active Directory H/F
@ Hifield | Sèvres, France
Consultant PCI-DSS H/F
@ Hifield | Sèvres, France
Head of Security Operations
@ Canonical Ltd. | Home based - Americas, EMEA