Aqua Security this week at the Black Hat USA 2024 conference revealed that it has discovered six vulnerabilities in the cloud services provided by Amazon Web Services (AWS).
The vulnerabilities, since remediated, included issues involving remote code execution (RCE), full-service user takeover that could potentially be escalated to enable administrative access, manipulation of artificial intelligence (AI) modules, exposure of sensitive data, data exfiltration and denial of service.
The vulnerabilities were found in the following AWS services: CloudFormation, Glue, EMR, SageMaker, ServiceCatalog and CodeStar. When any of these services is used in a new region for the first time, an S3 bucket is automatically created with a certain name. That name is built from the name of the service, the AWS account ID and the name of the region. As a result, across all AWS regions, the bucket name remains the same, differing only by the region name.
Aqua Nautilus researchers discovered how cyberattackers could discover the buckets’ names or guess the predictable parts of a bucket name. Subsequently, using a method dubbed “Bucket Monopoly,” the attackers can create these buckets in advance in all available regions, essentially performing a land grab, and then store malicious code in the buckets.
When the targeted organization enables the service in a new region for the first time, the malicious code will be unknowingly executed by the targeted organization, potentially resulting in the creation of an administrative user in the targeted organization granting control to the attackers.
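A defender can check for exactly this situation before enabling one of these services in a new region. The following is an added example, not code from Aqua Security's research or from AWS: it builds each region's predictable bucket name, probes it with HeadBucket using ExpectedBucketOwner, and classifies the outcome as owned, foreign (claimed by another account) or unclaimed. The `<prefix>-<account-id>-<region>` layout, the region list and the account ID are assumptions; the article does not give the real per-service naming format.

```python
"""Audit predictable, region-suffixed S3 bucket names across regions.

Added example, not from Aqua Security or AWS. The name layout used here is
an assumption: the article only says the name combines the service name,
the AWS account ID and the region name.
"""
from typing import Callable, Dict, List

# Constructed subset of regions; a real audit would list all enabled regions.
REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]


def predictable_name(service_prefix: str, account_id: str, region: str) -> str:
    """Hypothetical layout; real per-service prefixes are not on the page."""
    return f"{service_prefix}-{account_id}-{region}"


def classify(status: int) -> str:
    """Map a HeadBucket HTTP status (with ExpectedBucketOwner set) to a risk class.

    200 -> bucket exists and the owner check passed: it is ours.
    403 -> bucket exists but is not ours (or we are denied): never let a
           service write to it; treat as a possible pre-claimed bucket.
    404 -> nobody has the name yet: create it in our account now, before
           the service is enabled there, so it cannot be land-grabbed.
    """
    return {200: "owned", 403: "foreign", 404: "unclaimed"}.get(status, "unknown")


def audit(service_prefix: str, account_id: str, head: Callable[[str], int],
          regions: List[str] = REGIONS) -> Dict[str, str]:
    """Probe every region's predictable name; `head` returns an HTTP status."""
    return {r: classify(head(predictable_name(service_prefix, account_id, r)))
            for r in regions}


def unsafe_regions(result: Dict[str, str]) -> List[str]:
    """Regions where the expected bucket is already held by someone else."""
    return sorted(r for r, c in result.items() if c == "foreign")


def boto3_head(account_id: str) -> Callable[[str], int]:
    """Real probe: ExpectedBucketOwner makes a 200 prove the bucket is ours."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")

    def head(name: str) -> int:
        try:
            s3.head_bucket(Bucket=name, ExpectedBucketOwner=account_id)
            return 200
        except ClientError as exc:
            return int(exc.response["ResponseMetadata"]["HTTPStatusCode"])
    return head
```

Run `audit("cf", "<account-id>", boto3_head("<account-id>"))` with credentials for the account; any region reported as "foreign" deserves investigation before the service is turned on there.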
Assaf Morag, senior leader for the Aqua Nautilus research team, said that the issues primarily stemmed from how the cloud services were configured by AWS, and that cybersecurity teams should check to make sure other cloud services are not making similar mistakes. There’s no evidence that cybercriminals have been able to exploit these flaws, but they typically don’t disclose the tactics and techniques they use either.
More than a decade after the first adoption of cloud computing services, organizations are still wrestling with cloud security issues. In general, notwithstanding the AWS issues uncovered by Aqua Security, the underlying cloud infrastructure platforms are more secure than on-premises platforms. However, the processes for configuring and deploying applications in the cloud remain vulnerable. Many cloud services are configured directly by developers who typically don’t have a lot of cybersecurity expertise.
At the same time, cloud computing environments are more challenging to secure given the highly dynamic nature of the workloads deployed on those platforms. It’s not uncommon for multiple changes to be made to these platforms daily. Keeping up with that rate of change is often beyond the ability of cybersecurity teams that are supposed to be accountable for ensuring cloud security.
On the plus side, however, there is more focus than ever on cloud security, noted Morag. As more workloads are deployed in the cloud the number of researchers focusing on cloud security continues to increase.
Unfortunately, cybercriminals are avid readers of that research, so the amount of time organizations have to address an issue once it is discovered continues to diminish, an issue that is only likely to be increasingly exacerbated by artificial intelligence (AI) tools that promise to make it simpler for almost anyone to figure out how to exploit a vulnerability.