Amazon Web Services (AWS) fixed a cross-tenant flaw in AWS AppSync that could allow miscreants to abuse that cloud service to assume identity and access management roles in other AWS accounts, and then gain access to and control over those resources.
Security researchers at Datadog identified the bug and reported it to AWS on September 1. Five days later the tech giant pushed a fix to the AppSync service, which Datadog confirmed solved the problem.
No customers were affected by the vulnerability and no customer action is required, according to AWS.
In a statement posted on Monday, the cloud services provider thanked Datadog for reporting the “case-sensitivity parsing issue” in AppSync.
“AWS moved immediately to correct this issue when it was reported,” it read. “Analysis of logs going back to the launch of the service has been conducted and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer accounts were impacted.”
AWS AppSync provides a GraphQL interface for application developers to combine data from Amazon DynamoDB, AWS Lambda, and external APIs like Datadog. In addition to predefined data sources, developers can create integrations to allow AppSync to directly call APIs by creating a role that gives AppSync the required identity and access management (IAM) permissions.
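The role described above is the lever a cross-tenant bug of this kind pulls: if a role's trust policy lets the AppSync service principal assume it without saying which account's AppSync API may do so, a deputy that can be confused about who it is acting for can be pointed at that role. The added example below (written for this page; not code from AWS, Datadog or the article) audits IAM trust policy documents and flags statements that trust a service principal without an `aws:SourceAccount` or `aws:SourceArn` condition, the usual mitigation for confused-deputy exposure. The role names, account ID and policy documents are constructed sample data, and the set of condition operators treated as restrictive is an assumption of this script.

```python
"""Audit IAM role trust policies for confused-deputy exposure.

Added example, not code from the article, AWS or Datadog. A statement that
lets a service principal (here appsync.amazonaws.com) call sts:AssumeRole
with no aws:SourceAccount / aws:SourceArn condition allows that service to
assume the role regardless of which AWS account asked it to. Role names and
account IDs below are constructed sample data.
"""
import json

# Global condition keys that pin the calling service to a specific owner/resource.
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}

# Condition operators under which a SOURCE_KEY actually constrains the caller
# (assumption: other operators, e.g. StringNotEquals or Null, are not treated
# as a restriction by this audit).
RESTRICTIVE_OPERATORS = {"stringequals", "stringlike", "arnequals", "arnlike"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _service_principals(statement):
    """Lower-cased service principals named in the statement ('*' if wildcard)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    return [s.lower() for s in _as_list(principal.get("Service", []))]


def _has_source_restriction(statement):
    """True if a restrictive operator pins aws:SourceAccount or aws:SourceArn."""
    for operator, keys in statement.get("Condition", {}).items():
        op = operator.lower().split(":")[-1]  # drop ForAnyValue:/ForAllValues: prefix
        if op not in RESTRICTIVE_OPERATORS:
            continue
        for key, value in keys.items():
            if key.lower() in SOURCE_KEYS and value not in ("", "*", ["*"]):
                return True
    return False


def audit_trust_policy(role_name, policy, service="appsync.amazonaws.com"):
    """Return findings for Allow statements that let `service` assume the role
    without a source-account / source-ARN condition."""
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(statement.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principals = _service_principals(statement)
        if service not in principals and "*" not in principals:
            continue
        if not _has_source_restriction(statement):
            findings.append({
                "role": role_name,
                "service": service,
                "reason": "service principal may assume this role on behalf of any "
                          "AWS account (no aws:SourceAccount / aws:SourceArn condition)",
            })
    return findings


def audit_roles(roles, service="appsync.amazonaws.com"):
    """roles: mapping of role name -> trust policy document (dict or JSON string)."""
    findings = []
    for name, doc in roles.items():
        policy = json.loads(doc) if isinstance(doc, str) else doc
        findings.extend(audit_trust_policy(name, policy, service))
    return findings


# Constructed sample: the exposed pattern (trusts the service from any account).
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: same role, pinned to one account's AppSync APIs.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111111111111"},
            "ArnLike": {"aws:SourceArn": "arn:aws:appsync:us-east-1:111111111111:apis/*"},
        },
    }],
}

if __name__ == "__main__":
    sample = {
        "AppSyncDataSourceRole-weak": json.dumps(WEAK_TRUST_POLICY),
        "AppSyncDataSourceRole-hardened": HARDENED_TRUST_POLICY,
    }
    for finding in audit_roles(sample):
        print(f"[{finding['role']}] {finding['service']}: {finding['reason']}")
```

In practice the `roles` mapping would be filled from `iam:ListRoles` output (the `AssumeRolePolicyDocument` field of each role), and the same check applies to any service principal that acts on a customer's behalf, not only AppSync.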
Because Datadog integrates with AppSync, the company’s security researchers wanted to see if they could “trick” the AWS service into assuming a role and then accessing and controlling resources from other data