
Overly Permissive Trust Policy in Harmonix on AWS EKS

Posted on: Dec 15, 2025

Bulletin ID: AWS-2025-031
Scope: AWS
Content Type: Informational
Publication Date: 2025/12/15 11:45 AM PST

Description:

Harmonix on AWS is an open source reference architecture and implementation of a Developer Platform that extends the CNCF Backstage project. We identified CVE-2025-14503 where an overly-permissive IAM trust policy in the Harmonix on AWS framework may allow authenticated users to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any account principal with sts:AssumeRole permissions to assume the role with administrative privileges.

Impacted versions: v0.3.0 through v0.4.1

Resolution:

This issue has been addressed in Harmonix on AWS version 0.4.2. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds:

If you cannot immediately upgrade to version 0.4.2 or later, we recommend reviewing and restricting the IAM trust policies in your Harmonix on AWS deployment, particularly focusing on the EKS environment provisioning role to ensure it does not trust the account root principal. The provisioning role from the sample code can be found in the IAM console and will have the following name pattern:

    *-eks-*-provisioning-role

CloudTrail events can be reviewed and monitored for ‘AssumeRole’ event names where the requestParameters.roleArn field includes the ARN of the provisioning role.
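The two checks described above, as an added example that is not part of the bulletin or the Harmonix project code: one function flags a trust policy that grants sts:AssumeRole to the account root principal, the other filters CloudTrail records for AssumeRole calls on a role matching the *-eks-*-provisioning-role pattern. The account id 111122223333 and the role name HarmonixPlatformRole are placeholders; the restricted policy only illustrates the shape of a narrower trust relationship, and the principal to trust is deployment-specific.

```python
import json
import re

# Constructed trust policy in the shape the bulletin describes: the role
# trusts the account root principal (account id is a placeholder).
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}],
})
# Restricted shape: trust only one named role (hypothetical principal).
RESTRICTED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/HarmonixPlatformRole"}}],
})

# A bare 12-digit account id in a Principal is equivalent to the root ARN.
ROOT_PRINCIPAL = re.compile(r"^(arn:aws:iam::\d{12}:root|\d{12})$")
# Name pattern of the provisioning role from the bulletin: *-eks-*-provisioning-role
PROVISIONING_ROLE = re.compile(r"^.+-eks-.+-provisioning-role$")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def trusts_account_root(policy_json: str) -> bool:
    """True if an Allow statement grants sts:AssumeRole to an account root
    principal or to the wildcard "*" (which is broader still)."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not {"sts:AssumeRole", "sts:*", "*"} & set(_as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        for p in _as_list(principal.get("AWS") if isinstance(principal, dict) else None):
            if p == "*" or ROOT_PRINCIPAL.match(p):
                return True
    return False

def provisioning_role_assumptions(events: list) -> list:
    """Return CloudTrail records that are AssumeRole calls whose
    requestParameters.roleArn names a *-eks-*-provisioning-role."""
    hits = []
    for ev in events:
        role_arn = (ev.get("requestParameters") or {}).get("roleArn", "")
        if ev.get("eventName") == "AssumeRole" and PROVISIONING_ROLE.match(role_arn.rsplit("/", 1)[-1]):
            hits.append(ev)
    return hits
```

Feed trusts_account_root the output of get-role's AssumeRolePolicyDocument for each role matching the pattern, and provisioning_role_assumptions the Records array of a CloudTrail log file or lookup-events result.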

References:

Acknowledgement:

We would like to thank security researcher r00tdaddy for collaborating on this issue through the coordinated vulnerability disclosure process.

Please email aws-security@amazon.com with any security questions or concerns.