Initial Publication Date: 2022/01/13 13:00 PST
Security researchers recently identified and reported an issue in AWS CloudFormation. Specifically, the reported issue was in the AWS CloudFormation service itself, which allowed viewing of some local configuration files on an AWS-internal host or attempted unauthenticated HTTP GET requests from the same host. The researchers utilized the HTTP GET capability to obtain a set of locally accessible credentials specific to the host. Neither the local configuration file access nor the host-specific credentials permitted access to any customer data or resources.
AWS took immediate action to correct this issue when it was reported and verified that the technique described by the researchers could not be used to access customer data or resources. Extensive log analysis has verified the researchers activity was limited to the specific AWS CloudFormation host. AWS customers were not impacted by this reported concern, and there are no customer actions required.
We would like to thank Orca Security for reporting this issue.
Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.