A security vulnerability called “cross-tenant” has been detected by Datadog researchers in AppSync, a popular Amazon Web Services (AWS) tool. AppSync is a popular AWS service that allows developers to quickly create GraphQL and Pub/Sub APIs.
The vulnerability is due to a case-sensitivity parsing issue of the AppSync service that could potentially be used to bypass cross-account role usage validations and act as a service on customer accounts. Successful vulnerability exploitation allows threat actors to assume Identity and Access Management (IAM) roles in other AWS accounts.
