Datadog security researchers have detected a cross-tenant vulnerability in AWS AppSync, a popular Amazon Web Services (AWS) service that lets developers quickly create GraphQL and Pub/Sub APIs.
The vulnerability stems from a case-sensitivity parsing issue in the AppSync service: AppSync validates that a caller-supplied IAM role belongs to the caller's own account, but that check could be bypassed by supplying the role parameter under a different casing that the service's back end still accepted. This could be used to bypass AppSync's cross-account role usage validations and take actions as the service across customer accounts, so a successful exploit lets a threat actor have AppSync assume Identity and Access Management (IAM) roles in other AWS accounts. As with any confused-deputy issue, the target role still had to trust the AppSync service principal for the assumption to succeed.
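To make the bug class concrete, the following Python model is an added illustration written for this page; it is not AppSync code, and the parameter name, account IDs and ARN values are hypothetical. It pairs a case-sensitive validator with a case-insensitive consumer, shows how a case-variant key lets a foreign-account role slip past the account check, and then gives a hardened form that canonicalizes the parameters once and validates exactly the value the back end will use.

```python
import re

# Hypothetical names for illustration only; not taken from AppSync or the article.
ROLE_PARAM = "roleArn"            # the key the validator looks for, spelled exactly
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def account_of(role_arn):
    """Return the 12-digit account ID embedded in an IAM role ARN."""
    m = ARN_RE.match(role_arn)
    if not m:
        raise ValueError("malformed role ARN: %r" % role_arn)
    return m.group(1)


def vulnerable_resolve_role(params, caller_account):
    """Validation layer and back end disagree on how keys are matched.

    The validator only inspects the parameter when it is spelled exactly
    ROLE_PARAM, but the back end that actually uses the role looks the key
    up case-insensitively. A caller who sends the key under a different
    casing is never validated, yet the role is still picked up and used.
    """
    if ROLE_PARAM in params:                      # case-sensitive check
        if account_of(params[ROLE_PARAM]) != caller_account:
            raise PermissionError("role must belong to the calling account")
    lowered = {k.lower(): v for k, v in params.items()}
    return lowered.get(ROLE_PARAM.lower())        # case-insensitive use


def hardened_resolve_role(params, caller_account):
    """Canonicalize once, reject ambiguity, validate exactly what will be used."""
    canonical = {}
    for key, value in params.items():
        folded = key.lower()
        if folded in canonical:
            raise ValueError("parameter supplied twice under different casing: %r" % key)
        canonical[folded] = value
    unknown = set(canonical) - {ROLE_PARAM.lower()}
    if unknown:
        raise ValueError("unknown parameters: %s" % sorted(unknown))
    role_arn = canonical.get(ROLE_PARAM.lower())
    if role_arn is not None and account_of(role_arn) != caller_account:
        raise PermissionError("role must belong to the calling account")
    return role_arn


def attempt(resolver, params, caller_account):
    """Run a resolver and summarize the outcome as a short string for comparison."""
    try:
        role = resolver(params, caller_account)
    except PermissionError:
        return "rejected"
    except ValueError:
        return "invalid"
    return ("assumed:" + account_of(role)) if role else "no-role"


if __name__ == "__main__":
    caller = "111111111111"                       # constructed account IDs
    foreign = "arn:aws:iam::222222222222:role/victim-service-role"
    for name, fn in (("vulnerable", vulnerable_resolve_role),
                     ("hardened", hardened_resolve_role)):
        print(name, "exact key   :", attempt(fn, {"roleArn": foreign}, caller))
        print(name, "case variant:", attempt(fn, {"roleARN": foreign}, caller))
```

The vulnerable resolver rejects a foreign-account role when the key is spelled exactly, but accepts the same role when the key arrives as a case variant, because the validator and the consumer are reading two different views of the request. The hardened version folds every key once, refuses requests that supply the same parameter under two spellings, and runs the account check on the folded view that the back end uses, so there is no second path around the validation.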
Datadog detected the vulnerability on September 1, 2022 and reported it to AWS immediately. AWS reproduced the attack, verified its impact, and deployed a fix. Amazon then released a statement on Monday, November 21, confirming the details of the vulnerability and stating that no customers were affected. Amazon customers do not need to take any action in response.