Add Ben Reser's MWAA vuln

Question

Add Ben Reser's MWAA vuln

0xdabbad00 opened this issue 2 years ago · 1 comments

https://cloudsecurityforum.slack.com/archives/C6DN616HG/p1653611790045629

I found a security vulnerability in MWAA (Amazon Managed Workflows for Apache Airflow) that has been fixed so now I can talk about it. Specifically there are two API calls that the service uses to convert IAM credentials into tokens that can be used to login to airflow. The CreateCliToken and CreateWebLoginToken were logging the tokens to CloudTrail. The event used included the hostname for the airflow server, so everything required to login to the server was in the event.

Reported May 11th, fixed May 22.

tokens are only valid for 60 seconds and CloudTrail log delivery is not fast enough that they are valid by the time an AWS customer can see them.

Answer 1 · 2022-05-31T19:12:40.000Z

Mentioned on twitter publicly in this thread: https://twitter.com/BenReser/status/1531710736719695872