Hello! I found a potential risk in the image-resizer-service when I deployed it in the AWS Serverless Application Repository.
Detailed Analysis:
Before the image-resizer-service is deployed, it needs a parameter, which is the name of an S3 bucket. The S3 bucket must exist prior to deployment, but I found that I could supply the name of a bucket that didn't exist, even "*", which caused the permissions of the IAM role assigned to the application to be escalated. By the way, the runtime of this application must be nodejs18.x, but the runtime in the template is nodejs12.x.
Impact:
Normally, the IAM role can only operate on the objects of the specific S3 bucket. But if the parameter is "*", the role can operate on the objects of all S3 buckets.
Mitigation Discussion:
The parameter which is the name of the S3 bucket should be checked before the application is deployed. It must be ensured that the bucket exists and that illegal parameter values are filtered out.
The version of runtime in the template should be updated to nodejs18.x.
A Few Questions:
Is it a real issue in the uploader?
If it's a real issue, can any of my suggestions be used to solve this problem?
By the way, I have reported this issue to the AWS security team, and they said this problem cannot be resolved by AWS. But I didn't find your email, so I have to report this potential risk by creating a GitHub issue. I'm sorry if this causes any inconvenience.
Looking forward to your reply.
Regards,
Xunqi Liu
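The following is an added example, not code from the image-resizer-service or from the reporter. It shows the pre-deployment check the report asks for: the bucket-name parameter is validated against the S3 bucket naming rules before it is interpolated into the IAM policy's resource ARN, so a value such as "*" is rejected instead of producing `arn:aws:s3:::*/*`. The function names (`validate_bucket_name`, `bucket_object_arn`, `naive_object_arn`) and the `ALLOWED_PATTERN` constant are assumptions chosen for this example; the naming rules implemented are a subset of AWS's published rules for general purpose buckets.

```python
import re
from ipaddress import ip_address

# Core S3 general purpose bucket naming rules: 3-63 characters, lowercase
# letters, digits, dots and hyphens only, starting and ending with a letter
# or digit. The character class deliberately excludes "*", "?" and "/", so
# a wildcard can never reach the IAM policy. (Example code; not the
# project's own validation.)
ALLOWED_PATTERN = r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$"
_BUCKET_RE = re.compile(ALLOWED_PATTERN)


def validate_bucket_name(name: str) -> bool:
    """Return True only if `name` is a syntactically valid S3 bucket name."""
    if not _BUCKET_RE.fullmatch(name):
        return False
    # No two adjacent periods.
    if ".." in name:
        return False
    # Must not be formatted as an IP address (e.g. 192.168.1.1).
    try:
        ip_address(name)
        return False
    except ValueError:
        pass
    # Reserved prefixes / suffixes that S3 refuses for new buckets.
    if name.startswith(("xn--", "sthree-")):
        return False
    if name.endswith(("-s3alias", "--ol-s3")):
        return False
    return True


def naive_object_arn(bucket_param: str) -> str:
    """The unchecked interpolation the report describes: a template that
    does Sub "arn:aws:s3:::${BucketName}/*" with no validation. Passing "*"
    yields an ARN that matches every object in every bucket."""
    return f"arn:aws:s3:::{bucket_param}/*"


def bucket_object_arn(bucket_param: str) -> str:
    """Hardened version: validate first, then build the object ARN."""
    if not validate_bucket_name(bucket_param):
        raise ValueError(f"refusing to deploy with bucket name {bucket_param!r}")
    return f"arn:aws:s3:::{bucket_param}/*"


if __name__ == "__main__":
    # Constructed sample parameter values, including the "*" case from the report.
    for candidate in ["my-images-bucket", "*", "192.168.1.1", "a..b", "My-Bucket"]:
        print(f"{candidate!r:20} naive -> {naive_object_arn(candidate)}")
        try:
            print(f"{'':20} hardened -> {bucket_object_arn(candidate)}")
        except ValueError as exc:
            print(f"{'':20} hardened -> rejected ({exc})")
```

The same regular expression can be applied at the template level by giving the `BucketName` parameter an `AllowedPattern` in the SAM/CloudFormation template, which makes CloudFormation reject the stack before any IAM role is created. Syntactic validation does not prove the bucket exists; a deployment script would additionally call `head_bucket` on an S3 client (boto3 exposes this) and abort on a 404 or 403 before running `sam deploy`.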