CloudFront Instance Takeover: Missing Origin S3 Bucket

This plugin identifies CloudFront distributions whose origin is an S3 bucket that no longer exists.

Risk Level: High

Description: 

This plugin identifies CloudFront distributions whose origin points at an S3 bucket that no longer exists. S3 bucket names are globally unique across all AWS accounts, so once the original bucket has been deleted, anyone can create a bucket with the same name in their own account. CloudFront will then fetch and serve that attacker-controlled content under your distribution's domain and under any alternate domain names (CNAMEs) that point to it. Left unaddressed, this lets an attacker deface your subdomains or host phishing pages and malware under your brand.

PingSafe strongly recommends that every such CloudFront distribution be removed. If the distribution is still needed, point its origin at a bucket you own instead; re-creating the missing bucket under the same name in your own account also closes the window, because the name can then no longer be claimed by anyone else.

About the Service :

Amazon CloudFront is a web service that speeds up delivery of your web content, such as .html, .css, .js and image files, to your users. CloudFront serves your content through a worldwide network of data centers called edge locations. When a user requests content that you serve with CloudFront, the request is routed to the edge location with the lowest latency, so the content is delivered with the best possible performance. With an S3 origin, any object that is not already cached at the edge is fetched from the bucket named in the origin's domain name, which is why the existence and ownership of that bucket matters.

Impact : 

An attacker who claims the orphaned bucket name controls everything CloudFront serves for that origin. Because the content is delivered from your CloudFront domain and from any CNAMEs pointing to it, users and URL reputation systems see a legitimate company domain: the attacker can deface the site, host phishing pages or malware that appear to come from you, and, where the distribution serves scripts that your own pages include, run code in your users' browsers. The vulnerability remains exploitable for as long as the distribution keeps referencing the missing bucket.


What is Account Takeover?

Account takeover is a form of identity theft and fraud in which a malicious third party successfully obtains a user's credentials. Posing as the legitimate user, the attacker can change account details, send email, steal financial or other sensitive information, or use whatever they have gained to reach further accounts in the business. In this finding the asset taken over is not a user account but a subdomain: the attacker gains control of what your domain serves without needing any credentials at all.

Steps to reproduce :

  1. Log in to the AWS Console.
  2. Navigate to the CloudFront dashboard (https://console.aws.amazon.com/cloudfront/).
  3. Go to “Distributions” and select the distribution to examine.
  4. Open the “Origins” tab and note every origin whose domain name is an S3 endpoint (for example bucket-name.s3.amazonaws.com or bucket-name.s3-website-us-east-1.amazonaws.com); the part before “.s3” is the bucket name.
  5. Open the S3 Management Console and search for that bucket name.
  6. If the search returns “No matches”, the bucket does not exist in this account.
  7. The S3 console only lists buckets in your own account, so “No matches” does not tell you whether the name is still free or has already been claimed by someone else. To distinguish the two, run: aws s3api head-bucket --bucket <bucket-name>. A 404 (Not Found) means the name is unclaimed and an attacker can take it right now; a 403 (Forbidden) means a bucket with that name already exists in another account, and the distribution should be treated as possibly already compromised.
  8. Either result means the CloudFront distribution’s S3 origin is missing from your account.
Repeat the steps to check the origins of other distributions.
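The console walk-through above does not scale past a handful of distributions, and the S3 console cannot distinguish a free bucket name from one already held by another account. The script below is an added example (it is not PingSafe's plugin code) that automates the same check: it extracts the bucket name from each S3 origin domain, classifies it with S3 HeadBucket, and reports the distribution together with the alternate domain names that would be taken over. The only AWS call lives in head_bucket_probe, which assumes boto3 and credentials with cloudfront and s3 read access; the audit logic runs offline against the constructed sample data at the bottom, whose distribution IDs, domains and bucket names are invented.

```python
"""Find CloudFront distributions whose S3 origin bucket is not owned by this account.

Added example, not PingSafe's plugin code. The only AWS call (S3 HeadBucket) is
isolated in head_bucket_probe, which assumes boto3 and credentials; the audit
logic itself runs offline against the constructed sample data at the bottom.
"""
import json
import re
import sys
from typing import Callable, Dict, Iterable, List, Optional

# Endpoint shapes CloudFront accepts for an S3 origin: REST (bucket.s3.amazonaws.com,
# bucket.s3.us-east-1.amazonaws.com, dual-stack) and website
# (bucket.s3-website-eu-west-1.amazonaws.com). Bucket names may contain dots,
# so the bucket is everything before the ".s3".
S3_ORIGIN_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?:-website)?(?:[.-][a-z0-9-]+)*\.amazonaws\.com(?:\.cn)?$"
)

# What HeadBucket tells the auditing account about a name:
#   200 -> OWNED   (bucket is in this account, nothing to do)
#   403 -> FOREIGN (name exists in another account: possibly already squatted)
#   404 -> MISSING (nobody holds the name: an attacker can create it right now)
OWNED, FOREIGN, MISSING = "owned", "foreign", "missing"


def bucket_from_origin(domain_name: str) -> Optional[str]:
    """Bucket name for an S3 origin domain, or None for a custom origin."""
    match = S3_ORIGIN_RE.match(domain_name.lower())
    return match.group("bucket") if match else None


def audit(distributions: Iterable[Dict], probe: Callable[[str], str]) -> List[Dict]:
    """Report each S3 origin whose bucket is FOREIGN or MISSING.

    `distributions` is DistributionList.Items from `aws cloudfront list-distributions`;
    `probe` maps a bucket name to OWNED / FOREIGN / MISSING.
    """
    findings = []
    for dist in distributions:
        for origin in dist.get("Origins", {}).get("Items", []):
            bucket = bucket_from_origin(origin["DomainName"])
            if bucket is None:  # custom origin (ALB, API Gateway, ...): not in scope
                continue
            state = probe(bucket)
            if state != OWNED:
                findings.append({
                    "distribution": dist["Id"],
                    "cloudfront_domain": dist["DomainName"],
                    # Alternate domain names are what make this a takeover of *your* subdomain.
                    "aliases": list(dist.get("Aliases", {}).get("Items", [])),
                    "bucket": bucket,
                    "state": state,
                })
    return findings


def head_bucket_probe(bucket: str) -> str:
    """Live probe via S3 HeadBucket (needs boto3 and AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    try:
        boto3.client("s3").head_bucket(Bucket=bucket)
        return OWNED
    except ClientError as exc:
        code = exc.response["Error"]["Code"]
        if code in ("404", "NoSuchBucket"):
            return MISSING
        if code in ("403", "AccessDenied", "Forbidden"):
            return FOREIGN
        raise


# Constructed stand-in for list-distributions output; IDs, domains and bucket
# names are invented for this example.
SAMPLE_DISTRIBUTIONS = [
    {"Id": "E1AAAAAAAAAAAA", "DomainName": "d111111abcdef8.cloudfront.net",
     "Aliases": {"Items": ["assets.example.com"]},
     "Origins": {"Items": [{"DomainName": "example-assets-prod.s3.amazonaws.com"}]}},
    {"Id": "E2BBBBBBBBBBBB", "DomainName": "d222222abcdef8.cloudfront.net",
     "Aliases": {"Items": ["promo.example.com"]},
     "Origins": {"Items": [
         {"DomainName": "old-campaign-2019.s3-website-us-east-1.amazonaws.com"},
         {"DomainName": "api.example.com"}]}},
    {"Id": "E3CCCCCCCCCCCC", "DomainName": "d333333abcdef8.cloudfront.net",
     "Aliases": {"Quantity": 0},
     "Origins": {"Items": [{"DomainName": "partner-media.s3.eu-west-1.amazonaws.com"}]}},
]
SAMPLE_BUCKET_STATES = {"example-assets-prod": OWNED,
                        "old-campaign-2019": MISSING, "partner-media": FOREIGN}


def sample_findings() -> List[Dict]:
    """Run the audit offline with a probe backed by the constructed table."""
    return audit(SAMPLE_DISTRIBUTIONS, lambda b: SAMPLE_BUCKET_STATES.get(b, MISSING))


if __name__ == "__main__":
    # Pipe `aws cloudfront list-distributions` JSON on stdin for a live audit;
    # with no piped input, run against the sample data instead.
    if sys.stdin.isatty():
        results = sample_findings()
    else:
        results = audit(json.load(sys.stdin)["DistributionList"]["Items"], head_bucket_probe)
    for f in results:
        targets = ", ".join(f["aliases"]) or f["cloudfront_domain"]
        print(f"{f['distribution']} {f['state']:7} bucket={f['bucket']} serves {targets}")
```

Run it as "aws cloudfront list-distributions | python audit.py" to audit a real account. Triage MISSING findings first, since those names can be claimed by anyone at any moment; a FOREIGN finding means the name is already held by another account, so look at what the distribution is currently serving before assuming the other owner is benign. Findings with alternate domain names outrank bare cloudfront.net hosts, because those are the ones that hand an attacker one of your subdomains.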

Steps for remediation :


  1. Log in to the AWS Console.
  2. Navigate to the CloudFront dashboard (https://console.aws.amazon.com/cloudfront/).
  3. Go to “Distributions” and select the affected distribution identified in the steps above.
  4. Decide how to close the gap. If the content is still needed, re-create the bucket under the same name in your own account (this also reserves the name so nobody else can claim it) or edit the origin so that it points at a bucket you own. If the distribution is no longer needed, continue with the steps below to delete it.
  5. Before deleting, check Route 53 or your external DNS for CNAME or alias records that point at the distribution’s cloudfront.net domain, and remove or repoint them so that nothing keeps resolving to a distribution that no longer exists.
  6. A distribution cannot be deleted while it is enabled: click “Disable”, wait for its status to return to “Deployed”, then click “Delete” and confirm in the Delete Distribution dialog.
  7. Repeat the steps for every other distribution flagged with this problem.
