CVE-2024-28056 in AWS Amplify CLI

Summary

by MITRE • 04/15/2024

Amazon AWS Amplify CLI before 12.10.1 incorrectly configures the role trust policy of IAM roles associated with Amplify projects. When the Authentication component is removed from an Amplify project, a Condition property is removed but "Effect":"Allow" remains present, and consequently sts:AssumeRoleWithWebIdentity would be available to threat actors with no conditions. Thus, if Amplify CLI had been used to remove the Authentication component from a project built between August 2019 and January 2024, an "assume role" may have occurred, and may have been leveraged to obtain unauthorized access to an organization's AWS resources. NOTE: the problem could only occur if an authorized AWS user removed an Authentication component. (The vulnerability did not give a threat actor the ability to remove an Authentication component.) However, in realistic situations, an authorized AWS user may have removed an Authentication component, e.g., if the objective were to stop using built-in Cognito resources, or move to a completely different identity provider.


Analysis

by VulDB Data Team • 06/08/2025

The vulnerability described in CVE-2024-28056 represents a critical misconfiguration issue within Amazon AWS Amplify CLI versions prior to 12.10.1 that affects the role trust policy configuration of IAM roles associated with Amplify projects. This flaw specifically manifests when the Authentication component is removed from an Amplify project, creating a security gap that could potentially allow unauthorized access to AWS resources. The issue stems from incomplete removal of security constraints during the component deletion process, leaving behind residual permissions that could be exploited by threat actors.

The technical flaw occurs when the Amplify CLI removes the Authentication component from a project: the Condition property is stripped from the role trust policy while the "Effect":"Allow" statement is left in place. The sts:AssumeRoleWithWebIdentity permission therefore remains available without any restrictive conditions, leaving the role assumable by any holder of a web identity token rather than only by the identities the removed Condition had scoped it to. According to CWE-284, this represents an improper access control vulnerability in which the system fails to properly enforce access restrictions, and the flaw aligns with ATT&CK technique T1531, which involves modifying system access controls to gain unauthorized access.

The operational impact of this vulnerability is significant for organizations that have been using Amplify CLI to manage their AWS projects, particularly those built between August 2019 and January 2024. The vulnerability could have been exploited if an authorized AWS user had removed an Authentication component from their project, potentially enabling unauthorized access to the organization's AWS resources. This scenario is particularly concerning because it leverages legitimate administrative actions to create security weaknesses rather than requiring external exploitation. The vulnerability specifically affects projects where the Authentication component was removed, and the timeframe of affected projects indicates that this issue has been present for over four years, highlighting the long-term nature of the security gap.

Organizations affected by this vulnerability should immediately assess the Amplify projects they built within the specified timeframe and determine whether the Authentication component was removed from any of them. The recommended mitigation is to upgrade to AWS Amplify CLI version 12.10.1 or later, which handles the removal of Authentication components correctly and leaves the associated role trust policies properly configured. Existing roles should also be checked directly: a trust policy that allows sts:AssumeRoleWithWebIdentity without a Condition is the signature of this issue. Organizations should additionally monitor their IAM role configurations continuously for unauthorized changes to trust policies, focusing on sts:AssumeRoleWithWebIdentity grants, and security teams should review Amplify project configurations for any other misconfiguration introduced during removal of the authentication component. The vulnerability demonstrates the importance of proper privilege management and of automated controls that prevent unauthorized modifications to critical AWS infrastructure components. AWS CloudTrail monitoring for IAM role changes and regular security assessments help ensure that all AWS resources retain appropriate access controls and that the principle of least privilege is maintained throughout the cloud infrastructure.
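As an added check (not code from the advisory, Amplify, or VulDB), the following Python function flags the exact condition described above: an Allow statement granting sts:AssumeRoleWithWebIdentity whose Condition block is missing or empty. The two sample trust policies are constructed for illustration; the Cognito federated principal and condition keys are assumed as a typical shape, and the identity pool id is a placeholder.

```python
import json

# Constructed sample trust policies, not copied from any Amplify project. The first
# has the shape the advisory describes: "Effect":"Allow" on sts:AssumeRoleWithWebIdentity
# with the Condition block gone.
UNCONDITIONED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FederatedAssume",
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
})

# Corrected form: the same statement pinned to one identity pool (placeholder id)
# and one authentication state via a Condition block.
CONDITIONED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FederatedAssume",
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-1:PLACEHOLDER-POOL-ID"},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
})

def _as_list(value):
    """IAM accepts either a single string/object or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def unconditioned_web_identity_statements(policy_document):
    """Return the Sid (or positional label) of each Allow statement that grants
    sts:AssumeRoleWithWebIdentity (directly or via sts:* / *) with no Condition."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        grants_web_identity = actions & {"sts:assumerolewithwebidentity", "sts:*", "*"}
        if grants_web_identity and not stmt.get("Condition"):  # missing or empty Condition
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings
```

Run it over each role's AssumeRolePolicyDocument (for example as returned by `aws iam get-role`) to locate roles left behind by a project whose Authentication component was removed.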

Reservation

03/01/2024

Disclosure

04/15/2024

Moderation

accepted

CPE

ready

EPSS

0.01665

KEV

no

Activities

very low
