AWS CDK Risk: Exploiting a Missing S3 Bucket Allowed Account Takeover
ID: 7e4d630d-37f5-5c88-9fc5-69d831667fd0
STIX ID: report--7e4d630d-37f5-5c88-9fc5-69d831667fd0
Feed Name: Aqua Security Blog
Aqua Security disclosed that the S3 staging bucket created by cdk bootstrap has a predictable name, cdk-{qualifier}-assets-{account}-{region}, where the default qualifier is hnb659fds and account IDs are not secret. If a user deletes that bucket, an attacker can create a bucket with the same name in an account they control. Because the CDK FilePublishingRole's policy granted access by bucket ARN, and an S3 bucket ARN carries no account ID, the user's next cdk deploy uploads its CloudFormation templates into the attacker-owned bucket; the attacker can then modify the templates and inject an administrative IAM role before CloudFormation deploys them, resulting in full account takeover. AWS fixed the issue in CDK v2.149.0 by adding an aws:ResourceAccount condition to the FilePublishingRole's policy so that it can only write to a bucket owned by the bootstrapped account, and notified affected customers. Upgrading the CLI alone does not fix environments bootstrapped with v2.148.1 or earlier: those environments must be re-bootstrapped with the fixed version, or the same IAM condition must be applied to the existing role.
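The following is an added example, not code from the Aqua post or from the AWS CDK project. It derives the predictable staging bucket name for an account and region, and checks an IAM policy document for the account pin that the v2.149.0 fix introduced: an S3-granting Allow statement without a StringEquals aws:ResourceAccount condition matches an attacker-owned bucket of the same name, because bucket ARNs do not encode the owner. The two policy documents, the account ID, and the statement Sid are constructed reconstructions of the pre-fix and post-fix shape, not copies of an AWS bootstrap template; the same check can be run over the resolved policy of an existing cdk-*-file-publishing-role to decide whether a re-bootstrap is still needed.

```python
"""Added example (not from the Aqua post or the AWS CDK project): derive the
predictable CDK staging bucket name and check whether a FilePublishingRole
policy is pinned to the bootstrapped account with aws:ResourceAccount.

The policy documents below are constructed reconstructions of the pre-fix
and post-fix shape, not copied from an AWS bootstrap template.
"""
import copy
import json

DEFAULT_QUALIFIER = "hnb659fds"  # CDK's default bootstrap qualifier
ACCOUNT = "123456789012"         # constructed sample account ID
REGION = "us-east-1"


def staging_bucket_name(account: str, region: str, qualifier: str = DEFAULT_QUALIFIER) -> str:
    """Default CDK assets bucket name: cdk-{qualifier}-assets-{account}-{region}.
    Anyone who knows the account ID and region can compute it."""
    return f"cdk-{qualifier}-assets-{account}-{region}"


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_s3(stmt: dict) -> bool:
    """True for an Allow statement that covers at least one s3: action."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(a == "*" or a.lower().startswith("s3:") for a in _as_list(stmt.get("Action")))


def _pinned_to(stmt: dict, account: str) -> bool:
    """True if the statement carries a StringEquals(-IfExists) aws:ResourceAccount
    condition naming exactly this account (condition keys are case-insensitive)."""
    for operator, keys in (stmt.get("Condition") or {}).items():
        if operator not in ("StringEquals", "StringEqualsIfExists"):
            continue
        for key, values in keys.items():
            if key.lower() == "aws:resourceaccount" and _as_list(values) == [account]:
                return True
    return False


def find_unpinned_s3_statements(policy: dict, account: str) -> list:
    """Return the Sid (or index) of every S3-granting Allow statement that is not
    pinned to `account`. A bucket ARN carries no account ID, so without the
    condition the statement also matches an attacker-owned bucket of that name."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if _grants_s3(stmt) and not _pinned_to(stmt, account):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def pin_policy(policy: dict, account: str) -> dict:
    """Return a copy of `policy` with aws:ResourceAccount added to every
    S3-granting Allow statement, the same shape as the CDK v2.149.0 fix."""
    hardened = copy.deepcopy(policy)
    for stmt in _as_list(hardened.get("Statement")):
        if _grants_s3(stmt):
            cond = stmt.setdefault("Condition", {})
            cond.setdefault("StringEquals", {})["aws:ResourceAccount"] = account
    return hardened


BUCKET_ARN = f"arn:aws:s3:::{staging_bucket_name(ACCOUNT, REGION)}"

# Constructed: shape of the pre-fix policy, scoped to the bucket ARN only.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublishFiles",
        "Effect": "Allow",
        "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*",
                   "s3:DeleteObject*", "s3:PutObject*", "s3:Abort*"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

# Constructed: the same statement with the account pin the fix introduced.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublishFiles",
        "Effect": "Allow",
        "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*",
                   "s3:DeleteObject*", "s3:PutObject*", "s3:Abort*"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {"StringEquals": {"aws:ResourceAccount": ACCOUNT}},
    }],
}


if __name__ == "__main__":
    print("staging bucket:", staging_bucket_name(ACCOUNT, REGION))
    print("weak policy, unpinned statements:", find_unpinned_s3_statements(WEAK_POLICY, ACCOUNT))
    print("hardened policy, unpinned statements:", find_unpinned_s3_statements(HARDENED_POLICY, ACCOUNT))
    print(json.dumps(pin_policy(WEAK_POLICY, ACCOUNT)["Statement"][0]["Condition"], indent=2))
```

The check deliberately requires the condition to name exactly the bootstrapped account: a policy pinned to some other account still reports the statement as unpinned, which is what you want when auditing a role whose trust or account context may have been copied between environments. Pinning by condition rather than by tightening the Resource ARN is the only option here, since S3 bucket ARNs have no account component.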
