Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources
ID: c1cb2090-57a9-5456-8eb8-63afdfe8ca3c
STIX ID: report--c1cb2090-57a9-5456-8eb8-63afdfe8ca3c
Feed Name: Aqua Security Blog
This report documents the discovery of a new attack vector called "Shadow Resources" and a technique dubbed "Bucket Monopoly". Predictable S3 bucket naming used by AWS services (CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, CodeStar) and by some open-source deployment workflows allows an attacker to pre-claim the buckets in unused regions, set permissive policies, and trigger Lambda-based modifications to the templates or artifacts the services later write there. Impacts include data exfiltration, template modification leading to injected admin roles or RCE, denial of service against the affected service features, and possible account takeover. The authors reported the issues to AWS in February 2024, and AWS mitigated the vulnerabilities across the identified services. The report includes detection guidance and mitigations (e.g., aws:ResourceAccount condition checks, bucket owner verification, and non-predictable bucket naming).
