S3 shadow buckets leave AWS accounts open to compromise

The issue’s impact depends on what the vulnerable service stores in the bucket. In the case of CloudFormation, an infrastructure-as-code tool, the bucket holds the templates that the service then uses to automatically deploy infrastructure stacks as defined by the user.

These templates can contain sensitive information, such as environment variables, credentials, and more. But it gets worse: An attacker can inject a backdoor into a template saved in the bucket, which would then be executed in the user’s account. For example, a rogue Lambda function injected into the template could create a new admin role on the account that the attacker can then use.

Predictable S3 bucket names using account IDs

The CloudFormation attack depends on an S3 bucket name, created by the service for a user in a given region, having already been leaked in a code repository, but other AWS services that create S3 buckets automatically use even more predictable naming patterns. For example, AWS EMR (Elastic MapReduce) generates S3 buckets with the name aws-emr-studio-[account-ID]-[region], while AWS SageMaker uses sagemaker-[region]-[account-ID].
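A defender-side check for the naming patterns just described, added here as an example and not code from the article or from the researchers it reports on: it builds the EMR Studio and SageMaker bucket names for an account across a set of regions and asks S3, through the `ExpectedBucketOwner` condition on `head_bucket`, whether each one is owned by that account. The `FakeS3` stub is constructed for offline use; a real run would pass a `boto3.client("s3")` instead.

```python
from typing import Iterable

# Naming patterns quoted in the article; other services would need their own entry.
PATTERNS = {
    "emr-studio": "aws-emr-studio-{account_id}-{region}",
    "sagemaker": "sagemaker-{region}-{account_id}",
}

def predictable_bucket_names(account_id: str, regions: Iterable[str]) -> dict:
    """Return {bucket_name: service} for every pattern/region combination."""
    names = {}
    for region in regions:
        for service, pattern in PATTERNS.items():
            names[pattern.format(account_id=account_id, region=region)] = service
    return names

def audit_bucket_ownership(s3, account_id: str, regions: Iterable[str]) -> dict:
    """Classify each predictable name as 'owned', 'unclaimed' or 'foreign'.
    s3 is any object with boto3's head_bucket(Bucket=, ExpectedBucketOwner=) signature.
    ExpectedBucketOwner makes S3 answer 403 for a bucket held by another account (the
    shadow-bucket case); a missing s3:ListBucket permission also yields 403, so
    'foreign' means 'investigate', not 'proven squatted'."""
    verdicts = {}
    for name in predictable_bucket_names(account_id, regions):
        try:
            s3.head_bucket(Bucket=name, ExpectedBucketOwner=account_id)
            verdicts[name] = "owned"
        except Exception as exc:
            # Duck-typed: botocore's ClientError exposes exc.response["Error"]["Code"].
            code = str(getattr(exc, "response", {}).get("Error", {}).get("Code", ""))
            if code in ("404", "NoSuchBucket"):
                verdicts[name] = "unclaimed"  # free: pre-create it in your own account
            elif code in ("403", "AccessDenied", "Forbidden"):
                verdicts[name] = "foreign"  # exists, but not under account_id
            else:
                raise
    return verdicts

class FakeS3:
    """Constructed offline stand-in for a boto3 client (not a real AWS response)."""

    def __init__(self, state: dict):
        self.state = state  # bucket name -> "owned", "403" or "404"

    def head_bucket(self, Bucket, ExpectedBucketOwner):
        status = self.state.get(Bucket, "404")
        if status == "owned":
            return {}
        err = Exception(f"{status} for {Bucket}")
        err.response = {"Error": {"Code": status}}
        raise err
```

Any name reported as "unclaimed" is a bucket the service will create on first use; creating it yourself beforehand with a restrictive bucket policy removes the window in which someone else could register it.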
