|
| 1 | +# AWS MWAA Execution Role Account Wildcard Vulnerability |
| 2 | + |
| 3 | +## The Vulnerability |
| 4 | + |
| 5 | +MWAA's execution role (the IAM role that Airflow workers use to access AWS resources) requires this mandatory policy to function: |
| 6 | + |
| 7 | +```json |
| 8 | +{ |
| 9 | + "Effect": "Allow", |
| 10 | + "Action": [ |
| 11 | + "sqs:ChangeMessageVisibility", |
| 12 | + "sqs:DeleteMessage", |
| 13 | + "sqs:GetQueueAttributes", |
| 14 | + "sqs:GetQueueUrl", |
| 15 | + "sqs:ReceiveMessage", |
| 16 | + "sqs:SendMessage" |
| 17 | + ], |
| 18 | + "Resource": "arn:aws:sqs:us-east-1:*:airflow-celery-*" |
| 19 | +} |
| 20 | +``` |
| 21 | + |
| 22 | +The wildcard (`*`) in the account ID position allows the role to interact with **any SQS queue in any AWS account** that starts with `airflow-celery-`. This is required because AWS provisions MWAA's internal queues in a separate AWS-managed account. There is no restriction on making queues with the `airflow-celery-` prefix. |
| 23 | + |
| 24 | +**Cannot be fixed:** Removing the wildcard pre-deployment breaks MWAA completely - the scheduler can't queue tasks for workers. |
| 25 | + |
| 26 | +Documentation Verifying Vuln and Acknowledging Vectorr: [AWS Documentation](https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-create-role.html) |
| 27 | + |
| 28 | +## Exploitation |
| 29 | + |
| 30 | +All Airflow DAGs run with the execution role's permissions. DAGs are Python scripts that can execute arbitrary code - they can use `yum` or `curl` to install tools, download malicious scripts, or import any Python library. DAGs are pulled from an assigned S3 folder and run on schedule automatically, all an attacker needs is ability to PUT to that bucket path. |
| 31 | + |
| 32 | +Anyone who can write DAGs (typically most users in MWAA environments) can abuse this permission: |
| 33 | + |
| 34 | +1. **Data Exfiltration**: Create a queue named `airflow-celery-exfil` in an external account, write a DAG that sends sensitive data to it via `boto3` |
| 35 | + |
| 36 | +2. **Command & Control**: Poll commands from an external queue, execute them, return results - creating a persistent backdoor through SQS APIs |
| 37 | + |
| 38 | +3. **Cross-Account Attacks**: Inject malicious messages into other organizations' queues if they follow the naming pattern |
| 39 | + |
| 40 | +All attacks bypass network controls since they use AWS APIs, not direct internet connections. |
| 41 | + |
| 42 | +## Impact |
| 43 | + |
| 44 | +This is an architectural flaw in MWAA with no IAM-based mitigation. Every MWAA deployment following AWS documentation has this vulnerability. |
| 45 | + |
| 46 | +**Network Control Bypass:** These attacks work even in private VPCs with no internet access. The SQS API calls use AWS's internal network and VPC endpoints, completely bypassing traditional network security controls, firewalls, and egress monitoring. Organizations cannot detect or block this data exfiltration path through network-level controls. |
0 commit comments