Insecure Direct Object Reference (IDOR) in AWS Bedrock Custom Model Management API Allows Cross-Account Model Access
Overview
A critical authorization flaw was discovered in the AWS Bedrock service's API for managing custom fine-tuned models. The vulnerability, classified as an Insecure Direct Object Reference (IDOR), allowed an authenticated user in one AWS account to access and download the custom models belonging to other AWS customers.
The issue was traced to the `GetFoundationModel` and related API endpoints, which used predictable, sequentially guessable resource identifiers for custom models. The API's authorization logic failed to properly verify that the IAM principal making the request was part of the AWS account that owned the requested model resource. An attacker could simply authenticate with their own account and then craft API requests iterating through model identifiers to discover and access models from other accounts.
The impact was severe, as it could lead to the theft of highly valuable, proprietary fine-tuned models. These models could contain sensitive intellectual property or have sensitive PII from the training data embedded within them, leading to significant data breaches and competitive disadvantage for affected customers.
Affected Systems
Testing Guide
1. This vulnerability was patched by AWS on the server-side, so customers can no longer test for it directly.
2. Verification can be performed by attempting an API call (e.g., via AWS CLI: `aws bedrock get-foundation-model --model-identifier <ARN_of_model_in_another_account>`) from one AWS account to a known model ARN in a different, separate AWS account.
3. The expected, correct behavior is an `AccessDeniedException`, which confirms the patch is effective.
Mitigation Steps
1. **No user action required:** AWS has patched the vulnerability on their backend. The fix was deployed globally and is transparent to all customers.
2. **Audit Access Logs:** AWS recommends customers review CloudTrail logs for any suspicious or unauthorized `GetFoundationModel` API calls originating from unexpected principals or IP ranges prior to the patch date.
3. **Use Resource-Based Policies:** As a best practice, apply strict resource-based policies (e.g., using `aws:PrincipalAccount` condition keys) to custom models to explicitly define which principals can access them, providing an additional layer of defense.
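One way to carry out the CloudTrail review in step 2, as an added example that is not AWS's or this advisory's own code: it filters CloudTrail records for pre-patch `GetFoundationModel` calls and flags those from unexpected accounts or source IPs. The patch date, account IDs, IP ranges and log records are constructed placeholders, since the page gives none; substitute your own.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed placeholders: the page gives no patch date, account IDs or IP ranges.
PATCH_DATE = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXPECTED_ACCOUNTS = {"111111111111"}
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def _rec(time, name, account, ip):  # constructed record, audited fields only
    return {"eventTime": time, "eventSource": "bedrock.amazonaws.com",
            "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accountId": account,
                             "arn": f"arn:aws:iam::{account}:user/example"}}

SAMPLE_LOG = json.dumps({"Records": [  # constructed sample, not real log data
    _rec("2023-12-01T10:00:00Z", "GetFoundationModel", "111111111111", "203.0.113.10"),
    _rec("2023-12-02T03:14:00Z", "GetFoundationModel", "222222222222", "198.51.100.7"),
    _rec("2023-12-03T09:30:00Z", "GetFoundationModel", "111111111111", "198.51.100.9"),
    _rec("2024-02-01T08:00:00Z", "GetFoundationModel", "222222222222", "198.51.100.7"),
    _rec("2023-12-04T11:00:00Z", "ListFoundationModels", "222222222222", "198.51.100.7"),
]})

def ip_expected(source):
    """True only if source parses as an IP inside an expected range."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:  # CloudTrail may record a service name instead of an IP
        return False
    return any(addr in net for net in EXPECTED_NETWORKS)

def audit(log_text):
    """Return pre-patch GetFoundationModel calls from unexpected accounts or IPs."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "bedrock.amazonaws.com", "GetFoundationModel"):
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if when.replace(tzinfo=timezone.utc) >= PATCH_DATE:
            continue  # only calls before the patch date are in scope
        ident = rec.get("userIdentity", {})
        checks = {"unexpected-account": ident.get("accountId") not in EXPECTED_ACCOUNTS,
                  "unexpected-ip": not ip_expected(rec.get("sourceIPAddress", ""))}
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            findings.append((rec["eventTime"], ident.get("arn"), reasons))
    return findings
```

Calling `audit()` on the JSON text of a CloudTrail log file returns one tuple of event time, principal ARN and reasons per flagged call.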
Patch Details
AWS patched the vulnerability server-side by enforcing strict ownership checks in the API's authorization layer for all model management endpoints. No client-side updates are needed.