Description
Status: Resolved
What is the issue?
AWS has been notified of an issue affecting bootstrap stacks at version 20 or lower: a third party could recreate your asset bucket after you delete it, and in doing so monitor and make changes to your AWS Cloud Development Kit (AWS CDK) deployments.
This could affect you if you first bootstrap your account, then manually delete only the asset S3 bucket named cdk-hnb659fds-assets-- while leaving the rest of the bootstrap stack in place, and then continue to perform CDK deployments. A third party could predict the bucket name and recreate it with permissions that allow your deployments to write to it. Your next CDK deployment would then upload your assets to their bucket.
In version 21 of the bootstrap stack, the permissions of the File Asset Publishing Role have been changed to only allow access to an S3 bucket in the same account. This ensures that even if you delete your bucket and a third party recreates it, the upload will never succeed.
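To make the version 21 change concrete, the following is an added illustration of how an IAM policy restricts a role to a bucket owned by the same account; it is not the text of the bootstrap template (which is linked as [2] below). The aws:ResourceAccount global condition key compares the account that owns the S3 resource with the expected account ID, so a bucket recreated under the same name in another account does not satisfy the condition and the upload is denied. <ASSET_BUCKET_NAME> and <ACCOUNT_ID> are placeholders, and the exact action list and condition key used by the real template should be read from [2].

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssetBucketSameAccountOnly",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*",
        "s3:PutObject*",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:Abort*"
      ],
      "Resource": [
        "arn:aws:s3:::<ASSET_BUCKET_NAME>",
        "arn:aws:s3:::<ASSET_BUCKET_NAME>/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "<ACCOUNT_ID>"
        }
      }
    }
  ]
}
```

Without the Condition block, the Allow is keyed only on the bucket name, which is exactly what a bucket recreated in a foreign account also carries; with it, ownership of the bucket becomes part of the authorization decision.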
Solution
Upgrade your version of the CDK CLI to at least version 2.149.0 [1], load appropriate credentials into your shell, and run cdk bootstrap aws://<ACCOUNT ID>/<REGION> for all of your accounts and regions. Alternatively, use your own preferred method of deploying the bootstrapping CloudFormation template [2] across your accounts, such as the AWS CLI [3] or CloudFormation StackSets [4].
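The procedure above, as an added script that is not part of the advisory: for the account whose credentials are currently loaded, it reads the bootstrap version that the bootstrap stack records in the SSM parameter /cdk-bootstrap/<qualifier>/version for each region given on the command line, and runs cdk bootstrap only where that version is 20 or lower (or the parameter is absent). It assumes the default qualifier hnb659fds, the AWS CLI, and a CDK CLI of at least 2.149.0 on PATH; the file name audit-bootstrap.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the CDK bootstrap version per
# region for the current account and re-bootstrap regions still at <= 20.
# Assumes the default qualifier (hnb659fds), the AWS CLI and a CDK CLI
# >= 2.149.0 on PATH, with credentials for one account loaded in the shell.
set -eu

MIN_SAFE_VERSION=21                      # first bootstrap version with the same-account fix
QUALIFIER="${CDK_QUALIFIER:-hnb659fds}"  # override if you bootstrapped with a custom qualifier

# needs_upgrade VERSION -> true (exit 0) if VERSION is below MIN_SAFE_VERSION.
# An empty or non-numeric value means "not bootstrapped" and is also true.
needs_upgrade() {
  case "${1:-}" in
    '' | *[!0-9]*) return 0 ;;
  esac
  [ "$1" -lt "$MIN_SAFE_VERSION" ]
}

# bootstrap_version REGION -> prints the version the bootstrap stack stored in
# SSM parameter /cdk-bootstrap/<qualifier>/version, or 0 if it does not exist.
bootstrap_version() {
  aws ssm get-parameter --region "$1" \
    --name "/cdk-bootstrap/${QUALIFIER}/version" \
    --query 'Parameter.Value' --output text 2>/dev/null || echo 0
}

# audit_regions REGION... -> for the current account, report each region's
# bootstrap version and run cdk bootstrap where it is below MIN_SAFE_VERSION.
audit_regions() {
  account="$(aws sts get-caller-identity --query Account --output text)"
  for region in "$@"; do
    version="$(bootstrap_version "$region")"
    if needs_upgrade "$version"; then
      echo "$account/$region: bootstrap version $version < $MIN_SAFE_VERSION, re-bootstrapping"
      cdk bootstrap "aws://${account}/${region}"
    else
      echo "$account/$region: bootstrap version $version, no action needed"
    fi
  done
}

# Usage: ./audit-bootstrap.sh us-east-1 eu-west-1
# Repeat once per account after loading that account's credentials.
# With no arguments the script touches nothing.
[ $# -eq 0 ] || audit_regions "$@"
```

Because the check reads the version parameter rather than inspecting the asset bucket, it also catches the case the advisory describes, where the bucket has been deleted (or recreated by someone else) while the rest of the bootstrap stack, including the version parameter, is still present.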
[1] https://docs.aws.amazon.com/cdk/v2/guide/cli.html
[2] https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
[3] https://aws.amazon.com/cli/
[4] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html