
Fixed the vulnerability reported by the MSRC team in the AWSSEServerAccessAndConfig cloud formation template file related to the SQS and Bucket hardcoded default name. #13580

Open
v-ezequielbi wants to merge 3 commits into Azure:master from v-ezequielbi:AWSS3ServerAccessAndConfig

Conversation

@v-ezequielbi

The MSRC team discovered a misconfiguration in relation to how the default SQS queue is protected in Microsoft Sentinel's AWS S3 connector GitHub repo in the AWSS3ServerAccessAndConfig.json. This vulnerability allows a malicious actor to send messages using the AWS S3 Event Notification feature to a victim's SQS queue by exploiting hardcoded default template parameter names, such as the default S3 bucket name and SQS queue name, and insufficient policy conditions.

The fix removes all hardcoded default values, requiring users to provide unique resource names during stack deployment, thereby eliminating the predictability attack vector. Additionally, the SQS queue policy has been enhanced with an aws:SourceAccount condition to prevent cross-account exploitation.

Change(s):

  • Removes all hardcoded default values, requiring users to provide unique resource names during stack deployment in the cloud formation template file AWSS3ServerAccessAndConfig.json.

Reason for Change(s):

  • Resolves the vulnerability reported in ISSUE #Incident 31000000529754 : [MSRC] [105956] - SecurityFeatureBypass - Confused Deputy Risk in Microsoft Sentinel AWS S3 Connector CloudFormation Template

Version Updated:

  • Yes

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes
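The two weaknesses the description names, a name-bearing parameter that ships with a Default and an SQS queue policy that lets the S3 service principal SendMessage without pinning the source account, are both mechanical to check for. The following is an added example, not code from this PR or from the Azure-Sentinel repository: a small linter over a parsed CloudFormation template, run against a constructed "before" template (hardcoded defaults, no aws:SourceAccount condition) and a constructed "after" template. The parameter names BucketName and SqsQueueName, the logical IDs LogQueue and LogQueuePolicy, and the sample default values are assumptions, not the real template's identifiers.

```python
"""Lint a parsed CloudFormation template for two weaknesses: hardcoded
default resource names and an S3 -> SQS SendMessage grant with no
aws:SourceAccount condition. Added example with constructed templates."""
import json
from typing import Any, Dict, List

# Parameters treated as "resource name" parameters. Hypothetical names:
# the PR does not list the template's actual parameter names.
NAME_PARAMS = {"BucketName", "SqsQueueName"}


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_hardcoded_defaults(template: Dict[str, Any]) -> List[str]:
    """Return name-bearing parameters that still carry a Default.

    A Default means every stack deployed from the template gets the same,
    guessable bucket/queue name unless the deployer overrides it."""
    params = template.get("Parameters", {})
    return sorted(name for name, spec in params.items()
                  if name in NAME_PARAMS and "Default" in spec)


def _lets_s3_send(statement: Dict[str, Any]) -> bool:
    """True if the statement allows the S3 service principal to SendMessage."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    actions = {a.lower() for a in _as_list(statement.get("Action", []))}
    return (("s3.amazonaws.com" in services or principal == "*")
            and bool(actions & {"sqs:sendmessage", "sqs:*"}))


def _pins_source_account(statement: Dict[str, Any]) -> bool:
    """True if a StringEquals condition on aws:SourceAccount is present."""
    for operator, keys in statement.get("Condition", {}).items():
        if (operator.startswith("StringEquals") and isinstance(keys, dict)
                and "aws:SourceAccount" in keys):
            return True
    return False


def check_queue_policies(template: Dict[str, Any]) -> List[str]:
    """Return logical IDs of SQS queue policies that grant S3 SendMessage
    without pinning the source account (confused-deputy exposure)."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::SQS::QueuePolicy":
            continue
        doc = resource.get("Properties", {}).get("PolicyDocument", {})
        for statement in _as_list(doc.get("Statement", [])):
            if _lets_s3_send(statement) and not _pins_source_account(statement):
                findings.append(logical_id)
                break
    return sorted(findings)


def lint(template: Dict[str, Any]) -> Dict[str, List[str]]:
    """Run both checks; empty lists mean the template passes."""
    return {"hardcoded_defaults": check_hardcoded_defaults(template),
            "unpinned_queue_policies": check_queue_policies(template)}


# Constructed "before" template: predictable names, unpinned queue policy.
WEAK_TEMPLATE = {
    "Parameters": {
        "BucketName": {"Type": "String", "Default": "example-logs-bucket"},
        "SqsQueueName": {"Type": "String", "Default": "example-logs-queue"},
    },
    "Resources": {
        "LogQueue": {"Type": "AWS::SQS::Queue",
                     "Properties": {"QueueName": {"Ref": "SqsQueueName"}}},
        "LogQueuePolicy": {"Type": "AWS::SQS::QueuePolicy", "Properties": {
            "Queues": [{"Ref": "LogQueue"}],
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "SQS:SendMessage",
                "Resource": {"Fn::GetAtt": ["LogQueue", "Arn"]}}]}}},
    },
}

# Constructed "after" template: no Defaults, and the grant is pinned to the
# deploying account (aws:SourceAccount) and to the one bucket (aws:SourceArn).
FIXED_TEMPLATE = json.loads(json.dumps(WEAK_TEMPLATE))  # deep copy
for _spec in FIXED_TEMPLATE["Parameters"].values():
    _spec.pop("Default", None)
FIXED_TEMPLATE["Resources"]["LogQueuePolicy"]["Properties"]["PolicyDocument"][
    "Statement"][0]["Condition"] = {
    "StringEquals": {"aws:SourceAccount": {"Ref": "AWS::AccountId"}},
    "ArnLike": {"aws:SourceArn": {"Fn::Sub": "arn:aws:s3:::${BucketName}"}},
}

if __name__ == "__main__":
    print("before:", json.dumps(lint(WEAK_TEMPLATE)))
    print("after: ", json.dumps(lint(FIXED_TEMPLATE)))
```

The corrected policy uses both conditions AWS documents for S3 event notifications: aws:SourceAccount stops a bucket in another account from delivering into the queue even if it guesses the queue name, and aws:SourceArn narrows the grant to the single bucket the stack creates. A check like this can run in CI over the real template JSON (`json.load`) so a future edit that reintroduces a Default or drops the condition fails the build.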

…ccessAndConfig file related to the SQS and Bucket hardcoded default name.
@v-ezequielbi v-ezequielbi requested review from a team as code owners February 5, 2026 20:26
@v-ezequielbi
Author

@microsoft-github-policy-service agree company="Microsoft"

@v-shukore v-shukore added the Solution Solution specialty review needed label Feb 6, 2026
Correct the modification date for version 3.0.2 in Solutions/AWS_AccessLogs/ReleaseNotes.md, changing '02-05-2026' to '05-02-2026' to reflect the accurate date. No other content changes.
@v-maheshbh
Contributor

Hi @v-ezequielbi
Kindly share the testing document for reference.

Thanks!
