A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Six years. Gartner® Magic Quadrant™ Leader.Find Out Why
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-28056

CVE-2024-28056: Amazon Amplify CLI Auth Bypass Vulnerability

CVE-2024-28056 is an authentication bypass flaw in Amazon Amplify CLI that allows unauthorized role assumption when Authentication components are removed. This article covers technical details, affected versions, and mitigation.

Updated: January 22, 2026

CVE-2024-28056 Overview

Amazon AWS Amplify CLI before version 12.10.1 contains a critical insecure permissions vulnerability (CWE-276) that incorrectly configures the role trust policy of IAM roles associated with Amplify projects. When the Authentication component is removed from an Amplify project, a Condition property is removed but "Effect":"Allow" remains present, leaving sts:AssumeRoleWithWebIdentity available to threat actors with no conditions.

This vulnerability affected Amplify CLI deployments built between August 2019 and January 2024 where the Authentication component was subsequently removed. If such removal occurred, an "assume role" action may have been possible, potentially allowing unauthorized access to an organization's AWS resources.

Critical Impact

Threat actors could exploit misconfigured IAM role trust policies to assume roles and gain unauthorized access to AWS resources without any conditional restrictions, potentially compromising entire cloud environments.

Affected Products

  • Amazon Amplify CLI versions prior to 12.10.1
  • Amplify projects built between August 2019 and January 2024 where Authentication component was removed
  • IAM roles associated with affected Amplify deployments

Discovery Timeline

  • 2024-04-15 - CVE-2024-28056 published to NVD
  • 2025-06-30 - Last updated in NVD database

Technical Details for CVE-2024-28056

Vulnerability Analysis

This vulnerability stems from improper handling of IAM role trust policies during the removal of Authentication components from AWS Amplify projects. When a user removes the Authentication component (such as built-in Cognito resources), the Amplify CLI fails to properly clean up the associated IAM role trust policy.

The core issue lies in the update mechanism for IAM roles when Authentication components are removed. While the Condition property that previously restricted which identity providers could assume the role is deleted, the permissive "Effect":"Allow" statement remains intact. This creates an overly permissive trust policy that allows any entity to call sts:AssumeRoleWithWebIdentity without the originally intended restrictions.

The vulnerability window spans from August 2019 to January 2024, affecting any Amplify project where an authorized AWS user removed an Authentication component during this period. Common scenarios include organizations migrating away from built-in Cognito resources or transitioning to different identity providers.

Root Cause

The root cause is improper access control (CWE-276 - Incorrect Default Permissions) in the Amplify CLI's CloudFormation resource update logic. When processing Authentication component removal, the CLI modifies the IAM role trust policy by removing Condition elements but fails to update or remove the associated Allow effect, leaving the role assumable without proper authorization conditions.

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker who discovers a misconfigured IAM role trust policy can exploit the vulnerability through the following attack flow:

  1. Attacker identifies an Amplify-deployed application that had its Authentication component removed during the vulnerable period
  2. Attacker crafts a sts:AssumeRoleWithWebIdentity request targeting the misconfigured IAM role
  3. Without conditional restrictions, AWS STS accepts the request and returns temporary credentials
  4. Attacker uses the assumed role credentials to access AWS resources with the permissions attached to that role

The exploitation is particularly dangerous because IAM roles associated with Amplify projects often have broad permissions to interact with backend resources such as DynamoDB, S3, Lambda, and AppSync APIs.

Detection Methods for CVE-2024-28056

Indicators of Compromise

  • Unexpected sts:AssumeRoleWithWebIdentity API calls in CloudTrail logs from unknown sources
  • IAM role trust policies containing "Effect":"Allow" for sts:AssumeRoleWithWebIdentity without Condition elements
  • Unusual access patterns to AWS resources from Amplify-associated IAM roles
  • CloudTrail events showing role assumption from unrecognized identity providers or principals

Detection Strategies

  • Review CloudTrail logs for AssumeRoleWithWebIdentity events on Amplify-associated IAM roles
  • Audit all IAM role trust policies created by Amplify CLI for missing Condition blocks
  • Implement AWS Config rules to detect overly permissive trust policies on roles matching Amplify naming patterns
  • Use AWS IAM Access Analyzer to identify roles that can be assumed by external principals

Monitoring Recommendations

  • Enable CloudTrail logging for all AWS STS API calls across affected accounts
  • Configure CloudWatch alarms for unusual AssumeRoleWithWebIdentity activity patterns
  • Implement continuous monitoring of IAM role trust policy changes using AWS Config
  • Deploy SentinelOne Singularity Cloud Security for real-time detection of suspicious IAM role assumptions

How to Mitigate CVE-2024-28056

Immediate Actions Required

  • Upgrade AWS Amplify CLI to version 12.10.1 or later immediately
  • Audit all IAM roles associated with Amplify projects deployed between August 2019 and January 2024
  • Review and remediate trust policies for any roles that had Authentication components removed
  • Check CloudTrail logs for any unauthorized role assumption activity during the exposure window

Patch Information

Amazon has addressed this vulnerability in Amplify CLI version 12.10.1. The fix ensures that IAM role trust policies are properly updated when Authentication components are removed, either by removing the Allow effect or by adding appropriate Condition restrictions.

Organizations should upgrade by running:

bash
npm install -g @aws-amplify/cli@latest

For detailed patch information, refer to the AWS Security Bulletin AWS-2024-003 and the GitHub commit.

Workarounds

  • Manually audit and update IAM role trust policies to add appropriate Condition elements
  • Restrict trust policies to specific identity providers using Condition blocks with StringEquals on cognito-identity.amazonaws.com:aud
  • Delete and recreate affected IAM roles with properly scoped trust policies
  • Implement AWS Service Control Policies (SCPs) to restrict AssumeRoleWithWebIdentity at the organization level
bash
# Identify Amplify-associated IAM roles and review their trust policies
aws iam list-roles --query "Roles[?contains(RoleName, 'amplify')].{RoleName:RoleName,Arn:Arn}" --output table

# Get the trust policy for a specific role to check for missing Conditions
aws iam get-role --role-name <AMPLIFY_ROLE_NAME> --query "Role.AssumeRolePolicyDocument" --output json

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechAmazon Amplify Cli
  • SeverityCRITICAL
  • CVSS Score9.8
  • EPSS Probability0.61%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-276
  • Technical References
  • GitHub Amplify Role Update JSON
  • GitHub Amplify Release v12.10.1
  • Datadog Article on AWS IAM Vulnerabilities
  • Vendor Resources
  • AWS Security Bulletin AWS-2024-003
  • GitHub Commit Changes
  • Latest CVEs
  • CVE-2024-8261: Prolizyazilim OBS Auth Bypass Vulnerability
  • CVE-2024-13068: LimonDesk Auth Bypass Vulnerability
  • CVE-2025-53679: Fortinet FortiSandbox RCE Vulnerability
  • CVE-2026-9446: Simple POS Inventory System SQLi Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English