The flaw enables attackers to take over Identity and Access Management (IAM) roles in other AWS accounts and abuse the AppSync service provided by AWS. According to Datadog, this gives an attacker the chance “to pivot into a victim organisation and use those accounts’ resources.”
On September 1, the researchers found the flaw and promptly reported it to AWS. The next day, AWS reproduced the attack and confirmed its impact. On September 6, AWS released a patch to remedy the vulnerability, and Datadog confirmed that the patch resolved it.