Intro
CVE-2026-48035 describes a vulnerability in the `@hulumi/baseline` package before version 1.4.0, where the S3 bucket created by `AccountFoundation` to store CloudTrail and AWS Config audit logs could be silently weakened in three ways. First, the startup-hardened tier hard-coded `objectLock: false` on the audit bucket, disabling Write-Once-Read-Many (WORM) for all objects, even though the actual problem was narrower: bucket-wide Object Lock blocks the AWS Config write-then-delete probe. Second, the `forceDestroy` parameter was forwarded to the audit bucket, so a downstream stack could set `logBucketForceDestroy: true`, and a `pulumi destroy` would then purge every audit-log object. Third, the sandbox tier skipped Object Lock, server access logging, and the CloudTrail-Lake EventDataStore, leaving sandbox accounts with no audit immutability. As a result, any principal with S3 delete permission could delete audit logs, and sandbox deployments had no immutability at all. The fix in 1.4.0 introduces a single invariant in `SecureBucket` that refuses `forceDestroy: true` on the startup-hardened tier, ensures the `EventDataStore` is always emitted, and adds a bucket-policy statement denying `s3:DeleteObject` scoped to the CloudTrail and Config history/snapshot prefixes, excluding the AWS Config `ConfigWritabilityCheckFile` probe key so Config’s write-then-delete check still works.
DailyCVE Form
Platform: `hulumi/baseline`
Version: `<1.4.0`
Vulnerability: `Audit log deletion`
Severity: `High`
Date: `2026-05-20`
Prediction: `2026-06-15`
What Undercode Say
Check whether the audit bucket has Object Lock enabled:
aws s3api get-object-lock-configuration --bucket <audit-bucket-name>
Check whether forceDestroy is allowed on the log bucket:
pulumi config get logBucketForceDestroy
Verify that the bucket policy carries a Deny statement covering s3:DeleteObject (the Policy field is a JSON string inside the JSON response, hence the fromjson; Action may be a string or an array, hence the tostring):
aws s3api get-bucket-policy --bucket <audit-bucket-name> | jq '.Policy | fromjson | .Statement[] | select(.Effect=="Deny" and (.Action | tostring | contains("s3:DeleteObject")))'
Simulate a delete attempt (requires appropriate permissions; on a patched bucket this should fail with AccessDenied):
aws s3api delete-object --bucket <audit-bucket-name> --key <cloudtrail-log-object-key>
Exploit
An attacker with `s3:DeleteObject` permission on the audit bucket can delete individual audit logs, breaking the forensic trail. If `logBucketForceDestroy: true` is set, a `pulumi destroy` operation will purge all objects in the bucket. In sandbox-tier deployments, there is no Object Lock, no server access logging, and no CloudTrail-Lake EventDataStore, so the attacker can delete logs without any immutable copy.
Protection
Upgrade to `@hulumi/baseline@1.4.0`. The fixed version refuses `forceDestroy: true` on the startup-hardened tier, always creates the EventDataStore, and adds a bucket policy denying `s3:DeleteObject` for the CloudTrail and Config history/snapshot prefixes, except for the Config probe key. As a workaround, replicate audit logs to an Object-Locked archive bucket in a separate account.
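The following is an added example, not code from `@hulumi/baseline` or from the advisory. It builds a deny statement of the shape described above and then runs the same check as the `get-bucket-policy | jq` step from the "What Undercode Say" section over two constructed bucket policies: one with only an allow for CloudTrail writes (the weak state) and one with the deny statement added. The bucket name, account id and object keys are constructed placeholders; the key layout assumes the usual delivery paths, where CloudTrail writes under `AWSLogs/<account>/CloudTrail/`, Config writes history and snapshots under `AWSLogs/<account>/Config/<region>/<date>/ConfigHistory|ConfigSnapshot/`, and the probe key sits directly under `AWSLogs/<account>/Config/`. Scoping the deny to those history/snapshot prefixes is what leaves the probe key deletable without needing a `NotResource` clause. The check treats a Deny that carries a `Condition` as no protection, since a conditional deny is not an unconditional guarantee.

```python
"""Build and verify a deny-s3:DeleteObject bucket-policy statement.

Added example; not code from @hulumi/baseline.  All names below are
constructed placeholders, and the key layout is an assumption.
"""
import json
import re

AUDIT_BUCKET = "example-audit-bucket"   # constructed placeholder
ACCOUNT_ID = "123456789012"             # constructed placeholder


def build_deny_delete_statement(bucket: str, account_id: str) -> dict:
    """Deny s3:DeleteObject on the CloudTrail and Config history/snapshot
    prefixes only.  The Config probe key (AWSLogs/<acct>/Config/
    ConfigWritabilityCheckFile) is not under any of these prefixes, so
    Config's write-then-delete probe keeps working."""
    base = f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}"
    return {
        "Sid": "DenyAuditLogDeletion",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:DeleteObject",
        "Resource": [
            f"{base}/CloudTrail/*",
            f"{base}/Config/*/ConfigHistory/*",
            f"{base}/Config/*/ConfigSnapshot/*",
        ],
    }


def _arn_matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    """Policy fields such as Action and Resource may be a string or a list."""
    return v if isinstance(v, list) else [v]


def delete_is_denied(policy: dict, bucket: str, key: str) -> bool:
    """True if an unconditional Deny statement covers s3:DeleteObject on the
    object ARN (action wildcards like s3:* or s3:Delete* count)."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny" or "Condition" in st:
            continue
        actions = _as_list(st.get("Action", []))
        if not any(_arn_matches(a.lower(), "s3:deleteobject") for a in actions):
            continue
        if any(_arn_matches(r, arn) for r in _as_list(st.get("Resource", []))):
            return True
    return False


def audit_policy_from_api(get_bucket_policy_output: str, bucket: str, account_id: str) -> dict:
    """Take the JSON printed by `aws s3api get-bucket-policy` (Policy is a
    JSON string nested inside JSON) and report, per representative audit
    key, whether deletion is denied.  The sample keys are constructed."""
    policy = json.loads(json.loads(get_bucket_policy_output)["Policy"])
    samples = {
        "cloudtrail": f"AWSLogs/{account_id}/CloudTrail/us-east-1/2026/05/20/log.json.gz",
        "config_history": f"AWSLogs/{account_id}/Config/us-east-1/2026/5/20/ConfigHistory/hist.json.gz",
        "config_snapshot": f"AWSLogs/{account_id}/Config/us-east-1/2026/5/20/ConfigSnapshot/snap.json.gz",
        "config_probe": f"AWSLogs/{account_id}/Config/ConfigWritabilityCheckFile",
    }
    return {name: delete_is_denied(policy, bucket, key) for name, key in samples.items()}


# Constructed policies: the weak one only lets CloudTrail write logs; the
# hardened one adds the deny statement from the 1.4.0 fix description.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSCloudTrailWrite",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{AUDIT_BUCKET}/AWSLogs/{ACCOUNT_ID}/*",
    }],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_POLICY["Statement"]
    + [build_deny_delete_statement(AUDIT_BUCKET, ACCOUNT_ID)],
}
# Shaped like the CLI output: the policy document is a string inside JSON.
WEAK_API_OUTPUT = json.dumps({"Policy": json.dumps(WEAK_POLICY)})
HARDENED_API_OUTPUT = json.dumps({"Policy": json.dumps(HARDENED_POLICY)})

if __name__ == "__main__":
    print("weak:    ", audit_policy_from_api(WEAK_API_OUTPUT, AUDIT_BUCKET, ACCOUNT_ID))
    print("hardened:", audit_policy_from_api(HARDENED_API_OUTPUT, AUDIT_BUCKET, ACCOUNT_ID))
```

On the weak policy every audit key comes back unprotected; on the hardened one the CloudTrail, history and snapshot keys are denied while the probe key stays deletable, which is the property the fix is meant to guarantee. To run it against a real bucket, pipe the output of `aws s3api get-bucket-policy --bucket <audit-bucket-name>` into `audit_policy_from_api` instead of the constructed strings.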
Impact
Consumers using `AccountFoundation` could deploy an AWS account where CloudTrail and Config audit logs are deletable by any S3-delete-capable principal, despite believing the startup-hardened tier guaranteed tamper-resistance. Sandbox-tier deployments had no audit immutability at all. This violates security and compliance requirements, potentially hiding malicious activity and impeding forensic investigations.
Sources:
Reported By: github.com

