Amazon · Aws-Deployment-Framework · CVE-2024-37293
**Name of the Vulnerable Software and Affected Versions**
aws-deployment-framework versions prior to 4.0.0
**Description**
The AWS Deployment Framework (ADF) contains a bootstrap process that relies on elevated privileges to deploy ADF's bootstrap stacks, facilitating multi-account cross-region deployments. Prior to version 4.0.0, the bootstrap CodeBuild role provides access to the `sts:AssumeRole` operation without further restrictions, allowing it to assume into any AWS Account in the AWS Organization with elevated privileges. This issue can be exploited by an actor with permissions to change the behavior of the CodeBuild project or the Lambda function, enabling them to escalate their privileges.
**Recommendations**
As a temporary mitigation, add a permissions boundary to the roles created by ADF in the management account. The permissions boundary should deny all IAM and STS actions. This permissions boundary should be in place until you upgrade ADF or bootstrap a new account.
Upgrade to `aws-deployment-framework` version 4.0.0 to resolve the issue.
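The two points above, the unrestricted `sts:AssumeRole` grant and the permissions-boundary mitigation, are modelled in the following added example. It is not code from the ADF project or from the advisory: the policy documents are constructed samples shaped like the issue described (the role name and organization ID are placeholders), and the boundary evaluation is a simplified single-action model of how IAM intersects a boundary with identity policies.

```python
"""Added example (not ADF project code): flag the unrestricted sts:AssumeRole
grant shape described in CVE-2024-37293 and model the permissions-boundary
mitigation from the Recommendations section."""
import fnmatch
import json


def _as_list(value):
    """IAM allows scalar-or-list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covers(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_unrestricted_assume_role(policy):
    """Return Sids (or positional labels) of Allow statements that grant
    sts:AssumeRole on every resource with no Condition block, i.e. the
    'assume into any account in the organization' shape the advisory describes."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_covers(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        if "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


def boundary_allows(boundary, action):
    """Simplified permissions-boundary evaluation for one action: an explicit
    Deny wins, otherwise the action must be covered by an Allow in the boundary.
    A boundary made only of Deny statements therefore permits nothing."""
    denied = allowed = False
    for stmt in _as_list(boundary.get("Statement")):
        if any(_action_covers(a, action) for a in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
    return allowed and not denied


# Constructed sample shaped like the issue: sts:AssumeRole on "*" with no Condition.
# This is NOT the actual ADF policy text.
UNRESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}],
}

# Constructed sample of a scoped grant: one role-name pattern plus an org condition.
# Role name and organization ID are placeholders, not values from the advisory.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AssumeDeployRoleOnly",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::*:role/EXAMPLE-deploy-role",
        "Condition": {"StringEquals": {"aws:ResourceOrgID": "o-EXAMPLEORGID"}},
    }],
}

# Permissions boundary per the Recommendations: deny all IAM and STS actions.
# The Allow "*" is required because a boundary only caps permissions; without
# an Allow to intersect with, the role could do nothing at all.
PERMISSIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CapAtEverythingElse", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyIamAndSts", "Effect": "Deny", "Action": ["iam:*", "sts:*"], "Resource": "*"},
    ],
}

# Common mistake: a boundary holding only the Deny. It blocks IAM/STS, but since
# no Allow remains to intersect with, every other action is blocked as well.
DENY_ONLY_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["iam:*", "sts:*"], "Resource": "*"}],
}

if __name__ == "__main__":
    print("unrestricted:", find_unrestricted_assume_role(UNRESTRICTED_POLICY))
    print("scoped:", find_unrestricted_assume_role(SCOPED_POLICY))
    for act in ("sts:AssumeRole", "iam:PassRole", "s3:GetObject"):
        print(act, "allowed by boundary:", boundary_allows(PERMISSIONS_BOUNDARY, act))
    # To apply the mitigation: create PERMISSIONS_BOUNDARY as a managed policy, then
    # for each ADF role in the management account call boto3
    # iam.put_role_permissions_boundary(RoleName=..., PermissionsBoundary=<policy ARN>).
    print(json.dumps(PERMISSIONS_BOUNDARY, indent=2))
```

Running the checker over the IAM policies attached to the bootstrap roles gives a quick way to confirm whether the pre-4.0.0 shape is still present after an upgrade; the `DENY_ONLY_BOUNDARY` case shows why the temporary boundary must carry an `Allow "*"` alongside the IAM/STS deny.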