In the ever-expanding realm of AWS, with over 200 services at our disposal, securing cloud account configurations and mastering complex environments can feel like an overwhelming challenge.
To help prioritise and root them out, here's a guide for AWS configurations that are most commonly overlooked. It features five of the top misconfigurations that could be lurking in any AWS environment right now.
As organisations build up their cloud usage and move to multi-cloud environments, security teams are overwhelmed by numerous configuration errors, all of which pose a security risk. Real-world data shows that companies, on average, experience around 3,500 cloud misconfigurations per month.
The reality is that even a single misconfiguration can provide attackers with an entry point that could lead to a data breach, economic loss, or the compromise of sensitive data.
According to recent data published by Cybersecurity and Infrastructure Security Agency (CISA), misconfigured cloud services are one of the ten most common attack vectors exploited by malicious actors to break into organisations.
The dizzying pace of change in the cloud means that human errors are inevitable. Engineers can accidentally make mistakes, misconfigure services, and leave resources exposed.
Understanding and addressing potential AWS misconfigurations in a cloud account is paramount. Failing to do so can expose an organisation to severe threats such as unauthorised data access, data breaches and regulatory non-compliance, all of which can inflict substantial financial and reputational damage.
Knowledge about common AWS misconfigurations and employing best practices for secure cloud configuration can significantly mitigate these risks, improving an organisation's overall security posture. Below, we highlight the top five most common AWS Misconfigurations to be aware of when building applications in the cloud.
1. Overly permissive roles and policies
Identity Access Management (IAM) permissions that are given to the IAM resources are usually overly permissive and allow for an escalation of privileges within the AWS environment. This type of misconfiguration allows the attacker to create or modify the IAM policy of the IAM user, group, or role, which might lead to gaining access to the AWS account.
Configuration details: Limit Root Account Usage
2. Amazon S3 buckets: Encryption
One of several storage options that Amazon provides, S3 buckets have become popular, with easy, out-of-the-box configurations to make data publicly accessible. This is convenient when S3 buckets are used alongside web and application servers running in EC2.
However, this means more configurations need to be managed to prevent the data in the S3 buckets from being inadvertently accessible by the public.
By default, S3 does not automatically encrypt data. A security practitioner has to configure S3 buckets to encrypt data automatically. This should be required unless there's a specific reason the data can remain unencrypted. It's critical to monitor S3 configurations actively to ensure that encryption is activated.
Configuration details: Setting default server-side encryption behaviour for Amazon S3 buckets
3. Public RDS snapshots
One of Amazon's more popular database options, Amazon Relational Database Service (RDS), is commonly used because of its out-of-the-box, automated options for configuration, management, maintenance, and security.
RDS snapshots are used to create backups of databases in the AWS cloud, and they can contain sensitive information such as personally identifiable information and corporate data.
If an RDS snapshot isn't properly configured, it may be publicly accessible, potentially allowing anyone to access the data contained within it. This can have significant consequences for the companies affected, including reputational damage and potential regulatory fines.
Configuration details: Setting Up AWS Config with the Console
4. AWS Lambda
Lambda is a serverless offering that allows customers to run code for virtually any type of application or backend service without provisioning or managing servers.
Storing sensitive information, such as API keys or database credentials, as plaintext in Lambda function environment variables can expose them to potential attackers or unauthorised access.
5. AWS Fargate access control: Assigning a task execution role
AWS Fargate offering allows customers to let Amazon provision, manage and configure containers with no need to manually launch or manage EC2 instances.
Fargate uses task execution roles to pull images from private registries, as recommended over public registries, or to publish container logs to CloudWatch; these two tasks are critical.
The goal of task execution roles is to isolate permissions for each task based on an IAM role so that each task is prevented from seeing all the other AWS services in the account. The task execution role would be the same as the EC2 role, but the trust relationship needs to be changed such that the container networking interface is allowed to assume the IAM role.
Configuration details: Amazon ECS task execution IAM role
To learn more and get the full list of riskiest AWS misconfigurations, download the complete guide 'The 15 AWS Misconfigurations to Know in 2023'.
In a dynamic and complex cloud environment, finding and fixing all misconfigurations manually is impossible, especially at scale. Unresolved AWS misconfigurations stand as a significant and persistent security concern for organisations navigating the cloud environment.
My company's real-time CSPM is a cloud security solution that helps organisations to identify and remediate security risks, including cloud misconfigurations, in real-time.
Misconfigurations can pose a substantial security risk, with the potential to expose sensitive data, introduce vulnerabilities, and pave the way for breaches. By leveraging our technology, organisations can manage and prevent misconfigurations proactively, reducing the attack surface and strengthening the security posture of their cloud environments.