As companies transition their infrastructures quickly into the cloud, errors and oversights become increasingly frequent. Misconfigurations made during migration can be exploited by malicious actors to cause data breaches that make headlines each night.
DevSecOps teams should keep an eye out for misconfigurations to customise automated Conformity scans so they’re continually assessing and assuring the security of AWS environments.
Top 10 AWS Security Misconfigurations
AWS Misconfigurations in cloud infrastructure can result in cyber exposures, security breaches and data leakages that can damage your company’s reputation and cost money. Furthermore, they expose sensitive information to unauthorized users while also violating customers’ information or intellectual property privacy rights.
Keep yourself aware of the most dangerous misconfigurations on AWS to help ensure that when setting up new infrastructure or changing existing settings, these misconfigurations won’t occur. Doing this will also ensure you adhere to AWS Shared Responsibility Model which states that security within an environment should remain your responsibility while AWS handles security “of” it.
Misconfigurations in AWS services can expose critical assets and data to untrustworthy parties, leading to security or data breaches. Breaches like Capital One’s 2019 breach that exposed 100 million records; FlexBooker’s 2021 incident that exposed 3 million customers’ PII; and SeniorAdvisor’s 23-million file leak are examples of how AWS misconfigurations may lead to massive public exposures of your information.
Top 3 S3 Misconfigurations
Amazon Simple Storage Service (S3) serves as the cornerstone of cloud data and object storage, supporting everything from web servers and mobile apps to backup/restore, archiving, and IoT devices. But misconfigurations within S3 could make it an opportunity for attackers.
S3 buckets that are publicly accessible present a serious security threat; attackers could use them to serve or control malware, damage websites, store any amount of data at your expense or even encrypt files for ransom demands.
To prevent this from occurring, make sure that S3 bucket access logging is enabled. This will allow users to monitor and log changes made to the bucket and also help achieve compliance with standards such as CIS, SOC2, PCI, MAS, HIPAA, and GDPR.
1. Public Buckets or Public Objects Inside Buckets
Public buckets, defined as those with the Bucket Policy set to public-read, allow anyone access to list or download objects stored within them. While this feature can be extremely beneficial to some S3 users, it should not be utilized in environments where security and compliance requirements must be strictly observed.
Bucket policies can be configured at a bucket level and, unless explicitly denied, will apply to all objects stored in it. They can also be configured to grant specific entities access through cross-account permissions such as emails/Ids or full control.
Misconfiguration can be hard to spot, and identifying attackers using it to gain entry is even harder due to non-malicious activities they will likely be performing. AWS CloudTrail and other security services can help monitor for this behavior; additionally, external tools designed to simulate and evaluate bucket or object policies can provide valuable insights into an environment’s workings while alerting of any potential threats that arise from these changes.
2. Not Using Access Logging
Misconfigurations are a huge threat in the cloud. Hackers use them to snoop on, steal and sell information as well as ransom companies 24/7, while enterprises’ best efforts at implementing and reviewing cloud services often results in errors, oversights or poor configuration choices.
Kromtech Security discovered an Amazon Web Services cloud S3 bucket misconfiguration belonging to Patient Home Monitoring that stored laboratory results and other private information for 150,000 patients without proper protections in place. Although quickly secured the data to reduce consumer impact, the damage has already been done.
AWS access logs offer an expansive record of all requests to an S3 bucket and are invaluable in monitoring its usage. Unfortunately, many organizations fail to enable it on their accounts and when they do enable it they often don’t specify the format to use for logs resulting in fields like XrayTraceId being left out. Users also frequently neglect enforcing account-wide key rotation, essential in protecting against bad actors gaining entry to your infrastructure.
3. Not Encrypting Critical Information
Consumers today are becoming more privacy-aware than ever, which makes misconfigurations that expose customer data an expensive mistake for companies. A single data breach could cost companies millions or billions in fines, lost revenue, damaged brand reputation and customer losses.
DevSecOps teams can use a single platform to configure, test, and audit their entire infrastructure – this enables them to spot common AWS misconfigurations automatically while providing advice based on best practices; finally it also automates fixes for those misconfigurations while verifying compliance without manual tasks being necessary.
Estee Lauder recently experienced a serious breach due to 86 unprotected Amazon S3 buckets that Kromtech researchers discovered contained confidential employee and customer data, such as medical records and lab results. Data breaches like this one make personal information vulnerable to thieves who could steal and use for identity theft; it’s crucial that organizations invest in an information management platform capable of protecting sensitive data while restricting access.
Top 3 EC2 Misconfigurations
Misconfigurations often result in data being exposed to unauthorised parties, leading to data breaches exposing Personal Identifiable Information, Intellectual Property, Financial information, etc. and costing organisations millions every year. A breach’s public perception can further harm brands due to media coverage and social media backlash that diminish brand value further.
Misconfigurations like this one are all too frequent in the cloud environment, as organisations rush in without fully comprehending its complex features and risks; as a result, businesses experience thousands of misconfigurations every month, most of which go undetected by IT administrators.
Misconfigurations on Amazon EC2 often allow an attacker to gain access to Amazon EBS volume snapshots and encrypted data stored on those volumes, usually through developers deploying servers and databases in the default VPC for testing purposes or POC purposes. Following AWS security best practices such as their Well Architected Framework should help keep these misconfigurations at bay; for a more comprehensive approach to detection and prevention consider investing in an AWS security misconfiguration scanner that automatically detects and alerts you of these issues.
Data breaches can cost businesses millions in lost productivity, revenue and compliance violations – password rotation can help protect against these breaches by keeping passwords fresh.
Misconfigurations may still lead to security gaps on AWS; here are some of the top ones.
1. Public Snapshots or Non-encrypted Shared Snaps
AWS users have the capability to make snapshots private, yet many fail to do so correctly or completely. Without proper implementation of this security best practice, other accounts could potentially copy or restore snapshots and gain access to sensitive data that should remain protected.
Misconfiguration can expose personal information including names, social security numbers, addresses, phone numbers, bank account and credit card details and other confidential details that were never protected in the first place – making it accessible via cloud storage misconfigurations. Attackers with software engineering backgrounds find it easy to leverage this type of unprotected data through misconfigurations; security researchers and defense contractors regularly discover personal data made private within publicly accessible RDS snapshots like those uncovered with NGA/CENTCOM in 2017 as well as Elasticsearch in 2019. Security researchers and defense contractors regularly unearth personal data hidden within publicly accessible RDS snapshots such as NGA/CENTCOM in 2017 as well as Elasticsearch in 2019 through cloud storage misconfigurations; security researchers and defense contractors regularly discover personal data made private inside public RDS snapshots with private RDS snapshots that leak to public RDS snapshots, security researchers uncover similar incidents such as with NGA/CENTCOM in 2017 or Elasticsearch in 2019. Security researchers as well as defense contractors uncover it regularly from misconfigurations found to access cloud storage misconfigurations with Cloud service misconfigurations via cloud misconfigurations with NGA and CENTCOM in 2017 and Elasticsearch in 2019.
To make sure a snapshot isn’t public, use the “describe-db-snapshot-attributes” command (macOS/Linux/UNIX). If any returned attribute values include an all value then that indicates public snapshot which allows any account accessing to copy or restore them – to protect privacy it is always wiser to make your snapshots private once complete.
2. Backend instances living in public subnets
Public subnets are ranges of addresses accessible by instances (VMs or EC2 servers) within an Availability Zone, for instance VMs and servers running an operating system like Linux. Such subnets might contain CIDR blocks like 10.0.1.0/24 that enable instances to reach computers on the Internet through Network Address Translation (NAT) gateways or an egress-only gateway.
Attackers can utilize public IPs to gain entry to an EC2 instance’s security group and assume the role of customer administrator, giving them full privileges within its environment and potentially leading to data breaches in which compromised information can be misused for malicious purposes.
Cloud misconfigurations may occur frequently, but they’re preventable with the right tools and practices. That’s why cloud security posture management (CSPM) is so essential in identifying and fixing misconfigurations before they become cyberattack vectors. Wiz’s CSPM solution continuously monitors cloud environments to help teams identify insecure configuration drift and misuse that attackers could exploit; discover more about mitigating risk with this solution or request a demo now!
3. Public/unencrypted AMIs
AMIs (Amazon Machine Images) are the cornerstone of deployment on Amazon Elastic Compute Cloud (EC2). A public AMI provides everyone with access to create instances of that AMI – this may reveal sensitive data such as SSH keys, configuration files or credentials for other resources if it contains such components.
Misconfigurations involving default settings are among the most frequently seen errors by our auditors, potentially having devastating repercussions for any business that relies on AMI data.
One effective solution to this issue is encrypting AMIs at rest. To do this, simply make the AMI private by selecting it in your dashboard’s IMAGES section and clicking “Permissions.” This will change its launch permissions so it cannot be created and launched on other accounts.
Top 4 IAM misconfigurations
Misconfiguration of IAM (Identity and Access Management) is one of the most widespread security threats. Cloud infrastructure is complex, making it easy for attackers to gain entry through security holes that create access points into sensitive data.
IAM (Identity and Access Management) allows you to effectively control identity and access management in your Cloud environment. It enables you to create users and groups, assign permissions to them according to resource access needs, and identify any misconfigurations with IAM roles – to avoid these, you should use a cloud-native tool which continuously evaluates privileges to flag those that may be excessive or dangerous.
As an example, if your IAM role s3:BlockPublicAccessDisabled has broad list actions (such as s3:ListAllMyBuckets) enabled, an attacker who gains access can enumerate all your S3 buckets to see what is stored there – this misconfiguration has led to several high-profile data breaches such as Capital One breach in 2019 and SeniorAdvisor breach in 2021.
DevSecOps processes that automatically scan for misconfiguration are the ideal way to ward off this type of misconfiguration and enable teams to work securely while building without interruption from misconfiguration issues. Furthermore, MFA should be enabled on all privileged user accounts as well as rotating passwords regularly to provide further protection from misconfiguration errors.
1. Lack of MFA/Key rotation
One common misconfiguration in EC2 involves failing to rotate IAM user access keys regularly as per security best practice. While this should be easy for DevOps environments where changes happen rapidly and frequently, in DevOps environments this might prove challenging and expensive to keep up.
An unauthorized breach can give access to customer or financial information without their knowledge, as evidenced by breaches such as 2019 Capital One breach where 100 million records were exposed, and 2021 FlexBooker and SeniorAdvisor breaches where personal details from millions were exposed.
Misconfiguration can also cause critical applications and services not to function as intended, costing organizations thousands in lost productivity and revenue as well as violations to Service Level Agreements (SLAs) and customer dissatisfaction.
Implementing proper configuration practices is crucial, but having the tools in place to quickly detect and address vulnerabilities is even more essential. Trend Micro Cloud One – Conformity provides DevSecOps teams with the capability of automating an extensive set of conformity checks allowing organizations to ensure that their CI/CD pipelines are safely configured without slowing development and deployment efforts.
2. Not using roles
As enterprises make major investments in digital transformation, cloud infrastructure may provide operational efficiency and simplicity; but this only holds true if best practices are enabled and configured correctly; otherwise misconfigurations or ignorance could lead to data breaches which prove costly for pentesting services.
Under AWS’ Shared Responsibility Model, cloud adopters are accountable for security “in” their cloud environment while AWS takes responsibility for security “of” the cloud. DevSecOps teams should be aware of common misconfigurations and act swiftly to resolve them before malicious actors exploit them.
Therefore, we developed automated Conformity scans for AWS services, enabling security engineers to build securely with minimal impact while also helping teams demonstrate compliance and governance more easily and quickly. One of the primary misconfigurations is failing to enable AWS CloudTrail; this service tracks changes made to your AWS account and infrastructure which provides security auditing, resource tracking and troubleshooting benefits; however if this feature is disabled an attacker could gain anywhere from zero privilege up to full control of all EC2 instances within an account by editing assumed role policies of any existing roles
3. Giving out too much privilege
Before making any adjustments that grant privileges, it’s vital to consider their potential ramifications on security. This is particularly pertinent with cloud infrastructures where the structure allows easy escalation of privileges across an entire system.
When services are invoked, they often check (implicitly and without using iam:PassRole or sts:AssumeRole) whether the calling principal can assume the roles necessary to perform its actions and assume their associated permissions – potentially leading to privilege escalation without adequate IAM policies in place to safeguard these actions.
An EC2 instance configured to grant access to its IMDS v2 interface from its CMDS interface makes it easier for threat actors to clone a CodeCommit repository, browse its commit history, and obtain AWS credentials used to access that instance – giving them entry into the system and enabling them to execute commands at will and cause serious data breaches or disrupt customer trust, revenue or operations.
4. Keeping unused credentials around
Humans make mistakes, so it is nearly impossible to prevent every cloud misconfiguration incident that may arise. However, regular misconfiguration detection can help mitigate their effect by identifying and fixing incidents before they escalate into more serious issues.
As part of good practices and to safeguard security, credentials that are no longer needed should be invalidated from an account once they’re no longer needed. Unused credentials provide attackers with an entryway into your infrastructure that can lead them to compromise it completely – it is recommended that any credential that hasn’t been used in 45+ days should be disabled to eliminate this potential vulnerability.
Misconfigurations in our highly connected world can expose data to the public and put both enterprises and their customers at risk of breach. Even without actual breach, trust issues between organizations and their customers may damage both parties over time.
Conclusion
Although AWS Shared Responsibility Model largely places security responsibilities on users, misconfigurations may still expose data and infrastructure to malicious actors. By adopting policies and practices as described herein, IT teams can reduce AWS EC2 misconfigurations that compromise data leaks or breaches and protect themselves.
Misconfigured Amazon S3 buckets pose a threat to sensitive corporate and customer data across industries, from the U.S. Department of Defense to Silicon Valley tech titans. Mistakes made with Amazon S3 bucket configuration are one of the primary causes of 2021 data breaches; to reduce their likelihood, it’s essential that individuals understand why mistakes like these arise and take proactive measures against them.
Datadog can be a powerful way of discovering any issues with Amazon EC2 performance metrics. Users can tag instances and organize them based on dozens of criteria, making it simple to aggregate and correlate metrics that reveal performance issues that impact end users. Take advantage of a free 14-day trial of Datadog now and witness its power firsthand!