<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Serdal Kepil</title>
    <description>The latest articles on DEV Community by Serdal Kepil (@serdalkepil).</description>
    <link>https://dev.to/serdalkepil</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F717125%2F131b5b46-0f8f-4381-b093-0c462bcc9792.jpg</url>
      <title>DEV Community: Serdal Kepil</title>
      <link>https://dev.to/serdalkepil</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/serdalkepil"/>
    <language>en</language>
    <item>
      <title>The Top 8 AWS Security Risks: What You Need to Know</title>
      <dc:creator>Serdal Kepil</dc:creator>
      <pubDate>Sat, 12 Nov 2022 16:02:00 +0000</pubDate>
      <link>https://dev.to/serdalkepil/the-top-8-aws-security-risks-what-you-need-to-know-5708</link>
      <guid>https://dev.to/serdalkepil/the-top-8-aws-security-risks-what-you-need-to-know-5708</guid>
      <description>&lt;p&gt;As the world moves toward adopting cloud services, AWS (Amazon Web Services) has been the top choice for most. Amazon Web Services has been around since 2006, yet users are still asking about best practices and the associated &lt;strong&gt;AWS security risks&lt;/strong&gt;. Building a robust cloud infrastructure, including a comprehensive cloud security architecture with an understanding of its blind spots and user models, is key to having a secure cloud.&lt;/p&gt;

&lt;h2&gt;8 Major AWS Security Risks&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;1. Unrestricted and long-lived access to S3 buckets&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;S3 (Simple Storage Service) lets users store data that can be easily and securely retrieved. Users select a region and create a bucket to upload data into. S3 stores that data across multiple data centers in the region and repairs any lost redundancy it detects.&lt;/p&gt;

&lt;p&gt;S3 buckets are susceptible to ransomware if they permit unfiltered access to all users. An attacker holding an account with read/write permission can use it to encrypt admin and core documents and folders. With the same privileges, an attacker can also rewrite settings or plant malware within the application.&lt;/p&gt;

&lt;p&gt;Therefore, AWS users must approve and manage permissions for everyone who has access to these buckets. Permissions fall into the following kinds: edit, view, upload/delete, and list. Reviewing the permissions on all buckets is an essential step in mitigating AWS security risks.&lt;/p&gt;

&lt;p&gt;Use temporary access through IAM roles when accessing your data. You can attach custom policies to those roles with conditions such as the source IP address, which lets you define a controlled path between your application and your S3 buckets.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Undetected request events to your S3 Buckets&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;S3 buckets are targets for information theft because they hold objects and store application files. Cyberattacks that lead to data leaks involve numerous requests to access the data in these buckets, and in the absence of bucket logs those requests go undetected until it is too late.&lt;/p&gt;

&lt;p&gt;S3 buckets do not generate access logs by default; logging has to be turned on manually. Once enabled, S3 records an access log entry for every request made to the bucket, with details such as the request type, the resource requested, and a date-time stamp. Having access logs helps in assessing AWS security risks by monitoring requests and identifying the type of requests made.&lt;/p&gt;

&lt;p&gt;🔐&lt;a href="https://www.cloudmetrik.com/aws-security-review-and-configuration-checks/" rel="noopener noreferrer"&gt;An AWS Security Audit&lt;/a&gt; would be a great approach to identify such misconfiguration.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Malevolent AWS API requests&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Many AWS APIs are publicly reachable, and attackers could use these endpoints to expose some of your architecture details. They can try to sniff access details from your application’s communication with AWS services like DynamoDB, SQS, SNS, API Gateway,…&lt;/p&gt;

&lt;p&gt;Attackers can then use this information to inject malicious code through the API, launch DDoS attacks, or use the compromised APIs for SQL injection as part of a broader attack.&lt;/p&gt;

&lt;p&gt;Always use the encryption options these AWS services provide. It is also recommended to use the AWS SDK when developing AWS-integrated applications, because the SDK signs your requests by default.&lt;/p&gt;

&lt;p&gt;For monitoring, Amazon CloudTrail gives you the complete history of all API calls made in the account. These logs include the request, the response, the source IP address, and a date-time stamp. Once created, the logs are stored in a pre-designated S3 bucket. Having CloudTrail enabled helps you detect AWS security risks by monitoring every API call. You can also be notified of specific CloudTrail events that indicate security issues, such as a root user login.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. Unfiltered traffic from untrusted sources&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When traffic has unrestricted access to your deployed AWS instances or load balancers, attackers may be able to gather information about the application to launch an attack. By limiting specific traffic to specific instances, you stop attackers from gaining insight into the application.&lt;/p&gt;

&lt;p&gt;Without a properly configured network, attacks such as DDoS can be launched from a group of IPs and rapidly overwhelm a system. To prevent such attacks you need to configure the network to deny traffic from suspicious sources. This also reduces the attack surface of an application by limiting traffic and controlling access.&lt;/p&gt;

&lt;p&gt;Security Groups act like a firewall by allowing only specific traffic to reach an instance. For example, an EC2 instance may have multiple Security Groups assigned to it, whose rules can be updated at any time, and only the allowed traffic can reach the instance. These rules define the permitted sources by protocol, such as ICMP or TCP, along with destination ports. To avoid AWS security risks, only specific IP addresses or ranges should be allowed access.&lt;/p&gt;

&lt;p&gt;A NACL (network ACL) is an additional layer of security that controls traffic to and from a subnet. As with Security Groups, you configure a NACL with security rules. NACL rules are evaluated in order of rule number, and the first rule that matches a request takes priority and is applied. To avoid AWS security risks, check whether any NACL rule allows all ports or all IP addresses. Such a rule leaves the system exposed, so remove it and create new, restrictive rules for the appropriate ports or IPs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5. Incorrect permission and privileges&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not all users need access to every folder and part of the application. For instance, non-admin users do not require access to the control panel or admin files. Identity and Access Management (IAM) lets you manage account access by setting up user accounts and permissions. IAM also lets you create user groups, which helps in assigning permissions collectively to users who belong to a specific group.&lt;/p&gt;

&lt;p&gt;When assigning permissions, you need to understand the needs and requirements behind each set of permissions. Review all users who hold elevated privileges and regularly update users based on their functions. Also, avoid relying on AWS managed policies; create custom policies based on the application stage and user role.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;6. Login and credential theft&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Many cyberattacks on cloud services are based on credential theft. Credentials are a gold mine for attackers, allowing them to take over an account completely. The attacks suffered by companies such as CodeSpaces and Timehop show how extensive the damage from credential theft can be. There are several ways to secure your account and sign-in information:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Two-factor or multi-factor authentication can protect accounts even if credentials are stolen&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Continuous monitoring for failed or anonymous logins&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Store your application and system logs with strict access rights&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Do not push credentials to git repositories or write them to logs&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;You can use services such as &lt;a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html" rel="noopener noreferrer"&gt;AWS Secrets Manager&lt;/a&gt; to rotate login credentials&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;7. Vulnerable multi-tenant cloud infrastructure&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The notion that multi-tenant systems carry more security risk is not correct. Rather, how you secure your own system and infrastructure determines the level of security. AWS has adopted numerous measures to ensure proper partitioning of data between users and to prevent data leaks in multi-tenant systems. Still, users can take extra precautions in the areas listed below:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Secure access for end users, such as OAuth2&lt;/li&gt;
&lt;li&gt;Central control panel and infrastructure&lt;/li&gt;
&lt;li&gt;Active monitoring of the runtime and services&lt;/li&gt;
&lt;li&gt;Vulnerability management and automated patching&lt;/li&gt;
&lt;li&gt;Investing in private networking such as Direct Connect&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;8. Protect your public endpoints with WAF&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If you need to serve API endpoints or web applications publicly, you need to monitor for and act on common attack types like DDoS, ReDoS, XSS, … in real time.&lt;/p&gt;

&lt;p&gt;You can easily build a strong layer-7 firewall with the &lt;a href="https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html" rel="noopener noreferrer"&gt;AWS WAF service&lt;/a&gt; using rules that cover the OWASP Top 10. AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests forwarded to your protected web application resources. You can protect the following resource types:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Amazon CloudFront distribution&lt;/li&gt;
&lt;li&gt;Amazon API Gateway REST API&lt;/li&gt;
&lt;li&gt;Application Load Balancer&lt;/li&gt;
&lt;li&gt;AWS AppSync GraphQL API&lt;/li&gt;
&lt;li&gt;Amazon Cognito user pool&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can benefit from managed rules to mitigate attacks with minimal effort. If you want a more resilient application, you can also create your own rule sets. Incoming requests are evaluated in real time and accepted or denied based on information such as IP address, HTTP headers, country of origin, and the presence of SQL or XSS payloads that are likely to be malicious. For instance, if you do not serve a specific country, you can block all requests coming from it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;As more companies move toward cloud-based systems, AWS security risks continue to increase. Security breaches and cyberattacks can have a tremendous impact on financial and brand value. To ensure that your cloud services are fully secured, you need an extensive AWS security audit that can detect security gaps and offer a comprehensive remediation plan and guidance. We at &lt;a href="https://www.cloudmetrik.com/aws-security-review-and-configuration-checks/" rel="noopener noreferrer"&gt;CloudMetrik have a vulnerability scanner and audit system with more than 300 tests&lt;/a&gt;, developed by a team of security experts with extensive experience. From network systems to business logic, &lt;a href="https://www.cloudmetrik.com/" rel="noopener noreferrer"&gt;CloudMetrik&lt;/a&gt;’s tool checks all avenues of your system and provides a comprehensive report for an in-depth understanding of your security posture.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>The Top 11 AWS Security Tools and Services for Your AWS Environment</title>
      <dc:creator>Serdal Kepil</dc:creator>
      <pubDate>Mon, 31 Oct 2022 13:49:30 +0000</pubDate>
      <link>https://dev.to/serdalkepil/the-top-11-aws-security-tools-and-services-for-your-aws-environment-4oda</link>
      <guid>https://dev.to/serdalkepil/the-top-11-aws-security-tools-and-services-for-your-aws-environment-4oda</guid>
      <description>&lt;p&gt;Since 2020, AWS has held 76% of enterprise cloud adoption, a figure that reflects the power and value AWS holds. Nevertheless, with great power comes a greater probability of risk, and customers using AWS have found themselves the targets of many data breaches over the past year. AWS enables enterprises to upload and distribute data with unique effectiveness, but it comes with a unique set of vulnerabilities that users easily overlook. This danger is precisely why AWS works hard to protect its infrastructure and secure its platform, safeguarding things like customer information. Nevertheless, AWS operates under the Shared Responsibility Model, which means the customer is responsible for keeping everything in their cloud secure. This includes the services and customizable configurations they use. AWS provides a range of security tools and services to make securing your cloud easier. This article introduces some of the AWS security services, tools, and solutions available to you as a customer.&lt;/p&gt;

&lt;h2&gt;What are AWS Security Tools and Services?&lt;/h2&gt;

&lt;p&gt;AWS security tools and services are a range of services provided by AWS that span several areas of security, including data protection, identity and access management, infrastructure security, threat detection, and continuous monitoring.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Data protection:&lt;/strong&gt; AWS understands the importance of securing data and ensuring it is not lost in transit. Its services help you meet basic security, privacy, and compliance needs. Features include encryption, data replication, and data monitoring. An example of a data protection service from AWS is Amazon Macie.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Identity &amp;amp; Access Management:&lt;/strong&gt; AWS recognizes the need to manage identities, so it provides a comprehensive set of tools and services to help you manage identities in the cloud. The goal is to control which resources and actions an identity can use and manipulate.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Infrastructure Security:&lt;/strong&gt; Infrastructure protection is a critical component of information security, helping to ensure that everything in your workload is safe from vulnerability, exploitation, or unwanted access. Although the infrastructure is largely managed by AWS, AWS also provides additional resources, such as AWS WAF, to manage the security of the configurable parts of the infrastructure.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Threat Detection:&lt;/strong&gt; In the cloud, you need constant assurance that your security posture is strong and that your configurations are optimized for security. AWS provides services such as Amazon GuardDuty that increase visibility into your deployment and operations and monitor identity behavior to help detect threats.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Account vs. Application vs. Service Security on AWS:&lt;/strong&gt; One thing to note about AWS services and tools is that they differ in what they help secure. AWS distinguishes between account security and application and service security.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Account:&lt;/strong&gt; Securing an identity, whether personal or non-personal, requires its own approach to security. This is where IAM practices stand out, as AWS encourages controlling each identity’s ability to access sensitive data or manipulate privileges. This helps avoid problems like privilege escalation if someone’s credentials are compromised. An example is AWS IAM, a service that supports security practices such as SSO and MFA and that defines and manages the permissions of identities in your cloud.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Application &amp;amp; Service:&lt;/strong&gt; Applications and services within AWS are exposed to threats such as external attacks from malicious actors, or to vulnerabilities introduced during development, so they need their own security resources. An example is Amazon Inspector, a service for vulnerability management of applications deployed on EC2. Now that we have explored the different purposes and types of AWS security tools, let’s apply this information and look at the best services and features customers can use today.&lt;/p&gt;

&lt;h2&gt;Top 11 AWS Security Tools&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;AWS Security Hub&lt;/strong&gt;&lt;br&gt;
Collection and Identification. AWS Security Hub is a cloud security posture management service that collects and identifies security data from across AWS accounts, services, and supported third-party partner products. It gathers your security alerts (findings) in a standardized format so you can act on them easily. Security Hub makes it easy to understand and improve your security posture through automated integrations with other AWS services, such as AWS Systems Manager, and with AWS partner products. It also assigns a severity to each finding. Many roles may be tasked with managing secure use of the cloud, but this service is particularly useful to cloud security analysts.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Shield&lt;/strong&gt;&lt;br&gt;
Infrastructure Protection. AWS Shield protects all your applications running on AWS from DDoS (Distributed Denial-of-Service) attacks, guarding the environment your application runs in. Shield is integrated by default with services like ALB, API Gateway, and CloudFront. You can also choose the Advanced tier if you want more visibility into DDoS attacks against your AWS resources. The target audience for this service is DevSecOps and cloud administrators.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Identity and Access Management (IAM)&lt;/strong&gt;&lt;br&gt;
Identity &amp;amp; Access Management. AWS IAM provides identity and access controls in your environment. Specifically, it offers granular control over what each identity (human or non-human) can access and do. You can create roles and custom policies securely using strict conditions. Typical users are IT managers and cloud admins.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS IAM Analyzer&lt;/strong&gt;&lt;br&gt;
Identity &amp;amp; Access Management Usage Reporting. Building on the insights and controls AWS IAM provides, managing the permissions of many identities can become unruly. IAM Analyzer gives a clearer picture of these access patterns to help remove excessive privileges and work toward least privilege. It can also report on temporary access sessions and events.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Amazon Macie&lt;/strong&gt;&lt;br&gt;
Data Protection. Amazon Macie helps secure Amazon S3 buckets. It uses machine learning and pattern matching to detect sensitive data within S3 buckets and alerts you to issues such as missing encryption or publicly accessible data. This is particularly useful for anyone responsible for compliance.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Amazon GuardDuty&lt;/strong&gt;&lt;br&gt;
Intelligent Threat Detection. Amazon GuardDuty analyzes log data collected from your AWS accounts and workloads, including Route53 Resolver DNS logs, VPC Flow Logs, event logs, container logs, and other sources. The data is analyzed with machine learning to detect abnormal behavior, which is presented in a central location. Security and SecOps teams would use this service.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Config&lt;/strong&gt;&lt;br&gt;
Detection and Monitoring. AWS Config continually evaluates your cloud configurations and detects out-of-policy changes. This is extremely useful when making configuration changes to resources, to ensure nothing opens the door to a data breach. For example, you can use a drift detection policy to catch manual changes. The target audience is security analysts and cloud security teams.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Secrets Manager&lt;/strong&gt;&lt;br&gt;
Sensitive Data Protection. Secrets Manager helps you protect sensitive information, such as the secrets that grant access to services and databases in your environment. When you need a secret, you retrieve it with an API call to the Secrets Manager API rather than storing it in your code. This tool is useful to development teams and admins.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Inspector&lt;/strong&gt;&lt;br&gt;
Detection and Monitoring. AWS Inspector is an assessment service for applications deployed on EC2 instances and for container images. Its security assessments cover CIS benchmarks, known vulnerabilities (CVEs), and general security best practices, such as disabling root login over SSH. This is useful for DevSecOps teams and security analysts.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Web Application Firewall (WAF)&lt;/strong&gt;&lt;br&gt;
Infrastructure Security. AWS WAF helps protect internet-exposed web applications from exploitation of the &lt;a href="https://owasp.org/www-project-top-ten/" rel="noopener noreferrer"&gt;OWASP Top Ten&lt;/a&gt; risks. It detects and mitigates attacks such as SQL injection. It comes with managed rules, and your team can also customize its own rule sets; managed rules from third-party technology partners such as F5 and Cisco are available as well. This is useful for cloud, network, and security admins.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS CloudTrail&lt;/strong&gt;&lt;br&gt;
Detection and Monitoring. CloudTrail records all activity in your environment, including actions, requests, responses, identity operations, and every API call, as events. This helps you review and detect inappropriate or suspicious behavior. For example, you can be notified when the root account logs in. CloudTrail Insights is an additional feature you can enable to be alerted when abnormal activity is detected.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Build Upon AWS Security Tools with CloudMetrik&lt;/strong&gt;&lt;br&gt;
Amazon Web Services offers comprehensive services and tools to help your teams secure your cloud. That said, AWS is a cloud provider, not a security provider. It is widely accepted that the best way to extend your cloud security beyond the limits of native tools is to rely on third-party security tools.&lt;/p&gt;

&lt;p&gt;CloudMetrik exists to serve this purpose and offers a wide variety of solutions, all hosted in one integrated product. We at &lt;a href="https://www.cloudmetrik.com" rel="noopener noreferrer"&gt;CloudMetrik&lt;/a&gt; also have a vulnerability scanner and audit system with over 300 tests, developed by a team of security experts with extensive experience. From network systems to business logic, &lt;a href="https://www.cloudmetrik.com/aws-security-review-and-configuration-checks/" rel="noopener noreferrer"&gt;CloudMetrik’s tool&lt;/a&gt; checks all avenues of your system and provides a comprehensive report for an in-depth understanding of your security posture.&lt;/p&gt;

&lt;p&gt;Source: &lt;a href="https://www.cloudmetrik.com/the-top-11-aws-security-tools-and-services/" rel="noopener noreferrer"&gt;https://www.cloudmetrik.com/the-top-11-aws-security-tools-and-services/&lt;/a&gt;&lt;/p&gt;

</description>
      <category>aws</category>
      <category>awssecurity</category>
      <category>cloud</category>
      <category>cloudsecurity</category>
    </item>
  </channel>
</rss>
