As the world is moving towards adopting cloud services, AWS (Amazon Web Services) has been the top choice for most. Amazon Web Services has been around since 2006 but users are still wondering about the best practices and associated AWS security risks. Building a robust cloud infrastructure which includes comprehensive cloud security architecture with an understanding of all its blind spots and user models is key to having a secure cloud.
In this article, we list 8 major AWS security risks for better understanding. Here it goes:
1. Unrestricted access to S3 buckets
S3 (Simple Storage Solution) lets users store data that can be retrieved easily and securely. To use it, a user chooses a region and creates a bucket to upload data into. S3 stores each object on multiple devices in that region and repairs any lost redundancy it detects.
S3 buckets are susceptible to ransomware attacks if they allow unfiltered access to all users. An attacker who obtains an account with read/write permission on the bucket can use it to encrypt admin and core files and folders. With the same privileges, an attacker can also rewrite settings or install malware within the application.
Thus, AWS users should grant and control permissions for those who have access to these buckets. The AWS console can be used to provide access to three types of users, including:
- authenticated users, and
- log delivery.
Permissions can be of the following types:
- edit permission,
- view permission,
- upload/delete, and
- list.
Reviewing permissions for all these buckets is an important step to mitigate AWS security risks.
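The review step above is mechanical enough to script. The following Python is an added example, not code from the article or from Astra: it audits a bucket ACL in the shape returned by the GetBucketAcl API (boto3's get_bucket_acl response) and reports every grant that reaches beyond the bucket owner. The group URIs are the real S3 predefined groups; the owner ID, the grants in SAMPLE_ACL and the severity labels are this example's own constructed values.

```python
# Added example (not from the article): audit an S3 bucket ACL for grants that
# reach beyond the bucket owner. Input shape follows the GetBucketAcl response;
# SAMPLE_ACL is constructed for this example, not taken from a real bucket.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# What each bucket-level ACL permission lets the grantee do.
PERMISSION_MEANING = {
    "READ": "list the objects in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL (as good as full control)",
    "FULL_CONTROL": "list, write and rewrite the ACL",
}
# Permissions that let a grantee change or destroy data, or the ACL itself.
MUTATING = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_bucket_acl(acl):
    """Return one finding per grant to anyone other than the bucket owner.

    AllUsers means anonymous, unauthenticated requests are accepted;
    AuthenticatedUsers means any AWS account in the world, not only yours.
    The LogDelivery group is the one group grant that is normal on a bucket
    that receives server access logs, so WRITE/READ_ACP for it is not reported.
    """
    owner_id = acl["Owner"]["ID"]
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        permission = grant["Permission"]
        gtype = grantee.get("Type")
        if gtype == "CanonicalUser" and grantee.get("ID") == owner_id:
            continue  # the owner's own grant is expected
        if gtype == "Group":
            uri = grantee.get("URI", "")
            if uri == ALL_USERS:
                who = "anyone on the internet"
                severity = "CRITICAL" if permission in MUTATING else "HIGH"
            elif uri == AUTHENTICATED_USERS:
                who = "any AWS account"
                severity = "CRITICAL" if permission in MUTATING else "HIGH"
            elif uri == LOG_DELIVERY and permission in ("WRITE", "READ_ACP"):
                continue  # expected on a log target bucket
            else:
                who, severity = f"group {uri}", "MEDIUM"
        else:
            # Cross-account canonical user or e-mail grantee: review, but not public.
            who = f"{gtype} {grantee.get('ID') or grantee.get('EmailAddress')}"
            severity = "LOW"
        findings.append({
            "severity": severity,
            "grantee": who,
            "permission": permission,
            "impact": PERMISSION_MEANING.get(permission, "unknown permission"),
        })
    return findings


# Constructed ACL: the owner has full control, but two public groups were also granted access.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-example"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-example"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for f in audit_bucket_acl(SAMPLE_ACL):
        print(f"[{f['severity']}] {f['grantee']} has {f['permission']}: can {f['impact']}")
```

On the sample, the anonymous READ grant is reported as HIGH (anyone can list the bucket) and the WRITE grant to AuthenticatedUsers as CRITICAL, since "authenticated" here means any AWS account, which is the misreading that leads to the ransomware scenario described above. Bucket policies and the account-level Block Public Access setting are separate controls and need their own review.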
2. Undetected data requests
Since S3 buckets store application files and data, they are targets for information theft. Cyber-attacks that lead to data leaks consist of numerous requests to access the data in these buckets, and in the absence of bucket logs these requests go undetected until it is too late.
S3 buckets do not generate logs by default; logging has to be turned on manually. Once enabled, S3 creates access log records for requests made to the bucket, with details such as the type of request, the resource requested, and a date-time stamp. Having access logs helps in assessing AWS security risks by monitoring requests and identifying the type of requests made. An AWS pentest is a good way to identify such threats – https://www.getastra.com/blog/security-audit/penetration-testing-aws/
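Access logs only help if something reads them. The Python below is an added example, not the article's or Astra's code: it parses records in the documented S3 server access log layout (bucket owner, bucket, bracketed time, remote IP, requester, request id, operation, key, quoted request URI, status, error code, and so on) and flags the two patterns a bucket owner most wants to know about: unauthenticated requests that S3 actually served, and sources that collect repeated AccessDenied responses. The log lines in SAMPLE_LOG are constructed for this example and the threshold of two denials is an arbitrary choice.

```python
import re
from collections import Counter

# Field order of an S3 server access log record as documented by AWS; the
# trailing fields (host id, signature version, TLS version, ...) are ignored here.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turnaround_time", "referer", "user_agent",
]
# A token is a [bracketed time], a "quoted string", or a run of non-space characters.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample (not real log data): one owner request, then an anonymous
# client that downloads one object and probes other keys and the bucket listing.
SAMPLE_LOG = """\
own1 payroll-docs [06/Feb/2019:00:00:38 +0000] 192.0.2.3 own1 R1 REST.GET.OBJECT reports/q1.pdf "GET /payroll-docs/reports/q1.pdf HTTP/1.1" 200 - 4096 4096 12 10 "-" "aws-cli/2.0" - -
own1 payroll-docs [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - R2 REST.GET.OBJECT reports/q1.pdf "GET /payroll-docs/reports/q1.pdf HTTP/1.1" 200 - 4096 4096 9 8 "-" "curl/7.68.0" - -
own1 payroll-docs [06/Feb/2019:00:01:03 +0000] 198.51.100.7 - R3 REST.GET.OBJECT reports/q2.pdf "GET /payroll-docs/reports/q2.pdf HTTP/1.1" 403 AccessDenied - - 3 - "-" "curl/7.68.0" - -
own1 payroll-docs [06/Feb/2019:00:01:04 +0000] 198.51.100.7 - R4 REST.GET.BUCKET - "GET /payroll-docs?list-type=2 HTTP/1.1" 403 AccessDenied - - 3 - "-" "curl/7.68.0" - -
own1 payroll-docs [06/Feb/2019:00:02:10 +0000] 203.0.113.9 - R5 REST.GET.OBJECT reports/q3.pdf "GET /payroll-docs/reports/q3.pdf HTTP/1.1" 403 AccessDenied - - 3 - "-" "python-requests/2.25" - -
"""


def parse_record(line):
    """Split one log line into a dict keyed by FIELDS; brackets and quotes are stripped."""
    tokens = [t.strip('[]"') for t in TOKEN_RE.findall(line)]
    return dict(zip(FIELDS, tokens))


def analyze_access_log(text, denied_threshold=2):
    """Summarise who touched the bucket and flag anonymous hits and probing sources."""
    records = [parse_record(l) for l in text.splitlines() if l.strip()]
    anonymous_success = []    # unauthenticated requests that S3 served (2xx)
    denied_by_ip = Counter()  # AccessDenied counts per source IP
    ops_by_requester = Counter()
    for r in records:
        ops_by_requester[(r["requester"], r["operation"])] += 1
        # A requester of "-" is an anonymous request; a 2xx means the bucket served it.
        if r["requester"] == "-" and r["http_status"].startswith("2"):
            anonymous_success.append((r["remote_ip"], r["key"]))
        if r["http_status"] == "403":
            denied_by_ip[r["remote_ip"]] += 1
    return {
        "records": len(records),
        "anonymous_success": anonymous_success,
        "denied_by_ip": dict(denied_by_ip),
        "probing_ips": sorted(ip for ip, n in denied_by_ip.items() if n >= denied_threshold),
        "ops_by_requester": dict(ops_by_requester),
    }


if __name__ == "__main__":
    summary = analyze_access_log(SAMPLE_LOG)
    print("anonymous downloads:", summary["anonymous_success"])
    print("sources probing the bucket:", summary["probing_ips"])
```

The anonymous 200 on reports/q1.pdf is the finding that matters most: it proves the bucket served an object to an unauthenticated client, which is exactly the unrestricted access described in point 1. Server access logs are delivered to the target bucket with a delay, so this kind of check is a periodic job, not a real-time control.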
3. Malicious API requests
Because AWS is so widely used, many APIs are freely available along with their architecture and implementation details. Attackers can use this information to inject malicious code into an API to launch DDoS attacks, or use a compromised API for SQL injection.
Amazon CloudTrail gives users access to the complete history of API calls made to the account. These logs include the caller's IP address and date-time stamps. Once generated, they are stored in a pre-designated S3 bucket. Having CloudTrail enabled helps you detect AWS security risks by monitoring all API calls.
Amazon CloudTrail (Source: Amazon AWS)
4. Unfiltered traffic from untrusted sources
When traffic has unhindered access to AWS servers, attackers can gather information about the application to launch an attack. By limiting traffic to specific instances, we prevent attackers from gaining insight into the application.
Security groups behave like a firewall, allowing only specific traffic to reach an instance. An EC2 instance may have multiple security groups assigned to it, and their rules can be updated at any time; only the traffic those rules allow can reach the instance. The rules define the permitted sources by protocol, such as ICMP or TCP, along with destination ports. To avoid AWS security risks, only specific IP addresses or ranges should be allowed access.
5. Incorrect permission and privileges
Not all users need access to all folders and divisions of the application. For example, non-admin users do not require access to the control panel or admin files. Identity and Access Management (IAM) enables users to manage account access by setting up user accounts and permissions. IAM also allows the creation of user groups, which helps in assigning permissions collectively to users who belong to a certain group. While assigning permissions, you should understand the requirements and necessity of each set of permissions. Review all users who have higher access privileges and regularly update users' permissions based on their functions.
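Reviewing "who has higher access privileges" is a question about the policy documents attached to users directly and through their groups. The Python below is an added example, not the article's or Astra's code: it walks IAM policy documents in their real JSON shape (Statement, Effect, Action, Resource, each of which IAM allows as a scalar or a list) and reports the principals that hold wildcard grants. The user names, group names and policy documents are constructed for this example; the classification rules are this example's own and are deliberately conservative (conditioned statements are skipped rather than judged).

```python
# Added example (not from the article): find IAM users whose effective
# permissions are broader than a scoped set of actions. Users, groups and
# policy documents below are constructed for the example.

def _as_list(value):
    """IAM allows a scalar or a list for Statement, Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overly_broad(statement):
    """Return a reason string if an Allow statement is wildcard-broad, else None."""
    if statement.get("Effect") != "Allow" or "Condition" in statement:
        return None  # Deny statements and conditioned grants are left for manual review
    actions = [a.lower() for a in _as_list(statement.get("Action"))]
    resources = _as_list(statement.get("Resource"))
    on_everything = "*" in resources
    if "*" in actions and on_everything:
        return "full administrator access (Action * on Resource *)"
    if "iam:*" in actions:
        return "iam:* lets the principal grant itself any other permission"
    service_wide = [a for a in actions if a.endswith(":*")]
    if service_wide and on_everything:
        return f"service-wide wildcard {', '.join(service_wide)} on all resources"
    return None


def review_privileges(users, groups):
    """Map user name -> reasons; users whose policies are all scoped are omitted."""
    report = {}
    for name, user in users.items():
        reasons = []
        sources = [("inline", p) for p in user.get("policies", [])]
        for g in user.get("groups", []):
            sources += [(f"group {g}", p) for p in groups.get(g, [])]
        for origin, policy in sources:
            for stmt in _as_list(policy.get("Statement")):
                reason = overly_broad(stmt)
                if reason:
                    reasons.append(f"{origin}: {reason}")
        if reasons:
            report[name] = reasons
    return report


# Constructed policy documents in the IAM JSON format.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_ALL = {"Version": "2012-10-17",
          "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}
S3_READ_REPORTS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"],
}]}

GROUPS = {"admins": [ADMIN], "analysts": [S3_READ_REPORTS]}
USERS = {
    "alice": {"groups": ["admins"], "policies": []},
    "bob": {"groups": ["analysts"], "policies": [S3_ALL]},
    "carol": {"groups": ["analysts"], "policies": []},
}

if __name__ == "__main__":
    for user, reasons in review_privileges(USERS, GROUPS).items():
        print(user, "->", "; ".join(reasons))
```

On the sample, alice is reported through her group membership and bob through an inline policy, while carol, whose only policy is scoped to one bucket, does not appear. In a live account the same functions would be fed the documents returned by the IAM list/get policy calls; the point of the group handling is that a user with no inline policies can still be an administrator.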
6. Non-configured network access
Without a properly configured network, attacks such as DDoS can be launched from a group of IPs and quickly overwhelm a system. To prevent such attacks, you need to configure the network to deny traffic from suspicious sources. This also reduces the attack surface of an application by limiting traffic and controlling access.
A network ACL (NACL) is an additional layer of security that controls the traffic to and from a subnet. Like security groups, NACLs are set up with security rules. In a NACL, rules are evaluated in order of rule number: the first rule that matches a request is applied. To prevent AWS security risks, check whether any NACL rule allows all ports or all IP addresses. Such a rule makes the system vulnerable, so remove it and create new, restrictive rules for the appropriate ports or IPs.
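Points 4 and 6 both come down to reading rule sets, and the NACL one has a subtlety the paragraph above states but is easy to get wrong in practice: because rules are evaluated in rule-number order and the first match wins, an allow-all rule with a low number silently cancels every deny rule numbered after it. The Python below is an added example, not the article's or Astra's code: it flags security group rules open to the whole internet, flags allow-all NACL rules, simulates the NACL's first-match evaluation, and detects deny rules that can never fire. The rule dictionaries are a simplified shape of this example's own (the "-1" protocol value for "all protocols" is the real EC2 convention); the rule sets are constructed.

```python
import ipaddress

# Security groups: allow-only and stateful, any matching rule admits the traffic.
# Network ACLs: allow or deny, stateless, evaluated in ascending rule-number
# order, first match wins, with an implicit final deny.


def ports_cover(outer, inner):
    """True if port range `outer` contains `inner`; None means all ports."""
    if outer is None:
        return True
    if inner is None:
        return False
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def proto_covers(outer, inner):
    return outer == "-1" or outer == inner  # "-1" is the EC2 value for "all protocols"


def open_sg_rules(rules):
    """Flag inbound security group rules whose source is the whole internet."""
    findings = []
    for r in rules:
        if ipaddress.ip_network(r["cidr"]).prefixlen != 0:
            continue
        ports = "all ports" if r["ports"] is None else f"{r['ports'][0]}-{r['ports'][1]}"
        findings.append(f"{r['protocol']} {ports} open to {r['cidr']}")
    return findings


def nacl_decision(rules, protocol, port, source_ip):
    """Apply the NACL the way the VPC does: the lowest-numbered matching rule decides."""
    ip = ipaddress.ip_address(source_ip)
    for r in sorted(rules, key=lambda r: r["rule_number"]):
        if not proto_covers(r["protocol"], protocol):
            continue
        if not ports_cover(r["ports"], (port, port)):
            continue
        if ip not in ipaddress.ip_network(r["cidr"]):
            continue
        return r["action"]
    return "deny"  # the implicit final rule


def open_nacl_rules(rules):
    """Allow rules that admit every protocol and port from any address."""
    return [r["rule_number"] for r in rules
            if r["action"] == "allow" and r["protocol"] == "-1" and r["ports"] is None
            and ipaddress.ip_network(r["cidr"]).prefixlen == 0]


def shadowed_denies(rules):
    """Deny rules that can never fire because an earlier allow rule already covers them."""
    ordered = sorted(rules, key=lambda r: r["rule_number"])
    shadowed = []
    for i, d in enumerate(ordered):
        if d["action"] != "deny":
            continue
        d_net = ipaddress.ip_network(d["cidr"])
        for a in ordered[:i]:
            if (a["action"] == "allow" and proto_covers(a["protocol"], d["protocol"])
                    and ports_cover(a["ports"], d["ports"])
                    and d_net.subnet_of(ipaddress.ip_network(a["cidr"]))):
                shadowed.append(d["rule_number"])
                break
    return shadowed


# Constructed rule sets. WEAK_NACL has the mistake described above: rule 100
# allows everything, so the deny at 200 is evaluated too late to matter.
WEAK_SG = [
    {"protocol": "tcp", "ports": (22, 22), "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "ports": (5432, 5432), "cidr": "10.0.1.0/24"},
]
WEAK_NACL = [
    {"rule_number": 100, "protocol": "-1", "ports": None, "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule_number": 200, "protocol": "tcp", "ports": (22, 22), "cidr": "198.51.100.0/24", "action": "deny"},
]
FIXED_NACL = [
    {"rule_number": 100, "protocol": "tcp", "ports": (22, 22), "cidr": "198.51.100.0/24", "action": "deny"},
    {"rule_number": 110, "protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule_number": 120, "protocol": "tcp", "ports": (22, 22), "cidr": "203.0.113.0/24", "action": "allow"},
]

if __name__ == "__main__":
    print("open SG rules:", open_sg_rules(WEAK_SG))
    print("allow-all NACL rules:", open_nacl_rules(WEAK_NACL))
    print("shadowed denies:", shadowed_denies(WEAK_NACL))
    print("SSH from 198.51.100.5, weak NACL:", nacl_decision(WEAK_NACL, "tcp", 22, "198.51.100.5"))
    print("SSH from 198.51.100.5, fixed NACL:", nacl_decision(FIXED_NACL, "tcp", 22, "198.51.100.5"))
```

With WEAK_NACL, SSH from the range that rule 200 was meant to block is still allowed, and shadowed_denies points at rule 200 as the reason; FIXED_NACL puts the deny first and replaces the allow-all with two narrow allows, so everything not explicitly admitted falls through to the implicit deny. Port 443 open to 0.0.0.0/0 is expected on a public web tier, so the security group finding is a review prompt rather than a verdict.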
7. Login and credential theft
Many cyber-attacks on cloud services are based on credential theft. Credentials are a gold mine for hackers, allowing them to take over an account completely. The attacks suffered by companies such as Code Spaces and Timehop are examples of how much damage credential theft can do. There are several ways to protect your account and data:
- Two-factor or multi-factor authentication can protect accounts in case credentials are stolen
- Continuous monitoring for anonymous logins
- Generate and store logs at host level
- You can use services such as AWS Secrets Manager to rotate login credentials
AWS Secrets Manager (Source: AWS Documentation)
8. Vulnerable multi-tenant cloud infrastructure
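Point 3 (monitoring API calls with CloudTrail) and the "continuous monitoring for logins" item in point 7 are served by the same data source, since console logins are themselves CloudTrail events. The Python below is an added example, not the article's or Astra's code: it reads CloudTrail records using the real field names (eventName, eventSource, sourceIPAddress, userIdentity, responseElements.ConsoleLogin, additionalEventData.MFAUsed, errorCode) and reports repeated failed logins, successful logins without MFA, API calls from outside a trusted network, and access-denied errors. The trusted range, the records in SAMPLE_TRAIL and the threshold of three failures are constructed for this example.

```python
import ipaddress
from collections import Counter

# Assumed corporate egress range (constructed): activity from anywhere else
# is worth a second look.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def _login(time, user, ip, outcome, mfa):
    """Build a constructed ConsoleLogin record in CloudTrail's field layout."""
    rec = {"eventTime": time, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
           "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "userName": user},
           "responseElements": {"ConsoleLogin": outcome}, "additionalEventData": {"MFAUsed": mfa}}
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec


def _api(time, user, ip, source, name, error=None):
    """Build a constructed API-call record; errorCode is present only on failures."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": user}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed trail: alice works from the trusted range with MFA; bob's account
# is logged into from elsewhere after three failures, without MFA, and then
# tries to change a bucket ACL.
SAMPLE_TRAIL = {"Records": [
    _login("2019-02-06T08:00:00Z", "alice", "203.0.113.10", "Success", "Yes"),
    _login("2019-02-06T08:05:01Z", "bob", "198.51.100.20", "Failure", "No"),
    _login("2019-02-06T08:05:09Z", "bob", "198.51.100.20", "Failure", "No"),
    _login("2019-02-06T08:05:20Z", "bob", "198.51.100.20", "Failure", "No"),
    _login("2019-02-06T08:06:02Z", "bob", "198.51.100.20", "Success", "No"),
    _api("2019-02-06T08:06:30Z", "bob", "198.51.100.20", "s3.amazonaws.com", "ListBuckets"),
    _api("2019-02-06T08:06:45Z", "bob", "198.51.100.20", "s3.amazonaws.com", "PutBucketAcl", "AccessDenied"),
    _api("2019-02-06T08:10:00Z", "alice", "203.0.113.10", "ec2.amazonaws.com", "DescribeInstances"),
]}


def _trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # calls made by AWS services carry a DNS name here, not an IP
    return any(ip in net for net in TRUSTED_NETWORKS)


def _actor(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def analyze_trail(trail, failure_threshold=3):
    """Return the four signals a defender wants out of a batch of CloudTrail records."""
    failed_logins = Counter()
    logins_without_mfa = []
    untrusted_calls = Counter()
    access_denied = []
    for rec in trail["Records"]:
        actor, ip, name = _actor(rec), rec.get("sourceIPAddress", ""), rec["eventName"]
        if name == "ConsoleLogin":
            outcome = rec.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failed_logins[(actor, ip)] += 1
            elif outcome == "Success" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                logins_without_mfa.append((actor, ip))
            continue
        if not _trusted(ip):
            untrusted_calls[(actor, ip)] += 1
        err = rec.get("errorCode", "")
        if "AccessDenied" in err or "Unauthorized" in err:
            access_denied.append((actor, name))
    return {
        "repeated_login_failures": sorted(k for k, n in failed_logins.items() if n >= failure_threshold),
        "logins_without_mfa": logins_without_mfa,
        "untrusted_calls": dict(untrusted_calls),
        "access_denied": access_denied,
    }


if __name__ == "__main__":
    for key, value in analyze_trail(SAMPLE_TRAIL).items():
        print(f"{key}: {value}")
```

On the sample every signal points at the same (user, IP) pair, which is the shape a credential-theft incident usually has in the trail: failures, then a success without MFA, then discovery calls, then a denied attempt to widen access. In a real account the MFA finding is best prevented rather than detected, by an IAM condition on aws:MultiFactorAuthPresent, with this kind of query as the check that the condition is actually in force.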
The notion that multi-tenant systems carry more AWS security risks is not accurate. Rather, the security of your own system and infrastructure determines the level of security. AWS has adopted several measures to ensure proper partitioning of data between users and to ensure that there are no data leaks in multi-tenant systems. Still, users can take additional precautions in the areas listed below:
- System access and users
- Control panel for infrastructure
- Runtime and services
- Vulnerability and patching management
As more and more companies move towards cloud-based systems, AWS security risks continue to rise. Security breaches and cyberattacks can have an immense impact on financial and brand value. To ensure that your cloud services are completely secure, you will require an exhaustive AWS security audit that can detect security gaps and provide a comprehensive repair plan and guidance. We at Astra have such a vulnerability scanner and audit system with more than 1,250 tests, built by a team of security experts with extensive experience. From network systems to business logic, Astra's tool scans all avenues of your system and provides a detailed dashboard for an in-depth understanding of your security standards.