How to Avoid Common Configuration Mistakes in the AWS Security Ecosystem
Erik Rush | May 24, 2021
There’s little doubt that the vast array of features and functions within the Amazon Web Services (AWS) ecosystem helps to make this public cloud platform attractive compared to its competition. Its complexity, however, can lead to human oversights and mistakes, which in turn can lead to potentially destructive cybersecurity issues.
While one misconfiguration may seem like no big deal, such missteps can lead to disastrous consequences. The global research and advisory firm Gartner predicts that by 2025, 99% of cloud security failures will have resulted from human error. Compromised information can lead to:
- Service interruptions
- Loss of business
- Costly data breaches
- Potential non-compliance fines and penalties
Regardless of the size and type of an organization, information security personnel should know how to prevent and mitigate security vulnerabilities within their public cloud environment. Most commonly, these issues fall into the categories of permissions and encryption, failure to log access data, and overly broad IP address access. Many of these configuration problems fall under the heading of permissions or encryption, which is addressed here.
This category encompasses four areas:
- S3 Bucket Permissions
Simple Storage Service (S3) allows AWS users to store and retrieve data reliably and inexpensively. By default, S3 buckets are private, but administrators can choose to make a bucket public. Should private content get uploaded to that public bucket, however, it is exposed along with everything else in it. Buckets with permissions granted to “Everyone” should be reviewed immediately, since anonymous access can lead to stolen or compromised data.
- Direct Permissions
Identity and Access Management (IAM) allows AWS users to control access to their account by creating and managing AWS users and permissions. IAM also allows for the creation of groups; permissions can be granted to a group, and any user that belongs to that group is granted those permissions by default. The key is to ensure that no user carries their own unique set of permissions: any user that does should have those direct permissions revoked and be added to an appropriate group instead.
- Public AMIs
Amazon Machine Images (AMIs) contain the data necessary to launch an Amazon Elastic Compute Cloud (EC2) instance. These are essentially templates containing the software configuration that will be used with the launched instance. AWS users can create their own AMIs, utilize public AMIs, and purchase custom AMIs. When a user creates an AMI, they have the option of making the AMI public, sharing it with specific AWS accounts, or making it private. Public AMIs can be launched by all AWS accounts, but since AMIs often contain proprietary or sensitive data, it is recommended that they always be set to private.
- Lack of Encryption
Nearly all AWS user traffic should be encrypted, and this is even more important for sensitive financial and healthcare data. The performance cost of encrypting and decrypting data is negligible, and it builds trust among users. Finally, data at rest in storage arrays should be protected as well. Organizations need to ensure that there are no weak links in this chain when it comes to securing sensitive data.
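The S3 “Everyone” grants and IAM direct-permission checks described above can be automated. The following is an added example, not code from the article or from Order of the Cipher: it takes dicts shaped like the boto3 responses for get_bucket_acl, get_bucket_policy and the per-user IAM policy listings (the real group URIs are AWS’s; the sample account data is constructed) and returns the findings a reviewer would act on.

```python
import json

# Real S3 canned-ACL group URIs: grants to these are what the article calls "Everyone".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def public_acl_grants(acl):
    """(group, permission) pairs from a get_bucket_acl-shaped dict that open the bucket to everyone."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits

def _principal_is_anyone(principal):
    # Principal may be the string "*" or {"AWS": "*"} / {"AWS": [..., "*"]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy_json):
    """Sids of Allow statements for an anonymous principal with no Condition. Simplification:
    any Condition is treated as restricting; AWS's own 'public' test is finer-grained."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s.get("Sid", f"#{i}") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))
            and not s.get("Condition")]

def users_with_direct_permissions(users):
    """users: IAM user name -> merged list_attached_user_policies / list_user_policies output."""
    return sorted(n for n, u in users.items() if u.get("AttachedPolicies") or u.get("PolicyNames"))

# Constructed sample data (not from a real account); IDs, names and addresses are placeholders.
SAMPLE_ACL = {"Owner": {"ID": "owner-id-placeholder"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})
SAMPLE_USERS = {"alice": {"AttachedPolicies": [], "PolicyNames": []},
                "bob": {"AttachedPolicies": [{"PolicyName": "AdministratorAccess"}], "PolicyNames": []}}
```

Against the sample data this reports the AllUsers READ grant, the PublicRead statement, and user bob as holding permissions directly; in a real account, feed it the dicts boto3 returns for each bucket and user.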
AWS has the capacity to do a great deal for its customers, but it is also a complex platform. Even the most adept cloud technicians and largest information security teams should be aware of the security vulnerabilities that can result from improper configurations and permissions within the AWS ecosystem.
Order of the Cipher is an Amazon Web Services (AWS) training company and a novel approach to cybersecurity training that combines theatrical presentation with proven teaching techniques. We’ve mastered Amazon Web Services, and we’ve perfected how to showcase the versatility and capability of AWS technology in a manner that provides real-world immersion experiences that prepare students to expertly navigate the AWS ecosystem.