5 Common Cloud Security Misconfigurations for AWS

by Sarah Harvey / April 15th, 2020

Security incidents caused by misconfigurations in the cloud happen every single day. In fact, DivvyCloud reports that over the last two years, 33 billion records have been exposed because enterprises struggle to implement proper cloud security. When you take that number and consider Ponemon’s research, which estimates the average cost per compromised record is $150, that means cloud security misconfigurations have cost companies worldwide nearly $5 trillion since 2018.

Misconfigurations in AWS can have serious consequences, but they’re completely avoidable when you have the right resources to guide you. Let’s discuss five misconfigurations that our auditors see over and over again in AWS environments: IAM policy errors, incorrect security group attachments, deployment pipeline misconfigurations, backup storage location misconfigurations, and S3 bucket misconfigurations.

IAM Policy Errors

IAM is one of the most complex architectures within AWS. IAM controls who has access to which resource, so it’s an incredibly important aspect of cloud security. Common IAM misconfigurations include:

  • Lack of MFA
  • Not following password best practices
  • Keeping unused credentials instead of disabling them
  • Not understanding role assumption or how it’s logged
  • Attaching IAM policies to users instead of groups or roles
  • Not rotating keys every 90 days
  • EC2 instances that do not have proper access to resources
  • Granting all privileges to all users instead of applying the concept of least privilege
  • Resource-based policies that are not attached to a defined resource
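
Three of the items above (missing MFA, unused credentials, and keys older than 90 days) can be checked from an IAM credential report. The following is an added example, not KirkpatrickPrice's own tooling: it audits a constructed CSV that uses a subset of the credential report's columns, and the 90-day idle threshold for "unused" is an assumption, since the list gives no number for it.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report
# (a subset of the real report's columns; users and dates are made up).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,true,2020-04-10T09:00:00+00:00,true,true,2020-03-01T00:00:00+00:00,2020-04-14T00:00:00+00:00
bob,true,2020-04-12T09:00:00+00:00,false,false,N/A,N/A
carol,true,2019-11-01T09:00:00+00:00,true,true,2019-10-01T00:00:00+00:00,2019-12-20T00:00:00+00:00
ci-deploy,false,N/A,false,true,2019-06-01T00:00:00+00:00,2020-04-14T00:00:00+00:00
"""

MAX_KEY_AGE_DAYS = 90  # rotation interval named in the list above
MAX_IDLE_DAYS = 90     # assumed threshold for "unused"; the page gives none

def _age_days(value, now):
    """Days since an ISO 8601 timestamp, or None for N/A / no_information."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None

def audit(report_csv, now):
    """Return (user, issue) pairs for MFA, idle-credential and key-age findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            idle = _age_days(row["password_last_used"], now)
            if idle is None or idle > MAX_IDLE_DAYS:
                findings.append((user, "console password unused"))
        if row["access_key_1_active"] == "true":
            age = _age_days(row["access_key_1_last_rotated"], now)
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append((user, "access key older than 90 days"))
            idle = _age_days(row["access_key_1_last_used_date"], now)
            if idle is None or idle > MAX_IDLE_DAYS:
                findings.append((user, "active access key unused"))
    return findings

if __name__ == "__main__":
    for user, issue in audit(SAMPLE_REPORT, datetime(2020, 4, 15, tzinfo=timezone.utc)):
        print(f"{user}: {issue}")
```

A real report also carries `access_key_2_*` columns, which need the same checks as the first key.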

Incorrect Security Group Attachments

Do you attach the appropriate AWS security groups to the correct EC2 instances? Security groups function like a firewall, filtering inbound and outbound traffic based on rules.

Our auditors often see incorrect security group attachments, especially when default security groups are involved. To avoid this common AWS misconfiguration, you must fully understand security groups.

Deployment Pipeline Misconfigurations

In the DevOps model, you live and die by your deployment pipeline. When your developers aren’t aligned with security standards or your CI/CD pipeline isn’t implemented and secured properly, it can lead to critical consequences.

Backup Storage Location Misconfigurations

We find that people often forget about the security of their backups. Knowing where your backups are going and what security policies you have in place is critical. Let’s say you have a backup storage bucket – are you checking policies on that bucket? Does the organization’s encryption policy extend to backups? Questions like these need to be asked to appropriately secure backups.

S3 Bucket Misconfigurations

Symantec reports that in 2018, more than 70 million records were stolen or leaked from S3 buckets as a result of poor configuration. AWS says that the top five S3 security concerns are:

  • Public access to S3 buckets
  • Not utilizing server-side encryption with S3-managed encryption keys
  • Not encrypting inbound and outbound S3 data traffic
  • No familiarity with how S3 versioning works or S3 lifecycle policies
  • No use or analysis of S3 access logging

Why We Chose These Misconfigurations

In the AWS Shared Responsibility Model, AWS is responsible for security “of” the cloud and customers are responsible for security “in” the cloud. AWS considers configuration management a shared control, explaining, “AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.” This means you, as the AWS customer, cannot depend on AWS’ security practices alone when it comes to configuration. You can avoid the consequences of misconfigurations when you properly understand and configure IAM, security groups, deployment pipelines, backups, and S3 buckets.

At KirkpatrickPrice, we’ve created a framework for cloud security audits based on the CIS Benchmark and other industry standards. We hire technologists, then train them to be auditors – and this increases the value and quality of our AWS audits. Contact us today to begin testing your cloud security measures and discover if your AWS environment has any of these common misconfigurations.
