We've all read about AWS security issues, but is the cloud actually insecure, or does the problem lie in the way it is being used? The evidence implies the latter. So, what can be done to prevent AWS security issues attributable to human error, malicious insiders, mismanagement, or a lack of knowledge?
Most recent high-profile data breaches share a common theme: AWS security issues. In some of the biggest stories reported in the last twelve months, AWS security issues have been responsible for the theft of 57 million personnel records from Uber, the exposure of 14 million Verizon customer accounts, the discovery of almost 40,000 passwords used by Accenture clients, and a 100GB leak of sensitive, classified data belonging to U.S. Intelligence and Security Command (INSCOM).
However, in none of these cases was Amazon Web Services (AWS) at fault. The Uber data breach was attributable to a lack of security practices, while the other three incidents were due to the improper configuration of S3 storage buckets so they could be accessed by anybody with knowledge of their URLs. Verizon, Accenture, and INSCOM are not unique in experiencing AWS security issues due to human error. Research has shown that 7 percent of all S3 storage buckets have unrestricted public access.
Other types of AWS security issues
The improper configuration of S3 storage buckets often attracts the headlines because of the volume of records accessed and the nature of their content, but there are many other types of AWS security issues attributable to human error, malicious insiders, mismanagement, or a lack of knowledge. These include (but are not limited to):
- Unencrypted data (reportedly 35 percent of data stored in S3 buckets is unencrypted).
- Loose security group policies that fail to set granular permissions on a per-user basis.
- Insufficient identity, credential, and access management.
- Application vulnerabilities at risk of being exploited by bots.
- Insecure user interfaces (UIs) and application programming interfaces (APIs).
The issues caused by these errors can often be exacerbated by the failure to properly configure CloudTrail or enable logging on S3 buckets. Although log files won't prevent the issues from occurring, they can reveal details such as dates, times, and IP addresses that can help businesses investigate cases of unauthorized access and patch gaps in their security.
The difficulty with patching security gaps (and the solution)
Fortunately, there are shortcuts to patching some security gaps. You can retrospectively encrypt the content of S3 buckets that do not have encryption enabled by default and use the AWS Config capability to ensure logging is enabled on all S3 buckets. However, the difficulty in patching security gaps to prevent AWS security issues is finding all the gaps to patch, and then preventing new gaps from appearing due to human error, malicious insiders, mismanagement, or a lack of knowledge.
The solution is to have your AWS infrastructure undergo a CloudHealth Health Check and then receive recommended actions based on AWS best practices. A Health Check is not only a practical way to expose vulnerabilities that may result in AWS security issues, but also a means of identifying cloud waste due to underutilized assets and zombie resources. The Health Check will also result in personalized and actionable recommendations for improving your cloud governance.
How automation can prevent AWS security issues
The automation process consists of creating and applying policies in order to prevent the errors that cause AWS security issues and alert you to activity on your accounts that may indicate the presence of a malicious insider. A typical selection of security policies might include:
- Revoke access when an IAM User Access key has not been rotated in 90 days.
- Send an alert if any IAM user or root account has MFA disabled.
- Terminate EC2 instances with unauthorized open ports.
- Encrypt any unencrypted S3 bucket with tag Function: PII.
- Send an alert if CloudTrail logs are not integrated with CloudWatch logs.
- Revoke access when an IAM user logs in from an unrecognized IP address.
- Terminate instances launched outside regular working hours.
- Disable access to accounts not complying with password policies.
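As an added illustration (not code from this article or from any vendor's product), the sketch below shows the detection half of the first two policies in the list: it reads a CSV in the column layout of an IAM credential report and flags active access keys not rotated in 90 days and root or console users with MFA disabled. The sample rows, the `evaluate` function name, and the finding labels are constructed for the example; revoking access or sending the alert is left to whatever enforcement tooling you use.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # rotation threshold from the policy list above

# Constructed sample rows using a subset of the IAM credential report columns.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,false,false,N/A,false,N/A
alice,true,true,true,2024-01-10T09:00:00+00:00,false,N/A
bob,true,false,true,2024-05-20T09:00:00+00:00,true,2023-11-01T09:00:00+00:00
ci-deploy,false,false,true,2024-05-01T09:00:00+00:00,false,N/A
"""

def evaluate(report_csv, now):
    """Return sorted (user, finding) tuples for the MFA and key-rotation policies."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # MFA policy: root always counts; other users only if they have a console password.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "mfa_disabled"))
        # Rotation policy: check both key slots and skip inactive or absent keys.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = row[f"access_key_{slot}_last_rotated"]
            if rotated in ("N/A", ""):
                continue
            age = (now - datetime.fromisoformat(rotated)).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append((user, f"access_key_{slot}_stale_{age}d"))
    return sorted(findings)

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for user, finding in evaluate(SAMPLE_REPORT, now):
        print(f"{user}: {finding}")
```

Note that the service account `ci-deploy` is not flagged for MFA because it has no console password, while `bob` is flagged twice: once for MFA and once for a stale second key that a check of only the first key slot would miss.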
Automation can also be used to enforce financial management policies, cost optimization policies, performance management policies, and asset configuration management policies in order to keep your business's cloud costs under control and optimize performance.