Widespread AWS Misconfiguration Opens Cloud Environments to Attack

When it comes to securing services in the cloud, misconfigurations are a scourge: wide-open SSH and infrequent software updates plague cloud-based environments.

In an analysis by Threat Stack, nearly two-thirds of the companies analyzed were found to have at least one critical security misconfiguration. Threat Stack deems a configuration lapse critical when it enables an attacker to gain direct access to private services or to the Amazon Web Services console, or when it could be used to hide criminal activity from monitoring technologies.

Among the most egregious issues found were AWS Security Groups configured to leave SSH wide open to the internet in 73% of the companies analyzed. This simple configuration error allows an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. In fact, Threat Stack observed SSH traffic from the internet using the root account, which could have severe security repercussions.

Additionally, the well-recognized best practice of requiring multi-factor authentication for AWS users was not being followed by 62% of companies analyzed, making brute-force attacks that much simpler. Even AWS-native security services, such as CloudTrail, were not being deployed universally (27%) across all regions.
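The three gaps the report names (SSH reachable from the whole internet, IAM users without MFA, and CloudTrail not covering every region) can be checked from inventory data. The following audit is an added example, not Threat Stack's tooling: it runs over a constructed inventory shaped after the boto3 `describe_security_groups`, `list_users`, `list_mfa_devices` and `describe_trails` responses, so it works offline; wire it to real API output to audit an account.

```python
"""Audit a constructed AWS inventory for the gaps the Threat Stack report names."""
from ipaddress import ip_network

def rule_covers_port(rule, port):
    """True when an ingress rule permits TCP traffic to `port` (or all traffic)."""
    if rule.get("IpProtocol") == "-1":            # all protocols, all ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def world_open_ssh(security_groups, port=22):
    """Return ids of groups where SSH is reachable from any IPv4 or IPv6 address."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            # A /0 prefix (0.0.0.0/0 or ::/0) means "the whole internet".
            if rule_covers_port(rule, port) and any(
                    ip_network(c).prefixlen == 0 for c in cidrs):
                findings.append(sg["GroupId"])
                break
    return findings

def users_without_mfa(users, mfa_devices):
    """IAM user names with no MFA device assigned."""
    covered = {d["UserName"] for d in mfa_devices}
    return [u["UserName"] for u in users if u["UserName"] not in covered]

def trail_covers_all_regions(trails):
    """True if at least one CloudTrail trail records events from every region."""
    return any(t.get("IsMultiRegionTrail") for t in trails)

# Constructed sample inventory (not real account data).
SAMPLE_SGS = [
    {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
     "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-vpn", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
     "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_USERS = [{"UserName": "alice"}, {"UserName": "bob"}]
SAMPLE_MFA = [{"UserName": "alice", "SerialNumber": "arn:aws:iam::000000000000:mfa/alice"}]
SAMPLE_TRAILS = [{"Name": "main", "IsMultiRegionTrail": False}]

if __name__ == "__main__":
    print("SSH open to the world:", world_open_ssh(SAMPLE_SGS))
    print("Users lacking MFA:", users_without_mfa(SAMPLE_USERS, SAMPLE_MFA))
    print("CloudTrail covers all regions:", trail_covers_all_regions(SAMPLE_TRAILS))
```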

“The most surprising part of these findings is that, for all the money that sophisticated enterprises spend on advanced security, a majority aren’t even taking full advantage of the basic security tools available to them as AWS users,” said Sam Bisbee, CTO, Threat Stack. “Despite years of education from AWS and their technology partners in the industry, not to mention the prevalence of automated security checks, a majority of users are still not configuring their cloud environments securely. Hopefully, this data will serve as a wakeup call.”

While these configuration lapses are relatively simple to fix, Threat Stack also identified a more complex concern. Data collected going back to September 2016 showed that fewer than 13% of the companies analyzed were keeping software updates current. In addition, despite the “spin up/down” intrigue of the cloud, the majority of those unpatched systems are kept online indefinitely, some for more than three years. Combined with the AWS misconfigurations and weak remote administration, it becomes clear that companies need to focus on fundamental hygiene immediately.

“Despite the widespread proliferation of, and investment in, advanced security tools for cloud environments, a big majority of companies continue to make themselves vulnerable simply because their AWS settings are misconfigured,” said a Threat Stack spokesperson. “This is a big, and largely unexplored, area of AWS security that any cloud-based or hybrid company should be aware of.”
