10 AWS Security Issues and How They Can be Addressed

By Stephen Wilding

AWS is a leading cloud platform that offers many cloud services. Whilst AWS provides robust security features natively, some of them enabled by default, misconfiguration can still occur and can lead to vulnerabilities. In this article I dive into 10 common AWS security issues and explain how each can be mitigated.


1. Overly Permissive IAM Policies

Misconfigured Identity and Access Management (IAM) policies are a primary source of security risk in AWS. A very common action I see is to simply grant the "Administrator" policy to user accounts rather than a more restrictive policy. Since the Administrator policy has full access to almost every service, a malicious actor who gains access to such an account could cause a great deal of damage.

Solution:

  • Implement the principle of least privilege.
  • Regularly review IAM policies and use IAM Access Analyzer to identify risks.

2. Insecure AWS Access Keys

AWS access keys are used to access AWS resources, usually either from the command line or from automation (e.g. tooling). However, they pose a significant security risk if an attacker gains access to them, as the attacker could impersonate the access key owner, inheriting their AWS policies and causing damage. Hardcoding AWS access keys in code, or sharing them inadvertently, exposes environments to this type of unauthorised access.

Solution:

  • Avoid the use of permanent access keys, if possible, by using AWS roles to access resources.
  • Never assign access keys to the root account.
  • Rotate permanent access keys regularly, if used.
  • Avoid embedding keys in code; use AWS Secrets Manager or AWS Systems Manager Parameter Store instead and enable automatic rotation if possible.

3. Weak Password Policies

In order to prevent successful brute force attacks against your AWS users it is important to ensure that you have an adequate method of managing passwords.

Solution:

  • Use IAM federation and consider using a "passwordless" method of authentication.
  • Set up an AWS IAM password policy that conforms to current recommended standards.
  • Set a long password for the root account and do not store it anywhere.

4. Inadequate S3 Bucket Security

S3 has many security features, some of which are now enabled by default. However, poorly configured S3 buckets are a very common cause of data breaches, so it is vital that their configuration is reviewed regularly to avoid undue risk.

Solution:

  • Ensure S3 Block Public Access is enabled to ensure buckets aren't exposed.
  • If S3 bucket policies or Access Control Lists (ACLs) are used, ensure that they are restrictive and follow least privilege.
  • Regularly review S3 Bucket policies.
  • Use tools such as AWS Macie to monitor and alert on sensitive data stored in S3, such as Personally Identifiable Information (PII).

5. Lack of Monitoring and Logging

Without proper monitoring, malicious activity or misconfigurations can go undetected. A lack of logging hinders incident investigation and prevents remediation of unknown issues.

Solution:

  • Enable AWS CloudTrail to log all API activities.
  • Enable AWS Config to log changes to resources.
  • Enable GuardDuty monitoring for threat and vulnerability detection.
  • Implement VPC Flow Logs for network traffic monitoring.
  • Use Amazon CloudWatch for real-time monitoring and alerting.
  • Use AWS Security Hub to gain a centralised view of security issues.
  • Send all logs to a centralised logging AWS account and a Security Information and Event Management (SIEM) system.
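An added example, not from the original article: the detection logic below runs over a few constructed CloudTrail-style records and returns the events a SIEM rule for this section would typically alert on (logging being switched off, root account use, console logins without MFA, and calls that widen exposure). Field and event names follow the CloudTrail record format; the sample records, user names and IP addresses are constructed.

```python
# Constructed CloudTrail-style records (not from a real account), trimmed to the
# fields the detections below use.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:12:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T09:15:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T09:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2024-05-01T09:25:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "AssumedRole", "userName": "app"},
     "sourceIPAddress": "10.0.1.5"},
]

# API calls that weaken logging: worth an alert in almost any account.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# API calls that can widen exposure of data or network access.
EXPOSURE_CHANGES = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                    "DeletePublicAccessBlock", "AuthorizeSecurityGroupIngress"}


def detect(events):
    """Return (eventTime, eventName, reason) tuples for events that should raise an alert."""
    alerts = []
    for ev in events:
        name = ev.get("eventName", "")
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        if name in LOGGING_TAMPER:
            alerts.append((ev["eventTime"], name, f"logging tampered with by {who}"))
        if ident.get("type") == "Root":
            alerts.append((ev["eventTime"], name, "root account used"))
        mfa_used = ev.get("additionalEventData", {}).get("MFAUsed")
        login_result = ev.get("responseElements", {}).get("ConsoleLogin")
        if name == "ConsoleLogin" and mfa_used == "No" and login_result == "Success":
            alerts.append((ev["eventTime"], name, f"console login without MFA by {who}"))
        if name in EXPOSURE_CHANGES:
            alerts.append((ev["eventTime"], name, f"exposure-changing call by {who}"))
    return alerts
```

In practice the records come from the CloudTrail log files delivered to S3 (each file is a JSON object whose `Records` array holds events of this shape), or from the same events forwarded to the SIEM.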

6. Poorly Configured Network Security

A misconfigured network is a very common issue, from insecure VPCs to unrestricted security groups. These issues can overly expose your systems, leading to a risk of unauthorised access, DDoS and brute-force attacks.

Solution:

  • Configure VPCs correctly using subnetting in a layered model. Ensure, where possible, that AWS resources are placed in private subnets and only endpoints (such as load balancers and NAT gateways) are placed in public subnets.
  • Define strict inbound and outbound rules in security groups in order to limit traffic access.
  • Use Web Application Firewall (WAF) to protect against common web attacks.
  • Use CloudFront, if possible, to help protect against Denial of Service (DoS) attacks.
  • Enable GuardDuty monitoring for threat and vulnerability detection.
  • Ensure RDS database public access is disabled.
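An added example, not from the original article, for the security group point above: the check below walks the JSON shape returned by `aws ec2 describe-security-groups` (constructed sample data, not a real account) and flags any ingress rule reachable from 0.0.0.0/0 or ::/0 other than a single allowed endpoint port. The allow list of 80 and 443 is an assumption for a public load balancer; adjust it to your own edge.

```python
# Constructed output in the shape returned by `aws ec2 describe-security-groups`
# (not from a real account), trimmed to the fields used below.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-alb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

# Ports a public-facing endpoint (load balancer, CloudFront origin) may expose: assumed.
ALLOWED_PUBLIC_PORTS = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _port_range(perm):
    """Protocol "-1" means all traffic (no From/ToPort); otherwise use the rule's range."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def _open_to_world(perm):
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    ranges = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    ranges += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(cidr in ANYWHERE for cidr in ranges)


def find_exposed_rules(groups):
    """Return (GroupId, from_port, to_port) for world-reachable ingress outside the allow list."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            lo, hi = _port_range(perm)
            # A single allowed port open to the world is expected for an endpoint;
            # anything wider, or on another port (databases, SSH, RDP), is flagged.
            if lo == hi and lo in ALLOWED_PUBLIC_PORTS:
                continue
            findings.append((group["GroupId"], lo, hi))
    return findings
```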

7. Ignoring Patching and Updates

Although many AWS services are fully managed, resources such as EC2 instances still need active maintenance in order to avoid undue risk. Failing to patch operating systems, applications or AWS services can leave your infrastructure vulnerable to exploits.

Solution:

  • Automate patch management with AWS Systems Manager Patch Manager.
  • Regularly update Amazon Machine Images (AMIs) to the latest versions.
  • Enable automatic updates where applicable for managed services (e.g. RDS/Elastic Beanstalk).
  • Regularly update Lambda function libraries and code versions.
  • Enable AWS Inspector to detect vulnerabilities on EC2 instances, Lambda functions and container images.

8. Not applying Encryption

In order to protect the integrity and confidentiality of data stored within AWS, it is important that the appropriate levels of encryption are applied to both data at rest and data in transit.

Solution:

  • Enable server-side encryption for S3 buckets and database services like RDS.
  • Enable encryption on EBS volumes attached to EC2 instances.
  • Enable encryption on AWS managed services such as DynamoDB, EFS, SNS, SQS.
  • Use AWS Key Management Service (KMS) to manage encryption keys.
  • Implement TLS for data in transit.

9. Lack of Multi-Factor Authentication (MFA)

Accounts without MFA are more susceptible to unauthorised access due to stolen credentials.

Solution:

  • Enforce MFA for all IAM accounts that log in via the console.
  • Use hardware MFA devices for additional security.
  • Combine MFA with conditional access policies (such as requiring MFA in order to delete an object in an S3 bucket).
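An added example, not from the original article, covering the access-key points of section 2 and the MFA point of this section: the function below reviews a constructed IAM credential report (the CSV that `aws iam get-credential-report` returns once base64-decoded, trimmed to the columns used) and flags root access keys, keys older than a 90-day rotation window (an assumed threshold) and console users without MFA. The user names, account ID and reference date are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed IAM credential report (same column names and value conventions as the
# real report: "true"/"false", ISO 8601 timestamps, "N/A", "not_supported"), trimmed to
# the columns used below. Not from a real account.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2023-01-10T08:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-04-20T08:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2023-11-01T08:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2024-02-01T08:00:00+00:00,true,2023-06-01T08:00:00+00:00
"""

MAX_KEY_AGE = timedelta(days=90)                       # assumed rotation window
REFERENCE_NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed "today" for the sample


def review_credential_report(report_csv, now=None):
    """Return findings for root keys, stale access keys and console users without MFA."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # Root should never have access keys at all, regardless of age.
                findings.append(f"{user}: active access key {slot} on the root account")
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age = now - rotated
            if age > MAX_KEY_AGE:
                findings.append(f"{user}: access key {slot} not rotated for {age.days} days")
        # Anyone who can log in to the console needs MFA; root is checked regardless
        # of password_enabled, which the report marks "not_supported" for root.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append(f"{user}: console access without MFA")
    return findings
```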

10. Inadequate Security Automation

Having security automation in place is crucial in order to detect and respond to security events efficiently. Manual checks are prone to error and will not necessarily catch issues in a timely fashion.

Solution:

  • Use Security Hub or AWS Config for compliance posture management, detection and response.
  • Set up AWS Lambda functions for automated responses to security events.
  • Leverage AWS Trusted Advisor for continuous best practice recommendations.

Final Thoughts

As part of the "Shared Responsibility Model", AWS secures much of the infrastructure itself, but the rest remains the responsibility of the end user. Although AWS provides powerful tools to secure your cloud environment, you must know how to configure them and, more importantly, how to act when security issues arise.

Here at Hydras we are specialists in configuring and managing security tooling within the AWS cloud. Our range of services will ensure your systems are secure and remain secure after initial configuration. If you need help securing and managing your AWS environment, give us a shout.

About Hydras

Hydras are a digital & cloud transformation consultancy specialising in cloud security. We work with organisations like yours to ensure your systems and data are secure and your technical teams consist of the right people and skills. Contact us for help with your AWS projects. We'd love to work with you.
