Vulnerability management of digital assets begins with strong Security By Design principles that ensure vulnerabilities are not introduced into the system in the first place. An increasing number of businesses are looking to achieve agility and acceleration by hosting in AWS. However, many do not have adequate expertise or understanding of critical security concepts, which leads to vulnerabilities being introduced into the system. Some of the top vulnerabilities we have seen are described in this blog post.
Lack of Boundary Protection
AWS Security Groups are often mistaken for firewalls, and as a result internet-facing web applications are often vulnerable to Layer 7 attacks. AWS Security Groups provide network-level protection and help ensure that the flow of network traffic is controlled by port and IP address. Boundary protection through next generation firewalls provides a broader range of protections, including defence against DDoS, XSS, and malware attacks amongst others. Selecting a cloud-friendly firewall should be a critical part of the solution architecture. The AWS Marketplace offers a rich selection of AWS-friendly solutions such as the Palo Alto Networks VM-Series Next Generation Firewall.
Misconfiguration of AWS Services
AWS provides a powerful policy-driven security framework that many organizations don’t fully understand; this is one of the top reasons vulnerabilities are introduced into the system. stackArmor ThreatAlert is a vulnerability scanner designed to help detect such misconfigurations. The table below shows the results of a recent scan performed by stackArmor’s Security and Compliance team for a Financial Services and Payroll SaaS Provider getting ready for a SOC 2 assessment.
| AWS Cloud Component | AWS Service Item | Severity Score | Finding | stackArmor Comment |
|---|---|---|---|---|
| policy | PowerUserAccess | 10 | Managed Policy contains NotAction. | NotAction combined with an “Effect”: “Allow” often provides more privilege than is desired. |
| iamuser | myIAM@ACME.com | 10 | IAM User has full admin privileges. | Review this user as he has full admin privileges. It is recommended to provide Admin access via groups rather than assigning it individually. |
| s3 | elasticbeanstalk-us-east-1-xnxnxnxxx240 | 10 | ACL – Unknown Cross Account Access. | Review this service as it has cross account access. |
| securitygroup | Webserver (sg-fexxxaaab in vpc-9aaa9999) | 10 | Security Group ingress rule contains 0.0.0.0/0 | Security Groups should be configured in point-to-point mode and not be left open. This SG is opening 1024 ports and causing a High vulnerability. |
The table above shows a small subset of the vulnerabilities ThreatAlert scans for, helping to harden the environment and prevent serious weaknesses caused by misconfiguration.
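The first three rows of the table (a managed policy combining Allow with NotAction, a user holding full admin rights through a directly attached policy, and an S3 ACL granting access to an account other than the bucket owner) can be detected with a few checks over the JSON the AWS APIs return. The script below is an added example, not ThreatAlert's code or any stackArmor tooling; all policy documents, ACLs, account IDs and resource names in it are constructed samples in the shape of GetPolicyVersion and GetBucketAcl output, and no AWS calls are made.

```python
"""Detect the identity and storage misconfigurations from the scan table:
Allow + NotAction in a managed policy, an IAM user holding full admin rights
through a directly attached policy, and an S3 ACL that grants access to an
account other than the bucket owner. All inputs below are constructed
sample documents in the shape the AWS APIs return; nothing calls AWS."""
from typing import Any, Dict, List, Tuple

SEVERITY_HIGH = 10  # severity score used in the table above

# --- Constructed sample inputs (shape of GetPolicyVersion / GetBucketAcl) ---
POWER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Allow everything except IAM and Organizations: wider than most teams intend.
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
        # Deny + NotAction narrows access rather than widening it, so it is not flagged.
        {"Effect": "Deny", "NotAction": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
READ_ONLY_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

OWNER_ID = "a1" * 32  # constructed canonical user ID of the bucket owner
BUCKET_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "b2" * 32}, "Permission": "READ"},  # unknown account
    ],
}

# Inventory as a scanner would collect it (constructed names).
MANAGED_POLICIES = {"PowerUserAccess": POWER_USER_POLICY, "ReadOnlyAccess": READ_ONLY_POLICY}
USER_POLICIES = {"admin-user": [ADMIN_POLICY], "analyst": [READ_ONLY_POLICY]}
BUCKET_ACLS = {"example-app-bucket": BUCKET_ACL}


def _statements(document: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Statement may be a single object or a list; always return a list."""
    stmts = document.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _as_list(value: Any) -> List[str]:
    """Action/Resource may be a string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def allow_with_notaction(document: Dict[str, Any]) -> List[int]:
    """Indices of statements combining Effect: Allow with NotAction (over-broad grants)."""
    return [i for i, s in enumerate(_statements(document))
            if s.get("Effect") == "Allow" and "NotAction" in s]


def is_full_admin(document: Dict[str, Any]) -> bool:
    """True if some statement allows every action on every resource."""
    for s in _statements(document):
        if s.get("Effect") != "Allow":
            continue
        if any(a in ("*", "*:*") for a in _as_list(s.get("Action"))) and "*" in _as_list(s.get("Resource")):
            return True
    return False


def foreign_acl_grantees(acl: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Grantees other than the owner, as (kind, identifier, permission)."""
    owner = acl["Owner"]["ID"]
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        if grantee["Type"] == "CanonicalUser" and grantee["ID"] != owner:
            found.append(("cross-account", grantee["ID"], grant["Permission"]))
        elif grantee["Type"] == "Group":  # AllUsers / AuthenticatedUsers: public access
            found.append(("public-group", grantee["URI"], grant["Permission"]))
    return found


def scan(policies=MANAGED_POLICIES, users=USER_POLICIES, acls=BUCKET_ACLS):
    """Produce (component, item, severity, finding) rows like the table above."""
    rows = []
    for name, doc in policies.items():
        if allow_with_notaction(doc):
            rows.append(("policy", name, SEVERITY_HIGH, "Managed Policy contains NotAction."))
    for user, docs in users.items():
        if any(is_full_admin(d) for d in docs):
            rows.append(("iamuser", user, SEVERITY_HIGH, "IAM User has full admin privileges."))
    for bucket, acl in acls.items():
        if foreign_acl_grantees(acl):
            rows.append(("s3", bucket, SEVERITY_HIGH, "ACL - Unknown Cross Account Access."))
    return rows


if __name__ == "__main__":
    for row in scan():
        print(" | ".join(str(c) for c in row))
```

The Deny statement in the sample policy is deliberately left unflagged: NotAction only widens access when paired with Allow, which is exactly the combination the table's comment warns about. In a real scan the same functions would be fed the output of the IAM and S3 APIs for every policy, user and bucket in the account.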
Weak and Vulnerable DMZ
AWS provides a number of powerful networking and routing services, including Load Balancers, Security Groups and subnets, to help create secure hosting environments. A very common mistake is to place web servers in a public subnet alongside a public-facing Load Balancer. The ideal solution is to have a public-facing Load Balancer and keep the Web Servers within a private subnet, with explicit traffic routing between the Load Balancer and the Web Servers.
Restricting access to ports is critical to ensuring the security of the overall hosting environment. A very common mistake is to expose well known ports such as 22 for SSH access. There are bots constantly scanning for such ports and it is critical to ensure that a security group is established to limit access to only specific IP addresses.
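The DMZ layout and port restrictions described in the two paragraphs above (load balancer in a public subnet, web servers in a private subnet reachable only from the load balancer's security group, SSH limited to specific addresses) can be expressed as checks over a VPC inventory. The script below is an added example and not code from stackArmor or AWS; the route tables, security groups, subnet and instance identifiers in it are constructed placeholders shaped like the EC2 API's route table and security group output, and the "1024 ports open to 0.0.0.0/0" group reproduces the security group finding from the table.

```python
"""Check a web tier against the DMZ layout described above: the load balancer
sits in a public subnet, web servers sit in a private subnet, web-server
HTTPS ingress comes only from the load balancer's security group, and SSH is
limited to specific addresses. The VPC inventory is constructed sample data
shaped like the EC2 API's route table / security group output."""
import ipaddress

WORLD = {"0.0.0.0/0", "::/0"}

# --- Constructed sample VPC (identifiers are placeholders, not real resources) ---
ROUTE_TABLES = {
    "rtb-public": {"subnets": ["subnet-public"],
                   "routes": [{"dest": "0.0.0.0/0", "target": "igw-example"}]},
    "rtb-private": {"subnets": ["subnet-private"],
                    "routes": [{"dest": "0.0.0.0/0", "target": "nat-example"}]},
}
SECURITY_GROUPS = {
    # Only the load balancer should accept traffic from the internet, and only on 443.
    "sg-alb": {"ingress": [{"from": 443, "to": 443, "sources": ["0.0.0.0/0"]}]},
    # Point-to-point: HTTPS from the ALB's group, SSH from one bastion address.
    "sg-web-good": {"ingress": [{"from": 443, "to": 443, "sources": ["sg-alb"]},
                                {"from": 22, "to": 22, "sources": ["203.0.113.10/32"]}]},
    # The pattern from the table: a whole port range open to 0.0.0.0/0.
    "sg-web-bad": {"ingress": [{"from": 0, "to": 1023, "sources": ["0.0.0.0/0"]}]},
}
LOAD_BALANCER_SGS = {"sg-alb"}
INSTANCES = {
    "web-1": {"subnet": "subnet-private", "sg": "sg-web-good"},
    "web-2": {"subnet": "subnet-public", "sg": "sg-web-bad"},
}


def is_public_subnet(subnet_id, route_tables=ROUTE_TABLES):
    """A subnet is public if its route table sends traffic to an internet gateway."""
    for table in route_tables.values():
        if subnet_id in table["subnets"]:
            return any(r["target"].startswith("igw-") for r in table["routes"])
    return False  # no explicit association modelled here; treat as private


def world_open_ports(sg):
    """Number of distinct TCP ports the group exposes to 0.0.0.0/0 or ::/0."""
    ports = set()
    for rule in sg["ingress"]:
        if WORLD & set(rule["sources"]):
            ports.update(range(rule["from"], rule["to"] + 1))
    return len(ports)


def ingress_not_from_lb(sg, lb_sgs=LOAD_BALANCER_SGS, port=443):
    """Sources of HTTPS ingress that are not a load balancer security group."""
    return [src for rule in sg["ingress"] if rule["from"] <= port <= rule["to"]
            for src in rule["sources"] if src not in lb_sgs]


def broad_ssh_sources(sg):
    """CIDR sources reaching port 22 that cover more than a single address."""
    broad = []
    for rule in sg["ingress"]:
        if not rule["from"] <= 22 <= rule["to"]:
            continue
        for src in rule["sources"]:
            if src.startswith("sg-"):
                continue  # group-to-group rule, not a CIDR
            if ipaddress.ip_network(src).num_addresses > 1:
                broad.append(src)
    return broad


def audit_web_instance(name, instances=INSTANCES, sgs=SECURITY_GROUPS):
    """Findings for one web server; an empty list means it matches the DMZ pattern."""
    inst = instances[name]
    sg = sgs[inst["sg"]]
    findings = []
    if is_public_subnet(inst["subnet"]):
        findings.append("web server is in a public subnet; place it in a private subnet behind the load balancer")
    n = world_open_ports(sg)
    if n:
        findings.append(f"security group ingress contains 0.0.0.0/0 ({n} ports open)")
    extra = ingress_not_from_lb(sg)
    if extra:
        findings.append("HTTPS ingress not restricted to the load balancer: " + ", ".join(extra))
    broad = broad_ssh_sources(sg)
    if broad:
        findings.append("SSH reachable from non-specific sources: " + ", ".join(broad))
    return findings


if __name__ == "__main__":
    for server in INSTANCES:
        print(server, audit_web_instance(server) or ["ok"])
```

`web-1` passes every check, while `web-2` produces four findings: it sits in the public subnet, its group opens 1024 ports to the world, its HTTPS ingress is not limited to the load balancer's group, and port 22 is reachable from 0.0.0.0/0. Referencing the load balancer's security group as the source (rather than a CIDR) is what "point-to-point mode" means in practice: the web servers accept traffic only from that group, whatever addresses the load balancer uses.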
Many times it is advantageous to get expert reviews of the AWS hosting configuration to avoid introducing vulnerabilities that can be exploited by malicious actors.
Interested in cloud security and compliance? Read some of our other blogs on the same topic.