stackArmor ThreatAlert Top 4 AWS Security Group Misconfigurations

AWS Security Groups are foundational to any AWS deployment: they are the stateful, instance-level virtual firewalls that decide which traffic may reach (and leave) an application and its data. Unfortunately, the perception that configuring and managing these building blocks is simple leads many teams to skip key best practices. stackArmor's AWS-certified Solution Architects and security engineers have developed a set of best practices over the years and codified them as business rules in our ThreatAlert™ service. The stackArmor ThreatAlert™ Threat Index aggregates findings across customers, industries and deployments to show which misconfigurations are most common. An overwhelming 63% of all findings were related to Security Groups.

The most common issues found with AWS Security Groups are:

All of this can seem a little confusing and can be a distraction from the everyday functioning of a company. Over time, and with growth, it is easy for these security groups to get lost in the management mix, especially in a dynamic environment with rapid code deployment and automation using CI/CD or DevOps, where rules are added for a one-off test or debugging session and never removed.

It is absolutely critical to monitor and manage such misconfigurations. The stackArmor ThreatAlert™ service provides a powerful AIOps engine that continuously finds and reports issues in the environment. One of the main misconfigurations the service monitors for is wide-open rules in security groups: ingress rules whose source is 0.0.0.0/0 (or ::/0 for IPv6), which expose a port, a port range or every protocol to the entire internet. The service alerts the security analyst when ports are opened too widely, allowing the analyst to notify the business and work with them to remediate the issue. Automatic remediation is available in the ThreatAlert™ service, but stackArmor has found that most of the time it is more practical to be alerted, notify the business and then work with them, because there are times when the opening is legitimate.

This is not to say that all wide-open rules are invalid. The stackArmor ThreatAlert™ Cloud Integrity Scanner is deliberately strict and reports on every such configuration. In some cases there is a valid reason to have a specific protocol/port open to all IP addresses, such as HTTP/80 or HTTPS/443 on a public web tier. In these cases it is important to log and record the explicit rule, together with who approved it and why, for reporting and historical reference. A single service port open to the world is a very different risk from a rule that opens all ports (0-65535) or all protocols, or from exposing administrative ports such as SSH/22 or RDP/3389, and an accepted exception should never silently widen into one of those. Such auditing and logging of configuration-management information is a key requirement for compliance standards such as FedRAMP, NIST SP 800-53, HIPAA and others.
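The two paragraphs above describe the check in words: flag any ingress rule whose source is 0.0.0.0/0 or ::/0, but treat a single accepted port such as tcp/80 or tcp/443 as a logged exception rather than a high-severity finding. The following Python is an added illustration of that logic and is not code from the stackArmor ThreatAlert™ service. It assumes input in the shape of the `SecurityGroups` list returned by `aws ec2 describe-security-groups` (the same shape boto3's `describe_security_groups()` returns); the sample groups, their IDs and names below are constructed for the example, and the accepted-port list is an assumed policy, not a rule from the page.

```python
"""Flag security-group ingress rules that are open to the whole internet.

Added example, not stackArmor's code. The input is a list of security
group dicts in the shape of `aws ec2 describe-security-groups` output.
"""
from dataclasses import dataclass
from typing import List, Optional

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Assumed policy: single ports a business may legitimately expose to the
# internet. A match is still recorded (severity "accepted") so the
# exception is logged for audit instead of silently dropped.
ACCEPTED_PUBLIC = {("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Finding:
    group_id: str
    group_name: str
    protocol: str
    from_port: Optional[int]
    to_port: Optional[int]
    cidr: str
    severity: str  # "high" for unexpected openings, "accepted" for allow-listed ones


def _classify(protocol: str, from_port: Optional[int], to_port: Optional[int]) -> str:
    """Decide whether a world-open rule is an accepted exception or a finding."""
    # IpProtocol "-1" is the AWS wildcard: every protocol and every port,
    # and such rules carry no FromPort/ToPort at all.
    if protocol == "-1" or from_port is None or to_port is None:
        return "high"
    # Only a rule covering exactly one port can match the allow-list; a
    # range such as 0-65535 that happens to include 443 is still wide open.
    if from_port == to_port and (protocol, from_port) in ACCEPTED_PUBLIC:
        return "accepted"
    return "high"


def find_world_open_ingress(security_groups: List[dict]) -> List[Finding]:
    """Return one Finding per (rule, world CIDR) pair across all groups."""
    findings: List[Finding] = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            protocol = perm.get("IpProtocol", "")
            from_port = perm.get("FromPort")
            to_port = perm.get("ToPort")
            # IPv4 and IPv6 sources live in separate lists in the API output.
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD_CIDRS:
                    continue  # scoped to a specific network; not our concern here
                findings.append(Finding(
                    group_id=sg["GroupId"],
                    group_name=sg.get("GroupName", ""),
                    protocol=protocol,
                    from_port=from_port,
                    to_port=to_port,
                    cidr=cidr,
                    severity=_classify(protocol, from_port, to_port),
                ))
    return findings


# Constructed sample data; the group IDs and names are invented.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0fedcba9876543210",
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


if __name__ == "__main__":
    for f in find_world_open_ingress(SAMPLE_GROUPS):
        ports = "all" if f.from_port is None else f"{f.from_port}-{f.to_port}"
        print(f"[{f.severity:8}] {f.group_id} ({f.group_name}) "
              f"{f.protocol}/{ports} from {f.cidr}")
```

Run against the sample, the web tier's 443 rules (IPv4 and IPv6) come back as accepted exceptions to be logged, while SSH/22 to the world and the database tier's all-protocol rule are high-severity findings; the MySQL rule scoped to 10.0.0.0/16 is not reported at all. Two practitioner caveats: a security group only exposes something when it is attached to a network interface with a public address, so an orphaned group is a hygiene finding rather than live exposure, and a private-range source such as 10.0.0.0/16 can still be too broad for a database, which is a separate check from the one shown here.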