In the cloud, where there are no perimeters and limitless endpoints, there are many ways attackers can get direct access to your environment if you make the wrong move. Given the speed that companies are moving to and scaling in the cloud, it’s easy to miss a step along the way and leave your business wide open for an attack.
In a recent survey, we found that 73 percent of companies have critical AWS cloud security misconfigurations. Issues like wide open SSH and infrequent software updates are among the top risks identified, and of course, some of the biggest exposures in the recent past (Verizon, Dow Jones, and the RNC) were the result of AWS S3 configuration errors. But there are many others that are more obscure, yet just as dangerous if left unaddressed.
So, how do you know whether a misconfiguration is going to put you at risk? And how do you identify where your gaps are? In this post, we’ll walk through the four signs of a critical misconfiguration, how to spot one, and how you can fix it — fast.
Signs of a Critical AWS Security Misconfiguration
The beauty of the cloud is that you can configure it in any number of ways to fit your organization’s unique needs. The only problem is, it can be difficult to know the difference between a configuration that deviates from the norm but does not put your security at risk and one that could lead to a breach.
If a misconfiguration could lead to any of the following situations, then it’s considered critical:
- Can be leveraged in a direct data breach
- Can be leveraged in a more complex attack
- Enables trivial attacks on an AWS console
- Reduces or eliminates critical visibility (security or compliance)
The best way to determine whether a misconfiguration could lead to any of the above is to think like an attacker. If you can envision an attack based on a misconfiguration, chances are, someone else can too.
How to Spot a Critical Misconfiguration
The best process for spotting misconfigurations is to scan for them as soon as you move to the cloud and again each time you make a change to your environment. Running a configuration audit will help you see what you may have missed and give you the opportunity to remediate before attackers can find and exploit it.
Looking for some examples? Mishaps like leaving SSH wide open to the internet can allow an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. Failing to enforce multi-factor authentication (MFA) is another big misconfiguration concern. In our survey, 62 percent of companies did not actively require users to use MFA, making brute force attacks all too easy for adversaries to carry out. Auditing your configurations regularly will show you how you hold up against CIS Benchmarks and AWS best practices.
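As an added example (not code from the original post or from any vendor tool), here are two audit checks for the misconfigurations just described: security groups that expose SSH to the whole internet, and console users without MFA. The inputs mirror the shapes returned by EC2 DescribeSecurityGroups and the IAM credential report, so boto3 output can be passed in directly; the sample data below is constructed, and the credential-report sample keeps only a subset of the real report's columns.

```python
import csv
import io
from ipaddress import ip_network

SSH_PORT = 22

def _rule_covers_port(rule, port):
    """True if an inbound rule reaches `port` (IpProtocol "-1" means all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi

def open_ssh_groups(security_groups, port=SSH_PORT):
    """Return IDs of groups whose inbound rules allow `port` from any address (/0)."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not _rule_covers_port(rule, port):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
                findings.append(sg["GroupId"])
                break  # one offending rule is enough to flag the group
    return findings

def users_without_mfa(credential_report_csv):
    """Return console users (password enabled) whose mfa_active column is false."""
    rows = csv.DictReader(io.StringIO(credential_report_csv))
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] == "false"]

SAMPLE_GROUPS = [  # constructed sample, shaped like DescribeSecurityGroups output
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-internal", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-allow-all", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_REPORT = (  # constructed sample; real report has more columns than these
    "user,password_enabled,mfa_active\n"
    "alice,true,true\n"
    "bob,true,false\n"
    "deploy,false,false\n"  # no console password, so MFA is not expected here
)
```

Run the two functions over the live account by feeding them `ec2.describe_security_groups()["SecurityGroups"]` and the decoded `Content` of `iam.get_credential_report()`.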
The sooner you begin to regularly audit your configurations, the faster you’ll be able to spot misconfigurations before someone else does.