5 Common AWS Security Mistakes and How to Avoid Them
Amazon Web Services is the leading player in the cloud computing industry. According to reports, AWS solutions earned 500 billion dollar business, a 33% increase from 2022. One of the main reasons behind this increase is that more organizations quickly realize AWS offers. Nevertheless, considering its complexity, it is quite easy for administrators to make mistakes with some of the most crucial AWS security settings, leading to devastating security problems.
Even though a simple mistake may not sound like much, it may have disastrous concerns. Going by the predictions at Gartner, by 2025, 99% of all cloud security problems will result from simple mistakes that are taken lightly. Compromising even a small detail in the AWS environment means business losses, service interruptions, potential penalties, and fines for non-compliance with the data privacy regulations and expensive data breaches.
Regardless of the type and size of the organization, AWS security professionals should be aware of these 5 common AWS security mistakes and how to mitigate them successfully:
-
Improper IAM Management
IAM or Identity and Access Management in AWS enable the users to control their account access by creating and managing AWS permissions. The entity specifying these permissions in AWS is known as “policy.” And when a user fails to assign identity-based policies in IAM to the right individual, the system extensively and automatically assigns them to the users in numerous resources or groups. Furthermore, it offers users several access privileges, resulting in security breaches. Other IAM mistakes in AWS include not rotating access keys; improper handling of access keys to access AWS resources programmatically; absence of multi-factor authentication for all sensitive accounts; not using SCPs or Service Control Policies across different AWS accounts, and having unwanted or unused IAM roles or users.
You can avoid these pitfalls by:
- Creating new IAM user accounts for all new actions and enabling ley access only for the programmatic accounts.
- Granting the least privileges for accounts and adding privileges as the need might be.
- Enabling 2-factor authentication for user accounts used by real individuals.
- Logging IAM admin login and other important events.
-
Open S3 Buckets
S3 is an object storage solution wherein data storage occurs in buckets, with each bucket having configurable access permissions. The buckets are private by default, so accounts with explicit permission only can access them. Nevertheless, the buckets are often made public and open online so anyone can access them and the data. Though this makes it convenient for the users to circumvent access controls, this is a major AWS security mistake. Common S3 misconfiguration problems include:
- Using bad access control lists.
- Enabling directory listings for all
- Absence of horizontal access control enabling one user to access the files of all the other users.
Some steps to avoid open S3 bucket issues include:
- Using a specialized user with ownership of all the objects instead of using the ACLs.
- Disabling directory listings for all the users.
- Enabling applications to proxy-file access so no one can touch the S3 bucket items directly.
-
Lack of Custom Security Groups for Interconnected Resources.
It’s quite natural for the AWS resources to communicate with the other resources from time to time. For instance, the EC2 server of a company’s CMS platform needs to communicate with a Memcached instance and an RDS instance. A compromised and poorly configured AWS system will have only one security group featuring all the resources. This will allow the potential hackers to access all the resources even if they get hold of just one of the resources.
The best ways to avoid this mistake is to create custom security groups so resources get only minimal access that’s required for them to function optimally.
-
Unwanted Open Ports on Security Groups and Resources
Web services use UDP or TCP ports with port numbers as part of their regular functioning. For proper communication and data transfer, all client applications should connect to these ports. While Port 22 is meant for SSH sessions, Port 80 is for HTTP traffic, and Port 443 is for HTTPS traffic. Users can reassign all these default ports though this may mean compatibility issues for clients who do not know about the changes. Nevertheless, these default ports are also open to misconfigurations that can help the attackers collect information about different services running.
A few recommendations to avoid this mistake are:
- Opening ports only on a case-by-case basis.
- Disabling banner exposure on all internet-facing applications
- Greenkeeping or updating an application exposed through an open port and not updated automatically. Greenkeeping is essentially a regular code and involves code dependency maintenance.
-
Unauthenticated or Insecure Lambdas
The serverless functions in the AWS environment are known as AWS Lambdas. These standalone solutions do not share the same authentication systems as Ruby on Rails or other apps. Consequently, the web developers in a company cannot implement meaningful authentication on these functions or Lambdas. This can further result in issues like insecure Lambda use or, even worse, no authentication to the service requests and flat key authentication by Lambda, allowing users to make requests on behalf of the other user.
Steps to avoid this mistake include:
- Checking for file upload errors, specifically when uploading files based on location sent from the front end.
- Having an authentication plan per user for the AWS Lambdas.
To Conclude
So, there you are- five of the most common AWS mistakes companies or individuals will likely make. Hopefully, by knowing these mistakes and the right way to mitigate them, you may get ahead of the curve in ensuring tight AWS security, enabling customers to use your services confidently.