Over the last few years, several high-profile data breaches have rocked the tech industry, specifically targeting cloud infrastructure. Many of these attacks started on servers hosted in Amazon Web Services (AWS) and successfully bypassed all the security controls. In 2021, a company named Verkada experienced a breach that impacted 97 of its clients, caused by the exposure of sensitive data on the internet due to a misconfigured AWS server. Similarly, in 2021, Capital One suffered a data breach that resulted from misconfigured AWS Identity and Access Management (IAM) users, leading to the theft of personally identifiable information (PII) belonging to 100 million individuals. This breach resulted in an $80 million settlement, underscoring the severe financial repercussions of poor cybersecurity practices. These incidents serve as a cautionary tale to businesses and individuals alike, emphasizing the importance of proactive measures to protect sensitive information in the digital age.
This blog will discuss six best practices you can use to bulletproof your AWS infrastructure. They are based on extensive research conducted by AWS using its product Amazon GuardDuty, which uses machine learning, anomaly detection, and threat intelligence findings to alert users to potentially unauthorized access and malicious activity.
Top 3 common attack vectors, according to AWS
With recent data breaches and exfiltration of personally identifiable information from AWS servers, it is essential to analyze the threat vectors that attackers use inside AWS. AWS performed a thorough analysis of the current security threat landscape using Amazon GuardDuty, a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. AWS created a chart that breaks down the threat purpose of all findings between July and September 2022. The study was performed on data from all GuardDuty customers using AWS compute (Amazon EC2), storage (Amazon S3), or both. The top three finding purposes were unauthorized access (20%), policy (15%), and stealth (15%), together accounting for 50% of the findings in the chart and collectively representing the most commonly used attack vectors.
Unauthorized access to an Amazon EC2 instance is a major concern for AWS customers. This occurs when a person or a program attempts to access an EC2 instance they are not authorized to use. This attack frequently occurs over RDP or SSH connections made by either an internal or external service, and it’s particularly concerning if it’s an internal service or an employee. Such access attempts could indicate that other infrastructure parts may already be compromised.
Policy violations are detected when GuardDuty finds account activity that goes against security best practices. You can easily reconfigure or mitigate these to harden your environment. The top three policy findings were: (1) root credential usage, (2) S3 Block Public Access disabled on a bucket, and (3) multi-factor authentication (MFA) not being used.
- Root credential usage means that the root account is being used to make requests to AWS. The root account is the key to your kingdom, and as the super admin account, it has access to every single resource in your AWS environment, including your billing. There’s no need to use this identity for anything once admin accounts are first created, and this is a goldmine for attackers.
- Block Public Access disabled on an S3 bucket means that anyone on the internet can attempt to access that bucket.
- Enabling MFA for privileged users is the most critical baseline security practice for your AWS accounts; without it, they have only minimal protection.
In GuardDuty's findings, stealth refers to a user deliberately disabling server access logging on a bucket. This finding is significant because attackers typically aim to remain undetected, and disabling server access logging makes it harder to track their activities. By turning off logging tools, attackers can access sensitive data without leaving any trace of their actions. When server access logging is disabled, it is impossible to know who is accessing your data. Disabled logging may be an early sign of an ongoing cyberattack. The stealth finding type highlights the importance of maintaining logs and other monitoring tools as an effective means of detecting and preventing unauthorized access to sensitive information.
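The three finding purposes above can be spotted in your own telemetry before GuardDuty is even enabled. The following is an added example (not code from the original post or from AWS) that triages constructed CloudTrail records for the policy and stealth signals (root credential usage, console sign-in without MFA, Block Public Access removed, bucket logging turned off) and constructed VPC flow log lines for repeated connections to SSH/RDP ports, which is the signal behind the unauthorized-access findings. Account id, actors, bucket name and IP addresses are made up; the field names follow CloudTrail and the default flow log format.

```python
"""Added example (not from the original post): triage constructed CloudTrail
records and VPC flow log lines for the three GuardDuty finding purposes
discussed above: unauthorized access, policy violations and stealth."""
from collections import Counter

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed, abbreviated CloudTrail records (field names follow CloudTrail;
# account id, actors and bucket are made up for the example).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DeleteBucketPublicAccessBlock", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-data"}},
    {"eventName": "PutBucketLogging", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "example-data", "BucketLoggingStatus": {}}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"bucketName": "example-data", "key": "report.csv"}},
]

# Constructed VPC flow log records (default v2 format): one source repeatedly
# hitting port 22, plus ordinary HTTPS traffic inside the VPC.
SAMPLE_FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d 203.0.113.50 10.0.1.12 51122 22 6 10 840 1689000000 1689000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.50 10.0.1.12 51123 22 6 10 840 1689000001 1689000061 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.50 10.0.1.12 51124 22 6 10 840 1689000002 1689000062 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.50 10.0.1.12 51125 22 6 10 840 1689000003 1689000063 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.2.8 10.0.1.12 44002 443 6 20 4000 1689000010 1689000070 ACCEPT OK
"""


def triage_cloudtrail(events):
    """Return (purpose, rule, subject) tuples for policy and stealth signals."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        ident = ev.get("userIdentity", {})
        params = ev.get("requestParameters") or {}
        # Policy: any API call made with root credentials.
        if ident.get("type") == "Root":
            findings.append(("Policy", "RootCredentialUsage", ident.get("arn")))
        # Policy: console sign-in that did not use MFA.
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("Policy", "ConsoleLoginWithoutMFA", ident.get("arn")))
        # Policy: S3 Block Public Access removed or weakened on a bucket.
        if name == "DeleteBucketPublicAccessBlock":
            findings.append(("Policy", "BucketBlockPublicAccessDisabled", params.get("bucketName")))
        elif name == "PutBucketPublicAccessBlock":
            cfg = params.get("PublicAccessBlockConfiguration") or {}
            if not all(cfg.get(k) for k in BPA_KEYS):
                findings.append(("Policy", "BucketBlockPublicAccessDisabled", params.get("bucketName")))
        # Stealth: server access logging turned off (no LoggingEnabled element).
        if name == "PutBucketLogging" and not (params.get("BucketLoggingStatus") or {}).get("LoggingEnabled"):
            findings.append(("Stealth", "BucketLoggingDisabled", params.get("bucketName")))
    return findings


def detect_admin_port_bruteforce(flow_log_text, threshold=3):
    """Flag sources with `threshold` or more TCP connections to SSH/RDP ports."""
    attempts = Counter()
    for line in flow_log_text.splitlines():
        fields = line.split()
        if len(fields) < 14 or fields[0] != "2":
            continue
        src, dst_port, protocol = fields[3], int(fields[6]), fields[7]
        if protocol == "6" and dst_port in ADMIN_PORTS:
            attempts[(src, dst_port)] += 1
    return [("UnauthorizedAccess", f"{ADMIN_PORTS[port]}BruteForce", src)
            for (src, port), count in attempts.items() if count >= threshold]


if __name__ == "__main__":
    for finding in triage_cloudtrail(SAMPLE_EVENTS) + detect_admin_port_bruteforce(SAMPLE_FLOW_LOGS):
        print(*finding)
```

The root sign-in produces two findings on purpose: the root credential use is a problem regardless of MFA, and the missing MFA is a second, independent gap. The brute-force threshold is deliberately low for the sample; in practice it is tuned per environment and evaluated over a time window.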
Top 6 best practices
#1: Disable inbound RDP and SSH connections
To improve the security of your EC2 instances, limiting the number of inbound connections to them is essential. One way to do this is by disabling RDP and SSH connections using AWS Web Application Firewall (WAF). AWS WAF provides real-time protection against web-based attacks by inspecting incoming traffic and blocking suspicious requests. By disabling inbound RDP and SSH connections, you can ensure that only authorized users can access your instances. This approach reduces the attack surface and adds an additional layer of protection to your environment. Additionally, WAF can help you monitor your traffic and provide detailed logs of all incoming requests, making it easier to identify and respond to any potential security threats.
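One caveat a practitioner will want here: AWS WAF inspects HTTP(S) requests in front of CloudFront, Application Load Balancers, API Gateway and similar web endpoints, while RDP and SSH are plain TCP services on ports 3389 and 22. The control that actually stops inbound RDP/SSH at the instance is the security group (and, at the subnet level, the network ACL); for administrative access without any open inbound port, AWS Systems Manager Session Manager is the usual replacement. The following added example (not code from the original post or from AWS) audits security group ingress rules in the shape returned by `aws ec2 describe-security-groups`, flags any rule that exposes SSH or RDP to the whole internet, and emits the matching revoke command. The group ids and rules are constructed.

```python
"""Added example (not from the original post): find security groups that
expose SSH or RDP to the whole internet and emit the matching revoke commands.
Input shape follows `aws ec2 describe-security-groups`; values are constructed."""
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "bastion-legacy",
     "IpPermissions": [
         # "-1" means all protocols and ports, here open to every IPv6 address.
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         # RDP limited to the private range: not world-open, so not flagged.
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
     ]},
]


def rule_covers_port(perm, port):
    """True if an ingress rule includes the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rule_world_open(perm):
    """True if the rule's source includes every IPv4 or every IPv6 address."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & ANYWHERE)


def find_exposed_admin_ports(security_groups):
    """Return one record per (group, admin port) reachable from the internet."""
    exposed = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_world_open(perm):
                continue
            for port, service in ADMIN_PORTS.items():
                if rule_covers_port(perm, port):
                    exposed.append({"GroupId": sg["GroupId"], "Port": port,
                                    "Service": service, "Rule": perm})
    return exposed


def revoke_commands(exposed):
    """Build one `aws ec2 revoke-security-group-ingress` command per offending
    rule. The whole rule is revoked; re-add a narrower one afterwards."""
    commands, seen = [], set()
    for item in exposed:
        # Drop empty range lists so the JSON passed to --ip-permissions stays minimal.
        rule = {k: v for k, v in item["Rule"].items() if v != []}
        key = (item["GroupId"], json.dumps(rule, sort_keys=True))
        if key in seen:
            continue
        seen.add(key)
        commands.append(
            f"aws ec2 revoke-security-group-ingress --group-id {item['GroupId']} "
            f"--ip-permissions '{json.dumps([rule])}'")
    return commands


if __name__ == "__main__":
    for cmd in revoke_commands(find_exposed_admin_ports(SAMPLE_SECURITY_GROUPS)):
        print(cmd)
```

The "-1" rule in the second group is the case audits most often miss: it never names port 22 or 3389, yet it exposes both, so the check must treat any-protocol rules as covering every port.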
#2: Remove public access to S3 buckets
One of the most common causes of data breaches is leaving S3 buckets open to the public, often because of a misconfiguration or an oversight in the security settings. Public access to S3 buckets can allow anyone on the internet to access and download sensitive data. The best practice is to prevent unauthorized access by removing public access to S3 buckets. The most practical way to do this is using the AWS Identity and Access Management (IAM) policy to restrict access to the bucket to only authorized users or services. Additionally, you can configure bucket policies to enforce specific security controls, such as requiring encryption or restricting access from specific IP addresses. By removing public access to S3 buckets, you can significantly reduce the risk of data breaches and ensure your sensitive data remains secure.
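Whether a bucket is actually public depends on three things together: the bucket policy, the bucket ACL, and the Block Public Access settings at bucket and account level (the stricter level wins). The following added example (not code from the original post or from AWS) evaluates that combination for constructed buckets and produces the hardened Block Public Access configuration and the CLI command that applies it. Bucket names and policies are constructed.

```python
"""Added example (not from the original post): decide whether a bucket is
effectively public from its Block Public Access settings, bucket policy and
ACL, and produce the hardened settings. All inputs are constructed."""

BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_is_public(statement):
    """An Allow to Principal "*" (or {"AWS": "*"}) with no Condition grants everyone."""
    if statement.get("Effect") != "Allow" or statement.get("Condition"):
        return False
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)


def acl_is_public(grants):
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES for g in grants)


def public_exposure(bucket):
    """Return the reasons a bucket is reachable by anonymous or any AWS principal.
    `bucket` carries the merged account-level and bucket-level Block Public Access
    settings. BlockPublicPolicy only stops *new* public policies from being
    written; RestrictPublicBuckets is what neutralises an existing one."""
    bpa = bucket.get("PublicAccessBlockConfiguration") or {}
    policy = bucket.get("Policy") or {"Statement": []}
    reasons = []
    if any(statement_is_public(s) for s in _as_list(policy["Statement"])):
        if not bpa.get("RestrictPublicBuckets"):
            reasons.append("public bucket policy and RestrictPublicBuckets is off")
    if acl_is_public(bucket.get("Grants", [])) and not bpa.get("IgnorePublicAcls"):
        reasons.append("public ACL grant and IgnorePublicAcls is off")
    return reasons


def hardened_block_public_access():
    """All four settings on: apply per bucket and at account level."""
    return {key: True for key in BPA_KEYS}


def remediation_command(bucket_name):
    cfg = ",".join(f"{k}=true" for k in BPA_KEYS)
    return (f"aws s3api put-public-access-block --bucket {bucket_name} "
            f"--public-access-block-configuration {cfg}")


PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"}]}

# Constructed buckets: the same public policy with and without the block, and
# a legacy bucket that is public through its ACL only.
SAMPLE_BUCKETS = [
    {"Name": "example-data", "Policy": PUBLIC_READ_POLICY, "Grants": [],
     "PublicAccessBlockConfiguration": {k: False for k in BPA_KEYS}},
    {"Name": "example-data-restricted", "Policy": PUBLIC_READ_POLICY, "Grants": [],
     "PublicAccessBlockConfiguration": hardened_block_public_access()},
    {"Name": "example-legacy-acl", "Policy": None,
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
     "Grants": [{"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}]},
]

if __name__ == "__main__":
    for b in SAMPLE_BUCKETS:
        reasons = public_exposure(b)
        print(b["Name"], "PUBLIC" if reasons else "not public", reasons)
        if reasons:
            print("  fix:", remediation_command(b["Name"]))
```

The second bucket shows why the check must look at Block Public Access and not just the policy text: the public statement is still there, but RestrictPublicBuckets makes it inert. Turning the block on is the fast fix; removing the public statement afterwards is still worthwhile so the bucket does not depend on a single setting.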
#3: Use IAM for user access to S3 buckets
When securing access to S3 buckets, using IAM for user access is a highly recommended practice. IAM allows you to control who has access to your S3 buckets and what actions they can perform on them. For example, you can create IAM policies that grant specific permissions to individual users or groups of users, such as read-only or full-control access. By using IAM, you can ensure that only authorized users can access your S3 buckets and that they perform only the actions they are supposed to. Adhering to these best practices helps to prevent unauthorized access, accidental deletions, and other types of security incidents that can put your data at risk. Additionally, IAM provides you with detailed logs and audit trails that allow you to track who accessed your buckets and when, which can be useful for forensic investigations and compliance purposes.
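The read-only and full-control grants mentioned above are easiest to get right when they are generated rather than hand-written. The following added example (not code from the original post or from AWS) builds a read-only policy scoped to one prefix of one bucket and a full-control policy with explicit deny guard rails, then checks sample requests against them with a small evaluator that applies IAM's own ordering (explicit deny wins, then any allow, otherwise implicit deny). The bucket name, prefix and ARNs are constructed; the evaluator supports only the `StringEquals` and `StringLike` condition operators used by these policies.

```python
"""Added example (not from the original post): generate least-privilege IAM
policies for one bucket and check requests against them with a minimal
evaluator that applies IAM's explicit-deny-wins rule. Names are constructed."""
import fnmatch


def read_only_policy(bucket, prefix=""):
    """List and read objects under `prefix` only; nothing else on the bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
        {"Sid": "ReadObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"}]}


def full_control_policy(bucket):
    """Manage objects and settings, but never delete the bucket or rewrite its policy."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ManageBucket", "Effect": "Allow", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
        {"Sid": "GuardRails", "Effect": "Deny",
         "Action": ["s3:DeleteBucket", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
         "Resource": f"arn:aws:s3:::{bucket}"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(value, patterns, fold=False):
    """Glob match against one or more patterns; actions are case-insensitive in IAM."""
    if fold:
        value, patterns = value.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringLike conditions against the request context.
    A key missing from the context makes the condition fail, as in IAM."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not _match_any(actual, expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if not (_match_any(action, st["Action"], fold=True)
                and _match_any(resource, st["Resource"])
                and _condition_holds(st.get("Condition"), context)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    ro = read_only_policy("example-data", "reports/")
    print("read reports/q1.csv:", is_allowed(ro, "s3:GetObject", "arn:aws:s3:::example-data/reports/q1.csv"))
    print("read secrets/key.pem:", is_allowed(ro, "s3:GetObject", "arn:aws:s3:::example-data/secrets/key.pem"))
    fc = full_control_policy("example-data")
    print("delete bucket:", is_allowed(fc, "s3:DeleteBucket", "arn:aws:s3:::example-data"))
```

The `ListBucket` statement is the part people usually get wrong: the action applies to the bucket ARN, not the object ARN, and without the `s3:prefix` condition a "read-only" user can enumerate every key in the bucket. For real policies, validate with the IAM policy simulator rather than this toy evaluator.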
#4: Encrypt S3 data
Encrypting data on S3 buckets is an important security measure that can help protect sensitive information. AWS provides different options for encrypting data at rest, including server-side encryption using AWS-managed keys, customer-provided keys, or AWS Key Management Service (KMS) keys. Additionally, you can use client-side encryption to encrypt data before uploading it to S3 buckets. When encrypting data on S3 buckets, it’s essential to carefully manage encryption keys and access policies to ensure that only authorized users and applications can access the encrypted data. By encrypting data on S3 buckets, you can provide an additional layer of protection to your data.
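Two settings do most of the work here: a default encryption configuration so that objects uploaded without a header are still encrypted, and a bucket policy that denies uploads not using SSE-KMS (or using the wrong key) and denies any request over plain HTTP. The following added example (not code from the original post or from AWS) produces both and includes a checker that mirrors each deny statement so you can see which one a given PutObject request would trip. The bucket name and KMS key ARN are constructed placeholders.

```python
"""Added example (not from the original post): bucket policy enforcing SSE-KMS
and TLS, the matching default-encryption setting, and a checker that mirrors
the policy's conditions on constructed PutObject requests."""
import json

BUCKET = "example-data"  # constructed
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"  # placeholder


def default_encryption_config(kms_key_arn):
    """Server-side default for objects uploaded without an encryption header
    (the body for `aws s3api put-bucket-encryption`)."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault":
                       {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
                       "BucketKeyEnabled": True}]}


def encryption_bucket_policy(bucket, kms_key_arn):
    """Deny plaintext transport, non-KMS uploads, uploads without a header,
    and uploads that name a different KMS key."""
    bucket_arn, objects = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [bucket_arn, objects],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        # StringNotEquals does not fire when the header is absent, hence the Null check.
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyOtherKmsKeys", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEqualsIfExists":
                       {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
    ]}


def put_object_denials(request, kms_key_arn):
    """Return the Sids that would deny this PutObject. An empty list means the
    bucket policy permits it (identity policies are evaluated separately)."""
    denials = []
    headers = request.get("headers", {})
    if not request.get("tls", False):
        denials.append("DenyInsecureTransport")
    sse = headers.get("x-amz-server-side-encryption")
    if sse is None:
        denials.append("DenyUnencryptedObjectUploads")
    elif sse != "aws:kms":
        denials.append("DenyIncorrectEncryptionHeader")
    key_id = headers.get("x-amz-server-side-encryption-aws-kms-key-id")
    if key_id is not None and key_id != kms_key_arn:
        denials.append("DenyOtherKmsKeys")
    return denials


# Constructed requests covering the good path and each failure mode.
SAMPLE_REQUESTS = {
    "kms-over-tls": {"tls": True, "headers": {"x-amz-server-side-encryption": "aws:kms",
                                              "x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}},
    "kms-over-http": {"tls": False, "headers": {"x-amz-server-side-encryption": "aws:kms"}},
    "sse-s3": {"tls": True, "headers": {"x-amz-server-side-encryption": "AES256"}},
    "no-header": {"tls": True, "headers": {}},
    "wrong-key": {"tls": True, "headers": {"x-amz-server-side-encryption": "aws:kms",
                                           "x-amz-server-side-encryption-aws-kms-key-id":
                                           "arn:aws:kms:us-east-1:111122223333:key/other"}},
}

if __name__ == "__main__":
    print(json.dumps(encryption_bucket_policy(BUCKET, KMS_KEY_ARN), indent=2))
    for name, req in SAMPLE_REQUESTS.items():
        print(name, "->", put_object_denials(req, KMS_KEY_ARN) or "allowed")
```

Pair this with a key policy on the KMS key that limits `kms:Encrypt`/`kms:GenerateDataKey` to the roles that should write to the bucket; that is the "carefully manage encryption keys and access policies" part of the section, and the bucket policy alone does not cover it.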
#5: Secure and limit use of root account
Root privilege is the most powerful privilege in an AWS account, and it should be used only for specific administrative tasks that other IAM users or roles cannot perform. As such, it’s essential to harden the root account by setting up MFA (multi-factor authentication), strong password policies, and other security mechanisms. The root account should also not be used for daily operations, as it poses a significant security risk due to its broad permissions. Instead, AWS recommends creating IAM users with limited permissions for everyday operations, such as managing S3 buckets or EC2 instances. This approach helps to minimize the risk of misuse of the root account and strengthens the overall security posture of the AWS account.
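The quickest way to verify the root and MFA state of an account is the IAM credential report (`aws iam generate-credential-report` then `aws iam get-credential-report`, which returns the CSV base64-encoded). The following added example (not code from the original post or from AWS) parses a constructed, column-trimmed report and a constructed password policy, lists the root-account gaps and the console users without MFA, and prints the command that applies a password policy at the CIS AWS Foundations Benchmark thresholds. The account id and user names are made up.

```python
"""Added example (not from the original post): audit a decoded IAM credential
report and account password policy for the root/MFA gaps this section
describes. Report rows are constructed; column names follow the real report."""
import csv
import io

# Constructed credential report, trimmed to the columns used below.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2023-06-01T09:12:00+00:00,false,true,false
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T10:00:00+00:00,true,2023-06-02T08:00:00+00:00,false,true,false
bob,arn:aws:iam::111122223333:user/bob,2021-03-04T10:00:00+00:00,true,2023-06-02T08:30:00+00:00,true,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-05-05T10:00:00+00:00,false,no_information,false,true,false
"""

# CIS AWS Foundations Benchmark values for the two numeric password controls.
CIS_PASSWORD_POLICY = {"MinimumPasswordLength": 14, "PasswordReusePrevention": 24}


def parse_credential_report(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def root_account_findings(rows):
    """Root should have MFA, no access keys, and no recent password sign-ins."""
    root = next(r for r in rows if r["user"] == "<root_account>")
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root account has no MFA device")
    if "true" in (root["access_key_1_active"], root["access_key_2_active"]):
        findings.append("root account has active access keys")
    if root["password_last_used"] not in ("no_information", "N/A"):
        findings.append(f"root password used for sign-in on {root['password_last_used']}")
    return findings


def console_users_without_mfa(rows):
    """Users who can sign in with a password but have no MFA device."""
    return [r["user"] for r in rows
            if r["user"] != "<root_account>"
            and r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def password_policy_gaps(policy):
    """Compare `aws iam get-account-password-policy` output with the benchmark."""
    gaps = []
    for key, minimum in CIS_PASSWORD_POLICY.items():
        if policy.get(key, 0) < minimum:
            gaps.append(f"{key} is {policy.get(key, 'unset')}, benchmark requires {minimum}")
    return gaps


def hardened_password_policy_command():
    return ("aws iam update-account-password-policy --minimum-password-length 14 "
            "--require-symbols --require-numbers --require-uppercase-characters "
            "--require-lowercase-characters --allow-users-to-change-password "
            "--password-reuse-prevention 24")


if __name__ == "__main__":
    rows = parse_credential_report(SAMPLE_CREDENTIAL_REPORT)
    for f in root_account_findings(rows):
        print("ROOT:", f)
    print("console users without MFA:", console_users_without_mfa(rows))
    weak = {"MinimumPasswordLength": 8, "PasswordReusePrevention": 5}
    for g in password_policy_gaps(weak):
        print("PASSWORD POLICY:", g)
    print(hardened_password_policy_command())
```

`deploy-bot` is deliberately not reported: it has no console password, so an MFA device would not apply. Programmatic users are handled by key rotation and, better, by replacing long-lived keys with IAM roles, which is a separate check from the one shown here.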
#6: Use AWS Config to enforce logging for AWS compute and storage
Enforcing logging for AWS compute and storage services is crucial for maintaining visibility and control over your cloud infrastructure. By using AWS Config, you can ensure that all resources are configured with the necessary logging settings, and you can automate the remediation process when resources fall out of compliance. This helps you detect and respond to security incidents faster and more effectively. In addition, AWS Config provides a centralized view of resource configurations and changes, allowing you to monitor compliance against policies and regulations. By setting up AWS Config rules for logging, you can ensure that all your resources, including EC2 instances, S3 buckets, and other storage services, are logging the necessary events and activities. This is an essential step towards improving your security posture and protecting your sensitive data from unauthorized access or misuse.
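AWS Config ships a managed rule, `s3-bucket-logging-enabled`, for the basic check; a custom rule lets you also require that logs go to the dedicated log bucket and never back to the bucket itself. The following added example (not code from the original post or from AWS) shows the evaluation logic of such a custom rule in the shape Config hands to a rule's Lambda function, with the `put_evaluations` call left as a comment so the code runs offline. The configuration item layout for bucket logging under `supplementaryConfiguration` is my assumption of the shape, and the bucket names and timestamps are constructed.

```python
"""Added example (not from the original post): evaluation logic for a custom
AWS Config rule that marks S3 buckets without server access logging (or with
logging pointed at the wrong place) NON_COMPLIANT. Inputs are constructed."""
import json


def evaluate_bucket_logging(configuration_item, log_bucket=None):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    supplementary = configuration_item.get("supplementaryConfiguration") or {}
    logging_cfg = supplementary.get("BucketLoggingConfiguration") or {}
    destination = logging_cfg.get("destinationBucketName")
    if not destination:
        return "NON_COMPLIANT", "Server access logging is disabled"
    if destination == configuration_item.get("resourceName"):
        return "NON_COMPLIANT", "Bucket logs to itself; use a dedicated log bucket"
    if log_bucket and destination != log_bucket:
        return "NON_COMPLIANT", f"Logs go to {destination}, expected {log_bucket}"
    return "COMPLIANT", f"Server access logs delivered to {destination}"


def lambda_handler(event, context=None):
    """Entry point Config invokes; returns the evaluation it would submit."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_bucket_logging(item, params.get("LogBucket"))
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # Inside Lambda the result is reported back to Config with:
    # boto3.client("config").put_evaluations(Evaluations=[evaluation],
    #                                        ResultToken=event["resultToken"])
    return evaluation


def make_event(bucket_name, destination=None, expected_log_bucket="example-access-logs"):
    """Constructed Config invocation for a bucket with the given logging target."""
    item = {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": bucket_name,
        "resourceName": bucket_name,
        "configurationItemCaptureTime": "2023-06-01T00:00:00.000Z",
        "supplementaryConfiguration": {"BucketLoggingConfiguration": {
            "destinationBucketName": destination,
            "logFilePrefix": f"{bucket_name}/" if destination else None}},
    }
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": json.dumps({"LogBucket": expected_log_bucket}),
            "resultToken": "constructed-token"}


if __name__ == "__main__":
    for name, dest in [("example-data", "example-access-logs"), ("example-data", None),
                       ("example-data", "example-data"), ("example-data", "someone-elses-logs")]:
        result = lambda_handler(make_event(name, dest))
        print(name, dest, "->", result["ComplianceType"], "|", result["Annotation"])
```

Attach an automatic remediation action to the rule so that a bucket that drops out of compliance is re-pointed at the log bucket without a ticket. The log bucket itself should have Block Public Access on, object lock or versioning, and a policy that lets only the S3 logging service principal write to it; otherwise the logs that prove an incident can be altered by the same actor who disabled logging.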
How can Zilla help?
Zilla Security can significantly reduce your cloud attack surface by detecting and flagging “known bad” settings in any cloud infrastructure. Zilla’s identity security solution offers an extensive library of out-of-the-box policies, including the CIS-recommended identity policies for AWS, to immediately reduce your attack surface and prevent similar problems from returning.
You can use Zilla’s identity security solution to find and fix the most common sources of data breaches, including AWS accounts with enabled root access, admins with third-party email addresses, privileged accounts without MFA, and S3 buckets with public access.
Additionally, Zilla’s fully automated, easy-to-use access reviews help you always know who has access to what and demonstrate robust evidence of your organization’s security measures. With regular, comprehensive assessments, you can prevent many issues discussed above and ensure your organization stays secure and compliant. If you would like to learn more about AWS security best practices and Zilla Security, contact us.