7 Cloud Security Issues and AWS Security Best Practices Fixes
When developing or hosting using AWS, some of the most common and serious AWS security concerns include:
- Insufficient Permissions and Encryptions
- Accidentally making Amazon Machine Images (AMIs) public
- Identity and Access Management (IAM) given too much control/access, indirectly
- CloudTrail logging disabled, or not enabled
- S3 buckets logging disabled, or not enabled
- Not enough IP addresses enabled within a Virtual Private Cloud (VPC)
- Network Access Control list (NACL) allowing too much inbound traffic
In this article, we look at these seven AWS security issues, and how to fix them. Although AWS is one of the largest and most secure cloud-providers on the planet, there are a lot of things that can go wrong, and often this happens during the configuration stage.
Without realising it, even experienced IT teams can configure AWS solutions in such a way as to cause serious potential security issues and problems down the road.
No one wants that to happen, of course. Security weaknesses and vulnerabilities can undermine an entire Enterprise security architecture, giving hackers and cyber criminals access to your network, IT infrastructure, apps, websites, email, and numerous other internal systems. Here are seven of the most serious AWS cloud security problems, and solutions for these.
Top 7 AWS Security Best Practices
#1: Insufficient Permissions and Encryptions
Within AWS is the option to store and retrieve data using the Simple Storage Service (S3) infrastructure, also known as S3 buckets. Users can choose to create a bucket within a specific region (anywhere in the world you choose), and upload the data quickly and cheaply.
However, the problem is that it’s too easy to make what should be a private bucket public. This means that anyone with an AWS account, and even anonymous users who can access it, one way or another. In 2018, Symantec found that 70 million buckets were accessible or had data stolen or leaked due to poor configuration issues.
Solution: Making sure, at the configuration stage, that an S3 bucket is private, or permissions have been granted the right way to specific users or groups, especially if you’re storing anything sensitive within this bucket.
#2: Accidentally making Amazon Machine Images (AMIs) public
Amazon Machine Images (AMIs) contain everything anyone would need to launch an Amazon Elastic Compute Cloud (EC2) instance. AMIs contain everything you would need to replicate something a company is already using for elastic cloud-based storage (e.g. the operating system, server and applications).
Accidentally making an AMI public makes your company incredibly vulnerable to security threats, and is unfortunately easy to do in error. Anyone with an AWS account can even be shared within an AWI catalog, which could mean sensitive data is shared in the public domain.
Solution: At the configuration stage, making sure an AMI is set to private is the most effective way to avoid what could be a very expensive, embarrassing and time-consuming mistake and security error.
#3: Identity and Access Management (IAM) given too much control/access, indirectly
With Identity and Access Management (IAM), users can set and grant, control and revoke access to AWS accounts and services. However, as one of the most common Amazon cloud issues, access can be set incorrectly, potentially giving the wrong users too much control, or access to sensitive data they shouldn’t have.
Solution: Definitely an AWS cloud security best practices that should be monitored closely and reviewed by a trusted development and security partner, to ensure the right users have the correct permissions to maintain security protocols within the Enterprise.
#4: CloudTrail logging disabled, or not enabled
Amazon CloudTrail tracks and monitors every API call made against their account. It logs all of the records then deposits them in the relevant S3 bucket. Unfortunately, this is a service that too many users either disable or fail to enable, which means you never know where API requests are being made from. As an AWS cloud security, this is a serious one, because you could be under a DDoS attack without realising it, and not knowing where the attack is coming from.
Solution: One of the essential AWS security tips, is to ensure CloudTrail stays enabled, or isn’t disabled, and the API data logs are reviewed regularly.
#5: S3 buckets logging disabled, or not enabled
Similar to the above AWS security problem: if S3 bucket logs aren’t enabled, or have been disabled, then you’ve got a potentially serious security weakness within your AWS account(s).
Solution: Logging must be manually enabled, and it’s always recommended that security and data logs for all S3 buckets are reviewed regularly.
#6: Not enough IP addresses enabled within a Virtual Private Cloud (VPC)
Within Virtual Private Cloud (VPC) infrastructures, such as VPNs, administrators need to set enough IP addresses to ensure everyone who needs it can access the VPN or VPC. Having too many open and set could be a weakness in itself, but not enabling enough might mean those who need additional security can’t get into the VPN.
Solution: As a customizable solution, IT and cloud admins need to ensure any VPC or VPN environment is configured according to who needs access, with the relevant permissions and security monitoring in-place, to avoid a VPN and anything contained and transmitted within being made public.
#7: Network Access Control list (NACL) allowing too much inbound traffic
A Network Access Control list (NACL) is another optional layer of AWS security that can control traffic in and out of a subnet within a network, such as a VPC or VPN. Another worrying AWS security concerns, is that if access is configured the wrong way, you could give anyone access (especially if NACL rule #100 is accidentally set), thereby creating a major security issue.
Solution: Make sure this is configured the right way, and always monitor access and traffic.
AWS has created one of the most secure, flexible and configurable sets of cloud-based storage solutions in the world. But at the same time, there are many many security concerns when it comes to AWS, and so much of those come down to the way users configure accounts, access, network permissions, and numerous other settings.
If you have any AWS security concerns, have suffered any kind of security breach, and think these AWS security best practices are useful for your business, then get in contact with Skelia, to give your AWS a security boost.