73% of Companies Have Critical AWS Security Misconfigurations

Threat Stack Delivers Wake Up Call

Wide open SSH and infrequent software updates among top risks identified in the majority of cloud-based environments

How effective are your AWS security configurations? And how do you know for sure?

In a recent eye-opening study, Threat Stack found that 73% of companies have at least one critical security misconfiguration, such as remote SSH open to the entire internet. By “critical”, we mean configuration lapses that enable an attacker to gain access directly to private services or the AWS console, or that could be used to mask criminal activity from monitoring technologies.

If we caught your attention with that opening statistic, please read on.

Here’s What the Threat Stack Study Found

Our analysis found a surprising number of well-documented security misconfigurations.

  • Among the most egregious were AWS Security Groups configured to leave SSH wide open to the internet in 73% of the companies analyzed. This simple configuration error allows an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. In fact, Threat Stack observed SSH traffic from the internet using the root account, which could have severe security repercussions.
  • Additionally, the well-recognized best practice of requiring multi-factor authentication (MFA) for AWS users was not being followed by 62% of companies analyzed, making brute force attacks that much simpler.
  • Even AWS-native security services, such as CloudTrail, were not being deployed universally (27%) across all regions.
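The three lapses listed above can each be checked mechanically. The following is an added example, not code from Threat Stack or its study: it runs over constructed dictionaries shaped like the EC2 describe_security_groups, IAM list_users / list_mfa_devices and CloudTrail describe_trails responses. The group IDs, user names and the make_group helper are hypothetical.

```python
# Added example; all sample data is constructed. Dict shapes follow the EC2
# describe_security_groups, IAM list_mfa_devices and CloudTrail describe_trails responses.
import ipaddress

def open_ssh_groups(groups):
    """IDs of security groups whose ingress allows port 22 from 0.0.0.0/0 or ::/0."""
    flagged = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            # "-1" means every protocol and port; otherwise the TCP range must span 22.
            hits_22 = proto == "-1" or (
                proto == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"])
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = any(ipaddress.ip_network(c, strict=False).prefixlen == 0
                        for c in cidrs)
            if hits_22 and world:
                flagged.append(sg["GroupId"])
                break
    return flagged

def users_without_mfa(users, mfa_by_user):
    """Names of IAM users with no MFA device registered."""
    return [u["UserName"] for u in users if not mfa_by_user.get(u["UserName"])]

def has_multi_region_trail(trails):
    """True if at least one trail is configured to cover all regions."""
    return any(t.get("IsMultiRegionTrail") for t in trails)

def make_group(gid, proto, ports, v4=(), v6=()):  # hypothetical sample-data helper
    perm = {"IpProtocol": proto, "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}
    if ports:
        perm["FromPort"], perm["ToPort"] = ports
    return {"GroupId": gid, "IpPermissions": [perm]}

GROUPS = [
    make_group("sg-open", "tcp", (22, 22), v4=["0.0.0.0/0"]),
    make_group("sg-vpn", "tcp", (22, 22), v4=["10.0.0.0/8"]),
    make_group("sg-all-v6", "-1", None, v6=["::/0"]),
    make_group("sg-web", "tcp", (443, 443), v4=["0.0.0.0/0"]),
]
USERS = [{"UserName": "alice"}, {"UserName": "bob"}]
MFA = {"alice": [{"SerialNumber": "constructed-device"}], "bob": []}
TRAILS = [{"Name": "constructed-trail", "IsMultiRegionTrail": False}]

if __name__ == "__main__":
    print(open_ssh_groups(GROUPS), users_without_mfa(USERS, MFA), has_multi_region_trail(TRAILS))
```

Against a live account the same functions take the SecurityGroups, Users, MFADevices and trailList fields of the corresponding API responses. A trail that is multi-region in configuration still needs its logging status confirmed separately.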

“The most surprising part of these findings is that, for all the money that sophisticated enterprises spend on advanced security, a majority aren’t even taking full advantage of the basic security tools available to them as AWS users,” said Sam Bisbee, Threat Stack’s CTO.

“Despite years of education from AWS and their technology partners in the industry, not to mention the prevalence of automated security checks, a majority of users are still not configuring their cloud environments securely.

“Hopefully, the data in our new analysis will serve as a wake-up call.”

There’s More . . . Failure to Keep Software Updates Current

While these lapses in cloud security best practice are relatively simple to fix, Threat Stack identified a more complex concern.

Data collected by Threat Stack going back to September of 2016 showed that fewer than 13% of the companies analyzed were keeping software updates current. In addition, despite the “spin up/down” intrigue of the cloud, the majority of those unpatched systems are kept online indefinitely, some for more than three years.

For a detailed discussion of this problem, see “It All Started With a Wager About System Upgrades” by Sam Bisbee, Threat Stack’s CTO. For guidance on how to effectively manage the problem, take a look at “OS Updates and Package Management” by Tom McLaughlin, Threat Stack’s Engineering Advocate.

The Bottom Line

When the problem of software updates is combined with the AWS misconfigurations and weak remote administration, it becomes clear that companies need to focus on fundamental hygiene immediately.

Check Your AWS Configuration Settings with Config Audit

AWS Customers: Use this quick-to-install, self-audit trial from Threat Stack to identify the types of AWS misconfigurations that can easily be missed.

Quickly measure your specific AWS configuration settings against AWS security best practices and obtain steps for improvements.