What Makes a Misconfiguration Critical? AWS Security Tips

In the cloud, where there are no perimeters and limitless endpoints, there are many ways attackers can get direct access to your environment if you make the wrong move. Given the speed that companies are moving to and scaling in the cloud, it’s easy to miss a step along the way and leave your business wide open for an attack.

In a recent survey, we found that 73 percent of companies have critical AWS cloud security misconfigurations. Issues like wide-open SSH and infrequent software updates are among the top risks identified, and of course, some of the biggest exposures in the recent past (Verizon, Dow Jones, and the RNC) were the result of AWS S3 configuration errors. But there are many others that are more obscure, yet just as dangerous if left unaddressed.

So, how do you know whether a misconfiguration is going to put you at risk? And how do you identify where your gaps are? In this post, we’ll walk through the four signs of a critical misconfiguration, how to spot one, and how you can fix it — fast.

Signs of a Critical AWS Security Misconfiguration

The beauty of the cloud is that you can configure it in any number of ways to fit your organization’s unique needs. The only problem is, it can be difficult to know the difference between a configuration that deviates from the norm but does not put your security at risk and one that could lead to a breach.

If a misconfiguration could lead to any of the following situations, then it’s considered critical:

  1. Can be leveraged in a direct data breach
  2. Can be leveraged in a more complex attack
  3. Enables trivial attacks on an AWS console
  4. Reduces or eliminates critical visibility (security or compliance)

The best way to determine whether a misconfiguration could lead to any of the above is to think like an attacker. If you can envision an attack based on a misconfiguration, chances are, someone else can too.

How to Spot a Critical Misconfiguration

The best process for spotting misconfigurations is to scan for them as soon as you move to the cloud and again each time you make a change to your environment. Running a configuration audit will help you see what you may have missed and give you the opportunity to remediate before attackers can find and exploit it.

Looking for some examples? Mishaps like leaving SSH wide open to the internet can allow an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. Failing to enforce multi-factor authentication (MFA) is another big misconfiguration concern. In our survey, 62 percent of companies did not actively require users to use MFA, making brute force attacks all too easy for adversaries to carry out. Auditing your configurations regularly will show you how you hold up against CIS Benchmarks and AWS best practices.

The sooner you begin to regularly audit your configurations, the faster you’ll be able to spot misconfigurations before someone else does.
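As an added example (not Threat Stack's code), here is a small Python audit that implements the two checks just described, SSH open to the internet and IAM users without MFA, against the record shapes the AWS APIs return. The security groups and credential-report rows below are constructed, and the report uses only a subset of the real report's columns.

```python
"""Snapshot audit (added example) for two of the post's critical
misconfigurations: security groups exposing SSH (TCP/22) to the whole
internet, and IAM console users without MFA. Inputs mirror the shapes of
ec2.describe_security_groups()["SecurityGroups"] and the IAM credential
report CSV; the records here are constructed."""
import csv

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}

def rule_covers_port(perm, port):
    """True if an IpPermissions entry reaches `port` over TCP.
    IpProtocol "-1" means all traffic and carries no port fields."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def rule_open_to_world(perm):
    """True if any IPv4 or IPv6 source range is the whole internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)

def find_open_ssh(security_groups):
    """GroupIds whose inbound rules allow SSH from anywhere."""
    return [sg["GroupId"] for sg in security_groups
            if any(rule_covers_port(p, SSH_PORT) and rule_open_to_world(p)
                   for p in sg.get("IpPermissions", []))]

def find_users_without_mfa(credential_report_csv):
    """Users with a console password but no MFA device (subset of columns)."""
    rows = csv.DictReader(credential_report_csv.splitlines())
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] == "false"]

SAMPLE_SGS = [  # constructed sample
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-any", "IpPermissions": [{"IpProtocol": "-1",
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-vpn", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
SAMPLE_REPORT = ("user,password_enabled,mfa_active\n"
                 "alice,true,true\nbob,true,false\ndeploy-bot,false,false\n")
```

Note that `sg-vpn` is not flagged: SSH restricted to a private range is a deviation worth reviewing, not a critical exposure in the post's sense.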

How to Continuously Monitor For Misconfigurations

The fastest way to fix a misconfiguration is to know about it the moment it happens. If you can set up your configuration auditing tool of choice to alert you the moment a misconfiguration is detected, you can take action on it before it’s out on the internet for all to see.

Platforms like Threat Stack’s Audit use CloudTrail monitoring to give visibility into any changes made to these configurations. Someone creates a security group that is wide open to the world? We’ll alert you. New IAM user created without MFA? We’ll alert you. It’s a powerful one-two punch: Configuration Audit gives you the snapshot, and CloudTrail monitoring lets you keep up with your infrastructure and be alerted to misconfigurations in real time.
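An added example, not Threat Stack's product code, of the CloudTrail side of that one-two punch: a detector run over a constructed batch of CloudTrail records that flags an AuthorizeSecurityGroupIngress opening TCP/22 to 0.0.0.0/0, and a CreateLoginProfile for a user with no EnableMFADevice anywhere in the batch. The account id in the sample ARN is AWS's documentation example, and the `_ev` and `_ingress` helpers exist only to build the sample records.

```python
"""Stream detection (added example) over CloudTrail records for the two
changes the post says it alerts on: a security-group rule that opens SSH
to the world, and a new IAM console login never followed by MFA enrolment.
Records are constructed; key names follow CloudTrail's real JSON layout."""
ANYWHERE = {"0.0.0.0/0", "::/0"}

def opens_ssh_to_world(event):
    """AuthorizeSecurityGroupIngress reaching TCP/22 (or all traffic) from anywhere."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    for perm in event["requestParameters"]["ipPermissions"]["items"]:
        proto = perm.get("ipProtocol")
        covers = proto == "-1" or (proto == "tcp" and
                 perm.get("fromPort", 0) <= 22 <= perm.get("toPort", 65535))
        ranges = perm.get("ipRanges", {}).get("items", [])
        if covers and any(r.get("cidrIp") in ANYWHERE for r in ranges):
            return True
    return False

def alerts(events):
    """Alert strings for a batch. MFA enrolment is a separate EnableMFADevice
    event, so CreateLoginProfile is flagged when the batch has none for that user."""
    mfa_users = {e["requestParameters"]["userName"] for e in events
                 if e.get("eventName") == "EnableMFADevice"}
    out = []
    for e in events:
        who = e.get("userIdentity", {}).get("arn", "unknown")
        if opens_ssh_to_world(e):
            out.append(f"OPEN_SSH {e['requestParameters']['groupId']} by {who}")
        elif (e.get("eventName") == "CreateLoginProfile"
              and e["requestParameters"]["userName"] not in mfa_users):
            out.append(f"NO_MFA {e['requestParameters']['userName']} by {who}")
    return out

def _ev(name, params, actor="arn:aws:iam::123456789012:user/admin"):
    return {"eventName": name, "userIdentity": {"arn": actor},
            "requestParameters": params}

def _ingress(group, port, cidr):
    return {"groupId": group, "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
         "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}

SAMPLE_EVENTS = [  # constructed records
    _ev("AuthorizeSecurityGroupIngress", _ingress("sg-bastion", 22, "0.0.0.0/0")),
    _ev("AuthorizeSecurityGroupIngress", _ingress("sg-web", 443, "0.0.0.0/0")),
    _ev("CreateLoginProfile", {"userName": "alice"}),
    _ev("EnableMFADevice", {"userName": "alice"}),
    _ev("CreateLoginProfile", {"userName": "bob"}),
]
```

In production the MFA check would carry state across batches (a user enrolled an hour after login creation should clear the alert), which this batch-local version does not attempt.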

Threat Stack gives you contextual visibility to determine whether a misconfiguration has been exploited and what path the attacker used. With this level of information, you can not only fix the issue at hand, but avoid similar misconfigurations in the future.

Is Your Cloud Misconfigured?

With a platform such as Threat Stack, you can bring your configurations up to 100 percent compliance with AWS security best practices and CIS benchmark standards with a simple, automated scan. This level of visibility allows you to continue moving at the speed of the cloud without missing a beat when it comes to security. Considering the speed at which cloud technologies change today, it can be hard to stay up to date on security best practices, so automating this process gives you the confidence you need to run securely in the cloud.

Do you know whether you have a misconfiguration hidden within your AWS environment? According to the data, the odds are you do. Find out today by scheduling a demo of Threat Stack and seeing what our Configuration Audit feature can uncover for you.

See Threat Stack in Action

Get in touch for a demo of Threat Stack's comprehensive intrusion detection platform.