Oct 20 2022

Datadog Details Most Common AWS Security Mistakes

Category: AWS Security | DISC @ 1:29 pm

At its Dash 2022 conference, Datadog shared a report that found the primary security challenge organizations encounter in the Amazon Web Services (AWS) cloud is lax management of credentials.

Based on data collected from more than 600 organizations that rely on the Datadog platform to monitor their AWS cloud computing environments, the report also noted that the complexity of AWS Identity and Access Management (IAM) may lead organizations to publicly expose sensitive resources by accident.

Access keys are static, long-lived credentials: unlike the temporary credentials that roles obtain from STS, they never expire unless someone deactivates or deletes them. The Datadog report found 75% of AWS IAM users have an active access key that’s older than 90 days, while 25% have an active access key that’s older than one year and hasn’t been used in the past 30 days.

A total of 40% of IAM users have also not used their credentials in the past 90 days, while 40% of organizations have at least one IAM user that has AWS Console access without multifactor authentication (MFA) enabled.

Andrew Krug, lead technical evangelist for security at Datadog, said managing cloud credentials is challenging because organizations often lack any offboarding process to limit access when, for example, an employee leaves the company. As a result, cybercriminals who steal credentials can easily gain access to cloud environments simply because organizations don’t rotate access keys, he added.

Datadog also noted that every AWS account is created with a root user whose permissions are unrestricted and cannot be limited by IAM policies. Datadog found approximately 10% of organizations have an active root user access key; some of these keys are up to 13 years old. A quarter of organizations (25%) had someone use root user credentials in the 30 days prior to the Datadog study. There may be a legitimate need for that level of access, but Krug noted the best practice is to employ least-privilege access whenever possible.
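The following Python script is an added example, not Datadog’s tooling or code from the report. It audits the credential conditions the report measures: active access keys older than 90 days or unused for 30 days, console users without an MFA device, and the presence of a root access key. The analysis functions take data shaped like the boto3 IAM responses (ListAccessKeys, GetAccessKeyLastUsed, GetLoginProfile, ListMFADevices, GetAccountSummary), so the constructed sample below runs without AWS access; collect_from_aws() shows the live calls. The user names and key IDs in the sample are made up.

```python
"""Audit IAM credential hygiene: stale access keys, console users without MFA,
and a root access key. Added example, not the report's own tooling.
Pure functions take boto3-shaped data so they run on the constructed sample
without AWS access; collect_from_aws() shows the live collection."""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # rotation threshold used in the report
MAX_IDLE = timedelta(days=30)     # unused this long: candidate for deactivation


def audit_access_keys(keys, now):
    """Flag active keys older than MAX_KEY_AGE or idle longer than MAX_IDLE.

    Each key is ListAccessKeys metadata merged with GetAccessKeyLastUsed:
    UserName, AccessKeyId, Status, CreateDate, LastUsedDate (None if never used).
    Returns (UserName, AccessKeyId, reason) tuples.
    """
    findings = []
    for k in keys:
        if k["Status"] != "Active":
            continue  # inactive keys cannot authenticate; delete them, but they are not a live risk
        age = now - k["CreateDate"]
        last = k.get("LastUsedDate")
        idle = (now - last) if last else age  # never used: idle since creation
        reasons = []
        if age > MAX_KEY_AGE:
            reasons.append(f"age {age.days}d > {MAX_KEY_AGE.days}d")
        if idle > MAX_IDLE:
            reasons.append(f"unused for {idle.days}d")
        if reasons:
            findings.append((k["UserName"], k["AccessKeyId"], "; ".join(reasons)))
    return findings


def console_users_without_mfa(users):
    """users: dicts with UserName, HasLoginProfile (console password set), MfaDeviceCount."""
    return [u["UserName"] for u in users if u["HasLoginProfile"] and u["MfaDeviceCount"] == 0]


def root_has_access_key(summary_map):
    """GetAccountSummary's SummaryMap reports AccountAccessKeysPresent=1 when root has a key."""
    return summary_map.get("AccountAccessKeysPresent", 0) > 0


def collect_from_aws():
    """Live collection; boto3 is imported here so the module runs without it."""
    import boto3
    iam = boto3.client("iam")
    keys, users = [], []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            for meta in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
                used = iam.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])
                keys.append({**meta, "LastUsedDate": used["AccessKeyLastUsed"].get("LastUsedDate")})
            try:
                iam.get_login_profile(UserName=name)
                has_console = True
            except iam.exceptions.NoSuchEntityException:
                has_console = False
            mfa = iam.list_mfa_devices(UserName=name)["MFADevices"]
            users.append({"UserName": name, "HasLoginProfile": has_console, "MfaDeviceCount": len(mfa)})
    return keys, users, iam.get_account_summary()["SummaryMap"]


# Constructed sample data (names and key IDs are made up).
NOW = datetime(2022, 10, 20, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": NOW - timedelta(days=1)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30), "LastUsedDate": NOW - timedelta(days=2)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=500), "LastUsedDate": None},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=800), "LastUsedDate": None},
]
SAMPLE_USERS = [
    {"UserName": "ci-deploy", "HasLoginProfile": False, "MfaDeviceCount": 0},
    {"UserName": "alice", "HasLoginProfile": True, "MfaDeviceCount": 1},
    {"UserName": "bob", "HasLoginProfile": True, "MfaDeviceCount": 0},
]
SAMPLE_SUMMARY = {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 1}

if __name__ == "__main__":
    for user, key_id, why in audit_access_keys(SAMPLE_KEYS, NOW):
        print(f"STALE KEY  {user:<10} {key_id}  ({why})")
    for user in console_users_without_mfa(SAMPLE_USERS):
        print(f"NO MFA     {user}")
    if root_has_access_key(SAMPLE_SUMMARY):
        print("ROOT KEY   account has an active root access key; delete it")
```

The offboarding gap Krug describes shows up here as bob: a console password, no MFA, and a never-used key that is over a year old. Replace the live loop’s inputs with the output of collect_from_aws() to run it against an account; the IAM credential report (GenerateCredentialReport) gives the same data in one CSV if you prefer not to page through users.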

Other issues surfaced by Datadog pertain to how organizations configure cross-account access using resource-based policies attached to the resource itself, such as SQS queue policies and S3 bucket policies. The report found 18% of organizations that use the Amazon Simple Queue Service (SQS), for example, have at least one publicly exposed queue that allows anyone to receive or publish messages. More than a third of organizations that use the Amazon S3 cloud storage service have at least one publicly exposed bucket.

Krug said creating IAM policies that grant least-privilege, granular permissions needs to be less complex. It’s simply too easy to make a mistake, he added.
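The check below is an added example (not Datadog’s own detection, and not code from the article) for the two preceding paragraphs: it parses a resource-based policy such as an SQS queue policy or S3 bucket policy and flags Allow statements whose principal is the wildcard “*”, the configuration that makes a queue or bucket public. The three sample policies, the account IDs, ARNs and the VPC endpoint ID in them are constructed; the second queue policy is the hardened form of the first.

```python
"""Flag resource-based policy statements that grant access to anonymous callers.
Added example, not Datadog's own check. Works on the JSON of an SQS queue policy
or S3 bucket policy; the sample policies below are constructed."""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal into a list of strings; a "*" entry means anonymous access."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    found = []
    if isinstance(principal, dict):
        for value in principal.values():  # keys: AWS, Service, Federated, CanonicalUser
            found.extend(_as_list(value))
    return found


def find_exposed_statements(policy_json):
    """Return one finding per Allow statement whose principal is "*".

    level "public": no Condition at all, so anyone on the internet matches.
    level "conditional": a Condition narrows it (aws:SourceVpce, aws:SourceIp, ...);
    still review it, since a weak or mis-keyed condition is as good as none.
    Named principals (another account's ARN) are cross-account grants, not public,
    and are left for IAM Access Analyzer-style review rather than flagged here.
    """
    policy = json.loads(policy_json)
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if "*" not in _principals(statement):
            continue
        findings.append({
            "sid": statement.get("Sid", ""),
            "actions": _as_list(statement.get("Action", [])),
            "level": "conditional" if statement.get("Condition") else "public",
        })
    return findings


QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:orders"  # constructed

# The mistake: anyone on the internet can publish to and drain the queue.
PUBLIC_QUEUE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanUseQueue", "Effect": "Allow", "Principal": "*",
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"], "Resource": QUEUE_ARN}]})

# The fix: name the one cross-account role that needs to publish, nothing more.
FIXED_QUEUE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ProducerOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/order-producer"},
     "Action": "sqs:SendMessage", "Resource": QUEUE_ARN}]})

# A bucket policy with a legitimate cross-account grant and a wildcard that is
# narrowed by a condition: reported as "conditional", not "public".
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"},
    {"Sid": "FromOurVpc", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})

if __name__ == "__main__":
    for name, doc in [("public queue", PUBLIC_QUEUE_POLICY),
                      ("fixed queue", FIXED_QUEUE_POLICY), ("bucket", BUCKET_POLICY)]:
        print(name, "->", find_exposed_statements(doc) or "no wildcard principals")
```

To run this against live resources, feed it the Policy attribute from sqs.get_queue_attributes(QueueUrl=..., AttributeNames=["Policy"]) or s3.get_bucket_policy(Bucket=...)["Policy"]. For S3 specifically, turning on S3 Block Public Access at the account level is the cheaper control: it rejects public bucket policies and ACLs regardless of what a developer writes.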

A fourth, widely overlooked cloud security issue is continued reliance on the first version of the EC2 Instance Metadata Service (IMDS). IMDSv1 answers plain GET requests on the link-local address with no authentication, so a server-side request forgery (SSRF) bug in an application on the instance is enough to read the instance role’s temporary credentials; IMDSv2 requires a session token obtained with a PUT request, which most SSRF primitives cannot issue. AWS has made the more secure version available, but Datadog found the vast majority of EC2 instances (93%) do not enforce IMDSv2, and 95% of organizations that use EC2 have at least one such instance. IMDSv2 should be the default configuration, said Krug.
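As an added example (not Datadog’s tooling, not code from the article), the script below finds instances that still accept IMDSv1, builds the ModifyInstanceMetadataOptions call that makes IMDSv2 mandatory, and shows the IMDSv2 token handshake that an SSRF-only attacker cannot perform. The audit works on a DescribeInstances-shaped response, so the constructed sample (instance IDs are made up) runs offline; enforce_imdsv2() and fetch_role_credentials_v2() need a live boto3 client and an EC2 instance respectively.

```python
"""Find EC2 instances that still accept IMDSv1 and enforce IMDSv2 on them.
Added example, not Datadog's tooling. The audit works on a DescribeInstances-
shaped response so the constructed sample runs offline; the remediation builds
the exact ModifyInstanceMetadataOptions parameters boto3 sends."""
import json
import urllib.request

IMDS = "http://169.254.169.254"


def instances_not_enforcing_imdsv2(describe_response):
    """Return IDs of instances with IMDS enabled and HttpTokens != "required".

    With HttpTokens "optional" (the long-standing default) a plain GET returns the
    instance role's credentials, so any SSRF in an app on the box can steal them.
    """
    weak = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata service at all: nothing to steal via IMDS
            if opts.get("HttpTokens") != "required":
                weak.append(inst["InstanceId"])
    return weak


def imdsv2_params(instance_id, hop_limit=1):
    """Parameters for ec2.modify_instance_metadata_options that make IMDSv2 mandatory.

    hop_limit 1 stops the token response crossing a container bridge network; raise
    it to 2 only where containers on the instance legitimately need the role.
    """
    return {"InstanceId": instance_id, "HttpTokens": "required",
            "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": hop_limit}


def enforce_imdsv2(ec2, instance_ids, hop_limit=1):
    """Apply the change with a live boto3 EC2 client."""
    for instance_id in instance_ids:
        ec2.modify_instance_metadata_options(**imdsv2_params(instance_id, hop_limit))


def fetch_role_credentials_v2(ttl_seconds=60):
    """The IMDSv2 handshake, for use on an instance: a PUT with a TTL header yields a
    session token, and every subsequent GET must present it. Typical SSRF bugs only
    let an attacker issue a header-less GET, which is why requiring tokens blocks them."""
    token_req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with urllib.request.urlopen(token_req, timeout=2) as resp:
        token = resp.read().decode()
    auth = {"X-aws-ec2-metadata-token": token}
    base = f"{IMDS}/latest/meta-data/iam/security-credentials/"
    with urllib.request.urlopen(urllib.request.Request(base, headers=auth), timeout=2) as resp:
        role = resp.read().decode().strip()
    with urllib.request.urlopen(urllib.request.Request(base + role, headers=auth), timeout=2) as resp:
        return json.loads(resp.read())


# Constructed sample shaped like ec2.describe_instances(); instance IDs are made up.
SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccccccccccccccc3",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]}

if __name__ == "__main__":
    print("IMDSv1 still accepted on:", instances_not_enforcing_imdsv2(SAMPLE_DESCRIBE))
    # Live use:
    #   import boto3; ec2 = boto3.client("ec2")
    #   enforce_imdsv2(ec2, instances_not_enforcing_imdsv2(ec2.describe_instances()))
```

Enforcing tokens on running instances is only half the job: set HttpTokens to required in launch templates and Auto Scaling configurations too, or the next scale-out event reintroduces IMDSv1 hosts.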

Finally, Datadog found at least 41% of organizations have adopted a multi-account strategy in AWS, with 6% of organizations using more than 10 AWS accounts. Datadog recommended centralizing the management and monitoring of those accounts to make it easier to track who has gained access to a cloud computing environment.

Despite these issues, cloud platforms are still fundamentally more secure than on-premises IT environments. However, it’s also clear there is plenty of opportunity for mistakes to be made.


Tags: AWS security

Jul 26 2022

AWS Adds More Tools to Secure Cloud Workloads

Category: AWS Security | DISC @ 2:16 pm

Amazon Web Services (AWS) today expanded its portfolio of cloud security tools as part of an ongoing effort to make it simpler to secure application environments running on its infrastructure.

The additional services, announced at the AWS re:Inforce event, include support for Amazon EBS Volumes within the Amazon GuardDuty Malware Protection service and the ability to automatically share security findings between Amazon GuardDuty and AWS Security Hub.

In addition, the Amazon Macie data security service can now review and validate sensitive data it finds in Amazon S3 buckets, while Amazon Detective can now analyze audit logs from the Amazon Elastic Kubernetes Service (EKS).

AWS is also adding a numeric compliance score to AWS Config Conformance Packs to make it easier to spot major deviations in security posture, and is making available in preview an end-to-end encrypted collaboration service dubbed AWS Wickr.

Finally, AWS is making available in preview tools to assess the security of third-party applications in its marketplace and revealed that the AWS Single Sign-On service (AWS SSO) has been rebranded AWS IAM Identity Center to better reflect the expanded role of the platform.

CJ Moses, CISO and vice president of security engineering for AWS, reminded conference attendees that they should be encrypting everything in the cloud and that they should only provide external access to data and applications when required. Organizations should especially block public access to cloud storage services, he noted.

The rollout of the latest AWS security services comes at a time of intense focus on cloud security as part of a larger effort to better secure software supply chains after a series of high-profile breaches. In general, cloud platforms are more secure than on-premises IT environments; however, the processes used to build and deploy cloud applications are often problematic and can introduce risk. Developers routinely employ open source tools like Terraform to provision cloud infrastructure and accelerate application development. Most of those developers have limited cybersecurity expertise so, inevitably, mistakes are made. The chronic shortage of cybersecurity expertise means most organizations are not able to keep pace with the rate at which workloads are being deployed in the cloud.

AWS contends its platform is more secure than rival platforms because of what it describes as automated reasoning technology that applies mathematical logic to, for example, detect entire classes of misconfigurations. On that basis, AWS said it can formally prove properties of a cloud environment’s configuration. The issue organizations encounter is that every cloud service provider’s shared responsibility model leaves the customer responsible both for configuring the infrastructure correctly and for securing the applications deployed on it. Developers, unfortunately, tend to assume more automation is being applied to secure their workloads than actually is.

On the plus side, more organizations are also starting to embrace DevSecOps best practices to make software supply chains more secure. The challenge is that no matter how much time and effort is spent educating developers, there will always be a development team that makes a mistake, and cybercriminals will find a way to exploit it.


Tags: AWS security, AWS Security Cookbook, AWS tools

Jan 03 2022

SEGA Europe left AWS S3 bucket unsecured exposing data and infrastructure to attack

Category: AWS Security, Cloud computing | DISC @ 10:43 am

At the end of the year, gaming giant SEGA Europe inadvertently left users’ personal information publicly accessible in an Amazon Web Services (AWS) S3 bucket, cybersecurity firm VPN Overview reported.

The unsecured S3 bucket contained multiple sets of AWS keys that could have allowed threat actors to access many of SEGA Europe’s cloud services, along with MailChimp and Steam keys that allowed access to those services in SEGA’s name.

“Researchers found compromised SNS notification queues and were able to run scripts and upload files on domains owned by SEGA Europe. Several popular SEGA websites and CDNs were affected.” reads the report published by VPN Overview.


The unsecured S3 bucket could potentially also grant access to user data, including information on hundreds of thousands of users of the Football Manager forums at community.sigames.com.

Below is the list of issues in SEGA Europe’s Amazon cloud environment reported by VPN Overview, with the severity the researchers assigned to each:

Steam developer key: Moderate
RSA keys: Serious
PII and hashed passwords: Serious
MailChimp API key: Critical
Amazon Web Services credentials: Critical


Tags: AWS S3 bucket unsecured

May 18 2021

Detecting attackers obfuscating their IP address inside AWS

Category: AWS Security | DISC @ 9:14 am

The feature and its exploitation potential

“Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS resources in a logically isolated virtual network that you define,” AWS explains.

Customers have complete control over their virtual networking environment, and can select their own IP address range, create subnets, and configure route tables and network gateways.

Unfortunately, the same control also lets an attacker choose the IP address written to AWS CloudTrail logs: API calls made through a VPC endpoint are logged with the caller’s private IP inside that VPC, so an attacker who accesses a compromised account via a newly created VPC endpoint picks the address range that will appear in the victim’s logs.

“This can potentially enable an attacker to fool various security protections that rely on the Cloudtrail logs, such as SIEMs and cloud security tools. In addition, analysts looking for evidence of an attack might miss it,” Hunters researchers noted.

Attackers can obfuscate their IP address by making it look like an “organizational” public IP address, an employee “home” external IP address, a (potentially whitelisted) third party service provider public IP address, or a special private, reserved, testing or documentation-only IPv4 subnet block.

They could thus make it seem that a malicious action has been performed by an employee, or make it fly under the radar of threat intelligence and reputation services.

What attackers can’t do with this technique is to change the IAM permissions the attacker has when using victims’ compromised AWS API credentials, nor bypass IP-based IAM policies.

There is a solution

This technique may allow attackers to bypass security measures that rely solely on AWS CloudTrail, an AWS web service that allows customers to log, continuously monitor, and retain account activity related to actions across their AWS infrastructure (including AWS API activity).

Defenders should not rely on the sourceIPAddress field of CloudTrail records to identify who is making API calls inside AWS, the researchers noted. Instead, they should review the vpcEndpointId field.

“If you use VPC endpoints in your environment, the only significant difference between the logs created by legitimate actions and the attacker’s actions is the specific VPC endpoint IDs logged. We recommend addressing this use-case with more anomalous-based detection logic, detecting usage of a new VPC endpoint ID never seen before in the organization,” the researchers advised.

They also recommended that AWS CloudTrail users cross-reference their cloud events with other sensors (endpoints, on-premises systems, email, identity, etc.) to trace inconsistent logging and missed threats.
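The detection logic the researchers recommend, as an added example that is not Hunters’ code or part of the original post: build a baseline of the VPC endpoint IDs the organization has used, then alert on any CloudTrail record carrying an endpoint ID outside that baseline, treating sourceIPAddress as context rather than evidence. It also flags CreateVpcEndpoint events, which an attacker must issue first if they build the endpoint inside the victim account. The records, endpoint IDs, account ID and ARNs below are constructed.

```python
"""Detect API calls through VPC endpoints the organization has never used before.
Added example, not Hunters' code. Runs over CloudTrail records (the "Records"
list of a CloudTrail log file); the records below are constructed."""
from collections import Counter


def vpc_endpoint_baseline(records):
    """Known endpoint IDs with how often each appears. Build this from a long
    history (for example 90 days of CloudTrail queried in Athena) before using it live."""
    return Counter(r["vpcEndpointId"] for r in records if r.get("vpcEndpointId"))


def find_suspicious(records, baseline):
    """Two signals from the technique:
    - a call logged with a vpcEndpointId not in the baseline (the attacker's endpoint);
    - CreateVpcEndpoint itself, which the attacker must do first if they build the
      endpoint inside the victim account (an endpoint in their own account leaves no
      such trace, so the first signal is the one that always fires).
    sourceIPAddress is carried along for context only: it is attacker-chosen here."""
    alerts = []
    for r in records:
        vpce = r.get("vpcEndpointId")
        who = r.get("userIdentity", {}).get("arn", "?")
        if vpce and vpce not in baseline:
            alerts.append(("new-vpc-endpoint", vpce, r["eventName"], r["sourceIPAddress"], who))
        if r.get("eventName") == "CreateVpcEndpoint":
            alerts.append(("vpc-endpoint-created", r.get("awsRegion", "?"), r["eventName"],
                           r["sourceIPAddress"], who))
    return alerts


def _rec(time, name, source, ip, arn, vpce=None, region="us-east-1"):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    rec = {"eventTime": time, "eventName": name, "eventSource": source, "awsRegion": region,
           "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "arn": arn}}
    if vpce:
        rec["vpcEndpointId"] = vpce
    return rec


ALICE = "arn:aws:iam::123456789012:user/alice"
KNOWN_VPCE = "vpce-0123456789abcdef0"   # the organization's own S3 endpoint (constructed)

# Historical traffic: legitimate calls through the known endpoint and from the office.
HISTORY = [
    _rec("2021-04-01T09:00:00Z", "GetObject", "s3.amazonaws.com", "10.0.1.25", ALICE, KNOWN_VPCE),
    _rec("2021-04-02T09:05:00Z", "ListBuckets", "s3.amazonaws.com", "10.0.1.25", ALICE, KNOWN_VPCE),
    _rec("2021-04-03T10:00:00Z", "DescribeInstances", "ec2.amazonaws.com", "198.51.100.10", ALICE),
]

# New traffic: stolen alice credentials used from an attacker-built endpoint whose
# private IP (10.20.0.17) is chosen to look like an internal host.
NEW_EVENTS = [
    _rec("2021-05-18T01:00:00Z", "CreateVpcEndpoint", "ec2.amazonaws.com", "203.0.113.7", ALICE),
    _rec("2021-05-18T01:10:00Z", "ListBuckets", "s3.amazonaws.com", "10.20.0.17", ALICE,
         "vpce-0fedcba9876543210"),
]

if __name__ == "__main__":
    baseline = vpc_endpoint_baseline(HISTORY)
    for alert in find_suspicious(NEW_EVENTS, baseline):
        print(*alert)
```

Running it on the sample raises two alerts: the CreateVpcEndpoint call and the ListBuckets call through vpce-0fedcba9876543210. A SIEM rule keyed on sourceIPAddress would have seen 10.20.0.17, an address inside a private range, and stayed quiet. In a real deployment, refresh the baseline only with endpoint IDs that have been reviewed, not automatically from recent traffic, or the attacker’s endpoint becomes “known” after its first use.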

Tags: obfuscating their IP address

Nov 24 2020

Zero Trust architectures: An AWS perspective

Category: AWS Security, Zero trust | DISC @ 11:23 am

Our mission at Amazon Web Services (AWS) is to innovate on behalf of our customers so they have less and less work to do when building, deploying, and rapidly iterating on secure systems. From a security perspective, our customers seek answers to the ongoing question “What are the optimal patterns to ensure the right level of confidentiality, integrity, and availability of my systems and data while increasing speed and agility?” Increasingly, customers are asking specifically about how security architectural patterns that fall under the banner of Zero Trust architecture or Zero Trust networking might help answer this question.

Given the surge in interest in technology that uses the Zero Trust label, as well as the variety of concepts and models that come under the Zero Trust umbrella, we’d like to provide our perspective. We’ll share our definition and guiding principles for Zero Trust, and then explore the larger subdomains that have emerged under that banner. We’ll also talk about how AWS has woven these principles into the fabric of the AWS cloud since its earliest days, as well as into many recent developments. Finally, we’ll review how AWS can help you on your own Zero Trust journey, focusing on the underlying security objectives that matter most to our customers. Technological approaches rise and fall, but underlying security objectives tend to be relatively stable over time. (A good summary of some of those can be found in the Design Principles of the AWS Well-Architected Framework.)

Definition and guiding principles for Zero Trust

Let’s start out with a general definition. Zero Trust is a conceptual model and an associated set of mechanisms that focus on providing security controls around digital assets that do not solely or fundamentally depend on traditional network controls or network perimeters. The zero in Zero Trust fundamentally refers to diminishing—possibly to zero!—the trust historically created by an actor’s location within a traditional network, whether we think of the actor as a person or a software component. In a Zero Trust world, network-centric trust models are augmented or replaced by other techniques—which we can describe generally as identity-centric controls—to provide equal or better security mechanisms than we had in place previously. Better security mechanisms should be understood broadly to include attributes such as greater usability and flexibility, even if the overall security posture remains the same. Let’s consider more details and possible approaches along the two dimensions.

Source: Zero Trust architectures: An AWS perspective | Amazon Web Services


Tags: Zero Trust, Zero Trust architectures, Zero Trust Network, Zero Trust Security

Nov 22 2020

Nearly Two Dozen AWS APIs Are Vulnerable to Abuse

Category: AWS Security | DISC @ 4:07 pm

Attackers can conduct identity reconnaissance against an organization at leisure without being detected, Palo Alto Networks says.

Nearly two dozen application programming interfaces (APIs) across 16 different Amazon Web Services offerings can be abused to allow attackers to obtain the roster and internal structure of an organization’s cloud account in order to launch targeted attacks against individuals.

All that a threat actor would require in order to carry out the attack is the target organization’s 12-digit AWS account ID, which is not treated as a secret and is routinely shared publicly, Palo Alto Networks said this week.

Source: Nearly Two Dozen AWS APIs Are Vulnerable to Abuse


Jun 15 2020

Dating Apps Exposed 845 GB of Explicit Photos, Chats, and More

Category: AWS Security, Security Breach | DISC @ 2:37 pm

3somes, Gay Daddy Bear, and Herpes Dating are among the nine services that leaked the data of hundreds of thousands of users. Researchers found that a developer running multiple dating services left 845 GB of explicit photos, chats, and more exposed in AWS S3 buckets.

Source: Dating Apps Exposed 845 GB of Explicit Photos, Chats, and More


Jun 11 2020

The importance of encryption and how AWS can help | Amazon Web Services

Category: AWS Security | DISC @ 10:13 pm

Encryption is a critical component of a defense-in-depth strategy, which is a security approach with a series of defensive mechanisms designed so that if one security mechanism fails, there’s at least one more still operating. As more organizations look to operate faster and at scale, they need ways to meet critical compliance requirements and improve […]

Source: The importance of encryption and how AWS can help | Amazon Web Services


Tags: encryption

May 19 2019

AWS Security Profiles: Tracy Pierce, Senior Consultant, Security Specialty, Remote Consulting Services | Amazon Web Services

Category: AWS Security | DISC @ 1:00 pm

In the weeks leading up to re:Inforce, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing. You’ve worn a lot of hats at AWS. What do you do in your current role, […]

Source: AWS Security Profiles: Tracy Pierce, Senior Consultant, Security Specialty, Remote Consulting Services | Amazon Web Services


Tags: AWS, AWS security