Oct 20 2022

Datadog Details Most Common AWS Security Mistakes

Category: AWS Security | Posted by DISC at 1:29 pm

At its Dash 2022 conference, Datadog shared a report that found the primary security challenge organizations encounter in the Amazon Web Services (AWS) cloud is lax management of credentials.

Based on data collected from more than 600 organizations that rely on the Datadog platform to monitor their AWS cloud computing environments, the report also noted the complexity of the AWS identity and access management (IAM) service may lead organizations to publicly expose sensitive resources by accident.

Access keys are a static type of credential that do not expire. The Datadog report found 75% of AWS IAM users have an active access key that’s older than 90 days, while 25% have an active access key that’s older than one year and hasn’t been used in the past 30 days.

A total of 40% have also not used their credentials in the past 90 days, while 40% of organizations have at least one IAM user that has AWS Console access without multifactor authentication (MFA) enabled.

Andrew Krug, lead technical evangelist for security at Datadog, said managing cloud credentials is challenging because organizations often lack any offboarding processes to limit access when, for example, an employee leaves the company. As a result, cybercriminals that steal credentials are then able to easily gain access to cloud environments simply because organizations don’t rotate access keys, he added.

Datadog also noted that, by default, AWS provisions users at a root level that provides them with unlimited administrative permissions. Datadog found approximately 10% of organizations have an active root user access key. Some of these keys are up to 13 years old. A quarter of organizations (25%) had someone use root user credentials in the 30 days prior to the Datadog study. There may be a legitimate need for that level of access, but Krug noted the best practice is to employ least-privilege access whenever possible.
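The access-key, idle-credential, MFA and root-user findings above all come from the same data source: the IAM credential report. The script below is an added example, not Datadog's tooling, that reads that report (the CSV format `aws iam get-credential-report` returns) and flags each row against the thresholds the report cites: keys older than 90 days, credentials unused for 90 days, keys over a year old and idle for 30 days, console users without MFA, active root access keys, and root sign-ins within the last 30 days. The rows, account number, user names and the fixed "today" are constructed sample data; the `fetch_credential_report` helper uses the real boto3 calls if you want to run it against a live account.

```python
"""Audit an IAM credential report for stale keys, idle credentials, missing MFA and root use.

Added example, not Datadog's tooling. It reads the CSV that the real
`aws iam get-credential-report` call returns; the rows below are constructed
sample data for a fictional account 111122223333.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Thresholds taken from the report's findings.
KEY_AGE_DAYS = 90        # active access key rotated more than 90 days ago
UNUSED_DAYS = 90         # credential not used in the last 90 days
OLD_KEY_DAYS = 365       # key older than a year ...
OLD_KEY_IDLE_DAYS = 30   # ... and not used in the last 30 days
ROOT_USE_DAYS = 30       # any root sign-in in this window

SAMPLE_NOW = datetime(2022, 10, 20, tzinfo=timezone.utc)  # constructed "today"

# Constructed sample report (same columns as the real one).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2010-01-04T10:00:00+00:00,not_supported,2022-10-01T08:12:00+00:00,not_supported,not_supported,true,true,2010-01-04T10:05:00+00:00,2022-09-30T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-15T09:00:00+00:00,true,2022-10-18T14:00:00+00:00,2022-07-01T09:00:00+00:00,2022-09-29T09:00:00+00:00,false,true,2021-03-15T09:10:00+00:00,2022-10-19T16:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2019-06-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-06-01T09:00:00+00:00,2022-03-01T00:00:00+00:00,us-west-2,sqs,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-09-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-09-01T09:00:00+00:00,2022-10-19T01:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A
"""


def _parse_time(value):
    """tz-aware datetime, or None for the report's N/A / no_information / not_supported markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=None):
    """Return {user: [issue, ...]} for every row that breaks one of the thresholds."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, issues = row["user"], []
        is_root = user == "<root_account>"
        # Console access without MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console_without_mfa")
        # Root sign-in inside the window.
        pw_used = _parse_time(row["password_last_used"])
        if is_root and pw_used and now - pw_used <= timedelta(days=ROOT_USE_DAYS):
            issues.append(f"root_console_used_in_{ROOT_USE_DAYS}d")
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"]) or _parse_time(row["user_creation_time"])
            # A key that was never used counts as idle since it was created.
            last_used = _parse_time(row[f"access_key_{slot}_last_used_date"]) or rotated
            age, idle = now - rotated, now - last_used
            if is_root:
                issues.append(f"root_access_key_{slot}_active")
            if age > timedelta(days=KEY_AGE_DAYS):
                issues.append(f"key_{slot}_older_than_{KEY_AGE_DAYS}d")
            if idle > timedelta(days=UNUSED_DAYS):
                issues.append(f"key_{slot}_unused_for_{UNUSED_DAYS}d")
            if age > timedelta(days=OLD_KEY_DAYS) and idle > timedelta(days=OLD_KEY_IDLE_DAYS):
                issues.append(f"key_{slot}_over_1y_and_idle_{OLD_KEY_IDLE_DAYS}d")
        if issues:
            findings[user] = issues
    return findings


def count_by_issue(findings):
    """How many principals carry each issue (the per-organization view the report gives)."""
    return Counter(issue for issues in findings.values() for issue in issues)


def fetch_credential_report():
    """Live report via iam:GenerateCredentialReport / iam:GetCredentialReport (needs boto3 and credentials)."""
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW).items():
        print(f"{user}: {', '.join(issues)}")
```

On the sample data the root row is flagged for a 12-year-old active key and a recent console sign-in, `alice` for console access without MFA on top of a key that is over a year old (still in use, so not idle), and `bob` for a key that is both old and unused; the recently created `ci-deploy` key passes. The same loop runs unchanged over a real report, which is how an offboarding check of the kind Krug describes can be scheduled rather than done by hand.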

Other issues surfaced by Datadog pertain to how organizations configure cross-account access by using a resource-based IAM policy attached to the resource itself. The report found 18% of organizations that use the Amazon Simple Queue Service, for example, have at least one publicly exposed queue that enables anyone to receive or publish messages to those queues. More than a third of organizations that use the AWS S3 cloud storage service have at least one publicly exposed bucket.
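The exposure the report describes comes down to one pattern in a resource-based policy: an `Allow` statement whose `Principal` is `"*"` (or `{"AWS": "*"}`) with no `Condition` narrowing who that applies to. The classifier below is an added example, not Datadog's tooling, that applies that rule to SQS queue and S3 bucket policies and separates statements that are wide open from ones that carry a condition (which may scope the grant, as `aws:PrincipalOrgID` does, or may not, as `aws:SecureTransport` alone does not, so those still need a human look). The three policy documents, the account numbers, queue and bucket names and the org ID are constructed; the two fetch helpers use real boto3 calls.

```python
"""Classify resource-based policy statements (S3 bucket or SQS queue policies) by exposure.

Added example, not Datadog's tooling. The policy documents are constructed
samples with fictional account numbers and resource names.
"""
import json


def _as_list(value):
    """Normalise IAM's string-or-list fields to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous or any AWS account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def classify_statements(policy):
    """Return [(sid, exposure, actions)] for every Allow statement open to any principal.

    exposure is "public" when the statement has no Condition, and "conditional"
    when one is present: a condition may scope the grant (aws:PrincipalOrgID,
    aws:SourceArn) or may not (aws:SecureTransport alone), so review those by hand.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    results = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        exposure = "conditional" if stmt.get("Condition") else "public"
        results.append((stmt.get("Sid", f"statement-{i}"), exposure, sorted(_as_list(stmt.get("Action")))))
    return results


# Constructed sample policies.
PUBLIC_QUEUE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenQueue", "Effect": "Allow", "Principal": "*",
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
        "Resource": "arn:aws:sqs:us-east-1:111122223333:orders",
    }],
})

ORG_SCOPED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

CROSS_ACCOUNT_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "PartnerRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    },
})


def fetch_sqs_policy(queue_url):
    """Live lookup via sqs:GetQueueAttributes (needs boto3 and credentials)."""
    import boto3
    attrs = boto3.client("sqs").get_queue_attributes(QueueUrl=queue_url, AttributeNames=["Policy"])
    return attrs["Attributes"].get("Policy", "{}")


def fetch_s3_policy(bucket):
    """Live lookup via s3:GetBucketPolicy (raises NoSuchBucketPolicy when none is attached)."""
    import boto3
    return boto3.client("s3").get_bucket_policy(Bucket=bucket)["Policy"]


if __name__ == "__main__":
    for name, policy in [("queue", PUBLIC_QUEUE_POLICY), ("org bucket", ORG_SCOPED_BUCKET_POLICY),
                         ("partner bucket", CROSS_ACCOUNT_BUCKET_POLICY)]:
        print(name, classify_statements(policy))
```

The queue policy is the case the report counts: anyone can send to or receive from it. The org-scoped bucket comes back as conditional rather than public, and the cross-account grant to a single named account is the intended shape of cross-account access and is not flagged at all. For S3 specifically, a public bucket policy is only effective when S3 Block Public Access is off at both the account and bucket level, so a finding from this classifier should be read together with that setting.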

Krug said it needs to be less complex to create secure IAM policies that grant least-privilege, granular permissions. It’s simply too easy to make a mistake, he added.

A fourth cloud security issue that is widely overlooked is continued reliance on the first version of the EC2 Instance Metadata Service (IMDS), which has known vulnerabilities. AWS has made available a more secure version, but Datadog found the vast majority of EC2 instances (93%) are not enforcing the usage of IMDSv2. Overall, 95% of organizations that use EC2 have at least one vulnerable instance. The second version of IMDS should be the default configuration, said Krug.
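"Not enforcing IMDSv2" has a precise meaning in the EC2 API: the instance's `MetadataOptions.HttpTokens` is `optional`, so the metadata endpoint still answers plain IMDSv1 requests without a session token. The script below is an added example, not Datadog's tooling, that walks a `describe-instances` response, lists the instances still in that state, computes the enforcement rate the report quotes, and offers a remediation helper built on the real `ModifyInstanceMetadataOptions` call. The response document and instance IDs are constructed; `fetch_instances` and `enforce_imdsv2` use real boto3 calls.

```python
"""Find EC2 instances that still accept IMDSv1 and (optionally) switch them to IMDSv2 only.

Added example, not Datadog's tooling. The describe-instances response below is
constructed and the instance IDs are fictional.
"""

# Constructed sample in the shape of ec2.describe_instances().
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
             "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccccccccccccccc3",  # endpoint disabled: no IMDS at all, not exposed
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ddddddddddddddd4",
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 2}},
        ]},
    ]
}


def instances(response):
    """Flatten Reservations[].Instances[] into one iterator."""
    for reservation in response.get("Reservations", []):
        yield from reservation.get("Instances", [])


def _endpoint_enabled(inst):
    return inst.get("MetadataOptions", {}).get("HttpEndpoint") == "enabled"


def _tokens_required(inst):
    return inst.get("MetadataOptions", {}).get("HttpTokens") == "required"


def imdsv1_allowed(response):
    """Instance IDs whose metadata endpoint answers without a session token (IMDSv1 reachable)."""
    return [inst["InstanceId"] for inst in instances(response)
            if _endpoint_enabled(inst) and not _tokens_required(inst)]


def imdsv2_enforcement_rate(response):
    """Fraction of instances with the endpoint enabled that require tokens; 1.0 when none have it enabled."""
    enabled = [inst for inst in instances(response) if _endpoint_enabled(inst)]
    if not enabled:
        return 1.0
    return sum(1 for inst in enabled if _tokens_required(inst)) / len(enabled)


def fetch_instances(region=None):
    """Live inventory via ec2:DescribeInstances, merged across pages (needs boto3 and credentials)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    merged = {"Reservations": []}
    for page in ec2.get_paginator("describe_instances").paginate():
        merged["Reservations"].extend(page["Reservations"])
    return merged


def enforce_imdsv2(instance_ids, region=None):
    """Live remediation via ec2:ModifyInstanceMetadataOptions: require a token for every request."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    for instance_id in instance_ids:
        ec2.modify_instance_metadata_options(InstanceId=instance_id, HttpTokens="required", HttpEndpoint="enabled")


if __name__ == "__main__":
    exposed = imdsv1_allowed(SAMPLE_DESCRIBE_INSTANCES)
    print("IMDSv1 still reachable on:", exposed)
    print("IMDSv2 enforcement rate:", round(imdsv2_enforcement_rate(SAMPLE_DESCRIBE_INSTANCES), 2))
```

Two caveats when running the remediation for real. Workloads that fetch credentials from IMDS through an SDK older than IMDSv2 support will break once tokens are required, so stage the change per instance. And the IMDSv2 `PUT` that obtains a token honours `HttpPutResponseHopLimit`; with the default of 1 it does not reach containers on the instance, so hosts that run containers needing the metadata service may need a hop limit of 2 alongside `HttpTokens=required`.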

Finally, Datadog found at least 41% of organizations have adopted a multi-account strategy in AWS, with 6% of organizations using more than 10 AWS accounts. Datadog recommended centralizing accounts to make it easier to monitor who has gained access to a cloud computing environment.

Despite these issues, cloud platforms are still fundamentally more secure than on-premises IT environments. However, it’s also clear there is plenty of opportunity for mistakes to be made.

Tags: AWS security