Oct 20 2022

Datadog Details Most Common AWS Security Mistakes

Category: AWS Security | DISC @ 1:29 pm

At its Dash 2022 conference, Datadog shared a report that found the primary security challenge organizations encounter in the Amazon Web Services (AWS) cloud is lax management of credentials.

Based on data collected from more than 600 organizations that rely on the Datadog platform to monitor their AWS cloud computing environments, the report also noted the complexity of the AWS identity and access management (IAM) service may lead organizations to publicly expose sensitive resources by accident.

IAM user access keys are static, long-lived credentials that never expire on their own. The Datadog report found 75% of AWS IAM users have an active access key that’s older than 90 days, while 25% have an active access key that’s older than one year and hasn’t been used in the past 30 days.

A total of 40% of IAM users have not used any of their credentials in the past 90 days, while 40% of organizations have at least one IAM user with AWS Console access but no multifactor authentication (MFA) enabled.

Andrew Krug, lead technical evangelist for security at Datadog, said managing cloud credentials is challenging because organizations often lack any offboarding processes to limit access when, for example, an employee leaves the company. As a result, cybercriminals that steal credentials are then able to easily gain access to cloud environments simply because organizations don’t rotate access keys, he added.

Datadog also noted that every AWS account has a root user whose permissions are unrestricted and cannot be limited by IAM policies. Datadog found approximately 10% of organizations have an active root user access key; some of these keys are up to 13 years old. A quarter of organizations (25%) had someone use root user credentials in the 30 days prior to the Datadog study. There may occasionally be a legitimate need for that level of access (a handful of account-management tasks require root), but Krug noted the best practice is to employ least-privilege access whenever possible.
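The checks behind these numbers can be run against your own account from the IAM credential report. The following is an added example, not code from the Datadog report: it parses a credential report in the CSV layout AWS returns (the sample rows, account ID and dates are constructed, and the reference date is pinned to 20 October 2022 so the output is reproducible) and flags the conditions discussed above: access keys older than 90 days, keys over a year old that have not been used in 30 days, users with no activity in 90 days, console passwords without MFA, and any root access key or recent root sign-in.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of the IAM credential report
# (`aws iam generate-credential-report` / `aws iam get-credential-report`);
# the account ID, user names and dates are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2010-05-01T00:00:00+00:00,not_supported,2022-10-01T08:15:00+00:00,not_supported,not_supported,false,true,2010-05-01T00:00:00+00:00,2022-09-30T12:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-01-10T00:00:00+00:00,true,2022-10-18T09:00:00+00:00,2022-08-01T00:00:00+00:00,2022-11-01T00:00:00+00:00,true,true,2022-09-20T00:00:00+00:00,2022-10-19T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2020-03-01T00:00:00+00:00,true,2022-10-10T00:00:00+00:00,2022-03-01T00:00:00+00:00,2022-06-01T00:00:00+00:00,false,true,2021-04-01T00:00:00+00:00,2022-10-15T00:00:00+00:00,eu-west-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2019-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-06-01T00:00:00+00:00,2021-02-01T00:00:00+00:00,us-west-2,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed reference time so the sample gives reproducible results; use
# datetime.now(timezone.utc) when auditing a real report.
NOW = datetime(2022, 10, 20, tzinfo=timezone.utc)


def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def days_since(ts, now):
    return None if ts is None else (now - ts).days


def audit_credential_report(report_csv, now=NOW, max_key_age=90, stale_after=30, unused_after=90):
    """Return a list of (user, finding_code, detail) tuples for one credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        activity = [parse_ts(row["password_last_used"])]  # every sign-in or key use we know of

        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            age = days_since(parse_ts(row[f"access_key_{slot}_last_rotated"]), now)
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            idle = days_since(last_used, now)
            activity.append(last_used)
            if is_root:
                # Root should have no access keys at all, whatever their age.
                findings.append((user, "root-access-key", f"active root access key, {age} days old"))
            if age is not None and age > max_key_age:
                findings.append((user, "old-access-key", f"key {slot} is {age} days old"))
            if age is not None and age > 365 and (idle is None or idle > stale_after):
                used = "never used" if idle is None else f"unused for {idle} days"
                findings.append((user, "stale-access-key", f"key {slot} is over a year old and {used}"))

        # Console password without MFA (root reports password_enabled as not_supported).
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console-no-mfa", "console password enabled without MFA"))
        if is_root:
            if row["mfa_active"] != "true":
                findings.append((user, "root-no-mfa", "root user has no MFA device"))
            pw_used = days_since(parse_ts(row["password_last_used"]), now)
            if pw_used is not None and pw_used <= stale_after:
                findings.append((user, "root-recent-use", f"root signed in {pw_used} days ago"))

        seen = [t for t in activity if t is not None]
        last = days_since(max(seen), now) if seen else None
        if last is None or last > unused_after:
            detail = "never used" if last is None else f"last activity {last} days ago"
            findings.append((user, "unused-credentials", detail))
    return findings


if __name__ == "__main__":
    for user, code, detail in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {code:20} {detail}")
```

Against a real account, run `aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 -d` and pass the decoded CSV to `audit_credential_report`. With the sample, alice is clean, bob is flagged for an old key and console access without MFA, ci-deploy for a stale and unused key, and the root row for an active access key, missing MFA and a sign-in within the last 30 days.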

Other issues surfaced by Datadog pertain to how organizations configure cross-account access with resource-based policies (a bucket policy or queue policy attached to the resource itself). A policy whose principal is "*" with no restricting condition grants access to everyone, not just to other accounts. The report found 18% of organizations that use the Amazon Simple Queue Service, for example, have at least one publicly exposed queue that lets anyone receive or publish messages. More than a third of organizations that use the Amazon S3 storage service have at least one publicly exposed bucket.
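A resource policy is public when an Allow statement names the anonymous principal ("*" or {"AWS": "*"}) and no condition pins it to a specific source. The checker below is an added example, not Datadog's tooling: the three policies are constructed (account ID, queue and bucket names are made up), and the set of condition keys treated as "restricting" is an assumption encoded in RESTRICTING_KEYS. It also handles the two cases that fool naive checks: an anonymous principal that is legitimately scoped by aws:SourceArn (the SNS-to-SQS fan-out pattern), and an aws:SourceIp condition of 0.0.0.0/0 that restricts nothing.

```python
import json

# Constructed sample policies; account ID and resource names are made up.
PUBLIC_QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
        "Resource": "arn:aws:sqs:us-east-1:111122223333:orders",
    }],
}

# Same anonymous principal, but the Condition pins it to one SNS topic: the
# usual SNS-to-SQS fan-out pattern, which is not public.
SNS_FANOUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TopicCanSend",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:111122223333:orders",
        "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:order-events"}},
    }],
}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-assets/*",
        },
        {   # an aws:SourceIp of 0.0.0.0/0 is a condition in form only
            "Sid": "AnyIpWrite",
            "Effect": "Allow",
            "Principal": {"AWS": ["*"]},
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::example-assets/*",
            "Condition": {"IpAddress": {"aws:SourceIp": ["0.0.0.0/0"]}},
        },
        {   # Deny statements with Principal "*" are the good kind
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-assets", "arn:aws:s3:::example-assets/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# Condition keys that tie an otherwise-anonymous Allow to a specific caller or source.
# Assumption for this example: other keys (e.g. aws:SecureTransport) do not narrow "who".
RESTRICTING_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:sourceowner", "aws:sourcevpc",
    "aws:sourcevpce", "aws:principalorgid", "aws:principalaccount", "aws:sourceip",
}
UNRESTRICTED_CIDRS = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: any AWS principal, or no signature at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_restricts(condition):
    """True if some condition key actually narrows who can use the statement."""
    for _operator, pairs in condition.items():
        for key, values in pairs.items():
            k = key.lower()
            if k not in RESTRICTING_KEYS:
                continue
            if k == "aws:sourceip" and set(_as_list(values)) & UNRESTRICTED_CIDRS:
                continue  # "any IP" restricts nothing
            return True
    return False


def public_statements(policy):
    """Return [(sid, [actions])] for Allow statements usable by any AWS principal."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if _condition_restricts(stmt.get("Condition", {})):
            continue
        hits.append((stmt.get("Sid", f"Statement[{i}]"), _as_list(stmt.get("Action", []))))
    return hits


if __name__ == "__main__":
    for name, pol in [("queue", PUBLIC_QUEUE_POLICY), ("fan-out", SNS_FANOUT_POLICY), ("bucket", BUCKET_POLICY)]:
        print(name, public_statements(pol))
```

Real policies come from `aws sqs get-queue-attributes --queue-url ... --attribute-names Policy` and `aws s3api get-bucket-policy --bucket ...`. The check looks only at the policy document: it does not know about S3 Block Public Access or Organizations SCPs, which can neutralize a public statement, so treat a hit as "review this", and prefer IAM Access Analyzer, which reasons over the whole chain, for the authoritative answer.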

Krug said it needs to be less complex to create secure IAM policies that grant least-privilege, granular permissions. It’s simply too easy to make a mistake, he added.

A fourth cloud security issue that’s widely overlooked is continued reliance on the first version of the EC2 Instance Metadata Service (IMDSv1). IMDSv1 answers any plain GET request that reaches 169.254.169.254 from the instance, so an application flaw such as server-side request forgery (SSRF) or an open proxy can be used to read the temporary credentials of the instance’s IAM role. IMDSv2 requires a session token that must first be obtained with a PUT request and then sent in a request header, which defeats that pattern. AWS has made the more secure version available, but Datadog found the vast majority of EC2 instances (93%) do not enforce IMDSv2, meaning they still answer IMDSv1 requests. Overall, 95% of organizations that use EC2 have at least one such instance. IMDSv2 should be the default configuration, said Krug.
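An added example (not Datadog's code) that finds instances still accepting IMDSv1 in describe-instances output and generates the AWS CLI command that enforces IMDSv2. The instance records are constructed; the fields used (MetadataOptions.HttpTokens, HttpEndpoint, HttpPutResponseHopLimit, IamInstanceProfile) are those of the real describe-instances response. An instance with an IAM role attached is rated higher because that is where IMDSv1 turns an SSRF bug into stolen credentials.

```python
# Constructed sample in the shape returned by `aws ec2 describe-instances`
# / boto3 describe_instances (only the keys used here are populated).
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{
        "Instances": [
            {   # IMDSv1 allowed and a role attached: SSRF here yields role credentials
                "InstanceId": "i-0aaa111bbb222ccc3",
                "State": {"Name": "running"},
                "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web"},
                "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"},
            },
            {   # IMDSv2 enforced: the target state
                "InstanceId": "i-0ddd444eee555fff6",
                "State": {"Name": "running"},
                "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web"},
                "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                    "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"},
            },
            {   # no role, but IMDSv1 allowed and token responses may leave the host
                "InstanceId": "i-0777888999aaabbb0",
                "State": {"Name": "running"},
                "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"},
            },
            {   # endpoint disabled entirely: nothing to reach, so nothing to report
                "InstanceId": "i-0ccc000ddd111eee2",
                "State": {"Name": "stopped"},
                "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/batch"},
                "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"},
            },
        ]
    }]
}


def imds_findings(describe_output):
    """Return {instance_id: {"severity", "issues", "state"}} for instances needing attention."""
    report = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            issues = []
            # HttpTokens "optional" means v1 GETs are still answered; only "required" enforces v2.
            if opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens") != "required":
                issues.append("imdsv1-allowed")
            # A hop limit above 1 lets IMDSv2 token responses be forwarded off the instance
            # (needed only for containers in bridged networking that must reach IMDS).
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("hop-limit-gt-1")
            if not issues:
                continue
            has_role = "IamInstanceProfile" in inst
            severity = "high" if has_role and "imdsv1-allowed" in issues else "medium"
            report[inst["InstanceId"]] = {
                "severity": severity,
                "issues": issues,
                "state": inst.get("State", {}).get("Name", "unknown"),
            }
    return report


def remediation_commands(findings):
    """AWS CLI commands that switch each flagged instance to IMDSv2-only with a hop limit of 1."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1"
        for iid in sorted(findings)
    ]


if __name__ == "__main__":
    found = imds_findings(SAMPLE_DESCRIBE_INSTANCES)
    for iid, f in found.items():
        print(iid, f["severity"], ", ".join(f["issues"]))
    print("\n".join(remediation_commands(found)))
```

Before running the generated commands fleet-wide, confirm that the software on the instance (old SDKs, some agents) already uses IMDSv2; the `MetadataNoToken` CloudWatch metric for the instance shows whether anything is still making v1 calls. For new instances, set the same options in the launch template so enforcement is the default rather than a cleanup job.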

Finally, Datadog found at least 41% of organizations have adopted a multi-account strategy in AWS, with 6% using more than 10 AWS accounts. Datadog recommended centralizing the management and monitoring of those accounts so it is easier to track who has gained access to a given environment.

Despite these issues, cloud platforms are still fundamentally more secure than on-premises IT environments. However, it’s also clear there is plenty of opportunity for mistakes to be made.


Tags: AWS security

Jul 26 2022

AWS Adds More Tools to Secure Cloud Workloads

Category: AWS Security | DISC @ 2:16 pm

Amazon Web Services (AWS) today expanded its portfolio of cloud security tools as part of an ongoing effort to make it simpler to secure application environments running on its infrastructure.

The additional services, announced at the AWS re:Inforce event, include support for Amazon EBS Volumes within the Amazon GuardDuty Malware Protection service and the ability to automatically share security findings between Amazon GuardDuty and AWS Security Hub.

In addition, the Amazon Macie data security service can now review and validate sensitive data found in an Amazon S3 cloud storage service, while Amazon Detective can now analyze logs generated by the Amazon Elastic Kubernetes Service (EKS).

AWS is also making it possible to assign a numeric compliance measurement value to Conformance Packs to make it easier to identify major deviations in security posture and is making available in preview an encrypted collaboration service dubbed AWS Wickr.

Finally, AWS is making available in preview tools to assess the security of third-party applications in its marketplace and revealed that the AWS Single Sign-On service (AWS SSO) has been rebranded AWS IAM Identity Center to better reflect the expanded role of the platform.

CJ Moses, CISO and vice president of security engineering for AWS, reminded conference attendees that they should be encrypting everything in the cloud and that they should only provide external access to data and applications when required. In particular, organizations should block public access to cloud storage services, he noted.

The rollout of the latest AWS security services comes at a time of intense focus on cloud security as part of a larger effort to better secure software supply chains after a series of high-profile breaches. In general, cloud platforms are more secure than on-premises IT environments; however, the processes used to build and deploy cloud applications are often problematic and can introduce risk. Developers routinely employ open source tools like Terraform to provision cloud infrastructure and accelerate application development. Most of those developers have limited cybersecurity expertise so, inevitably, mistakes are made. The chronic shortage of cybersecurity expertise means most organizations are not able to keep pace with the rate at which workloads are being deployed in the cloud.

AWS contends its platform is more secure than rival platforms because of what it describes as automated reasoning technology, which uses mathematical logic to, for example, detect entire classes of misconfiguration. Rather than sampling for mistakes, that approach lets AWS prove a property of a configuration outright, for instance that a policy cannot grant public access. The issue organizations encounter is the shared responsibility model: every cloud service provider secures the underlying infrastructure, but the customer remains responsible for configuring its own resources correctly and then securing the applications deployed on them. Developers, unfortunately, tend to assume more of that work is automated than actually is.

On the plus side, more organizations are starting to embrace DevSecOps best practices to make software supply chains more secure. The challenge is that no matter how much time and effort goes into educating developers, some development team will eventually make a mistake, and cybercriminals will find a way to exploit it.


Tags: AWS security, AWS Security Cookbook, AWS tools

Aug 30 2021

Operationalize AWS security responsibilities in the cloud

Category: Cloud computing | DISC @ 9:18 am
What do AWS Partners with Level 1 Managed Security Service (MSSP) Competency provide?

All AWS Level 1 MSSP Competency Partners provide at minimum the ten 24/7 security monitoring, protection, and remediation services defined in the Level 1 Managed Security Services baseline. Those ten 24/7 services are:

  • AWS Infrastructure Vulnerability Scanning – Routine scanning of AWS infrastructure for known software vulnerabilities.
  • AWS Resource Inventory Visibility – Continuous scanning and reporting of all AWS resources and their configuration details, updated automatically as resources are added or removed.
  • AWS Security Best Practices Monitoring – Tracking and detecting misconfigurations of AWS resources to improve cloud security posture and reduce business risk.
  • AWS Compliance Monitoring – Scanning the AWS environment against compliance standards and frameworks such as CIS AWS Foundations, PCI DSS, HIPAA, HITRUST, ISO 27001, MITRE ATT&CK, and SOC 2.
  • Monitor, Triage Security Events – Visibility into security alerts through a consolidated list of security events with recommended remediation guidance.
  • 24/7 Incident Alerting and Response – Notification of high-priority security events and expert guidance on recommended remediation steps, around the clock.
  • DDoS Mitigation – Increased visibility and resilience to DDoS attacks, reducing the risk of availability, financial, and security impacts to applications.
  • Managed Intrusion Prevention System (IPS) – An added layer of defense for AWS-based endpoints against known threat patterns.
  • Managed Detection and Response (MDR) for AWS-Based Endpoints – A combination of technology and cloud security experts working to continuously detect, investigate, and remove threats from AWS-based endpoints.
  • Managed Web Application Firewall (WAF) – A managed firewall service designed to protect web-facing applications and APIs against common exploits.

Many Level 1 MSSP Competency Partners also provide additional security assessment and implementation professional services to assist customers in their AWS cloud journey.

What are the prerequisites for becoming an AWS Level 1 MSSP Competency Partner?


Tags: AWS security

Feb 23 2021

Security Logging in Cloud Environments – AWS

Category: Cloud computing, Security logs | DISC @ 4:33 pm

Which Services Can We Leverage?

AWS offers multiple services around logging and monitoring. For example, you have almost certainly heard of CloudTrail and CloudWatch, but they are just the tip of the iceberg.

CloudWatch Logs is the default logging service for many AWS resources (EC2, RDS, and so on): it captures application events and error logs and lets you monitor and troubleshoot application performance. CloudTrail, on the other hand, works one layer down, recording the API calls made against AWS services, which is what makes it the primary audit source for who did what in an account.

Although listing (and describing) all services made available by AWS is out of scope for this blog post, there are a few brilliant resources which tackle this exact problem:

In the remainder of this section I’ll provide a summary of the main services we will need to design our security logging platform. Before doing so, though, it might be helpful having a high-level overview of how these services communicate (special thanks to Scott Piper for the original idea)
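To make the CloudTrail-versus-CloudWatch distinction concrete, here is an added example (not from the original post) of the kind of detection only CloudTrail can feed: it scans one CloudTrail log file for root-user activity and console sign-ins without MFA, the two behaviours the Datadog findings earlier on this page single out. The records are constructed in the shape CloudTrail delivers to S3 ({"Records": [...]}); the account ID, principal IDs and IP addresses are made up.

```python
import json

# Constructed CloudTrail log-file content; account ID, principal IDs and IPs are made up.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # IAM user signs in to the console without MFA
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEBOB",
                         "arn": "arn:aws:iam::111122223333:user/bob",
                         "accountId": "111122223333", "userName": "bob"},
        "eventTime": "2022-10-19T14:02:11Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/console/home"},
    },
    {   # root console sign-in, with MFA: still worth an alert on its own
        "eventVersion": "1.08",
        "userIdentity": {"type": "Root", "principalId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"},
        "eventTime": "2022-10-19T15:30:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # API call made with a root access key
        "eventVersion": "1.08",
        "userIdentity": {"type": "Root", "principalId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333",
                         "accessKeyId": "AKIAEXAMPLEROOTKEY"},
        "eventTime": "2022-10-19T16:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
    },
    {   # IAM user signs in with MFA: nothing to report
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "accountId": "111122223333", "userName": "alice"},
        "eventTime": "2022-10-19T16:10:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # failed password attempt against bob
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEBOB",
                         "arn": "arn:aws:iam::111122223333:user/bob",
                         "accountId": "111122223333", "userName": "bob"},
        "eventTime": "2022-10-19T17:45:03Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.44",
        "errorMessage": "Failed authentication",
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # routine role session: mfaAuthenticated=false on a role is not a finding by itself
        "eventVersion": "1.08",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:ci",
                         "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci",
                         "accountId": "111122223333",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "eventTime": "2022-10-19T18:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.25",
    },
]})


def detect_cloudtrail_alerts(log_file_text):
    """Scan one CloudTrail log file; return [(eventTime, alert_code, principal_arn)]."""
    alerts = []
    for rec in json.loads(log_file_text).get("Records", []):
        ident = rec.get("userIdentity", {})
        arn = ident.get("arn", "?")
        when = rec.get("eventTime")

        # Any use of the root user, console or API, is worth paging on: root should be idle.
        if ident.get("type") == "Root":
            alerts.append((when, "root-activity", arn))

        if rec.get("eventSource") == "signin.amazonaws.com" and rec.get("eventName") == "ConsoleLogin":
            outcome = rec.get("responseElements", {}).get("ConsoleLogin")
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            if outcome == "Failure":
                alerts.append((when, "console-login-failed", arn))
            # Only IAM users and root carry their MFA in this field; federated sign-ins
            # report MFAUsed "No" because MFA happened at the identity provider.
            elif outcome == "Success" and mfa != "Yes" and ident.get("type") in ("IAMUser", "Root"):
                alerts.append((when, "console-login-no-mfa", arn))
    return alerts


if __name__ == "__main__":
    for when, code, arn in detect_cloudtrail_alerts(SAMPLE_CLOUDTRAIL):
        print(when, code, arn)
```

In production the same logic runs as a CloudWatch Logs metric filter or an EventBridge rule on the CloudTrail event stream rather than over files from S3, but the field paths are identical, so a file-based harness like this one is a cheap way to test a rule against known-good and known-bad records before deploying it.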

Source: Security Logging in Cloud Environments – AWS

Tags: AWS security, Cloud computing, cloud security

Dec 26 2020

Fake Amazon gift card emails deliver the Dridex malware

Category: Malware, Pen Test | DISC @ 1:56 pm

The Dridex malware gang is delivering a nasty gift for the holidays using a spam campaign pretending to be Amazon Gift Cards.

Dridex phishing campaign wants to send a gift

When distributing malware, malware gangs commonly use current events and the holidays as themes for phishing campaigns to lure people into opening malicious attachments.

Such is the case in a recent phishing campaign discovered by cybersecurity firm Cybereason that pretends to be an Amazon gift certificate sent via email.

These emails pretend to be a $100 gift certificate that users must redeem by clicking a button in the message.

Source: Fake Amazon gift card emails deliver the Dridex malware


Tags: AWS security

May 19 2019

AWS Security Profiles: Tracy Pierce, Senior Consultant, Security Specialty, Remote Consulting Services | Amazon Web Services

Category: AWS Security | DISC @ 1:00 pm

In the weeks leading up to re:Inforce, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing. You’ve worn a lot of hats at AWS. What do you do in your current role, […]

Source: AWS Security Profiles: Tracy Pierce, Senior Consultant, Security Specialty, Remote Consulting Services | Amazon Web Services


Tags: AWS, AWS security