Written by Chetan Melhotra
With the advent of Cloud Computing, individuals, enterprises, and large organizations are migrating towards the Cloud. AWS Cloud is the most popular cloud service provider, supporting over 100 services. Misconfigurations are common, and AWS is an attractive attack vector due to its complexity and ubiquity. However, the variety of security services can also become quite intimidating for newcomers, leaving them unsure of where to start. We capture just a tiny amount of services that are available to use in the AWS security Eco-system.
AWS Identity and Access Management (IAM)
Whether you are a small company with a single account or a massive one with thousands of accounts to have different teams accessing resources simultaneously when working on projects, now the question arises of how we can provide access to the team securely.
With AWS IAM, access can be provided to users within the same account and to users from other AWS accounts. Access to resources can be restricted with the help of IAM policies.
IAM risks misconfigurations that result in security vulnerabilities, such as:
- Creating privileged roles, which any AWS user can assume. Anyone knowledgeable about the role can assume the role and perform privileged operations.
- Providing overly permissive privileges to a role used by a service such as EC2 or Lambda. Upon exploiting a vulnerability/misconfiguration in the application running/using the service, the attacker might get hold of the role’s temporary access credentials, allowing the attacker to perform privileged operations.
- Providing low-privileged users the ability to perform critical IAM operations such as attaching policy, adding a user to the group, etc.
Here are some defensive implementations that you can perform:
- Utilize AWS Config that comes with prebuilt rules.
- For IAM permissions, follow the principles of least-privileged access when creating policies and only assign minimal permissions. You can also limit IAM permissions using service control policies and permissions boundaries.
AWS S3
Amazon Simple Storage Service (AWS S3) is a storage service that offers industry-leading scalability, data availability, security, and performance. All sizes of companies and industries can use AWS S3 with all kinds of use cases like mobile/web applications, big data, machine learning, and many more.
AWS storage services have different provisions for highly confidential, frequently accessed, and not-so-frequently accessed data. However, S3 is highly scalable, reliable, and easy to use.
Here are some security practices for AWS S3 to consider:-
- Implement minor privilege identity policies to limit access to S3 resources by combining Identity and Access Management (IAM) policies, bucket policies, and S3 Access Points.
- Ensure that your S3 buckets are not publicly accessible. Block it at the organizational level.
- Encrypt all Amazon S3 data at rest using Server-side Encryption (SSE) or client-side encryption.
- Using versioning will help to preserve, retrieve, and restore your objects.
- Use Macie to scan for sensitive data outside of designated areas.
- Enable logging for S3 using CloudTrail.
- Identify and audit all of your Amazon S3 buckets.
- Implement monitoring of your S3 environment and bucket policies.
CloudTrail
In the Cloud, everything works with an API call, whether using the management console, the CLI, or the AWS SDK. CloudTrail monitors all actions (i.e., API Calls) in AWS. This becomes very useful in incidents and troubleshooting why some security service is not working.
Do these steps to get started:
- Turn on CloudTrail.
- Create an IAM user with limited privileges (e.g., can access EC2 but not S3).
- Analyze the events in CloudTrail for this user creation.
- Try doing something your IAM policy does not allow (accessing S3 when you can only create EC2).
- Look at how the events appear for this failed event.