Protecting the AWS Environment

Recent events involving AWS S3 data compromises have once again highlighted the ongoing and complex struggle organizations face when attempting to achieve a secure state of operations in the cloud. Of particular interest is the reinforcement of the need for defense in depth with active monitoring. While officially published documents have left out the detail of the initial server compromise, the community has postulated that a SSRF (Server Side Request Forgery) was initially used to steal valid IAM Credentials for a role from the victim’s AWS account.

SSRF requires that an attacker take advantage of a flaw in the exposed web interface of a server in order to trick the server into executing commands on behalf of the attacker. If this method of attack is successfully used, the IAM role credentials can be obtained through the call to an “internal” address. In the case of SSRF, the internal resource with the credentials is accessed by another internal resource (the server), which is executing the attacker’s command.

The most common point made in news reports about AWS S3 data compromises is that the S3 bucket was misconfigured and left exposed to the internet without requiring authentication. When an S3 bucket is configured to require authentication, and even restrict access to specific IAM roles, most organizations would consider the bucket to be secure. When paired with an SSRF attack (or other successful attack method) that obtains credentials to S3, those S3 buckets are now accessible to the attacker within the scope of the permissions granted to the compromised IAM Role.

Solutions to Consider

S3 buckets are always publicly facing, so only the validity of credentials typically stands between an attacker and the target data. Enter IAM policy condition statements. The example below would restrict access, even for valid credentials, unless the request comes from a source IP address in the list. This is one additional layer of defense that organizations should consider utilizing for access that is expected to originate from a specific network location (internal or external).

“Condition” :  {

      “IpAddress” : {

          “aws:SourceIp” : [“192.168.0.0/24”, “10.10.11.0/24”]

      }

}

Other leading practices include the enablement of CloudTrail logs to have visibility into the actions taking place.  These logs are instrumental in assisting both internal incident responders and external investigators in piecing together the events that occurred.

CloudWatch events can be considered to monitor for and alert on (or even act through lambda functions) suspicious activity such as making AWS API calls from external IP addresses or sync’ing S3 buckets to external locations.

For an industry leading benchmark to guide the baseline security implementation, consider the AWS CIS Foundations Benchmark.

For additional insight into what is occurring in your AWS environment, and visibility into potential security risks, consider the following AWS services:

Randy Armknecht

Managing Director
Cloud Solutions

Subscribe to Topics

In this interview with @helpnetsecurity, Protiviti's David Taylor explains why #ransomwareattacks are so effective, what makes organizations vulnerable to attacks and what they can do to better protect themselves. http://ow.ly/su1m50GwBSt

#ProtivitiTech #ransomware #cybersecurity

As businesses compete for #quantum compute time, things can get complicated. @Strangeworks provides shorter queue times and cost and access control for customers. Join @KonstantHacker as he chats on this with Cesar Rodriguez from @Strangeworks. http://ow.ly/jERF50Gvo0W

Read this #SAP Blog to learn five considerations that have improved #ROI for our clients, highlight new ways of working and the art of the possible in the organization’s future #S4HANA system compared to ECC 6.x systems. http://ow.ly/WE5I50GuBRT

#ProtivitiTech #analytics #cloud

The intersection of #5G and #edgecomputing technologies will reinvent industries, change the way #security is implemented and revolutionize business operations. Learn in #Technology Insights why 5G and edge computing impacts approaches to security: http://ow.ly/hut750Gu2Um

Digitally transforming business with #Dynamics365 CE provides organizations with easy configuration and #integration with other #Microsoft products, fewer post-deployment issues and can be accessed anywhere. Read more in the #Technology Insights blog: http://ow.ly/AueX50GqQZs

Load More...