Protecting the AWS Environment

Recent events involving AWS S3 data compromises have once again highlighted the ongoing and complex struggle organizations face when attempting to achieve a secure state of operations in the cloud. Of particular interest is the reinforcement of the need for defense in depth with active monitoring. While officially published documents have left out the detail of the initial server compromise, the community has postulated that a SSRF (Server Side Request Forgery) was initially used to steal valid IAM Credentials for a role from the victim’s AWS account.

SSRF requires that an attacker take advantage of a flaw in the exposed web interface of a server in order to trick the server into executing commands on behalf of the attacker. If this method of attack is successfully used, the IAM role credentials can be obtained through the call to an “internal” address. In the case of SSRF, the internal resource with the credentials is accessed by another internal resource (the server), which is executing the attacker’s command.

The most common point made in news reports about AWS S3 data compromises is that the S3 bucket was misconfigured and left exposed to the internet without requiring authentication. When an S3 bucket is configured to require authentication, and even restrict access to specific IAM roles, most organizations would consider the bucket to be secure. When paired with an SSRF attack (or other successful attack method) that obtains credentials to S3, those S3 buckets are now accessible to the attacker within the scope of the permissions granted to the compromised IAM Role.

Solutions to Consider

S3 buckets are always publicly facing, so only the validity of credentials typically stands between an attacker and the target data. Enter IAM policy condition statements. The example below would restrict access, even for valid credentials, unless the request comes from a source IP address in the list. This is one additional layer of defense that organizations should consider utilizing for access that is expected to originate from a specific network location (internal or external).

“Condition” :  {

      “IpAddress” : {

          “aws:SourceIp” : [“192.168.0.0/24”, “10.10.11.0/24”]

      }

}

Other leading practices include the enablement of CloudTrail logs to have visibility into the actions taking place.  These logs are instrumental in assisting both internal incident responders and external investigators in piecing together the events that occurred.

CloudWatch events can be considered to monitor for and alert on (or even act through lambda functions) suspicious activity such as making AWS API calls from external IP addresses or sync’ing S3 buckets to external locations.

For an industry leading benchmark to guide the baseline security implementation, consider the AWS CIS Foundations Benchmark.

For additional insight into what is occurring in your AWS environment, and visibility into potential security risks, consider the following AWS services:

Randy Armknecht

Managing Director
Cloud Solutions

Subscribe to Topics

Providing a 360-degree view of various interactions enables organizations with a more proactive approach to accelerate business results. Learn how Microsoft Dynamics 365 CE can help you. Read here: http://ow.ly/MQ8X50JizUO

#ProtivitiTech #Microsoft #Dynamics

Join Protiviti's Paul Kooney and Stephen Nation as they discuss how to set up trust in an organization in tomorrow's Tech Talks at the TrustWeek 2022 Conference. http://ow.ly/HaT750JfK4Y

#ProtivitiTech #TrustWeek #privacy #security #dataprivacy

Evolving #dataprivacy laws and updates in the #OneTrust system call for a closer look at #privacy systems and processes. Join #ProtivitiTech Ismail Ali and Sam Reiter at #TrustWeek to learn how to take your OneTrust deployment to the next level. http://ow.ly/JlSU50JfHkL

Protiviti is pleased to be a Platinum Sponsor at the #TrustWeek 2022 conference. Join #ProtivitiTech and discover best practices to protect #privacy, #data #security, act sustainably and build trust with clients and within your company. http://ow.ly/1NZN50JfyYN

Embedded analytics have rapidly become one of the new “art of the possible” scenarios. Learn how platform's such as @SAP's BI Launchpad continue to develop data analytics, and enables continued organizational growth: http://ow.ly/TuRj50Jcxy0

#ProtivitiTech #SAP #DataAnalytics

Load More...