
Tag: AWS security

10 AWS security blunders and how to avoid them

The cloud has made it dead simple to quickly spin up a new server without waiting for IT.

But the ease of deploying new servers -- and the democratic nature of cloud management -- can be a security nightmare, as a simple configuration error or administrative mistake can compromise the security of your organization's entire cloud environment. With sensitive data increasingly heading to the cloud, how your organization secures its instances and overall cloud infrastructure is of paramount importance.

Cloud providers like Amazon secure the server hardware your instances run on, but the security of everything your organization builds on top of that infrastructure is all on you.

A broad array of built-in security services and third-party tools are available to secure practically any workload, but you have to know how to use them.

And it all starts with proper configuration. Analysis of real-world Amazon Web Services usage doesn’t paint a pretty picture.

Cloud security company Saviynt recently found among its customers an average of 1,150 misconfigurations in Elastic Compute Cloud (EC2) instances per AWS account.
It’s clear that the ease of spinning up EC2 instances for development and testing is coming at the expense of security controls that would otherwise be in place to protect on-premises servers.

AWS admins need to use the available tools properly to ensure the security of their environments. Here we survey some of the most common configuration mistakes administrators make with AWS.

Mistake 1: Not knowing who is in charge of security

When working with a cloud provider, security is a shared responsibility. Unfortunately, many admins don’t always know what AWS takes care of and which security controls they themselves have to apply. When working with AWS, you can’t assume that default configurations are appropriate for your workloads, so you have to actively check and manage those settings. “It’s a straightforward concept, but nuanced in execution,” says Mark Nunnikhoven, vice president of cloud research at Trend Micro. “The trick is figuring out which responsibility is which.” More important, AWS offers a variety of services, each of which requires distinct levels of responsibility; know the differences when picking your service.

For example, EC2 puts the onus of security on you, leaving you responsible for configuring the operating system, managing applications, and protecting data. “It’s quite a lot,” Nunnikhoven says.
In contrast, with AWS Simple Storage Service (S3) customers focus only on protecting data going in and out, as Amazon retains control of the operating system and application. “If you don't understand how this model works, you're leaving yourself open to unnecessary risks,” Nunnikhoven says.

Mistake 2: Forgetting about logs

Too many admins create AWS instances without turning on AWS CloudTrail, a web service that records API calls from the AWS Management Console, AWS SDKs, command-line tools, and higher-level services such as AWS CloudFormation. CloudTrail provides invaluable log data, maintaining a history of all AWS API calls, including the identity of the API caller, the time of the call, the caller’s source IP address, the request parameters, and the response elements returned by the AWS service.

As such, CloudTrail can be used for security analysis, resource management, change tracking, and compliance audits. Saviynt’s analysis found that CloudTrail was often deleted, and log validation was often disabled from individual instances. Administrators cannot retroactively turn on CloudTrail.
If you don’t turn it on, you’ll be blind to the activity of your virtual instances during the course of any future investigations.
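The record fields listed above (caller identity, event time, source IP, request parameters) are exactly what an investigator queries. As an added example that is not part of the article and not AWS code, the following Python reads a few constructed records in the JSON shape CloudTrail writes and flags two things worth alerting on: API calls made as the root user, and changes that blind the trail itself (StopLogging, DeleteTrail, or an UpdateTrail that turns log file validation off). The trail name, user names and the `enableLogFileValidation` request-parameter key are assumptions for the example.

```python
import json

# Constructed sample records in CloudTrail's JSON record shape (not real events;
# 123456789012 is AWS's documentation account ID, 203.0.113.0/24 a documentation range).
SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventTime": "2016-10-01T08:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": {}},
 {"eventTime": "2016-10-01T08:05:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.11",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
  "requestParameters": {"bucketName": "example-data-bucket"}},
 {"eventTime": "2016-10-01T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "203.0.113.12",
  "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
  "requestParameters": {"name": "example-trail"}},
 {"eventTime": "2016-10-01T08:11:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "UpdateTrail", "sourceIPAddress": "203.0.113.12",
  "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
  "requestParameters": {"name": "example-trail", "enableLogFileValidation": false}},
 {"eventTime": "2016-10-01T08:12:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DescribeTrails", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": {}}
]}
""")["Records"]

# CloudTrail API calls that stop the trail from recording anything further.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail"}


def actor(record):
    """Best available name for the caller: IAM user name, else ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def triage(records):
    """Return (eventTime, actor, reason) alerts for root API use and trail tampering."""
    alerts = []
    for r in records:
        who = actor(r)
        ident_type = r.get("userIdentity", {}).get("type")
        name = r.get("eventName")
        params = r.get("requestParameters") or {}
        if ident_type == "Root":
            alerts.append((r["eventTime"], who, f"root account used for {name}"))
        if r.get("eventSource") == "cloudtrail.amazonaws.com":
            if name in TRAIL_TAMPERING:
                alerts.append((r["eventTime"], who, f"{name} on trail {params.get('name')}"))
            # The camelCase key is assumed from CloudTrail's requestParameters convention.
            elif name == "UpdateTrail" and params.get("enableLogFileValidation") is False:
                alerts.append((r["eventTime"], who,
                               f"log file validation disabled on trail {params.get('name')}"))
    return alerts


if __name__ == "__main__":
    for when, who, why in triage(SAMPLE_RECORDS):
        print(f"{when} {who}: {why}")
```

The routine read-only call by alice and her DescribeTrails produce nothing; the root call and both trail changes by ops-admin do. In practice you would feed it the records CloudTrail delivers to S3 or CloudWatch Logs rather than an inline list.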
Some decisions need to be made in order to enable CloudTrail, such as where and how to store logs, but the time spent making sure CloudTrail is set up correctly will be well worth it. “Do it first before you need it,” says John Robel, a principal solutions architect for Evident.io.

Mistake 3: Giving away too many privileges

Access keys and user access control are integral to AWS security.
It may be tempting to give developers administrator rights to handle certain tasks, but you shouldn’t. Not everyone needs to be an admin, and there’s no reason why policies can’t handle most situations.
Saviynt’s research found that 35 percent of privileged users in AWS have full access to a wide variety of services, including the ability to bring down the whole customer AWS environment.

Another common mistake is leaving high-privilege AWS accounts turned on for terminated users, Saviynt found. Administrators often fail to set up thorough policies for a variety of user scenarios, instead choosing to make them so broad that they lose their effectiveness.

Applying policies and roles to restrict access reduces your attack surface, as it eliminates the possibility of the entire AWS environment being compromised because a key was exposed, account credentials were stolen, or someone on your team made a configuration error. “If you find yourself giving complete access to a service to someone, stop,” says Nunnikhoven. “Policies should include the least amount of permissions to get a job done.”

Mistake 4: Having powerful users and broad roles

AWS Identity and Access Management (IAM) is critical for securing AWS deployments, says Nunnikhoven.

The service -- which is free -- makes it fairly straightforward to set up new identities, users, and roles, and to assign premade policies or to customize granular permissions. You should use the service to assign a role to an EC2 instance, then a policy to that role.

This grants the EC2 instance all of the permissions in the policy with no need to store credentials locally on the instance. Users with lower levels of access are able to execute specific (and approved!) tasks in the EC2 instance without needing to be granted higher levels of access. A common misconfiguration is to assign access to the complete set of permissions for each AWS item.
If the application needs the ability to write files to Amazon S3 and it has full access to S3, it can read, write, and delete every single file in S3 for that account.
If the script’s job is to run a quarterly cleanup of unused files, there is no need to have any read permissions, for example.
Instead, use the IAM service to give the application write access to one specific bucket in S3.
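The difference between “full access to S3” and “write access to one bucket” is visible in the policy document itself. As an added example (not from the article, and not AWS code), the Python below holds both policies, a linter that flags wildcard actions and resource-wide grants of the kind the Saviynt findings describe, and a deliberately simplified policy evaluator that shows the scoped policy permits PutObject on its bucket and nothing else. The bucket name is a placeholder; the evaluator models only Allow/Deny with `*`/`?` wildcards and ignores NotAction, NotResource and Condition, which is an assumption of the example.

```python
from fnmatch import fnmatchcase

# Constructed example policies (not from the article or AWS): a broad "full S3"
# grant beside the write-only, single-bucket grant the text recommends.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-cleanup-bucket/*",  # placeholder bucket
    }],
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Flag Allow statements that use a wildcard action or apply to every resource."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "applies to every resource"))
    return findings


def allows(policy, action, resource):
    """Simplified IAM evaluation: default deny, an explicit Deny beats any Allow.
    Actions match case-insensitively; Resource ARNs match with IAM's * and ?
    wildcards. NotAction, NotResource and Condition are not modelled (assumption)."""
    decision = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt.get("Action")))
        resource_hit = any(fnmatchcase(resource, p)
                           for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            decision = True
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-cleanup-bucket/report.csv"
    print("broad policy findings:", find_overbroad_statements(BROAD_POLICY))
    print("scoped policy findings:", find_overbroad_statements(SCOPED_POLICY))
    for act in ("s3:PutObject", "s3:GetObject", "s3:DeleteObject"):
        print(f"scoped policy allows {act}: {allows(SCOPED_POLICY, act, obj)}")
```

Run the linter over every customer-managed policy in an account (the JSON from `aws iam get-policy-version` has this shape) and each finding is a candidate for the narrowing described above. The evaluator is for illustration; use the IAM policy simulator for authoritative answers.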

By assigning specific permissions, the application cannot read or delete any files, in or out of that bucket. “In the event of a breach, the worst that can happen is that more files are written to your account. No data will be lost,” says Nunnikhoven.

Mistake 5: Relying heavily on passwords

The recent wave of data breaches and follow-up attacks with criminals using harvested login credentials to break into other accounts should have made it clear by now: Usernames and passwords aren’t enough.

Enforce strong passwords and turn on two-factor authentication to manage AWS instances.

For applications, turn on multifactor authentication.

AWS provides tools to add in tokens such as a physical card or a smartphone app to turn on multifactor authentication. “Your data and applications are the lifeblood of your business,” Evident.io’s Robel warns.

Mistake 6: Exposed secrets and keys

It shouldn’t happen as often as it does, but credentials are often found hard-coded into application source code, or configuration files containing keys and passwords are stored in publicly accessible locations.

AWS keys have been exposed in public repositories over the years.

GitHub now regularly scans public repositories to alert developers about exposed AWS credentials. Keys should be regularly rotated.

Don’t be the administrator who lets too much time pass between rotations.
IAM is powerful, but many of its features are frequently ignored.

All credentials, passwords, and API Access Keys should be rotated frequently so that in the event of compromise the stolen keys are valid only for a short, fixed time frame, thereby decreasing attacker access to your instances.

Administrators should set up policies to regularly expire passwords and prevent password reuse across instances. “If an attacker is able to steal your keys, they can then access the resources in your account as if they were you. Use roles whenever possible,” Nunnikhoven says.

Mistake 7: Not taking root seriously

It pops up time and again.

Admins forget to disable Root API access -- a highly risky practice. No one should be using the AWS root account and associated keys, let alone sharing them across users and applications. Keys to access AWS resources directly should be used sparingly, as the keys need to be tracked, managed, and protected.
In cases where root is absolutely necessary, Saviynt found that those accounts often have multifactor authentication disabled.
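Key rotation (Mistake 6) and root hygiene (Mistake 7) can both be checked from one artifact: the IAM credential report, a CSV in which the root user appears as `<root_account>`. As an added example that is not part of the article and not AWS code, the Python below audits a constructed report that uses a subset of the report's columns and reports root without MFA, root access keys, console users without MFA, and active access keys older than a rotation window. The 90-day window, the user names and the fixed "now" are assumptions for the example.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90      # rotation window; an assumption, set your own
ROOT = "<root_account>"    # how the credential report names the root user
NOW = datetime(2016, 10, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed report using a subset of the credential report's columns (not real data;
# 123456789012 is AWS's documentation account ID).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2015-01-10T09:05:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2016-08-15T10:30:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,2015-06-01T00:10:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,false,N/A
"""


def age_days(timestamp, now):
    """Whole days since an ISO 8601 timestamp such as the report's last_rotated fields."""
    return (now - datetime.fromisoformat(timestamp)).days


def audit_credential_report(report_csv, now, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) pairs, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == ROOT:
            # Root cannot be scoped by policy, so MFA and "no keys" are the only guards.
            if row["mfa_active"] != "true":
                findings.append((user, "MFA not enabled on root"))
            for n in (1, 2):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root account has an active access key {n}"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        # Rotation check applies to every principal, root included.
        for n in (1, 2):
            rotated = row[f"access_key_{n}_last_rotated"]
            if row[f"access_key_{n}_active"] == "true" and rotated != "N/A" \
                    and age_days(rotated, now) > max_key_age_days:
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user}: {finding}")
```

On a live account, `aws iam generate-credential-report` followed by `aws iam get-credential-report` yields the full CSV (base64-encoded in the latter's output); the full report carries more columns than the sample, which the reader ignores.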

The root account deserves better protection than that.

Mistake 8: Putting everything in one VPC or account

The more teams and workloads added to an account or Virtual Private Cloud (VPC), the more likely you are to meet the lowest common denominator.

AWS has very generous limits on VPCs and accounts.

There's no reason not to isolate workloads and teams into different regions, VPCs, or even accounts.

The simplest way to start is to make sure that development, testing, and production are in different accounts.

Mistake 9: Leaving wide open connections

Too many admins enable global permissions to instances. When you use 0.0.0.0/0, you are giving every machine everywhere the ability to connect to your AWS resources. “You wouldn't leave the front door to your house open, why do you use 0.0.0.0/0?” Robel asks. AWS Security Groups wrap around EC2 instances to permit or deny inbound and outbound traffic.
It’s tempting -- and expedient! -- to add broad access rules to security groups.

Fight the urge.

Give your security groups the narrowest focus possible. Use different AWS security groups as a source or destination to ensure only instances and load balancers in a specific group can communicate with another group.

One-third of the top 30 common AWS configuration mistakes identified by Saviynt involve open ports. Workloads showed open RDP, MySQL, FTP, or telnet ports via Security Groups, and Security Groups showed open RDP and SSH ports. Others were wide open to the internet.

Thanks to high-quality automation tools such as OpsWorks, Chef, Ansible, and Puppet, there’s no reason to allow remote access -- such as SSH or RDP -- to EC2 instances. If an application or OS needs to be patched, it’s better to create a new image and spin up a brand-new instance with the patch applied instead of trying to connect to the instance and applying a patch in place.

If remote access is necessary, a “bastion host,” where users connect to an intermediary EC2 instance, is a safer option. It is easier to manage all remote access connections going to a single host, then restrict what connections are possible between each instance. It’s also possible to lock down the bastion host so that only pre-approved systems are allowed access.
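The open-port findings above are mechanical to detect. As an added example that is not from the article and not AWS code, the Python below walks constructed security groups in the shape of `aws ec2 describe-security-groups` output and reports every rule that exposes a sensitive port (the article's RDP, MySQL, FTP, telnet and SSH) or all traffic to 0.0.0.0/0 or ::/0. A group whose source is another security group, and a bastion group limited to one address range, pass. Group IDs, names and the 203.0.113.0/24 range are placeholders.

```python
# Ports the article reports as found open to the world; extend the map as needed.
SENSITIVE_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 3306: "mysql", 3389: "rdp"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed groups in the shape of `aws ec2 describe-security-groups` output
# (IDs, names and the 203.0.113.0/24 "office" range are placeholders, not real data).
SECURITY_GROUPS = [
    {"GroupId": "sg-0example01", "GroupName": "web-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0example02", "GroupName": "anything-goes", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0example03", "GroupName": "db-from-app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0example04"}]},   # group-to-group only
    ]},
    {"GroupId": "sg-0example05", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
    ]},
]


def world_cidrs(perm):
    """CIDR sources of one permission entry that mean 'anyone on the internet'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def exposed_ports(perm):
    """Sensitive ports covered by one entry; 'all' for an all-protocols (-1) rule."""
    if perm.get("IpProtocol") == "-1":
        return ["all"]
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return []
    lo, hi = perm["FromPort"], perm["ToPort"]
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]


def audit_security_groups(groups):
    """Return (group id, port or 'all', world CIDR) for each world-reachable sensitive port."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            cidrs = world_cidrs(perm)
            if not cidrs:
                continue   # sources are specific ranges or other groups
            for port in exposed_ports(perm):
                for cidr in cidrs:
                    findings.append((g["GroupId"], port, cidr))
    return findings


if __name__ == "__main__":
    for gid, port, cidr in audit_security_groups(SECURITY_GROUPS):
        label = SENSITIVE_PORTS.get(port, port)
        print(f"{gid}: {label} reachable from {cidr}")
```

Port 443 open to the world on the web group is not reported, since that is what a public web tier is for; the check is about administrative and database ports and about protocol-wide rules.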

Control all remote access in order to reduce your overall risk.

Mistake 10: Skimping on encryption

Many organizations don’t enable encryption in their AWS infrastructures, and the reasons range from “it’s too hard” to not realizing it was important.
Saviynt found that Relational Database Service (RDS) instances were being created with encryption disabled -- a potential data breach waiting to happen.
In EC2, there were workloads with unencrypted Elastic Block Storage (EBS). Data in S3 should be protected, and traffic between EC2 instances should be secured.
Implementing encryption incorrectly is just as bad as -- if not worse than -- having no encryption at all, but Amazon actually offers tools to help ease the challenges.

Administrators reluctant to enable encryption over concerns of managing keys should let AWS manage those keys.
It’s always possible to migrate to the organization’s own public key infrastructure afterward.

Mistakes, not vulnerabilities

The fact that privileged users can bring down a whole AWS environment, with critical applications and sensitive information, isn’t the fault of the cloud.
It highlights the fact that for many organizations the security implementation is weak.

Administrators need to apply the same rigorous controls they have had in their datacenters to their cloud infrastructures. Many of these configuration mistakes are not difficult to fix, and they mitigate a large range of potential issues, freeing up administrators to handle more in-depth tasks, such as running a vulnerability scanner like Amazon Inspector or Tenable Network Security’s Nessus.

But first things first, and that means bringing security hygiene to the cloud.

Related articles

RHSA-2016:1996-1: Important: CFME 4.1 bug fixes and enhancement update

Updated cfme packages that fix bugs and add various enhancements are now available for Red Hat CloudForms 4.1.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

* An input validation flaw was found in the way CloudForms regular expressions were passed to the expression engine via the JSON API and the web-based UI. A user with the ability to view collections and filter them could use this flaw to execute arbitrary shell commands on the host with the privileges of the CloudForms process. (CVE-2016-7040)

This issue was discovered by Tim Wade (Red Hat).

Additional Changes:

This update fixes bugs and adds various enhancements. Documentation for these changes is available in the Release Notes linked to in the References section.

All CFME users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

Red Hat CloudForms 4.1

SRPMS:

cfme-
    MD5: 89572e8486cea08263785597bdfbc0af
    SHA-256: bc44d158abc61656e0cb91a60f27f960d3bc133f8a2878b68b6e97e797ea22d8
cfme-appliance-
    MD5: b3c5ba11bfce7b5bb880637ae958dbeb
    SHA-256: aeb5b894d50215e58099d3e9077bfe929a613344be4372f9cd590a98e5db724c
cfme-gemset-
    MD5: 294f0ba500b938ed7a9e6a7854276022
    SHA-256: d31a74dd4512d28b19f878d0089cb6b5205eb38b0f7a91e0eaeb08efaa0f5432
rh-ruby22-rubygem-nokogiri-1.6.8-1.el7cf.src.rpm
    MD5: 987d269d305ce6b5b0707c773bfbfde4
    SHA-256: 359c25623c2ac3c8a1a3b67237f7b234b6b585e1f6393ce9512b7438d1d3704f
rh-ruby22-rubygem-pkg-config-1.1.7-1.el7cf.src.rpm
    MD5: 4ccc899d9fc7566fb87b483d324138a2
    SHA-256: c7185f33d1479f4ca2c7828b3dad2787b6051f8cf7d91127ec889bed8c20abb8
rh-ruby22-rubygem-thin-1.7.0-1.el7cf.src.rpm
    MD5: c2b632982f988492d7b2a60c4f2115e8
    SHA-256: 3c49e958de179d6f6a970601a34e5c8a4b1c048398221eb2911b438feec68333

x86_64:

cfme-
    MD5: f44a16be40b53bfd0ddc30c7efd9a3f0
    SHA-256: 184a87fe0a7115bae4ba47602d568d64a60d45ca5997b5b4499f26d5faf3feaf
cfme-appliance-
    MD5: 41796182ab044650036fb67ce9024dd0
    SHA-256: a9df3744fb333988ee6020dbe8c899ebb09a8da4e312dc0c51bc9e4d67559de3
cfme-gemset-
    MD5: a9ad53e5d7c51a425e9dbb1689472178
    SHA-256: 449d34f8aae1cd858bf360f5e7ad14c6e48971a6d89fcea499deeab4b3e0c6be
rh-ruby22-rubygem-nokogiri-1.6.8-1.el7cf.x86_64.rpm
    MD5: 70a302fcc119d189f2c6008b64416ed1
    SHA-256: d1b263246254921445b4fe514d16d4b0b33b4d2f6044a09d21aefd11c3266cd8
rh-ruby22-rubygem-pkg-config-1.1.7-1.el7cf.noarch.rpm
    MD5: f71dc8b43f55ebb00fc7e1ed0e48e21a
    SHA-256: 288a31b71ad41c60c68b97249ad5e32f220eb501a39babb2751446c92614cf8f
rh-ruby22-rubygem-pkg-config-doc-1.1.7-1.el7cf.noarch.rpm
    MD5: 1b9db3e37bf119a93fc00163833df3f8
    SHA-256: 1f69fe30fcf771f39aff88cb7c782b45e4ff711cd7c86fe80997e8f70979a556
rh-ruby22-rubygem-thin-1.7.0-1.el7cf.x86_64.rpm
    MD5: ec0b655f82936ad2b579772b07e10188
    SHA-256: 60dd1b5a87bd59e6f2d8901d5304a6735cdec35062f8ebb76ea273b6f800a4c0

(The unlinked packages above are only available from the Red Hat Network)

1337552 - Common datastore across multiple vcenter causes inventory confusion for provisions
1337577 - service requests don't show dynamic drop down selections
1343517 - When using external auth and removing a user from all groups the user's groups are not updated and he is still able to log-in to CFME Web-UI
1343717 - Openstack cloud provider - when using Keystone v3 domain for registration we need to ignore the projects that the user doesn't have access to
1343719 - Provisioning from RHEVM 3.6 template loses template boot sequence
1346953 - [RFE] Unable to set number_of_vms in non-generic service catalog items
1346989 - [RFE] Keystone domains support
1346990 - VM refreshes are failing but the message status from each of the EmsRefresh.refresh commands shows 'ok' in error
1347278 - [RFE] - lifecycle button missing from cloud images
1347330 - [ja_JP] Translations are missing in 'Compute'-'Clouds' menu and its sub menus
1347692 - [ja_JP] Translation issues on cloud intelligence->chargeback->assignments page.
1348631 - CPU Right Size recommendations only take into account CPU sockets, not cores per socket
1348637 - [ja_JP] Translation issues observed on cloud intelligence->Reports->reports page.
1348644 - [ja_JP] Translation issues on Services -> Requests page
1348648 - [ja_JP] Translations are missing in Compute-Services menu
1348649 - [ALL LANG] All contents are unlocalized under Control->Log.
1349059 - [ja_JP] Translations are either misplaced or missing on Settings->Configuration->Settings
1349423 - Dynamic Dropdown list of AWS instance Type for AWS GovCloud seems to be returning instance types that are not supported by AWS GovCloud
1351332 - [RFE] [SDN] - No providers tags relations displayed in Tolopogy
1352016 - Missing policy button on some of the Network Manager Relationship pages
1353291 - String interpolations must not be present in toolbar definitions
1354503 - OSP refresh fails with Policy doesn't allow os_compute_api:os-availability-zone:detail to be performed.
1357865 - RHEV VM Reconfigure: Set memory to a size smaller than guaranteed memory fail
1358323 - In Networks menu should all names in plural
1361175 - Error when canceling orchestration stack retirement form
1361176 - [RFE] Chargeback of containers based on tags
1361178 - Cannot Cancel Smart State Analysis of Container that is not completing -
1361693 - Advanced search in workloads expression element "Registry" hides select bar for element type
1362227 - Clicking on Reset button while editing a provider throws error message in UI for firefox browser
1362627 - [RFE] Allow reporting relationship between OpenShift pods and the image they run
1362631 - Maintain uniformity in dropdown values in japanese locale
1362634 - Package/Application icon in CloudForms looks like Apple AppStore logo
1362704 - Stack : Link " ManageIQ/Providers/Cloud Manager/Orchestration Stacks" shows "Page does not exists"
1363753 - SSUI : All languages are not shown in SSUI login dropdown
1363754 - [RFE] 'LDAP Group Look Up' string needs to changed to 'External auth Group Look Up' when auth mode is set to external(httpd)
1363891 - Datastores: " ActionController::RoutingError " when clicking on reload button
1364222 - Accessing the tags method of an MiqAeServiceLan object results in a NoMethodError exception
1364501 - Customer reporting growth of sessions table to an enormous size and postgresql logs don't indicate any auto-vacuum activity is happening
1366358 - SSUI: logo not displayed on login screen
1366596 - Container SSA results are aggregated instead of updated
1366597 - unable to tag datastores via rest api or UI
1366598 - Failed container scanning job does not timeout
1366599 - Image List shows "Unknown image source" for images
1368165 - Start date for report schedule is set to tomorrow
1368167 - Service provisioning messages overlapped in self service ui
1368168 - Editing RHEVM has default API Port 5000 in UI even though no port was set when creaing
1368170 - GCE instance was retired, but was not power off
1369583 - [Configuration management Jobs] - Wrong title of downloaded files
1370196 - LDAP group lookup fails with json UTF conversion errors
1370198 - Cloud tenant and AZ from overcloud show up in undercloud relationships
1370202 - page doesn't exist after session timeout on provider timeline page
1370208 - Unable to authenticate to RHEV provider after migration from cfme- (3.2) to cfme- (4.1)
1370209 - Request to restore diagnostic functionality critical to support (ie, current appliance settings) removed in the CFME 4.1
1370211 - Azure: undefined method `downcase'
1370216 - Azure provider fails EMS refresh
1370309 - missing rights to show AWS security groups caused null
1370310 - add support for secondary fixed IP addresses for AWS ENI interfaces
1370476 - No html Id's defined for the bootstrap switches in manage quota form
1370478 - "unexpected token at ..." error when validating Tower which returns internal server error 500
1370480 - Incorrect name is used for default Azure provider during discovery
1370481 - Catalog item becomes corrupt after removing template it was using
1370488 - Changing default instance_name in custom button from "Automation" to "Request"
1370568 - METHOD:: does not accept a full path to a method
1370569 - VMware folder support showing more than just folders
1370574 - Errno::ETIMEDOUT: Connection timed out on Azure at gallery.azure.com
1370575 - Region description doesn't change
1370586 - Multi-rate chargeback report can not be queued.
1371174 - After adding generic/orchestration catalog item infinispinner and 502 error(appliance crashed)
1371267 - Unable to get to Topology link in breadcrumb trail on Network Manager entities page
1371268 - [RFE] Add Global filters for RHEV block datastores
1371269 - C&U collection tab can sometimes be blank
1371270 - Cloud network manager availability zones back button redirects me to cloud provider
1371272 - unable to use {nil => "<default>"} with self provisioning when selecting dialog_tenant_name
1371311 - [Ansible Tower] Provider cannot be removed when selected from accordion tree
1371640 - [RFE] Create AWS EC2 appliance
1371666 - [ja_JP, zh_CN] Need to translate the title and tool-tips on Control -> Log page.
1371668 - [ja_JP, zh_CN] Need to translate drop-down config. menu options on Compute -> Containers -> Providers
1371669 - [ja_JP, zh_CN] Need to translate menu options under configuration on Networks -> providers.
1371670 - [ja_JP, zh_CN] Need to translate drop-down options and some strings on Optimize -> Planning page.
1371671 - [ja_JP, zh_CN] Need to translate strings on Automate -> Requests page
1371979 - Error:undefined method `size' for nil:NilClass when clicked on cloud provider after deleting network manager
1371980 - Automation Method Error When Accessing 'host'/'hosts' From a Switch
1371981 - Type Template/VM filter under VMs is useless
1372413 - UI: Inconsistent behavior when adding duplicate provider; infra provider X configuration manager
1372775 - Refresh Configuration Management Provider does not work when selected from the explorer tree
1372801 - Add ability to swap the default threaded puma web server for thin
1374377 - [RFE] Reporting on OpenShift Custom Labels
1374420 - multiple ip address for the same network_port_id for openStack provider
1374423 - Select button options " By Infrastructure providers" and "All VMs" should be renamed
1374450 - Compliance check history isn't shown if compliance policy is unconditional
1374695 - Multi-tenancy - tenant name not renamed in Set group ownership dropdown menu
1374696 - Adding rhevm infrastrcture provider and filling in bad IP bad user/pass error
1374815 - Error on Azure Cloud Discovery: wrong number of arguments
1375205 - SSUI displays "null" for azure resource group or fails if <new resource group> is selected
1375311 - validate_request for cloud does not include support for flavors
1375326 - Providers quick search should have searched string in brackets next to the title like all other pages
1375330 - Azure provisioning missing pre and post methods.
1375343 - Upgrade azure-armrest to - Amazon Image details doesn't open
1376130 - Utilization tree remembers selected node
1376132 - :cold_sweat: Don't include AvailabilityMixin into Object, that's really bad
1376137 - Fix report scheduler timer_types
1376138 - Change column type of cpu_cores_used_cost in reports to currency
1376139 - Fixed port_scan.rb file and related changes
1376140 - Memoize image_path helper in build_tags_tree
1376141 - Add single select false to guest access pair options on EC2
1376143 - Move _('locale_name') to Vmdb::FastGettextHelper
1376144 - ChargebackContainerProject - Filter project by tag
1376146 - Discrepancy in objects count in Containers Overview following Provider overview
1376147 - Re-check Authentication button for Providers in the GTL view
1376150 - Fix the toolbar button tooltip for Providers in GTL view
1376151 - Container Chargeback report: Rate Range by Project
1376153 - Update x1.32xlarge to enhanced and clustered networking.
1376154 - Replace corrupted PNGs
1376155 - cap&u dont puke when _debug
1376157 - SSUI : language : Shopping cart validation message needs to switch language when one is selected
1376158 - Update gettext catalogs from Zanata
1376159 - Use Rails version or higher
1376160 - Relationships filter_by_resource_type scope
1376161 - Azure - Enhanced C&U support
1376162 - Azure cache
1376163 - Move join region logic into a rake task
1376164 - recent version of draper gem
1376165 - Changing default instance_name in custom button from "Automation" to "Request"
1376167 - Reworked building VMware nested datacenter folders in factory girl
1376168 - Fix Caching Issues for MiqDiskCache Module
1376169 - Show provider status color by bearer type authentication on container topology
1376170 - Multi endpoints dialog message
1376171 - Update required ovirt_metrics version
1376172 - BAT Handling in Checkpoint Disks Issues
1376173 - With the updated net-ldap 0.14.0, Net::LDAP:LdapError is no longer used.
1376174 - Make connection_configuration respect the default authentication type
1376175 - ArVirtual - Ownership uses virtual attributes / delegates
1376176 - Modify Azure Runner to use existing EMS
1376177 - Take 2: Speed up "VMs & Instances in My LDAP Group" filter in /vm_or_template/explorer
1376178 - Allow more than one iso datastore per type of EMS
1376513 - Unexpected error when clicked on service request
1376520 - service template provision tasks failing in check provision method
1376528 - [RHV 4.0] Provision VM ends up with "Validating New Vm" endless retries
1376557 - Clicking Automate triggers an error.
1376574 - Azure Enterprise Agreement subscriptions not catching events
1377416 - Unknown Error while refreshing Azure
1377420 - [ja_JP, zh_CN] User login credentials verification fail message is not localized

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: