News

High Number of AWS Misconfigurations Leaves Huge Security Holes

Security organization calls situation "egregious."

• By David Ramel
• 04/19/2017

The last day of February 2017 saw a big part of the Internet break, when Amazon Web Services Inc. (AWS) experienced a massive outage.

The outage was deemed to be the result of a misconfiguration, and it gave AWS a big black eye. But misconfigurations aren't limited to AWS -- not by a long shot.

An analysis of AWS cloud usage by Threat Stack Inc. revealed widespread critical security misconfigurations affecting nearly three-quarters of more than 200 surveyed organizations.

"Among the most egregious were AWS Security Groups configured to leave SSH wide open to the Internet in 73 percent of the companies analyzed," the company said in a new release today. "This simple configuration error allows an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. In fact, Threat Stack observed SSH traffic from the Internet using the root account, which could have severe security repercussions."

Threat Stack CTO Sam Bisbee expressed surprise at the findings, which came to light despite extensive advice and guidance from AWS and others.

For example, AWS has been providing SSH best practice guidance for years, as evidenced in a 2008 blog post that addressed SSH issues. That post says in part: "For example, you can use the AWS Management Console to create a security group that restricts SSH access to only the 206.209.15.0/24 network while allowing anyone HTTP/HTTPS access from anywhere."

The company's OpsWorks user guide also contains an entire section on "Managing SSH Access."

Despite such ongoing efforts, Threat Stack has found many organizations are failing to follow even the most basic of security precautions, to the amazement of Bisbee.

"The most surprising part of these findings is that, for all the money that sophisticated enterprises spend on advanced security, a majority aren't even taking full advantage of the basic security tools available to them as AWS users," he said. "Despite years of education from AWS and their technology partners in the industry, not to mention the prevalence of automated security checks, a majority of users are still not configuring their cloud environments securely. Hopefully, this data will serve as a wakeup call."

That data also revealed that 62 percent of companies analyzed weren't following the well-known best practice of requiring multi-factor authentication for AWS users. That, according to Threat Stack, makes brute force attacks easier. Furthermore, users aren't taking advantage of AWS-native security services like CloudTrail, which weren't being deployed universally across all regions.

And deeper problems beyond the basics were also discovered.

"While these cloud security best practices are relatively simple to fix, Threat Stack identified a more complex concern," the company said. "Data collected by Threat Stack going back to September of 2016 showed that fewer than 13 percent of the companies analyzed were keeping software updates current. In addition, despite the 'spin up/down' intrigue of the cloud, the majority of those unpatched systems are kept online indefinitely, some more than three years. When combined with the AWS misconfigurations and weak remote administration, it becomes clear that companies need to focus on fundamental hygiene immediately."

For its part, Threat Stack in 2015 launched a managed AWS security service, and currently offers a free trial of its Threat Stack Audit tool that customers can use to score their environments against AWS security best practices, and also get steps to follow for improvement.