AWS Cloud Security: How to Prevent Common Vulnerabilities

Explore the most common security flaws in AWS environments, how to prevent them, and strategies for improving your AWS cloud security.

AWS is the runaway leader in cloud infrastructure, with a staggering 31% of the market as of Q3 2024. So it’s no surprise that, as a pentesting provider, we spend a lot of time testing AWS assets and get asked fairly frequently about Amazon cloud security vulnerabilities. (For a primer on AWS cloud security and performing pentests to address AWS security concerns, check out our blog, “What You Need to Know About AWS Pentesting.”)

And we’ve noticed something. Through all our testing, we see a small number of vulnerabilities arise time and time again across a wide range of industries, asset types, and organization sizes.

We held a virtual panel where four of our pentesters discussed the most common security flaws in AWS environments and how to prevent them. This article is a summary of that virtual panel, and includes some suggested strategies for improving AWS cloud security. We've added some sections to address common EC2 security issues.

8 Common AWS Vulnerabilities

1) Overuse of Public Subnets

Many organizations use the default Virtual Private Cloud (VPC) built into AWS, making few changes to the configuration. When they need to spin up an application, they take the simplest approach: using the VPC’s default public subnet.

However, this approach can be extremely dangerous. Public subnets are routed to Internet gateways, making them accessible via the public Internet. As a result, any sensitive information hosted on the subnet is placed in harm’s way.

Solution: Public subnets are suitable for blogs or simple websites, but not critical applications or databases. Instead, use private subnets and ensure all subnets are properly configured for the security needs of the assets involved.

If an application needs to be public-facing, you can use a combination of public and private subnets to ensure back end functions and databases are kept out of the public domain.

2) IAM Issues

IAM issues are far from being unique to AWS. However, because cloud infrastructure is designed to be accessed remotely, IAM issues can become an even greater risk and present a valid AWS security concern.

Many organizations don’t enable multi-factor authentication for privileged accounts. Worse, insecure privileged accounts are often overused — including for trivial tasks that could be performed from any account — putting them further at risk from social engineering and other credential theft attacks.

Solution: Use an identity solution provider to centralize authentication and use single sign-on so you don’t have to manually create IAM users and attach policies to them.

For sensitive assets, use a tool to create short term keys that expire after a predetermined period. That way, if access and secret keys are leaked, nobody will have persistent access to your AWS environment.

From a structural perspective, create different AWS accounts for different environments, and use a single AWS organization to enforce policies for sub environments.

3) Misconfigured S3 buckets

The most common problem with S3 buckets is permission misconfiguration. Organizations create S3 buckets for various purposes, and even though the buckets are private by default, we as humans make the buckets publicly writeable and readable to make our jobs easier. With this, there is an inevitable threat of malicious users finding the misconfigured S3 buckets and either dumping all the contents or deleting it. Misconfigured S3 buckets can be disastrous if there are sensitive files, db backups, or application logs in it.

Solution: If you want to store content in the bucket, that should be accessed publicly, use AWS Cloudfront. Keep the bucket private and use it as the origin of Cloudfront distribution. With this configuration, you will be allowing only Cloudfront to access content from the bucket. Any entities requiring access to the content from the bucket would need a full URI path that includes Cloudfront domain and doesn’t expose your S3 bucket for enumeration.

There are other hardening techniques provided by AWS such as signed URLs and signed cookies for serving private contents. Make sure to read up on the AWS documentation for insights on what to avoid. Further, read more about the dangers of misconfigurations.

4) Exposed Database Origin Servers

The IP addresses of database origin servers should never be available to any person or application unless specifically required. Unfortunately, these IPs are often available as a result of improperly configured CDNs and other solutions.

One of our pentesters gave an example of how this can lead to a security breach. While testing an HR system, the tester discovered that origin server IPs were available due to a misconfigured CDN. Once he had the IPs, he discovered that the AWS instance wasn’t set up to restrict inbound access to specific applications. Within a short period of time, he was able to access the system directly as a privileged user.

Solution: Secure configuration can be a challenge, because applications and infrastructure can each potentially have thousands of configuration options. Pentesters and cyber criminals use tools — many of which are free and open source — to help them identify when configuration issues exist.

To avoid falling victim to configuration issues, it makes sense for security teams to use a similar approach to identify and resolve configuration issues preemptively.

5) Server-Side Request Forgery (SSRF)

SSRF is an attack that abuses legitimate AWS functionality to gain access to instance metadata. If successful, an attacker may be able to extract credentials for an IAM role attached to the instance, and gain privileged access to the target application.

An attack similar to this was used in the 2019 CapitalOne breach.

Solution: Thankfully, preventing SSRF attacks against AWS is straightforward. Only version one of the Instance Metadata Service (IMDSv1) is vulnerable, so simply update to version two (IMDSv2).

6) Hanging DNS Records

In the course of working with AWS, most organizations create and delete plenty of S3 buckets. However, when an S3 bucket is deleted, many organizations forget to remove references to it across all subdomains.

This is a problem, because if a subdomain’s DNS records stay pointed to a deleted S3 bucket, an attacker can use subdomain enumeration to identify the issue and simply take over the subdomain.

Solution: Our pentesters offered a surprisingly low tech solution to this problem — simply keep track of all S3 buckets using a spreadsheet, and record all references to each bucket. Whenever an S3 bucket is deleted, use the spreadsheet to ensure all references to it are removed.

7) Misconfigured EC2 Security Groups

The scalable AWS EC2 solution uses security groups that act as firewalls controlling inbound and outbound traffic. A security group assigns an EC2 instance inbound rules specifying sources, port ranges, and protocols and outbound rules specifying destinations, port ranges, and protocols. You can assign up to five security groups per network interface to an EC2 instance.

Misconfigured EC2 groups can create security issues. Lax controls can allow unauthorized access to your instances, while excessively strict controls can block legitimate access. For example, lax misconfigurations might open private cloud instances to the public Internet, expose unnecessary ports, or use excessively broad IP ranges.

Solution: Follow security group best practices when configuring EC2 instances. Only allow designated IAM principles to create or edit security groups. Create only as many security groups as you actually need, using tags and labels to keep your groups organized. Review and update your security group rules regularly. Authorize only specified ranges in inbound rules. Avoid opening large port ranges, and limit access to required sources and destinations. Consider adding a security layer by creating access-control lists with rules paralleling your security groups.

8) Insecure EC2 Credentials

Unprotected credentials can expose your EC2 instance to unauthorized access. Credentials can be compromised by using default passwords, weak passwords, reused usernames and passwords from other accounts or services, or insecure storage practices. This can open your EC2 instance to risks such as phishing, brute force attacks, or credential theft. For example, leakage can expose unencrypted credentials stored in plain text in code, logs, or configuration files.

Solution: Follow credentials management best practices. Use strong, unique usernames and passwords. Rotate credentials regularly. Use secure storage and transmission methods for handling credentials.

Treat AWS Like an Internal Network

To finish the webinar, our pentesters provided two powerful pieces of advice to help organizations improve the security of AWS environments.

First, always remember that cloud providers aren’t responsible for the security of anything you build in the cloud. AWS is just any other computer network, and you should be just as diligent with the security and privacy of your AWS network as with your internal network.

Second, keep in mind that developers generally aren’t security experts. Providing training on secure development practices can have a profound impact on the security of new code. It can also be helpful to implement basic checks — potentially including automated vulnerability scanners — into the development workflow to identify simple vulnerabilities before they are pushed live.