Swift cloud adoptions spurred on by the global pandemic has led to oversights, errors, or ill-informed cloud service configuration choices (commonly referred to misconfigurations). You may have heard that securing the cloud can be complex, but something as “simple” to stop as a misconfiguration can ultimately lead to the unintended exposure of mission-critical information and assets.
Major cosmetic retailer, Estee Lauder, experienced a major breach due to a misconfiguration, resulting in more than 440 million records being exposed. And they weren’t the only company to face the music. In fact, misconfigurations are most significant risks to cloud environments, causing 65 to 70% of all security challenges in the cloud.
If misconfigurations are relatively straightforward to stop, then why are they so common? The cloud is comprised of a multitude of settings, policies, assets, and interconnected services and resources, making it a sophisticated environment to fully understand and properly set up.
This is especially true for organizations that have been pushed to migrate quickly to the cloud since remote work became the new norm. Unfortunately, when organizations start using any new technology too quickly without fully understanding its many intricacies, misconfigurations can occur.
The responsibility isn’t on your cloud service provider (CSP) either—CSPs do their part in the shared responsibility model by designing, implementing, and constantly reviewing their infrastructure. However, misconfigurations can still occur when cloud assets and services are set up incorrectly on the user side, leaving an impact on the quality of cloud applications.
Clearly, cloud adopters need to know the commonly occurring misconfigurations to mitigate them before malicious actors get wind of them and cause more significant harm. That’s why we analyzed data gathered through Trend Micro Cloud One™ – Conformity within a one-year period (June 30, 2020 to June 29, 2021) to determine the top 10 AWS services with the highest misconfiguration rates regarding the implementation of Conformity rules.
Top 10 AWS services with the highest misconfiguration rates
To determine the top 10 misconfigurations, we looked at the AWS services with the greatest number of Conformity checks. These checks are the result of the Conformity rules scanned or run against our Conformity customers’ configuration of infrastructures or resources. A single cloud service can have numerous Conformity rules regularly scanning it to check for vulnerabilities and risks. These scans will subsequently result in checks. Each Conformity rule comes with a corresponding implementation, and the checks that run against the rules determine the success or failure of these implementations.
It should be noted that the number of checks does not represent the level of misconfiguration or the risk level of a particular service. Conformity users can choose to run a few or numerous checks simultaneously against their infrastructures and resources. We then highlighted their respective misconfiguration rates, which are the percentage of rules found to be unsuccessfully implemented after a scan.
Next, we highlighted their respective misconfiguration rates, as shown in Figure 1. This is the percentage of rules found to be unsuccessfully implemented after a scan.
Figure 1. The misconfiguration rates of the top 10 AWS services with the greatest number of checks that were run based on Conformity data from June 2020 to June 2021
Top misconfigured rules for AWS services
Let’s look at three top misconfigured services for AWS and the Conformity rule for that service with the highest misconfiguration rate.
- AWS CloudTrail configuration changes
With a misconfiguration rate of a whopping 100%, it’s unsurprising this Conformity rule for AWS CloudTrail tops the list. AWS CloudTrail allows users to regularly log and monitor account activity related to actions performed across the AWS infrastructure. It also has a feature that allows users to see AWS account activity history, enabling a more streamlined and efficient security auditing, resource change tracking, and troubleshooting. When left disabled, configuration changes will not be monitored and recorded. This means that users will not know who acted, what action was taken, when the action took place, and which resources were affected by the action. - App-tier EBS encrypted
For the Amazon EBS service, the top misconfigured high-severity rule is “App-tier EBS encrypted,” with a failure rate of 100%. When this feature is not enabled, the data stored in Amazon EBS volumes attached to app-tier EC2 instances will be exposed. This includes data at rest on the volume, disk input and output operations, and all the snapshots taken from the volume. - Enable Amazon S3 block public access for AWS accounts
Meanwhile, “enable Amazon S3 block public access for AWS accounts” is the top misconfigured rule for Amazon S3, with a severity classification of “very high” and a misconfiguration rating of 68.97%. This feature allows bucket owners to efficiently set up controls to limit public access to their Amazon S3 data. When this is not enabled, simple configuration mistakes or errors can open Amazon S3 bucket data to the public, which can result in data breaches.
To counter potential misconfigurations and security risks, Amazon provides the AWS Well-Architected Framework, and security best practices guidelines for keeping Amazon S3 buckets secure. But even with readily available and detailed documentation, it’s still possible for users to fall short and leave Amazon S3 buckets open and publicly accessible. Our research report, “Securing Weak Points in Serverless Architectures: Risks and Recommendations,” discussed the risks associated with open buckets that contained sensitive data and buckets that were not completely open but were indexing accessible data.
In recent years, we saw how organizations reeled from the effects of misconfigured Amazon S3 buckets. This year, over 1.6 million files of citizens from dozens of municipalities were compromised because of 86 unprotected Amazon S3 buckets in the municipalities’ information management software.
Next steps
Knowing which AWS services are commonly misconfigured enables DevSecOps teams to customize automated Conformity scans, ensuring they’re continually checking for misconfigurations on AWS services in their infrastructure. This helps prove compliance and governance without tedious manual tasks, allowing developers to build securely with little interruptions.
Conformity is one of 7 solutions comprising the Trend Micro Cloud One™ security services platform for organizations building in the cloud. It delivers flexible and scalable all-in-one security that helps DevOps and security engineers securely build and innovate as they migrate to and build in the cloud.
Looking to audit your environment to see you hold up? Sign up for a free, 30-day Trend Micro Cloud One trial today.