Introduction
Misconfigurations are common entry points for attackers. Cloud misconfigurations occur when cloud resources are set up with incorrect or insecure settings, leaving them vulnerable to exploitation. Misconfigurations can lead to sensitive data being exposed to the public internet, unauthorized users, or can open up unnecessary ports, services, or permissions that attackers can exploit. Proactive security management for cloud misconfiguration is essential to maintaining a strong security posture.
In this blog, I will walk through a few scenarios of misconfigured AWS Cloud resources and how Microsoft Defender for Cloud can help proactively identify misconfigurations, allowing security teams to prevent risks and remediate quickly.
Proactively secure your AWS resources
Prerequisites: To protect resources in Amazon Web Services (AWS), you first need to connect your AWS account to Microsoft Defender for Cloud. Please refer to the guidance here
Defender for Cloud uses AWS environment context to perform a risk assessment of your security issues. Enabling the Defender CSPM plan on your AWS connector is a mandatory prerequisite for the contextual security capabilities, including attack path analysis and the cloud security explorer. Learn more about the cloud security graph, attack path analysis, and the cloud security explorer.
Use case Scenarios:
The following fictitious scenarios will help you understand how this capability can assist you in proactively securing your AWS resources. Keep in mind that while these are fictitious scenarios, they are based on real-world situations that our customers face while trying to protect their multicloud resources.
Scenario 1:
Contoso Bank is using Amazon S3 to store sensitive customer data, financial records, and proprietary business information. They have set up a private S3 bucket called "PrivateDataBucket" to store this data securely. The bucket is configured with strict access controls, and data is intended to be accessible only to authorized personnel.
Contoso Bank’s data engineering team decides to set up a data replication process to facilitate data analysis. They intend to replicate data from the "PrivateDataBucket" to another bucket for processing.
During the setup of the data replication process, instead of configuring the replication to another private S3 bucket, the team mistakenly selects a public S3 bucket named "PublicDataBucket" that is accessible to the Internet.
Using Defender CSPM attack path analysis, the data engineering team can identify this scenario and remediate the risk. The attack path “Private AWS S3 bucket replicates data to internet exposed and publicly accessible AWS S3 bucket” shows the misconfiguration and its potential impact, as shown below:
The risk here is sensitive data exposure, caused by data being replicated to an internet-exposed, publicly accessible S3 bucket. The Insights on the target S3 bucket provide more information about the misconfiguration, as shown below:
The remediation step suggests reviewing the replication configuration and the S3 bucket's public access settings to minimize public exposure of the data, as shown below:
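The check behind this attack path can also be reproduced outside the portal. The following is an added example, not code from the post or from Defender for Cloud: it walks replication rules and flags any whose destination bucket grants anonymous access, then applies the recommended public access block. It consumes the response shapes of boto3's get_bucket_replication, get_public_access_block and get_bucket_policy, but runs on a constructed inventory (the two buckets from the scenario) so it needs no AWS account.

```python
"""Posture check for Scenario 1: flag replication rules whose destination
bucket is publicly accessible. This is an added example, not code from the
post or from Defender for Cloud. It consumes the response shapes of boto3's
get_bucket_replication, get_public_access_block and get_bucket_policy, but
runs on a constructed inventory so it needs no AWS account."""
import copy
import json

# Constructed inventory (not real account data). A PublicAccessBlock of None
# models a bucket with no block configured, the case where boto3 raises
# NoSuchPublicAccessBlockConfiguration.
INVENTORY = {
    "PrivateDataBucket": {
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                              "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "Policy": None,
        "Replication": {"Rules": [{
            "ID": "replicate-for-analytics", "Status": "Enabled",
            "Destination": {"Bucket": "arn:aws:s3:::PublicDataBucket"},
        }]},
    },
    "PublicDataBucket": {
        "PublicAccessBlock": None,
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::PublicDataBucket/*"}]}),
        "Replication": None,
    },
}

# The remediation the post recommends, in the form taken by
# s3.put_public_access_block(Bucket=..., PublicAccessBlockConfiguration=...).
HARDENED_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def bucket_is_public(bucket):
    """True when an Allow statement grants anonymous access and no
    RestrictPublicBuckets setting neutralises it."""
    pab = bucket["PublicAccessBlock"] or {}
    if pab.get("RestrictPublicBuckets") or not bucket["Policy"]:
        return False
    statements = json.loads(bucket["Policy"]).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for s in statements:
        principal = s.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if s.get("Effect") == "Allow" and anonymous:
            return True
    return False


def replication_to_public_buckets(inventory):
    """Return (source bucket, rule id, destination bucket) for every enabled
    replication rule that lands in a public bucket."""
    findings = []
    for name, bucket in inventory.items():
        for rule in (bucket["Replication"] or {}).get("Rules", []):
            if rule.get("Status") != "Enabled":
                continue
            destination = rule["Destination"]["Bucket"].split(":::")[-1]
            target = inventory.get(destination)
            if target is not None and bucket_is_public(target):
                findings.append((name, rule.get("ID"), destination))
    return findings


def remediate(inventory, destination):
    """Return a copy of the inventory with the destination bucket's public
    access fully blocked (the put_public_access_block remediation)."""
    fixed = copy.deepcopy(inventory)
    fixed[destination]["PublicAccessBlock"] = dict(HARDENED_PUBLIC_ACCESS_BLOCK)
    return fixed


if __name__ == "__main__":
    for source, rule_id, destination in replication_to_public_buckets(INVENTORY):
        print(f"{source} rule {rule_id} replicates to public bucket {destination}")
    print(replication_to_public_buckets(remediate(INVENTORY, "PublicDataBucket")))
```

The check only looks at bucket policies; a bucket can also be public through object or bucket ACLs, which is why the remediation sets all four public access block flags rather than only RestrictPublicBuckets. If the destination genuinely has to be public, the right fix is to point the replication rule at a private bucket instead.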
Scenario 2:
Datum Corporation’s IT Admin team is responsible for managing several applications hosted on AWS EC2 instances. The team wants to implement an automated backup and restore solution for their databases, ensuring data durability and disaster recovery capabilities.
The administrator writes a script that runs on the EC2 instances to initiate automated backup and restore operations at specified intervals. To let the script reach every service it might need, the administrator creates an IAM role with the AdministratorAccess managed policy and attaches it to the EC2 instance as its instance profile.
When an EC2 instance has an IAM role attached, any process running on the instance can obtain that role's temporary credentials from the instance metadata service, so the instance effectively holds every permission the role grants within the account. A misconfigured IAM role therefore leads to over-permissioning, where the instance can reach far more resources and actions than its workload needs, and every one of those becomes attack surface if the instance is compromised.
By leveraging Defender CSPM attack path capability, the IT Admin team can gain visibility about the potential risk by reviewing the attack path called “Internet exposed EC2 instance has high severity vulnerabilities and high permission to an account”.
The potential impact in this scenario is that a threat actor could exploit the vulnerabilities on the EC2 instance, gain remote code execution, and use its permission to manage the account - create resources, delete resources, and move laterally to additional resources. The possible risk is account takeover and compute abuse.
Defender for Cloud calculates the effective permissions of identities and helps you understand which resources your identities can access. In this scenario, the EC2 instance's role carries the 'AmazonSSMManagedInstanceCore', 'AmazonEC2ContainerRegistryReadOnly' and 'AmazonEKSWorkerNodePolicy' managed policies, which give it permissions to the account.
The Insights tab on the EC2 instance provides the details that make this an attack path: the instance is reachable from the internet and has high severity vulnerabilities allowing remote code execution.
The remediation steps suggest granting permission at the resource level and not at the account level, as shown below:
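To make the remediation concrete, the following added example (not code from the post or from Defender for Cloud) contrasts the AdministratorAccess-style policy the administrator attached with a policy scoped to what the backup job actually does, and includes a small check that flags Allow statements granting wildcard actions or unscoped resources. The account ID, database name and bucket name in the scoped policy are placeholders, not real resources.

```python
"""Least-privilege check for Scenario 2: an instance role that carries an
AdministratorAccess-style policy beside a policy scoped to what the backup
job actually does. Added example, not code from the post or from Defender
for Cloud; the ARNs below are placeholders, not real resources."""

# Any process on the instance, including an attacker's shell after remote
# code execution, can obtain the role's temporary credentials from the
# instance metadata service at this well-known path.
IMDS_CREDENTIALS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Equivalent to the AdministratorAccess managed policy: every action on
# every resource. This is what the administrator in the scenario attached.
ADMIN_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A scoped alternative for the backup script: only the snapshot and object
# actions it needs, only on the database and bucket it touches
# (placeholder account id, database and bucket names).
SCOPED_BACKUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["rds:CreateDBSnapshot", "rds:DescribeDBSnapshots",
                    "rds:RestoreDBInstanceFromDBSnapshot"],
         "Resource": ["arn:aws:rds:us-east-1:111122223333:db:app-db",
                      "arn:aws:rds:us-east-1:111122223333:snapshot:app-db-*"]},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::datum-db-backups/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::datum-db-backups"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def broad_statements(policy):
    """Return (statement index, severity, reason) for each Allow statement
    that is not scoped: wildcard actions on every resource (high), specific
    actions on every resource (medium), or NotAction (high)."""
    findings = []
    for index, statement in enumerate(_as_list(policy["Statement"])):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:
            findings.append((index, "high", "NotAction allows everything not listed"))
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        wildcards = [a for a in actions if a == "*" or a.endswith(":*")]
        if "*" in resources:
            if wildcards:
                findings.append((index, "high", f"{wildcards} on all resources"))
            else:
                findings.append((index, "medium", f"{actions} not scoped to a resource"))
    return findings


if __name__ == "__main__":
    for name, policy in (("AdministratorAccess-style", ADMIN_STYLE_POLICY),
                         ("scoped backup", SCOPED_BACKUP_POLICY)):
        print(name, broad_statements(policy) or "no unscoped statements")
```

The check is deliberately simple: it does not evaluate Deny statements, conditions or permission boundaries, which Defender for Cloud's effective permission calculation does. It is enough to catch the pattern in this scenario, where a single `"Action": "*", "Resource": "*"` statement turns a vulnerable instance into an account-wide foothold.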
Scenario 3:
Fabrikam Inc hosts a critical application on an Amazon EC2 instance, and this application requires access to encrypted data stored in Amazon S3. To securely retrieve and decrypt this data, the EC2 instance is granted read permission to a dedicated AWS KMS key. Because the instance uses the key through KMS rather than holding a copy of it, the key material never leaves KMS and the data stays encrypted at rest while the application can still decrypt it on demand.
A high severity vulnerability was detected on the EC2 instance, which could potentially be exploited by attackers to gain unauthorized access to the system. An attacker who gains access to the EC2 instance inherits its role's permission on the KMS key. KMS does not export key material, but with that permission the attacker can ask KMS to decrypt any ciphertext the key protects, which could result in the compromise of encrypted data across the organization's infrastructure.
Defender CSPM identifies the attack path “Internet exposed EC2 instance has high severity vulnerabilities and read permission to a KMS”; the potential impact it lists is stealing credentials from the Key Management Service (KMS).
The EC2 instance has an IAM role attached that carries the 'AmazonSSMManagedInstanceCore' policy together with an IAM policy granting access to the AWS Key Management Service (KMS) key. The Insights give details about the EC2 instance, such as the fact that it is reachable from the internet and has high severity vulnerabilities allowing remote code execution, as shown below:
The remediation steps suggest hardening the internet exposure to the minimum required, as shown below:
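Internet reachability is the link that turns the instance's KMS permission into an attack path, so the remediation starts at the security group. The following added example (not code from the post or from Defender for Cloud) finds ingress rules open to the whole internet and derives a restricted replacement that keeps only the application's public port world-reachable. The security group is constructed in the shape returned by ec2.describe_security_groups()["SecurityGroups"]; the group ID and the administrative CIDR are placeholders.

```python
"""Exposure check for Scenario 3: find security group ingress rules open
to the whole internet and derive a restricted replacement, since the
instance's internet reachability is what turns its KMS permission into an
attack path. Added example, not code from the post or from Defender for
Cloud; the group below is constructed in the shape returned by
ec2.describe_security_groups()["SecurityGroups"], not a real group."""
import copy

WORLD = {"0.0.0.0/0", "::/0"}

SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # constructed id, not a real group
    "IpPermissions": [
        # SSH from anywhere: the exposure the attack path is built on.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # HTTPS from anywhere: the application's intended public port.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # All traffic from the VPC range: internal, not internet exposure.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}


def internet_exposed_rules(group):
    """Return (protocol, from port, to port, world cidrs) for every ingress
    rule reachable from anywhere on the internet."""
    findings = []
    for perm in group["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        open_cidrs = sorted(c for c in cidrs if c in WORLD)
        if open_cidrs:
            findings.append((perm["IpProtocol"], perm.get("FromPort"),
                             perm.get("ToPort"), open_cidrs))
    return findings


def restrict_world_ingress(group, public_tcp_ports, admin_cidr):
    """Return a copy of the group in which only public_tcp_ports stay open
    to the world; every other world-open rule is narrowed to admin_cidr."""
    restricted = copy.deepcopy(group)
    for perm in restricted["IpPermissions"]:
        is_public_service = (perm["IpProtocol"] == "tcp"
                             and perm.get("FromPort") == perm.get("ToPort")
                             and perm.get("FromPort") in public_tcp_ports)
        if is_public_service:
            continue
        v4, v6 = perm.get("IpRanges", []), perm.get("Ipv6Ranges", [])
        was_open = (any(r["CidrIp"] in WORLD for r in v4)
                    or any(r["CidrIpv6"] in WORLD for r in v6))
        perm["IpRanges"] = [r for r in v4 if r["CidrIp"] not in WORLD]
        perm["Ipv6Ranges"] = [r for r in v6 if r["CidrIpv6"] not in WORLD]
        if was_open:
            perm["IpRanges"].append({"CidrIp": admin_cidr,
                                     "Description": "admin access only"})
    return restricted


if __name__ == "__main__":
    print("before:", internet_exposed_rules(SAMPLE_GROUP))
    # 203.0.113.0/24 is a documentation range standing in for the admin network.
    hardened = restrict_world_ingress(SAMPLE_GROUP, {443}, "203.0.113.0/24")
    print("after: ", internet_exposed_rules(hardened))
```

The resulting IpPermissions list is what you would pass to revoke_security_group_ingress and authorize_security_group_ingress to apply the change. Since the role in this scenario already carries AmazonSSMManagedInstanceCore, the SSH rule can usually be removed outright in favour of Session Manager, which needs no inbound port at all; narrowing it to an administrative CIDR is the fallback shown here.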
For a more detailed list of the attack paths, connections, and insights you might see in Microsoft Defender for Cloud, see Reference list of attack paths and cloud security graph components - Defender for Cloud | Microsoft ...
Conclusion
Mitigating risks using attack path analysis is not a one-time activity. It requires continuous monitoring of attack paths, because every change to the environment can introduce new misconfigurations, so security teams should regularly review newly surfaced attack paths as part of their change process. Incorporating attack path analysis into your security strategy helps security teams stay ahead of potential security misconfigurations in AWS environments.
Additional Resources
Please refer to the resources below to learn more about these capabilities:
- Microsoft Defender for Cloud Security Posture Management
- Cloud security explorer and Attack path analysis (Video)
- Identify and remediate attack paths
- Reference list of attack paths and cloud security graph components
- Public Lab: Contextual Security capabilities for AWS using Defender CSPM
Reviewers
Or Serok Jeppa, Senior PM Lead, Microsoft Defender for Cloud
Yuri Diogenes, Principal PM Manager, CxE, Microsoft Defender for Cloud