This blog post is part three of our four-part series on security in the cloud. In part one, we discussed the AWS shared responsibility model, and in part two, we discussed detecting, prioritizing, and remediating vulnerabilities. Today, in part three, we will cover how to handle misconfigurations in the cloud. This blog post was co-authored by Tori Sitcawich and Aaron Sawitsky.
The prevalence of cloud misconfigurations
Misconfigurations in the cloud are becoming a prevalent source of risk for organizations as more and more businesses move their infrastructure to the cloud. In fact, in our 2018 Under the Hoodie report, we discovered that network and service misconfigurations were found 96% of the time during internal penetration testing. The root cause of this increased risk is that in a cloud environment, far more people can setup and deploy network infrastructure, whereas in an on-premises network, that ability is usually restricted to IT professionals who are well-versed in security best-practices.
It’s important to note that while misconfigurations are a risk, they can be effectively managed. With the right tools and processes in place, you can leverage cloud infrastructure in a secure way. Correctly configuring cloud infrastructure requires close collaboration among development, IT, operations, and security teams. It also requires an understanding of proper configurations.
As a result, scanning for vulnerabilities alone is not enough to manage risk in your cloud infrastructure—you also need a strategy to prevent misconfigurations, as well as a purpose-built way to detect them when they still manage to sneak their way through.
Misconfigurations: A gateway to larger attacks
A misconfiguration can leave sensitive information fully exposed, such as an S3 bucket that’s accidentally setup to be publicly accessible on the internet, which can lead to a serious breach. And since misconfigurations don't exist within a computer’s operating system or an application’s source code, they’re less visible to traditional security testing tools, which means they often go undetected (to the delight of attackers).
Misconfigurations are a common way for attackers to get into a network because they’re often easy to spot and all too common. In fact, more often than not, attackers will use a misconfiguration to get to a system, then proceed to leverage a mix of techniques, from user impersonation to data exfiltration, to finish the job. That’s why you, as the defender, need to know whether you have misconfigurations and how serious they are. You then need to be able to fix them to reduce the risk of a serious vulnerability. Thankfully, configurations are a risk that can be managed.
Ideally, you want to make sure that a misconfiguration never happens in the first place. The best way to do this is to have your security team work with your IT, operations, and engineering teams to define a security baseline. The baseline should clearly describe everything from how assets should be configured to an incident response plan. Your teams should consider using resources like the AWS Well-Architected Framework and CIS Benchmarks as starting points.
Once you have defined what your AWS security baseline looks like, you need to enforce it. You can make it easy for developers to adhere to your baseline by providing them with infrastructure templates that have already been properly configured. You can do this using AWS CloudFormation or an infrastructure as code vendor like Terraform. You also need a monitoring solution in place to detect when something is out of compliance with the baseline (either because it was deployed with a misconfiguration or because a change was made after deployment).
How to discover misconfigurations
Cloud Configuration Assessment within InsightVM gathers the configuration settings of your AWS accounts and compares them to industry best-practices, providing visibility on weaknesses that could affect the security of your cloud environment. Included as a standard feature in InsightVM, the combination of Cloud Configuration Assessment and InsightVM’s robust vulnerability risk management capabilities help customers secure their hybrid environments without having to manage multiple solutions or pay extra for cloud-specific functionality.
Cloud Configuration Assessment leverages a library of rule checks based on the complete CIS AWS Foundations Benchmark, best-practice checks from AWS, and proprietary checks from Rapid7 to assess your configuration data for policy compliance.
It determines compliance per rule on a “Pass” or “Fail” basis.Each rule is also ranked based on its severity level so you know what to work on now and what can wait. It also visualizes misconfiguration risks alongside risks from the rest of your IT environment to give you a complete understanding of your real-time risk exposure. And if you need to narrow in on a particular area of your business, you can search and filter for misconfigurations based on certain criteria to make it even easier to begin remediating. Then, as your team gets to work, InsightVM visually reports on progress in an interactive dashboard.
With Cloud Configuration Assessment, your security teams will be able to more effectively collaborate with your AWS team to resolve misconfigurations and reduce the likelihood of compromise.
Taking your cloud security to the next level
Now that you’re familiar with the risks of cloud misconfigurations and how to detect them, stay tuned for our final post in the series to learn how to secure containers and serverless environments.
What other questions do you have about cloud misconfigurations? Comment below or tag us on Twitter @Rapid7.