Threat Stack Blog and Cloud Security News

73% of Companies Have Critical AWS Security Misconfigurations

by Michal Ferguson Apr 18, 2017 12:44:25 PM

Threat Stack Delivers Wake Up Call

Wide open SSH and infrequent software updates among top risks identified in the majority of cloud-based environments

How effective are your AWS security configurations? And how do you know for sure?

In a recent eye-opening study, Threat Stack found that 73% of companies have at least one critical security misconfiguration, such as remote SSH open to the entire internet. By “critical”, we mean configuration lapses that enable an attacker to gain access directly to private services or the AWS console, or that could be used to mask criminal activity from monitoring technologies.

If we caught your attention with that opening statistic, please read on.

Here’s What the Threat Stack Study Found

Our analysis found a surprising number of well-documented security misconfigurations.

  • Among the most egregious were AWS Security Groups configured to leave SSH wide open to the internet in 73% of the companies analyzed. This simple configuration error allows an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. In fact, Threat Stack observed SSH traffic from the internet using the root account, which could have severe security repercussions.
  • Additionally, the well-recognized best practice of requiring multi-factor authentication (MFA) for AWS users was not being followed by 62% of companies analyzed, making brute force attacks that much simpler.
  • Even AWS-native security services such as CloudTrail were not deployed across all regions in 27% of the companies analyzed, leaving activity in the uncovered regions unlogged.
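As an added, defender-side illustration of how the three findings above can be turned into concrete audit checks (this is example code, not Threat Stack's Config Audit tooling), the functions below evaluate inventory records shaped like boto3 responses for describe_security_groups, list_users, list_mfa_devices and describe_trails; the sample inventory at the bottom is constructed, so the script runs offline.

```python
# Audit constructed AWS inventory data for the three findings above (added example).
# Inputs mimic boto3 response shapes (describe_security_groups, list_users,
# list_mfa_devices, describe_trails) but are constructed samples, so this runs offline.
ANYWHERE = {"0.0.0.0/0", "::/0"}

def _rule_covers_port(rule, port):
    # IpProtocol "-1" means all traffic; otherwise the port must fall in the range.
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)

def groups_with_open_ssh(security_groups, port=22):
    """Return ids of groups whose ingress allows `port` from any IPv4/IPv6 address."""
    flagged = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not _rule_covers_port(rule, port):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if ANYWHERE.intersection(cidrs):
                flagged.append(sg["GroupId"])
                break
    return flagged

def users_without_mfa(users, mfa_devices):
    """Return IAM user names with no MFA device registered."""
    enrolled = {d["UserName"] for d in mfa_devices}
    return [u["UserName"] for u in users if u["UserName"] not in enrolled]

def regions_without_cloudtrail(regions, trails):
    """Return regions no trail covers; a multi-region trail covers every region."""
    if any(t.get("IsMultiRegionTrail") for t in trails):
        return []
    covered = {t["HomeRegion"] for t in trails}
    return [r for r in regions if r not in covered]

# Constructed sample inventory (not real account data).
SAMPLE_SGS = [
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-internal", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-allopen", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_USERS = [{"UserName": "alice"}, {"UserName": "bob"}]
SAMPLE_MFA = [{"UserName": "alice"}]
SAMPLE_TRAILS = [{"Name": "main", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False}]
```

Against the sample data the checks flag sg-bastion and sg-allopen (the latter because an all-traffic rule open to ::/0 also exposes port 22), user bob, and every region other than us-east-1.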

“The most surprising part of these findings is that, for all the money that sophisticated enterprises spend on advanced security, a majority aren’t even taking full advantage of the basic security tools available to them as AWS users,” said Sam Bisbee, Threat Stack’s CTO.

“Despite years of education from AWS and their technology partners in the industry, not to mention the prevalence of automated security checks, a majority of users are still not configuring their cloud environments securely. Hopefully, the data in our new analysis will serve as a wakeup call.”

There’s More . . . Failure to Keep Software Updates Current

While these cloud security best practices are relatively simple to fix, Threat Stack identified a more complex concern.

Data collected by Threat Stack going back to September of 2016 showed that fewer than 13% of the companies analyzed were keeping software updates current. In addition, despite the cloud's promise of short-lived, spin-up/spin-down infrastructure, the majority of those unpatched systems are kept online indefinitely, some for more than three years.

For a detailed discussion of this problem, see It All Started With a Wager About System Upgrades by Sam Bisbee, Threat Stack’s CTO. For guidance on how to effectively manage the problem, take a look at OS Updates and Package Management by Tom McLaughlin, Threat Stack’s Engineering Advocate.

The Bottom Line

When the problem of software updates is combined with the AWS misconfigurations and weak remote administration, it becomes clear that companies need to focus on fundamental hygiene immediately.

Check Your AWS Configuration Settings with Config Audit

AWS Customers: Identify the types of AWS misconfigurations that can easily be missed in this quick-to-install, self-audit trial from Threat Stack.

Quickly measure your specific AWS configuration settings against AWS security best practices and obtain steps for improvements.

Learn About Our 7-Day Audit Trial

Topics: Cloud Security, AWS Security, AWS Configuration Auditing, Threat Stack Cloud Security Study

Written by Michal Ferguson

As Director of Demand Generation at Threat Stack and a tech & security lover, Michal spends her days finding valuable ways to match Threat Stack’s cloud-based security solution with its ideal customers. Prior to Threat Stack, Michal held marketing management positions at CloudLock (acquired by Cisco), VKernel (acquired by Quest Software, then Dell), and Onaro (acquired by NetApp).
