Many of the biggest security threats on Amazon Web Services (AWS) come from misconfigurations. Default settings can leave resources publicly accessible and unprotected. These are the configuration errors you need to avoid:
- Empowered root accounts. Root accounts are powerful by design, and they can do extreme damage if accessed by unauthorized users. It's important to limit access to the accounts and to limit what the account can do. Require multifactor authentication for root account logins and don't create a key for root API access.
- Missing IP restrictions. Big security groups are easier to manage but provide fewer controls. Limit the IP ranges in security groups to restrict access to only the devices that need it. In addition to limits in security groups, place similar restrictions in Network Access Control Lists.
- CloudTrail turned off. CloudTrail is one of the important tools AWS provides so you can monitor your AWS infrastructure. If CloudTrail is disabled, you lack records of access to your account and won't be able to detect unauthorized access. Similarly, you should make sure logging is enabled on your S3 buckets.
- Too many user privileges. When user privileges are assigned directly, they become difficult to understand and to manage. Instead of assigning privileges directly to users, create groups with the correct privileges for specific roles, and assign users to those groups.
- Too-generous storage privileges. Simple Storage Service allows access privileges to be granted to "Everyone." Instead, assign the specific appropriate permissions. You can create custom bucket policies if you need more flexibility than the defaults allow.
- Public machine images. Mistakenly setting an Amazon machine image as public allows the image to be launched by any account and makes the image visible in the AMI catalog. All machine images should be made private to protect sensitive data unless there is a deliberate reason to make it accessible.
- Multi-factor authentication turned off. Not using multi-factor authentication makes it easier for unauthorized users to access your Amazon services.
- Failing to use encryption. If your data is encrypted, an unauthorized user who gains access won't be able to use it. All Amazon databases and storage should be configured with encryption active in order to keep your data protected.
Amazon Web Services provides tools that help you monitor and verify your AWS configuration. You can also rely on managed AWS services from dcVAST to ensure your AWS services are configured properly and providing the necessary capacity and performance. Contact us to learn how managed AWS can help you keep your cloud secure.