
Amazon Web Services (AWS) Vulnerability: Shared Responsibility

From Airbnb to Zillow, some of the internet’s most popular sites and services are built on Amazon Web Services (AWS), the world’s leading cloud computing provider. But recent industry discussions point to an AWS vulnerability.


Evolution of Amazon Web Services (AWS)

Amazon first launched its web services as a side business in the early 2000s. Around this time, Amazon was scrambling to develop internal systems to handle its hyper-growth. During a retreat at Jeff Bezos’ house, executives realized that the Amazon team was “highly skilled at running reliable, scalable, cost-effective data centers out of need.”

First, Amazon released Simple Queue Service (SQS). SQS is a means of transmitting large volumes of data. Next, Amazon introduced Simple Storage Service (S3), Amazon’s seminal cloud storage service. Then, Amazon developed Elastic Compute Cloud (EC2), which allowed businesses to build applications fully in the cloud.


Vulnerabilities From AWS

Recently, a study from Ermetic, a cloud infrastructure company that provides “holistic protection for AWS, Azure, and Google Cloud,” found that the majority of AWS accounts are vulnerable to ransomware.

Ermetic discovered that the greatest security risk comes from identities and S3 buckets (similar to file folders; they store objects, each consisting of data and its descriptive metadata). Ermetic found that “a compromised identity with a toxic combination of entitlements can easily perform ransomware on an organization’s data.”

The discovery (or disclosure) of this vulnerability by Ermetic spurred us to revisit the shared responsibility model and the importance of a well-architected AWS environment.


Shared Responsibility Model

When an organization embarks on migrating business to the cloud, it must embrace a shared responsibility model – especially with infrastructure as a service (IaaS).

It is vitally important for cloud consumers to understand what their CSPs (cloud service providers) are doing to safeguard storage, as well as what measures customers themselves need to implement to collaboratively protect storage in the cloud. Do not assume that security in the cloud is the sole responsibility of CSPs. This assumption will likely lead to a breach.

AWS explicitly outlines shared responsibility, stating that “Security and Compliance is a shared responsibility between AWS and the customer.” On its website, AWS outlines and diagrams customer and AWS responsibilities. AWS also offers an exercise for customers to determine the distribution of responsibility based on the customer’s specific use case.

S3 buckets are troves that contain enriched data sought by adversaries. We know ransomware attacks have been, and will continue to be, a top weapon for cybercriminals. Knowing that storage is the target of ransomware, organizations should treat S3 as yet another storage device, anticipating that an attack is not a matter of if but when.


Architecting AWS

Any improperly configured digital asset exposed to the Internet is susceptible to a multitude of attacks, including ransomware. Security breaches related to AWS S3 buckets result from misconfigurations.

AWS architecture prescribes multiple layers, including web logic (the part the user sees), business or application logic (where decisions are made about the user’s request), and data logic (where the information is stored). S3 buckets sit at the forward edge of the technology stack and are specifically designed to isolate the primary layers.

A well-architected AWS environment should not cause business operations to cease due to an attack on an S3 bucket. There is a multitude of controls, alarms, and versioning that can help to recover from an S3 bucket compromise, not the least of which is having multiple buckets. That’s the whole point behind cloud computing: it’s elastic and resilient.
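As an added example (not code from the post, Ermetic, or AWS), the following Python audits the two things this post singles out: whether a bucket’s recovery controls (versioning, MFA Delete, the public access block) are in place, and whether an IAM policy grants an identity the destructive S3 actions that let a compromised identity destroy data and its recovery path. It runs offline on constructed inputs shaped like boto3’s GetBucketVersioning and GetPublicAccessBlock responses and an IAM policy document; the DESTRUCTIVE_ACTIONS set and the sample inputs are assumptions made for this example.

```python
import fnmatch

# Actions that let an identity destroy objects or their recovery path (a constructed
# selection for this example, not an AWS-published list).
DESTRUCTIVE_ACTIONS = {"s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                       "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration"}
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(versioning: dict, public_access_block: dict) -> list:
    """Findings for one bucket. Inputs mirror boto3's GetBucketVersioning response and
    GetPublicAccessBlock()['PublicAccessBlockConfiguration']; nothing here calls AWS."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled: overwritten or deleted objects cannot be restored")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled: versions can be purged without a second factor")
    findings += [f"public access block: {flag} is off" for flag in PUBLIC_ACCESS_FLAGS
                 if not public_access_block.get(flag, False)]
    return findings


def _expand(actions, candidates):
    """Match IAM action patterns such as 's3:Delete*' against candidates (IAM is case-insensitive)."""
    actions = [actions] if isinstance(actions, str) else actions
    return {c for c in candidates for p in actions if fnmatch.fnmatchcase(c.lower(), p.lower())}


def destructive_grants(policy: dict) -> set:
    """Destructive S3 actions an IAM policy document allows once explicit Denies are removed."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target |= _expand(stmt.get("Action", []), DESTRUCTIVE_ACTIONS)
    return allowed - denied


# Constructed sample inputs, not taken from any real account.
SAMPLE_VERSIONING = {"Status": "Suspended"}
SAMPLE_PAB = {f: f in ("BlockPublicAcls", "IgnorePublicAcls") for f in PUBLIC_ACCESS_FLAGS}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:Delete*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_VERSIONING, SAMPLE_PAB):
        print("bucket:", finding)
    for action in sorted(destructive_grants(SAMPLE_POLICY)):
        print("identity may:", action)
```

Feeding real account data in is a matter of replacing the constructed inputs with the corresponding boto3 responses; the audit logic itself stays the same.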


CYA: Cover Your AWS

As our organizations and third parties move data or continue operations in the cloud, it’s a given that our stored data is a “sitting duck” for adversaries. Thankfully, we can embrace guidelines that protect our data in the cloud by implementing measures such as NIST Cybersecurity Controls and AWS Guidance On Shared Responsibility.

Looking for more information about cloud computing’s impact on risk management? In this webinar recording, you will learn the right questions to ask Cloud Security Providers regarding security, maintenance, and resilience in order to keep the Cloud (and more importantly, your risk management) in check.

