Amazon Web Services (AWS) Vulnerability: Shared Responsibility

Oct 13, 2021 | Data & Cybersecurity

From Airbnb to Zillow, some of the internet’s most popular sites and services are built on Amazon Web Services (AWS), the world’s leading cloud computing provider. But, recent industry discussions point to an AWS vulnerability.

Evolution of Amazon Web Services (AWS)

Amazon first launched its web services as a side business in the early 2000s. Around this time, Amazon was scrambling to develop internal systems to handle its hyper-growth. During a retreat at Jeff Bezos’ house, executives realized that the Amazon team was “highly skilled at running reliable, scalable, cost-effective data centers out of need.”

First, Amazon released Simple Queue Service (SQS). SQS is a means of transmitting large volumes of data. Next, Amazon introduced Simple Storage Service (S3), Amazon’s seminal cloud service storage solution. Then, Amazon developed Elastic Compute Cloud (EC2) which allowed businesses to build applications fully in the cloud.

Vulnerabilities From AWS

Recently, a study from Ermetic, a cloud infrastructure company that provides “holistic protection for AWS, Azure, and Google Cloud,” found that the majority of AWS accounts are vulnerable to ransomware.

Ermetic discovered that the greatest security risk comes from identities and S3 buckets (similar to file folders, buckets store objects, each consisting of data and its descriptive metadata). Ermetic found that “a compromised identity with a toxic combination of entitlements can easily perform ransomware on an organization’s data.”

The discovery (or disclosure) of this vulnerability by Ermetic spurred us to revisit the shared responsibility model and the importance of a well-architected AWS environment.

Shared Responsibility Model

When an organization embarks on migrating business to the cloud, the organization must embrace a shared responsibility model – especially with infrastructure as a service (IaaS).

It is vitally important for cloud consumers to understand what their CSPs (cloud service providers) are doing to safeguard storage, as well as what measures customers need to implement to collaboratively protect storage in the cloud. Do not assume that security in the cloud is the sole responsibility of CSPs. This assumption will likely lead to a breach.

AWS explicitly outlines shared responsibility stating that “Security and Compliance is a shared responsibility between AWS and the customer.” On their website, AWS outlines and diagrams customer and AWS responsibilities. AWS also offers an exercise for customers to determine the distribution of responsibility based on the customer’s specific use case.

S3 buckets are troves that contain enriched data sought by adversaries. We know ransomware attacks have been, and will continue to be, a top weapon for cybercriminals. Knowing that storage is the target of ransomware, organizations should consider S3 to be yet another storage device, anticipating that it is not a matter of if but when.

Architecting AWS

Any improperly configured digital asset exposed to the Internet is susceptible to a multitude of attacks, including ransomware. Security breaches related to AWS S3 buckets result from misconfigurations.

AWS architecture prescribes multiple layers, including web logic (the part the user sees), business or application logic (the part where decisions are made regarding the user request), and data logic (where the information is stored). S3 buckets are separated at the forward edge of the technology stack and are specifically designed to isolate the primary layers.

A well-architected AWS environment should not cause business operations to cease due to an attack on an S3 bucket. There is a multitude of controls, alarms, and versioning that can help to recover from an S3 bucket compromise, not the least of which is having multiple buckets. That’s the whole point behind cloud computing: it’s elastic and resilient.
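As an added illustration of the recovery controls mentioned above (this is example code, not from the original post or from AWS), the following audit checks each bucket for versioning, MFA Delete, Block Public Access and Object Lock. The input dicts mirror the response shapes of boto3's get_bucket_versioning, get_public_access_block and get_object_lock_configuration; the bucket names and settings are constructed, and wiring the functions to live boto3 calls is left to the reader.

```python
from typing import Dict, List

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(name: str, versioning: Dict, public_access: Dict, object_lock: Dict) -> List[str]:
    """Return findings for one bucket; an empty list means every check passed."""
    findings = []
    # Versioning keeps prior object versions, so an encrypt-in-place or delete can be rolled back.
    if versioning.get("Status") != "Enabled":
        findings.append(f"{name}: versioning not enabled; overwritten objects cannot be recovered")
    # MFA Delete requires a second factor to purge versions or suspend versioning.
    if versioning.get("MFADelete") != "Enabled":
        findings.append(f"{name}: MFA Delete off; one compromised credential can purge versions")
    # Block Public Access stops a misconfigured ACL or bucket policy from exposing data.
    pab = public_access.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(f"{name}: public access block incomplete ({', '.join(missing)})")
    # Object Lock (WORM) prevents even privileged identities from deleting locked versions.
    # An empty dict stands in for the API error raised when no configuration exists.
    lock = object_lock.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append(f"{name}: Object Lock not enabled; retained versions can still be deleted")
    return findings


def audit_account(buckets: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Audit every bucket in {name: {"versioning", "public_access", "object_lock"}} form."""
    return {n: audit_bucket(n, b["versioning"], b["public_access"], b["object_lock"])
            for n, b in buckets.items()}


# Constructed sample data standing in for live API responses.
SAMPLE_BUCKETS = {
    "finance-records": {
        "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
        "public_access": {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
        "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
    },
    "marketing-assets": {
        "versioning": {"Status": "Suspended"},
        "public_access": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
        "object_lock": {},
    },
}

if __name__ == "__main__":
    for bucket, issues in audit_account(SAMPLE_BUCKETS).items():
        print(bucket, "OK" if not issues else "\n  " + "\n  ".join(issues))
```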

CYA: Cover Your AWS

As our organizations and third parties move data or continue operations in the cloud, it’s a given that our stored data is a “sitting duck” for adversaries. Thankfully, we can embrace guidelines that protect our data in the cloud by implementing measures such as NIST Cybersecurity Controls and AWS Guidance On Shared Responsibility.

Looking for more information about cloud computing’s impact on risk management? In this webinar recording, you will learn the right questions to ask Cloud Security Providers regarding security, maintenance, and resilience in order to keep the Cloud (and more importantly, your risk management) in check.

Nasser Fattah

A Senior Advisor to Shared Assessments, Nasser has 20+ years as a Cybersecurity, Supply Chain and IT leader. With a focus on customer-first and team-building approaches, Fattah is able to align programs to support company strategies, regulatory requirements, and growth initiatives. He drives cybersecurity, supply chain and IT as enablers for enterprise-wide transformation initiatives. He partners with executives to identify and select strategic external partners to deliver essential IT and cybersecurity services to the business. Nasser worked with a global parent company and its subsidiaries to establish technology standards to maximize investments and operational efficacy to best support business needs and growth. Nasser has a strong, consistent record working successfully with Business and IT executives, regulators, auditors, and risk partners. Nasser also teaches cybersecurity at several colleges, and is the chair for North America Shared Assessments, an industry best-practices body for supply chain.


Ron Bradley

Ron Bradley has been involved with Shared Assessments in some capacity for over 15 years. Notably, Bradley wrote some of the very first questions for the Standardized Information Gathering (SIG) Questionnaire. Over that time, his hair has transitioned from an afro to his current distinguished style.

With a depth of experience building TPRM programs in financial services (Bank of America) and manufacturing (Reynolds, Trane Technologies), Ron understands how cultures and organizations drive the supply chain and third party process. As Vice President, Ron strives to use his extensive knowledge of Third Party Risk Management to help organizations build programs that realize the full potential of the Shared Assessments toolkit.

Ron’s experience in Europe, Asia and South America has allowed him to assess different vendor environments and to build Third Party Risk Management operations from the ground up across the world. Ron is an expert in risk in the manufacturing environment, Operational Technology, and Operational IoT.

Ron lives in Charlotte, North Carolina, and takes frequent trips to Scottsdale, Arizona. He loves golf, travel, and his Big Green Egg, which brings the people around Ron excessive quantities of love, joy, and happiness. Ron’s 24-year-old daughter and his famed sister Kathleen Bradley (first black game hostess!) bring him great delight.
