Threats

| Component | Threats |
|---|---|
| IAM | IAM policies grant role assumption and role passing across all services (`sts:AssumeRole` / `iam:PassRole` on `Resource: "*"`) |
| | Overly permissive IAM roles (wildcard actions and resources) |
| | Overly permissive read access gives visibility into some customer data stores |
| | Elasticsearch domain access policy allows traffic from the internet |
| | Deprecated AWS managed policies are still attached to users |
| | Access to modify security groups, NACLs, ENIs and route tables is not restricted in Prod |
| | Access to KMS is not restricted |
| MFA | Users do not have MFA enabled on their accounts |
| Root Account | MFA is not enabled on the root account |
| | The root account email is not a distribution list, so recovery and security notices depend on one person's mailbox |
| Secrets / Keys | Access keys are not rotated in line with industry best practice (90 days) |
| | KMS: AWS-managed default keys are used instead of customer-managed keys |
| | KMS: keys are shared across services and functions where separate envelope keys should be used |
| | KMS: key policies are too permissive; too many services can call Decrypt on the keys |
| S3 | Bucket policy grants global (anonymous) DELETE permissions |
| | Bucket policy grants global (anonymous) GET permissions |
| | Buckets are accessible to any authenticated AWS user |
| | Buckets are accessible to the public |
| | Log buckets are not sufficiently protected from PUTs (to prevent log files being overwritten or deleted) |
| | Versioning is not enabled |
| | No bucket replication for high-value workloads (minimal backups) |
| EBS | EBS snapshots are publicly accessible |
| | No snapshot/backup policy |
| | Large number of orphaned volumes containing confidential data |
| WAF | CloudFront distributions have no WAF attached |
| | WAF rules are inadequate |
| | WAF is not consistently in front of all incoming traffic |
| | WAF is not in blocking mode (rules only count matches, never block) |
| | No logging or alerting on WAF events |
| DDoS | Lack of consistent DDoS protection |
| Encryption | CloudFront origin protocol policy does not enforce HTTPS-only to the origin |
| | EBS volumes are not encrypted |
| | S3 data is not encrypted |
| | TLS is not enforced between ELB and EC2 (backend connections are plain HTTP) |
| | RDS instances are not encrypted |
| | Redshift clusters are not encrypted |
| Compliance | Lack of visibility of current compliance status |
| | No file integrity monitoring for PCI workloads |
| | No domain boundary program: lack of documentation on how PCI workloads are isolated (logically or otherwise) |
| Logging | CloudTrail is not enabled on the account |
| | VPC Flow Logs are not enabled |
| | No system logs shipped from EC2 instances |
| | No centralised logging |
| | S3 access logging is not enabled |
| | Confidential data, secrets and customer data are often written to CloudWatch Logs during debugging |
| Security Groups | Security groups allow internet traffic to undesired ports |
| | Default security group does not restrict all traffic |
| | Security groups do not follow least privilege for ports and CIDR ranges |
| | Many groups allow RDP/SSH from any IP (0.0.0.0/0) |
| Incident Response | Insufficient playbooks for AWS incident response |
| | Insufficient access to communication channels (e.g. Slack, JIRA, Trello, email) during incidents |
| | Lack of alerting for high-risk events |
| Vulnerability Management | AMIs are not hardened |
| | No patching process for instances |
| | No vulnerability scanning of instances |
| Costs | Lack of alerting and reporting for cost control |
| | Incorrectly sized instances |
Source: https://cloudonaut.io/aws-security-primer/
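The Security Groups row lists four findings that can all be read directly from the rule set of each group. The Python below is an added example, not code from the cloudonaut primer, that audits groups in the shape EC2 `DescribeSecurityGroups` returns (`IpPermissions` with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`, `UserIdGroupPairs`): SSH or RDP from anywhere, other ports open to the internet, and a default group that still carries inbound rules. The sample groups, their IDs and the assumption that only 80 and 443 are meant to face the internet are constructed for illustration.

```python
"""Offline audit of security group rules for the Security Groups findings in the
threat table. Added example; sample groups below are constructed in the shape
of the EC2 DescribeSecurityGroups response."""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WEB_PORTS = {80, 443}            # assumption: the only ports expected to face the internet
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _open_sources(perm):
    """CIDR sources on a rule that mean 'the whole internet' (IPv4 or IPv6)."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in ANYWHERE)


def _covers_tcp_port(perm, port):
    """True if the rule admits TCP traffic to port (protocol -1 means all traffic)."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _port_label(perm):
    lo, hi, proto = perm.get("FromPort"), perm.get("ToPort"), perm.get("IpProtocol")
    return f"{lo}/{proto}" if lo == hi else f"{lo}-{hi}/{proto}"


def audit_security_group(sg):
    """Return a list of finding strings for one security group."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        sources = _open_sources(perm)
        if not sources:
            continue  # limited to specific CIDRs or to other security groups
        src = ", ".join(sources)
        if str(perm.get("IpProtocol")) == "-1":
            findings.append(f"all traffic open to {src}")
            continue
        admin_hits = [f"{label} ({port}/tcp) open to {src}"
                      for port, label in ADMIN_PORTS.items() if _covers_tcp_port(perm, port)]
        findings.extend(admin_hits)
        # A rule for exactly one admin or web port is already covered (or accepted);
        # anything else, including ranges, is an undesired internet-facing port.
        single = perm.get("FromPort") if perm.get("FromPort") == perm.get("ToPort") else None
        if single not in WEB_PORTS and single not in ADMIN_PORTS:
            findings.append(f"port {_port_label(perm)} open to {src}")
    if sg.get("GroupName") == "default" and sg.get("IpPermissions"):
        findings.append("default security group has inbound rules")
    return findings


def audit_security_groups(groups):
    """Map GroupId -> findings, omitting clean groups."""
    report = {}
    for sg in groups:
        findings = audit_security_group(sg)
        if findings:
            report[sg["GroupId"]] = findings
    return report


# Constructed sample groups (IDs are illustrative, not real AWS identifiers).
SAMPLE_GROUPS = [
    {"GroupName": "default", "GroupId": "sg-default-example", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "app-bad", "GroupId": "sg-app-bad-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # Same application tier, least privilege: SSH from the bastion subnet only,
    # the database port reachable only from the app tier's own group.
    {"GroupName": "app-good", "GroupId": "sg-app-good-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-app-good-example"}]}]},
]

if __name__ == "__main__":
    for group_id, findings in audit_security_groups(SAMPLE_GROUPS).items():
        print(group_id)
        for finding in findings:
            print("  -", finding)
```

Rules whose source is another security group or a specific CIDR never reach the internet checks, which is the least-privilege shape the table asks for: admin ports from a bastion range, data-tier ports from the application tier's group, and only the web ports from 0.0.0.0/0.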