| Components |
Threats |
| IAM |
- IAM policy allows assume role permission across all services (
assume/pass:*) - Overly permissive IAM roles (wildcards)
- Overly permissive read access allows visibility to some customer data stores
- Elasticsearch IAM policy allows internet traffic
- AWS IAM deprecated managed policies in use by User
- Access to modify security groups/ NACLs/ ENI's/ Route tables is not restricted in Prod
- Access to KMS is not restricted
|
| MFA |
- Users do not have MFA activated for accounts
|
| Root Account |
- MFA is not enabled on Root account
- Root account email is not on a distribution list
|
| Secrets / Keys |
- Access keys are not rotated in line with industry standard best practice (90 days)
- KMS - default keys are used
- KMS - Keys are shared across services and functions where separate envelope keys should be used
- KMS - Access policies are too permissive. Too many services can call decrypt function for keys
|
| S3 |
- AWS S3 Bucket has Global DELETE Permissions enabled via bucket policy
- AWS S3 Bucket has Global GET Permissions enabled via bucket policy
- S3 buckets are accessible to any authenticated user
- S3 buckets are accessible to public
- Log buckets are not sufficiently protected from PUT's (to protect against file over-ride/ deletes etc)
- Versioning is not enabled
- No bucket replication for high value workloads (minimal backups)
|
| EBS |
- EBS snapshots are accessible to public
- No snapshot/ backup policy
- Large number of orphaned volumes with confidential data
|
| WAF |
- CloudFront distributions lack a WAF
- WAF has inadequate policies
- WAF is not consistently in front of all incoming traffic
- WAF is not in blocking mode
- No logging/ alerting on WAF
|
| DDoS |
- Lack of consistent DDoS protection
|
| Encryption |
- AWS CloudFront origin protocol policy does not enforce HTTPS-only
- EBS volumes lack encryption
- S3 lack of encryption
- TLS is not enforced between ELB - EC2
- RDS lack of encryption
- Redshift lack of encryption
|
| Compliance |
- Lack of visibility of current compliance status
- No file integrity monitoring for PCI workloads
- No domain boundary program - lack of documentation around how PCI workloads are isolated (logically or otherwise)
|
| Logging |
- CloudTrail is not enabled on the account
- VPC Flow Logs are not enabled
- No sys logs from EC2
- No centralised logging
- Lack of S3 access logs
- Confidential/secrets/customer data often written to Cloudwatch during debugging
|
| Security Groups |
- AWS Security Groups allow internet traffic to undesired ports
- Default Security Group does not restrict all traffic
- Security groups do not follow least privilege with regards to ports/ CIDR ranges
- Many groups allow RDP/SSH from any ip
|
| Incident Response |
- Insufficient playbooks for AWS incident response
- Insufficient access to comms channels (e.g. Slack/JIRA/Trello/Email) for incidents
- Lack of alerting for high risk events
|
| Vulnerability Management |
- AMIs are not hardened
- No patching process for instances
- No vulnerability scanning on instances
|
| Costs |
- Lack of alerting and reporting for cost control
- Incorrectly sized instances
|
Source: https://cloudonaut.io/aws-security-primer/