Mar 31, 2025 | The Hacker News | Intrusion Detection / Vulnerability

For those utilizing Amazon Web Services (AWS), it is essential to recognize that the security of their cloud environment is not entirely handled by AWS. Although AWS secures its infrastructure, the security within the cloud remains the responsibility of the customer.

A suitable analogy for AWS security is comparing it to protecting a building. AWS provides a strong foundation and structure, similar to the walls and roof of a building. However, the customer is responsible for ensuring the security of the interior, including the installation of locks and alarm systems, as well as safeguarding valuables from exposure.

This article aims to clarify the aspects of security that AWS does not cover, highlight real-world vulnerabilities, and demonstrate how cloud security scanners, such as Intruder, can assist in addressing these issues.

Understanding the AWS Shared Responsibility Model

AWS operates based on a Shared Responsibility Model. In essence, this model dictates that:

  • AWS is responsible for securing the underlying infrastructure, including hardware, networking, and data centers, which can be thought of as the “walls and roof” of the cloud environment.
  • The customer is responsible for securing their data, applications, and configurations within AWS, akin to the “locks and alarms” in the building analogy.

It is crucial to understand this distinction to maintain a secure AWS environment.

5 Real-World AWS Vulnerabilities You Need to Address

Let’s examine some real-world vulnerabilities that fall under the customer’s responsibility and discuss ways to mitigate them.

Server-Side Request Forgery (SSRF)

Applications hosted in AWS are still susceptible to attacks like SSRF, where attackers deceive a server into making requests on their behalf. These attacks can result in unauthorized data access and further exploitation.

To defend against SSRF:

  • Regularly scan and fix vulnerabilities in applications.
  • Enable AWS IMDSv2, which provides an additional security layer against SSRF attacks. Although AWS offers this safeguard, configuration is the customer’s responsibility.
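An added example (not from the article or Intruder) of checking the second point from the customer's side: it audits EC2 instances for the IMDS settings that leave the metadata service reachable by an SSRF, working on the structure boto3's describe_instances() returns so it runs against captured data. The instance IDs and settings are constructed samples.

```python
"""Audit EC2 instances for IMDSv1 exposure, the SSRF path to instance credentials.

Operates on the "Reservations" structure that boto3's ec2.describe_instances()
returns, so it runs against a captured response with no network access.
"""


def imds_findings(instance):
    """Return findings for one instance dict in describe_instances shape."""
    opts = instance.get("MetadataOptions", {})
    iid = instance.get("InstanceId", "<unknown>")
    findings = []
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return findings  # metadata service off: nothing for an SSRF to reach
    if opts.get("HttpTokens", "optional") != "required":
        # Remediation: aws ec2 modify-instance-metadata-options
        #   --instance-id <id> --http-tokens required --http-endpoint enabled
        findings.append(f"{iid}: IMDSv1 still allowed (HttpTokens=optional)")
    hops = opts.get("HttpPutResponseHopLimit", 1)
    if hops > 1:
        # A hop limit of 1 keeps the IMDSv2 token response on the host itself;
        # raise it only where containers on the instance legitimately need IMDS.
        findings.append(f"{iid}: HttpPutResponseHopLimit={hops}, consider 1")
    return findings


def audit_reservations(reservations):
    """Flatten describe_instances() output into a list of finding strings."""
    return [f for res in reservations
            for inst in res.get("Instances", [])
            for f in imds_findings(inst)]


# Constructed sample response; instance IDs are placeholders, not real ones.
SAMPLE = [{"Instances": [
    {"InstanceId": "i-0example1", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example2", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0example3", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example4", "MetadataOptions": {
        "HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]

if __name__ == "__main__":
    # Live use: import boto3; reservations = boto3.client("ec2").describe_instances()["Reservations"]
    for line in audit_reservations(SAMPLE):
        print(line)
```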

Access Control Weaknesses

AWS Identity and Access Management (IAM) allows customers to manage access to resources, but its effectiveness depends on its implementation. Customers are responsible for ensuring that users and systems only have access to the resources they truly need.

Common mistakes include:

  • Overly permissive roles and access
  • Missing security controls
  • Accidentally public S3 buckets
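An added example (not the article's or Intruder's code) that catches the first and third mistakes above: a small linter for IAM policy documents that flags Allow statements granting wildcard actions on every resource, plus a check of an S3 bucket's Public Access Block settings in the shape s3.get_public_access_block() returns. The policies and bucket settings are constructed samples; statements carrying a Condition are skipped here by design.

```python
"""Lint IAM policy documents for the "overly permissive" pattern and check an S3
bucket's Public Access Block. Policies and settings below are constructed samples.
"""
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def overly_permissive_statements(policy):
    """Indexes of Allow statements that grant wildcard actions on every resource."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    hits = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        # "*" or "service:*" are wildcards; Allow + NotAction means "everything except".
        wild_action = "NotAction" in stmt or any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in _as_list(stmt.get("Resource"))
        if wild_action and wild_resource and "Condition" not in stmt:
            hits.append(idx)
    return hits


def public_access_block_gaps(config):
    """Names of Public Access Block settings that are not enabled for a bucket.

    Takes the "PublicAccessBlockConfiguration" dict from s3.get_public_access_block();
    a bucket with no block configured at all yields every key.
    """
    return [k for k in PAB_KEYS if not config.get(k, False)]


ADMIN_ROLE_POLICY = {  # constructed: a role that quietly became account-wide admin
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed: wildcard but conditioned
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/env": "dev"}}}]}
```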

Data Exposures

AWS customers are responsible for the security of the data they store in the cloud and how their applications access that data.

For example, if an application connects to an AWS Relational Database Service (RDS), the customer must ensure that the application does not expose sensitive data to attackers. A simple vulnerability like an Insecure Direct Object Reference (IDOR) could allow an attacker with a user account to access data belonging to all other users.
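The IDOR described above, as an added example that is not part of the article: the vulnerable lookup beside the fixed one, run against an in-memory SQLite table standing in for the RDS database (the query shape is the same on RDS MySQL or PostgreSQL). Table, rows and user IDs are constructed for the example.

```python
"""IDOR against an RDS-backed record lookup, shown with an in-memory SQLite stand-in
(constructed for this example; the query shape is the same against RDS MySQL/PostgreSQL).
"""
import sqlite3

DENIED_ACCESS_LOG = []  # what the fixed handler records, for detection


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, 100, 50), (2, 200, 75), (3, 100, 20)])  # constructed rows
    return db


def get_invoice_vulnerable(db, invoice_id, current_user):
    """Vulnerable: the id comes straight from the request and ownership is never
    checked, so user 100 can read invoice 2, which belongs to user 200."""
    return db.execute("SELECT id, owner_id, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()


def get_invoice_fixed(db, invoice_id, current_user):
    """Fixed: the authenticated user's id is part of the query, so a foreign id
    yields no row. Callers should answer None with 404 rather than 403, so the
    response does not confirm that the record exists; the miss is still logged."""
    row = db.execute("SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
                     (invoice_id, current_user)).fetchone()
    if row is None:
        DENIED_ACCESS_LOG.append({"user": current_user, "invoice": invoice_id})
    return row
```

A burst of entries in the denied-access log from one user walking through sequential ids is the detection signal for this class of bug.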

Patch Management

It is essential to note that AWS does not patch servers. Customers who deploy EC2 instances are fully responsible for keeping the operating system (OS) and software up to date.

Consider Redis deployed on Ubuntu 24.04 as an example – the customer is responsible for patching vulnerabilities in both the software (Redis) and the OS (Ubuntu). AWS only manages underlying hardware vulnerabilities, such as firmware issues.

AWS services like Lambda reduce some patching responsibilities, but customers are still responsible for using supported runtimes and keeping things up to date.

Firewalls and Attack Surface

AWS provides customers with control over their attack surface but is not responsible for what they choose to expose.

For instance, if a GitLab server is deployed on AWS, the customer is responsible for layering it behind a VPN, using a firewall, or placing it inside a Virtual Private Cloud (VPC) while ensuring their team has a secure way to access it. Otherwise, a zero-day vulnerability could compromise the data, and AWS would not be at fault.
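An added example (not the article's or Intruder's code) of auditing the exposure the paragraph warns about: it walks the list boto3's ec2.describe_security_groups() returns and flags ingress rules open to the whole internet, allowing only an example allow-list of public ports. Group IDs, rules and the allow-list are constructed assumptions for this example.

```python
"""Flag security-group ingress rules that expose a service to the whole internet.

Operates on the "SecurityGroups" list that boto3's ec2.describe_security_groups()
returns. The groups below are constructed for this example.
"""

WORLD = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {443}  # example policy: only HTTPS may be world-reachable


def _port_label(perm):
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def world_sources(perm):
    """Return the any-address CIDRs (v4 and v6) that one permission admits."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD]
    return v4 + v6


def exposed_rules(groups):
    """(GroupId, protocol, port label, sources) for every world-open rule that is
    not a single port on the public allow-list."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = world_sources(perm)
            if not sources:
                continue
            single = perm.get("IpProtocol") != "-1" and perm.get("FromPort") == perm.get("ToPort")
            if single and perm.get("FromPort") in ALLOWED_PUBLIC_PORTS:
                continue
            findings.append((sg["GroupId"], perm.get("IpProtocol"), _port_label(perm), sources))
    return findings


SAMPLE_GROUPS = [  # constructed; group IDs are placeholders
    {"GroupId": "sg-gitlab", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```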

The Key Takeaway

These examples demonstrate that cloud security is not a default setting. While AWS secures the underlying infrastructure, everything built on top of it is the customer’s responsibility. Overlooking this fact can expose an organization to significant risk, but with the right tools, staying secure is entirely achievable.

Level Up Your Cloud Security With Intruder

Intruder helps you stay ahead of these vulnerabilities and more by combining agentless cloud security scanning, vulnerability scanning, and attack surface management in one powerful, easy-to-use platform.

Here’s why it’s a game-changer:

  • Find what others miss: Intruder combines external vulnerability scanning with information from AWS accounts to find risks that other solutions might miss.
  • No false alarms: Cloud Security Posture Management (CSPM) tools can overhype severity. Intruder prioritizes real risks, so you can focus on what truly matters.
  • Crystal-clear fixes: Issues are explained in plain English with step-by-step remediation guidance.
  • Continuous protection: Stay ahead with continuous monitoring and alerts when new risks emerge.
  • Predictable pricing: Unlike other cloud security tools that can rack up unpredictable costs, there are no surprise charges with Intruder.

Get set up in minutes and receive instant insights into your cloud security – start your 14-day free trial today.

This article is a contributed piece from one of our valued partners.