If you’re using AWS, it is easy to assume your cloud security is handled – but that is a dangerous misconception. AWS secures its own infrastructure, but security inside a cloud environment remains the customer’s responsibility.
Think of AWS security like protecting a building: AWS provides strong walls and a solid roof, but it is up to the customer to fit the locks, install the alarm systems, and make sure valuables aren’t left exposed.
In this blog, we’ll clarify what AWS does not secure, highlight real-world vulnerabilities, and show how cloud security scanners like Intruder can help.
Understanding the AWS Shared Responsibility Model
AWS operates on a Shared Responsibility Model. In simple terms:
- AWS is responsible for securing the underlying infrastructure (e.g., hardware, networking, data centers) – the “walls and roof.”
- The customer is responsible for securing their data, applications, and configurations within AWS – the “locks and alarms.”
Understanding this distinction is essential for maintaining a secure AWS environment.
5 Real-World AWS Vulnerabilities You Need to Address
Let’s look at some real-world vulnerabilities that fall under the customer’s responsibility and what can be done to mitigate them.
Server-Side Request Forgery (SSRF)
Applications hosted in AWS are still vulnerable to attacks like SSRF, where attackers trick a server into making requests on their behalf. These attacks can lead to unauthorized data access and further exploitation.
To defend against SSRF:
- Regularly scan for and fix vulnerabilities in applications.
- Enable AWS IMDSv2, which provides an additional security layer against SSRF attacks. AWS provides this safeguard, but configuring it is the customer’s responsibility.
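The IMDSv2 check is easy to automate. The following is an added example, not code from the original post or from Intruder: it walks output in the shape of `aws ec2 describe-instances`, flags instances whose metadata endpoint still accepts token-less (IMDSv1) requests, and prints the AWS CLI command that enforces IMDSv2. The instance IDs and values are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances --output json`;
# the instance IDs and values are made up for this example.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0000000000000aaaa",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0000000000000bbbb",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0000000000000cccc",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]}]})


def find_imdsv1_instances(describe_output: str) -> list[str]:
    """Return IDs of instances whose metadata endpoint still answers
    token-less (IMDSv1) requests, i.e. what an SSRF could reach."""
    data = json.loads(describe_output)
    exposed = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            # A disabled endpoint cannot be reached at all, so skip it.
            if opts.get("HttpEndpoint") != "enabled":
                continue
            # "optional" means IMDSv1 is still accepted alongside IMDSv2.
            if opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def remediation_command(instance_id: str) -> str:
    """AWS CLI call that enforces IMDSv2 on a running instance."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} --http-tokens required "
            "--http-endpoint enabled")


if __name__ == "__main__":
    for iid in find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES):
        print(remediation_command(iid))
```

Enforcing IMDSv2 does not fix the SSRF itself; it only removes the instance credentials as an easy target, so the application bug still needs patching.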
Access Control Weaknesses
AWS Identity and Access Management (IAM) lets customers manage who can access which resources – but it is only as strong as its implementation. Customers are responsible for ensuring users and systems have access only to the resources they actually need.
Common missteps include:
- Overly permissive roles and access
- Missing security controls
- Accidentally public S3 buckets
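Two of these missteps, wildcard grants and publicly readable buckets, can be caught by inspecting the policy documents. The following is an added example, not code from the original post or from Intruder; the two policy documents are constructed for illustration.

```python
import json

# Constructed IAM role policy: one tightly scoped statement, one wildcard grant.
ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-app-data/*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
]})

# Constructed bucket policy that makes every object world-readable.
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-data/*"},
]})


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcard_statements(policy_json: str) -> list[str]:
    """Return Sids of Allow statements granting every action (or a whole
    service such as 's3:*') on every resource."""
    flagged = []
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if broad_action and "*" in resources:
            flagged.append(st.get("Sid", f"statement[{i}]"))
    return flagged


def is_public_bucket_policy(policy_json: str) -> bool:
    """True if an unconditioned Allow statement names the anonymous
    principal ('*' or {'AWS': '*'}), i.e. the bucket is public."""
    for st in json.loads(policy_json)["Statement"]:
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict)
            and "*" in _as_list(principal.get("AWS", [])))
        if st.get("Effect") == "Allow" and anonymous and "Condition" not in st:
            return True
    return False
```

Bucket ACLs and the account-level S3 Block Public Access settings are separate controls, so this check covers only the bucket policy.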
Data Exposures
AWS customers are responsible for the security of the data they store in the cloud – and for how their applications access that data.
For example, if your application connects to an AWS Relational Database Service (RDS) instance, the customer must ensure that the application does not expose sensitive data to attackers. A simple vulnerability like an Insecure Direct Object Reference (IDOR) is all it would take for an attacker with a user account to access data belonging to all other users.
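The IDOR described above, shown side by side with its fix, as an added example that is not code from the original post or from Intruder. An in-memory SQLite table stands in for the RDS database, and the invoice rows are constructed for illustration.

```python
import sqlite3


def seed_db() -> sqlite3.Connection:
    """Create an in-memory table with invoices belonging to two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, "
                 "owner_id INTEGER NOT NULL, amount TEXT NOT NULL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1, 100, "alice-invoice"), (2, 200, "bob-invoice")])
    return conn


def get_invoice_insecure(conn, requester_id: int, invoice_id: int):
    """Vulnerable: trusts the client-supplied invoice id and never checks
    ownership, so any authenticated user can read any invoice."""
    row = conn.execute("SELECT id, owner_id, amount FROM invoices WHERE id = ?",
                       (invoice_id,)).fetchone()
    return row  # requester_id is ignored: this is the IDOR


def get_invoice(conn, requester_id: int, invoice_id: int):
    """Fixed: the query is scoped to the authenticated user's own records,
    so a foreign id simply yields no row (return None -> 403/404)."""
    row = conn.execute(
        "SELECT id, owner_id, amount FROM invoices "
        "WHERE id = ? AND owner_id = ?",
        (invoice_id, requester_id)).fetchone()
    return row


if __name__ == "__main__":
    db = seed_db()
    # User 200 (Bob) asks for invoice 1, which belongs to user 100 (Alice).
    print("insecure:", get_invoice_insecure(db, 200, 1))  # leaks Alice's row
    print("fixed:   ", get_invoice(db, 200, 1))           # None
```

The important detail is that the ownership check lives in the query itself, using the identity from the authenticated session rather than anything the client sends.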
Patch Management
It almost goes without saying, but AWS does not patch servers! Customers who deploy EC2 instances are fully responsible for keeping the operating system (OS) and software up to date.
Take Redis deployed on Ubuntu 24.04, for example – the customer is responsible for patching vulnerabilities in both the software (Redis) and the OS (Ubuntu). AWS only manages underlying hardware vulnerabilities, like firmware issues.
AWS services like Lambda reduce some patching obligations, but you are still responsible for using supported runtimes and keeping things up to date.
Firewalls and Attack Surface
AWS gives customers control over their attack surface, but is not responsible for what they choose to expose.
For instance, if a GitLab server is deployed on AWS, the customer is responsible for placing it behind a VPN, using a firewall, or putting it inside a Virtual Private Cloud (VPC), while ensuring their team has a secure way to access it. Otherwise, a zero-day vulnerability could leave your data compromised, and AWS will not be at fault.
The Key Takeaway
These examples make one thing clear: cloud security does not come out of the box. While AWS secures the underlying infrastructure, everything built on top of it is the customer’s responsibility. Overlooking that fact can expose an organization to serious risk – but with the right tools, staying secure is entirely within reach.
Level Up Your Cloud Security With Intruder
Intruder helps you stay ahead of all these vulnerabilities and more by combining agentless cloud security scanning, vulnerability scanning, and attack surface management in one powerful, easy-to-use platform.
Why it is a game changer:
- Find what others miss: Intruder combines external vulnerability scanning with data from AWS accounts to find risks that other solutions might miss.
- No false alarms: CSPM tools can overstate severity. Intruder prioritizes real risks so you can focus on what truly matters.
- Crystal clear fixes: Issues are explained in plain English with step-by-step remediation guidance.
- Continuous protection: Stay ahead with continuous monitoring and alerts when new risks emerge.
- Predictable pricing: Unlike other cloud security tools that can rack up unpredictable costs, there are no surprise charges with Intruder.
Get set up in minutes and receive instant insights into your cloud security – start your 14-day free trial today.