
5 Impactful AWS Vulnerabilities You're Responsible For


Mar 31, 2025 | The Hacker News | Intrusion Detection / Vulnerability

If you're using AWS, it is easy to assume your cloud security is handled, but that is a dangerous misconception. AWS secures its own infrastructure, but security inside a cloud environment remains the customer's responsibility.

Think of AWS security like protecting a building: AWS provides strong walls and a solid roof, but it is up to the customer to fit the locks, install the alarm systems, and make sure valuables aren't left exposed.

In this blog, we'll clarify what AWS doesn't secure, highlight real-world vulnerabilities, and show how cloud security scanners like Intruder can help.

Understanding the AWS Shared Responsibility Model

AWS operates on a Shared Responsibility Model. In simple terms:

  • AWS is responsible for securing the underlying infrastructure (e.g., hardware, networking, data centers) – the "walls and roof."
  • The customer is responsible for securing their data, applications, and configurations inside AWS – the "locks and alarms."

Understanding this distinction is essential for maintaining a secure AWS environment.

5 Real-World AWS Vulnerabilities You Need to Address

Let's look at some real-world vulnerabilities that fall under the customer's responsibility and what can be done to mitigate them.

Server-Side Request Forgery (SSRF)

Applications hosted in AWS are still vulnerable to attacks like SSRF, where attackers trick a server into making requests on their behalf. On EC2 the classic target is the instance metadata service (IMDS) at 169.254.169.254, which will hand over the temporary credentials of the instance's IAM role. These attacks can lead to unauthorized data access and further exploitation.

To defend against SSRF:

  • Regularly scan for and fix vulnerabilities in your applications.
  • Require IMDSv2, which adds an extra layer of protection against SSRF: a session token must first be obtained with a PUT request carrying a custom header, which a typical SSRF primitive cannot issue. AWS provides this safeguard, but turning it on is the customer's responsibility.
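The application-side half of that defense is to refuse outbound requests to the metadata service and other internal addresses in the first place. The following is an added example, not code from the original article or from Intruder: a small outbound-URL guard that resolves the hostname and rejects any answer pointing at IMDS (169.254.169.254, or fd00:ec2::254 when IMDS IPv6 is enabled), loopback, link-local or private ranges. The `demo_resolve` resolver and the `DEMO_DNS` table are constructed so the example runs offline; in production the default `resolve_host` is used. The instance-side half is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required` (or `--metadata-options HttpTokens=required` at `run-instances` time).

```python
import ipaddress
import socket
from urllib.parse import urlparse

# IMDS endpoints on EC2 (IPv4, and the IPv6 address used when IMDS IPv6 is enabled).
IMDS_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}
ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host: str) -> list[str]:
    """Production resolver: every address the name resolves to (IP literals resolve to themselves)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_forbidden_address(addr: str) -> bool:
    """True for IMDS, loopback, link-local, RFC 1918/ULA and other non-routable targets."""
    ip = ipaddress.ip_address(addr)
    return (
        ip in IMDS_ADDRESSES
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_private
        or ip.is_reserved
        or ip.is_multicast
        or ip.is_unspecified
    )


def check_outbound_url(url: str, resolve=resolve_host) -> tuple[bool, str]:
    """Decide whether the application may fetch a user-supplied URL.

    Returns (allowed, reason). Every resolved address is checked, so a hostname an
    attacker points at 169.254.169.254 is rejected just like the literal IP.
    Re-run this on every redirect target: HTTP clients follow redirects by default.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = resolve(host)
    except (socket.gaierror, ValueError):
        return False, f"cannot resolve {host}"
    for addr in addresses:
        if is_forbidden_address(addr):
            return False, f"{host} resolves to forbidden address {addr}"
    return True, "ok"


# Constructed DNS answers so the demo runs offline (hypothetical names).
DEMO_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.attacker.example": ["169.254.169.254"],  # attacker-controlled alias for IMDS
}


def demo_resolve(host: str) -> list[str]:
    """Offline stand-in for resolve_host; IP literals resolve to themselves."""
    return DEMO_DNS.get(host) or [str(ipaddress.ip_address(host))]


if __name__ == "__main__":
    for u in [
        "https://api.example.com/v1/report",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://metadata.attacker.example/latest/meta-data/",
        "http://[fd00:ec2::254]/latest/meta-data/",
        "file:///etc/passwd",
    ]:
        print(u, "->", check_outbound_url(u, resolve=demo_resolve))
```

Because the check runs on resolved addresses rather than on the hostname string, it also catches DNS aliases for IMDS; it does not by itself close a DNS-rebinding window between this check and the actual connect, which is why requiring IMDSv2 on the instance remains the primary control.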

Access Control Weaknesses

AWS Identity and Access Management (IAM) lets customers control who can access which resources, but it is only as strong as its implementation. Customers are responsible for ensuring that users and systems have access only to the resources they genuinely need.

Common missteps include:

  • Overly permissive roles and policies
  • Missing security controls
  • Accidentally public S3 buckets
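All three missteps show up in policy documents, so they can be caught before deployment. The following is an added example, not code from the article or from Intruder: a small linter over IAM policy JSON that flags the patterns behind the list above, namely `Action` wildcards, `Resource "*"` with no `Condition`, `iam:PassRole` on every role (a common privilege-escalation enabler), and an anonymous `Principal` (`"*"` or `{"AWS": "*"}`) in a resource policy, which is what makes a bucket public. The policy documents are constructed for the example; names like `app-uploads` are hypothetical.

```python
import json

ACTION_WILDCARD = "ACTION_WILDCARD"      # Action "*" or "service:*"
RESOURCE_WILDCARD = "RESOURCE_WILDCARD"  # Resource "*" with no Condition
PASSROLE_ANY = "PASSROLE_ANY"            # iam:PassRole on every role
PUBLIC_PRINCIPAL = "PUBLIC_PRINCIPAL"    # Principal "*" / {"AWS": "*"} with no Condition
NEGATED_MATCH = "NEGATED_MATCH"          # NotAction / NotResource: allows everything except, review by hand


def _as_list(value):
    """Policy JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_policy_risks(policy: dict) -> list[tuple[int, str]]:
    """Return (statement_index, finding_code) pairs for risky Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, ACTION_WILDCARD))
        if "*" in resources and not has_condition:
            findings.append((i, RESOURCE_WILDCARD))
        if "iam:passrole" in actions and "*" in resources:
            findings.append((i, PASSROLE_ANY))
        if _is_public_principal(stmt.get("Principal")) and not has_condition:
            findings.append((i, PUBLIC_PRINCIPAL))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, NEGATED_MATCH))
    return findings


# Constructed policies for the demo.
ADMIN_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}')

PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::app-uploads/*"}],
}

DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::app-uploads/*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
    ],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::app-uploads/*"}],
}

if __name__ == "__main__":
    for name, pol in [("admin", ADMIN_POLICY), ("public bucket", PUBLIC_BUCKET_POLICY),
                      ("developer", DEVELOPER_POLICY), ("least privilege", LEAST_PRIVILEGE_POLICY)]:
        print(f"{name}: {find_policy_risks(pol)}")
```

A bucket policy is only one of the ways a bucket becomes public; ACLs and the account- and bucket-level Block Public Access settings (`aws s3api get-public-access-block --bucket <name>`, `aws s3control get-public-access-block --account-id <id>`) should be checked alongside it.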

Data Exposures

AWS customers are responsible for the security of the data they store in the cloud, and for how their applications access that data.

For example, if your application connects to an Amazon Relational Database Service (RDS) instance, the customer must ensure that the application doesn't expose sensitive data to attackers. A simple vulnerability like an Insecure Direct Object Reference (IDOR) is all it would take for an attacker with an ordinary user account to read data belonging to every other user.
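What an IDOR looks like in the data-access layer, as an added example rather than code from the article: a lookup keyed on the client-supplied id alone beside the fixed version that scopes the query to the authenticated user, plus a helper that walks sequential ids the way an attacker would. An in-memory SQLite table stands in for the RDS table (constructed data; the query shapes are what matter, not the engine). Both queries are parameterised, so the bug is a missing authorisation check, not SQL injection.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for an RDS table of per-customer invoices."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", 1200), (2, "bob", 9900), (3, "alice", 450)],
    )
    conn.commit()
    return conn


def get_invoice_vulnerable(conn, current_user: str, invoice_id: int):
    """IDOR: the row is selected by the client-supplied id alone.

    current_user is accepted but never used in the query, so any logged-in user
    can read any invoice by changing the id in the request.
    """
    return conn.execute(
        "SELECT id, owner, amount_cents FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_fixed(conn, current_user: str, invoice_id: int):
    """Scope every lookup to the caller.

    A row the user does not own comes back as None, the same as a missing row,
    so the handler can return 404 and give an enumerating attacker nothing.
    """
    return conn.execute(
        "SELECT id, owner, amount_cents FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchone()


def ids_readable_by(conn, user: str, lookup, id_range=range(1, 11)) -> list[int]:
    """Simulate an attacker walking sequential ids and recording which rows come back."""
    return [i for i in id_range if lookup(conn, user, i) is not None]


if __name__ == "__main__":
    db = build_demo_db()
    print("bob via vulnerable handler:", ids_readable_by(db, "bob", get_invoice_vulnerable))  # [1, 2, 3]
    print("bob via fixed handler:     ", ids_readable_by(db, "bob", get_invoice_fixed))       # [2]
```

The same ownership predicate belongs on update and delete paths too; fixing only the read handler leaves the write-side IDOR in place.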

Patch Management

It almost goes without saying, but AWS doesn't patch your servers! Customers who deploy EC2 instances are fully responsible for keeping the operating system (OS) and software up to date.

Take Redis deployed on Ubuntu 24.04, for example: the customer is responsible for patching vulnerabilities in both the software (Redis) and the OS (Ubuntu). AWS only manages vulnerabilities in the underlying hardware, such as firmware issues.

AWS services like Lambda reduce some patching obligations, but you are still responsible for using supported runtimes and keeping your own code and its dependencies up to date.

Firewalls and Attack Surface

AWS gives customers control over their attack surface, but isn't responsible for what they choose to expose.

For instance, if a GitLab server is deployed on AWS, the customer is responsible for placing it behind a VPN, restricting inbound access with security groups or a firewall, or keeping it on private subnets within a Virtual Private Cloud (VPC), while making sure their team has a secure way to reach it. Otherwise, a zero-day vulnerability could leave your data compromised, and AWS won't be at fault.
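The inbound rules that decide this live in security groups, and they can be audited mechanically. The following is an added example, not code from the article or from Intruder: it takes a security group in the shape returned by `aws ec2 describe-security-groups` (`IpPermissions` with `IpRanges`/`Ipv6Ranges`) and reports every rule open to `0.0.0.0/0` or `::/0`, rating it high when it covers a well-known admin or database port and letting the caller whitelist the ports a public-facing group is meant to expose. The group ids and CIDRs are constructed for the example.

```python
WORLD = {"0.0.0.0/0", "::/0"}

# Well-known ports that should essentially never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}


def _world_ranges(perm: dict) -> list[str]:
    """CIDRs in this rule that mean 'anyone'. UserIdGroupPairs (other SGs) are not world-open by definition."""
    v4 = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    v6 = [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in v4 + v6 if c in WORLD]


def audit_security_group(sg: dict, allowed_public_ports=frozenset()) -> list[tuple[str, str, str]]:
    """Return (group_id, port_spec, severity) for each inbound rule open to the world.

    allowed_public_ports lists the ports this group is meant to expose, e.g. {443} on a public
    load balancer; a single-port rule on one of those is not reported.
    """
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        if not _world_ranges(perm):
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":                       # all protocols, all ports
            findings.append((gid, "all traffic", "high"))
            continue
        if proto not in ("tcp", "udp"):         # icmp etc. carry no port range
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        if lo == hi and lo in allowed_public_ports:
            continue
        sensitive = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
        spec = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
        findings.append((gid, spec, "high" if sensitive else "medium"))
    return findings


def _rule(proto, lo, hi, *cidrs):
    """Build one IpPermissions entry in describe-security-groups shape (demo helper)."""
    return {
        "IpProtocol": proto, "FromPort": lo, "ToPort": hi,
        "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
        "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c],
    }


# Constructed groups. The first is the GitLab server as often deployed: SSH and the web UI open to everyone.
GITLAB_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    _rule("tcp", 22, 22, "0.0.0.0/0"),
    _rule("tcp", 80, 80, "0.0.0.0/0", "::/0"),
    _rule("tcp", 443, 443, "0.0.0.0/0"),
]}
# The same server reachable only from the VPN / office range.
HARDENED_GITLAB_SG = {"GroupId": "sg-0123456789abcdef1", "IpPermissions": [
    _rule("tcp", 22, 22, "10.20.0.0/16"),
    _rule("tcp", 443, 443, "10.20.0.0/16"),
]}
# A public load balancer that is supposed to serve HTTPS to the world.
PUBLIC_ALB_SG = {"GroupId": "sg-0123456789abcdef2", "IpPermissions": [
    _rule("tcp", 443, 443, "0.0.0.0/0", "::/0"),
]}

if __name__ == "__main__":
    print(audit_security_group(GITLAB_SG))
    print(audit_security_group(HARDENED_GITLAB_SG))
    print(audit_security_group(PUBLIC_ALB_SG, allowed_public_ports={443}))
```

Running this across every group in an account is a few lines of boto3 on top; the useful part is the allowlist, which keeps the report to what is unintentionally exposed rather than every public web tier.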

The Key Takeaway

These examples make one thing clear: cloud security doesn't come out of the box. While AWS secures the underlying infrastructure, everything built on top of it is the customer's responsibility. Overlooking that fact can expose an organization to serious risk, but with the right tools, staying secure is entirely within reach.

Level Up Your Cloud Security With Intruder

Intruder helps you stay ahead of these vulnerabilities and more by combining agentless cloud security scanning, vulnerability scanning, and attack surface management in one powerful, easy-to-use platform.

Why it's a game changer:

  • Find what others miss: Intruder combines external vulnerability scanning with data from your AWS accounts to find risks that other solutions might miss.
  • No false alarms: CSPM tools can overstate severity. Intruder prioritizes real risks so you can focus on what actually matters.
  • Crystal clear fixes: Issues are explained in plain English with step-by-step remediation guidance.
  • Continuous protection: Stay ahead with continuous monitoring and alerts when new risks emerge.
  • Predictable pricing: Unlike other cloud security tools that can rack up unpredictable costs, there are no surprise charges with Intruder.

Get set up in minutes and receive instant insights into your cloud security: start your 14 day free trial today.

This article is a contributed piece from one of The Hacker News' partners.
