The 10 Most Common AWS Misconfigurations

WHITEPAPER

Source: click.cloudcheckr.com/rs/222-ENM-584/images/10_Most... · 2020-01-19

Copyright Notice

External Publication of CloudCheckr Inc. Any information that is to be used in advertising, press releases, or promotional materials requires prior written approval from CloudCheckr's CEO. A draft of the proposed document should accompany any such request. CloudCheckr reserves the right to deny approval of external usage for any reason. Copyright 2017 CloudCheckr. Reproduction without written permission is completely forbidden.

Table of Contents

Overview 3

Security Best Practice Checks 4
  1. Inadequate Password Policies 4
  2. Inadequate or Inconsistent Use of AWS S3 Encryption 5
  3. CloudTrail Not Enabled 5
  4. VPC Security Groups with Overly Permissive Inbound Rules 6

Cost Best Practice Checks 6
  5. Idle Resources 6
  6. Previous Generation Resources 7
  7. Not Leveraging Reserved Instances 7

Operational Best Practice Checks 8
  8. Underutilized Reserved Instances 8
  9. Ineffective Tagging Strategies 9
  10. Unintentionally Exposing Resources to the Public 9

Take Action Today 10

Reference Links 10

About CloudCheckr 10


Overview

Getting started on the Amazon Web Services (AWS) cloud is relatively straightforward, and it empowers teams as never before to accelerate their business and innovate faster.

To make the most of AWS, organizations must ensure the compliance and security of their infrastructure while optimizing cloud costs and expenses. Yet with AWS releasing new features and services nearly every day, this can prove challenging in a continuously evolving environment.

In this white paper we discuss ten of the most common AWS misconfigurations and typical recommendations for resolving them. We've broken these common errors down into three buckets: security, cost, and operational best practices.


Security Best Practice Checks

Below are some of the most common pitfalls in cloud security. Checking for each of these across your AWS accounts is a MUST in order to support secure and stable infrastructure.

1. Inadequate Password Policies

When a new AWS account is created, its password policy enforces only a six-character minimum; other checks, such as password rotation, password complexity, and password reuse prevention, are not enabled. It is important for any organization to ensure that the AWS account password policy meets its internal compliance standards.

As the image above demonstrates, AWS provides comprehensive password policy settings, which you should always ensure are properly enabled. Any deviation from the standardized password policy should immediately be flagged.

AWS exposes APIs for checking the password policy across AWS accounts. Using these APIs, one can pull the existing password policy and compare it against the defined standard. Automatic alerts can be set to trigger whenever there is a deviation; the alert can then be handled by the support team and used in any subsequent investigation. Additionally, various third-party solutions are available to help validate the password policy. CloudCheckr recommends adjusting password policies with regard to complexity, length, composition, expiration, etc.
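The comparison this paragraph describes, written out as an added example (this is not code from the CloudCheckr paper). The policy dict uses the keys that boto3's iam.get_account_password_policy() returns in its PasswordPolicy element; the baseline numbers are one organization's assumed standard, and the sample account policy is constructed. A fresh account returns no policy object at all, which the check treats as the six-character default the paper mentions.

```python
"""Compare an account's IAM password policy against an internal baseline.

Added example; it is not code from the CloudCheckr paper. The policy dict has
the keys boto3 returns from iam.get_account_password_policy()["PasswordPolicy"];
the baseline numbers and the sample account policy are constructed.
"""

# Internal standard (assumption: one organization's baseline, not an AWS default).
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,           # days: the policy must be at most this
    "PasswordReusePrevention": 24,  # remembered passwords: at least this
}

AT_LEAST = {"MinimumPasswordLength", "PasswordReusePrevention"}
AT_MOST = {"MaxPasswordAge"}

# A fresh account has no policy object at all: GetAccountPasswordPolicy raises
# NoSuchEntity and only the six-character minimum the paper mentions applies.
DEFAULT_POLICY = {"MinimumPasswordLength": 6}

# Constructed sample: a policy someone tightened a little, but not enough.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 180,
    "PasswordReusePrevention": 5,
    "HardExpiry": False,
}


def find_deviations(policy, baseline=BASELINE):
    """Return a list of findings (empty means compliant).

    policy is the PasswordPolicy dict, or None when the account has never had
    a policy set. Missing keys count as "not enabled" / "not set".
    """
    if policy is None:
        policy = DEFAULT_POLICY
    findings = []
    for key, want in baseline.items():
        have = policy.get(key)
        if isinstance(want, bool):
            if want and not have:
                findings.append(f"{key} is not enabled")
        elif have is None:
            findings.append(f"{key} is not set (baseline {want})")
        elif key in AT_MOST and have > want:
            findings.append(f"{key}={have} exceeds baseline maximum {want}")
        elif key in AT_LEAST and have < want:
            findings.append(f"{key}={have} is below baseline minimum {want}")
    return findings


def fetch_live_policy():
    """Pull the real policy with boto3 (needs credentials; not used by the sample run)."""
    import boto3  # real SDK; imported lazily so everything else works offline

    iam = boto3.client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None


if __name__ == "__main__":
    for label, policy in (("sample account", SAMPLE_POLICY), ("untouched account", None)):
        print(f"{label}:")
        for finding in find_deviations(policy) or ["compliant"]:
            print("  -", finding)
```

Feeding the finding list to an alerting channel whenever it is non-empty gives the "automatic alert on deviation" the paper recommends; a scheduled run per account is enough, since the policy changes rarely and every change is also visible in CloudTrail as an UpdateAccountPasswordPolicy event.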


2. Inadequate or Inconsistent Use of AWS S3 Encryption

While security is paramount, organizations often make the mistake of not encrypting the data they store on Amazon S3. It is recommended to encrypt confidential data both going into and coming out of Amazon S3. Amazon S3 offers encryption for data in transit by leveraging SSL, or through client-side encryption. Amazon also provides server-side encryption and client-side encryption for data at rest. However, even when an organization does encrypt its data stored on Amazon S3, it is sometimes done in an inadequate or inconsistent manner. It is therefore recommended that the organization decide how encrypted data will be stored on Amazon S3. For server-side encryption, one can use AWS KMS and the Amazon S3 encryption options. For client-side encryption, users upload already-encrypted data to AWS S3 and control the encryption keys, protocol, etc., themselves. It is important to run periodic scans across AWS S3 buckets to ensure the data stored in them is encrypted. One can leverage the AWS S3 APIs to check the encryption status and take the necessary corrective actions. Third-party tools such as CloudCheckr also provide capabilities to identify and report on the encryption state of AWS S3 buckets.
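The periodic scan this section calls for, as an added example (not code from the CloudCheckr paper). The input dicts mirror what boto3's s3.get_bucket_encryption() and s3.head_object() return, so a live run only has to replace the constructed sample with real API output; bucket names, object keys and the KMS key ARN are constructed. The example also shows the two ways "inconsistent" encryption shows up in practice: objects uploaded before a bucket default was set stay plaintext, and a bucket can mix SSE-S3 and SSE-KMS objects.

```python
"""Audit the encryption state of S3 buckets and the objects in them.

Added example; it is not code from the CloudCheckr paper. The configuration
dicts mirror boto3's s3.get_bucket_encryption(Bucket=...) (None stands for the
ServerSideEncryptionConfigurationNotFoundError case, i.e. no default set) and
s3.head_object(Bucket=..., Key=...). Bucket names, keys and the KMS key ARN
are constructed.
"""

# Buckets the organization has designated for client-side encryption
# (assumption). S3 cannot see that encryption, so a server-side scan would
# report their objects as plaintext; they are listed separately instead.
CLIENT_SIDE_BUCKETS = {"client-side-uploads"}


def default_algorithm(encryption_config):
    """Bucket-level default SSE algorithm ('AES256' or 'aws:kms'), or None."""
    if not encryption_config:
        return None
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm"):
            return sse["SSEAlgorithm"]
    return None


def object_algorithm(head):
    """Algorithm recorded on one object: 'AES256', 'aws:kms', 'SSE-C' or None."""
    if head.get("SSECustomerAlgorithm"):
        return "SSE-C"
    return head.get("ServerSideEncryption")


def audit_bucket(name, encryption_config, object_heads):
    """Return findings for one bucket; an empty list means encrypted and consistent."""
    if name in CLIENT_SIDE_BUCKETS:
        return ["client-side encryption bucket: verify key handling outside S3"]
    findings = []
    default = default_algorithm(encryption_config)
    if default is None:
        findings.append("no default encryption configured")
    per_object = {key: object_algorithm(head) for key, head in object_heads.items()}
    # A default applies only to new uploads, so objects written before it was
    # set (or uploaded with a different explicit header) must be checked one by one.
    plaintext = sorted(key for key, alg in per_object.items() if alg is None)
    if plaintext:
        findings.append(f"{len(plaintext)} unencrypted object(s): {', '.join(plaintext)}")
    algorithms = {alg for alg in per_object.values() if alg}
    if default:
        algorithms.add(default)
    if len(algorithms) > 1:
        findings.append("inconsistent encryption: " + ", ".join(sorted(algorithms)))
    return findings


# Constructed sample: bucket name -> (encryption config, {object key: head_object fields}).
SAMPLE_BUCKETS = {
    "finance-exports": (
        {"ServerSideEncryptionConfiguration": {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
        {"q1.csv": {"ServerSideEncryption": "aws:kms"},
         "q2.csv": {"ServerSideEncryption": "aws:kms"}},
    ),
    "logs-archive": (
        {"ServerSideEncryptionConfiguration": {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        {"2017/01.gz": {"ServerSideEncryption": "AES256"},
         "2017/02.gz": {"ServerSideEncryption": "aws:kms"},
         "2017/03.gz": {}},  # uploaded before the default was set
    ),
    "client-side-uploads": (None, {"blob.bin": {}}),
}


def audit_all(buckets=SAMPLE_BUCKETS):
    """Map bucket name -> findings: the report a periodic scan would produce."""
    return {name: audit_bucket(name, cfg, heads) for name, (cfg, heads) in buckets.items()}


if __name__ == "__main__":
    for bucket, findings in audit_all().items():
        print(bucket, "->", findings or ["OK"])
```

On a real account the object-level part is the expensive half (one HeadObject per object), so it is usually sampled or driven from S3 inventory reports rather than run over every key on every scan.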

3. CloudTrail Not Enabled

CloudTrail is one of the essential services used across AWS to audit and track changes happening across the environment, along with user and IP information. For any organization it is critical to monitor changes and ensure that any unauthorized change is immediately detected and followed up on. In a rapidly scaling environment it is relatively easy to miss enabling CloudTrail to help enforce cloud security. Consequently, the organization loses the ability to track changes happening in its environment.

Enabling the CloudTrail service should be an organization's priority right after creating an AWS account. It should be enabled not only in one's default region but across all regions, to ensure coverage of global services. However, enabling CloudTrail is just the first step; the next step is ensuring that CloudTrail is always enabled and working correctly, with logs delivered to an Amazon S3 bucket. Third-party tools like CloudCheckr offer the capability to continuously monitor the state of one's CloudTrail and report whenever any deviation from best practice is observed.
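The "enabled everywhere and still delivering" check from the two paragraphs above, as an added example (not code from the CloudCheckr paper). Trail dicts follow what boto3's cloudtrail.describe_trails() returns and the status dicts follow cloudtrail.get_trail_status(); the trail names, ARNs, account id, bucket name and timestamps are constructed. The sample deliberately contains the failure modes a monitoring check has to catch: a trail that covers a single region only, a trail someone stopped, and a delivery error against the S3 bucket.

```python
"""Check that CloudTrail covers every region and is actually delivering logs.

Added example; it is not code from the CloudCheckr paper. Trail dicts follow
cloudtrail.describe_trails()["trailList"] and the status dicts follow
cloudtrail.get_trail_status(Name=<TrailARN>); names, ARNs, the account id and
timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_DELIVERY_GAP = timedelta(hours=1)  # assumption: alert when S3 delivery stalls this long

NOW = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)
LEGACY_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-us-east-1"
ORG_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"

SAMPLE_TRAILS = [
    {"Name": "legacy-us-east-1", "TrailARN": LEGACY_ARN, "HomeRegion": "us-east-1",
     "S3BucketName": "audit-logs-111122223333", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": False},
    {"Name": "org-trail", "TrailARN": ORG_ARN, "HomeRegion": "us-east-1",
     "S3BucketName": "audit-logs-111122223333", "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": True},
]
SAMPLE_STATUSES = {
    LEGACY_ARN: {"IsLogging": True, "LatestDeliveryTime": NOW - timedelta(minutes=20)},
    # Someone ran StopLogging, and the bucket policy was broken as well.
    ORG_ARN: {"IsLogging": False, "LatestDeliveryTime": NOW - timedelta(hours=3),
              "LatestDeliveryError": "AccessDenied"},
}


def trail_problems(trail, status, now=NOW):
    """Findings for one trail; an empty list means it is healthy."""
    problems = []
    if not trail.get("S3BucketName"):
        problems.append("no S3 bucket configured")
    if not trail.get("IsMultiRegionTrail"):
        problems.append(f"covers only {trail.get('HomeRegion', 'its home region')}")
    if not trail.get("IncludeGlobalServiceEvents"):
        problems.append("global service events (IAM, STS, CloudFront) not included")
    if not status.get("IsLogging"):
        problems.append("logging is stopped")
    if status.get("LatestDeliveryError"):
        problems.append(f"delivery error: {status['LatestDeliveryError']}")
    last = status.get("LatestDeliveryTime")
    if last is None:
        problems.append("never delivered to S3")
    elif now - last > MAX_DELIVERY_GAP:
        problems.append(f"last delivery {now - last} ago")
    return problems


def evaluate_account(trails, statuses, now=NOW):
    """Return (covered, findings). covered is True only when at least one trail
    spans all regions, includes global services, is logging and is delivering."""
    findings, covered = [], False
    if not trails:
        findings.append("no trails configured in this account")
    for trail in trails:
        problems = trail_problems(trail, statuses.get(trail["TrailARN"], {}), now)
        if problems:
            findings.extend(f"{trail['Name']}: {p}" for p in problems)
        else:
            covered = True
    return covered, findings


if __name__ == "__main__":
    ok, issues = evaluate_account(SAMPLE_TRAILS, SAMPLE_STATUSES)
    print("all-region coverage:", ok)
    for issue in issues:
        print(" -", issue)
```

The "covered" flag is the one to page on: an account can have several trails and still have no multi-region trail that is actually writing logs, which is exactly the gap the paper warns about.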

Try CloudCheckr's free S3 Bucket Check tool to check if your buckets are secure.


4. VPC Security Groups with Overly Permissive Inbound Rules

The majority of attacks on an environment can be avoided by following simple cloud security rules, which include avoiding overly permissive inbound security group rules. Amid the focus on making things work on AWS, engineers may overlook locking down their security groups to restricted IP addresses, leaving the environment vulnerable to various attacks.

It is not easy for any organization to constantly keep watch over security group configurations. CloudCheckr identifies, through several best practice checks, VPCs that allow traffic from all IPs and ports or from overly broad ranges of IPs and ports. Once these are reported, an organization can take the necessary mitigation actions and close down the overly exposed ports or IPs. Customers can also implement alerts linked to Amazon CloudTrail to notify themselves whenever a user launches an instance with ports exposed to 0.0.0.0/0.
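Both halves of this section, the inventory check for rules open to all IPs or overly broad ranges and the CloudTrail-driven alert, as one added example (not code from the CloudCheckr paper). Security group dicts follow boto3's ec2.describe_security_groups() output and the event follows the CloudTrail record format; group ids, addresses and the account id are constructed, and the /16 threshold for "overly broad" is an assumption.

```python
"""Find inbound security group rules open to the world, and recognize the
CloudTrail event that creates such a rule.

Added example; it is not code from the CloudCheckr paper. Security group dicts
follow ec2.describe_security_groups()["SecurityGroups"]; the event follows a
CloudTrail record as delivered to S3. Group ids, addresses and the account id
are constructed.
"""
import ipaddress

ANYWHERE = {"0.0.0.0/0", "::/0"}
BROAD_PREFIX = 16  # assumption: an IPv4 range wider than /16 is "overly broad"


def rule_span(perm):
    """Port span of one IpPermissions entry, e.g. 'tcp/22' or 'all protocols/ports'."""
    if perm.get("IpProtocol") == "-1":
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"


def is_broad(cidr):
    """True for any-address ranges and for IPv4 ranges wider than BROAD_PREFIX."""
    if cidr in ANYWHERE:
        return True
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and net.prefixlen < BROAD_PREFIX


def permissive_ingress(groups):
    """Return (group id, port span, cidr, severity) for each questionable rule."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in ANYWHERE:
                    severity = "high" if perm.get("IpProtocol") == "-1" else "medium"
                    findings.append((sg["GroupId"], rule_span(perm), cidr, severity))
                elif is_broad(cidr):
                    findings.append((sg["GroupId"], rule_span(perm), cidr, "low"))
    return findings


def event_opens_world(record):
    """True when an AuthorizeSecurityGroupIngress call included 0.0.0.0/0 or ::/0.
    This is the condition a CloudTrail-driven alert matches on."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for item in perms:
        v4 = [r.get("cidrIp") for r in item.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in item.get("ipv6Ranges", {}).get("items", [])]
        if ANYWHERE & set(v4 + v6):
            return True
    return False


SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},  # office range: fine
    {"GroupId": "sg-0e5f6a7b", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

SAMPLE_EVENT = {
    "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
    "sourceIPAddress": "203.0.113.7",
    "requestParameters": {"groupId": "sg-0e5f6a7b", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}}]}},
}

if __name__ == "__main__":
    for finding in permissive_ingress(SAMPLE_GROUPS):
        print(finding)
    print("alert on sample event:", event_opens_world(SAMPLE_EVENT))
```

A rule for 443 from everywhere on a web tier is often intentional, which is why the inventory check grades findings rather than failing on any 0.0.0.0/0; the event matcher, by contrast, fires on every world-open authorization so that the change is reviewed while it is fresh.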

Cost Best Practice Checks

Of course, security is just part of the picture. Several potentially problematic areas of AWS cost management can wreak havoc on budgets and prevent organizations from making the most of their cloud. Considering each of these, on a continuing basis, will help lower costs and ensure the benefits of using AWS.

5. Idle Resources

Idle resources, including AWS EC2 Instances, AWS Elastic Load Balancers, AWS ElastiCache Nodes, AWS RDS DB Instances, and AWS Redshift Nodes, can all wind up adding hidden costs to your AWS usage. One of the reasons people end up spending more on AWS than anticipated is that they provision more resources than they need. For example, a developer might predict that his or her application will require an m4.large instance type, considering the workload and compute requirements. But after deployment, idle resources and an over-provisioned environment may become apparent. This results in paying for more than is needed. There is also a possibility that some resources are simply provisioned but never used.

It is recommended to perform periodic reviews of one's resources to ensure they are used to their full capacity. If they are not, it is recommended to downgrade the environment and save on cloud expenses. However, the definition of "idle" is an abstract one. Before considering any resource idle, one should first review every aspect of the resource, from CPU and memory to network in/out. It is also recommended to clean up resources that are not in use. Amazon's Trusted Advisor service allows customers to review underutilized resources and suggests downgrading or decommissioning them, as do other third-party tools such as CloudCheckr. With CloudCheckr, organizations can easily turn off instances with the click of a button, or automate this task to happen according to predetermined settings.


6. Previous Generation Resources

As long as previous generation resources seem to be working fine, many users may not make it a priority to upgrade them to the latest generation. This, however, can be a problem, as current generation instance types offer better performance at a relatively lower cost than the old ones.

To make efficient use of AWS resources, it is recommended to periodically audit them and look into migrating them to current generation ones to achieve better performance and cost.

7. Not Leveraging Reserved Instances

One of the most common mistakes made by clients is that they don't purchase Reserved Instances for their environment. Amazon EC2 Reserved Instances can allow you to save 25-40% on cloud spend, with various discounted purchase options such as Full Upfront, Partial Upfront, and No Upfront. This year, Amazon evolved its Reserved Instances offerings by introducing Convertible Reserved Instances and making it even easier to make changes to Reserved Instances, from operating system to instance family to Availability Zone, etc.

Customers should cautiously analyze their environment before purchasing reserved instances for Amazon EC2, RDS, ElastiCache, and others, as they might be signed up for the wrong kind, something that can be locked in for one to three years. To take some of the guesswork out of reserved instance purchasing, some third-party solutions offer Reserved Instance recommendations with ROI cost comparisons and ROI projections, enabling customers to make more efficient purchase decisions.


Operational Best Practice Checks

Beyond cost and security challenges, there are a few operational considerations organizations should keep in mind to derive more value from their AWS investment.

8. Underutilized Reserved Instances

It is essential to ensure that reserved instances are utilized properly and that any underutilized reserved instances are immediately highlighted, so that the necessary corrective actions can be taken to ensure full usage. Customers may miss this part and assume that things are going in the right direction, until they get their monthly invoice from AWS and see that it is much higher than they expected. Customers should regularly audit the usage of their Reserved Instances. AWS has started offering reserved instance utilization reports, allowing customers to track their RI usage. CloudCheckr also identifies underutilized Reserved Instances, offering automation tools to reallocate and rebalance instances with the click of a button.


9. Ineffective Tagging Strategies

Tag management plays a crucial role in the overall management of resource utilization. Teams can develop automation scripts around tags to trigger necessary actions. For example, they might use a script to automatically shut down resources tagged with "Environment: Dev" during night hours to reduce unnecessary spend. These tags can also be applied in cost allocation reports to better understand expenses and to differentiate between development, testing, and production costs. Often, however, teams create divergent tagging standards that complicate what tag management was meant to simplify, for instance by using the tag "Development" instead of the simpler tag "Dev".

It is important to continuously review tagging standards and the tags applied across resources, and to immediately identify and address any variations. Tools like CloudCheckr offer insightful reports on what is tagged and how it is tagged. Tag Mapping allows users to readily report on and clean up inconsistent tag names. Tag management is a regular exercise, and the team should be regularly educated on it.
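The tag review and mapping described in this section, as an added example (not code from the CloudCheckr paper; its Tag Mapping feature is a product capability and this is an independent illustration). Resources carry the EC2-style Tags list; the required tag set, the alias tables and the sample resources are all constructed assumptions. It also shows why the mapping matters for the nightly shutdown script mentioned earlier: matching on the normalized value is what stops a "Development" instance from escaping a rule written for "Dev".

```python
"""Detect tagging drift and map variant tags onto one standard.

Added example; it is not code from the CloudCheckr paper (its Tag Mapping
feature is a product capability; this is an independent illustration).
Resources carry the EC2 Tags shape [{"Key": ..., "Value": ...}]; the required
tags, the alias tables and the sample resources are constructed.
"""

REQUIRED_TAGS = {"Environment", "Owner", "CostCenter"}  # assumption: the org standard

# Lower-cased variant key -> canonical key (assumption).
KEY_ALIASES = {"env": "Environment", "environment": "Environment", "owner": "Owner",
               "costcenter": "CostCenter", "cost_center": "CostCenter",
               "cost-center": "CostCenter"}

# Canonical value -> accepted lower-cased variants, per canonical key (assumption).
VALUE_ALIASES = {"Environment": {"Dev": {"dev", "development", "develop"},
                                  "Test": {"test", "testing", "qa"},
                                  "Prod": {"prod", "production", "prd"}}}


def normalize(tags):
    """Return (canonical {key: value}, list of corrections that were needed)."""
    canonical, notes = {}, []
    for tag in tags:
        key, value = tag["Key"], tag["Value"]
        canon_key = KEY_ALIASES.get(key.lower(), key)
        if canon_key != key:
            notes.append(f"key {key!r} -> {canon_key!r}")
        canon_value = value
        for standard, variants in VALUE_ALIASES.get(canon_key, {}).items():
            if value.lower() in variants:
                canon_value = standard
                break
        if canon_value != value:
            notes.append(f"{canon_key}={value!r} -> {canon_value!r}")
        canonical[canon_key] = canon_value
    return canonical, notes


def audit(resources):
    """Per resource id: corrections needed, plus any required tags still missing."""
    report = {}
    for res in resources:
        tags, notes = normalize(res.get("Tags", []))
        missing = sorted(REQUIRED_TAGS - set(tags))
        if missing:
            notes.append("missing: " + ", ".join(missing))
        report[res["ResourceId"]] = notes
    return report


def night_shutdown_candidates(resources):
    """Resource ids whose normalized Environment is Dev: the set a nightly
    stop-instances script (as the paper describes) would act on."""
    return sorted(r["ResourceId"] for r in resources
                  if normalize(r.get("Tags", []))[0].get("Environment") == "Dev")


SAMPLE_RESOURCES = [
    {"ResourceId": "i-0aaa", "Tags": [{"Key": "env", "Value": "Development"},
                                      {"Key": "Owner", "Value": "alice"},
                                      {"Key": "CostCenter", "Value": "1001"}]},
    {"ResourceId": "i-0bbb", "Tags": [{"Key": "Environment", "Value": "Dev"},
                                      {"Key": "owner", "Value": "bob"}]},
    {"ResourceId": "i-0ccc", "Tags": [{"Key": "Environment", "Value": "Prod"},
                                      {"Key": "Owner", "Value": "carol"},
                                      {"Key": "cost-center", "Value": "2002"}]},
    {"ResourceId": "i-0ddd", "Tags": []},
]

if __name__ == "__main__":
    for rid, notes in audit(SAMPLE_RESOURCES).items():
        print(rid, notes or ["OK"])
    print("nightly shutdown set:", night_shutdown_candidates(SAMPLE_RESOURCES))
```

The corrections list doubles as the work queue for a clean-up run: each note names the key or value to rewrite, and resources with "missing" entries go back to their owners rather than being guessed at.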

10. Unintentionally Exposing Resources to the Public

It is no secret how much damage publicly exposed resources can cause to organizations. There are hundreds of examples on the web where organizations accidentally left confidential data in a public AWS S3 bucket, or left passwordless MongoDB instances on public-subnet instances with EIPs attached. These "accidents" or "human mistakes" not only result in exposing confidential information but can also give the organization a bad name and attract lawsuits that might greatly impact the business. It is an organization's responsibility to have the necessary checks enabled across its environment to avoid such mistakes and keep data safe. Organizations can use a combination of Amazon Trusted Advisor checks and third-party tools to enable proactive monitoring of their environments. Tools like CloudCheckr provide perimeter assessment reports, allowing users to readily determine publicly accessible resources on a region-by-region basis for a wide variety of services, including EC2, ELB, S3, RDS, etc.
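A small perimeter assessment covering the two cases this section names, the public S3 bucket and the instance with an EIP on a public subnet, as an added example (not code from the CloudCheckr paper; its perimeter assessment report is a product feature and this is an independent illustration). ACLs follow boto3's s3.get_bucket_acl() output, policies are the JSON document s3.get_bucket_policy() returns, instances follow ec2.describe_instances() and route tables follow ec2.describe_route_tables(); every name, id and address is constructed. The route-table step is what separates a real exposure from a false positive: an Elastic IP on a subnet without an Internet gateway route is not reachable.

```python
"""Perimeter assessment: which S3 buckets and instances can the Internet reach?

Added example; it is not code from the CloudCheckr paper. ACLs follow
s3.get_bucket_acl(), policies are the JSON string from
s3.get_bucket_policy()["Policy"] (None when the bucket has none), instances
follow ec2.describe_instances() and route tables follow
ec2.describe_route_tables(). Every name, id and address is constructed.
"""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def bucket_public_reasons(acl, policy_json):
    """Why a bucket is public: ACL grants to the global groups, or an Allow
    statement for Principal * that no Condition narrows down."""
    reasons = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GRANTEES.get(grant.get("Grantee", {}).get("URI"))
        if who:
            reasons.append(f"ACL grants {grant['Permission']} to {who}")
    for stmt in (json.loads(policy_json).get("Statement", []) if policy_json else []):
        principal = stmt.get("Principal")
        everyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and everyone and not stmt.get("Condition"):
            actions = stmt.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            reasons.append("policy allows " + ", ".join(actions) + " to everyone")
    return reasons


def routes_to_internet(route_table):
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in route_table.get("Routes", []))


def subnet_is_public(subnet_id, route_tables):
    """A subnet is public when its route table (explicit association, else the
    VPC main table) has a default route to an Internet gateway."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return routes_to_internet(rt)
            if assoc.get("Main"):
                main = rt
    return routes_to_internet(main) if main else False


def exposed_instances(instances, route_tables):
    """Instances with a public/Elastic IP that also sit on a public subnet. An EIP
    on a private subnet is unreachable from outside, and so is an instance with
    no public IP; security group rules would be a further filter, not applied here."""
    return [(i["InstanceId"], i["PublicIpAddress"]) for i in instances
            if i.get("PublicIpAddress") and subnet_is_public(i.get("SubnetId"), route_tables)]


ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
                              "Permission": "FULL_CONTROL"}]}
SAMPLE_BUCKETS = {  # name -> (ACL, bucket policy JSON or None); constructed
    "website-assets": (
        {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}, None),
    "customer-exports": (OWNER_ONLY_ACL, json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::customer-exports/*"}]})),
    "internal-reports": (OWNER_ONLY_ACL, json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::internal-reports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0EXAMPLE"}}}]})),
}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0EXAMPLE"}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0web", "SubnetId": "subnet-pub", "PublicIpAddress": "198.51.100.10"},
    {"InstanceId": "i-0mongo", "SubnetId": "subnet-priv", "PublicIpAddress": "198.51.100.20"},
    {"InstanceId": "i-0app", "SubnetId": "subnet-pub"},
]


def perimeter_report(buckets=SAMPLE_BUCKETS, instances=SAMPLE_INSTANCES,
                     route_tables=SAMPLE_ROUTE_TABLES):
    public = {}
    for name, (acl, policy) in buckets.items():
        reasons = bucket_public_reasons(acl, policy)
        if reasons:
            public[name] = reasons
    return {"public_buckets": public,
            "exposed_instances": exposed_instances(instances, route_tables)}


if __name__ == "__main__":
    print(json.dumps(perimeter_report(), indent=2))
```

The instance list from this report is the input for the next question the paper raises, whether the service listening there (the MongoDB example) actually requires authentication; that is a check against the host, not against AWS metadata, and is deliberately outside this script.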

Watch "Best Practices for Billing and Tagging" to learn how to tag your resources efficiently.

Download Hackproof Your Cloud to learn more about the cloud security paradigm.


Take Action Today

The checks above are not the only ones that matter across AWS environments. Each service on AWS offers a laundry list of checks covering security, budget, and operational aspects. As AWS uses a shared responsibility model, management of AWS resources is not solely AWS's responsibility: some aspects of AWS services are entirely the customer's responsibility to ensure. Proper controls must be utilized to keep up with an ever-changing AWS environment. While it may seem like a major undertaking, organizations operating in the cloud should do whatever they can, as soon as they can, to ensure a stable and sound security posture.

Reference Links

1. AWS Security Whitepaper: https://aws.amazon.com/whitepapers/aws-security-best-practices
2. Cost Optimization with AWS: https://d0.awsstatic.com/whitepapers/Cost_Optimization_with_AWS.pdf
3. AWS Operational Checklist: https://d0.awsstatic.com/whitepapers/aws-operational-checklists.pdf
4. Monitoring Security in AWS: http://cloudcheckr.com/document/monitoring-security-amazon-cloud

Try CloudCheckr for free for 14 days to see how we can help fix these and many more misconfigurations in your cloud environment.

About CloudCheckr

The CloudCheckr platform offers a single pane of glass across infrastructure to ensure total security and compliance while optimizing cost and expenses. With continuous monitoring, 450 best practice checks, and built-in automation, CloudCheckr helps organizations ensure compliance for highly regulated industries, with alerts, monitoring, and audits to meet FedRAMP, DFARS, HIPAA, PCI, and other security standards. With deeper intelligence across cloud infrastructure and a unified cloud management solution, organizations can prevent risks and mitigate threats before they occur. Get started at cloudcheckr.com/getstarted.

VISIT US ONLINE

  • Overview
  • Security Best Practice Checks
    • 1 Inadequate Password Policies
    • 2 Inadequate or Inconsistent Use of AWS S3 Encryption
    • 3 CloudTrail Not Enabled
    • 4 VPC Security Groups with Overly Permissive Inbound Rules
      • Cost Best Practice Checks
        • 5 Idle Resources
        • 6 Previous Generation Resources
        • 7 Not Leveraging Reserved Instances
          • Operational Best Practice Checks
            • 8 Underutilized Reserved Instances
            • 9 Ineffective Tagging Strategies
            • 10 Unintentionally Exposing Resources to the Public
              • Take Action Today
              • Reference Links
              • About CloudCheckr
Page 2: The 10 Most Common - CloudCheckrclick.cloudcheckr.com/rs/222-ENM-584/images/10_Most... · 2020-01-19 · The 10 Most Common AWS Misconfigurations 4 Security Best Practice Checks Below

The 10 Most Common AWS Misconfigurations 2

Copyright NoticeExternal Publication of CloudCheckr Inc mdash Any information that is to be used in advertising press releases or promotional materials requires prior written approval from CloudCheckrrsquos CEO A draft of the proposed document should accompany any such request CloudCheckr reserves the right to deny approval of external usage for any reason Copyright 2017 CloudCheckr Reproduction without written permission is completely forbidden

Table of Contents

Overview 3

Security Best Practice Checks 41 Inadequate Password Policies 42 Inadequate or Inconsistent Use of AWS S3 Encryption 53 CloudTrail Not Enabled 54 VPC Security Groups with Overly Permissive Inbound Rules 6

Cost Best Practice Checks 65 Idle Resources 66 Previous Generation Resources 77 Not Leveraging Reserved Instances 7

Operational Best Practice Checks 88 Underutilized Reserved Instances 89 Ineffective Tagging Strategies 910 Unintentionally Exposing Resources to the Public 9

Take Action Today 10

Reference Links 10

About CloudCheckr 10

The 10 Most Common AWS Misconfigurations 3

Overview

Getting started on Amazon Web Services (AWS) cloud is relatively straightforward and empowers teams as never before to accelerate their business and innovate faster

To make the most of AWS organizations must ensure compliance and security of their infrastructure while optimizing cloud cost and expenses Yet with AWS releasing new features and services nearly every day this can prove challenging in a continuously evolving environment

In this white paper we will discuss ten of the most common AWS misconfigurations and typical recommendations for resolving them Wersquove broken down these common errors in three buckets security cost and operational best practices

The 10 Most Common AWS Misconfigurations 4

Security Best Practice ChecksBelow are some of the most popular pitfalls in cloud security Checking for each of these across your AWS accounts is a MUST in order to support secure and stable infrastructure

1 Inadequate Password PoliciesWhen a new AWS account is created it is enabled with a password of six-characters minimum however other checks such as password rotation password complexity password reuse are not enabled It is important for any organization to ensure the AWS account password policy meets internal compliance standards

As the above image demonstrates AWS provides comprehensive password policy checks which you should always ensure are properly enabled Any deviation from the standardized password policy should immediately be flagged

AWS automatically exposes APIs to check for the password policy across AWS accounts Leveraging APIs one can pull the existing password policy and compare it against the defined standard Automatic alerts can be set to trigger if there is ever any deviation which can then be handled by the support team and used in any subsequent investigation Additionally there are various third-party solutions available to help validate the password policy CloudCheckr recommends adjusting password policies regarding complexity length composition expiration etc

The 10 Most Common AWS Misconfigurations 5

2 Inadequate or Inconsistent Use of AWS S3 EncryptionWhile security is paramount organizations often make the mistake of not encrypting their data stored on Amazon S3 It is recommended to encrypt confidential data both going in and out of Amazon S3 AmazonS3 offers encryption capabilities to data in transit by leveraging SSL or client side encryption Amazon also provides server side encryption and client-side encryption for data encryption at rest However though sometimes an organization does use encryption to encrypt their data stored on Amazon S3 it is sometimes done in an inadequate or inconsistent manner It is therefore recommended that the organization choose how to store encrypted data on Amazon S3 If it is the server-side encryption one can use AWS KMS and Amazon S3 Encryption solutions On the other hand for client-side encryption users can upload encrypted data on AWS S3 where they control the encryption keys protocol etc It is important to run periodic scans across AWS S3 buckets and ensure the data stored on them is encrypted One can leverage AWS S3 APIs to check the status of the encryption and take the necessary corrective actions Third-party tools such as CloudCheckr also provide capabilities to identify and report on the encryption state of the AWS S3 buckets

3 CloudTrail Not EnabledCloudTrail is one of the essential services used across AWS to audit and track changes happening across the environment along with user and IP information For any organization it is critical to monitor changes and ensure any unauthorized change is immediately detected and followed up on In a rapidly scaling environment it can be relatively easy to miss enabling CloudTrail to help enforce cloud security Consequently the organization would miss out on the ability to track any changes happening to their environment

Enabling CloudTrail service should be an organizationrsquos priority after they create their AWS account It should not only be enabled in onersquos default region but also across all regions to ensure coverage of global services However enabling CloudTrail service is just the first stepmdashthe next step requires ensuring that CloudTrail services are always enabled and working efficiently with logs delivered to Amazon S3 bucket Third-party tools like CloudCheckr offer the capability to continuously monitor the state of onersquos CloudTrail and report whenever any deviation from best practice is observed

Try CloudCheckrrsquos free S3 Bucket Check tool to check if your buckets are secure

The 10 Most Common AWS Misconfigurations 6

4 VPC Security Groups with Overly Permissive Inbound RulesThe majority of the attacks on an environment can be avoided by following simple cloud security rules which include avoiding overly permissive inbound security group rules Amid the focus to ensure that things work on AWS engineers may overlook locking down their security groups to restricted IP addresses leaving the environment vulnerable to various attacks

It is not easy for any organization to constantly keep watch over security group configurations CloudCheckr identifies through several best practice checks VPCs that allow traffic from all IPs and ports or overly broad ranges of IPs and ports Once reported an organization can take necessary mitigation actions and close down the overly exposed ports or IPs Also customers can implement alerts linked to Amazon CloudTrail to alert themselves whenever a user launches an instance with ports exposed to 00000

Cost Best Practice ChecksOf course security is just part of the picture Several potentially problematic areas of AWS cost management can wreak havoc on budgets and prevent organizations from making the most of their cloud Considering each of thesemdashon a continuing basismdashwill help lower costs and ensure the benefits of using AWS

5 Idle ResourcesIdle resources including AWS EC2 Instances AWS Elastic Load Balancers AWS ElastiCache Nodes AWS RDS DB Instances and AWS RedShift Nodes can all wind up adding hidden costs to your AWS usage One of the reasons people end up spending more on AWS than anticipated is because they end up provisioning more resources than they need For example a developer might predict that his or her application will require an m4large instance type considering the workload and compute requirements But after deployment idle resources and an over-provisioned environment may become apparent This results in paying for more than is needed There is also a possibility that some resources are just provisioned but not in use

It is recommended to perform periodic reviews of onersquos resources to ensure they are used to their full capacity If not it is recommended to downgrade the environment and save on cloud expenses However the definition of ldquoidlerdquo is abstractable Before considering any resource as idle one should first review every aspect of the resources from CPU Memory and Network INOUT It is also recommended to clean up resources not in use Amazonrsquos Trusted Advisor service allows customers to review underutilized resources and suggests to downgrade or decommission them as do other third-party tools such as CloudCheckr With CloudCheckr organizations can easily turn off instances with the click of a buttonmdashor automate this task to happen according to predetermined settings

The 10 Most Common AWS Misconfigurations 7

6 Previous Generation ResourcesAs long as previous generation resources are seemingly working fine many users may not make it a priority to upgrade the resources to the latest generation This however can be a problem as the current generation instance types offer better performance at a relatively lower cost than the old

To make efficient use of AWS resources it is recommended to periodically perform an audit of them and see about migrating them to the current generation ones to achieve better performance and cost

7 Not Leveraging Reserved InstancesOne of the most common mistakes made by clients is that they donrsquot purchase Reserved Instances for their environment Amazon EC2 Reserved Instances can allow you to save 25-40 on cloud spend with various discounted purchase options like Full Upfront Partial Upfront and No Upfront This year Amazon evolved their Reserved Instances offerings by introducing convertible Reserved Instances and making it even easier to make changes to Reserved Instances from operating system to instance family to availability zones etc

Customers should cautiously analyze their environment for reserved instance purchases for Amazon EC2 RDS Elasticache and others as they might be signed up for the wrong kind something that can be locked into for one to three years To take some of the guesswork out of reserved instance purchasing some third-party solutions offer Reserved Instances recommendations with ROI cost comparisons and ROI projections enabling customers to make more efficient purchase decisions

The 10 Most Common AWS Misconfigurations 8

Operational Best Practice ChecksBeyond cost and security challenges there are a few operational considerations organizations should keep in mind to derive more value from their AWS investment

8 Underutilized Reserved InstancesIt is essential to ensure that reserved instances are utilized properly and any underutilized reserved instances are immediately highlighted so that necessary corrective actions can be taken to ensure full usage Customers may miss this part and assume that things are going in the right directionmdashthat is until they get their monthly invoice from AWS and see that it is much higher than they expected Customers should regularly audit the usage of their Reserved Instances AWS has started offering reserved instance utilization reports allowing customers to track their RI usage CloudCheckr also identifies underutilized Reserved Instances offering automation tools to reallocate and rebalance instances with the click of a button

The 10 Most Common AWS Misconfigurations 9

9 Ineffective Tagging StrategiesTag management plays a very crucial role in the overall management of resource utilization Teams can develop automation scripts around tags to trigger necessary actions For example they might use a script to automatically shut down resources tagged with ldquoEnvironment Devrdquo during night hours to reduce unnecessary spend These tags can also be applied in cost allocation reports to better understand expenses and to differentiate between development testing and production costs Often however teams create different tagging standards that complicate the simplifying objective of tag management For instance using the tag ldquoDevelopmentrdquo instead of the simpler tag ldquoDevrdquo

It is important to continuously review tagging standards and applied tags across the resources and immediately identify and address any variations Tools like CloudCheckr offer insightful reports on what is tagged and how it is tagged Tag Mapping allows users to readily report and clean up inconsistent tag names Tag management is a regular exercise and the team should be regularly educated on this

10 Unintentionally Exposing Resources to the Public It is no secret how much damage publically exposed resources can cause to organizations There are hundreds of examples on the web where organizations accidently left confidential data in a public AWS S3 bucket or left passwordless MongoDB instances on public subnet instances with EIPs attached These ldquoaccidentalrdquo or ldquohuman mistakesrdquo not only result in exposing confidential information but can also give the organization a bad name and attract lawsuits that might greatly impact the business It is an organizationrsquos responsibility to have the necessary checks enabled across their environment to avoid such mistakes and keep data safe Organizations can use a combination of Amazon Trusted Advisor Checks and third-party tools to enable proactive monitoring on their environments Tools like CloudCheckr provide perimeter assessment reports allowing users to readily determine publically accessible resources on a region by region basis for a wide variety of services including EC2 ELB S3 RDS etc

Watch ldquoBest Practices for Billing and Taggingrdquo to learn how to tag your resources efficiently

Download Hackproof Your Cloud to learn more about the cloud security paradigm

The 10 Most Common AWS Misconfigurations 10

Take Action TodayThe above checks are not the only ones that matter across AWS environments Each service on AWS offers a laundry list of checks regarding security budget and operations aspects As AWS uses a shared responsibility model management of AWS resources is not only their responsibility some aspects of AWS services are entirely the customerrsquos responsibility to ensure Proper controls must be utilized in order to tackle every changing AWS environment while it may seem like a major undertaking organizations operating in the cloud should do whatever they can as soon as they can to ensure a stable and sound security posture

Reference Links1 AWS Security Whitepaper httpsawsamazoncomwhitepapersaws-security-best-practices 2 Cost Optimization with AWS httpsd0awsstaticcomwhitepapersCost_Optimization_with_AWSpdf 3 AWS Operational Checklist httpsd0awsstaticcomwhitepapersaws-operational-checklistspdf 4 Monitoring Security in AWS httpcloudcheckrcomdocumentmonitoring-security-amazon-cloud

About CloudCheckr

Try CloudCheckr for free for 14 days to see how we can help fix these and many more misconfigurations in your cloud environment.

The CloudCheckr platform offers a single pane of glass across infrastructure to ensure total security and compliance while optimizing cost and expenses. With continuous monitoring, 450 best practice checks and built-in automation, CloudCheckr helps organizations in highly regulated industries ensure compliance, with alerts, monitoring and audits to meet FedRAMP, DFARS, HIPAA, PCI and other security standards. With deeper intelligence across cloud infrastructure and a unified cloud management solution, organizations can prevent risks and mitigate threats before they occur. Get started at cloudcheckr.com/getstarted

  • Overview
  • Security Best Practice Checks
    • 1 Inadequate Password Policies
    • 2 Inadequate or Inconsistent Use of AWS S3 Encryption
    • 3 CloudTrail Not Enabled
    • 4 VPC Security Groups with Overly Permissive Inbound Rules
      • Cost Best Practice Checks
        • 5 Idle Resources
        • 6 Previous Generation Resources
        • 7 Not Leveraging Reserved Instances
          • Operational Best Practice Checks
            • 8 Underutilized Reserved Instances
            • 9 Ineffective Tagging Strategies
            • 10 Unintentionally Exposing Resources to the Public
              • Take Action Today
              • Reference Links
              • About CloudCheckr
Page 3: The 10 Most Common - CloudCheckrclick.cloudcheckr.com/rs/222-ENM-584/images/10_Most... · 2020-01-19 · The 10 Most Common AWS Misconfigurations 4 Security Best Practice Checks Below

The 10 Most Common AWS Misconfigurations 3

Overview

Getting started on Amazon Web Services (AWS) cloud is relatively straightforward and empowers teams as never before to accelerate their business and innovate faster

To make the most of AWS organizations must ensure compliance and security of their infrastructure while optimizing cloud cost and expenses Yet with AWS releasing new features and services nearly every day this can prove challenging in a continuously evolving environment

In this white paper we will discuss ten of the most common AWS misconfigurations and typical recommendations for resolving them Wersquove broken down these common errors in three buckets security cost and operational best practices

The 10 Most Common AWS Misconfigurations 4

Security Best Practice ChecksBelow are some of the most popular pitfalls in cloud security Checking for each of these across your AWS accounts is a MUST in order to support secure and stable infrastructure

1 Inadequate Password PoliciesWhen a new AWS account is created it is enabled with a password of six-characters minimum however other checks such as password rotation password complexity password reuse are not enabled It is important for any organization to ensure the AWS account password policy meets internal compliance standards

As the above image demonstrates AWS provides comprehensive password policy checks which you should always ensure are properly enabled Any deviation from the standardized password policy should immediately be flagged

AWS automatically exposes APIs to check for the password policy across AWS accounts Leveraging APIs one can pull the existing password policy and compare it against the defined standard Automatic alerts can be set to trigger if there is ever any deviation which can then be handled by the support team and used in any subsequent investigation Additionally there are various third-party solutions available to help validate the password policy CloudCheckr recommends adjusting password policies regarding complexity length composition expiration etc

The 10 Most Common AWS Misconfigurations 5

2 Inadequate or Inconsistent Use of AWS S3 EncryptionWhile security is paramount organizations often make the mistake of not encrypting their data stored on Amazon S3 It is recommended to encrypt confidential data both going in and out of Amazon S3 AmazonS3 offers encryption capabilities to data in transit by leveraging SSL or client side encryption Amazon also provides server side encryption and client-side encryption for data encryption at rest However though sometimes an organization does use encryption to encrypt their data stored on Amazon S3 it is sometimes done in an inadequate or inconsistent manner It is therefore recommended that the organization choose how to store encrypted data on Amazon S3 If it is the server-side encryption one can use AWS KMS and Amazon S3 Encryption solutions On the other hand for client-side encryption users can upload encrypted data on AWS S3 where they control the encryption keys protocol etc It is important to run periodic scans across AWS S3 buckets and ensure the data stored on them is encrypted One can leverage AWS S3 APIs to check the status of the encryption and take the necessary corrective actions Third-party tools such as CloudCheckr also provide capabilities to identify and report on the encryption state of the AWS S3 buckets

3 CloudTrail Not EnabledCloudTrail is one of the essential services used across AWS to audit and track changes happening across the environment along with user and IP information For any organization it is critical to monitor changes and ensure any unauthorized change is immediately detected and followed up on In a rapidly scaling environment it can be relatively easy to miss enabling CloudTrail to help enforce cloud security Consequently the organization would miss out on the ability to track any changes happening to their environment

Enabling CloudTrail service should be an organizationrsquos priority after they create their AWS account It should not only be enabled in onersquos default region but also across all regions to ensure coverage of global services However enabling CloudTrail service is just the first stepmdashthe next step requires ensuring that CloudTrail services are always enabled and working efficiently with logs delivered to Amazon S3 bucket Third-party tools like CloudCheckr offer the capability to continuously monitor the state of onersquos CloudTrail and report whenever any deviation from best practice is observed

Try CloudCheckrrsquos free S3 Bucket Check tool to check if your buckets are secure

The 10 Most Common AWS Misconfigurations 6

4 VPC Security Groups with Overly Permissive Inbound RulesThe majority of the attacks on an environment can be avoided by following simple cloud security rules which include avoiding overly permissive inbound security group rules Amid the focus to ensure that things work on AWS engineers may overlook locking down their security groups to restricted IP addresses leaving the environment vulnerable to various attacks

It is not easy for any organization to constantly keep watch over security group configurations CloudCheckr identifies through several best practice checks VPCs that allow traffic from all IPs and ports or overly broad ranges of IPs and ports Once reported an organization can take necessary mitigation actions and close down the overly exposed ports or IPs Also customers can implement alerts linked to Amazon CloudTrail to alert themselves whenever a user launches an instance with ports exposed to 00000

Cost Best Practice ChecksOf course security is just part of the picture Several potentially problematic areas of AWS cost management can wreak havoc on budgets and prevent organizations from making the most of their cloud Considering each of thesemdashon a continuing basismdashwill help lower costs and ensure the benefits of using AWS

5 Idle ResourcesIdle resources including AWS EC2 Instances AWS Elastic Load Balancers AWS ElastiCache Nodes AWS RDS DB Instances and AWS RedShift Nodes can all wind up adding hidden costs to your AWS usage One of the reasons people end up spending more on AWS than anticipated is because they end up provisioning more resources than they need For example a developer might predict that his or her application will require an m4large instance type considering the workload and compute requirements But after deployment idle resources and an over-provisioned environment may become apparent This results in paying for more than is needed There is also a possibility that some resources are just provisioned but not in use

It is recommended to perform periodic reviews of onersquos resources to ensure they are used to their full capacity If not it is recommended to downgrade the environment and save on cloud expenses However the definition of ldquoidlerdquo is abstractable Before considering any resource as idle one should first review every aspect of the resources from CPU Memory and Network INOUT It is also recommended to clean up resources not in use Amazonrsquos Trusted Advisor service allows customers to review underutilized resources and suggests to downgrade or decommission them as do other third-party tools such as CloudCheckr With CloudCheckr organizations can easily turn off instances with the click of a buttonmdashor automate this task to happen according to predetermined settings

The 10 Most Common AWS Misconfigurations 7

6 Previous Generation ResourcesAs long as previous generation resources are seemingly working fine many users may not make it a priority to upgrade the resources to the latest generation This however can be a problem as the current generation instance types offer better performance at a relatively lower cost than the old

To make efficient use of AWS resources it is recommended to periodically perform an audit of them and see about migrating them to the current generation ones to achieve better performance and cost

7 Not Leveraging Reserved InstancesOne of the most common mistakes made by clients is that they donrsquot purchase Reserved Instances for their environment Amazon EC2 Reserved Instances can allow you to save 25-40 on cloud spend with various discounted purchase options like Full Upfront Partial Upfront and No Upfront This year Amazon evolved their Reserved Instances offerings by introducing convertible Reserved Instances and making it even easier to make changes to Reserved Instances from operating system to instance family to availability zones etc

Customers should cautiously analyze their environment for reserved instance purchases for Amazon EC2 RDS Elasticache and others as they might be signed up for the wrong kind something that can be locked into for one to three years To take some of the guesswork out of reserved instance purchasing some third-party solutions offer Reserved Instances recommendations with ROI cost comparisons and ROI projections enabling customers to make more efficient purchase decisions

The 10 Most Common AWS Misconfigurations 8

Operational Best Practice ChecksBeyond cost and security challenges there are a few operational considerations organizations should keep in mind to derive more value from their AWS investment

8 Underutilized Reserved InstancesIt is essential to ensure that reserved instances are utilized properly and any underutilized reserved instances are immediately highlighted so that necessary corrective actions can be taken to ensure full usage Customers may miss this part and assume that things are going in the right directionmdashthat is until they get their monthly invoice from AWS and see that it is much higher than they expected Customers should regularly audit the usage of their Reserved Instances AWS has started offering reserved instance utilization reports allowing customers to track their RI usage CloudCheckr also identifies underutilized Reserved Instances offering automation tools to reallocate and rebalance instances with the click of a button

The 10 Most Common AWS Misconfigurations 9

9 Ineffective Tagging StrategiesTag management plays a very crucial role in the overall management of resource utilization Teams can develop automation scripts around tags to trigger necessary actions For example they might use a script to automatically shut down resources tagged with ldquoEnvironment Devrdquo during night hours to reduce unnecessary spend These tags can also be applied in cost allocation reports to better understand expenses and to differentiate between development testing and production costs Often however teams create different tagging standards that complicate the simplifying objective of tag management For instance using the tag ldquoDevelopmentrdquo instead of the simpler tag ldquoDevrdquo

It is important to continuously review tagging standards and applied tags across the resources and immediately identify and address any variations Tools like CloudCheckr offer insightful reports on what is tagged and how it is tagged Tag Mapping allows users to readily report and clean up inconsistent tag names Tag management is a regular exercise and the team should be regularly educated on this

10 Unintentionally Exposing Resources to the Public It is no secret how much damage publically exposed resources can cause to organizations There are hundreds of examples on the web where organizations accidently left confidential data in a public AWS S3 bucket or left passwordless MongoDB instances on public subnet instances with EIPs attached These ldquoaccidentalrdquo or ldquohuman mistakesrdquo not only result in exposing confidential information but can also give the organization a bad name and attract lawsuits that might greatly impact the business It is an organizationrsquos responsibility to have the necessary checks enabled across their environment to avoid such mistakes and keep data safe Organizations can use a combination of Amazon Trusted Advisor Checks and third-party tools to enable proactive monitoring on their environments Tools like CloudCheckr provide perimeter assessment reports allowing users to readily determine publically accessible resources on a region by region basis for a wide variety of services including EC2 ELB S3 RDS etc

Watch ldquoBest Practices for Billing and Taggingrdquo to learn how to tag your resources efficiently

Download Hackproof Your Cloud to learn more about the cloud security paradigm

The 10 Most Common AWS Misconfigurations 10

Take Action TodayThe above checks are not the only ones that matter across AWS environments Each service on AWS offers a laundry list of checks regarding security budget and operations aspects As AWS uses a shared responsibility model management of AWS resources is not only their responsibility some aspects of AWS services are entirely the customerrsquos responsibility to ensure Proper controls must be utilized in order to tackle every changing AWS environment while it may seem like a major undertaking organizations operating in the cloud should do whatever they can as soon as they can to ensure a stable and sound security posture

Reference Links1 AWS Security Whitepaper httpsawsamazoncomwhitepapersaws-security-best-practices 2 Cost Optimization with AWS httpsd0awsstaticcomwhitepapersCost_Optimization_with_AWSpdf 3 AWS Operational Checklist httpsd0awsstaticcomwhitepapersaws-operational-checklistspdf 4 Monitoring Security in AWS httpcloudcheckrcomdocumentmonitoring-security-amazon-cloud

Try CloudCheckr for free for 14 days to see how we can help fix these and many more misconfigurations in your cloud environment

The CloudCheckr platform offers a single pane of glass across infrastructure to ensure total security and compliance while optimizing cost and expenses With continuous monitoring 450 best practice checks and built-in automation CloudCheckr helps organizations to ensure compliance for highly regulated industries with alerts monitoring and audits to meet FedRAMP DFARS HIPAA PCI and other security standards With deeper intelligence across cloud infrastructure and a unified cloud management solution organizations can prevent risks and mitigate threats before they occur Get started at cloudcheckrcomgetstarted

About CloudCheckr

VISIT US ONLINE

  • Overview
  • Security Best Practice Checks
    • 1 Inadequate Password Policies
    • 2 Inadequate or Inconsistent Use of AWS S3 Encryption
    • 3 CloudTrail Not Enabled
    • 4 VPC Security Groups with Overly Permissive Inbound Rules
      • Cost Best Practice Checks
        • 5 Idle Resources
        • 6 Previous Generation Resources
        • 7 Not Leveraging Reserved Instances
          • Operational Best Practice Checks
            • 8 Underutilized Reserved Instances
            • 9 Ineffective Tagging Strategies
            • 10 Unintentionally Exposing Resources to the Public
              • Take Action Today
              • Reference Links
              • About CloudCheckr
Page 4: The 10 Most Common - CloudCheckrclick.cloudcheckr.com/rs/222-ENM-584/images/10_Most... · 2020-01-19 · The 10 Most Common AWS Misconfigurations 4 Security Best Practice Checks Below

The 10 Most Common AWS Misconfigurations 4

Security Best Practice ChecksBelow are some of the most popular pitfalls in cloud security Checking for each of these across your AWS accounts is a MUST in order to support secure and stable infrastructure

1 Inadequate Password PoliciesWhen a new AWS account is created it is enabled with a password of six-characters minimum however other checks such as password rotation password complexity password reuse are not enabled It is important for any organization to ensure the AWS account password policy meets internal compliance standards

As the above image demonstrates AWS provides comprehensive password policy checks which you should always ensure are properly enabled Any deviation from the standardized password policy should immediately be flagged

AWS automatically exposes APIs to check for the password policy across AWS accounts Leveraging APIs one can pull the existing password policy and compare it against the defined standard Automatic alerts can be set to trigger if there is ever any deviation which can then be handled by the support team and used in any subsequent investigation Additionally there are various third-party solutions available to help validate the password policy CloudCheckr recommends adjusting password policies regarding complexity length composition expiration etc

The 10 Most Common AWS Misconfigurations 5

2 Inadequate or Inconsistent Use of AWS S3 EncryptionWhile security is paramount organizations often make the mistake of not encrypting their data stored on Amazon S3 It is recommended to encrypt confidential data both going in and out of Amazon S3 AmazonS3 offers encryption capabilities to data in transit by leveraging SSL or client side encryption Amazon also provides server side encryption and client-side encryption for data encryption at rest However though sometimes an organization does use encryption to encrypt their data stored on Amazon S3 it is sometimes done in an inadequate or inconsistent manner It is therefore recommended that the organization choose how to store encrypted data on Amazon S3 If it is the server-side encryption one can use AWS KMS and Amazon S3 Encryption solutions On the other hand for client-side encryption users can upload encrypted data on AWS S3 where they control the encryption keys protocol etc It is important to run periodic scans across AWS S3 buckets and ensure the data stored on them is encrypted One can leverage AWS S3 APIs to check the status of the encryption and take the necessary corrective actions Third-party tools such as CloudCheckr also provide capabilities to identify and report on the encryption state of the AWS S3 buckets

3 CloudTrail Not EnabledCloudTrail is one of the essential services used across AWS to audit and track changes happening across the environment along with user and IP information For any organization it is critical to monitor changes and ensure any unauthorized change is immediately detected and followed up on In a rapidly scaling environment it can be relatively easy to miss enabling CloudTrail to help enforce cloud security Consequently the organization would miss out on the ability to track any changes happening to their environment

Enabling CloudTrail service should be an organizationrsquos priority after they create their AWS account It should not only be enabled in onersquos default region but also across all regions to ensure coverage of global services However enabling CloudTrail service is just the first stepmdashthe next step requires ensuring that CloudTrail services are always enabled and working efficiently with logs delivered to Amazon S3 bucket Third-party tools like CloudCheckr offer the capability to continuously monitor the state of onersquos CloudTrail and report whenever any deviation from best practice is observed

Try CloudCheckrrsquos free S3 Bucket Check tool to check if your buckets are secure

The 10 Most Common AWS Misconfigurations 6

4 VPC Security Groups with Overly Permissive Inbound RulesThe majority of the attacks on an environment can be avoided by following simple cloud security rules which include avoiding overly permissive inbound security group rules Amid the focus to ensure that things work on AWS engineers may overlook locking down their security groups to restricted IP addresses leaving the environment vulnerable to various attacks

It is not easy for any organization to constantly keep watch over security group configurations CloudCheckr identifies through several best practice checks VPCs that allow traffic from all IPs and ports or overly broad ranges of IPs and ports Once reported an organization can take necessary mitigation actions and close down the overly exposed ports or IPs Also customers can implement alerts linked to Amazon CloudTrail to alert themselves whenever a user launches an instance with ports exposed to 00000

Cost Best Practice ChecksOf course security is just part of the picture Several potentially problematic areas of AWS cost management can wreak havoc on budgets and prevent organizations from making the most of their cloud Considering each of thesemdashon a continuing basismdashwill help lower costs and ensure the benefits of using AWS

5 Idle ResourcesIdle resources including AWS EC2 Instances AWS Elastic Load Balancers AWS ElastiCache Nodes AWS RDS DB Instances and AWS RedShift Nodes can all wind up adding hidden costs to your AWS usage One of the reasons people end up spending more on AWS than anticipated is because they end up provisioning more resources than they need For example a developer might predict that his or her application will require an m4large instance type considering the workload and compute requirements But after deployment idle resources and an over-provisioned environment may become apparent This results in paying for more than is needed There is also a possibility that some resources are just provisioned but not in use

It is recommended to perform periodic reviews of onersquos resources to ensure they are used to their full capacity If not it is recommended to downgrade the environment and save on cloud expenses However the definition of ldquoidlerdquo is abstractable Before considering any resource as idle one should first review every aspect of the resources from CPU Memory and Network INOUT It is also recommended to clean up resources not in use Amazonrsquos Trusted Advisor service allows customers to review underutilized resources and suggests to downgrade or decommission them as do other third-party tools such as CloudCheckr With CloudCheckr organizations can easily turn off instances with the click of a buttonmdashor automate this task to happen according to predetermined settings

The 10 Most Common AWS Misconfigurations 7

6 Previous Generation ResourcesAs long as previous generation resources are seemingly working fine many users may not make it a priority to upgrade the resources to the latest generation This however can be a problem as the current generation instance types offer better performance at a relatively lower cost than the old

To make efficient use of AWS resources it is recommended to periodically perform an audit of them and see about migrating them to the current generation ones to achieve better performance and cost

7 Not Leveraging Reserved InstancesOne of the most common mistakes made by clients is that they donrsquot purchase Reserved Instances for their environment Amazon EC2 Reserved Instances can allow you to save 25-40 on cloud spend with various discounted purchase options like Full Upfront Partial Upfront and No Upfront This year Amazon evolved their Reserved Instances offerings by introducing convertible Reserved Instances and making it even easier to make changes to Reserved Instances from operating system to instance family to availability zones etc

Customers should cautiously analyze their environment for reserved instance purchases for Amazon EC2 RDS Elasticache and others as they might be signed up for the wrong kind something that can be locked into for one to three years To take some of the guesswork out of reserved instance purchasing some third-party solutions offer Reserved Instances recommendations with ROI cost comparisons and ROI projections enabling customers to make more efficient purchase decisions

The 10 Most Common AWS Misconfigurations 8

Operational Best Practice ChecksBeyond cost and security challenges there are a few operational considerations organizations should keep in mind to derive more value from their AWS investment

8 Underutilized Reserved InstancesIt is essential to ensure that reserved instances are utilized properly and any underutilized reserved instances are immediately highlighted so that necessary corrective actions can be taken to ensure full usage Customers may miss this part and assume that things are going in the right directionmdashthat is until they get their monthly invoice from AWS and see that it is much higher than they expected Customers should regularly audit the usage of their Reserved Instances AWS has started offering reserved instance utilization reports allowing customers to track their RI usage CloudCheckr also identifies underutilized Reserved Instances offering automation tools to reallocate and rebalance instances with the click of a button

The 10 Most Common AWS Misconfigurations 9

9 Ineffective Tagging StrategiesTag management plays a very crucial role in the overall management of resource utilization Teams can develop automation scripts around tags to trigger necessary actions For example they might use a script to automatically shut down resources tagged with ldquoEnvironment Devrdquo during night hours to reduce unnecessary spend These tags can also be applied in cost allocation reports to better understand expenses and to differentiate between development testing and production costs Often however teams create different tagging standards that complicate the simplifying objective of tag management For instance using the tag ldquoDevelopmentrdquo instead of the simpler tag ldquoDevrdquo

It is important to continuously review tagging standards and applied tags across the resources and immediately identify and address any variations Tools like CloudCheckr offer insightful reports on what is tagged and how it is tagged Tag Mapping allows users to readily report and clean up inconsistent tag names Tag management is a regular exercise and the team should be regularly educated on this

10 Unintentionally Exposing Resources to the Public It is no secret how much damage publically exposed resources can cause to organizations There are hundreds of examples on the web where organizations accidently left confidential data in a public AWS S3 bucket or left passwordless MongoDB instances on public subnet instances with EIPs attached These ldquoaccidentalrdquo or ldquohuman mistakesrdquo not only result in exposing confidential information but can also give the organization a bad name and attract lawsuits that might greatly impact the business It is an organizationrsquos responsibility to have the necessary checks enabled across their environment to avoid such mistakes and keep data safe Organizations can use a combination of Amazon Trusted Advisor Checks and third-party tools to enable proactive monitoring on their environments Tools like CloudCheckr provide perimeter assessment reports allowing users to readily determine publically accessible resources on a region by region basis for a wide variety of services including EC2 ELB S3 RDS etc

Watch ldquoBest Practices for Billing and Taggingrdquo to learn how to tag your resources efficiently

Download Hackproof Your Cloud to learn more about the cloud security paradigm

The 10 Most Common AWS Misconfigurations 10

Take Action TodayThe above checks are not the only ones that matter across AWS environments Each service on AWS offers a laundry list of checks regarding security budget and operations aspects As AWS uses a shared responsibility model management of AWS resources is not only their responsibility some aspects of AWS services are entirely the customerrsquos responsibility to ensure Proper controls must be utilized in order to tackle every changing AWS environment while it may seem like a major undertaking organizations operating in the cloud should do whatever they can as soon as they can to ensure a stable and sound security posture

Reference Links1 AWS Security Whitepaper httpsawsamazoncomwhitepapersaws-security-best-practices 2 Cost Optimization with AWS httpsd0awsstaticcomwhitepapersCost_Optimization_with_AWSpdf 3 AWS Operational Checklist httpsd0awsstaticcomwhitepapersaws-operational-checklistspdf 4 Monitoring Security in AWS httpcloudcheckrcomdocumentmonitoring-security-amazon-cloud

Try CloudCheckr for free for 14 days to see how we can help fix these and many more misconfigurations in your cloud environment

The CloudCheckr platform offers a single pane of glass across infrastructure to ensure total security and compliance while optimizing cost and expenses With continuous monitoring 450 best practice checks and built-in automation CloudCheckr helps organizations to ensure compliance for highly regulated industries with alerts monitoring and audits to meet FedRAMP DFARS HIPAA PCI and other security standards With deeper intelligence across cloud infrastructure and a unified cloud management solution organizations can prevent risks and mitigate threats before they occur Get started at cloudcheckrcomgetstarted

About CloudCheckr

VISIT US ONLINE

  • Overview
  • Security Best Practice Checks
    • 1 Inadequate Password Policies
    • 2 Inadequate or Inconsistent Use of AWS S3 Encryption
    • 3 CloudTrail Not Enabled
    • 4 VPC Security Groups with Overly Permissive Inbound Rules
      • Cost Best Practice Checks
        • 5 Idle Resources
        • 6 Previous Generation Resources
        • 7 Not Leveraging Reserved Instances
          • Operational Best Practice Checks
            • 8 Underutilized Reserved Instances
            • 9 Ineffective Tagging Strategies
            • 10 Unintentionally Exposing Resources to the Public
              • Take Action Today
              • Reference Links
              • About CloudCheckr
Page 5: The 10 Most Common - CloudCheckrclick.cloudcheckr.com/rs/222-ENM-584/images/10_Most... · 2020-01-19 · The 10 Most Common AWS Misconfigurations 4 Security Best Practice Checks Below

The 10 Most Common AWS Misconfigurations 5

2 Inadequate or Inconsistent Use of AWS S3 EncryptionWhile security is paramount organizations often make the mistake of not encrypting their data stored on Amazon S3 It is recommended to encrypt confidential data both going in and out of Amazon S3 AmazonS3 offers encryption capabilities to data in transit by leveraging SSL or client side encryption Amazon also provides server side encryption and client-side encryption for data encryption at rest However though sometimes an organization does use encryption to encrypt their data stored on Amazon S3 it is sometimes done in an inadequate or inconsistent manner It is therefore recommended that the organization choose how to store encrypted data on Amazon S3 If it is the server-side encryption one can use AWS KMS and Amazon S3 Encryption solutions On the other hand for client-side encryption users can upload encrypted data on AWS S3 where they control the encryption keys protocol etc It is important to run periodic scans across AWS S3 buckets and ensure the data stored on them is encrypted One can leverage AWS S3 APIs to check the status of the encryption and take the necessary corrective actions Third-party tools such as CloudCheckr also provide capabilities to identify and report on the encryption state of the AWS S3 buckets

3 CloudTrail Not EnabledCloudTrail is one of the essential services used across AWS to audit and track changes happening across the environment along with user and IP information For any organization it is critical to monitor changes and ensure any unauthorized change is immediately detected and followed up on In a rapidly scaling environment it can be relatively easy to miss enabling CloudTrail to help enforce cloud security Consequently the organization would miss out on the ability to track any changes happening to their environment

Enabling the CloudTrail service should be an organization's priority as soon as it creates its AWS account. It should be enabled not only in one's default region but across all regions, to ensure coverage of global services. However, enabling CloudTrail is just the first step; the next step is ensuring that CloudTrail stays enabled and working correctly, with logs delivered to an Amazon S3 bucket. Third-party tools like CloudCheckr offer the capability to continuously monitor the state of one's CloudTrail and report whenever any deviation from best practice is observed.
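
The continuous check the paragraph above calls for, written out as an added example (it is not the whitepaper's or CloudCheckr's code): each trail is tested for multi-region coverage, global service events, log file validation, an S3 delivery bucket, logging status and recent delivery, and the account as a whole is only considered covered when at least one trail passes every test. The dictionaries mirror the shape of the DescribeTrails "trailList" entries and the GetTrailStatus response; the trail names, bucket names, the fixed "now" timestamp and the one-hour delivery-lag threshold are assumptions made for the sample.

```python
"""Check CloudTrail trails against the practice described above: enabled in all
regions, covering global services, still logging and still delivering to S3.

Added example, not part of the whitepaper. The dicts mirror the shape of the
DescribeTrails ("trailList") and GetTrailStatus responses; sample data is
constructed and the thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed "now" for the sample
MAX_DELIVERY_LAG = timedelta(hours=1)                     # assumed alerting threshold

SAMPLE_TRAILS = [
    {"Name": "org-trail", "S3BucketName": "org-cloudtrail-logs", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": True},
    {"Name": "legacy-trail", "S3BucketName": "legacy-logs", "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False,
     "LogFileValidationEnabled": False},
]
SAMPLE_STATUS = {
    "org-trail": {"IsLogging": True, "LatestDeliveryTime": NOW - timedelta(minutes=7)},
    "legacy-trail": {"IsLogging": False, "LatestDeliveryTime": NOW - timedelta(days=40)},
}


def trail_findings(trail, status, now=NOW):
    """Return the list of deviations from best practice for one trail."""
    issues = []
    if not trail.get("IsMultiRegionTrail"):
        issues.append("not a multi-region trail")
    if not trail.get("IncludeGlobalServiceEvents"):
        issues.append("global service events (IAM, STS, CloudFront) not included")
    if not trail.get("LogFileValidationEnabled"):
        issues.append("log file validation disabled")
    if not trail.get("S3BucketName"):
        issues.append("no S3 delivery bucket")
    if not status.get("IsLogging"):
        issues.append("logging is stopped")
    last = status.get("LatestDeliveryTime")
    if last is None or now - last > MAX_DELIVERY_LAG:
        issues.append("no log delivery within the last hour")
    return issues


def audit_account(trails, status_by_name, now=NOW):
    """Per-trail findings plus an account-level verdict under the key '<account>'.

    The account is covered only if some trail has no findings at all; a trail
    that is merely present but stopped, or single-region, does not count.
    """
    report = {t["Name"]: trail_findings(t, status_by_name.get(t["Name"], {}), now)
              for t in trails}
    covered = any(not issues for issues in report.values())
    if not trails:
        report["<account>"] = ["no CloudTrail trail configured"]
    elif not covered:
        report["<account>"] = ["no healthy multi-region trail covers the account"]
    return report


if __name__ == "__main__":
    for name, issues in audit_account(SAMPLE_TRAILS, SAMPLE_STATUS).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run on a schedule, the account-level verdict is the one to alert on; the per-trail findings tell the responder which setting drifted (for example, a trail someone stopped with StopLogging shows up as "logging is stopped" long before the missing S3 objects would be noticed).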

Try CloudCheckr's free S3 Bucket Check tool to check if your buckets are secure.

4. VPC Security Groups with Overly Permissive Inbound Rules

The majority of attacks on an environment can be avoided by following simple cloud security rules, which include avoiding overly permissive inbound security group rules. Amid the focus on making things work on AWS, engineers may overlook locking down their security groups to restricted IP addresses, leaving the environment vulnerable to various attacks.

It is not easy for any organization to constantly keep watch over security group configurations. CloudCheckr identifies, through several best practice checks, VPCs that allow traffic from all IPs and ports or from overly broad ranges of IPs and ports. Once these are reported, an organization can take the necessary mitigation actions and close down the overly exposed ports or IPs. Customers can also implement alerts linked to Amazon CloudTrail to notify themselves whenever a user launches an instance with ports exposed to 0.0.0.0/0.
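
Both halves of the check described in this section, as an added example that is neither the whitepaper's nor CloudCheckr's code: a snapshot audit over DescribeSecurityGroups output that lists every inbound rule open to 0.0.0.0/0 or ::/0 (or to an IPv4 range broader than an assumed /16 threshold), and a CloudTrail-driven alert that fires when an AuthorizeSecurityGroupIngress event opens a port to the whole Internet. The security group and CloudTrail record shapes follow the EC2 API and CloudTrail's lower-camel-case, "items"-wrapped request parameters; the group IDs, account number, user name and the /16 threshold are constructed for the sample. Note that the snapshot audit deliberately reports the web tier's 443/tcp rule too: the output is a review list, and deciding that a world-open HTTPS listener is intended is a human call.

```python
"""Flag overly permissive inbound security group rules, both in a configuration
snapshot and in CloudTrail events as they arrive.

Added example, not CloudCheckr code. The dicts mirror the shape of the EC2
DescribeSecurityGroups response and of a CloudTrail record for
AuthorizeSecurityGroupIngress; sample data and thresholds are constructed.
"""
import ipaddress

ANYWHERE = {"0.0.0.0/0", "::/0"}
MAX_RANGE_HOSTS = 65536   # assumed: IPv4 ranges broader than a /16 count as "overly broad"


def is_overly_broad(cidr):
    """True for the whole Internet and for very large IPv4 ranges."""
    if cidr in ANYWHERE:
        return True
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and net.num_addresses > MAX_RANGE_HOSTS


def describe_ports(perm):
    """Human-readable port span of an IpPermission ("-1" means every protocol)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{proto} {lo}" if lo == hi else f"{proto} {lo}-{hi}"


def audit_security_groups(describe_response):
    """Return (group id, cidr, port description) for each risky inbound rule."""
    findings = []
    for sg in describe_response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in ranges:
                if is_overly_broad(cidr):
                    findings.append((sg["GroupId"], cidr, describe_ports(perm)))
    return findings


def cloudtrail_alert(event):
    """Alert text if an AuthorizeSecurityGroupIngress event opened a port to the
    whole Internet, else None. CloudTrail request parameters use lower camel
    case and wrap lists as {"items": [...]}."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = event.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr in ANYWHERE:
                ports = describe_ports({"IpProtocol": perm.get("ipProtocol"),
                                        "FromPort": perm.get("fromPort"),
                                        "ToPort": perm.get("toPort")})
                who = event.get("userIdentity", {}).get("arn", "unknown principal")
                return f"{who} opened {ports} on {params.get('groupId')} to {cidr}"
    return None


# --- constructed sample inputs -------------------------------------------------
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0e9f8a7b", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}
SAMPLE_EVENT = {
    "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
    "requestParameters": {"groupId": "sg-0e9f8a7b", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
}

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_SGS):
        print("snapshot:", *finding)
    print("event:", cloudtrail_alert(SAMPLE_EVENT))
```

The event-driven half catches the change within minutes of the API call, while the snapshot half catches what was already open before monitoring started; an environment needs both, because the first never sees rules that predate it and the second only runs as often as it is scheduled.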

Cost Best Practice Checks

Of course, security is just part of the picture. Several potentially problematic areas of AWS cost management can wreak havoc on budgets and prevent organizations from making the most of their cloud. Considering each of these, on a continuing basis, will help lower costs and ensure the benefits of using AWS.

5. Idle Resources

Idle resources, including AWS EC2 instances, AWS Elastic Load Balancers, AWS ElastiCache nodes, AWS RDS DB instances and AWS Redshift nodes, can all wind up adding hidden costs to your AWS usage. One of the reasons people end up spending more on AWS than anticipated is that they provision more resources than they need. For example, a developer might predict that his or her application will require an m4.large instance type, considering the workload and compute requirements. But after deployment, idle resources and an over-provisioned environment may become apparent. This results in paying for more than is needed. There is also a possibility that some resources are simply provisioned but never used.

It is recommended to perform periodic reviews of one's resources to ensure they are used to their full capacity. If they are not, it is recommended to downgrade the environment and save on cloud expenses. However, the definition of "idle" is abstract. Before considering any resource as idle, one should first review every aspect of the resource, from CPU to memory to network in/out. It is also recommended to clean up resources not in use. Amazon's Trusted Advisor service allows customers to review underutilized resources and suggests downgrading or decommissioning them, as do other third-party tools such as CloudCheckr. With CloudCheckr, organizations can easily turn off instances with the click of a button, or automate this task to happen according to predetermined settings.
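
To make the "review every aspect before calling it idle" advice concrete, here is an added example (not from the whitepaper or CloudCheckr) that classifies EC2 instances from CloudWatch metrics. An instance is only marked idle when CPU, network in and network out all stay below their thresholds over the whole window, memory is included when the CloudWatch agent reports it (EC2 does not publish memory on its own), and an instance with too little history is reported as insufficient-data rather than idle. The datapoint lists mirror the "Datapoints" shape returned by GetMetricStatistics; the instance IDs, the 14-day window, the metric values and all thresholds are constructed for the sample.

```python
"""Decide whether an EC2 instance is idle from CloudWatch metrics, judging CPU,
memory (if collected) and network in/out together rather than CPU alone.

Added example, not part of the whitepaper. ``datapoints`` lists mirror the
"Datapoints" returned by CloudWatch GetMetricStatistics (one entry per period);
sample values, instance ids and thresholds are constructed.
"""
from statistics import mean

# Assumed thresholds over the review window: averages below ALL of these
# mark an instance as idle.
THRESHOLDS = {
    "CPUUtilization": 2.0,          # percent
    "NetworkIn": 5 * 1024 * 1024,   # bytes per period (5 MiB)
    "NetworkOut": 5 * 1024 * 1024,
    "mem_used_percent": 10.0,       # CloudWatch agent metric; only judged when present
}
OPTIONAL_METRICS = {"mem_used_percent"}
MIN_DATAPOINTS = 7                  # refuse to judge on less history than this


def summarise(datapoints, stat="Average"):
    """Average of the chosen statistic over the window, or None if too little data."""
    values = [dp[stat] for dp in datapoints if stat in dp]
    if len(values) < MIN_DATAPOINTS:
        return None
    return mean(values)


def classify_instance(metrics):
    """metrics: {metric name: [datapoint dict, ...]}.
    Returns (verdict, details); verdict is 'idle', 'active' or 'insufficient-data'."""
    details = {}
    for name, limit in THRESHOLDS.items():
        if name not in metrics:
            if name in OPTIONAL_METRICS:
                continue            # agent not installed: judge on the remaining metrics
            return "insufficient-data", details
        avg = summarise(metrics[name])
        if avg is None:
            return "insufficient-data", details
        details[name] = avg
        if avg >= limit:            # one busy dimension is enough to keep the instance
            return "active", details
    return "idle", details


def idle_instances(fleet):
    """fleet: {instance id: metrics}. Returns the ids that are safe to flag for review."""
    return sorted(i for i, m in fleet.items() if classify_instance(m)[0] == "idle")


# --- constructed sample: two weeks of daily averages per instance -------------
def _series(values):
    return [{"Timestamp": f"2017-05-{day + 1:02d}T00:00:00Z", "Average": v}
            for day, v in enumerate(values)]


SAMPLE_FLEET = {
    "i-idle-example": {
        "CPUUtilization": _series([0.5] * 14),
        "NetworkIn": _series([200_000] * 14),
        "NetworkOut": _series([150_000] * 14),
    },
    "i-batch-example": {   # quiet most days, but a weekly batch job spikes CPU
        "CPUUtilization": _series([0.4] * 6 + [85.0] + [0.4] * 6 + [90.0]),
        "NetworkIn": _series([100_000] * 14),
        "NetworkOut": _series([100_000] * 14),
        "mem_used_percent": _series([8.0] * 14),
    },
    "i-new-example": {     # launched two days ago: not enough history to judge
        "CPUUtilization": _series([0.1, 0.2]),
        "NetworkIn": _series([0, 0]),
        "NetworkOut": _series([0, 0]),
    },
}

if __name__ == "__main__":
    for instance, metrics in SAMPLE_FLEET.items():
        print(instance, *classify_instance(metrics))
```

The batch instance is the case the paragraph warns about: its typical day looks idle, and a check that sampled a single quiet day would stop it, while the two-week average exposes the weekly job. Output of this classifier is a review list for a human or for the automated shutdown described above, not a stop command by itself.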

6. Previous Generation Resources

As long as previous generation resources are seemingly working fine, many users may not make it a priority to upgrade them to the latest generation. This, however, can be a problem, as current generation instance types offer better performance at a relatively lower cost than the old ones.

To make efficient use of AWS resources, it is recommended to periodically audit them and consider migrating them to current generation instance types to achieve better performance and cost.

7. Not Leveraging Reserved Instances

One of the most common mistakes made by clients is that they don't purchase Reserved Instances for their environment. Amazon EC2 Reserved Instances can allow you to save 25-40% on cloud spend, with various discounted purchase options like Full Upfront, Partial Upfront and No Upfront. This year Amazon evolved its Reserved Instances offerings by introducing Convertible Reserved Instances and making it even easier to make changes to Reserved Instances, from operating system to instance family to Availability Zones, etc.

Customers should carefully analyze their environment before making Reserved Instance purchases for Amazon EC2, RDS, ElastiCache and other services, as they might sign up for the wrong kind, something they can be locked into for one to three years. To take some of the guesswork out of Reserved Instance purchasing, some third-party solutions offer Reserved Instance recommendations with cost comparisons and ROI projections, enabling customers to make more efficient purchase decisions.

Operational Best Practice Checks

Beyond cost and security challenges, there are a few operational considerations organizations should keep in mind to derive more value from their AWS investment.

8. Underutilized Reserved Instances

It is essential to ensure that Reserved Instances are utilized properly and that any underutilized Reserved Instances are immediately highlighted, so that the necessary corrective actions can be taken to ensure full usage. Customers may miss this and assume that things are going in the right direction, that is, until they get their monthly invoice from AWS and see that it is much higher than they expected. Customers should regularly audit the usage of their Reserved Instances. AWS has started offering Reserved Instance utilization reports, allowing customers to track their RI usage. CloudCheckr also identifies underutilized Reserved Instances, offering automation tools to reallocate and rebalance instances with the click of a button.

9. Ineffective Tagging Strategies

Tag management plays a crucial role in the overall management of resource utilization. Teams can develop automation scripts around tags to trigger necessary actions. For example, they might use a script to automatically shut down resources tagged with "Environment: Dev" during night hours to reduce unnecessary spend. These tags can also be applied in cost allocation reports to better understand expenses and to differentiate between development, testing and production costs. Often, however, teams create different tagging standards that complicate the simplifying objective of tag management, for instance by using the tag "Development" instead of the simpler tag "Dev".

It is important to continuously review tagging standards and the tags applied across resources, and to immediately identify and address any variations. Tools like CloudCheckr offer insightful reports on what is tagged and how it is tagged; Tag Mapping allows users to readily report on and clean up inconsistent tag names. Tag management is a regular exercise, and the team should be regularly educated on it.
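
The two ideas in this section, a mapping that folds tag variants such as "env"/"Development" back onto the standard "Environment"/"Dev", and a nightly job that acts on the normalised Environment tag, as one added example that is not CloudCheckr's Tag Mapping feature and not code from the whitepaper. Resources are constructed dictionaries whose "Tags" list follows the [{"Key": ..., "Value": ...}] shape used by the EC2 API; the standard key set, the alias tables and the resource IDs are assumptions for illustration.

```python
"""Normalise inconsistent tags against a tagging standard, report variations and
missing mandatory tags, and select the resources a nightly "stop Dev" job acts on.

Added example, not CloudCheckr's Tag Mapping. Resources are constructed dicts
whose "Tags" follow the EC2 [{"Key": ..., "Value": ...}] shape; the standard,
the alias tables and the ids are assumed for illustration.
"""
STANDARD_KEYS = {"Environment", "Owner", "CostCenter"}   # assumed mandatory tags

# Observed variant (lower-cased) -> canonical form. Assumed mapping rules.
KEY_ALIASES = {"env": "Environment", "environment": "Environment",
               "owner": "Owner", "costcenter": "CostCenter", "cost-center": "CostCenter"}
VALUE_ALIASES = {"Environment": {"development": "Dev", "dev": "Dev", "develop": "Dev",
                                 "production": "Prod", "prd": "Prod", "prod": "Prod",
                                 "test": "Test", "testing": "Test", "qa": "Test"}}


def normalise_tags(tags):
    """Return (canonical tags dict, list of variations that were corrected)."""
    canonical, variations = {}, []
    for tag in tags:
        key, value = tag["Key"], tag["Value"]
        new_key = KEY_ALIASES.get(key.lower(), key)
        new_value = VALUE_ALIASES.get(new_key, {}).get(value.lower(), value)
        if new_key != key:
            variations.append(f"key {key!r} -> {new_key!r}")
        if new_value != value:
            variations.append(f"{new_key} value {value!r} -> {new_value!r}")
        canonical[new_key] = new_value
    return canonical, variations


def audit_tagging(resources):
    """Per-resource report: normalised tags, variations found, mandatory keys missing."""
    report = {}
    for res in resources:
        tags, variations = normalise_tags(res.get("Tags", []))
        missing = sorted(STANDARD_KEYS - tags.keys())
        report[res["ResourceId"]] = {"tags": tags, "variations": variations, "missing": missing}
    return report


def nightly_shutdown_targets(resources):
    """Running resources whose normalised Environment tag is Dev.

    Matching on the normalised value means a box tagged "env=Development" is
    still stopped at night instead of silently escaping the policy.
    """
    return sorted(r["ResourceId"] for r in resources
                  if r.get("State") == "running"
                  and normalise_tags(r.get("Tags", []))[0].get("Environment") == "Dev")


# --- constructed sample inventory ---------------------------------------------
SAMPLE_RESOURCES = [
    {"ResourceId": "i-dev-example-1", "State": "running",
     "Tags": [{"Key": "Environment", "Value": "Dev"}, {"Key": "Owner", "Value": "alice"},
              {"Key": "CostCenter", "Value": "1234"}]},
    {"ResourceId": "i-dev-example-2", "State": "running",
     "Tags": [{"Key": "env", "Value": "Development"}, {"Key": "Owner", "Value": "bob"}]},
    {"ResourceId": "i-prod-example-1", "State": "running",
     "Tags": [{"Key": "Environment", "Value": "production"},
              {"Key": "cost-center", "Value": "5678"}]},
    {"ResourceId": "i-dev-example-3", "State": "stopped",
     "Tags": [{"Key": "Environment", "Value": "Dev"}]},
]

if __name__ == "__main__":
    for rid, entry in audit_tagging(SAMPLE_RESOURCES).items():
        print(rid, entry["tags"], "variations:", entry["variations"], "missing:", entry["missing"])
    print("stop tonight:", nightly_shutdown_targets(SAMPLE_RESOURCES))
```

The variations list is what a cleanup pass would feed back to resource owners; once the tags themselves are rewritten to the canonical form, cost allocation reports stop splitting one environment across several spellings.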

10. Unintentionally Exposing Resources to the Public

It is no secret how much damage publicly exposed resources can cause to organizations. There are hundreds of examples on the web where organizations accidentally left confidential data in a public AWS S3 bucket, or left passwordless MongoDB instances on public-subnet instances with EIPs attached. These "accidental" or "human" mistakes not only result in exposing confidential information but can also give the organization a bad name and attract lawsuits that might greatly impact the business. It is an organization's responsibility to have the necessary checks enabled across its environment to avoid such mistakes and keep data safe. Organizations can use a combination of Amazon Trusted Advisor checks and third-party tools to enable proactive monitoring of their environments. Tools like CloudCheckr provide perimeter assessment reports, allowing users to readily determine publicly accessible resources on a region-by-region basis for a wide variety of services, including EC2, ELB, S3, RDS, etc.
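
For the S3 half of the perimeter assessment described above, here is an added example (not CloudCheckr's report and not code from the whitepaper) that decides whether a bucket is reachable by anyone on the Internet. It combines the three places such access can come from: ACL grants to the AllUsers or AuthenticatedUsers groups, Allow statements in the bucket policy whose Principal is everyone, and the bucket's Block Public Access settings, which S3 added after this paper was written and which can neutralise the first two. The inputs mirror the shapes of GetBucketAcl ("Grants"), GetBucketPolicy (policy JSON) and GetPublicAccessBlock ("PublicAccessBlockConfiguration"); bucket names and policies are constructed. Treating any Condition as "narrows the caller" is a deliberate simplification noted in the code; a condition on aws:SecureTransport alone, for example, does not make a statement private.

```python
"""Perimeter check for S3: is a bucket reachable by anyone on the Internet?

Added example, not CloudCheckr's perimeter assessment. Inputs mirror the shapes
of GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock; samples are constructed.
"""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Permissions the ACL grants to everyone or to any AWS account."""
    found = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            found.append(f"ACL grants {grant['Permission']} to {PUBLIC_GRANTEES[uri]}")
    return found


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])


def public_policy_statements(policy_json):
    """Allow statements for an everyone principal with no Condition at all.

    Simplification: a statement with any Condition is assumed to narrow the
    caller; a real scanner would evaluate the condition keys individually.
    """
    if not policy_json:
        return []
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if (stmt.get("Effect") == "Allow" and _principal_is_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            found.append(f"policy {stmt.get('Sid', '<no sid>')} allows "
                         f"{', '.join(actions)} to everyone")
    return found


def assess_bucket(name, acl, policy_json=None, public_access_block=None):
    """Return {'bucket', 'public', 'reasons'} for one bucket.

    IgnorePublicAcls makes S3 disregard public ACL grants; RestrictPublicBuckets
    confines a bucket with a public policy to its owner and AWS services.
    """
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    reasons = []
    if not cfg.get("IgnorePublicAcls"):
        reasons += public_acl_grants(acl)
    if not cfg.get("RestrictPublicBuckets"):
        reasons += public_policy_statements(policy_json)
    return {"bucket": name, "public": bool(reasons), "reasons": reasons}


def perimeter_report(buckets):
    return [assess_bucket(b["name"], b["acl"], b["policy"], b["pab"]) for b in buckets]


# --- constructed sample buckets -----------------------------------------------
ALL_USERS_READ = {"Grantee": {"Type": "Group",
                              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}
SAMPLE_BUCKETS = [
    {"name": "customer-exports", "acl": {"Grants": [ALL_USERS_READ]}, "policy": None, "pab": None},
    {"name": "marketing-site", "acl": {"Grants": []}, "pab": None,
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-site/*"}]})},
    {"name": "locked-down", "acl": {"Grants": [ALL_USERS_READ]}, "policy": None,
     "pab": {"PublicAccessBlockConfiguration": {
         "BlockPublicAcls": True, "IgnorePublicAcls": True,
         "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
]

if __name__ == "__main__":
    for r in perimeter_report(SAMPLE_BUCKETS):
        print(r["bucket"], "PUBLIC" if r["public"] else "private", r["reasons"])
```

The "locked-down" bucket is the instructive case: its ACL still carries a public grant, so a scanner that only reads ACLs would raise a false alarm, while one that only reads Block Public Access would never tell the owner the stale grant is there to be removed. Reporting both the effective verdict and the underlying reasons gives the responder what they need to clean up.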

Watch "Best Practices for Billing and Tagging" to learn how to tag your resources efficiently.

Download Hackproof Your Cloud to learn more about the cloud security paradigm.

Take Action Today

The above checks are not the only ones that matter across AWS environments. Each service on AWS offers a laundry list of checks regarding security, budget and operational aspects. As AWS uses a shared responsibility model, management of AWS resources is not only AWS's responsibility; some aspects of AWS services are entirely the customer's responsibility to ensure. Proper controls must be utilized in order to tackle an ever-changing AWS environment. While it may seem like a major undertaking, organizations operating in the cloud should do whatever they can, as soon as they can, to ensure a stable and sound security posture.

Reference Links

1. AWS Security Whitepaper: https://aws.amazon.com/whitepapers/aws-security-best-practices
2. Cost Optimization with AWS: https://d0.awsstatic.com/whitepapers/Cost_Optimization_with_AWS.pdf
3. AWS Operational Checklist: https://d0.awsstatic.com/whitepapers/aws-operational-checklists.pdf
4. Monitoring Security in AWS: http://cloudcheckr.com/document/monitoring-security-amazon-cloud

Try CloudCheckr for free for 14 days to see how we can help fix these and many more misconfigurations in your cloud environment.

About CloudCheckr

The CloudCheckr platform offers a single pane of glass across infrastructure to ensure total security and compliance while optimizing cost and expenses. With continuous monitoring, 450 best practice checks and built-in automation, CloudCheckr helps organizations ensure compliance for highly regulated industries, with alerts, monitoring and audits to meet FedRAMP, DFARS, HIPAA, PCI and other security standards. With deeper intelligence across cloud infrastructure and a unified cloud management solution, organizations can prevent risks and mitigate threats before they occur. Get started at cloudcheckr.com/getstarted.

Page 6: The 10 Most Common - CloudCheckrclick.cloudcheckr.com/rs/222-ENM-584/images/10_Most... · 2020-01-19 · The 10 Most Common AWS Misconfigurations 4 Security Best Practice Checks Below

The 10 Most Common AWS Misconfigurations 6

4 VPC Security Groups with Overly Permissive Inbound RulesThe majority of the attacks on an environment can be avoided by following simple cloud security rules which include avoiding overly permissive inbound security group rules Amid the focus to ensure that things work on AWS engineers may overlook locking down their security groups to restricted IP addresses leaving the environment vulnerable to various attacks

It is not easy for any organization to constantly keep watch over security group configurations CloudCheckr identifies through several best practice checks VPCs that allow traffic from all IPs and ports or overly broad ranges of IPs and ports Once reported an organization can take necessary mitigation actions and close down the overly exposed ports or IPs Also customers can implement alerts linked to Amazon CloudTrail to alert themselves whenever a user launches an instance with ports exposed to 00000

Cost Best Practice ChecksOf course security is just part of the picture Several potentially problematic areas of AWS cost management can wreak havoc on budgets and prevent organizations from making the most of their cloud Considering each of thesemdashon a continuing basismdashwill help lower costs and ensure the benefits of using AWS

5 Idle ResourcesIdle resources including AWS EC2 Instances AWS Elastic Load Balancers AWS ElastiCache Nodes AWS RDS DB Instances and AWS RedShift Nodes can all wind up adding hidden costs to your AWS usage One of the reasons people end up spending more on AWS than anticipated is because they end up provisioning more resources than they need For example a developer might predict that his or her application will require an m4large instance type considering the workload and compute requirements But after deployment idle resources and an over-provisioned environment may become apparent This results in paying for more than is needed There is also a possibility that some resources are just provisioned but not in use

It is recommended to perform periodic reviews of onersquos resources to ensure they are used to their full capacity If not it is recommended to downgrade the environment and save on cloud expenses However the definition of ldquoidlerdquo is abstractable Before considering any resource as idle one should first review every aspect of the resources from CPU Memory and Network INOUT It is also recommended to clean up resources not in use Amazonrsquos Trusted Advisor service allows customers to review underutilized resources and suggests to downgrade or decommission them as do other third-party tools such as CloudCheckr With CloudCheckr organizations can easily turn off instances with the click of a buttonmdashor automate this task to happen according to predetermined settings

The 10 Most Common AWS Misconfigurations 7

6 Previous Generation ResourcesAs long as previous generation resources are seemingly working fine many users may not make it a priority to upgrade the resources to the latest generation This however can be a problem as the current generation instance types offer better performance at a relatively lower cost than the old

To make efficient use of AWS resources it is recommended to periodically perform an audit of them and see about migrating them to the current generation ones to achieve better performance and cost

7 Not Leveraging Reserved InstancesOne of the most common mistakes made by clients is that they donrsquot purchase Reserved Instances for their environment Amazon EC2 Reserved Instances can allow you to save 25-40 on cloud spend with various discounted purchase options like Full Upfront Partial Upfront and No Upfront This year Amazon evolved their Reserved Instances offerings by introducing convertible Reserved Instances and making it even easier to make changes to Reserved Instances from operating system to instance family to availability zones etc

Customers should cautiously analyze their environment for reserved instance purchases for Amazon EC2 RDS Elasticache and others as they might be signed up for the wrong kind something that can be locked into for one to three years To take some of the guesswork out of reserved instance purchasing some third-party solutions offer Reserved Instances recommendations with ROI cost comparisons and ROI projections enabling customers to make more efficient purchase decisions

The 10 Most Common AWS Misconfigurations 8

Operational Best Practice ChecksBeyond cost and security challenges there are a few operational considerations organizations should keep in mind to derive more value from their AWS investment

8 Underutilized Reserved InstancesIt is essential to ensure that reserved instances are utilized properly and any underutilized reserved instances are immediately highlighted so that necessary corrective actions can be taken to ensure full usage Customers may miss this part and assume that things are going in the right directionmdashthat is until they get their monthly invoice from AWS and see that it is much higher than they expected Customers should regularly audit the usage of their Reserved Instances AWS has started offering reserved instance utilization reports allowing customers to track their RI usage CloudCheckr also identifies underutilized Reserved Instances offering automation tools to reallocate and rebalance instances with the click of a button

The 10 Most Common AWS Misconfigurations 9

9 Ineffective Tagging StrategiesTag management plays a very crucial role in the overall management of resource utilization Teams can develop automation scripts around tags to trigger necessary actions For example they might use a script to automatically shut down resources tagged with ldquoEnvironment Devrdquo during night hours to reduce unnecessary spend These tags can also be applied in cost allocation reports to better understand expenses and to differentiate between development testing and production costs Often however teams create different tagging standards that complicate the simplifying objective of tag management For instance using the tag ldquoDevelopmentrdquo instead of the simpler tag ldquoDevrdquo

It is important to continuously review tagging standards and applied tags across the resources and immediately identify and address any variations Tools like CloudCheckr offer insightful reports on what is tagged and how it is tagged Tag Mapping allows users to readily report and clean up inconsistent tag names Tag management is a regular exercise and the team should be regularly educated on this

10 Unintentionally Exposing Resources to the Public It is no secret how much damage publically exposed resources can cause to organizations There are hundreds of examples on the web where organizations accidently left confidential data in a public AWS S3 bucket or left passwordless MongoDB instances on public subnet instances with EIPs attached These ldquoaccidentalrdquo or ldquohuman mistakesrdquo not only result in exposing confidential information but can also give the organization a bad name and attract lawsuits that might greatly impact the business It is an organizationrsquos responsibility to have the necessary checks enabled across their environment to avoid such mistakes and keep data safe Organizations can use a combination of Amazon Trusted Advisor Checks and third-party tools to enable proactive monitoring on their environments Tools like CloudCheckr provide perimeter assessment reports allowing users to readily determine publically accessible resources on a region by region basis for a wide variety of services including EC2 ELB S3 RDS etc

Watch ldquoBest Practices for Billing and Taggingrdquo to learn how to tag your resources efficiently

Download Hackproof Your Cloud to learn more about the cloud security paradigm

The 10 Most Common AWS Misconfigurations 10

Take Action TodayThe above checks are not the only ones that matter across AWS environments Each service on AWS offers a laundry list of checks regarding security budget and operations aspects As AWS uses a shared responsibility model management of AWS resources is not only their responsibility some aspects of AWS services are entirely the customerrsquos responsibility to ensure Proper controls must be utilized in order to tackle every changing AWS environment while it may seem like a major undertaking organizations operating in the cloud should do whatever they can as soon as they can to ensure a stable and sound security posture

Reference Links1 AWS Security Whitepaper httpsawsamazoncomwhitepapersaws-security-best-practices 2 Cost Optimization with AWS httpsd0awsstaticcomwhitepapersCost_Optimization_with_AWSpdf 3 AWS Operational Checklist httpsd0awsstaticcomwhitepapersaws-operational-checklistspdf 4 Monitoring Security in AWS httpcloudcheckrcomdocumentmonitoring-security-amazon-cloud

Try CloudCheckr for free for 14 days to see how we can help fix these and many more misconfigurations in your cloud environment

The CloudCheckr platform offers a single pane of glass across infrastructure to ensure total security and compliance while optimizing cost and expenses With continuous monitoring 450 best practice checks and built-in automation CloudCheckr helps organizations to ensure compliance for highly regulated industries with alerts monitoring and audits to meet FedRAMP DFARS HIPAA PCI and other security standards With deeper intelligence across cloud infrastructure and a unified cloud management solution organizations can prevent risks and mitigate threats before they occur Get started at cloudcheckrcomgetstarted

About CloudCheckr

VISIT US ONLINE

  • Overview
  • Security Best Practice Checks
    • 1 Inadequate Password Policies
    • 2 Inadequate or Inconsistent Use of AWS S3 Encryption
    • 3 CloudTrail Not Enabled
    • 4 VPC Security Groups with Overly Permissive Inbound Rules
      • Cost Best Practice Checks
        • 5 Idle Resources
        • 6 Previous Generation Resources
        • 7 Not Leveraging Reserved Instances
          • Operational Best Practice Checks
            • 8 Underutilized Reserved Instances
            • 9 Ineffective Tagging Strategies
            • 10 Unintentionally Exposing Resources to the Public
              • Take Action Today
              • Reference Links
              • About CloudCheckr
Page 7: The 10 Most Common - CloudCheckrclick.cloudcheckr.com/rs/222-ENM-584/images/10_Most... · 2020-01-19 · The 10 Most Common AWS Misconfigurations 4 Security Best Practice Checks Below

The 10 Most Common AWS Misconfigurations 7

6 Previous Generation ResourcesAs long as previous generation resources are seemingly working fine many users may not make it a priority to upgrade the resources to the latest generation This however can be a problem as the current generation instance types offer better performance at a relatively lower cost than the old

To make efficient use of AWS resources it is recommended to periodically perform an audit of them and see about migrating them to the current generation ones to achieve better performance and cost

7 Not Leveraging Reserved InstancesOne of the most common mistakes made by clients is that they donrsquot purchase Reserved Instances for their environment Amazon EC2 Reserved Instances can allow you to save 25-40 on cloud spend with various discounted purchase options like Full Upfront Partial Upfront and No Upfront This year Amazon evolved their Reserved Instances offerings by introducing convertible Reserved Instances and making it even easier to make changes to Reserved Instances from operating system to instance family to availability zones etc

Customers should cautiously analyze their environment for reserved instance purchases for Amazon EC2 RDS Elasticache and others as they might be signed up for the wrong kind something that can be locked into for one to three years To take some of the guesswork out of reserved instance purchasing some third-party solutions offer Reserved Instances recommendations with ROI cost comparisons and ROI projections enabling customers to make more efficient purchase decisions

The 10 Most Common AWS Misconfigurations 8

Operational Best Practice ChecksBeyond cost and security challenges there are a few operational considerations organizations should keep in mind to derive more value from their AWS investment

8 Underutilized Reserved InstancesIt is essential to ensure that reserved instances are utilized properly and any underutilized reserved instances are immediately highlighted so that necessary corrective actions can be taken to ensure full usage Customers may miss this part and assume that things are going in the right directionmdashthat is until they get their monthly invoice from AWS and see that it is much higher than they expected Customers should regularly audit the usage of their Reserved Instances AWS has started offering reserved instance utilization reports allowing customers to track their RI usage CloudCheckr also identifies underutilized Reserved Instances offering automation tools to reallocate and rebalance instances with the click of a button

The 10 Most Common AWS Misconfigurations 9

9 Ineffective Tagging StrategiesTag management plays a very crucial role in the overall management of resource utilization Teams can develop automation scripts around tags to trigger necessary actions For example they might use a script to automatically shut down resources tagged with ldquoEnvironment Devrdquo during night hours to reduce unnecessary spend These tags can also be applied in cost allocation reports to better understand expenses and to differentiate between development testing and production costs Often however teams create different tagging standards that complicate the simplifying objective of tag management For instance using the tag ldquoDevelopmentrdquo instead of the simpler tag ldquoDevrdquo

It is important to continuously review tagging standards and applied tags across the resources and immediately identify and address any variations Tools like CloudCheckr offer insightful reports on what is tagged and how it is tagged Tag Mapping allows users to readily report and clean up inconsistent tag names Tag management is a regular exercise and the team should be regularly educated on this

10 Unintentionally Exposing Resources to the Public It is no secret how much damage publically exposed resources can cause to organizations There are hundreds of examples on the web where organizations accidently left confidential data in a public AWS S3 bucket or left passwordless MongoDB instances on public subnet instances with EIPs attached These ldquoaccidentalrdquo or ldquohuman mistakesrdquo not only result in exposing confidential information but can also give the organization a bad name and attract lawsuits that might greatly impact the business It is an organizationrsquos responsibility to have the necessary checks enabled across their environment to avoid such mistakes and keep data safe Organizations can use a combination of Amazon Trusted Advisor Checks and third-party tools to enable proactive monitoring on their environments Tools like CloudCheckr provide perimeter assessment reports allowing users to readily determine publically accessible resources on a region by region basis for a wide variety of services including EC2 ELB S3 RDS etc

Watch ldquoBest Practices for Billing and Taggingrdquo to learn how to tag your resources efficiently

Download Hackproof Your Cloud to learn more about the cloud security paradigm

The 10 Most Common AWS Misconfigurations 10

Take Action TodayThe above checks are not the only ones that matter across AWS environments Each service on AWS offers a laundry list of checks regarding security budget and operations aspects As AWS uses a shared responsibility model management of AWS resources is not only their responsibility some aspects of AWS services are entirely the customerrsquos responsibility to ensure Proper controls must be utilized in order to tackle every changing AWS environment while it may seem like a major undertaking organizations operating in the cloud should do whatever they can as soon as they can to ensure a stable and sound security posture

Reference Links1 AWS Security Whitepaper httpsawsamazoncomwhitepapersaws-security-best-practices 2 Cost Optimization with AWS httpsd0awsstaticcomwhitepapersCost_Optimization_with_AWSpdf 3 AWS Operational Checklist httpsd0awsstaticcomwhitepapersaws-operational-checklistspdf 4 Monitoring Security in AWS httpcloudcheckrcomdocumentmonitoring-security-amazon-cloud

Try CloudCheckr for free for 14 days to see how we can help fix these and many more misconfigurations in your cloud environment

The CloudCheckr platform offers a single pane of glass across infrastructure to ensure total security and compliance while optimizing cost and expenses With continuous monitoring 450 best practice checks and built-in automation CloudCheckr helps organizations to ensure compliance for highly regulated industries with alerts monitoring and audits to meet FedRAMP DFARS HIPAA PCI and other security standards With deeper intelligence across cloud infrastructure and a unified cloud management solution organizations can prevent risks and mitigate threats before they occur Get started at cloudcheckrcomgetstarted

About CloudCheckr

VISIT US ONLINE

  • Overview
  • Security Best Practice Checks
    • 1 Inadequate Password Policies
    • 2 Inadequate or Inconsistent Use of AWS S3 Encryption
    • 3 CloudTrail Not Enabled
    • 4 VPC Security Groups with Overly Permissive Inbound Rules
      • Cost Best Practice Checks
        • 5 Idle Resources
        • 6 Previous Generation Resources
        • 7 Not Leveraging Reserved Instances
          • Operational Best Practice Checks
            • 8 Underutilized Reserved Instances
            • 9 Ineffective Tagging Strategies
            • 10 Unintentionally Exposing Resources to the Public
              • Take Action Today
              • Reference Links
              • About CloudCheckr
Page 8: The 10 Most Common - CloudCheckrclick.cloudcheckr.com/rs/222-ENM-584/images/10_Most... · 2020-01-19 · The 10 Most Common AWS Misconfigurations 4 Security Best Practice Checks Below

The 10 Most Common AWS Misconfigurations 8

Operational Best Practice ChecksBeyond cost and security challenges there are a few operational considerations organizations should keep in mind to derive more value from their AWS investment

8 Underutilized Reserved InstancesIt is essential to ensure that reserved instances are utilized properly and any underutilized reserved instances are immediately highlighted so that necessary corrective actions can be taken to ensure full usage Customers may miss this part and assume that things are going in the right directionmdashthat is until they get their monthly invoice from AWS and see that it is much higher than they expected Customers should regularly audit the usage of their Reserved Instances AWS has started offering reserved instance utilization reports allowing customers to track their RI usage CloudCheckr also identifies underutilized Reserved Instances offering automation tools to reallocate and rebalance instances with the click of a button

The 10 Most Common AWS Misconfigurations 9

9 Ineffective Tagging StrategiesTag management plays a very crucial role in the overall management of resource utilization Teams can develop automation scripts around tags to trigger necessary actions For example they might use a script to automatically shut down resources tagged with ldquoEnvironment Devrdquo during night hours to reduce unnecessary spend These tags can also be applied in cost allocation reports to better understand expenses and to differentiate between development testing and production costs Often however teams create different tagging standards that complicate the simplifying objective of tag management For instance using the tag ldquoDevelopmentrdquo instead of the simpler tag ldquoDevrdquo

It is important to continuously review tagging standards and applied tags across the resources and immediately identify and address any variations Tools like CloudCheckr offer insightful reports on what is tagged and how it is tagged Tag Mapping allows users to readily report and clean up inconsistent tag names Tag management is a regular exercise and the team should be regularly educated on this

10 Unintentionally Exposing Resources to the Public It is no secret how much damage publically exposed resources can cause to organizations There are hundreds of examples on the web where organizations accidently left confidential data in a public AWS S3 bucket or left passwordless MongoDB instances on public subnet instances with EIPs attached These ldquoaccidentalrdquo or ldquohuman mistakesrdquo not only result in exposing confidential information but can also give the organization a bad name and attract lawsuits that might greatly impact the business It is an organizationrsquos responsibility to have the necessary checks enabled across their environment to avoid such mistakes and keep data safe Organizations can use a combination of Amazon Trusted Advisor Checks and third-party tools to enable proactive monitoring on their environments Tools like CloudCheckr provide perimeter assessment reports allowing users to readily determine publically accessible resources on a region by region basis for a wide variety of services including EC2 ELB S3 RDS etc

Watch "Best Practices for Billing and Tagging" to learn how to tag your resources efficiently.

Download Hackproof Your Cloud to learn more about the cloud security paradigm.


Take Action Today

The above checks are not the only ones that matter across AWS environments. Each service on AWS offers a laundry list of checks regarding security, budget and operations aspects. As AWS uses a shared responsibility model, management of AWS resources is not only their responsibility: some aspects of AWS services are entirely the customer's responsibility to ensure. Proper controls must be utilized in order to tackle the ever-changing AWS environment. While it may seem like a major undertaking, organizations operating in the cloud should do whatever they can, as soon as they can, to ensure a stable and sound security posture.

Reference Links

1. AWS Security Whitepaper: https://aws.amazon.com/whitepapers/aws-security-best-practices
2. Cost Optimization with AWS: https://d0.awsstatic.com/whitepapers/Cost_Optimization_with_AWS.pdf
3. AWS Operational Checklist: https://d0.awsstatic.com/whitepapers/aws-operational-checklists.pdf
4. Monitoring Security in AWS: http://cloudcheckr.com/document/monitoring-security-amazon-cloud

Try CloudCheckr for free for 14 days to see how we can help fix these and many more misconfigurations in your cloud environment.

About CloudCheckr

The CloudCheckr platform offers a single pane of glass across infrastructure to ensure total security and compliance while optimizing cost and expenses. With continuous monitoring, 450 best practice checks and built-in automation, CloudCheckr helps organizations to ensure compliance for highly regulated industries, with alerts, monitoring and audits to meet FedRAMP, DFARS, HIPAA, PCI and other security standards. With deeper intelligence across cloud infrastructure and a unified cloud management solution, organizations can prevent risks and mitigate threats before they occur. Get started at cloudcheckr.com/getstarted.
