Cloud Misconfigurations Pose Serious Security Risk to Businesses
June 15, 2021

Assaf Morag
Aqua Security

Organizations of all sizes and industries are increasingly adopting cloud native approaches. The benefits to the business are enormous, but at the same time, the transition introduces new threats and a wider attack surface. New research from Aqua Security reveals that organizations struggle to keep pace and to detect and secure the ever-growing attack surface.

In fact, findings from Aqua's 2021 Cloud Security Report: Cloud Configuration Risks Exposed, showed that 90% of companies surveyed are vulnerable to security breaches due to cloud misconfigurations.


When considering the factors that facilitate this trend, we should remember that cloud native is about componentizing the application. Instead of one monolith that is complex to maintain, a typical cloud application will have many smaller components, interacting with each other. This is great for innovation and development velocity, but it comes with a price of a new and wider attack surface.

Furthermore, Cloud Service Providers such as Amazon, Microsoft, Google and others are innovating at cloud speed, which means that new and updated services are introduced on a weekly basis. Keeping up with the security implications of these changes requires a dedicated team of experts that must constantly learn and evolve in order to stay ahead of the threats.

And finally, the introduction of shift-left approaches, where developers have end-to-end responsibility for their apps and components, also means that traditional checkpoints and reviews by a centralized team of security experts are not always possible for all changes in a continuous delivery model.

These factors may introduce critical configuration issues, and unfortunately they are not easy to detect or respond to efficiently. This is especially true at larger enterprises – our data showed they take an average of 88 days to address issues after discovery.

Over 12 months, Aqua's research team analyzed anonymized cloud infrastructure data from hundreds of organizations. Users were divided into two groups based on the volume of cloud resources they scanned: SMB (small and midsize business) who scanned between one and several hundred resources, and enterprise users who scanned from several hundred up to a few hundred thousand distinct resources. In our research, we sought to understand both the scale of vulnerabilities as well as how organizations cope with key issues: storage bucket and blob misconfigurations, IAM misconfigurations, data encryption issues, exploitable services behind open ports and container technology exploitation.

Our findings align with other industry reports such as Verizon's 2020 Data Breach Investigations Report showing that cloud misconfiguration errors had increased from 10% in 2017 to 40% in 2019.

A survey by global market intelligence firm IDC also showed that almost 80% of respondents had at least one cloud security breach over the preceding 18 months.

In addition, 67% of the participants noted that their main IaaS and PaaS security concerns were misconfigurations.

We found, for instance, that in a one-year period 82.4% of all organizations had at least one storage resource (e.g., AWS S3 bucket) publicly open to all inbound traffic. Since opening a storage resource to the world can be an integral part of an application's basic design, this finding is not disturbing by itself. But 73.3% of all cases were closed after receiving an alert, and it took organizations on average 2.5 months to close these storage resources. Given that these storage resources shouldn't have been open, this finding looks alarming.

Read here how a security researcher was able to find and access an S3 bucket open to the world.

Another troubling finding shows that 40.6% of organizations had at least one case of a misconfigured Docker API over a one-year period. Approximately 90% of these issues were fixed, but it took an average of two months to do so.

Another research finding by Team Nautilus showed that attackers are now using large botnets to scan the internet looking for exactly this misconfiguration. When they find a vulnerable host, they run malicious container images that run cryptominers, steal credentials and leave backdoors. The adversaries often infect the host with a worm that keeps spreading the attack. Research showed that it takes five hours on average for attackers to find new vulnerable hosts, which makes two months an eternity compared to the time it takes attackers to detect the host and launch an attack.

We recommend finding a solution that goes beyond host-based security tools. This requires a Cloud Security Posture Management (CSPM) solution that operates at the cloud provider control plane level, something that can leverage APIs from the underlying public cloud vendor. This is important because it provides needed visibility into the configuration of the cloud services.

Also, automated capabilities are key to validating hundreds of settings across regions and accounts, and can help to:

■ Identify misconfigured storage blobs and buckets that are exposed publicly

■ Find compute and database resources with unintended public access settings

■ Ensure encryption in transit and at rest across cloud services

■ Enforce user policy definitions to ensure least-privileged access to resources

■ Detect changes to critical resources such as firewall rules, logging groups, or account settings

■ Catch activity in unused or unexpected cloud provider regions or locations
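The first item in that list, flagging storage buckets exposed to the world, is the kind of control-plane check such a tool runs. The example below is added here and is not Aqua's code; it evaluates the standard AWS S3 bucket-policy and ACL JSON shapes offline against a constructed inventory (fictional bucket names and a placeholder account id) in place of the `GetBucketPolicy` / `GetBucketAcl` API responses a real scanner would fetch.

```python
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_is_public(policy):
    # An Allow statement for the anonymous principal "*" makes the bucket public.
    # Statements with a Condition are skipped as narrowed (a real CSPM evaluates them).
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            return True
    return False

def acl_is_public(acl):
    # ACL grants to the AllUsers / AuthenticatedUsers groups expose the bucket.
    return any(g.get("Grantee", {}).get("Type") == "Group"
               and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
               for g in acl.get("Grants", []))

def find_public_buckets(inventory):
    # inventory: name -> {"policy": dict or None, "acl": dict}; returns [(name, reasons)]
    flagged = []
    for name, cfg in inventory.items():
        reasons = []
        if cfg.get("policy") and policy_is_public(cfg["policy"]):
            reasons.append("policy")
        if acl_is_public(cfg.get("acl", {})):
            reasons.append("acl")
        if reasons:
            flagged.append((name, reasons))
    return flagged

# Constructed sample inventory: fictional bucket names and a placeholder account id.
SAMPLE = {
    "public-site-assets": {"acl": {"Grants": []}, "policy": {"Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::public-site-assets/*"}]}},
    "internal-backups": {"policy": None, "acl": {"Grants": [{"Permission": "READ",
        "Grantee": {"Type": "Group",
                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}},
    "private-logs": {"acl": {"Grants": []}, "policy": {"Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "s3:*", "Resource": "arn:aws:s3:::private-logs"}]}},
}
```

Running `find_public_buckets(SAMPLE)` flags the first two buckets (one via policy, one via ACL) and leaves `private-logs` alone; a scanner would feed the same functions with live API output and raise the alert the article describes.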

Whether an organization adopts a single-cloud or multi-cloud environment, it must be proactive in monitoring for and fixing service configuration issues that unnecessarily expose it to threats; the resulting damage can be much greater than for traditional OS or on-premises workloads.

Assaf Morag is a Lead Data Analyst at Aqua Security