Cloud Misconfigurations Pose Serious Security Risk to Businesses
June 15, 2021

Assaf Morag
Aqua Security

Organizations of all sizes and industries are increasingly adopting cloud native approaches. The benefits to the business are enormous, but at the same time, the transition introduces new threats and a wider attack surface. New research from Aqua Security reveals that organizations struggle to keep pace and to detect and secure the ever-growing attack surface.

In fact, findings from Aqua's 2021 Cloud Security Report: Cloud Configuration Risks Exposed, showed that 90% of companies surveyed are vulnerable to security breaches due to cloud misconfigurations.


When considering the factors that facilitate this trend, we should remember that cloud native is about componentizing the application. Instead of one monolith that is complex to maintain, a typical cloud application will have many smaller components, interacting with each other. This is great for innovation and development velocity, but it comes with a price of a new and wider attack surface.

Furthermore, Cloud Service Providers, such as Amazon, Microsoft, Google and others, are innovating at cloud speed. Which means that new and updated services are introduced on a weekly basis. To keep up with the security implications of these changes, it requires a dedicated team of experts that must constantly learn and evolve in order to keep ahead of the threats.

And finally, the introduction of shift-left approaches, where developers have end-to-end responsibility for their apps and components, also means that traditional checkpoints and reviews by a centralized team of security experts are not always possible for all changes in a continuous delivery model.

These factors may introduce critical configuration issues, and unfortunately they are not easy to detect or respond to efficiently. This is especially true at larger enterprises – our data showed they take an average of 88 days to address issues after discovery.

Over 12 months, Aqua's research team analyzed anonymized cloud infrastructure data from hundreds of organizations. Users were divided into two groups based on the volume of cloud resources they scanned: SMB (small and midsize business) who scanned between one and several hundred resources, and enterprise users who scanned from several hundred up to a few hundred thousand distinct resources. In our research, we sought to understand both the scale of vulnerabilities as well as how organizations cope with key issues: storage bucket and blob misconfigurations, IAM misconfigurations, data encryption issues, exploitable services behind open ports and container technology exploitation.

Our findings align with other industry reports such as Verizon's 2020 Data Breach Investigations Report showing that cloud misconfiguration errors had increased from 10% in 2017 to 40% in 2019.

A survey by global market intelligence firm IDC also showed that almost 80% of respondents had at least one cloud security breach over the preceding 18 months.

In addition, 67% of the participants noted that their main IaaS and PaaS security concerns were misconfigurations.

We found, for instance, that in a one-year period 82.4% of all organizations had at least one storage resource (e.g., AWS S3 bucket) publicly open to all inbound traffic. When considering that opening a storage resource to the world can be an integral functionality of the basic design of the application, this is not a disturbing finding by itself. But 73.3% of all cases were closed after receiving an alert. It took organizations on average 2.5 months to close these storage resources. When realizing that these storage resources shouldn't have been open, this finding looks alarming.

Read here how a security researcher was able to find and access an S3 bucket open to the world.

Another troubling finding shows that 40.6% of organizations had at least one case of a misconfigured Docker API over a one-year period. Approximately 90% of these issues were fixed, but it took an average of two months to do so.

Another research finding by Team Nautilus also showed that attackers are now using large botnets to scan the internet, looking exactly for this misconfiguration. When finding a vulnerable host, they run malicious container images that run cryptominers, steal credentials and leave backdoors. The adversaries often infect the host with a worm that keeps spreading this attack. Research showed that it takes five hours on average to find new vulnerable hosts making two months an eternity compared to the time it takes attackers to detect the host and launch an attack.

We recommend finding a solution that goes beyond host-based security tools. This requires a Cloud Security Posture Management (CSPM) solution that operates at the cloud provider control plane level, something that can leverage APIs from the underlying public cloud vendor. This is important because it provides needed visibility into the configuration of the cloud services.

Also, automated capabilities are key to validate hundreds of settings across regions and accounts and can help to:

■ Identify misconfigured storage blobs and buckets that are exposed publicly

■ Find compute and database resources with unintended public access settings

■ Ensure the encryption in transit and at rest across cloud services

■ Enforce user policy definitions to ensure least-privileged access to resources

■ Detect changes to critical resources such as firewall rules, logging groups, or account settings

■ Catch activity in unused or unexpected cloud provider regions or locations

Whether an organization adopts a single or multi-cloud environment, it must be proactive in monitoring for and fixing service configuration issues that can unnecessarily expose it to threats which will inevitably result in damage that can be much greater than the traditional OS or on-premises workloads.

Assaf Morag is a Lead Data Analyst at Aqua Security
Share this

Industry News

July 29, 2021

Couchbase announced the general availability of Couchbase Server 7.

July 29, 2021

Cycloid has unveiled Infra Import, a tool that automatically reverse engineers Terraform Infra-as-Code (IaC) from manually deployed infrastructure.

July 29, 2021

Launchable closed a $9.5 million Series A investment.

July 29, 2021

Rafay Systems announced automation and monitoring enhancements to its flagship Kubernetes Management Cloud (KMC).

July 28, 2021

Progress announced the R2 2021 release of Progress Telerik Test Studio, the enterprise UI test automation platform.

July 28, 2021

Synopsys announced the availability of new Rapid Scan capabilities within the company's Coverity static application security testing (SAST) and Black Duck software composition analysis (SCA) solutions.

July 28, 2021

Bitdefender announced GravityZone Security for Containers, expanding its cloud workload security (CWS) offering with run-time support for containers and Linux kernel independence.

July 28, 2021

Armory announced Armory Enterprise on AWS Quick Starts, automated reference deployments built by Amazon Web Services (AWS) solutions architects and AWS Partners.

July 27, 2021

Katalon introduced Katalon TestOps, an open and comprehensive test orchestration platform designed to help enterprises scale test automation and streamline DevOps pipelines.

July 27, 2021

Digital.ai achieved Federal Risk and Authorization Management Program (FedRAMP) “In Process” status for an Enterprise Agile Planning (EAP) tool.

July 27, 2021

Aqua Security rolls out the availability of its new Aqua Platform, with a unified console to ease the journey from scanning and visibility to workload protection in cloud native environments.

July 26, 2021

Parallel Agile announced a new version of CodeBot, a low-code MERN stack application generator.

July 26, 2021

Appian unveiled its new Appian Japan regional office.

July 26, 2021

CloudTruth raised $5.25 million in seed funding led by Glasswing Ventures and Gutbrain Ventures, with additional funding from Stage 1 Ventures and York IE.

July 22, 2021

Postman successfully obtained the System and Organization Controls (SOC) 2 Type 2 and SOC 3 Type 2 reports for the Postman API platform, meeting critical industry standards relative to the Trust Services Criteria for security, availability, and confidentiality.