Cloud Misconfigurations Pose Serious Security Risk to Businesses
June 15, 2021

Assaf Morag
Aqua Security

Organizations of all sizes and industries are increasingly adopting cloud native approaches. The benefits to the business are enormous, but at the same time, the transition introduces new threats and a wider attack surface. New research from Aqua Security reveals that organizations struggle to keep pace and to detect and secure the ever-growing attack surface.

In fact, findings from Aqua's 2021 Cloud Security Report: Cloud Configuration Risks Exposed, showed that 90% of companies surveyed are vulnerable to security breaches due to cloud misconfigurations.

When considering the factors that facilitate this trend, we should remember that cloud native is about componentizing the application. Instead of one monolith that is complex to maintain, a typical cloud application will have many smaller components, interacting with each other. This is great for innovation and development velocity, but it comes with a price of a new and wider attack surface.

Furthermore, Cloud Service Providers, such as Amazon, Microsoft, Google and others, are innovating at cloud speed. Which means that new and updated services are introduced on a weekly basis. To keep up with the security implications of these changes, it requires a dedicated team of experts that must constantly learn and evolve in order to keep ahead of the threats.

And finally, the introduction of shift-left approaches, where developers have end-to-end responsibility for their apps and components, also means that traditional checkpoints and reviews by a centralized team of security experts are not always possible for all changes in a continuous delivery model.

These factors may introduce critical configuration issues, and unfortunately they are not easy to detect or respond to efficiently. This is especially true at larger enterprises – our data showed they take an average of 88 days to address issues after discovery.

Over 12 months, Aqua's research team analyzed anonymized cloud infrastructure data from hundreds of organizations. Users were divided into two groups based on the volume of cloud resources they scanned: SMB (small and midsize business) who scanned between one and several hundred resources, and enterprise users who scanned from several hundred up to a few hundred thousand distinct resources. In our research, we sought to understand both the scale of vulnerabilities as well as how organizations cope with key issues: storage bucket and blob misconfigurations, IAM misconfigurations, data encryption issues, exploitable services behind open ports and container technology exploitation.

Our findings align with other industry reports such as Verizon's 2020 Data Breach Investigations Report showing that cloud misconfiguration errors had increased from 10% in 2017 to 40% in 2019.

A survey by global market intelligence firm IDC also showed that almost 80% of respondents had at least one cloud security breach over the preceding 18 months.

In addition, 67% of the participants noted that their main IaaS and PaaS security concerns were misconfigurations.

We found, for instance, that in a one-year period 82.4% of all organizations had at least one storage resource (e.g., AWS S3 bucket) publicly open to all inbound traffic. When considering that opening a storage resource to the world can be an integral functionality of the basic design of the application, this is not a disturbing finding by itself. But 73.3% of all cases were closed after receiving an alert. It took organizations on average 2.5 months to close these storage resources. When realizing that these storage resources shouldn't have been open, this finding looks alarming.

Read here how a security researcher was able to find and access an S3 bucket open to the world.

Another troubling finding shows that 40.6% of organizations had at least one case of a misconfigured Docker API over a one-year period. Approximately 90% of these issues were fixed, but it took an average of two months to do so.

Another research finding by Team Nautilus also showed that attackers are now using large botnets to scan the internet, looking exactly for this misconfiguration. When finding a vulnerable host, they run malicious container images that run cryptominers, steal credentials and leave backdoors. The adversaries often infect the host with a worm that keeps spreading this attack. Research showed that it takes five hours on average to find new vulnerable hosts making two months an eternity compared to the time it takes attackers to detect the host and launch an attack.

We recommend finding a solution that goes beyond host-based security tools. This requires a Cloud Security Posture Management (CSPM) solution that operates at the cloud provider control plane level, something that can leverage APIs from the underlying public cloud vendor. This is important because it provides needed visibility into the configuration of the cloud services.

Also, automated capabilities are key to validate hundreds of settings across regions and accounts and can help to:

■ Identify misconfigured storage blobs and buckets that are exposed publicly

■ Find compute and database resources with unintended public access settings

■ Ensure the encryption in transit and at rest across cloud services

■ Enforce user policy definitions to ensure least-privileged access to resources

■ Detect changes to critical resources such as firewall rules, logging groups, or account settings

■ Catch activity in unused or unexpected cloud provider regions or locations

Whether an organization adopts a single or multi-cloud environment, it must be proactive in monitoring for and fixing service configuration issues that can unnecessarily expose it to threats which will inevitably result in damage that can be much greater than the traditional OS or on-premises workloads.

Assaf Morag is a Lead Data Analyst at Aqua Security
Share this

Industry News

December 06, 2023

ngrok unveiled its JavaScript and Python SDKs, enabling developers to programmatically serve their applications and manage traffic by embedding ingress with a single line of code.

December 06, 2023

Data Theorem introduced API Attack Path Visualization capabilities for the protection of APIs and the software supply chain.

December 05, 2023

Security Journey announced support for WCAG, SCIM and continued compliance with SOC2 Type 2, which are leading industry standards.

December 05, 2023

Vercel announced a new suite of features for its Developer Experience (DX) Platform, made for enterprise teams with large codebases.

December 04, 2023

Atlassian Corporation has completed the acquisition of Loom, a video messaging platform that helps users communicate through instantly shareable videos.

December 04, 2023

Orca Security announced that the Orca Cloud Security Platform has achieved the Amazon Web Services (AWS) Built-in Competency.

November 30, 2023

Parasoft, a global leader in automated software testing solutions, today announced complete support for MISRA C++ 2023 with the upcoming release of Parasoft C/C++test 2023.2.

November 30, 2023 achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 29, 2023

CircleCI implemented a gen2 GPU resource class, leveraging Amazon Elastic Compute Cloud (Amazon EC2) G5 instances, offering the latest generation of NVIDIA GPUs and new images tailored for artificial intelligence/machine learning (AI/ML) workflows.

November 29, 2023

XM Cyber announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments.

November 29, 2023

PerfectScale has achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 28, 2023

BMC announced two new product innovations, BMC AMI DevX Code Insights and BMC AMI zAdviser Enterprise.

November 28, 2023

Rafay Systems announced the availability of the Rafay Cloud Automation Platform — the evolution of its Kubernetes Operations Platform — to enable platform teams to deliver automation and self-service capabilities to developers, data scientists and other cloud users.

November 28, 2023

Bitrise is integrating with Amazon Web Services (AWS) to provide compliance-conscious companies with greater access to CI/CD capabilities for mobile app development.

November 28, 2023

Armory announced a new unified declarative deployment capability for AWS Lambda.