If you are using AWS, it’s easy to assume that cloud security is handled, but that’s a dangerous misconception. While AWS protects its own infrastructure, security within the cloud environment remains the responsibility of the customer.
Think about AWS security, such as building protection. AWS offers strong walls and solid roofs, but it’s up to the customer to handle locks, install alarm systems and make sure your valuables are not exposed.
In this blog, we will clarify what AWS is not safe, highlight real vulnerabilities, and clarify how cloud security scanners like intruders can help.
Understanding the AWS Shared Responsibility Model
AWS works with a shared responsibility model. Simply put:
AWS is responsible for ensuring the underlying infrastructure (hardware, networking, data centers, etc.) – “walls and roofs.” Customers are responsible for protecting data, applications, and configurations, namely “locks and alarms” within AWS.
Understanding this distinction is essential to maintaining a secure AWS environment.
Five real-world AWS vulnerabilities need to be addressed
Let’s look at real-world vulnerabilities in customer liability and what can be done to mitigate them.
Server-side request forgery (SSRF)
Applications hosted on AWS are still vulnerable to attacks like SSRF, where attackers trick the server into making requests for themselves. These attacks could lead to unauthorized access to data and further exploitation.
To protect SSRF:
Scan and fix vulnerabilities in your application periodically. Enable AWS IMDSV2, which provides an additional layer of security against SSRF attacks. AWS offers this safeguard, but it is the customer’s responsibility to configure it.
Access weaknesses of control
AWS Identification and Access Management (IAM) allows customers to manage who has access to which resources, but it’s as powerful as implementations. Customers are responsible for ensuring that users and systems have access to only the resources they truly need.
Common failures are:
Overly generous roles and lack of access security controls accidentally public S3 buckets
Data exposure
AWS customers are responsible for the security of data they store in the cloud and how applications access that data.
For example, if your application is connected to AWS Relational Database Services (RDS), the customer must ensure that the application does not expose sensitive data to an attacker. Simple vulnerabilities like the insecure direct object reference (IDOR) are everything an attacker with a user account needs to access data belonging to all other users.
Patch Management
Needless to say, AWS does not patch your servers! Customers deploying EC2 instances are entirely responsible for keeping their operating system (OS) and software up to date.
Take Redis, deployed on ubuntu 24.04 as an example – the customer is responsible for patching vulnerabilities in both software (Redis) and OS (Ubuntu). AWS manages only underlying hardware vulnerabilities, such as firmware issues.
AWS services like Lambda reduce the responsibility of some patching, but are responsible for using supported runtimes and keeping you up to date.
Firewall and attack surface
AWS allows customers to control the attack surface, but is not responsible for what is exposed.
For example, if your GitLab server is deployed on AWS, customers are responsible for ensuring a secure way to access their teams, layering behind a VPN, using firewalls, or placing them inside a virtual private cloud (VPC). Otherwise, zero-day vulnerabilities can compromise your data and AWS is not negligent.
Important points
These examples make one thing clear. Cloud security is not out of the box. AWS ensures that the underlying infrastructure is built on it, but everything that’s built on it is the customer’s responsibility. Looking down on that fact, you can put your organization at serious risk, but with the right tools, it’s completely within reach of safety.
Level up cloud security with intruders
Intruders can help them get ahead of all these vulnerabilities and more by attacking surface management with no agent cloud security scans, vulnerability scans, and one powerful, easy-to-use platform.
Why is it a game changer:
Find what others are missing: Intruders combine external vulnerability scans with information from AWS accounts to find risks other solutions may miss. No false alarms: CSPM tools can exaggerate the severity. Intruders prioritize real risk, so they can focus on what is really important. Crystal Clear Fix: Issues are explained in plain English with step-by-step repair guidance. Continuous Protection: Continuous monitoring and alert you when new risks arise. Predictable Pricing: Unlike other cloud security tools that can earn unpredictable costs, there are no surprise fees with intruders.
Set up in minutes and receive instant insight into cloud security. Start your 14-day free trial today.
Source link
