In this article, we’ll discuss typical cloud security pitfalls and how AWS uses CSPM solutions to tackle these complexities and challenges, from real-time compliance tracking to detailed risk assessment.
Wiz Experts Team
Cloud security posture management (CSPM), a term coined by Gartner in 2019, is the practice of continuously and automatically monitoring a cloud environment to identify misconfigurations and other security risks and drive their remediation.
All major public cloud vendors now offer CSPM-style tooling as a proactive approach to security. These tools help customers manage their side of the shared responsibility model: they let users continuously monitor, compare against a desired baseline, and improve the security of their applications and data in the cloud.
Under the shared responsibility model, AWS secures the underlying infrastructure (security of the cloud), while the customer is responsible for how the services are configured and used (security in the cloud): identities and their permissions, data and its encryption, network settings, and workload configuration. Back in 2021, Deloitte highlighted how cloud misconfigurations are a primary cause of cloud security breaches, with an average of 3,500 such incidents every month.
What misconfigurations do we typically see in AWS today? They fall into three categories: storage, compute, and identity and access management. Let's take each in turn.
Storage misconfigurations
Amazon S3 is a highly scalable object storage service that backs many kinds of applications. With the amount of critical data that businesses now keep in it, storage security is a responsibility that both the cloud provider and the customer have to take seriously.
Unfortunately, we still see incidents like logistics company D.W. Morgan exposing 2.5 million files (3 TB) of sensitive data about airport employees in Colombia and Peru through a misconfigured S3 bucket. It is a good example of how much damage a single S3 misconfiguration can cause:
Public bucket access: S3 buckets are private by default, but they can be made public, intentionally or by mistake, through a bucket policy or an access control list (ACL). Keep S3 Block Public Access enabled at both the account and bucket level so that a stray policy or ACL cannot open a bucket to the world; new buckets have had it enabled by default since April 2023, but older buckets may not.
Unencrypted data storage: S3 supports server-side encryption (SSE-S3, SSE-KMS, SSE-C) and client-side encryption, and since January 2023 new objects are encrypted with SSE-S3 by default. Be clear about what encryption at rest buys you: it does not stop a caller who already holds s3:GetObject permission. It protects the underlying storage media, and with SSE-KMS it adds a second authorization check (kms:Decrypt on the key) and a CloudTrail record of every decrypt. For sensitive data, set SSE-KMS as the bucket default and keep the key policy tight.
Disabled access logging: S3 server access logging is off by default, so turn it on (or enable CloudTrail data events for the bucket, which are more complete and easier to query). These logs are what let you detect and trace a download you did not authorize.
Note: Server access logs are written to a separate target bucket, which adds storage cost, so put a lifecycle rule on the log bucket to expire old logs, and avoid pointing a bucket's logging at itself, which generates logs about the logs.
Disabled versioning: Versioning keeps every version of an object, so you can recover quickly from accidental deletions, overwrites, and application bugs. Enable it, and for the buckets that matter most consider MFA delete, so that a version cannot be permanently removed without a second factor. Pair versioning with a lifecycle rule that expires noncurrent versions, or storage costs grow without bound.
Disabled Object Lock: S3 Object Lock stores objects in write-once-read-many (WORM) mode for a retention period, which protects backups and audit data from deletion or overwrite, whether accidental or by an attacker who has obtained credentials. It requires versioning, and retention in compliance mode cannot be shortened or removed by anyone, including the root user, so choose the mode and retention period deliberately rather than switching it on everywhere.
Incorrect bucket policies and ACLs: Over-broad permissions let unauthorized parties, including other AWS accounts, read or modify your data, leaving you with a data breach or data loss.
Note: AWS recommends disabling ACLs (the "bucket owner enforced" object ownership setting, the default for new buckets since April 2023) so that the bucket owner owns every object in the bucket and access is governed solely by IAM and bucket policies.
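The checks above can be run as one posture scan per bucket. The following is an added example, not code from the article, AWS, or Wiz: the input dicts mirror the boto3 responses of get_bucket_acl, get_public_access_block, get_bucket_ownership_controls, get_bucket_encryption, get_bucket_logging, get_bucket_versioning and get_object_lock_configuration, and the two sample buckets are constructed for illustration. It flags public ACL grants, incomplete Block Public Access, ACLs still enabled, missing or weak default encryption, missing or self-targeted logging, and disabled versioning or Object Lock.

```python
"""Added example, not code from the article, AWS, or Wiz: offline posture check
for the S3 settings discussed above. Input dicts mirror boto3 responses; the
two sample buckets are constructed."""

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anonymous
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account
}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def check_bucket(name, cfg):
    """Return (severity, message) findings for one bucket."""
    findings = []

    # ACL grants to the global groups make objects public regardless of intent
    for grant in cfg.get("acl", {}).get("Grants", []):
        uri = grant["Grantee"].get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append(("HIGH", f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}"))

    # Block Public Access is only a guardrail when all four flags are on
    bpa = cfg.get("public_access_block", {})
    missing = [flag for flag in BPA_FLAGS if not bpa.get(flag)]
    if missing:
        findings.append(("HIGH", "Block Public Access incomplete: " + ", ".join(missing)))

    # ACLs disabled (BucketOwnerEnforced) means only policies govern access
    rules = cfg.get("ownership", {}).get("Rules", [])
    if not any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in rules):
        findings.append(("MEDIUM", "ACLs still enabled; set ObjectOwnership=BucketOwnerEnforced"))

    # Default encryption: SSE-KMS adds a kms:Decrypt check and a CloudTrail record per read
    algos = [r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
             for r in cfg.get("encryption", {}).get("Rules", [])]
    if not algos:
        findings.append(("MEDIUM", "no default encryption configured"))
    elif "aws:kms" not in algos:
        findings.append(("LOW", "default encryption is SSE-S3; consider SSE-KMS for sensitive data"))

    # Server access logging, written to a dedicated bucket
    target = cfg.get("logging", {}).get("LoggingEnabled")
    if not target:
        findings.append(("MEDIUM", "server access logging disabled"))
    elif target.get("TargetBucket") == name:
        findings.append(("LOW", "bucket logs to itself; use a separate log bucket"))

    # Versioning is the recovery path; Object Lock is the ransomware path
    if cfg.get("versioning", {}).get("Status") != "Enabled":
        findings.append(("MEDIUM", "versioning disabled"))
    lock = cfg.get("object_lock", {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append(("LOW", "Object Lock not enabled (needed for backups and audit data)"))
    return findings


def audit(buckets):
    """Map bucket name -> findings for a dict of bucket configs."""
    return {name: check_bucket(name, cfg) for name, cfg in buckets.items()}


OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = {  # constructed for illustration, not real buckets
    "leaky-exports": {
        "acl": {"Grants": [OWNER, {"Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
        "public_access_block": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "ownership": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]},
        "encryption": {"Rules": []}, "logging": {}, "versioning": {}, "object_lock": {},
    },
    "hardened-backups": {
        "acl": {"Grants": [OWNER]},
        "public_access_block": {flag: True for flag in BPA_FLAGS},
        "ownership": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]},
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                  {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/backups"}}]},
        "logging": {"LoggingEnabled": {"TargetBucket": "central-s3-logs", "TargetPrefix": "hardened-backups/"}},
        "versioning": {"Status": "Enabled"},
        "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}},
    },
}

if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_BUCKETS).items():
        print(bucket, "OK" if not findings else "")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

To run this against a real account, populate the per-bucket dict from the corresponding boto3 calls (each of which raises a client error when the configuration is absent, which maps naturally to an empty dict here). The severities are a starting point; an exposed ACL grant or incomplete Block Public Access is the pair you fix first.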
Compute misconfigurations
AWS offers powerful compute services such as EC2, Lambda, and Elastic Load Balancing (ELB). Developers around the world run their applications on them, which makes them a popular target for attackers.
Take EC2. Nothing hammers home the importance of EC2 hygiene like the Capital One breach, which exposed the personal data of roughly 100 million people: a server-side request forgery flaw in a WAF running on EC2 let the attacker read the instance role's credentials from the metadata service, and that role was permitted to list and read far more S3 data than it needed. The T-Mobile breach, in which attackers walked away with personal details of more than 50 million customers, is another reminder of what exposed compute can cost.
Common EC2 compute misconfigurations include:
Improper IAM role configurations: An instance profile attaches a role to an EC2 instance, and anything running on that instance, including an attacker who gets code execution or an SSRF primitive, can use the role's permissions. Overly permissive roles or misconfigured policies hand that attacker far more than the workload needs. Scope roles to the exact actions and resources required, and require IMDSv2 (HttpTokens=required) so that a simple SSRF cannot fetch the credentials with a plain GET. (See Figure 2.)
Public, shared, or unencrypted snapshots: EBS snapshots are backups of entire volumes. They are private by default, but a snapshot that is made public, or shared with the wrong account, hands over everything on the volume: credentials, keys, database files. Encrypted snapshots cannot be made public, and sharing one also requires granting the recipient access to the KMS key, so encrypt volumes by default and audit snapshot permissions regularly.
Shared or long-lived EC2 key pairs: EC2 key pairs are used for SSH authentication, which is fine as far as it goes. But a private key that is reused across fleets, shared between people, or checked into a repository exposes every instance it unlocks. Tie keys to individuals and rotate them, and where possible replace persistent SSH keys with Systems Manager Session Manager or EC2 Instance Connect, which grant short-lived access and log each session.
Public and unencrypted Amazon Machine Images (AMIs): An AMI captured from a running instance contains whatever was on its volumes, including secrets, shell history, and application data. If it is unencrypted or inadvertently shared publicly, that data is exposed to anyone who launches it.
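The EC2 and snapshot checks above, as an added example that is not code from the article, AWS, or Wiz. It works from dicts shaped like boto3's describe_instances, describe_snapshots and describe_snapshot_attribute(Attribute="createVolumePermission") responses, so it runs offline; the instance IDs, account IDs, key name and snapshot IDs are constructed.

```python
"""Added example, not code from the article, AWS, or Wiz: flag the EC2 and
snapshot misconfigurations discussed above. Sample data is constructed."""


def check_instance(inst):
    """Findings for one Instance dict from describe_instances."""
    out = []
    md = inst.get("MetadataOptions", {})
    # With IMDSv1 allowed, a plain GET from an SSRF bug returns the role's credentials;
    # IMDSv2 requires a PUT to obtain a session token first
    if md.get("HttpEndpoint", "enabled") == "enabled" and md.get("HttpTokens") != "required":
        out.append("IMDSv2 not required (HttpTokens=optional)")
    # A hop limit above 1 lets containers on the host reach IMDS too
    if md.get("HttpPutResponseHopLimit", 1) > 1:
        out.append(f"IMDS hop limit {md['HttpPutResponseHopLimit']} exposes credentials to containers")
    # Internet-reachable instance carrying a role: the Capital One shape
    if inst.get("PublicIpAddress") and inst.get("IamInstanceProfile"):
        out.append(f"public IP with instance profile {inst['IamInstanceProfile']['Arn']}; verify least privilege")
    # Long-lived SSH key pair instead of Session Manager / EC2 Instance Connect
    if inst.get("KeyName"):
        out.append(f"uses persistent SSH key pair {inst['KeyName']}")
    return out


def check_snapshot(snap, attr):
    """Findings for one Snapshot dict plus its createVolumePermission attribute."""
    out = []
    perms = attr.get("CreateVolumePermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        out.append("snapshot is PUBLIC: anyone can create a volume from it")
    shared_with = [p["UserId"] for p in perms if "UserId" in p]
    if shared_with:
        out.append("shared with accounts " + ", ".join(shared_with))
    # Encrypted snapshots cannot be made public and need a KMS grant to be shared
    if not snap.get("Encrypted"):
        out.append("unencrypted volume data")
    return out


def audit_compute(instances, snapshots, snapshot_attrs):
    """Map resource ID -> findings; resources with nothing to report are omitted."""
    report = {}
    for inst in instances:
        findings = check_instance(inst)
        if findings:
            report[inst["InstanceId"]] = findings
    for snap in snapshots:
        findings = check_snapshot(snap, snapshot_attrs.get(snap["SnapshotId"], {}))
        if findings:
            report[snap["SnapshotId"]] = findings
    return report


SAMPLE_INSTANCES = [  # constructed, not real instances
    {"InstanceId": "i-0a1b2c3d4e5f60001", "PublicIpAddress": "203.0.113.10",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web-admin"},
     "KeyName": "shared-ops-key",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0a1b2c3d4e5f60002",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/worker"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
]
SAMPLE_SNAPSHOTS = [  # constructed
    {"SnapshotId": "snap-0123456789abcdef0", "Encrypted": False, "VolumeId": "vol-0aaa"},
    {"SnapshotId": "snap-0123456789abcdef1", "Encrypted": True, "VolumeId": "vol-0bbb"},
]
SAMPLE_SNAPSHOT_ATTRS = {  # constructed createVolumePermission attributes
    "snap-0123456789abcdef0": {"CreateVolumePermissions": [{"Group": "all"}, {"UserId": "999988887777"}]},
    "snap-0123456789abcdef1": {"CreateVolumePermissions": []},
}

if __name__ == "__main__":
    for rid, findings in audit_compute(SAMPLE_INSTANCES, SAMPLE_SNAPSHOTS, SAMPLE_SNAPSHOT_ATTRS).items():
        print(rid)
        for f in findings:
            print("  -", f)
```

The hop-limit check is worth keeping even on instances without a public IP: a hop limit of 2 is what lets a container with network access to the host retrieve the host's role credentials.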
Identity and access management (IAM) misconfigurations
IAM is about managing users, groups, and roles, and the policies that define which principals may perform which actions on which AWS services and resources.
Unfortunately, a recent report from Microsoft found that over 70% of identities that had been granted permissions were inactive: they had not used any of their assigned permissions in the past 90 days. Every dormant identity with standing permissions is an attack vector waiting for a malicious actor to find the credential that goes with it.
What types of IAM misconfigurations typically occur?
Excessive permissions: When an account with broad permissions is compromised, the blast radius is everything it could reach. Grant the least privilege the task requires, and use IAM's last-accessed data (Access Advisor) to trim permissions that are never exercised.
Unused or stale credentials: Credentials that are no longer in use, such as access keys of former employees, contractors' logins, or roles that are no longer needed, are a standing risk. Decommission them, and rotate keys that are still needed on a schedule.
Permissions attached directly to users instead of through groups and roles: Just because something is possible does not make it advisable. Attaching policies directly to individual users produces a sprawl of one-off grants that nobody can audit. Put permissions on groups or roles, and prefer short-lived role credentials (IAM Identity Center or sts:AssumeRole) over long-lived user access keys.
Absence of multi-factor authentication (MFA): Admins might skip MFA because they are in a rush or simply forgot. Either way, you are asking for trouble. Enforce MFA for all IAM users with a policy that denies everything except the calls needed to enrol a device unless aws:MultiFactorAuthPresent is true, and require it on the root user without exception.
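Stale credentials and missing MFA are both visible in the IAM credential report, so the two checks above can be one script. The following is an added example, not code from the article, AWS, or Wiz: it parses the CSV that `aws iam get-credential-report` returns (column names and the 'true'/'false', 'N/A', 'no_information' value conventions are those of the real report) and reports console users without MFA, a root user without MFA, access keys unused for 90 days, keys never used since creation, and keys older than a year. The rows below are constructed; the account ID and user names are not real.

```python
"""Added example, not code from the article, AWS, or Wiz: audit an IAM
credential report for stale credentials and missing MFA. Rows are constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)      # unused for 90 days: decommission
ROTATE_AFTER = timedelta(days=365)    # older than a year: rotate
NO_VALUE = {"", "N/A", "no_information", "not_supported"}


def parse_ts(value):
    """Report timestamps look like 2024-05-29T11:00:00+00:00; placeholders become None."""
    if value in NO_VALUE:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(csv_text, now):
    """Return (user, problem) pairs; `now` must be a timezone-aware datetime."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        # MFA: any console password, and the root user above all, must have it
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        if user == "<root_account>" and row["mfa_active"] != "true":
            findings.append((user, "root account without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                # never used: judge staleness by the key's age instead
                if rotated and now - rotated > STALE_AFTER:
                    findings.append((user, f"access key {n} never used since creation on {rotated.date()}"))
            elif now - last_used > STALE_AFTER:
                findings.append((user, f"access key {n} unused since {last_used.date()}"))
            if rotated and now - rotated > ROTATE_AFTER:
                findings.append((user, f"access key {n} not rotated since {rotated.date()}"))
    return findings


# Constructed credential report: real header, fictitious account 111122223333 and users
SAMPLE_REPORT = "\n".join([
    "user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,"
    "password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,"
    "access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,"
    "cert_1_last_rotated,cert_2_active,cert_2_last_rotated",
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,"
    "2024-05-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    "alice,arn:aws:iam::111122223333:user/alice,2021-03-10T12:00:00+00:00,true,2024-05-28T08:15:00+00:00,"
    "2024-01-02T00:00:00+00:00,N/A,true,true,2024-02-01T00:00:00+00:00,2024-05-29T11:00:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    "bob-contractor,arn:aws:iam::111122223333:user/bob-contractor,2022-06-01T00:00:00+00:00,true,"
    "2023-11-20T16:40:00+00:00,2022-06-01T00:00:00+00:00,N/A,false,true,2022-06-01T00:00:00+00:00,"
    "2023-12-15T10:22:31+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    "ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-09-01T00:00:00+00:00,false,N/A,N/A,N/A,false,"
    "true,2023-09-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
])
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so the sample is reproducible

if __name__ == "__main__":
    for user, problem in audit_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user}: {problem}")
```

Against a live account, fetch the report with `generate_credential_report` followed by `get_credential_report` (the `Content` field is base64-encoded CSV) and pass `datetime.now(timezone.utc)` as `now`. Note that `access_key_N_last_used_date` only reflects usage in the last 400 days, so a key with no recorded use may simply be older than that, which is an even stronger reason to remove it.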
Mitigating IAM Misconfigurations with AWS IAM Access Analyzer
AWS IAM Access Analyzer gives organizations a way to identify and reduce unintended access to resources. By analyzing resource-based policies, it detects resources such as S3 buckets, IAM roles, KMS keys, and SQS queues that are shared with principals outside your zone of trust (your account or organization) and flags them for review.
Identifying unintended access: Access Analyzer evaluates your resource policies and raises a finding for every grant that reaches outside the zone of trust, including public access, so that it can be remediated quickly.
Proactive policy validation: Use Access Analyzer's policy validation to check new or existing policies before they are applied. It reports syntax errors, overly permissive grants, and deviations from AWS best practices.
Insights for cleanup: Unused access findings highlight roles, users, access keys, and passwords that have not been used, and permissions that are never exercised, helping you remove stale configurations and move toward least privilege.
Example use case:
If an S3 bucket is unintentionally shared with the public or with another account, Access Analyzer raises a finding that names the resource, the external principal, and the actions granted, and points you at the statement to change. The remediation is usually to remove the "Allow" statement that names a wildcard principal, or to replace that wildcard with the specific accounts or roles that actually need access, and to keep Block Public Access enabled so the mistake cannot recur.
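The two kinds of analysis this section describes, external-access detection on a resource policy and validation of a permissions policy, in simplified form. This is an added example, not code from the article or from IAM Access Analyzer itself: `external_access` reports Allow statements reachable from outside a zone of trust given your account IDs and, optionally, your organization ID, the way an external-access finding would, and `lint_permissions_policy` flags the over-broad grants that policy validation warns about. The account IDs, ARNs, bucket names and organization ID are constructed.

```python
"""Added example, not code from the article or from IAM Access Analyzer: a
simplified offline version of external-access detection and policy linting.
Account IDs, ARNs and the org ID are constructed."""

# Condition keys that narrow a wildcard principal so it is no longer treated as public
NARROWING_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn",
                  "aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp", "aws:SourceArn", "aws:SourceAccount"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ("*", {"AWS": [...]}, {"Service": ...}) to strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [p for values in principal.values() for p in _as_list(values)]


def _account_of(principal):
    """Account ID behind an ARN or bare-account principal; None for service principals."""
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    return principal if principal.isdigit() and len(principal) == 12 else None


def external_access(policy, trusted_accounts, org_id=None):
    """Allow statements granting access to principals outside the zone of trust."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        conditions = stmt.get("Condition", {})
        cond_keys = {key for ops in conditions.values() for key in ops}
        org_ids = {v for ops in conditions.values() for k, val in ops.items()
                   if k == "aws:PrincipalOrgID" for v in _as_list(val)}
        for principal in _principals(stmt):
            if principal == "*":
                if org_id and org_id in org_ids:
                    continue                                  # wildcard, but only your organization
                kind = "conditional" if cond_keys & NARROWING_KEYS else "public"
            else:
                account = _account_of(principal)
                if account is None or account in trusted_accounts:
                    continue                                  # service principal or your own account
                kind = "external"
            findings.append({"sid": stmt.get("Sid"), "principal": principal, "kind": kind,
                             "actions": _as_list(stmt.get("Action", []))})
    return findings


def lint_permissions_policy(policy):
    """(sid, problem) pairs for grants that are broader than least privilege allows."""
    issues = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]   # IAM actions are case-insensitive
        resources = _as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            issues.append((sid, "Allow with NotAction grants every action not listed"))
        if "*" in actions and "*" in resources:
            issues.append((sid, "full administrative access (Action * on Resource *)"))
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            wild = ", ".join(a for a in actions if a.endswith(":*"))
            issues.append((sid, f"service-wide wildcard on all resources: {wild}"))
        if "*" in resources and "Condition" not in stmt and any(a in ("iam:passrole", "iam:*") for a in actions):
            issues.append((sid, "iam:PassRole on any role: the principal can borrow any role's permissions"))
    return issues


SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [   # constructed
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::exports-bucket/*"},
    {"Sid": "VendorAccess", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:role/ingest"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::exports-bucket", "arn:aws:s3:::exports-bucket/*"]},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::exports-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
    {"Sid": "SameAccount", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::exports-bucket/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::exports-bucket", "arn:aws:s3:::exports-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
SAMPLE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [   # constructed instance-role policy
    {"Sid": "TooBroad", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Sid": "PassAnything", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Sid": "Scoped", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-config/*"},
]}

if __name__ == "__main__":
    for f in external_access(SAMPLE_BUCKET_POLICY, {"111122223333"}, org_id="o-exampleorg"):
        print(f"{f['kind']:<12} {f['sid']}: {f['principal']} -> {f['actions']}")
    for sid, problem in lint_permissions_policy(SAMPLE_ROLE_POLICY):
        print(f"lint         {sid}: {problem}")
```

Two things the real service does that this sketch does not: it reasons about Deny statements and condition operators precisely (here a narrowing condition is merely flagged as "conditional" for review), and it evaluates the actual effective access rather than pattern-matching on the policy text.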
Remember: The misconfigurations covered here are the ones threat actors most often leverage to breach AWS environments, but they are not the only weaknesses you need to worry about. Network settings (a security group that opens a database port to 0.0.0.0/0, for instance) and serverless function configurations also demand careful monitoring and the same best-practice discipline.
When it comes to compliance standards, AWS holds certifications and offers compliance programs for PCI DSS, HIPAA, FedRAMP, GDPR, FIPS 140-2, NIST 800-171, and many others. Companies know they have to meet these legal and regulatory requirements, but adherence alone does not guarantee security against all potential risks.
Cloud misconfigurations are a big culprit behind compliance violations. The cloud's shared responsibility model means extra layers of oversight and management, which is often achieved through cloud security posture management (CSPM).
AWS's CSPM-related services help you navigate the complexities of monitoring, identifying, and mitigating misconfigurations and security risks. How? There are several tools in the AWS arsenal:
AWS Security Hub: Prevents fragmentation across multiple security tools by aggregating, normalizing, and prioritizing findings from the other services in this list (and from third-party products) and by running its own security standards checks, such as the AWS Foundational Security Best Practices
AWS Config: Records the configuration of your AWS resources over time and evaluates the recorded configuration against rules you define, so that drift from the desired state produces a finding
Amazon GuardDuty: Continuously analyzes CloudTrail events, VPC Flow Logs, DNS logs, and optional data sources with threat intelligence and anomaly detection to surface malicious or unusual activity
AWS IAM Access Analyzer: Helps ensure that only the necessary and intended external access is allowed (to S3 buckets, IAM roles, KMS keys, and so on), reducing unnecessary risk
AWS CloudTrail: Records the API calls made in your account, providing the audit trail that governance, compliance, and incident investigation depend on
Amazon Inspector: Scans EC2 instances, container images in ECR, and Lambda functions for software vulnerabilities and unintended network exposure
AWS Trusted Advisor: Offers real-time guidance on cost, performance, security, fault tolerance, and service limits
AWS Audit Manager: Automates the collection of evidence about your AWS usage so that assessing risk and compliance with regulations and industry standards is a lot easier
AWS CSPM architecture
The architecture behind CSPM in AWS gives you a comprehensive approach to cloud security built around an integrated workflow. It begins with data collection and monitoring from both AWS security services and third-party solutions like Wiz.
These outside partners broaden the scope of AWS Security Hub with extra intelligence and monitoring features. For example, Wiz can spot misconfigurations and vulnerabilities across your entire cloud stack, including areas that AWS-native tools are not equipped to fully cover, such as third-party applications and multi-cloud setups.
At the core of the AWS CSPM strategy is AWS Security Hub. It aggregates findings from multiple sources (native AWS services and third-party tools) and hands them to Amazon Detective for more rigorous investigation. This central hub simplifies security and compliance analysis across your AWS environment. What does this mean for you? Far easier oversight and management.
Breaking down a security incident with AWS’ CSPM architecture
Automated rapid response to security incidents in this architecture is multipronged:
AWS Lambda responds to Security Hub findings, delivered through Amazon EventBridge rules or Security Hub custom actions, by running code that corrects the offending configuration or permission automatically, then updates the finding's workflow status so the action is recorded.
Amazon Detective enriches the above with the activity leading up to and surrounding an incident, correlating CloudTrail, VPC Flow Logs, and GuardDuty findings into an investigation graph.
AWS Systems Manager gives you the tools to manage resources and enforce compliance (patch state, approved configurations, session-based access) at scale.
AWS Audit Manager automatically collects the evidence required from your AWS security services to demonstrate compliance during audits.
AWS Lake Formation and Amazon S3 organize and store your security and compliance data for analysis and long-term retention.
Amazon QuickSight visualizes the Security Hub findings from above in dashboards and reports, so stakeholders have the full picture of their security and compliance status.
Amazon CloudWatch and Amazon SNS make sure your security teams receive real-time alerts on critical incidents or changes in compliance.
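The Lambda step of that architecture, as an added example that is not code from the article, AWS, or Wiz. EventBridge delivers a Security Hub finding in the AWS Security Finding Format; the handler pulls the S3 bucket out of the finding's Resources, enforces Block Public Access on it, and closes the finding with a note via `batch_update_findings`. The S3 and Security Hub clients are injected so the logic runs offline with the fake clients defined below; with real boto3 clients (the default when none are passed) the same calls apply. The event, finding IDs, generator ID and bucket name are constructed.

```python
"""Added example, not code from the article, AWS, or Wiz: auto-remediation
Lambda for Security Hub findings delivered by EventBridge. Event is constructed."""

BPA_ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def remediate_finding(finding, s3, securityhub):
    """Enforce Block Public Access for every S3 bucket in one ASFF finding."""
    # The EventBridge rule should already select the control; re-check here so a
    # misrouted or already-resolved finding does not trigger a change
    if finding.get("RecordState") != "ACTIVE" or finding.get("Compliance", {}).get("Status") != "FAILED":
        return {"skipped": "finding not active or not failed"}
    if finding.get("Workflow", {}).get("Status") == "RESOLVED":
        return {"skipped": "already resolved"}
    buckets = [r["Id"].split(":::")[-1] for r in finding.get("Resources", [])
               if r.get("Type") == "AwsS3Bucket"]
    if not buckets:
        return {"skipped": "no S3 bucket in finding"}
    for bucket in buckets:
        s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BPA_ALL_ON)
    # Record the action on the finding so Security Hub shows who fixed what
    securityhub.batch_update_findings(
        FindingIdentifiers=[{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
        Note={"Text": "Auto-remediated: Block Public Access enforced on " + ", ".join(buckets),
              "UpdatedBy": "bpa-remediator"},
        Workflow={"Status": "RESOLVED"},
    )
    return {"remediated": buckets}


def handler(event, context, s3=None, securityhub=None):
    """Lambda entry point for 'Security Hub Findings - Imported' or custom-action events."""
    if s3 is None or securityhub is None:
        import boto3  # only needed when running inside Lambda
        s3 = s3 or boto3.client("s3")
        securityhub = securityhub or boto3.client("securityhub")
    return [remediate_finding(f, s3, securityhub) for f in event.get("detail", {}).get("findings", [])]


class FakeS3:
    """Records put_public_access_block calls instead of making them."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)


class FakeSecurityHub:
    """Records batch_update_findings calls; mimics the real response shape."""
    def __init__(self):
        self.updates = []

    def batch_update_findings(self, **kwargs):
        self.updates.append(kwargs)
        return {"ProcessedFindings": kwargs["FindingIdentifiers"], "UnprocessedFindings": []}


def _finding(fid, resources):
    return {"SchemaVersion": "2018-10-08", "Id": fid,
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "GeneratorId": "example-check/s3-bucket-public",  # constructed generator ID
            "Title": "S3 bucket allows public access", "RecordState": "ACTIVE",
            "Workflow": {"Status": "NEW"}, "Compliance": {"Status": "FAILED"}, "Resources": resources}


SAMPLE_EVENT = {  # constructed EventBridge event carrying two findings
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        _finding("arn:aws:securityhub:us-east-1:111122223333:finding/example-1",
                 [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::leaky-exports", "Region": "us-east-1"}]),
        _finding("arn:aws:securityhub:us-east-1:111122223333:finding/example-2",
                 [{"Type": "AwsIamRole", "Id": "arn:aws:iam::111122223333:role/web-admin"}]),
    ]},
}


def run_sample():
    """Run the handler against the constructed event with fake clients."""
    s3, hub = FakeS3(), FakeSecurityHub()
    return handler(SAMPLE_EVENT, None, s3=s3, securityhub=hub), s3, hub


if __name__ == "__main__":
    results, s3, hub = run_sample()
    print(results)
    print("S3 calls:", s3.calls)
    print("Finding updates:", [u["Workflow"] for u in hub.updates])
```

The Lambda's execution role needs only `s3:PutBucketPublicAccessBlock` and `securityhub:BatchUpdateFindings`; an auto-remediator with broader permissions is itself one of the misconfigurations this article is about. Scope the EventBridge rule pattern to the specific GeneratorId and `Compliance.Status: FAILED`, and consider a Security Hub custom action (a human clicking "remediate") rather than fully automatic execution for controls where a false positive would break a legitimate public website bucket.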
Integration with AWS services: Wiz integrates with AWS native security services such as Amazon GuardDuty, AWS Security Hub, AWS CloudTrail, and IAM Access Advisor. This integration provides unified visibility and management of security findings across AWS resources and feeds efficient remediation workflows.
Agentless Visibility: By connecting to AWS environments without the need for agents, Wiz provides organizations with a comprehensive view of their cloud estate. This approach allows for the identification and prioritization of risks, including misconfigurations, vulnerabilities, and potential attack paths.
Risk Prioritization and Remediation: Utilizing machine learning, Wiz assesses and prioritizes risks, enabling security teams to focus on the most critical issues. The platform offers actionable remediation guidance to address identified vulnerabilities effectively.
Securing AI pipelines with Amazon SageMaker
Monitoring SageMaker resources: Wiz provides visibility into SageMaker resources, including notebook instances, training jobs, and endpoints. It monitors configurations and access controls to detect potential security risks, such as public accessibility or excessive permissions.
Data Protection: By analyzing data flows within SageMaker, Wiz identifies sensitive data and ensures it is adequately protected. This includes detecting data leakage or unauthorized access to datasets used in training models.
Attack Path Analysis: Wiz's Security Graph visualizes potential attack paths to SageMaker resources, helping organizations understand and mitigate risks that could lead to data leakage or model compromise.
By integrating with AWS services and offering specialized security features for Amazon SageMaker, Wiz empowers organizations to build and operate securely in the cloud, ensuring both their AWS environments and AI pipelines are protected against evolving threats.