Amazon AWS Security Risks

Amazon AWS provides a great opportunity for the companies to reduce the costs in their IT infrastructure and increase the speed they can release their products to the market. Amazon AWS contains a large number of resources, such as Infrastructure-as-a-Service (called EC2), file storage (S3 buckets), Database-as-a-service (RDS) and many others. The number is growing every day and the value increases significantly. Almost all startups and companies now consider Amazon AWS to host their IT infrastructure.

To make an appropriate decision to use Amazon AWS cloud or not the companies need to fully understand the risks introduced by using this technology. The risks landscape is very different from traditional IT infrastructure, when all the critical system and applications are located behind the corporate firewall in internal network. Now the infrastructure located in the Cloud and requires different protection.

Below are the common risks introduced by the adopting Amazon AWS Cloud:

  1. Unauthorised access to the Cloud Management Console.

    Description: The administrator or Amazon AWS Account owner has full control over the cloud resources. He or she can delete all the servers just by clicking the button. If the administrator is not fully understand the technical background, he or she can open the firewall rules to allow all the traffic going in and out of Amazon AWS account. The hackers can potentially brute force / guess/ steal the password and connect to the console. If a hacker gets control over the account, the availability and integrity of the systems can be affected.

    Risk: High
    Likelihood: High (by default the account is protected by only password)
    Impact: High (all the servers can be affected)

    Mitigation controls: Amazon AWS can provide additional protection for an Amazon AWS account: two factor authentication. The administrator can use their mobile phone with Google Authenticator installed to increase the security of the account. Two factor authentication is not enabled by default and requires additional configuration.

  2. Poor access management process.

    Description: The Amazon AWS Management console is available from anywhere in the world. Obviously it provide a great flexibility for the users, but also presents a huge risk. If a company doesn’t have strong access management process, the terminated employee will probably still have access to the console. He or she will be able to connect from home, internet café or even competitor. Many companies have Identity and Access Management (IAM) system implemented for their internal systems, but Amazon AWS console not always integrated with it.

    Risk: High
    Likelihood: Almost certain (if a company has a large number of users)
    Impact: High (terminated users may cause significant damage)

    Mitigation controls: The companies need to review the users on the regular basis. It may be difficult the one company has multiple Amazon AWS accounts as Amazon doesn’t provide centralised console at this stage. Another option is to integrate Amazon AWS with IAM system or Active Directory, but it requires significant investment.

  3. Weak firewall rules.

    Description: By default, when you create an Amazon EC2 instance the Amazon will propose the default firewall rules (Amazon calls them the “security groups”) to access the instance. For Linus based instances it will be port 22 (secure shell) and probably ports 80 and 443 for the web server. For Windows instances they will be port 3389 (Remote Desktop) and ports 80 and 443 for the web application. By default, all internet will have access to this ports (source is The hackers will probably try to brute force the password for SSH or RDP or use known exploit to get in.

    Risk: Medium
    Likelihood: Almost certain (not many people change the default rule set)
    Impact: Medium (the SSH access by default is configured to use private/public key and Windows password is relatively strong)

    Mitigation controls: The administrators or security professionals need to constantly audit the firewall rules to make sure the remote access is configured for particular source IP addresses. The IP restriction will reduce the risk of compromise significantly.

The above risks are just an example of what the companies should look at when adopting Amazon AWS cloud. The internal security department or systems administrators should perform the comprehensive security assessment of the environment before putting critical application into the cloud. If a company doesn’t have necessary skills to do it “in-house”, Cloud Guardian will help. Cloud Guardian staff will perform the risks assessment of your environment, propose the best mitigation controls and integrate them with our monitoring system to make sure your environment is safe. Moreover, we’ll help you to secure all your Amazon AWS accounts from single interface. Contact us for more details.

Enjoy AWS Security like Never Before

If you want to secure your Amazon AWS accounts, Cloud Guarding is where your search ends. As a unique tool performing Amazon AWS risks assessment, Cloud guardian not only monitors changes across multiple Amazon AWS accounts but also manages multiple Amazon AWS accounts.
This way Cloud Guardian allows users to have absolute control over who is granted or denied access to their Amazon AWS accounts. Cloud Guardian also facilitates the security groups by ensuring that they are configured properly and ensures that all instances of a cloud are well protected.