abusing credentials can provide attackers with persistent system access.
cloud object storage discovery → enabling access to all objects in a cloud storage instance.
Reviewing attack techniques → aids in identifying security controls for mitigation, whether using built-in AWS tools or external third-party solutions.
Detecting and mitigating data breaches in cloud services
A data breach involves unauthorized access to an organization's data, risking exposure of personal information and reputational damage.
In cloud computing's shared responsibility model, physical data storage is beyond our control, posing a distinct threat compared to traditional on-premises management.
Data breach likelihood increases in public cloud services where we lack control over physical data storage.
The risk depends on the cloud service model and provider maturity.
IaaS → customers are primarily responsible for implementing and managing security controls, including OS security, firewalls, and user access.
PaaS → introduces a shared responsibility model, with the cloud provider handling OS-related tasks, while customers retain control over application-layer access.
SaaS → there is no standard definition of SaaS, so anyone deploying an application on IaaS can declare themselves a SaaS provider.
Depending on the maturity of the SaaS provider → we might enhance security controls with:
Data encryption at rest
Robust authentication (SAML with multi-factor authentication)
Access to audit logs through REST APIs
Types of data stored in the cloud:
Public data: Information safe for public exposure, like news sites, currency rates, or an organization's address on a Contact Us page → exposure to anonymous users does not hurt the organization
Intellectual property/trade secrets: Sensitive data critical for business success, such as research on a COVID-19 cure or technology for secure authentication without passwords → data that we must keep safe
Personally identifiable information (PII): Data containing identifiable details about individuals, including contact information, credit card details, healthcare data, etc.
Common consequences of data breaches
Breach of confidentiality: Involves exposing sensitive customer data for potential malicious use.
Data integrity: Entails unauthorized access to manipulate financial information, causing noticeable changes in account balances.
Availability: Results from ransomware attacks, encrypting data and making it temporarily or permanently inaccessible.
Best practices for detecting and mitigating data breaches in cloud environments
Networking layer: Set up access controls (ACLs, security groups) for resource access management.
Encryption: Apply encryption for continuous data confidentiality in transit and at rest.
Auditing: Keep records of resource access and actions, including API-related activities → keep track of who accessed (or tried to access).
Threat management: Analyze logs to identify potential service threats.
Recovery strategy: Develop a disaster recovery plan, including technical backups, volume snapshots, and automated recovery procedures using infrastructure as code.
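To make the auditing and threat-management practices above concrete, here is an added example (not code from the page) that runs detection logic over a few constructed CloudTrail-style records: it flags API calls that returned AccessDenied and console logins that failed, attributes them to the calling identity, and reports identities that exceed an assumed threshold of denied attempts. The record fields follow CloudTrail's format; the sample records, IP addresses and the threshold are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample CloudTrail records (not real log data); field names follow
# the CloudTrail record format (eventName, errorCode, userIdentity, ...).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:01Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventName": "GetObject",
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2024-01-01T10:00:09Z", "eventName": "ListBuckets",
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]

def is_denied(rec):
    """True for an API call that returned an authorization error or a
    ConsoleLogin whose responseElements report Failure."""
    if rec.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
        return True
    if rec.get("eventName") == "ConsoleLogin":
        return rec.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    return False

def actor(rec):
    """Identify who made the call: user name, else ARN, else identity type."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def summarize_denials(records):
    """Map each actor to the list of (time, event, source IP) it was denied."""
    denied = defaultdict(list)
    for rec in records:
        if is_denied(rec):
            denied[actor(rec)].append(
                (rec["eventTime"], rec["eventName"], rec["sourceIPAddress"]))
    return dict(denied)

def flag_repeat_offenders(records, threshold=3):
    """Actors with at least `threshold` denied attempts (threshold is an assumption)."""
    counts = Counter(actor(r) for r in records if is_denied(r))
    return sorted(a for a, n in counts.items() if n >= threshold)
```

On real data the records come from the CloudTrail log files delivered to S3, which are JSON objects with a top-level "Records" list.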
Common AWS services to assist in the detection and mitigation of data breaches
Amazon VPC Controls: Use network ACLs, security groups, and AWS Network Firewall for network access rules.
AWS IAM: Configure authentication and access to applications, resources, and data through IAM.
AWS KMS: Encrypt data with AWS KMS to prevent data breaches.
AWS Secrets Manager: Keep access keys, passwords, and credentials secure from breaches using AWS Secrets Manager.
AWS CloudTrail: Monitor API activities for potential data breaches.
Amazon CloudWatch: Log and alert on suspicious activities exceeding set thresholds.
Amazon GuardDuty: Detect data breaches with GuardDuty.
AWS VPC Flow Logs: Review network activity for potential breaches.
AWS Config: Detect changes in environment and cloud resource configurations.
Amazon Detective: Identify the root cause of a data breach.
AWS Backup: Recover your environment after a data breach using AWS Backup.
AWS IAM Authentication: Configure access and authentication via AWS IAM; utilize IAM Access Analyzer for identifying unused accounts.
Amazon GuardDuty: Detect misconfigurations, like EC2 attempting access to command-and-control networks and publicly accessible S3 buckets.
AWS Config: Detect configuration changes against compliance policies and resources using AWS Config.
AWS Security Hub: Track events from various AWS services and identify misconfigurations against policy standards.
Amazon Inspector: Detect misconfigurations, such as deviations from CIS hardening benchmarks and missing security patches.
AWS Audit Manager: Identify misconfigurations against compliance standards.
AWS Trusted Advisor: Review common security misconfigurations.
Common AWS services to assist in the detection and mitigation of insufficient IAM and key management
AWS IAM Password Policies: Configure authentication, access, and enforce password policies with AWS IAM.
AWS IAM Access Analyzer: Detect inactive user accounts.
AWS Directory Service: Configure authentication, access, and enforce password policies for legacy servers and applications.
Multi-Factor Authentication (MFA): Enforce MFA for enhanced security.
AWS KMS: Generate, store, and rotate encryption keys.
AWS Secrets Manager: Generate, store, and rotate secrets, including credentials and access keys.
AWS CloudTrail: Detect API activities, such as failed login attempts.
AWS Key Management Service (KMS) encrypts and decrypts secrets, while AWS Secrets Manager securely manages and stores sensitive information for applications and services. KMS enhances security by encrypting secrets stored in Secrets Manager.
Detecting and mitigating account hijacking in cloud services
Account Hijacking → Unauthorized access occurs when an account, be it human or system-related, is compromised. An unauthorized user gains access to resources and data using the compromised account's privileges.
Account Hijacking Consequences:
Unauthorized access to resources.
Data exposure and leakage.
Data deletion.
System compromise.
Identity theft.
Ransomware or malicious code infection.
Account lock-out.
Denial of services.
Denial of wallet → potentially high cloud spending due to resource misuse, such as Bitcoin mining.
Website defacement.
Some common methods of account hijacking are as follows:
Phishing attacks targeting a system administrator's account, providing unauthorized access to databases containing customer data.
Access keys for a privileged account stored in a publicly accessible S3 bucket, enabling hackers to deploy costly virtual machines for bitcoin mining.
Weak administrator passwords leading to unauthorized access and permission changes, allowing public access to backups containing sensitive customer financial details.
Best practices for detecting and mitigating account hijacking
Enforce strong passwords through measures like minimum length, password age, history, complexity, account lockout, and more.
Mandate the use of Multi-Factor Authentication (MFA) for enhanced account security.
Implement the principle of least privilege, granting permissions only as necessary for resource access.
Adhere to the concept of segregation of duties to prevent a single user from having excessive privileges, reducing the risk of sensitive actions being compromised.
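As an added example (not from the page), the password-policy measures listed above mapped onto the settings of an IAM account password policy: a constructed weak policy and a hardened one, in the shape of the PasswordPolicy dict returned by IAM's get_account_password_policy, are checked against thresholds that are assumptions for this example. IAM's password policy has no account-lockout setting, so that measure is not covered by the check.

```python
# Constructed policies in the shape of IAM's get_account_password_policy
# response ("PasswordPolicy" dict); the values are made up for this example.
WEAK_POLICY = {
    "MinimumPasswordLength": 6,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "ExpirePasswords": False,
}
HARDENED_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

# Thresholds are assumptions for this example, not AWS defaults.
MIN_LENGTH = 14
MAX_AGE_DAYS = 90
MIN_REUSE_PREVENTION = 24
COMPLEXITY_KEYS = ("RequireSymbols", "RequireNumbers",
                   "RequireUppercaseCharacters", "RequireLowercaseCharacters")

def check_password_policy(policy):
    """Return the list of shortfalls against the thresholds above; an empty
    list means the policy meets the bar. IAM's password policy has no lockout
    setting, so account lockout cannot be checked from this dict."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        findings.append(f"minimum length below {MIN_LENGTH}")
    for key in COMPLEXITY_KEYS:  # complexity requirements
        if not policy.get(key, False):
            findings.append(f"{key} not enforced")
    if not policy.get("ExpirePasswords", False):  # password age
        findings.append("passwords never expire")
    elif policy.get("MaxPasswordAge", 0) > MAX_AGE_DAYS:
        findings.append(f"MaxPasswordAge exceeds {MAX_AGE_DAYS} days")
    if policy.get("PasswordReusePrevention", 0) < MIN_REUSE_PREVENTION:  # history
        findings.append("password history (reuse prevention) too short")
    return findings
```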
Common AWS services to assist in the detection and mitigation of account hijacking
Leverage AWS IAM to manage authentication, access, and enforce password policies for applications, resources, and data.
Utilize AWS IAM Access Analyzer to identify users with inactive accounts.
Employ AWS Directory Service to control authentication and access for legacy servers and applications using Kerberos, while enforcing password policies.
Implement Multi-Factor Authentication (MFA) to enhance security by preventing unauthorized access using compromised user credentials.
Detecting and mitigating insider threats in cloud services
Insider threat → involves authorized employees, either intentionally or accidentally, performing actions that are unauthorized.
Common consequences of insider threats are as follows:
Loss of data, data leakage, system downtime, loss of company reputation, and monetary loss due to lawsuits.
Common AWS services to assist in the detection and mitigation of insider threats
Use Amazon GuardDuty for anomaly detection.
Implement AWS CloudTrail to monitor unauthorized API activities.
Utilize AWS KMS for data encryption and key access control.
Securely store and manage secrets with AWS Secrets Manager.
Promptly replace compromised credentials, secrets, and encryption keys when an account compromise is detected.
Detecting and mitigating insecure APIs in cloud services
Modern developments rely on Application Programming Interfaces (APIs) for communication between system components.
APIs are primarily based on web services, utilizing either Simple Object Access Protocol (SOAP) or REST APIs.
Some common consequences of insecure APIs are as follows:
Data breaches, data leakage, damage to data integrity, and denial of service.
Examples of attacks exploiting insecure APIs:
Malicious code injection into a backend database through an API with inadequate input validation.
SQL injection attack via an exposed API, leading to customer data exfiltration from a retail site.
API-based penetration of a cloud service due to lacking access control mechanisms.
Unauthorized execution of remote commands against an internal system using a discovered API key from an open-source repository.
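The first two attack examples above (inadequate input validation and SQL injection through an exposed API) shown side by side in an added example that is not from the page: a vulnerable lookup handler that builds its query by string formatting, and the hardened handler with an allow-list check and a parameterized query. The customer table, the region values and the allow-list are constructed for the example, using an in-memory SQLite database in place of the retail site's database.

```python
import sqlite3

# Constructed in-memory customer table standing in for the retail site's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, region TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "a@example.com", "eu"), (2, "b@example.com", "us"),
        (3, "c@example.com", "eu")])
    return conn

def lookup_vulnerable(conn, region):
    """API handler with inadequate input validation: the query is built by
    string formatting, so a quote inside `region` rewrites the SQL and the
    handler returns rows the caller was never meant to see."""
    sql = f"SELECT id, email FROM customers WHERE region = '{region}'"
    return conn.execute(sql).fetchall()

ALLOWED_REGIONS = {"eu", "us"}  # assumed allow-list for the example

def lookup_hardened(conn, region):
    """Same handler with an allow-list check on the input and a parameterized
    query; the value is bound as data and never parsed as SQL."""
    if region not in ALLOWED_REGIONS:
        raise ValueError("unknown region")
    sql = "SELECT id, email FROM customers WHERE region = ?"
    return conn.execute(sql, (region,)).fetchall()

def row_counts(region):
    """Rows returned by (vulnerable, hardened) for the same input; the hardened
    count is None when the input is rejected before any query runs."""
    conn = make_db()
    try:
        hardened = len(lookup_hardened(conn, region))
    except ValueError:
        hardened = None
    return len(lookup_vulnerable(conn, region)), hardened
```

In production, the rejected input is also the event to log and alert on (see the CloudWatch and WAF items below), since a rejected request is the detection signal that the vulnerable handler never produced.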
Common AWS services to assist in the detection and mitigation of insecure APIs
Utilize Amazon API Gateway → for inbound access to APIs in your cloud environment.
Employ AWS WAF → to detect and protect against application-layer attacks.
Leverage AWS Shield → to detect and defend against Distributed Denial of Service (DDoS) attacks.
Use AWS IAM → to authorize access to APIs.
Employ Amazon CloudWatch → to identify spikes in API requests.
Utilize AWS CloudTrail → to monitor and identify users conducting API activity through API Gateway.
Implement Amazon GuardDuty → to detect potential hacking activities involving your APIs.
Utilize AWS Secrets Manager → to generate, store, and regularly rotate API keys for enhanced security.
Detecting and mitigating the abuse of cloud services
Abuse of cloud services involves leveraging the scale and multi-tenancy architecture for malicious activities.
Consequences of such abuse include:
Loss of service availability due to Distributed Denial of Service (DDoS) attacks.
Monetary loss resulting from the exploitation of cloud resources for bitcoin mining without the customer's knowledge.
Some common examples of the abuse of cloud services are as follows:
DDoS attacks with multiple cloud servers.
Bitcoin mining using expensive cloud servers.
Email spam and phishing via the cloud.
Brute force attacks on passwords in the cloud.
Common AWS services to assist in the detection and mitigation of the abuse of cloud services
Set up billing alerts with Amazon CloudWatch.
Control authentication and access with AWS IAM.
Detect configuration changes using AWS Config.
Employ AWS WAF for application-layer attack protection.
Use AWS Shield to defend against DDoS attacks.
Monitor API activities with AWS CloudTrail.
Detect anomalous behavior with Amazon GuardDuty.
Configure network access rules with Amazon VPC controls and AWS Network Firewall.
Automatically deploy security patches with AWS Systems Manager Patch Manager.