The Basics of Configuration Compliance
April 17, 2019
The public cloud has enabled customers to move fast and adapt to changing needs by allowing them to quickly spin up infrastructure programmatically or with just a few clicks. This has allowed companies to grow quickly and to implement technological advancements rapidly. However, as simple as it is to stand up infrastructure, it’s just as simple to misconfigure it. Even the most trivial misconfigurations can lead to very costly breaches because they can leave holes in an organization’s environment. Access via these holes can be disastrous in the hands of an attacker.
According to Gartner, “Through 2022, at least 95% of cloud security failures will be the fault of the customer.” In order to ensure your cloud infrastructure is secure, it is important to make sure that the configurations of your cloud resources are compliant.
Applying the following best practices at the different layers of your cloud “stack” will give you a security-minded framework. These are based on use cases that are frequently targeted by attackers:
Identity & Access Management (IAM):
It is important to make sure the Identity and Access Management of your cloud account is configured properly to prevent the possibility of unintentional access. These practices will help to increase the protection based on access:
- Principle of Least Privilege: Ensure that users and resources are only provided the access they require. It is very easy to give everyone and everything full access so that things just “work”. However, if this access is compromised, a bad actor has the ability to do whatever they please within your account, including deleting every single resource!
- Old Accounts: Ensure that you are deleting IAM accounts that are not used after a certain period of time, or if an employee leaves your company. Accounts that are hanging around can be assumed by bad actors or by former employees to exfiltrate data, amongst other things.
- MFA: If credentials are compromised, Multi-Factor Authentication makes it much more difficult for bad actors to log into your cloud account, as they will need access to your virtual MFA device or hardware device. This is an added layer of security that should be enabled for all users.
Networking:
Networking in the cloud is simple due to Software Defined Networking technology. However, it is important to ensure that only the network access that is required by resources is in place.
- Security Groups/Firewalls – Ensure that rules are in place so that your instances can only be accessed from specified IPs/Ports.
- Public/Private Subnets – If your instances do not need to be public-facing, it is best practice to keep them in private subnets.
- Routes – Ensure that routes between your resources in your cloud environment are restricted to only the access that is needed.
Storage, Databases, and Other Repositories:
In the cloud, many of these resources have configuration policies attached that can be misconfigured to allow anyone in the world to access them. One of the most common reasons for breaches is the misconfiguration of policies attached to managed data stores in the cloud. Cloud service providers abstract much of the underlying infrastructure for these services for you so that you can focus on utilizing these capabilities without the operations and maintenance overhead. However, it is extremely important to secure these data sources.
- Public Access: Unless your data source is required to be available to the public for a website or certain content, it is never recommended to keep it publicly available, as anyone with internet access is able to access your data.
- Use ACLs: Access Control Lists can help you better secure your data so that particular resources are able to only access their own objects or pieces of data. This is important, as you may want to
- Encryption: Encrypt your data whenever possible, so that if a datastore is accessed by a bad actor they will need to decrypt the data within it with the appropriate key.
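The checks listed above (MFA, unused accounts, full-access grants, firewall rules open to any address, public or unencrypted data stores) can be expressed as a small audit over a resource inventory. This is an added example, not code from the original article; the inventory schema, resource names, the 90-day idle limit and the allowed public port are assumptions made for illustration.

```python
from datetime import date
from ipaddress import ip_network

MAX_IDLE_DAYS = 90               # assumption: the article says only "a certain period of time"
PUBLIC_PORTS = frozenset({443})  # assumption: ports that are allowed to face the internet

def check_user(u, today):
    issues = []
    if not u["mfa"]:
        issues.append("MFA not enabled")
    if (today - u["last_used"]).days > MAX_IDLE_DAYS:
        issues.append("account unused")
    if any(g == ("*", "*") for g in u["grants"]):  # every action on every resource
        issues.append("full access granted")
    return issues

def check_firewall(fw, today):
    # A /0 prefix (0.0.0.0/0 or ::/0) admits any source address.
    return [f"port {port} open to any address" for cidr, port in fw["ingress"]
            if ip_network(cidr).prefixlen == 0 and port not in PUBLIC_PORTS]

def check_store(s, today):
    issues = []
    if s["public"] and not s["public_by_design"]:
        issues.append("publicly accessible")
    if not s["encrypted"]:
        issues.append("not encrypted")
    return issues

CHECKS = {"user": check_user, "firewall": check_firewall, "store": check_store}

def audit(inventory, today):
    findings = {}  # resource name -> list of issues, non-compliant resources only
    for res in inventory:
        issues = CHECKS[res["type"]](res, today)
        if issues:
            findings[res["name"]] = issues
    return findings

INVENTORY = [  # constructed sample inventory (hypothetical schema, not real data)
    {"type": "user", "name": "alice", "mfa": True, "last_used": date(2019, 4, 10), "grants": [("storage:Read", "reports")]},
    {"type": "user", "name": "old-contractor", "mfa": False, "last_used": date(2018, 9, 1), "grants": [("*", "*")]},
    {"type": "firewall", "name": "web-fw", "ingress": [("0.0.0.0/0", 443), ("0.0.0.0/0", 22), ("203.0.113.0/24", 22)]},
    {"type": "store", "name": "site-assets", "public": True, "public_by_design": True, "encrypted": True},
    {"type": "store", "name": "backups", "public": True, "public_by_design": False, "encrypted": False},
]

if __name__ == "__main__":
    print(audit(INVENTORY, date(2019, 4, 17)))
```

The store that is public by design and the SSH rule limited to a specific range pass the audit, which is the distinction the list draws between required and unintended exposure.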