Cloud security misconfigurations, however small they seem, can let outsiders reach sensitive data or assume privileged roles, with direct financial losses for the enterprise. Among recent high-profile examples, SocialArks, a Chinese social-media management startup, exposed data on 214 million social media users through a misconfigured, unprotected Elasticsearch database.
Essentially, misconfigurations introduce weaknesses that let unauthorized identities read and manipulate an organization's confidential data. Misconfigurations have many causes, and the attacker often does not need to break any security control at all: the configuration already grants the access, and the attacker simply uses it to reach a database or data container.
Easy Infiltration with Security Misconfiguration
Outsiders can get a foothold in an enterprise's cloud by guessing role names. IAM role names follow predictable conventions, and reconnaissance and enumeration turn up real examples. Names seen in one leak tend to recur in variations (e.g., prodApp-nat, prodApp-app2-nat), so attackers generate permutations of known names and try each one until they hit a role that exists.
Once an attacker can assume a misconfigured role (one whose trust policy lets an outside principal assume it), they enumerate the permissions the role carries and home in on the resources they want. Metadata and secrets reachable with those permissions, including data encrypted with KMS keys the role is allowed to use, can then be pulled out. A compromised database also lets the attacker persist: they can plant backdoor code for repeated, low-profile access while staying undetected.
Permissions can also be chained, and ownership chaining in relational databases is a concrete example. If the same owner holds several objects across several databases, and a stored procedure owned by that owner accesses those objects, the caller needs no permission on the underlying objects: granting permission on the procedure is enough, because the database lets the procedure reach every object that shares its owner. An attacker who can execute that one procedure therefore inherits access to all of the chained objects.
Scouting for Misconfiguration
Attackers survey the landscape for misconfiguration hot spots before going after a particular enterprise's cloud. Where attacks on exposed databases start from vulnerable IP addresses, attacks on misconfigured roles start from cloud account IDs.
For each validated account ID, the attacker tests a pre-generated list of role names, built by mining public GitHub repositories for IAM role names and keeping the 500 most frequently used. Roles that turn out to exist are then checked for misconfiguration, and for any role an outside principal is allowed to assume, the attacker requests temporary credentials (an STS access token) and uses them to reach sensitive data.
Expediting the Process
Brute-forcing the 12-digit account ID space is possible in principle, but the volume of requests makes the activity easy for cloud providers to detect and block. Crawling GitHub instead yields real account IDs and role names, so the attacker can focus on likely matches with far fewer requests.
The widespread use of infrastructure as code (IaC) templates such as Terraform helps here: a template committed to a public repository spells out account IDs, role names, trust relationships and attached policies, so anyone reading it can map the sensitive parts of the infrastructure. Worse, templates are reused, so one misconfigured trust policy or over-broad permission set propagates to every environment and platform deployed from it, multiplying the blast radius of a breach.
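To make the reconnaissance workflow of the last two sections concrete, here is an added Python example (not code from the original article or from any tool it describes). It extracts account IDs and role names from a constructed snippet of the kind that turns up in public repositories, expands the names into the permutations described above, builds candidate role ARNs, and filters them through a probe callback. The `SCRAPED` text, the account IDs, the role names and the `fake_probe` oracle are all constructed for the demonstration; in a real assessment the probe would be an AWS API call such as `sts.assume_role` against the candidate ARN. The environment-prefix swap in `expand` (prod to staging or dev) goes slightly beyond the article's suffix-only example.

```python
import re
from itertools import product

# Constructed sample of text as it might be scraped from a public repository:
# a Terraform fragment plus a stray ARN in a README. Account IDs and role
# names are made up for this example.
SCRAPED = '''
resource "aws_iam_role" "prodApp-nat" {
  name = "prodApp-nat"
}
# deployed into account 123456789012
arn:aws:iam::123456789012:role/prodApp-app2-nat
arn:aws:iam::210987654321:role/DBAccess
'''

ARN_RE = re.compile(r"arn:aws:iam::(\d{12}):role/([A-Za-z0-9+=,.@_/-]+)")
ACCOUNT_RE = re.compile(r"(?<!\d)(\d{12})(?!\d)")
TF_ROLE_RE = re.compile(r'resource\s+"aws_iam_role"\s+"([^"]+)"')


def harvest(text):
    """Pull 12-digit AWS account IDs and IAM role names out of scraped text."""
    accounts = set(ACCOUNT_RE.findall(text))
    roles = set(TF_ROLE_RE.findall(text))
    for acct, role in ARN_RE.findall(text):
        accounts.add(acct)
        roles.add(role)
    return sorted(accounts), sorted(roles)


def expand(role_names, extra_words=("nat", "app2", "admin"),
           envs=("prod", "staging", "dev")):
    """Generate name variations: swap the environment prefix and recombine
    hyphenated suffix words (prodApp-nat -> stagingApp-app2-nat, ...)."""
    out = set()
    for name in role_names:
        stem, *tail = name.split("-")
        words = set(extra_words) | set(tail)
        stems = {stem}
        for env in envs:
            if stem.lower().startswith(env):
                rest = stem[len(env):]
                stems.update(e + rest for e in envs)
        for s in stems:
            out.add(s)
            out.update(f"{s}-{w}" for w in words)
            out.update(f"{s}-{w1}-{w2}"
                       for w1, w2 in product(words, repeat=2) if w1 != w2)
    return sorted(out)


def candidate_arns(accounts, role_names):
    """Every (account, name) pair as a role ARN, in deterministic order."""
    return [f"arn:aws:iam::{a}:role/{r}" for a in accounts for r in role_names]


def find_existing(candidates, probe):
    """Keep the candidates the probe confirms. `probe` is whatever oracle the
    assessor has; here a constructed stand-in, in practice an AWS API call."""
    return [c for c in candidates if probe(c)]


# Constructed oracle for the offline demonstration (hypothetical hits).
EXISTING = {
    "arn:aws:iam::123456789012:role/prodApp-app2-nat",
    "arn:aws:iam::123456789012:role/stagingApp-nat",
}


def fake_probe(arn):
    return arn in EXISTING


if __name__ == "__main__":
    accounts, roles = harvest(SCRAPED)
    wordlist = expand(roles)
    hits = find_existing(candidate_arns(accounts, wordlist), fake_probe)
    print(len(wordlist), "candidate names;", len(hits), "hits:", hits)
```

Three seed names yield 40 candidate names here, and each account multiplies that again; against a real target every probe is an API request, which is exactly the request volume the article says providers can detect when the account ID itself is being brute-forced.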
Rising Risks of Security Misconfiguration
The growing volume of data leaking from GitHub and similar sources hands attackers a map of resources, including EC2 instances, S3 buckets, RDS snapshots and KMS keys. A misconfigured IAM role with an over-broad permission policy and no guardrails then supplies the access to go with that map.
Common examples are DBAccess roles with broad access to database services such as Amazon DynamoDB and Amazon Redshift, and LambdaExecution roles that let whoever assumes them invoke functions at volume.
Attackers assemble the detailed steps of an account takeover from fragments exposed in different places. Confidential resources open to public access pave the way for large-scale exploitation of the enterprise's cloud. A compromised cloud account carries far greater risk than a single compromised host, because it gives unrestricted access to a large number of cloud resources at once.
Administrative permissions should be confined to admin roles, yet DevOps roles with near-administrator permissions are a common finding. Permissions therefore need to be reviewed regularly and capped with guardrail policies (for example, service control policies and permission boundaries) so that a single mistake cannot grant more than the principle of least privilege (PoLP) allows.
Cloud providers detect and alert on basic misconfigurations and ship IAM roles with restrictive trust policies by default. Insecure configurations appear when users ignore those alerts and loosen the trust policy themselves, for instance by allowing any AWS principal to assume a role. Enterprises keep running into such breaches despite repeated warnings and well-publicised incidents. An automated check that continuously audits trust and permission policies and reports specific findings to the owners helps close the gap quickly.
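The following Python example (added here; not code from the article) shows the kind of automated check the last two paragraphs call for. It audits a set of constructed role definitions for the misconfigurations named on this page: a trust policy that lets any AWS principal assume the role, a cross-account trust with no ExternalId or organisation condition, and permission policies with full-admin, iam:* or service-wide wildcards. The role names, account IDs and policy documents in `ROLES` are constructed; in practice they would come from iam:GetRole (the trust policy) and iam:GetRolePolicy or iam:GetPolicyVersion (the permission policies).

```python
# Condition keys that bind a trust statement to a specific caller; a
# cross-account Allow without one of these is flagged.
RESTRICTING_KEYS = {"sts:externalid", "aws:principalorgid", "aws:principalarn",
                    "aws:sourcearn", "aws:sourceaccount"}

OWN_ACCOUNT = "123456789012"   # constructed: the account being audited

# Constructed role definitions: trust policy plus attached permission policies.
ROLES = {
    "LambdaExecution": {   # anyone on AWS may assume this role
        "trust": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
        "policies": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["lambda:InvokeFunction"], "Resource": "*"}]}],
    },
    "DevOps": {            # same-account trust, but near-admin permissions
        "trust": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"},
             "Action": "sts:AssumeRole"}]},
        "policies": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    },
    "Reporting": {         # another account's root, no condition, redshift:*
        "trust": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
             "Action": "sts:AssumeRole"}]},
        "policies": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "redshift:*", "Resource": "*"}]}],
    },
    "DBAccess": {          # cross-account trust bound by ExternalId, scoped rights
        "trust": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::210987654321:role/app"},
             "Action": "sts:AssumeRole",
             "Condition": {"StringEquals": {"sts:ExternalId": "orders-etl"}}}]},
        "policies": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
             "Resource": f"arn:aws:dynamodb:us-east-1:{OWN_ACCOUNT}:table/orders"}]}],
    },
}


def as_list(x):
    """IAM allows a scalar or a list almost everywhere; normalise to a list."""
    return [] if x is None else (x if isinstance(x, list) else [x])


def principals(stmt):
    """Flatten Principal ("*", or {"AWS": [...], "Service": ...}) to strings."""
    p = stmt.get("Principal", {})
    return [p] if isinstance(p, str) else [v for vs in p.values() for v in as_list(vs)]


def has_restricting_condition(stmt):
    return any(key.lower() in RESTRICTING_KEYS
               for operator in stmt.get("Condition", {}).values()
               for key in operator)


def account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def audit_trust(doc, own_account):
    """Flag Allow sts:AssumeRole statements usable by any principal, or by
    another account, without a binding condition."""
    findings = []
    for stmt in as_list(doc.get("Statement")):
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        if has_restricting_condition(stmt):
            continue
        for p in principals(stmt):
            if p == "*":
                findings.append("trust:public-principal")
            elif p.startswith("arn:aws:iam::") and account_of(p) != own_account:
                findings.append("trust:cross-account-no-condition")
    return findings


def audit_permissions(policies):
    """Flag Allow statements that amount to admin, IAM-wide or service-wide access."""
    findings = []
    for doc in policies:
        for stmt in as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            actions = {a.lower() for a in as_list(stmt.get("Action"))}
            resources = set(as_list(stmt.get("Resource")))
            if "*" in actions and "*" in resources:
                findings.append("permissions:full-admin")
            elif "iam:*" in actions:
                findings.append("permissions:iam-wildcard")
            elif "*" in resources and any(a.endswith(":*") for a in actions):
                findings.append("permissions:service-wildcard")
    return findings


def audit_role(role, own_account):
    return sorted(set(audit_trust(role["trust"], own_account)
                      + audit_permissions(role["policies"])))


def audit_all(roles, own_account):
    return {name: audit_role(role, own_account) for name, role in roles.items()}


if __name__ == "__main__":
    for name, findings in audit_all(ROLES, OWN_ACCOUNT).items():
        print(f"{name}: {findings or 'ok'}")
```

The check deliberately treats a same-account root principal as acceptable and a foreign account as acceptable only with a binding condition; the `DBAccess` role passes while `Reporting` fails on both its trust policy and its `redshift:*` grant, which is the DBAccess-versus-DevOps distinction the article draws, expressed as a rule a pipeline can run on every deploy.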