The migration to cloud infrastructure brings many benefits — resource scaling, greater operational efficiency, speed in deployment and cost reduction in hardware maintenance and investment. As a result, 71% of organizations are pursuing a multi-cloud or hybrid strategy today, according to a 2021 Cloud Security report from Cybersecurity Insiders and Fortinet. Yet, the survey also found that the lack of visibility, control and staff resources or expertise are some of the top barriers to faster cloud adoption.
AWS is one of the most popular cloud platforms for organizations of all sizes. But like any cloud platform, there are common security risks that can be overlooked by organizations looking to migrate to the cloud. This can result in compromised or leaked data and compliance violations. We’ve identified key AWS cloud security risks that you need to watch for, as they could be indicators of malicious activity and part of the chain of attack that could result in a data breach.
Learn more about each cloud security risk and how Blumira’s detection and response platform automates identifying and remediating early indicators of an attack to save you manual time and effort in triage and investigation. The rules below were written by Blumira’s incident detection engineers and automatically rolled out into our platform, available to every customer with an AWS integration set up (see below for our documentation guide).
Unauthorized Root Logins
The AWS account root user has full access to every resource and service in the account, including billing information, and its permissions cannot be reduced. As a security best practice, Amazon cautions against using the root user's access key at all and advises guarding it as you would any other sensitive information, like a credit card number.
How Blumira Helps: Blumira detects and notifies you when a root login event has occurred from a specific source IP address and any subsequent account activity. We help guide you through next steps, including identifying if it’s unauthorized activity, as it may indicate an AWS account compromise.
Disabled Security Tools
To evade possible detection of tools and activities, attackers may disable existing AWS security tools by killing security software or event logging processes, deleting Registry keys to keep tools from starting at run time, or other methods to interfere with security tool scanning or reporting. One security tool is Amazon GuardDuty, a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts, workloads, and data stored in Amazon S3.
How Blumira Helps: Blumira notifies you when it detects a change made to GuardDuty and provides the user and source IP address behind it. This could indicate that GuardDuty security monitoring has been maliciously disabled within your AWS account. Our playbook then walks you through next steps in the remediation workflow, including identifying whether this activity is valid and authorized.
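As an added example (not Blumira's detection rules or code), the following triage pass flags the two indicators above, a successful root console login and a GuardDuty detector being disabled, in CloudTrail records. The records are constructed inline; the GuardDuty event watch list and the assumption that `UpdateDetector` records carry an `enable` request parameter are ours.

```python
from collections import namedtuple

# GuardDuty API calls that disable, detach or silence a detector (assumed watch list).
GUARDDUTY_TAMPER = {"DeleteDetector", "UpdateDetector", "StopMonitoringMembers",
                    "DisassociateFromMasterAccount", "DeleteMembers"}

# kind is "root_login" or "guardduty_disabled"; user is the ARN (or identity type) behind the call.
Alert = namedtuple("Alert", "kind user source_ip event_name")


def check_event(evt: dict):
    """Return an Alert for one CloudTrail record, or None if it is uninteresting."""
    ident = evt.get("userIdentity", {})
    user = ident.get("arn") or ident.get("type", "unknown")
    ip = evt.get("sourceIPAddress", "unknown")
    name = evt.get("eventName", "")
    # Root permissions cannot be reduced, so every successful root console login
    # deserves a ticket regardless of what was done afterwards.
    if (name == "ConsoleLogin" and ident.get("type") == "Root"
            and evt.get("responseElements", {}).get("ConsoleLogin") == "Success"):
        return Alert("root_login", user, ip, name)
    # GuardDuty tampering; UpdateDetector is benign unless it turns the detector off.
    if evt.get("eventSource") == "guardduty.amazonaws.com" and name in GUARDDUTY_TAMPER:
        params = evt.get("requestParameters") or {}
        if name == "UpdateDetector" and params.get("enable", True):
            return None
        return Alert("guardduty_disabled", user, ip, name)
    return None


def scan(records):
    """Run every record through check_event and keep the alerts, in log order."""
    return [a for a in map(check_event, records) if a is not None]


# Constructed sample records (not real logs): a successful root login, a failed one,
# a detector being switched off, and a harmless GuardDuty read.
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
OPS = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"}
SAMPLE = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "userIdentity": ROOT,
     "sourceIPAddress": "203.0.113.7", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "userIdentity": ROOT,
     "sourceIPAddress": "203.0.113.7", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "UpdateDetector", "eventSource": "guardduty.amazonaws.com", "userIdentity": OPS,
     "sourceIPAddress": "198.51.100.20", "requestParameters": {"enable": False}},
    {"eventName": "GetDetector", "eventSource": "guardduty.amazonaws.com", "userIdentity": OPS,
     "sourceIPAddress": "198.51.100.20"},
]
```

Running `scan(SAMPLE)` yields one `root_login` alert and one `guardduty_disabled` alert; the failed login and the read-only `GetDetector` call are ignored.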
Cloud Misconfigurations
There are many different types of cloud misconfigurations that can be easily overlooked and result in a widened or open attack surface. When your S3 (Simple Storage Service) bucket permissions aren’t restrictive enough or sensitive ports on your EC2 (Elastic Compute Cloud) instance aren’t blocked by certain security measures, it can result in leaving the front door open to attackers. Misconfigurations can happen unintentionally when different members of your IT team make seemingly small changes to your instances, permissions or policies that can have cascading effects on security.
How Blumira Helps: Blumira alerts you to misconfigurations such as when an EMR-related (Amazon Elastic MapReduce, a tool for big data processing and analysis) sensitive port on your EC2 instance is not blocked by a security group or access control list.
Our platform also identifies when the port is not blocked by an on-host firewall and known scanners from the internet are actively probing it, an exposure attackers can then use for remote code execution. In our remediation playbook, we guide you through next steps for EC2 instance and VPC Flow Logs/CloudTrail traffic inspection to verify whether this activity is legitimate or malicious.
Modified Security Groups
To move laterally through your environment, attackers may change permissions on your AWS accounts or security groups, exposing vulnerable services and opening a path to exfiltrate data. An EC2 security group acts as the virtual firewall for your EC2 instances, controlling incoming and outgoing traffic. Attackers use specific tactics to steal credentials from your AWS environment and escalate privileges, which is why it’s important to know which tactics to watch for and to respond quickly.
How Blumira Helps: Blumira detects whenever existing AWS EC2 security groups have been modified by certain users and guides you through response to verify whether the activity is valid and authorized. The platform also identifies other indicators of privilege escalation, such as DNS rebinding attacks that attempt to obtain metadata from an EC2 instance, including any IAM (Identity and Access Management) credentials that could be used for lateral movement.
Blumira’s playbook helps you remediate, including quarantining the EC2 instance if it’s found to be malicious, revoking its session and conducting further investigation. If you have trouble determining if the activity is malicious, we recommend reaching out to Blumira’s security team for further assistance.
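The misconfiguration check above (a sensitive port left open by a security group) and the security group modification alerts in this section both come down to the same question: after the rules are what they are, which sensitive ports does the group expose to the whole internet? The audit below is an added example, not Blumira's code; it takes one entry in the shape of `describe-security-groups` output, and the list of sensitive ports (SSH, RDP and a few EMR web interfaces) is our assumption, since the post does not name specific ports.

```python
import ipaddress

# Ports treated as sensitive when reachable from the whole internet (assumed list):
# SSH, RDP, and the EMR web interfaces the post alludes to (YARN ResourceManager,
# Zeppelin, Spark history server).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 8088: "yarn-rm", 8890: "zeppelin", 18080: "spark-history"}


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers every IPv4 or IPv6 address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_group(group: dict):
    """Return (GroupId, port, service, cidr) for each sensitive port open to the internet."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):   # skip udp/icmp rules
            continue
        cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
        open_cidrs = [c for c in cidrs if is_world_open(c)]
        if not open_cidrs:
            continue
        # IpProtocol "-1" means all traffic; FromPort/ToPort are absent in that case.
        if perm["IpProtocol"] == "-1":
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for port, service in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.extend((group["GroupId"], port, service, c) for c in open_cidrs)
    return findings


# Constructed sample (not real account data): one group that exposes the YARN UI and,
# through an all-traffic IPv6 rule, everything else; one that only allows SSH from 10/8.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8088, "ToPort": 8088,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]
```

Running `audit_group` over each entry flags six exposures on `sg-0bad` (the YARN port over IPv4, then every sensitive port over IPv6) and nothing on `sg-0ok`; the same check can be rerun on a group's rules whenever a modification alert fires.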
Stolen Credentials
To gain unauthorized access to AWS accounts, attackers may attempt to steal credentials that can be used to log in, perform lateral movement and access your restricted information. Attackers may also attempt to steal leaked credentials found in source repositories or logs to gain access to AWS cloud storage objects that have access permission controls, according to MITRE.
How Blumira Helps: Blumira’s platform detects indicators of critical IAM credential exfiltration via Amazon GuardDuty, a tactic used by attackers to pivot from a compromised AWS instance into a customer’s AWS account. Our playbook guides you through next steps for inspecting the EC2 host identified in the alert and the VPC Flow Log and CloudTrail log traffic to verify if the activity is legitimate or malicious.
How You Can Get These Detections
To ensure your organization has coverage for these security detections, integrate Blumira with your AWS environment by configuring logs to flow into Blumira’s platform, which you can learn more about in our AWS: Getting Started Guide.
New to Blumira? Fully set up your AWS integration in minutes to hours with Blumira’s free trial. Our experienced and responsive security team is available to help provide security guidance, onboarding, incident response and more to help ensure your security success.