Amazon Web Services (AWS) provides a robust set of controls on its own infrastructure, but it's important to be aware that the security of the individual servers is the responsibility of the client -- not Amazon -- as part of the shared responsibility model.
This distinction is not always understood. In short, it would not be viable for Amazon to provide vulnerability management for customer servers, as doing so would require the cloud provider to hold administrator- or root-level credentials for each server, which would be a data privacy nightmare.
Equally important to note is that although the Amazon-owned infrastructure is regularly tested for vulnerabilities, this does not imply that the individual IP addresses your enterprise controls are secure. IP addresses within AWS should be treated in the same way as any other private or public IP addresses, and corporate vulnerability management policies should be extended to cover servers hosted within AWS.
In this tip, I will discuss what enterprises must do to fulfill their end of the shared responsibility model regarding AWS vulnerability scanning.
AWS vulnerability management
The best method for vulnerability management in AWS is to install a virtual instance of a vulnerability scanning appliance -- such as those available from Qualys Inc. or Tenable Network Security's Nessus -- directly into AWS. While AWS usually requires express permission to run any form of vulnerability assessment on servers within the AWS infrastructure, installing a virtual appliance in your enterprise's instance can bypass this requirement -- depending on the type of subscription purchased. The appliance can be scheduled to run scans at any frequency. If provided with valid administrator credentials (on Windows) or root credentials (on Unix systems), the virtual scanner can report patch levels for both the operating system and third-party software, as well as vulnerabilities in system configuration.
Virtual vulnerability scanning appliances are generally able to scan private and public IP addresses within EC2 and Amazon VPC, private IP addresses connected to Amazon via an IPSec VPN, and public IP addresses on the Internet. The appliance can be purchased from the Amazon marketplace and delivered via an Amazon Machine Image (AMI). Once a subscription is purchased, the AMI instance can be launched from within the AWS EC2 console (accessible through the AWS management console). The virtual scanning appliance subscription usually requires an existing subscription to the relevant vulnerability scanning SaaS. In some cases, the AMI is included as part of the standard subscription to the SaaS; in others it is an added extra.
The costs of running the vulnerability scanning virtual appliance are split into two parts. First, there is the bring-your-own-license cost for the AMI itself. Second, AWS charges a fee for running the appliance. This fee covers the compute capacity (the largest component) and depends on the instance type, the amount of storage used and the amount of data transferred in and out.
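To make the target classes above concrete (private addresses inside EC2/VPC, public addresses on the Internet, and hosts with or without credentials for an authenticated scan), here is an added Python example that builds a scan-target inventory for an in-AWS appliance; it is not code from the article or from any scanner vendor. It assumes the Reservations -> Instances shape of `aws ec2 describe-instances` output (sample constructed inline, with hypothetical ids and addresses) and a hypothetical organisational "ScanAuth" tag that records whether credentialed scanning has been set up for a host.

```python
"""Build a scan-target inventory for an in-AWS vulnerability scanning appliance.

Constructed sample: RESERVATIONS mimics the Reservations -> Instances shape of
`aws ec2 describe-instances` output, trimmed to the fields used here. Instance
ids, VPC ids and addresses are hypothetical. The "ScanAuth" tag is an assumed
organisational convention recording that admin/root scan credentials exist.
"""

RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "VpcId": "vpc-0a1", "State": {"Name": "running"},
         "PrivateIpAddress": "10.0.1.10", "PublicIpAddress": "203.0.113.10",
         "Tags": [{"Key": "Name", "Value": "web-1"},
                  {"Key": "ScanAuth", "Value": "unix-root"}]},
        {"InstanceId": "i-0bbb222", "VpcId": "vpc-0a1", "State": {"Name": "running"},
         "PrivateIpAddress": "10.0.1.11",
         "Tags": [{"Key": "Name", "Value": "db-1"}]},
        {"InstanceId": "i-0ccc333", "VpcId": "vpc-0a1", "State": {"Name": "terminated"},
         "PrivateIpAddress": "10.0.1.12", "Tags": [{"Key": "Name", "Value": "old-1"}]},
    ]},
]


def _tag(inst, key, default=None):
    """Return the value of tag `key` on an instance, or `default` if absent."""
    return next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == key), default)


def build_scan_targets(reservations):
    """One record per running instance; stopped/terminated hosts cannot be scanned."""
    targets = []
    for res in reservations:
        for inst in res["Instances"]:
            if inst["State"]["Name"] != "running":
                continue
            targets.append({
                "name": _tag(inst, "Name", inst["InstanceId"]),
                "vpc": inst["VpcId"],
                "private_ip": inst.get("PrivateIpAddress"),
                "public_ip": inst.get("PublicIpAddress"),
                "credentialed": _tag(inst, "ScanAuth") is not None,
            })
    return targets


def scan_groups(targets):
    """Split targets into the address classes the appliance scans, plus a
    coverage list of hosts that will only receive an unauthenticated scan."""
    groups = {"vpc_private": [], "internet_public": [], "unauthenticated": []}
    for t in targets:
        if t["private_ip"]:
            groups["vpc_private"].append(t["private_ip"])
        if t["public_ip"]:
            groups["internet_public"].append(t["public_ip"])
        if not t["credentialed"]:
            groups["unauthenticated"].append(t["name"])
    return groups
```

Hosts listed under `unauthenticated` will yield network-visible findings only, not the patch-level detail the article describes for credentialed scans, so that list doubles as a coverage gap report.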
After the vulnerability scan
Running the AWS vulnerability scans is only the first step. Organizations also need to ensure they have the technical expertise to interpret the results; although vulnerability scanners are useful tools, they are prone to false positives and cannot rate the severity of a vulnerability within the context of the organization. As long as this is understood, vulnerability scanning should form an integral part of deploying servers within AWS.
About the author:
Rob Shapland is a penetration tester at First Base Technologies, where he specializes in Web application security. He has used his skills to test the websites of companies ranging from large corporations to small businesses, built on a wide variety of Web technologies. He is a firm believer that all penetration testing should have manual techniques at its core, with automated tools used to support those skills. He is also involved in network testing and social engineering.