AWS, customers tackle cloud misconfigurations and data exposures

AWS re:Inforce, the cloud provider's inaugural security conference, addressed the problems of misconfigurations and data exposures with new tools, like Control Tower.

BOSTON -- AWS used its inaugural security conference to address a persistent issue for its users: cloud misconfigurations.

At AWS re:Inforce, the cloud giant and several of its top customers weighed in on misconfigured settings, which have resulted in several high-profile cloud data exposures in recent years. The AWS misconfigurations have affected a broad range of organizations -- from private enterprises, like Verizon, to government agencies, such as the Pentagon.

AWS has made incremental changes to its services and security features to curb such data exposures, including the ability to block public access for all S3 resources within an organization. Bill Shinn, senior principal in the office of the CISO at AWS, said the company has tried to provide "deep and simple visibility" to customers about their configurations and security settings to meet the governance challenges.

"Everything in AWS is secure by default," he said. "There are valid use cases for making S3 buckets public, but making it incredibly obvious when those configurations are happening was important."

In addition to those changes, the cloud provider used AWS re:Inforce as an opportunity to tout new and existing offerings designed to not only identify cloud misconfigurations, but prevent them before they're even made. Shinn said the company "absolutely" made a point to address this issue and communicate the value of newer AWS offerings, such as Control Tower and Security Hub, as well as promote the in-house tools and approaches of several top customers.

Standardizing configurations

One such customer, the World Bank Group, explained during a re:Inforce session how it addressed the problem by developing new strategies for using AWS security tools. Yu Gao, senior IT officer for security, risk and compliance at World Bank Group, told the audience that cloud misconfigurations were rooted in a simple practice within the organization.

"We defined the security control, but the security control sometimes -- or most of the time -- was manually [applied]," Gao said. "And when things are manually done, they're not able to be implemented consistently, and sometimes misconfigurations can happen."

For example, Gao's security team asked the application development team to encrypt an S3 bucket for a project, but there are several ways to do that, which led to confusion.

"When we communicated to our application team, sometimes things got lost in communication," he said.

That miscommunication, he said, led to an AWS misconfiguration that was only discovered "right before the application was ready to launch," which caused major delays.

"Those were common in the past," Gao said, adding that enforcing policies and standardized configurations consistently across the World Bank Group's AWS environment was a challenge.

Now, however, Gao's security team has a different approach: it uses templates in CloudFormation, AWS' offering for provisioning and managing things like application frameworks and security policies. Those templates, he said, are then moved to AWS Service Catalog, where a single template -- and security policy -- is applied across all lines of business, removing the need to manually apply policies.

The Service Catalog's functionality was combined with Control Tower, AWS' newest security offering for centrally managing multi-account environments, which was officially launched on Tuesday at the conference.

Darren House, solutions architect at AWS, said during the session that users can create rules -- or guardrails, according to AWS -- with Control Tower. So, for example, the World Bank Group's security team could see when an application is out of compliance with those standardized configurations.
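The preventive side of the approach described above is a check that a template meets the organisation's standard before it is published for reuse. The following is an added illustration, not World Bank Group's, AWS', or Control Tower's own code: it evaluates a CloudFormation template (already parsed to a dict, as by a YAML or JSON loader) against an assumed S3 baseline of default server-side encryption plus all four public-access-block settings. The baseline and the two sample templates are constructed for this example.

```python
"""Lint a parsed CloudFormation template against a standardized S3 baseline.

Added example; the baseline (SSE required, all public-access blocks on) is an
assumed organisational standard, not an AWS-defined rule set.
"""
from typing import Dict, List

# Either S3-managed keys or KMS satisfies the (assumed) encryption requirement.
ACCEPTED_SSE = {"AES256", "aws:kms"}

# The four settings of AWS::S3::Bucket PublicAccessBlockConfiguration.
PUBLIC_ACCESS_KEYS = (
    "BlockPublicAcls",
    "BlockPublicPolicy",
    "IgnorePublicAcls",
    "RestrictPublicBuckets",
)


def bucket_findings(logical_id: str, props: Dict) -> List[str]:
    """Return one finding per baseline violation for a single bucket resource."""
    findings: List[str] = []

    # BucketEncryption.ServerSideEncryptionConfiguration is a list of rules,
    # each carrying a ServerSideEncryptionByDefault block with SSEAlgorithm.
    rules = props.get("BucketEncryption", {}).get(
        "ServerSideEncryptionConfiguration", []
    )
    algorithms = {
        rule.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        for rule in rules
    }
    if not algorithms & ACCEPTED_SSE:
        findings.append(f"{logical_id}: no default server-side encryption")

    public_access = props.get("PublicAccessBlockConfiguration", {})
    for key in PUBLIC_ACCESS_KEYS:
        # Anything other than a literal boolean true (including absence) fails.
        if public_access.get(key) is not True:
            findings.append(
                f"{logical_id}: PublicAccessBlockConfiguration.{key} is not true"
            )
    return findings


def check_template(template: Dict) -> List[str]:
    """Collect baseline findings for every AWS::S3::Bucket in the template."""
    findings: List[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::S3::Bucket":
            findings.extend(
                bucket_findings(logical_id, resource.get("Properties", {}))
            )
    return findings


# Constructed sample: a bucket declared with nothing but a name.
NONCOMPLIANT_TEMPLATE = {
    "Resources": {
        "ProjectData": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-project-data"},
        }
    }
}

# Constructed sample: the same bucket written to the baseline.
COMPLIANT_TEMPLATE = {
    "Resources": {
        "ProjectData": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "example-project-data",
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                    ]
                },
                "PublicAccessBlockConfiguration": {
                    key: True for key in PUBLIC_ACCESS_KEYS
                },
            },
        },
        # Non-bucket resources are ignored by the baseline.
        "AppRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    }
}


if __name__ == "__main__":
    for name, template in (
        ("noncompliant", NONCOMPLIANT_TEMPLATE),
        ("compliant", COMPLIANT_TEMPLATE),
    ):
        print(name, check_template(template) or "OK")
```

Running a check like this in the pipeline that publishes templates to Service Catalog turns "encrypt the bucket" from a verbal instruction into a machine-enforced gate, which is the gap Gao describes. The same rules can later serve as the detective check that Control Tower-style guardrails report against.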

Finding cloud resources

Another issue related to cloud misconfigurations and data exposures is cloud resources slipping through the cracks. Shannon Lietz, director of red teaming at Intuit, based in Mountain View, Calif., said data exposures are often the result of an organization "missing resources in their environment," which allows those resources to escape the necessary security policies and standardized configurations.

Liberty Mutual Group developed its own tool, dubbed Radar, to validate and secure resources in its AWS environment. During AWS CISO Stephen Schmidt's keynote at re:Inforce, Brian Riley, Liberty Mutual's senior director of global cyber-risk management, spoke about how Radar uses Amazon CloudWatch to review any changes across the company's entire environment.

For example, Riley said, if a user tried to deploy a new resource like an S3 bucket that isn't consistent with Liberty Mutual's policies for encryption, the CloudWatch event generated by that S3 bucket is routed to a rules engine, which will detect the misconfiguration and automatically apply encryption to the resource.
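The detect-and-remediate loop Riley describes can be sketched as a small event handler. What follows is an added example, not Liberty Mutual's Radar code: it takes a CloudWatch Events record for an S3 `CreateBucket` API call (the CloudTrail-sourced event shape, with the bucket name under `detail.requestParameters.bucketName`), asks whether the bucket has default encryption, and applies AES256 server-side encryption if it does not. The rule, the event, and the in-memory `FakeS3` client are constructed so the logic runs offline; in a Lambda function the same `remediate` function would be handed a real `boto3.client("s3")`, whose `get_bucket_encryption` raises a `ClientError` with code `ServerSideEncryptionConfigurationNotFoundError` for an unencrypted bucket.

```python
"""Event-driven remediation of unencrypted S3 buckets (added example).

Mirrors the pattern in the article: a CloudWatch event for a new resource is
routed to a rule that detects the misconfiguration and fixes it. The FakeS3
client is a constructed stand-in for boto3's S3 client.
"""
from typing import Any, Dict, Optional

NOT_FOUND_CODE = "ServerSideEncryptionConfigurationNotFoundError"

# The encryption setting the (assumed) standard requires on every bucket.
DEFAULT_SSE = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}


class FakeClientError(Exception):
    """Mimics botocore's ClientError: carries response["Error"]["Code"]."""

    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """In-memory stand-in exposing the two boto3 calls the rule uses."""

    def __init__(self) -> None:
        self.encryption: Dict[str, Dict] = {}

    def get_bucket_encryption(self, Bucket: str) -> Dict:
        if Bucket not in self.encryption:
            raise FakeClientError(NOT_FOUND_CODE)
        return {"ServerSideEncryptionConfiguration": self.encryption[Bucket]}

    def put_bucket_encryption(
        self, Bucket: str, ServerSideEncryptionConfiguration: Dict
    ) -> None:
        self.encryption[Bucket] = ServerSideEncryptionConfiguration


def error_code(exc: BaseException) -> Optional[str]:
    """Extract the AWS error code from a ClientError-shaped exception."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def bucket_from_event(event: Dict[str, Any]) -> Optional[str]:
    """Return the bucket name if the event is an S3 CreateBucket call."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "s3.amazonaws.com":
        return None
    if detail.get("eventName") != "CreateBucket":
        return None
    return detail.get("requestParameters", {}).get("bucketName")


def remediate(event: Dict[str, Any], s3: Any) -> Dict[str, str]:
    """Apply the encryption rule to the bucket named in the event."""
    bucket = bucket_from_event(event)
    if bucket is None:
        return {"action": "ignored"}
    try:
        s3.get_bucket_encryption(Bucket=bucket)
    except Exception as exc:  # noqa: BLE001 - inspect the AWS error code
        if error_code(exc) != NOT_FOUND_CODE:
            raise  # access denied, throttling, etc. are not "unencrypted"
        s3.put_bucket_encryption(
            Bucket=bucket, ServerSideEncryptionConfiguration=DEFAULT_SSE
        )
        return {"bucket": bucket, "action": "encryption_applied"}
    return {"bucket": bucket, "action": "compliant"}


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, str]:
    """Entry point when deployed as a Lambda target of the CloudWatch rule."""
    import boto3  # imported lazily so the example runs without boto3 installed

    return remediate(event, boto3.client("s3"))


# Constructed sample event in the CloudTrail-via-CloudWatch-Events shape.
CREATE_BUCKET_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.s3",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "CreateBucket",
        "requestParameters": {"bucketName": "example-team-data"},
    },
}

# Constructed event the rule should leave alone.
UNRELATED_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.s3",
    "detail": {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
}


if __name__ == "__main__":
    client = FakeS3()
    print(remediate(CREATE_BUCKET_EVENT, client))   # encryption applied
    print(remediate(CREATE_BUCKET_EVENT, client))   # now compliant
    print(remediate(UNRELATED_EVENT, client))       # ignored
```

Two design points matter in practice: the rule re-raises any error other than "no encryption configuration", so a permissions or throttling failure surfaces instead of being silently treated as compliant; and the remediation is idempotent, so replaying the same event does not change the result. Because `CreateBucket` arrives before any objects exist, applying default encryption here closes the window before data lands in the bucket.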

The result, Riley said, is "a flexible set of guardrails that allow Agile teams to experiment, while enforcing that our [security] standards are met."

Shinn said there's still work to be done on preventing cloud misconfigurations and data exposures.

"We can always do better," he said. "We can turn things on by default, but there are maybe costs associated with that. So, the balance of what to turn on by default versus letting the customer build it is always something we consider."

Still, he said he's confident the new AWS offerings, combined with existing tools and features, will help enterprises govern their cloud resources more effectively going forward.

"Customers coming in now are having a different experience with things like Control Tower, [AWS] Organizations and Security Hub, which really lend to that governance conversation we've been having for a while," Shinn said. "I'm very optimistic about governance being easy, quote-unquote, on AWS."
