See Snyk Cloud in action
Abra Confdabra: Insecure resource misconfigurations
The Abra Confdabra origin story
When insecure or vulnerable cloud workload resources are left accessible over the internet — allowing attackers to compromise and exploit them for malicious activity — they give rise to Abra Confdabra, the insecure resource misconfiguration villain!
A resource in AWS is an entity you can work with. Examples of resources are an Amazon EC2 instance, an AWS CloudFormation stack, an Amazon S3 bucket, etc.
A cloud workload is an application or digital product hosted in the cloud that's built using a mix of cloud-provided services. An example of a cloud-provided services is infrastructure as a service (IaaS). Each cloud workload can be a mobile app, website, or an enterprise critical application.
As a simple example, if a customer uses AWS EC2 to host their application and their security group (firewall rule) for this application allows anyone to access it from the internet, their application could be exploited by threat actors to gain access to the application.
Common causes
Abra Confdabra is often found when stateful methods like infrastructure as code (IaC) is not used to define resources. Resources that are created manually and managed manually are more likely to be misconfigured, leaving them exposed to potential attackers.
Using IaC to deploy resource, but not restricting the ability to change or modify configuration of resources in AWS environments, can also give rise to Abra Confdabra.
Problems caused by insecure resource misconfigurations
Abra Confdabra can cause some real trouble. For example, a compromised server or deleted resource could easily lead to ransomware. A compromised server or resource can also lead to unintentional exposure of sensitive data resulting in data breaches.
3 places in AWS where Abra Confdabra likes to hide
Cloud workloads require networking services, like AWS Virtual Private Cloud(VPC), to run and connect to other services. The VPC can have subnets that are private for hosting databases that should not be accessible from the internet, but linking a route to the internet gateway can lead to these services being exposed to the internet.
If an AWS Elastic Kubernetes Service (EKS) API endpoint is linked to a permissive IAM role that allows anyone with the same IAM role admin permissions to multiple resources in that AWS Account, this can lead to insecure resource misconfigurations in AWS.
Most organizations are required to be compliant to industry standards while most AWS services used are compliant with most industry standards like PCI DSS etc, using an non-compliant service for hosting cloud workloads can lead to breach in compliance status of the organization.
Abra Confdabra can also appear in these usual suspects:
A bastion host, or any application, running on AWS EC2 with security groups that allow unrestricted access from the internet
A private AWS S3 bucket with sensitive data is accessible for anyone to access from the internet
Deploying resources in a geographical region outside of compliance and legal regions.
3 ways to stop Abra Confdabra
You can combat Abra Confdabra by only allowing only known sources, AWS security groups, or only known IPs/CIDR (Internet Protocol/ Classless Inter-Domain Routing) ranges to be used in security groups to connect to AWS resources. By defining security parameters for your resources in AWS, you can prevent misconfigurations. See also: Security in AWS Resource Groups
IaC can be a powerful tool to define a stateful configuration of the resources that would be built to ensure intentional creation of resources as per business requirements. A stateful configuration allows you to track things like resource location, resource configuration preferences, ensuring all recent activity are replicated across all resources managed by the IaC. Stateful methods, like using IaC, tracks the resources being created and manages changes ensuring that the resources don’t drift away from the business requirements of the application ensuring no accidental exposure of resources to attackers.
A combination of AWS services like Amazon EventBridge and AWS Lambda to detect and pro-actively remediate any resource misconfiguration can help you defeat Abra Confdabra. AWS EventBridge shares real-time event data from your application, services, and resources to any services subscribed to the EventBridge and can help you respond to state changes in your AWS resource e.g.it can notify you if an object creation or deletion occurs in your Amazon S3 bucket. AWS Lambda allows you to run code virtually for applications and services. You can create rules to match AWS EventBridge notifications and route them to your AWS Lambda function to take action to prevent resource misconfigurations. See also: Using AWS Lambda with Amazon EventBridge
Prochain de la série
Sub doMine: Dangling DNS
Public websites that are managed and hosted on a public cloud provider (like AWS) can be prone to dangling DNS if the files and servers hosting the website can be replaced by an attacker's server — resulting in a subdomain takeover.
Poursuivre la lecture