AWS Security Misconfigs

In this section

More in this series

Top 5 AWS security misconfigurations and how to fix them

Abra Confdabra: Insecure resource misconfigurationsSub doMine: Dangling DNSMisCred: Leaked credentialsCon-Identity: Identification and authentication failurewhoIAM: Lack of IAM controls

See Snyk Cloud in action

Book a live demo

Top 5 AWS security misconfigurations and how to fix them

Meet the AWS cloud security villains

0 mins read

Adopting Amazon Web Services (AWS) — the dominant cloud service provider — can help organizations innovate faster and accelerate their digital transformation. But there are common security pitfalls when moving to AWS. Fortunately, there are steps your team can take to avoid them.

In this series, we'll explore these five risks — as personified by supervillains — and look at some ways to keep them at bay.

wordpress-sync/feature-series-aws-security-poster

Download the Cloud Security Advocates Unite PDF

Meet the villains on YouTube

Insecure resource misconfigurations

wordpress-sync/series-aws-security-abra-confdabra-small

Abra Confdabra

With the migration of applications and storage to the cloud for cost savings, as well as digital transformation for enterprises across the globe, resources that were behind the closed doors of a hardware firewall are now at the mercy of cloud infrastructure misconfigurations. An AWS S3 bucket that's left open to the internet is one of the most common examples of cloud resource misconfigurations — and a common reason for a lot of publicity around data breaches.

Don't leave your data exposed to the Magician, as they use sleight of hand to steal sensitive data out from right under your nose...

Learn to secure your resource configurations

Dangling DNS

wordpress-sync/series-aws-security-sub-domine-small

Sub doMine

Public websites that are managed and hosted on a  public cloud provider (like AWS) can be prone to dangling DNS if the files and servers hosting the website can be replaced by an attacker’s server — resulting in a subdomain takeover. And unless an organization is keeping a close eye on each of its DNS entries, risks can exist in environments for a long time before they get discovered — with the potential for long-term impact.

Learn to keep your DNS from dangling

Leaked credentials

wordpress-sync/series-aws-security-miscred-small

MisCred

Identity is the new perimeter in the public cloud — and exposed or compromised credentials linked to these identities have been found to be the most common reason for most data breaches. Outside of data breaches, ransomware is the next biggest impact of leaked credentials. Fortunately, there are simple steps that teams can take to make sure credentials stay safe and secret.

Learn to prevent credential leaks

Identification and authentication failure

wordpress-sync/series-aws-security-con-identity-small

Con-Identity

Identification and authentication failures occur when a user’s identity, authentication, or session management is not implemented appropriately, leaving the cloud-hosted application unprotected against this attack. Attackers can exploit these unprotected cloud-hosted applications to get access to usernames, passwords, and session tokens and assume identities temporarily or permanently. Don't be fooled by Con-Identity and other con artists that try to sneak past security.

Learn to prevent identity and auth failures

Lack of IAM controls

wordpress-sync/series-aws-security-whoiam-small

whoIAM

If any of the identities that can authenticate to AWS lose their credentials due to a public data breach or by being accidentally shared with an attacker, this can be quite bad for the organization. This gets worse when the compromised identity has permissions that allow them to do a lot more than what their current role in the organization should allow. Luckily, there are simple steps that teams can take to keep this villain at bay.

Learn to control your IAM

Next in the series

Abra Confdabra: Insecure resource misconfigurations

When insecure resource configurations or vulnerable cloud workload resources are left accessible over the internet, attackers can compromise and exploit them for malicious activity.

Keep reading
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

What is Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Developer Security PlatformApplication securitySoftware supply chain securitySecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securitySnyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10VideosCustomer resources

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal informationWebsite Terms of Use

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHubSnyk vs VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon