Anywhere Access in AWS: Blessing or Security Nightmare?
You’re on a three-day holiday when your boss rings you up, saying a few GuardDuty alerts are firing. Luckily, you have your laptop with you. You open it up, log in to the console, quickly investigate the situation, and find a contextual false positive (someone was migrating data from one S3 bucket to another).
Have you ever been in such a situation?
It's an advantage to have access from anywhere. You were able to log in quickly and investigate.
Now, think from the other angle.
One of your applications has a debug endpoint that leaks environment variables (including AWS credentials). An attacker discovered this.
The attacker uses the leaked credentials with their automation tools and explores the account to achieve their objectives (crypto mining).
For the attacker as well, it's an advantage to have access from anywhere.
The fundamental fact of the cloud is that the control plane is accessible from anywhere in the world.
It’s entirely different in the world of on-prem servers. Let’s say you manage on-prem servers and have an admin console to manage and monitor your servers. A standard security approach to secure the admin console includes cutting down internet access so the console is accessible only from the local network.
If your network admin leaks their credentials on the internet, it might not be a huge problem. The attackers must be on the network (whether through physical access or VPN) to authenticate to the admin console using the leaked credentials.
But in the cloud, since it's accessible from anywhere, the consequences of a credential leak are high.
Leaked credentials = Can be exploited from anywhere.
Is a high-permission user compromised? An attacker could:
- Spin up EC2 instances
- Read sensitive storage content
- And much, much more
Some possible solutions
Restrict all access to AWS to a specific IP using SCP
You can add a Service Control Policy (SCP) to restrict access to specific IP ranges that your company owns. The policy does not deny requests made by AWS services.
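An added example (not from the original post) of the kind of SCP described above, together with a simplified Python model of how its Deny condition treats constructed requests. The CIDR ranges are placeholder documentation ranges, `is_denied` is a hypothetical helper, and the evaluator models only this one statement, not the full IAM engine.

```python
import ipaddress
import json

# Placeholder CIDRs (RFC 5737 documentation ranges); replace with company-owned ranges.
ALLOWED_CIDRS = ["192.0.2.0/24", "203.0.113.0/24"]

SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideCorporateIPs",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            # Both operators must be true for the Deny to apply (logical AND).
            "NotIpAddress": {"aws:SourceIp": ALLOWED_CIDRS},
            # Calls an AWS service makes on the principal's behalf are not denied.
            "Bool": {"aws:ViaAWSService": "false"},
        },
    }],
}


def is_denied(source_ip, via_aws_service):
    """Simplified model of the statement above, not the real IAM engine.

    source_ip: caller's public IP as a string, or None when the request
    carries no aws:SourceIp key.
    """
    cond = SCP["Statement"][0]["Condition"]
    cidrs = cond["NotIpAddress"]["aws:SourceIp"]
    if source_ip is None:
        # A negated operator is true when its key is missing from the request.
        outside = True
    else:
        ip = ipaddress.ip_address(source_ip)
        outside = not any(ip in ipaddress.ip_network(c) for c in cidrs)
    direct_call = str(via_aws_service).lower() == cond["Bool"]["aws:ViaAWSService"]
    return outside and direct_call


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    # Constructed sample requests: (source IP, made via an AWS service?)
    for ip, via in [("192.0.2.10", False), ("198.51.100.7", False),
                    ("198.51.100.7", True), (None, False)]:
        print(ip, via, "DENY" if is_denied(ip, via) else "not denied by this SCP")
```

A request with no `aws:SourceIp` key, such as one arriving through a VPC endpoint, also matches the Deny, so that traffic needs its own exception before a policy like this is rolled out.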