A large majority of cloud deployments feature misconfigured storage services, new research has claimed.
Upon analyzing a batch of cloud deployments from a range of different businesses, researchers from Accurics, found that a worrying 93% had misconfigured storage services. The majority also contained at least one network security exposure that had been left open during deployment.
The Accurics team suggests that new trends in poor security management are leading to these exposures as “one in two deployments had unprotected credentials stored in container configuration files”. More worryingly, 41% of the organizations evaluated had left a hardcoded high privilege key in a config file. A breach involving such a key would expose all associated resources.
A high-profile attack on communications services provider Twilio recently demonstrated the potential danger of cloud storage misconfigurations like those reported by Accuris. In mid-July, an opportunistic attacker accessed a Twilio S3 bucket with public write permissions. The attacker was then able to upload a malicious batch of code that may have been live on Twilio’s CDN for up to 24 hours.
Cloud storage risks
Besides leaving hardcoded keys in configuration files, the Accurics study identified two other commonplace errors made when deploying cloud storage. The first is the use of unnecessarily permissive IAM (Identity and Access Management) policies that could enable an attacker to take control of a sensitive cloud resource.
The other frequent mistake involved network exposures generated by risky routing rules. Resources that were designated as private were, in fact, commonly exposed due to connections between the private subnets that contained them and public subnets. In fact, in each one of the deployments considered by the study, at least one networking route existed that could be used to access a private subnet from the open internet.
Accurics noted the “inconvenient truth” that cloud deployments tend to drift away from a secure state over time. This means that cloud infrastructure security must be a focus throughout the lifetime of any deployment. It’s vital that issues are mitigated prior to cloud provisioning, and deployments should be continually monitored for risk once in use.