Cloud Conformity Auto Remediation is an automation tool that resolves in real-time various security issues detected within your Amazon Web Services account.

As more organizations migrate into the AWS cloud for its myriad of strong benefits, the move is not without its challenges when it comes to the security of this new infrastructure. As we’ve seen from the likes of Uber and Verizon’s major breaches, it’s crucial that security issues are swiftly addressed to avoid exploitation by malicious actors.

That said, it is simply impossible to manually identify and resolve every security issue within an AWS cloud environment.

The Challenge

“The volume of public cloud utilization is growing rapidly, so that inevitably leads to a greater body of sensitive stuff that is potentially at risk”

Jay Heiser, VP and Cloud Security Lead at Gartner, Inc.

Contrary to what many might think, the main responsibility for protecting data in the cloud lies with the cloud customer. AWS makes use of the “Shared Responsibility Model”, where security management is shared between AWS and its customer. This shared model clearly defines the responsibilities of AWS:

Amazon Web Services is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking and facilities that run AWS Cloud services.

AWS customers are therefore responsible for protecting data stored within AWS and any custom applications deployed. The “Shared Responsibility Model” also implies configurations that the customer must perform as part of their security responsibilities. For example, services such as EC2, VPC and S3 are categorised as Infrastructure as a Service (IaaS) and require the customer to perform the necessary security configurations (e.g. implementing appropriate access control policies) and management tasks (e.g. enabling AWS CloudTrail and AWS Config).

The Risks

There are many cases where customers have failed to appropriately manage their part in the AWS Shared Responsibility Model. One recurring theme reported by cybersecurity organisations is misconfigured Amazon S3 buckets leaving terabytes of corporate data exposed to the public internet. Some examples:

Major Financial Publishing Firm

In May 2017, the cybersecurity firm UpGuard reported on a cloud-based data repository — in this case, an AWS S3 bucket — owned by an American publishing and financial information firm. The S3 bucket was configured to allow semi-public access and exposed the financial details of millions of the company’s customers. The investigation showed that the exposed bucket was configured via S3 Access Control Lists (ACLs) to allow all AWS authenticated users (authorized or not) to download the data via the repository’s URL.

Multinational Telecom Conglomerate

One month later, UpGuard found that another misconfigured S3 data repository was exposing the account data of over 6 million of their customers. The bucket was left unprotected by their 3rd-party vendor, NICE Systems, who configured it to allow public access; its content, the sensitive personal details of customers, was fully downloadable.

Worldwide Delivery Services Company

In February 2018, a misconfigured Amazon S3 bucket affiliated with this company was reported to have exposed the personal information of over 100,000 users. According to Kromtech Security Center, scanned documents, including passports, driver’s licenses and security IDs, had been leaked from the S3 bucket. This exposure is a potent example of the risks of 3rd-party vendors handling sensitive data.

The Solution

To help address these security challenges and assess the compliance posture of your AWS environment, Cloud Conformity has introduced Auto-Remediation.

Auto-remediation falls under the umbrella of security automation: the automatic handling of cybersecurity-related tasks, such as scanning for vulnerabilities and implementing proactive security measures, without human intervention.

Using the AWS CloudWatch — CloudTrail integration, Cloud Conformity Auto-Remediation can detect in real-time a number of security incidents, including:

  • modifying security groups associated with EC2 or RDS instances to allow unrestricted access (0.0.0.0/0) on TCP port 22 (SSH) or port 3306 (MySQL),
  • reconfiguring S3 bucket ACLs to allow WRITE (i.e. UPLOAD/DELETE) access to everyone,
  • exposing Redshift clusters by enabling their Publicly Accessible feature,
  • switching off the Termination Protection feature for CloudFormation stacks.

Once these incidents are found, Auto-Remediation handles the necessary security fixes in an automated way, without user assistance.

Let’s imagine for a moment that an S3 bucket within your AWS account holding personal customer data becomes publicly exposed. This is probably the most time-sensitive issue you could experience, and waiting for notification and then manual fixes could result in catastrophic damage through unauthorized access. Through Auto-Remediation, Cloud Conformity automates the remediation process end-to-end so the security breach can be closed immediately and without your intervention.

Note: AWS S3 Access Control Lists (ACLs) enable you to specify permissions that grant access to S3 buckets and objects. When S3 receives a request for an object, it verifies whether the requester has the necessary access permissions in the associated ACL. For example, you could set up an ACL for an S3 object so that only the users in your AWS account can access it, or you could make it public so that it can be accessed by anyone.

How It Works

Cloud Conformity handles the entire process, including detection, in real time using the following workflow: failure -> alert (via predefined communication channels) -> Auto-Remediation.

5 steps in the auto-remediation workflow

1. An S3 bucket becomes publicly accessible via S3 Access Control Lists (ACLs).

2. Cloud Conformity identifies the security risk in real-time and notifies the user instantly via Slack.

3. Cloud Conformity publishes a message to the specified SNS topic.

4. The SNS topic triggers the “Orchestrator” Lambda function which calls the required auto-remediate functions — in this case, the “BucketPublicReadAcpAccess” function.

5. The S3 “BucketPublicReadAcpAccess” auto-remediate function automatically updates the misconfigured S3 bucket ACL and closes the security gap.
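The five steps above, as an added example that is not Cloud Conformity’s own code: a Python sketch of the Orchestrator unwrapping an SNS message and dispatching it to a BucketPublicReadAcpAccess function that strips public grants from a bucket ACL. The SNS message fields (ruleId, bucket), the rule-id string and the injected get_acl/put_acl callables are assumptions; the ACL dict mirrors what boto3’s get_bucket_acl returns, and the function removes every grant to the AllUsers and AuthenticatedUsers groups (the latter being the “all AWS authenticated users” case from the publishing-firm breach), not only READ_ACP.

```python
import json

# Grants to either of these predefined AWS groups make a bucket ACL "public".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def remove_public_grants(acl):
    """Return a copy of a get_bucket_acl-style policy with every grant to
    AllUsers or AuthenticatedUsers dropped; the owner's grants are kept."""
    kept = [g for g in acl["Grants"]
            if not (g["Grantee"].get("Type") == "Group"
                    and g["Grantee"].get("URI") in PUBLIC_GROUPS)]
    return {"Owner": acl["Owner"], "Grants": kept}

def bucket_public_read_acp_access(bucket, get_acl, put_acl):
    """Remediation function. get_acl/put_acl are injected so it runs offline;
    with boto3 they would be s3.get_bucket_acl and s3.put_bucket_acl."""
    current = get_acl(Bucket=bucket)
    fixed = remove_public_grants(current)
    removed = len(current["Grants"]) - len(fixed["Grants"])
    if removed:  # only write back when something actually changed
        put_acl(Bucket=bucket, AccessControlPolicy=fixed)
    return removed

# Rule id -> remediation function (the rule id string is an assumption).
REMEDIATIONS = {"BucketPublicReadAcpAccess": bucket_public_read_acp_access}

def orchestrator(event, get_acl, put_acl):
    """Lambda-style handler: unwrap each SNS record, dispatch on the rule id
    and report how many public grants were removed per bucket."""
    results = {}
    for record in event["Records"]:
        msg = json.loads(record["Sns"]["Message"])
        fn = REMEDIATIONS.get(msg.get("ruleId"))
        if fn is not None:  # unknown rules are ignored, not an error
            results[msg["bucket"]] = fn(msg["bucket"], get_acl, put_acl)
    return results

if __name__ == "__main__":
    # Constructed sample ACL: owner FULL_CONTROL plus a public READ_ACP grant.
    store = {"acl": {"Owner": {"ID": "owner-id"}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ_ACP"}]}}
    def put_acl(Bucket, AccessControlPolicy): store["acl"] = AccessControlPolicy
    event = {"Records": [{"Sns": {"Message": json.dumps(
        {"ruleId": "BucketPublicReadAcpAccess", "bucket": "customer-data"})}}]}
    print(orchestrator(event, lambda Bucket: store["acl"], put_acl))  # {'customer-data': 1}
```

A second run against the same bucket reports 0 removed grants and performs no write, so the function is safe to re-trigger.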

The tool can be easily configured to include or exclude security rules depending on your needs, as well as your preferred communication channels. The supported channels are SNS, SMS, Email, Slack, PagerDuty, JIRA, ServiceNow, and Zendesk.

With Auto-Remediation, Cloud Conformity is taking a big step towards security automation by negating human error and the operational inefficiencies that can hinder the resolution process.

Find out more on GitHub