Navigating AWS Security: Understanding Risks and Implementing Best Practices

J.R. Hernandez
Security Services Manager


In the dynamic landscape of cloud computing, Amazon Web Services (AWS) stands as a leading platform, offering a vast array of services to businesses worldwide. However, as with any technology, ensuring security within AWS is of paramount importance. This article aims to delve into the intricacies of AWS security, highlighting potential risks and providing insights into best practices for mitigating these risks.

AWS Organizations and CloudTrail

AWS Organizations is a service that allows you to manage multiple AWS accounts centrally. By default, AWS Organizations denies all actions across the organization, necessitating explicit permissions for any actions to be performed. This default setting is a crucial aspect of AWS's security-first approach, ensuring that unauthorized actions are prevented unless explicitly allowed.

AWS CloudTrail, a service that provides event history of your AWS account activity, is not enabled by default in all regions. This means that without manual configuration, not all activities within your AWS environment are logged, potentially leaving blind spots in your security monitoring.

Connection tracking in AWS is another area that warrants attention. While it is designed to monitor the state of network connections traversing your infrastructure, it can be exploited to allow inbound connections even if they are not explicitly allowed in the security group rules. This potential exploit underscores the importance of vigilant monitoring and robust security configurations.

In the realm of access control, IAM key identifiers such as the AWS account ID, IAM user ID, and IAM role ID play a pivotal role. These identifiers are used to grant or deny access to AWS resources, making their management critical to maintaining a secure AWS environment.

The Instance Metadata Service (IMDS) is a service from AWS that provides Amazon EC2 instances with data about themselves. While useful, IMDS can be exploited to gain unauthorized access to data. However, this risk can be mitigated by using IMDSv2, which requires a valid session token, adding an extra layer of security.

Lastly, stolen AWS IAM credentials pose a significant threat as they can be used to gain unauthorized access to an AWS account. However, there are methods to avoid detection and maintain operational security, such as using multi-factor authentication and regularly rotating IAM credentials.

Utilizing sts:GetAccessKeyInfo API

The sts:GetAccessKeyInfo API is a service provided by AWS that can be used to get the account ID associated with AWS access keys. This API is particularly useful when you have an access key but are unsure which account it belongs to.

To obtain the account ID from AWS access keys, you can make a call to the sts:GetAccessKeyInfo API. The account ID is included in the response from this API call, allowing you to identify the owner of the AWS access keys.

It's important to note that the sts:GetAccessKeyInfo API call will only be logged to the account calling the action. This means that if an attacker uses this API to get your account ID, the API call will not be logged in your AWS CloudTrail logs, making it harder to detect such activities.

The account ID is a crucial piece of information in AWS as it uniquely identifies an AWS account. By obtaining the account ID from an AWS access key, you can identify the owner of the access key, providing valuable information for auditing and security purposes.

Risks and Mitigation Strategies for Public EBS Snapshots

Amazon Elastic Block Store (EBS) provides block-level storage volumes for use with Amazon EC2 instances. However, EBS snapshots, which are backups of your EBS volumes, can be made public, leading to potential data exposure. When an EBS snapshot is made public, anyone on AWS can create a volume based on your snapshot, potentially accessing sensitive data.

To identify public EBS snapshots, you can use the AWS API or AWS CLI. The AWS CLI command aws ec2 describe-snapshots --restorable-by-user-ids all can be used to pull a list of public EBS snapshots. This command returns all snapshots that can be restored by any AWS account.

Tools like Prowler, an open-source security tool, can also be used to find exposed EBS snapshots in your account. Prowler provides a comprehensive security assessment report, including information about public EBS snapshots.

When an EBS snapshot is made public, AWS CloudTrail generates an ec2:ModifySnapshotAttribute event. Monitoring CloudTrail logs for such events can help you identify and respond to instances where EBS snapshots are made public.

Securing S3 Buckets and CloudFront Distributions

Amazon S3 buckets, if orphaned or misconfigured, can pose significant security risks. An attacker can claim an orphaned S3 bucket and use it to serve malicious content. This can lead to data breaches, tarnish your brand reputation, and potentially lead to legal repercussions.

The attacker can then update the CloudFront distribution or DNS record to point to the malicious S3 bucket, further escalating the potential damage. Therefore, it's crucial to ensure that S3 buckets are not orphaned and are properly configured.

Monitoring for unusual changes to CloudFront distributions or DNS records can help detect potential security incidents early. Regular auditing of AWS resources is also essential to ensure they are not orphaned and are configured according to best practices.

Misconfigured AWS Resources and GuardDuty

Misconfigured AWS resources, such as Elastic Container Registry (ECR) resource policies, can be exploited by attackers to push or pull Docker images, modify instance attributes, or serve malicious content from orphaned S3 buckets. These actions can lead to data breaches, unauthorized changes, and potential system compromises.

Attackers can escalate privileges by modifying instance attributes, exploiting user data, or modifying Route53 records. They can also bypass AWS GuardDuty detections by modifying the user agent string, using a VPN or proxy, modifying the GuardDuty configuration, or using VPC Endpoints.

GuardDuty is a crucial security service in AWS that can detect unusual activity, such as the use of IAM credentials outside of EC2, unusual user agent strings, or unusual IP addresses. However, its effectiveness relies on proper configuration and continuous monitoring.

To ensure a secure AWS environment, it's important to properly configure AWS resources, monitor for unusual activity in the CloudTrail logs, and ensure that GuardDuty is properly configured to detect unusual activity. Regular security audits and proactive security measures can go a long way in maintaining a secure AWS environment.

AWS CloudShell, SSM Agent, and Lambda Functions

AWS CloudShell is a browser-based shell that makes it easy to securely manage, explore, and interact with your AWS resources. It can be used to create console sessions and extract IAM credentials, providing a convenient way to manage AWS resources.

However, the Systems Manager (SSM) Agent, which allows EC2 instances to communicate with Systems Manager services, can pose risks if not properly secured. If an attacker gains access to an EC2 instance or its IAM credentials, they can spoof the agent and intercept EC2 Messages and SSM Sessions, potentially gaining unauthorized access to sensitive data.

In the context of AWS Lambda, a serverless compute service, establishing persistence after gaining remote code execution can be a significant security concern. This can be achieved by backdooring the Python and Ruby runtimes, which involves modifying the runtime with some logic to backdoor it and hosting it in a location accessible for the Lambda function to pull down.

To detect such activities, setting up a listener to receive leaked events can be beneficial. This can be done via post requests to an Nginx server, providing a simple yet effective way to monitor for potential security incidents.

Role Chain Juggling, S3 ACL Access Control, and User Data Scripts

Role chain juggling is a technique that can be used to extend access to an AWS account by assuming multiple IAM roles in a chain. This technique can be exploited by attackers to maintain persistent access to an AWS account, highlighting the importance of monitoring and managing IAM roles effectively.

Shell commands can be run on EC2 instances via ssm:SendCommand or ssm:StartSession. By default, these commands are not logged to CloudTrail, creating potential blind spots in your security monitoring.

S3 Access Control Lists (ACLs) can be used to maintain access to S3 resources by allowing other AWS accounts to read or write objects, buckets, and bucket ACLs. However, the Bucket Public Access Block feature can prevent S3 bucket ACLs from being configured to allow public access, but it does not block the sharing of an S3 object to a specific account.

User data scripts, which are run when an EC2 instance is first started or after a reboot, can be used to maintain access to an EC2 instance and its IAM role. These scripts can be exploited by attackers to maintain persistent access to an EC2 instance, underscoring the importance of securing user data scripts.


In conclusion, while AWS provides a robust and versatile platform for cloud computing, it also presents a complex landscape where security must be diligently maintained. From understanding the default settings of AWS Organizations and CloudTrail to managing IAM credentials, EBS snapshots, and S3 buckets, every aspect of AWS requires careful attention.

The potential risks associated with misconfigured resources, the misuse of services like CloudShell and SSM Agent, and the exploitation of Lambda functions highlight the need for continuous monitoring, regular audits, and proactive security measures. By understanding these risks and implementing the mitigation strategies outlined in this article, organizations can leverage the benefits of AWS while minimizing potential security vulnerabilities.

As with all aspects of cybersecurity, vigilance and regular review are key to maintaining a secure environment. AWS provides a wealth of tools and services to aid in this endeavor, but it is ultimately the responsibility of the user to ensure their AWS environment remains secure.

Ready to find more vulnerabilities than your last pentest?

Unlock your organization's full security potential and uncover even more vulnerabilities than before by choosing our advanced penetration testing services.