Known and Unknowns of AWS Security
AWS states its security posture in its customer agreements, service terms, and published security and compliance documentation. It runs dedicated security teams, provides integrated tooling, and offers support through the console, and its controls span the network, application, identity and access, and infrastructure layers. Tenants do not receive periodic review reports from AWS; instead they can download AWS's third-party audit reports (SOC, ISO, PCI) on demand through AWS Artifact. However, despite this investment in security architecture, AWS is not immune to cyberattacks and breaches.
AWS itself scans EC2 instances and container images for known vulnerabilities with Amazon Inspector, and it permits tenants to run their own penetration tests against most services without prior approval. The AWS Marketplace also offers third-party scanning and testing tools that customers deploy inside their own accounts. Many organizations, however, lack the skills and staff to operate these tools well, and a badly configured tool becomes a liability: an aggressive, unthrottled scan can exhaust a small instance or a rate-limited API and produce a denial-of-service effect on the target, and on neighbouring systems if the target list is wider than the assets the organization actually owns.
Should organizations trust integrated AWS security controls and processes?
AWS's vulnerability reporting policy asks anyone who finds a suspected vulnerability in an AWS-owned component not to publish or share it until AWS has investigated and resolved the issue. AWS then notifies affected customers where necessary.
Who really owns the data in the cloud?
In AWS, the customer decides where data is stored (which Regions and services), who can access it, and how resources are configured. The shared responsibility model divides the work: AWS secures the underlying infrastructure, while the customer secures what it builds on top of it and defines its own security requirements. AWS supplies the building blocks, such as encryption at rest with AWS KMS, TLS for data in transit, and compliance artifacts for global regulatory regimes, but configuring and enforcing them is the customer's job.
Vulnerability scanning, remediation, and penetration testing
A common misconception is that vulnerability scanning and penetration testing are the same thing. They look similar at first glance but serve different purposes. A vulnerability scan, manual or automated, checks systems and networks against a database of known weaknesses and reports what matches; a penetration test then tries to exploit those and other weaknesses to show what an attacker could actually achieve. Scan results are typically rated with the Common Vulnerability Scoring System (CVSS) so that organizations can rank what to fix first.
How are vulnerabilities scored?
The NVD publishes CVSS base scores using both the v2.0 and v3.x standards (v4.0 has since been added as well). A base score captures the intrinsic characteristics of a vulnerability; the NVD does not publish environmental scores, so a tenant must supply its own environmental context (is the host exposed? what does it hold?) to turn a base score into a real priority. No organization has the capacity to patch every vulnerable system at once, so the score is used to decide whether a finding needs an emergency, scheduled, or routine remediation cycle, with the most critical systems patched first.
Remediation Cycles
Scanning identifies vulnerable systems and devices on the network. When a finding is severe enough, the security team can isolate the affected host: remove it from production traffic and hold it in a restricted state until it is fixed. Many third-party tools automate this workflow, including re-scanning the host after remediation or moving it into a sandbox network for a deeper vulnerability assessment or a penetration test.
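An added example (Python using boto3-style calls; not code from this page or from any vendor's tool) of the isolation step described above for an EC2 instance: swap all of the instance's security groups for a quarantine group that permits only the scanner, record the original groups in tags on the instance so the host can be restored after a clean re-scan, and refuse to restore when no record exists. The tag keys, instance ID and security group IDs are hypothetical; FakeEC2 is a constructed stand-in that mimics the response shapes of boto3.client("ec2") so the flow runs offline.

```python
import datetime as dt

# Hypothetical tag keys used to record the pre-quarantine state on the instance itself.
TAG_ORIGINAL_SGS = "Quarantine:OriginalSecurityGroups"
TAG_SINCE = "Quarantine:Since"


def _describe(ec2, instance_id):
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    return resp["Reservations"][0]["Instances"][0]


def current_security_groups(ec2, instance_id):
    """Security group IDs attached to the instance's primary network interface."""
    return [sg["GroupId"] for sg in _describe(ec2, instance_id)["SecurityGroups"]]


def quarantine_instance(ec2, instance_id, quarantine_sg):
    """Replace every security group with the quarantine group and record the originals.

    Returns the original group IDs. Idempotent: an already-quarantined instance
    keeps its existing record instead of overwriting it with the quarantine group.
    """
    inst = _describe(ec2, instance_id)
    tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    if TAG_ORIGINAL_SGS in tags:
        return tags[TAG_ORIGINAL_SGS].split(",")
    original = [sg["GroupId"] for sg in inst["SecurityGroups"]]
    # Record first, then cut access: if the tag write fails, nothing has changed yet.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": TAG_ORIGINAL_SGS, "Value": ",".join(original)},
        {"Key": TAG_SINCE, "Value": dt.datetime.now(dt.timezone.utc).isoformat()},
    ])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return original


def release_instance(ec2, instance_id):
    """Restore the recorded groups after a clean post-remediation scan; never guesses."""
    inst = _describe(ec2, instance_id)
    tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    if TAG_ORIGINAL_SGS not in tags:
        raise RuntimeError(f"{instance_id} has no quarantine record; not changing its groups")
    original = tags[TAG_ORIGINAL_SGS].split(",")
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=original)
    ec2.delete_tags(Resources=[instance_id],
                    Tags=[{"Key": TAG_ORIGINAL_SGS}, {"Key": TAG_SINCE}])
    return original


class FakeEC2:
    """Constructed in-memory stand-in for boto3.client("ec2") so the flow runs offline.

    Only the four calls used above are modelled, with boto3's response shapes.
    """

    def __init__(self, instance_id, groups):
        self._inst = {instance_id: {"InstanceId": instance_id, "Tags": [],
                                    "SecurityGroups": [{"GroupId": g} for g in groups]}}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self._inst[i] for i in InstanceIds]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self._inst[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in Groups]

    def create_tags(self, Resources, Tags):
        keys = {t["Key"] for t in Tags}
        for r in Resources:
            kept = [t for t in self._inst[r]["Tags"] if t["Key"] not in keys]
            self._inst[r]["Tags"] = kept + list(Tags)

    def delete_tags(self, Resources, Tags):
        keys = {t["Key"] for t in Tags}
        for r in Resources:
            self._inst[r]["Tags"] = [t for t in self._inst[r]["Tags"] if t["Key"] not in keys]


if __name__ == "__main__":
    # Offline demonstration on constructed IDs; use boto3.client("ec2") in a real account.
    ec2 = FakeEC2("i-0123456789abcdef0", ["sg-0aaa1111", "sg-0bbb2222"])
    print("originals:", quarantine_instance(ec2, "i-0123456789abcdef0", "sg-0quarantine"))
    print("now attached:", current_security_groups(ec2, "i-0123456789abcdef0"))
    print("released to:", release_instance(ec2, "i-0123456789abcdef0"))
```

Two caveats for real use: the Groups parameter of modify_instance_attribute applies to the primary network interface only, so an instance with additional ENIs needs modify_network_interface_attribute for each of them; and the quarantine group should be created in advance with a single ingress rule for the scanner's address, since a group with no rules would also block the post-remediation scan. Stopping the instance after tagging is a tighter "suspended state" but discards volatile evidence a forensic review may want.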
Pen testing as a valuable sprint
A penetration test is a human-driven exercise that simulates whether an attacker can compromise a vulnerable system, before or after a remediation cycle. It costs far more than an automated scan, but it uncovers risks a scanner cannot see, such as logic flaws and chains of individually low-severity weaknesses. Not every system needs a penetration test after remediation; the most critical ones, and those that map to a compliance framework or security audit, should go through a pen-test work stream. The post-test report gives the client a list of findings, potential compliance gaps, and the weaknesses that were actually exploited.
Define the level of risk on your systems
Regular vulnerability scans show how effective your security measures are and reveal whether controls are failing to protect corporate systems. Vendors frequently require customers to patch their products, and when operations teams cannot keep pace with the stream of patches and updates, scans flag those systems as high- or low-risk according to what is outstanding. If the SecOps team is perpetually inundated with findings from one product, that is a sign the software is poorly maintained; in such cases, weigh whether to keep the vendor or replace the solution entirely.
Leveraging third-party vulnerability scanning and penetration testing teams outside AWS
AWS historically required customers to request and receive prior approval before running any vulnerability assessment or penetration test against resources in their accounts. In 2019 AWS dropped the approval requirement for a defined set of services, so tenants may now scan and test, among others, EC2 instances, NAT gateways, Elastic Load Balancers, Amazon RDS, CloudFront, Amazon API Gateway, Lambda and Lambda@Edge functions, and Elastic Beanstalk environments without asking first. Anything resembling a denial-of-service or load test still needs explicit authorization or is prohibited outright.
The most practical way to scan AWS workloads is to deploy the scanning appliance as an instance inside the VPC, where it reaches private addresses directly instead of through the public edge. Which appliance to use depends on your enterprise scanning requirements and the expertise of your security administrators; AWS's own Amazon Inspector is the baseline to compare any appliance against.
Many appliances are designed around AWS's shared responsibility model so that enterprises do not violate AWS's penetration testing and vulnerability scanning rules; third-party vendors such as CYBRI provide such tools. Independently of the tooling, AWS's vulnerability reporting policy lists activities that are out of scope for any testing against its infrastructure, and a tenant's own scans must respect the same limits:
- “Targeting assets of AWS customers or non-AWS sites hosted on our infrastructure
- Any vulnerability obtained through the compromise of AWS customer or employee accounts
- Any Denial of Service (DoS) attack against AWS products or AWS customers
- Physical attacks against AWS employees, offices, and data centers
- Social engineering of AWS employees, contractors, vendors, or service providers
- Knowingly posting, transmitting, uploading, linking to, or sending malware
- Pursuing vulnerabilities which send unsolicited bulk messages (spam)”
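The first item on that list, and the earlier warning about scans spilling onto neighbouring systems in the same IP range, come down to one practical control: never hand a scanner a target that is not yours. The following Python is an added example, not code from this page or from AWS, of enforcing that before a scan starts. It builds the set of addresses attached to network interfaces in the account and region (which covers EC2 as well as the interfaces AWS creates for ELB, RDS and NAT gateways), then expands the scanner's target list and rejects any host outside that set or any range too wide to plausibly be yours. The ENI inventory, target list and FakeEC2 client are constructed so it runs offline; in a real account the client is boto3.client("ec2").

```python
import ipaddress

# Refuse to expand anything wider than this many addresses: such ranges sweep other tenants.
MAX_RANGE = 4096


def owned_addresses(ec2):
    """Every IPv4/IPv6 address attached to an ENI in this account and region."""
    owned = set()
    paginator = ec2.get_paginator("describe_network_interfaces")
    for page in paginator.paginate():
        for eni in page["NetworkInterfaces"]:
            for pip in eni.get("PrivateIpAddresses", []):
                owned.add(ipaddress.ip_address(pip["PrivateIpAddress"]))
                if "Association" in pip:   # public or Elastic IP mapped to this private IP
                    owned.add(ipaddress.ip_address(pip["Association"]["PublicIp"]))
            for v6 in eni.get("Ipv6Addresses", []):
                owned.add(ipaddress.ip_address(v6["Ipv6Address"]))
    return owned


def validate_scope(targets, owned):
    """Expand scanner targets (single IPs or CIDRs) into hosts to scan and hosts to reject.

    Returns (allowed, rejected); rejected holds (target, reason) pairs for the report.
    """
    allowed, rejected = [], []
    for target in targets:
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            rejected.append((target, "not an IP address or CIDR range"))
            continue
        if net.num_addresses > MAX_RANGE:
            rejected.append((target, f"range of {net.num_addresses} addresses is too wide to be yours"))
            continue
        hosts = [net.network_address] if net.num_addresses == 1 else list(net.hosts())
        for host in hosts:
            if host in owned:
                allowed.append(str(host))
            else:
                rejected.append((str(host), "not attached to any ENI in this account"))
    return allowed, rejected


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2") with a one-page describe_network_interfaces."""

    def __init__(self, enis):
        self._enis = enis

    def get_paginator(self, operation):
        assert operation == "describe_network_interfaces"
        enis = self._enis

        class _Paginator:
            def paginate(self, **kwargs):
                yield {"NetworkInterfaces": enis}

        return _Paginator()


# Constructed inventory: one EC2 instance with a public IP in TEST-NET-3, one RDS interface.
SAMPLE_ENIS = [
    {"PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.4",
                             "Association": {"PublicIp": "203.0.113.10"}}]},
    {"PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.20"}]},
]
# Constructed target list: includes a neighbour's public IP and an entire /16.
SAMPLE_TARGETS = ["203.0.113.10", "203.0.113.11", "10.0.2.20", "10.0.1.0/29", "198.51.100.0/16"]

if __name__ == "__main__":
    allowed, rejected = validate_scope(SAMPLE_TARGETS, owned_addresses(FakeEC2(SAMPLE_ENIS)))
    print("scan:", allowed)
    for target, reason in rejected:
        print("skip:", target, "-", reason)
```

Run this in every account and Region the scanner covers, since ENIs are regional, and rerun it immediately before each scan rather than once at onboarding: public IPs on instances without an Elastic IP change on stop/start, so yesterday's address may belong to another customer today.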
Vulnerability assessments are not a one-and-done process. Regular scanning ensures that newly disclosed security holes are found and remediated in a timely manner.
Summary
As an AWS tenant, engaging third-party penetration testing and vulnerability scanning teams is a necessity: it provides an independent check and balance on both your own configuration and the platform. AWS is widely recognized for excellent security architecture, controls, and processes, but no system or cloud instance is perfect. Expert third-party testers provide insight beyond AWS's own view, support real-time compliance checks, validate that security standards are being followed, and enable continuous monitoring of all critical systems.