AWS Security

5 automated security scanners


Purpose: The AWS Network Security Scanner is designed to analyze and assess the security posture of Amazon Web Services (AWS) networks by identifying misconfigurations in security groups, overly permissive network ACLs, publicly exposed resources, VPC configuration weaknesses, and potential issues with network segmentation that could lead to unauthorized access or data exfiltration.

What It Detects:

  • Public IP Enumeration: This includes the enumeration of EC2 instances with public IPs, detection of Elastic IPs associated with the account, identification of publicly accessible Elastic Load Balancers (ELBs), and identification of publicly accessible RDS instances.
  • Security Group Analysis: This involves detecting inbound rules allowing access from 0.0.0.0/0, checking for unrestricted SSH (port 22) and RDP (port 3389) access, validation of database port exposures, and the flagging of overly permissive egress rules.
  • Network ACL Validation: This includes checks for permissive Network ACL (NACL) rules, detection of missing deny rules, validation of ephemeral port restrictions, identification of NACL misconfigurations, and the flagging of default NACL usage.
  • VPC Configuration: This entails enumerating all VPCs in the account/region, checking the status of VPC flow logs, identifying internet gateway attachments, validating DNS hostnames settings, and determining if default VPCs are being used.
  • Resource Exposure: This includes testing S3 buckets for public access, checking RDS snapshot permissions, detecting public EBS snapshots, validating API Gateway endpoints, and identifying Lambda function URLs.

Inputs Required:

  • aws_account_id (string): AWS 12-digit account ID
  • aws_region (string): AWS region (e.g., us-east-1)

Business Impact: Misconfigurations in AWS networks can create significant security vulnerabilities, potentially allowing unauthorized individuals to access sensitive data or systems, leading to severe consequences such as data breaches and financial loss. This highlights the importance of maintaining a secure network infrastructure on AWS platforms.

Risk Levels:

  • Critical: Conditions that result in widespread exposure of public IPs, unrestricted SSH/RDP access, missing VPC flow logs, public subnets hosting sensitive workloads, or overly permissive peering connections are considered critical risks.
  • High: High-risk conditions involve significant exposure through security groups and NACLs, such as the allowance of inbound traffic from all IP addresses without restriction, which can lead to brute force attacks and unauthorized access.
  • Medium: Medium-risk conditions include misconfigurations that may not directly expose sensitive data but could be exploited in conjunction with other vulnerabilities or misconfigurations, potentially enabling lateral movement within the network.
  • Low: Low-risk findings are those that do not pose a significant threat to network security and primarily represent informational issues requiring attention for continuous improvement.
  • Info: Informational findings include minor deviations from best practices that do not directly impact security but can be improved for operational efficiency or compliance with AWS guidelines.

Example Findings:

  • A security group allowing inbound traffic from 0.0.0.0/0 on port 22, enabling unrestricted SSH access.
  • An RDS instance accessible via a public IP address, posing a risk of unauthorized data exposure.
  • A VPC with no flow logs enabled, making it difficult to detect and respond to malicious activities in real-time.
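An added example, not code from the page or from any of these scanners, implementing the security-group checks from the list above with the Critical/High/Medium mapping from Risk Levels. It assumes input shaped like the `SecurityGroups` list of boto3's `ec2.describe_security_groups()` and uses a constructed sample so it runs offline:

```python
"""Security-group checks in the shape of the page's scanner.
Assumption: `groups` is boto3's ec2.describe_security_groups()["SecurityGroups"];
the sample below is constructed by hand in that shape so it runs offline."""

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
DB_PORTS = {1433: "MSSQL", 1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL",
            6379: "Redis", 27017: "MongoDB"}

def _open_to_world(perm: dict) -> bool:
    """True when any CIDR on the rule is 0.0.0.0/0 or ::/0."""
    return (any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])))

def _covers(perm: dict, port: int) -> bool:
    if perm.get("IpProtocol") == "-1":          # all protocols, all ports
        return True
    return perm.get("IpProtocol") == "tcp" and perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)

def analyze_security_groups(groups: list[dict]) -> list[dict]:
    """Critical: world-open SSH/RDP. High: other world-open inbound. Medium: allow-all egress."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):            # inbound rules
            if not _open_to_world(perm):
                continue
            admin = [n for p, n in ADMIN_PORTS.items() if _covers(perm, p)]
            if admin:
                findings.append({"group": gid, "risk": "Critical",
                                 "detail": f"unrestricted {'/'.join(admin)} from the internet"})
                continue
            dbs = [n for p, n in DB_PORTS.items() if _covers(perm, p)]
            detail = "database port exposed: " + ", ".join(dbs) if dbs else "inbound rule open to 0.0.0.0/0 or ::/0"
            findings.append({"group": gid, "risk": "High", "detail": detail})
        for perm in sg.get("IpPermissionsEgress", []):      # outbound rules (the default SG egress looks like this)
            if perm.get("IpProtocol") == "-1" and _open_to_world(perm):
                findings.append({"group": gid, "risk": "Medium",
                                 "detail": "egress allows all protocols to anywhere"})
    return findings

# Constructed sample: a bastion-style group open on 22, and a DB group scoped to 10.0.0.0/8.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": []},
]
```

Running `analyze_security_groups(SAMPLE_GROUPS)` yields the page's first example finding (unrestricted SSH from 0.0.0.0/0) as Critical, and the allow-all egress rule as Medium, while the DB group scoped to a private range produces nothing.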


Purpose: The AWS Service-Specific Security Scanner is designed to identify and assess potential security vulnerabilities in AWS service configurations. It focuses on detecting misconfigurations such as public Lambda function exposures, API Gateway without authentication, RDS instances accessible from the internet, ECS/EKS task definitions with plaintext secrets, and public container registries that leak images.

What It Detects:

  • Lambda Function Exposure: The scanner detects public Lambda function URLs and unauthenticated invocations, tests whether those functions are reachable, and identifies exposed environment variables and resource-based policies.
  • API Gateway Security: The scanner enumerates public API endpoints, tests for missing authentication mechanisms, checks rate limiting configurations, validates CORS settings, and detects exposed API keys.
  • Container Service Security: It checks ECR repository permissions, detects public container images, tests ECS task definition exposure, validates EKS cluster endpoints, and identifies public container registries.
  • Database Exposure: The scanner tests RDS instance public accessibility, checks for the presence of public snapshots, validates security group rules, detects open database ports, and tests connection endpoints to databases.
  • Serverless Application Exposure: It examines SAM/CDK deployment artifacts, detects exposed application configurations, tests CloudFormation template access, validates deployment bucket permissions, and identifies leaked service credentials.

Inputs Required:

  • aws_account_id (string): AWS 12-digit account ID
  • aws_region (string): AWS region (e.g., us-east-1)

Business Impact: Misconfigurations in AWS services can lead to unauthorized access and service compromise, potentially resulting in data breaches or other security incidents. This scanner helps organizations proactively identify and mitigate these risks by providing detailed reports on potential vulnerabilities.

Risk Levels:

  • Critical: Public Lambda function URLs that are accessible without authentication pose a critical risk as they enable unauthenticated invocations.
  • High: Multiple public API endpoints or significant exposure of environment variables can be considered high-risk scenarios, especially if the APIs lack proper authentication mechanisms.
  • Medium: The presence of public container images in repositories and exposed database ports are medium-risk indicators that should be addressed to enhance security posture.
  • Low: Informational findings such as leaked service credentials or minor misconfigurations might not directly impact security but still need attention for overall operational efficiency and compliance.
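An added example, not code from the page or from these scanners, covering two of the checks above: a Lambda function URL whose AuthType is NONE, secret-looking environment variable names, and an API Gateway method with no authorizer and no API key. It assumes inputs shaped like boto3's `lambda.get_function_url_config()`, the `Environment.Variables` map from `get_function_configuration()`, and `apigateway.get_method()`; the inventories are constructed:

```python
"""Serverless exposure checks modelled on the page's scanner.
Assumption: `url_cfg` is shaped like boto3's lambda.get_function_url_config() response,
`env` like get_function_configuration()["Environment"]["Variables"], and `method` like
apigateway.get_method(); the samples below are constructed, not read from an account."""

SECRET_HINTS = ("SECRET", "PASSWORD", "PASSWD", "TOKEN", "API_KEY", "PRIVATE_KEY")

def check_function_url(fn_name: str, url_cfg: dict, env: dict[str, str]) -> list[dict]:
    """AuthType NONE makes the URL invokable by anyone; AWS_IAM requires a signed request."""
    out = []
    if url_cfg and url_cfg.get("AuthType") == "NONE":
        out.append({"resource": fn_name, "risk": "Critical",
                    "detail": f"function URL {url_cfg.get('FunctionUrl')} accepts unauthenticated invocations"})
    exposed = sorted(k for k in env if any(h in k.upper() for h in SECRET_HINTS))
    if exposed:   # the page flags exposed environment variables; key names are the cheap signal
        out.append({"resource": fn_name, "risk": "High",
                    "detail": "secret-looking environment variables: " + ", ".join(exposed)})
    return out

def check_api_method(api_id: str, path: str, method: dict) -> list[dict]:
    """A REST API method with authorizationType NONE and no API key is an open endpoint."""
    verb = method.get("httpMethod", "?")
    if method.get("authorizationType") == "NONE" and not method.get("apiKeyRequired"):
        return [{"resource": f"{api_id} {verb} {path}", "risk": "High",
                 "detail": "endpoint has no authorizer and does not require an API key"}]
    return []

def scan(functions: dict, apis: list[tuple]) -> list[dict]:
    """Run both checks over the inventories and sort Critical first."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}
    findings = []
    for name, (url_cfg, env) in functions.items():
        findings += check_function_url(name, url_cfg, env)
    for api_id, path, method in apis:
        findings += check_api_method(api_id, path, method)
    return sorted(findings, key=lambda f: order[f["risk"]])

# Constructed inventory: one function with an open URL and a password in its env, one locked down.
SAMPLE_FUNCTIONS = {
    "orders-api": ({"FunctionUrl": "https://example-url-id.lambda-url.us-east-1.on.aws/", "AuthType": "NONE"},
                   {"LOG_LEVEL": "info", "DB_PASSWORD": "constructed-placeholder"}),
    "nightly-report": ({"FunctionUrl": "https://example2.lambda-url.us-east-1.on.aws/", "AuthType": "AWS_IAM"},
                       {"LOG_LEVEL": "warn"}),
}
SAMPLE_APIS = [("a1b2c3d4e5", "/orders", {"httpMethod": "GET", "authorizationType": "NONE", "apiKeyRequired": False}),
               ("a1b2c3d4e5", "/admin", {"httpMethod": "POST", "authorizationType": "AWS_IAM", "apiKeyRequired": False})]
```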


Example Findings:


Purpose: The AWS IAM Security Scanner is designed to analyze and assess the security posture of AWS Identity and Access Management (IAM) configurations. It aims to identify potential risks such as public exposure of credentials, overly permissive policies, privilege escalation paths, misconfigurations that could lead to unauthorized access or account compromise, and more.

What It Detects:

  • Public Credential Exposure: The scanner searches for leaked AWS keys on GitHub/Pastebin, checks public S3 buckets for credential files, detects hardcoded credentials in public repositories, monitors certificate transparency logs, and flags exposed access key patterns.
  • IAM Policy Analysis: It identifies overly permissive policies (Action: "*"), pinpoints privilege escalation paths, checks for missing resource restrictions, validates condition key usage, and flags admin policies on service accounts.
  • MFA Enforcement: The scanner verifies the status of Multi-Factor Authentication (MFA) enforcement for both the root account and privileged users, detects API-only users without MFA, validates the types of MFA devices used, and flags accounts with mechanisms to bypass MFA.
  • Credential Hygiene: It identifies unused access keys older than 90 days, detects inactive IAM users, checks password rotation policies, and flags service accounts that have console access. Additionally, it ensures compliance with key rotation schedules.
  • Cross-Account Trust: The scanner enumerates cross-account role trusts, detects overly permissive trust policies, checks for external account access, validates conditions under which roles can be assumed, and identifies suspicious trust relationships.

Inputs Required:

  • aws_account_id (string): AWS 12-digit account ID (e.g., 403745272070)

Business Impact: IAM misconfigurations pose significant risks to security, as they can enable unauthorized access and escalate privileges within an organization’s AWS environment. This may lead to data breaches, financial loss, operational disruptions, and damage to reputation.

Risk Levels:

  • Critical: Overly permissive policies that allow for lateral movement across accounts or the ability to bypass least privilege can result in critical risks.
  • High: Missing MFA on privileged accounts or unmanaged service accounts without proper restrictions can lead to high-risk scenarios, especially if these accounts have access to sensitive information.
  • Medium: Unused credentials and inactive IAM users may not directly pose a high risk but contribute to an increased attack surface and should be addressed for better security hygiene.
  • Low: Informational findings regarding credential hygiene or compliance with certain AWS configurations can be considered low risk unless they are part of larger misconfigurations that could lead to higher risks.

Example Findings: The scanner might flag a policy allowing full administrative actions on all services as critical, identify an IAM user without MFA as high risk, and detect unused access keys older than 90 days as medium risk.
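An added example, not code from the page or from these scanners, that produces the three findings named above: a policy with Action "*" on Resource "*" as Critical, an unscoped Allow with no Condition as High, and an active access key unused for more than 90 days as Medium. It assumes a decoded IAM policy document and key records shaped like boto3's `list_access_keys()` metadata merged with the `LastUsedDate` from `get_access_key_last_used()`; all sample data is constructed:

```python
"""IAM checks modelled on the page's scanner: wildcard policies and stale access keys.
Assumption: `doc` is a decoded IAM policy document (iam.get_policy_version()["PolicyVersion"]["Document"]);
each key record merges iam.list_access_keys()["AccessKeyMetadata"] with the LastUsedDate from
iam.get_access_key_last_used(). All sample data below is constructed."""
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE_DAYS = 90   # the page's threshold for unused keys

def _as_list(v) -> list:
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return v if isinstance(v, list) else [v]

def analyze_policy(name: str, doc: dict) -> list[dict]:
    """Critical: Allow Action * (or NotAction) on Resource *. High: Allow on Resource * with no Condition."""
    out = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        all_actions = "*" in actions or "NotAction" in st   # NotAction grants everything not listed
        all_resources = "*" in _as_list(st.get("Resource", []))
        if all_actions and all_resources:
            out.append({"policy": name, "risk": "Critical", "detail": "full admin: Action * on Resource *"})
        elif all_resources and not st.get("Condition"):
            out.append({"policy": name, "risk": "High",
                        "detail": "no resource restriction or condition for " + ", ".join(actions)})
    return out

def stale_access_keys(keys: list[dict], now: datetime) -> list[dict]:
    """Medium: an active key not used (or, if never used, not created) within KEY_MAX_AGE_DAYS."""
    out = []
    for k in keys:
        last = k.get("LastUsedDate") or k["CreateDate"]
        idle_days = (now - last).days
        if k.get("Status") == "Active" and idle_days > KEY_MAX_AGE_DAYS:
            out.append({"user": k["UserName"], "key": k["AccessKeyId"], "risk": "Medium",
                        "detail": f"active access key idle for {idle_days} days"})
    return out

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current time" for the sample
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_KEYS = [  # access key ids are placeholders
    {"UserName": "deploy-bot", "AccessKeyId": "AKIA_PLACEHOLDER_1", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200), "LastUsedDate": NOW - timedelta(days=120)},
    {"UserName": "alice", "AccessKeyId": "AKIA_PLACEHOLDER_2", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": NOW - timedelta(days=2)},
]
```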



Purpose: The AWS Logging & Monitoring Scanner is designed to evaluate and analyze the logging and monitoring configurations within an Amazon Web Services (AWS) environment. It aims to identify potential gaps in CloudTrail logs, VPC flow logs, CloudWatch metrics, S3 access logs, and configuration recordings that could expose sensitive information or facilitate unauthorized activities.

What It Detects:

  • CloudTrail Configuration:
    • Checks for the existence of CloudTrail trails.
    • Identifies disabled or non-multi-region CloudTrail trails.
    • Verifies log file validation and S3 bucket encryption settings.
  • VPC Flow Logs:
    • Enumerates VPCs without any flow logs enabled.
    • Checks the destinations for flow logs and validates their format settings.
    • Detects disabled or improperly configured flow logging.
    • Verifies log retention periods to ensure they are adequate.
  • CloudWatch Logs:
    • Ensures that appropriate log groups have been created.
    • Validates the retention settings for these logs.
    • Identifies missing metric filters and checks for encryption at rest.
    • Verifies log exports to other AWS services or external destinations.
  • S3 Access Logging:
    • Tests whether S3 buckets are configured with access logging.
    • Checks the server access logging settings to ensure they capture all necessary requests.
    • Validates the target buckets for logged data and detects any missing request logging.
    • Verifies the delivery of log files according to specified configurations.
  • Configuration Recording:
    • Checks the status of AWS Config to determine if it is recording configurations properly.
    • Ensures that configuration snapshots are taken at regular intervals.
    • Detects any disabled or improperly configured recording mechanisms.
    • Verifies the delivery channels and history of configuration changes.

Inputs Required:

  • aws_account_id (string): AWS 12-digit account ID.
  • aws_region (string): AWS region (e.g., us-east-1).

Business Impact: Inadequate logging and monitoring can significantly hinder the ability to detect, investigate, and respond to security incidents effectively. Disabled or improperly configured logs can provide a blind spot for attackers, allowing them to operate undetected and potentially escalate privileges or exfiltrate data. Compliance violations may also go unnoticed if log retention periods are too short or if critical configurations are not properly monitored.

Risk Levels:

  • Critical: This risk level applies when there is evidence of a critical vulnerability such as disabled CloudTrail trails, missing VPC flow logs, inadequate log retention settings, unmonitored API calls, or significant gaps in audit trails that could hide malicious activity.
  • High: Applies to situations where multiple exposures are detected, but the overall risk is not as severe as with a critical exposure. This might include cases of disabled CloudWatch metrics, missing S3 access logs, or improperly configured log destinations.
  • Medium: Indicates medium severity when there are fewer than five exposures but more than two, suggesting a potential area for improvement in logging and monitoring practices.
  • Low: Used for findings that do not pose an immediate threat but still represent suboptimal security configurations. This could include minor issues with log retention or the absence of certain types of logs like S3 access logs.
  • Info: Reserved for informational findings that are useful for understanding the current state of logging and monitoring without necessarily indicating a high risk.

Example Findings:

  • “Critical: CloudTrail trail is disabled.”
  • “High: VPC flow log configuration does not meet security standards.”
  • “Medium: Log retention period for CloudWatch logs is too short.”
  • “Low: S3 bucket logging is missing for certain important actions.”

This scanner helps in assessing the current state of AWS environment’s logging and monitoring practices, providing insights into potential vulnerabilities that could be exploited by malicious actors.
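An added example, not code from the page or from these scanners, implementing the CloudTrail, VPC flow log and CloudWatch retention checks described above with the page's severities (a trail that is missing or not logging and a VPC with no flow log are Critical; short retention is Medium, matching the example finding). It assumes inputs shaped like boto3's `describe_trails()`, `get_trail_status()`, `describe_flow_logs()` and `describe_log_groups()` responses, a 365-day retention threshold that is an assumption, and constructed inventories:

```python
"""Logging-gap checks modelled on the page's scanner.
Assumption: inputs are shaped like boto3's cloudtrail.describe_trails()["trailList"],
cloudtrail.get_trail_status() (keyed by trail name), ec2.describe_flow_logs()["FlowLogs"]
and logs.describe_log_groups()["logGroups"]; every sample below is constructed."""

MIN_RETENTION_DAYS = 365   # assumed threshold; the page only says retention must be "adequate"

def check_cloudtrail(trails: list[dict], status: dict[str, dict]) -> list[dict]:
    """Critical: no trail / not logging. High: single-region. Medium: validation off. Low: no KMS key."""
    if not trails:
        return [{"resource": "account", "risk": "Critical", "detail": "no CloudTrail trail exists"}]
    out = []
    for t in trails:
        name = t["Name"]
        if not status.get(name, {}).get("IsLogging", False):
            out.append({"resource": name, "risk": "Critical", "detail": "trail exists but is not logging"})
        if not t.get("IsMultiRegionTrail"):
            out.append({"resource": name, "risk": "High", "detail": "trail covers a single region only"})
        if not t.get("LogFileValidationEnabled"):
            out.append({"resource": name, "risk": "Medium", "detail": "log file validation is disabled"})
        if not t.get("KmsKeyId"):
            out.append({"resource": name, "risk": "Low", "detail": "log files are not KMS-encrypted"})
    return out

def vpcs_without_flow_logs(vpc_ids: set[str], flow_logs: list[dict]) -> list[dict]:
    """Critical: a VPC with no ACTIVE flow log attached at the VPC level."""
    covered = {f["ResourceId"] for f in flow_logs if f.get("FlowLogStatus") == "ACTIVE"}
    return [{"resource": v, "risk": "Critical", "detail": "no active VPC flow log"}
            for v in sorted(vpc_ids - covered)]

def check_log_groups(groups: list[dict]) -> list[dict]:
    """Medium: retention shorter than MIN_RETENTION_DAYS. Low: no KMS key on the group."""
    out = []
    for g in groups:
        days = g.get("retentionInDays")      # absent means "never expire"
        if days is not None and days < MIN_RETENTION_DAYS:
            out.append({"resource": g["logGroupName"], "risk": "Medium", "detail": f"retention is only {days} days"})
        if not g.get("kmsKeyId"):
            out.append({"resource": g["logGroupName"], "risk": "Low", "detail": "log group is not KMS-encrypted"})
    return out

# Constructed inventory: a single-region trail that is logging, one VPC without flow logs, a 7-day log group.
SAMPLE_TRAILS = [{"Name": "org-trail", "S3BucketName": "example-trail-bucket",
                  "IsMultiRegionTrail": False, "LogFileValidationEnabled": True}]
SAMPLE_STATUS = {"org-trail": {"IsLogging": True}}
SAMPLE_VPCS = {"vpc-0aaa", "vpc-0bbb"}
SAMPLE_FLOW_LOGS = [{"FlowLogId": "fl-0aaa", "ResourceId": "vpc-0aaa", "FlowLogStatus": "ACTIVE",
                     "LogDestinationType": "cloud-watch-logs"}]
SAMPLE_LOG_GROUPS = [{"logGroupName": "/aws/lambda/orders", "retentionInDays": 7}]
```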


Purpose: The AWS Data Protection Scanner is designed to evaluate and report on the security posture of Amazon Web Services (AWS) data protection controls. It aims to identify vulnerabilities such as unencrypted S3 buckets, publicly accessible storage, inadequate encryption settings, missing backup policies, and potential risks that could lead to data breaches or compliance violations.

What It Detects:

  • S3 Bucket Security: Enumerates publicly accessible buckets, checks bucket ACL permissions, detects missing encryption settings, validates versioning status, and tests for public read/write access.
  • Encryption Status: Checks default encryption settings, detects unencrypted S3 objects, validates KMS key usage, identifies whether the buckets use SSE-S3 or SSE-KMS, and flags buckets without encryption.
  • Access Control: Tests bucket policy permissions, checks for public access blocks, detects overly permissive ACLs, validates CORS configurations, and identifies anonymous access.
  • Data Lifecycle: Checks versioning configuration, validates lifecycle policies, detects missing MFA delete, verifies replication settings, and checks object lock status.
  • Public Exposure: Tests bucket URL accessibility, checks for directory listing, detects exposed backup files, validates static website hosting, and identifies leaked credentials in objects.

Inputs Required:

  • s3_bucket (string): The name of the S3 bucket being analyzed.
  • aws_region (string): The AWS region where the S3 bucket is located.

Business Impact: Identifying unencrypted data and public exposure in AWS environments can significantly impact an organization’s security posture, as it could lead to unauthorized access, data breaches, and potential compliance violations.

Risk Levels:

  • Critical: This risk level applies when there are multiple critical findings such as public read/write access, directory listing enabled, or more than three exposed objects detected.
  • High: Applies when significant risks like public accessibility, encryption issues, or overly permissive ACLs are present.
  • Medium: Indicates moderate risks where the bucket is accessible but lacks proper encryption settings or versioning.
  • Low: Informs about low-risk scenarios where no critical issues are found, and the bucket is not publicly accessible.
  • Info: Used for informational findings that do not directly impact security but may require attention for better management of AWS resources.

Example Findings:

  • “Bucket allows public directory listing, which exposes sensitive data.”
  • “Unencrypted S3 object detected in a critical application environment.”
  • “Publicly accessible bucket poses significant risk to data integrity and confidentiality.”
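An added example, not code from the page or from these scanners, that evaluates one bucket against the checks above (public access block, public ACL grants, default encryption, versioning and MFA delete, website hosting) and rolls the findings up with the page's risk ladder, so that public read with listing exposed is Critical and a bucket with no findings is reported Low. It assumes inputs shaped like the relevant boto3 S3 responses, with `None` standing for a call that raised because no configuration exists; both sample buckets are constructed:

```python
"""S3 bucket posture check using the page's risk ladder (Critical > High > Medium > Low > Info).
Assumption: `pab` is boto3's get_public_access_block()["PublicAccessBlockConfiguration"] (None if
the call raised NoSuchPublicAccessBlockConfiguration), `grants` is get_bucket_acl()["Grants"],
`sse_algorithm` is the default rule's SSEAlgorithm (None if get_bucket_encryption raised),
`versioning` is get_bucket_versioning(); `website_enabled` is True when get_bucket_website succeeded.
All sample data is constructed."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
RISK_ORDER = ["Info", "Low", "Medium", "High", "Critical"]

def bucket_findings(pab, grants: list[dict], sse_algorithm, versioning: dict, website_enabled: bool) -> list[tuple]:
    """Return (risk, detail) pairs for one bucket."""
    f = []
    blocks_all = bool(pab) and all(pab.get(k) for k in PAB_KEYS)
    if not blocks_all:
        f.append(("High", "public access block is not fully enabled"))
        # ACL grants to AllUsers/AuthenticatedUsers only take effect when the block does not ignore them
        perms = {g["Permission"] for g in grants if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)}
        if perms & {"WRITE", "FULL_CONTROL"}:
            f.append(("Critical", "ACL grants public write"))
        elif "READ" in perms:
            f.append(("Critical", "ACL grants public read, so the object listing is exposed"))
    if sse_algorithm is None:
        f.append(("High", "no default server-side encryption"))
    elif sse_algorithm == "AES256":
        f.append(("Info", "SSE-S3 in use; SSE-KMS gives key-level access control and audit"))
    if versioning.get("Status") != "Enabled":
        f.append(("Medium", "versioning is not enabled"))
    elif versioning.get("MFADelete") != "Enabled":
        f.append(("Low", "MFA delete is not enabled"))
    if website_enabled:
        f.append(("Medium", "static website hosting is enabled"))
    return f

def overall_risk(findings: list[tuple]) -> str:
    """Highest risk present; a bucket with no findings is reported as Low, as the page does."""
    return max((risk for risk, _ in findings), key=RISK_ORDER.index, default="Low")

# Constructed samples: an exposed bucket and a hardened one.
EXPOSED = dict(pab={"BlockPublicAcls": True, "IgnorePublicAcls": False, "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
               grants=[{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
                       {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}],
               sse_algorithm=None, versioning={"Status": "Suspended"}, website_enabled=True)
HARDENED = dict(pab={k: True for k in PAB_KEYS},
                grants=[{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}],
                sse_algorithm="aws:kms", versioning={"Status": "Enabled", "MFADelete": "Enabled"}, website_enabled=False)
```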