Monday 22 July 2019

Configuration Reviews: Ensuring Security in the Cloud

Written by Charlie Clark

What is a configuration review?

As businesses increasingly move their critical business processes into cloud services, ensuring the security of those services is ever more important. It can be easy to push responsibility for the services’ security onto the provider, but this isn’t the best idea. While the provider is responsible for the security of the platform, the platform is highly configurable by design and, as with most network devices, many default configurations are insecure.

As with traditional infrastructure, it is commonplace for system administrators to sacrifice security for convenience. Additionally, this technology is still relatively immature, so its security is less well understood than that of traditional infrastructure, which is why reviewing the configuration of these services is important. It should also be noted that, with the cloud, certain services that would usually only be accessible from the internal corporate network must be exposed to the internet (for example, authentication to the cloud account that controls access and privileges).

ZeroDayLab provides configuration reviews for all three of the major cloud services (Amazon’s AWS, Microsoft’s Azure, and Google’s G Suite). These configuration reviews provide the customer with a level of assurance that their account(s) are configured securely and in line with industry best practice. This is ideal as it ensures any data hosted with these providers is secure - not only from outsider compromise but also from insider threats originating from the provider.

Configuration reviews and penetration tests

Configuration reviews can be coupled with infrastructure penetration tests; combining these two security assessments enhances the result of each. With access to the cloud account the consultant can retrieve all the information related to the account and use that to target the infrastructure; this is very useful as penetration tests must be performed in a limited timeframe. With permission to attack the infrastructure, certain attack paths and methods can be fully tested. Being able to attack the infrastructure also allows for the assessment of the services being hosted on the virtual instances, the result of which can affect the risk of related findings, for example traffic filtering and segregation (which are generally discovered during a configuration review).

During a previous configuration review and combined infrastructure assessment, ZeroDayLab discovered overly permissive network access control lists that allowed anyone on the internet to access a Docker registry service, hosted within one of the virtual instances and used to deploy containers. After further testing, this Docker instance was found to be configured insecurely and could be used by any unauthenticated attacker to upload malicious images. These could then have been used to deploy containers within the victim company’s cloud infrastructure, leading to a complete compromise of the infrastructure, with the possibility of pivoting to internal corporate systems, resulting in the theft of sensitive customer data.

The scenario described above is a specific example of how an insecurely configured cloud service can cause serious damage to services and put customer data at risk, while demonstrating the importance of combining a configuration review with a security assessment of the infrastructure.
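The kind of check that surfaces the finding above during a configuration review is sketched here as an added example, not ZeroDayLab's own tooling. It assumes rules exported in the shape of AWS `describe-security-groups` output and a registry listening on Docker's default port 5000; the group IDs and rules are constructed sample data.

```python
import ipaddress

# Constructed sample in the shape of AWS `describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-registry", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 5000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-wide", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 5000,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
]

REGISTRY_PORT = 5000  # Docker registry default; assumption, adjust to the deployment

def is_world_open(cidr):
    """True when the CIDR matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def covers_port(perm, port):
    """True when the rule's protocol and port range include the TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols and ports; such rules carry no port keys
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def exposed_groups(groups, port=REGISTRY_PORT):
    """Return (group id, CIDR) pairs that let any internet host reach the port."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(group["GroupId"], c) for c in cidrs if is_world_open(c)]
    return findings

if __name__ == "__main__":
    for group_id, cidr in exposed_groups(SAMPLE_GROUPS):
        print(f"{group_id}: TCP {REGISTRY_PORT} reachable from {cidr}")
```

Wide port ranges and all-protocol rules are flagged as well as the exact-port rule, since each of them leaves the registry reachable from the internet.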
