ARGOS has deep insight into our customers' cloud environments across the three major public cloud providers, and a handful of recurring themes show up when it comes to cloud misconfigurations.
Traditional cloud security products, commonly referred to as Cloud Security Posture Management (CSPM), report the same issues that people have known about for a very long time. These issues are mostly well understood and usually under control, so the value of reporting them as "critical" is questionable.
Let’s take a look at our Top Of The Pops of misconfigurations, across Azure, AWS and GCP.
Most Common Misconfigurations
In third place:
Azure Storage Accounts / AWS S3 Buckets not enforcing HTTPS
Accessing or copying data over unencrypted channels is definitely not recommended and is a clear path to having data leak into places it should not. This one is particularly surprising, as Microsoft, for example, now sets this property by default. AWS does not enforce HTTPS by default, and GCP does not allow insecure access to Cloud Storage at all.
We mentioned some of the ways this misconfiguration can happen here: https://www.argos-security.io/post/data-is-important-but-not-everything
In second place:
Azure App Services not enforcing HTTPS
Similar to the previous one: a service that allows clear-text communication and does not enforce communication over a secure HTTPS port.
Azure App Services are often used to host web applications that accept user credentials, data uploads and downloads, and other traffic that really should be encrypted in transit.
In first place:
Azure Network Security Groups (NSG) / AWS Security Groups (SG) / GCP Firewalls allowing management ports access from the internet
This one is probably not a surprise: by far the most common misconfiguration. What does it mean? A cloud-based "firewall" is configured to allow traffic such as Remote Desktop Protocol (RDP) or SSH inbound from the internet. This is a very common path for attackers into cloud-hosted Virtual Machines, although more commonly it is System Administrators using it to gain legitimate access to environments.
Reality Check
Viewed through the eyes of ARGOS, however, reality looks somewhat different. The ranking above is what organisations get from traditional CSPM products that do not take environment context into account. A contextual CSPM like ARGOS knows more.
First place is suddenly snatched up by
Azure Storage Accounts / AWS S3 Buckets not enforcing HTTPS
Second place is still home to
Azure App Services / AWS Lambda Functions should not be publicly accessible (many of which we have found also have clear-text secrets configured on them)
Third place now goes to
Azure Network Security Groups / AWS Security Groups / GCP Firewalls allowing management ports access from the internet
What is different?
ARGOS applies environmental context to detections and makes statements about the "exploitability" of a misconfiguration by taking additional service, network and related resource configuration into account.
The first two are Platform as a Service (PaaS) offerings that are, for the most part, public by default and require extra configuration to be secured. ARGOS finds that many organisations do not take the extra steps to deploy services like these behind other network services, such as AWS API Gateway (WAF) or Azure Application Gateway (WAF), to improve their security posture.
Securing these or similar services is often seen as a “later” step or “for the advanced use cases”.
ARGOS deems many of these detections to be exploitable by nature.
Relatively speaking, the number of truly exposed management ports is small. Although there are many misconfigured NSGs/SGs/Firewalls, this issue is by now well understood by many network teams, who have put other measures in place to ensure a misconfiguration like this does not become an exploitable event.
ARGOS knows this from the environment context and shows its customers the real world they are in.
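To make the difference between a rule-only check and a contextual one concrete, here is an added Python example; it is not ARGOS's code. The instance attributes public_ip and internet_route, the "exploitable" criterion (open rule plus a real path from the internet) and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

MGMT_PORTS = {22, 3389}  # SSH, RDP

@dataclass
class Rule:
    proto: str       # "tcp", "udp" or "-1" (any protocol), as AWS SG rules express it
    from_port: int
    to_port: int
    source: str      # source CIDR

@dataclass
class Instance:
    name: str
    rules: List[Rule]
    public_ip: Optional[str] = None  # assumed context: public address on the NIC, if any
    internet_route: bool = False     # assumed context: subnet has a default route to an internet gateway

def rule_opens_mgmt_port(rule: Rule) -> bool:
    """True if the rule admits SSH or RDP from the whole internet (0.0.0.0/0 or ::/0)."""
    if rule.proto not in ("tcp", "-1"):
        return False
    if ip_network(rule.source, strict=False).prefixlen != 0:
        return False
    return any(rule.from_port <= p <= rule.to_port for p in MGMT_PORTS)

def assess(inst: Instance) -> str:
    """A traditional CSPM stops at 'misconfigured'; the contextual verdict also needs
    a real path from the internet to the workload (public IP plus internet route)."""
    if not any(rule_opens_mgmt_port(r) for r in inst.rules):
        return "compliant"
    if inst.public_ip and inst.internet_route:
        return "exploitable"
    return "misconfigured"

def tally(instances: List[Instance]) -> dict:
    counts = {"compliant": 0, "misconfigured": 0, "exploitable": 0}
    for inst in instances:
        counts[assess(inst)] += 1
    return counts

# Constructed sample inventory, not real customer data.
SAMPLE = [
    Instance("web-1", [Rule("tcp", 22, 22, "0.0.0.0/0")]),                        # open rule, no public IP
    Instance("jump-1", [Rule("tcp", 3389, 3389, "0.0.0.0/0")], "203.0.113.10", True),
    Instance("db-1", [Rule("tcp", 22, 22, "10.0.0.0/8")], "203.0.113.11", True),   # internal source only
    Instance("batch-1", [Rule("-1", 0, 65535, "::/0")], None, True),               # route but no address
]
```

Running tally(SAMPLE) shows four instances flagged by a rule-only check collapsing to one exploitable finding once context is applied.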
Free Trial
ARGOS offers a 30-day free trial, no commitments, no credit card required, and most customers get to see the real state of their cloud environment in under 20 minutes.
Sign up here for free: https://app.argos-security.io