Leaving wide open connections: Creating services like RDS, and Jumphost instances on AWS is essential, but allowing global access by setting the security group to 0.0.0.0/0 poses security risks. Granting such broad permissions allows anyone worldwide to access your database, compromising its security.
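As an added example (not part of the original article), the following Python audit walks security groups in the shape returned by `aws ec2 describe-security-groups` and flags every ingress rule that admits the whole internet, on IPv4 (0.0.0.0/0) or IPv6 (::/0), rating a world-open SSH, RDP or database port as the serious case. The group ids, names and rules are constructed sample data; 203.0.113.0/24 is an RFC 5737 documentation range.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The group ids are placeholders; 203.0.113.0/24 is an RFC 5737 documentation range.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa0example",
        "GroupName": "rds-mysql",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb0example",
        "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
]

# Ports whose exposure to the whole internet is almost never intended.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
                   5432: "postgres", 6379: "redis", 27017: "mongodb"}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 and any other prefix that covers every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_port_range(rule: dict):
    """Return (low, high) covered by a rule; None for ICMP, which has no ports."""
    proto = rule["IpProtocol"]
    if proto == "-1":                      # "all traffic"
        return 0, 65535
    if proto in ("icmp", "icmpv6"):
        return None
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def audit_security_groups(groups: list) -> list:
    """Flag every ingress rule that admits the whole internet (IPv4 or IPv6)."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue
                ports = rule_port_range(rule)
                exposed = [] if ports is None else sorted(
                    p for p in SENSITIVE_PORTS if ports[0] <= p <= ports[1])
                findings.append({
                    "group": group["GroupId"],
                    "name": group["GroupName"],
                    "cidr": cidr,
                    "protocol": rule["IpProtocol"],
                    "ports": ports,
                    "services": [SENSITIVE_PORTS[p] for p in exposed],
                    # world-open on a management or database port is the serious case
                    "severity": "HIGH" if exposed else "MEDIUM",
                })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f'{f["severity"]:6} {f["group"]} ({f["name"]}) {f["protocol"]} '
              f'{f["ports"]} open to {f["cidr"]} -> '
              f'{", ".join(f["services"]) or "no sensitive port"}')
```

Feed it the `SecurityGroups` list from the real CLI output and it reports both findings above: the RDS group open on 3306 to everyone, and the bastion whose IPv4 rule is correctly restricted but whose IPv6 rule still admits ::/0. The fix in each case is to replace the world-open range with the administrators' or application subnet's CIDR.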
Hardcoding access keys: Hardcoding access keys directly in code increases security risks and exposes credentials to potential compromise or unauthorized access.
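As an added example that is not from the original article, here is a small Python scanner a team can run in pre-commit or CI to catch access keys before they land in a repository. It matches the fixed shape of AWS access key ids (AKIA for long-term, ASIA for temporary keys) and a 40-character secret assigned next to an `aws_secret_access_key`-style name, and it redacts what it finds so the report never re-leaks the credential. The sample source file is constructed; the key values in it are the example credentials from the AWS documentation, not real ones.

```python
import re

# Constructed sample source file. The key values are the example credentials
# from the AWS documentation, not real ones.
SAMPLE_SOURCE = '''\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=aws_secret_access_key)
# good: no literals; boto3 resolves credentials from the environment, a profile or an instance role
s3_ok = boto3.client("s3")
'''

# Long-term (AKIA) and temporary (ASIA) access key ids share a fixed shape.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-character secret assigned right after an aws_secret_access_key-style name.
SECRET_KEY = re.compile(
    r"(?i)aws_?secret_?access_?key\W{0,5}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")


def redact(value: str) -> str:
    """Keep only the ends so a report never re-leaks the whole credential."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, filename: str = "<string>") -> list:
    """Return one finding per hardcoded access key id or secret key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"file": filename, "line": lineno,
                             "kind": "access_key_id", "value": redact(m.group(0))})
        for m in SECRET_KEY.finditer(line):
            findings.append({"file": filename, "line": lineno,
                             "kind": "secret_access_key", "value": redact(m.group(1))})
    return findings


def scan_files(paths) -> list:
    """Scan real files on disk (text only; unreadable files are skipped)."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += scan_text(fh.read(), filename=str(path))
        except OSError:
            continue
    return findings


if __name__ == "__main__":
    import sys
    hits = (scan_files(sys.argv[1:]) if len(sys.argv) > 1
            else scan_text(SAMPLE_SOURCE, "sample.py"))
    for h in hits:
        print(f'{h["file"]}:{h["line"]}: hardcoded {h["kind"]} ({h["value"]})')
    sys.exit(1 if hits else 0)
```

Run with file paths as arguments to scan a checkout; with no arguments it scans the embedded sample and exits non-zero because of lines 2 and 3. The last two lines of the sample show the replacement: construct the client with no credential literals and let boto3's default credential chain (environment variables, a named profile, or an instance or task role) supply them.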
Risky SSH Access Management: Sharing PEM files for SSH access poses significant security risks by potentially exposing private keys to unauthorized individuals. This practice complicates access management, as it becomes challenging to track and control who has access to the keys. Additionally, if a PEM file is compromised or leaked, it could lead to unauthorized access to critical systems and data.
Solution: Implement SSH key whitelisting on the bastion host to enhance security and streamline access control, ensuring only authorized users can connect via SSH using their designated keys.
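As an added example (not code from the original article), the Python below manages the bastion's allowlist as data rather than as shared PEM files: each user has their own public key, `render_authorized_keys` writes an `authorized_keys` file in which every key carries a `from=` source restriction and has port, agent and X11 forwarding disabled, and `audit_authorized_keys` compares a deployed file against the allowlist to report keys nobody on the list owns and users whose key is missing. The user names, key blobs and CIDRs are constructed placeholders, not real key material.

```python
import re

# One regex finds the key type + base64 blob even when options precede them.
KEY_RE = re.compile(
    r"(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+|sk-[\w.-]+@openssh\.com)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(\S.*))?")

# Options applied to every bastion key: source restriction plus no tunnelling.
RESTRICTIONS = "no-port-forwarding,no-agent-forwarding,no-X11-forwarding"

# Constructed allowlist: user -> public key and the network they connect from.
# The key blobs are placeholders, not real key material; the CIDRs are RFC 5737 ranges.
ALLOWLIST = {
    "alice": {"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlicePlaceholderKeyMaterial000000000000",
              "from": "203.0.113.0/24"},
    "bob":   {"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBobPlaceholderKeyMaterial00000000000000",
              "from": "198.51.100.0/24"},
}

# Constructed snapshot of the bastion's current authorized_keys file.
EXISTING_AUTHORIZED_KEYS = """\
# managed by hand, no source restrictions
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlicePlaceholderKeyMaterial000000000000 alice
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderStaleKeyMaterial0000000000 oldcontractor@laptop
"""


def key_identity(key_text: str) -> tuple:
    """(type, base64 blob) uniquely identifies a key regardless of options or comment."""
    m = KEY_RE.search(key_text)
    if not m:
        raise ValueError(f"not an OpenSSH public key: {key_text[:40]!r}")
    return m.group(1), m.group(2)


def render_authorized_keys(allowlist: dict) -> str:
    """Generate the bastion's authorized_keys with a from= restriction per user."""
    lines = []
    for user, entry in sorted(allowlist.items()):
        ktype, blob = key_identity(entry["key"])
        lines.append(f'from="{entry["from"]}",{RESTRICTIONS} {ktype} {blob} {user}')
    return "\n".join(lines) + "\n"


def audit_authorized_keys(text: str, allowlist: dict) -> dict:
    """Compare a deployed file with the allowlist: unknown keys and missing users."""
    allowed = {key_identity(e["key"]): user for user, e in allowlist.items()}
    unknown, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            unknown.append((lineno, "unparseable entry"))
            continue
        ident = (m.group(1), m.group(2))
        if ident in allowed:
            seen.add(allowed[ident])
        else:
            unknown.append((lineno, m.group(3) or "(no comment)"))
    return {"unknown": unknown, "missing": sorted(set(allowlist) - seen)}


if __name__ == "__main__":
    report = audit_authorized_keys(EXISTING_AUTHORIZED_KEYS, ALLOWLIST)
    print("unknown keys:", report["unknown"])
    print("users without a key:", report["missing"])
    print("--- regenerated authorized_keys ---")
    print(render_authorized_keys(ALLOWLIST), end="")
```

Against the constructed snapshot the audit reports the stale `oldcontractor@laptop` key on line 3 and that bob has no key deployed; regenerating the file from the allowlist removes the stale key and adds the source restriction that the hand-managed file lacked. Revoking a person's access then means deleting one entry from the allowlist, not rotating a shared key.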
Secure Secrets Management: Storing secrets, such as passwords or API keys, in plain text introduces significant security risks, as it exposes sensitive information to potential breaches and unauthorized access. Without encryption or secure storage mechanisms, attackers could easily retrieve and exploit these secrets, compromising the confidentiality and integrity of sensitive data.
Solution: Utilize a secret manager tool to securely store and manage sensitive data, encrypting secrets at rest and providing access controls to ensure only authorized users or services can retrieve them.
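As an added example (not the article's own code), this Python loader shows the application side of that solution: the code holds only the secret's name, fetches the value from AWS Secrets Manager at runtime through a client passed in, validates the JSON it gets back, and keeps the password out of every log line and error message. `load_db_credentials` expects any object with boto3's `get_secret_value(SecretId=...)` interface; in production that is `boto3.client("secretsmanager")`, while `FakeSecretsClient` is a constructed offline stand-in so the example runs without AWS. Secret names and values are placeholders.

```python
import json


class SecretsError(RuntimeError):
    """Raised when a secret is missing, malformed or incomplete."""


REQUIRED_FIELDS = ("username", "password", "host", "port")


def load_db_credentials(secret_id: str, client) -> dict:
    """Fetch a JSON database secret via a Secrets Manager client and validate it.

    `client` is anything with get_secret_value(SecretId=...) returning the
    boto3 response shape; in production pass boto3.client("secretsmanager").
    """
    try:
        resp = client.get_secret_value(SecretId=secret_id)
    except Exception as exc:  # ResourceNotFoundException, AccessDeniedException, ...
        raise SecretsError(f"cannot read {secret_id}: {exc}") from exc
    if "SecretString" not in resp:
        raise SecretsError(f"{secret_id} is stored as binary; expected a JSON string")
    try:
        data = json.loads(resp["SecretString"])
    except json.JSONDecodeError as exc:
        raise SecretsError(f"{secret_id} is not valid JSON") from exc
    missing = [k for k in REQUIRED_FIELDS if k not in data]
    if missing:
        raise SecretsError(f"{secret_id} is missing fields: {', '.join(missing)}")
    return {"username": data["username"], "password": data["password"],
            "host": data["host"], "port": int(data["port"])}


def describe_connection(creds: dict) -> str:
    """Log-safe summary: never include the password in output or exceptions."""
    return f'{creds["username"]}@{creds["host"]}:{creds["port"]} (password: <redacted>)'


def check_secret(secret_id: str, client):
    """Health-check helper: None when the secret loads, otherwise the error text."""
    try:
        load_db_credentials(secret_id, client)
        return None
    except SecretsError as exc:
        return str(exc)


class FakeSecretsClient:
    """Offline stand-in for boto3's client so the example runs without AWS (constructed)."""

    def __init__(self, secrets: dict):
        self._secrets = secrets

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId not in self._secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}


# Constructed sample secrets; the password value is a placeholder.
FAKE_CLIENT = FakeSecretsClient({
    "prod/app/db": json.dumps({"username": "app", "password": "PLACEHOLDER-not-a-real-password",
                               "host": "db.internal.example", "port": "5432"}),
    "prod/app/broken": "not json at all",
})


if __name__ == "__main__":
    creds = load_db_credentials("prod/app/db", FAKE_CLIENT)
    print("connecting to", describe_connection(creds))
    print("broken secret:", check_secret("prod/app/broken", FAKE_CLIENT))
```

The IAM policy attached to the service's role should allow `secretsmanager:GetSecretValue` only on the specific secret ARN it needs; that, plus encryption at rest handled by the service, is what replaces the plain-text file.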
Creating Isolated Users – Creating users and attaching permissions directly to them is not best practice. A user is sometimes granted a permission that is only needed for a limited time, and if the admin forgets to remove it afterwards, the lingering permission can cause problems later.
Solution: Create user groups specific to each project and its requirements, and add users to the appropriate group. When the admin wants to change a permission, they can add or remove it on the group directly, and removing a user from the group revokes every permission the group granted to them.
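As an added example (not from the original article), the Python below audits IAM users for the anti-pattern and models the group-based fix. `audit_direct_permissions` takes user records in the shape of `aws iam get-account-authorization-details` (`UserDetailList`) and flags anyone with a managed policy attached directly or an inline policy; `effective_policies` shows where each of a user's policies comes from, and `remove_from_group` shows that leaving the group drops everything it granted. The users, groups, policy names and account id are constructed placeholders.

```python
# Constructed sample in the shape of `aws iam get-account-authorization-details`
# (only the fields the audit uses). Account id and ARNs are placeholders.
SAMPLE_USERS = [
    {"UserName": "alice", "GroupList": ["project-a-developers"],
     "AttachedManagedPolicies": [], "UserPolicyList": []},
    {"UserName": "bob", "GroupList": [],
     "AttachedManagedPolicies": [
         {"PolicyName": "AdministratorAccess",
          "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
     "UserPolicyList": []},
    {"UserName": "carol", "GroupList": ["project-a-developers"],
     "AttachedManagedPolicies": [],
     "UserPolicyList": [{"PolicyName": "temp-s3-fix",
                         "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                             {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]},
]
SAMPLE_GROUPS = [
    {"GroupName": "project-a-developers",
     "AttachedManagedPolicies": [
         {"PolicyName": "project-a-developer-access",
          "PolicyArn": "arn:aws:iam::111122223333:policy/project-a-developer-access"}],
     "GroupPolicyList": []},
]

# Directly attached policies from this set are the highest-risk leftovers.
PRIVILEGED = {"AdministratorAccess", "PowerUserAccess", "IAMFullAccess"}


def audit_direct_permissions(users: list) -> list:
    """Flag users whose permissions do not come from group membership."""
    findings = []
    for u in users:
        direct = [p["PolicyName"] for p in u.get("AttachedManagedPolicies", [])]
        inline = [p["PolicyName"] for p in u.get("UserPolicyList", [])]
        if not direct and not inline:
            continue
        findings.append({
            "user": u["UserName"],
            "direct_managed": direct,
            "inline": inline,
            "in_groups": bool(u.get("GroupList")),
            "severity": "HIGH" if PRIVILEGED & set(direct) else "MEDIUM",
        })
    return findings


def effective_policies(user: dict, groups: list) -> dict:
    """Policies a user holds, split by source, so revocation paths are obvious."""
    by_name = {g["GroupName"]: g for g in groups}
    via_groups = {}
    for gname in user.get("GroupList", []):
        g = by_name.get(gname, {})
        names = [p["PolicyName"] for p in g.get("AttachedManagedPolicies", [])]
        names += [p["PolicyName"] for p in g.get("GroupPolicyList", [])]
        via_groups[gname] = names
    direct = [p["PolicyName"] for p in user.get("AttachedManagedPolicies", [])]
    direct += [p["PolicyName"] for p in user.get("UserPolicyList", [])]
    return {"via_groups": via_groups, "direct": direct}


def remove_from_group(user: dict, group_name: str) -> dict:
    """Model of the revocation step: leaving the group drops everything it granted."""
    return {**user, "GroupList": [g for g in user["GroupList"] if g != group_name]}


if __name__ == "__main__":
    for f in audit_direct_permissions(SAMPLE_USERS):
        print(f'{f["severity"]:6} {f["user"]}: managed={f["direct_managed"]} '
              f'inline={f["inline"]} in_groups={f["in_groups"]}')
    alice = SAMPLE_USERS[0]
    print("alice before:", effective_policies(alice, SAMPLE_GROUPS))
    print("alice after :", effective_policies(
        remove_from_group(alice, "project-a-developers"), SAMPLE_GROUPS))
```

On the sample data alice is clean, bob is flagged HIGH for `AdministratorAccess` attached directly with no group at all, and carol is flagged for the `temp-s3-fix` inline policy that someone forgot to remove. Scheduling this audit against the real authorization-details export is a cheap way to catch exactly the lingering permissions the problem statement describes.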
Securely Deploying a Static Website: Deploying a static website on S3 and making the bucket public gives everyone access to every object in that bucket; this is a bad practice for serving a website from S3.
Solution: Deploy the static website behind CloudFront with S3 as the origin. This provides a secure connection, and a bucket policy that only allows object access through CloudFront keeps the bucket itself private.
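As an added example (not code from the original article), the Python below puts the two bucket policies side by side: the classic public-read policy that the bad practice produces, and the policy for a CloudFront origin access control, in which only the CloudFront service principal may read objects and only on behalf of one named distribution. `public_statements` is a small check that flags any Allow statement granting access to everyone with no restricting Condition. The bucket name, account id (111122223333) and distribution id (EDFDVBD6EXAMPLE) are the placeholder values used in AWS documentation.

```python
import json

# Classic "public website" policy that the bad practice produces (constructed sample).
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-site-bucket/*",
    }],
}


def cloudfront_only_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Bucket policy for a CloudFront origin access control: only this distribution reads."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}},
        }],
    }


def _principal_is_anyone(principal) -> bool:
    """True for the anonymous principal in either of its spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy: dict) -> list:
    """Sids of Allow statements that grant everyone access with no restricting Condition."""
    hits = []
    for st in policy.get("Statement", []):
        if (st.get("Effect") == "Allow" and _principal_is_anyone(st.get("Principal"))
                and not st.get("Condition")):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


def policy_json(policy: dict) -> str:
    """Serialise for `aws s3api put-bucket-policy --policy file://policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("public statements in the old policy:", public_statements(PUBLIC_READ_POLICY))
    hardened = cloudfront_only_bucket_policy("example-site-bucket", "111122223333", "EDFDVBD6EXAMPLE")
    print("public statements in the hardened policy:", public_statements(hardened))
    print(policy_json(hardened))
```

With the hardened policy in place the bucket's Block Public Access settings can stay fully enabled, which is the check that proves the objects are no longer reachable except through the distribution.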
Not Encrypting Sensitive Data – Storing sensitive data without encryption introduces significant security risks, as it leaves the data vulnerable to unauthorized access or data breaches. Without encryption, attackers could potentially intercept or steal the data, compromising the confidentiality and integrity of sensitive information. Compliance requirements, such as GDPR or HIPAA, often mandate encryption for protecting sensitive data, and failing to encrypt it could lead to regulatory violations and legal consequences.
Insufficient Protection Against Web-based Attacks: Organizations often face the challenge of protecting their web applications against various cyber threats such as SQL injection, cross-site scripting (XSS), and distributed denial-of-service (DDoS) attacks. Without adequate security measures in place, web applications become vulnerable to exploitation, leading to data breaches, service disruptions, and reputational damage.
Solution: AWS offers two key services to address this issue: AWS WAF (Web Application Firewall) and AWS Shield. AWS WAF provides a customizable firewall that helps protect web applications from common web-based attacks by filtering and monitoring HTTP traffic. It allows organizations to create rulesets to block or allow traffic based on various criteria, such as IP addresses, HTTP headers, or URI strings. Additionally, AWS Shield provides DDoS protection for web applications by automatically detecting and mitigating large-scale DDoS attacks, ensuring the availability and reliability of web services. By implementing both, organizations can strengthen their defenses against web-based threats, mitigate the risk of attacks, and safeguard their web applications and data from potential security breaches and disruptions.
Implement Regular Image Scanning: Failing to scan container images for vulnerabilities before deployment can result in the deployment of compromised or insecure images, exposing your applications to potential security threats.
Solution: Utilize the built-in image scanning feature provided by Amazon ECR. AWS ECR Image Scanning automatically scans Docker images for software vulnerabilities using Common Vulnerabilities and Exposures (CVEs) databases. It identifies security vulnerabilities in the operating system packages and dependencies of your container images.
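As an added example (not from the original article), the Python below turns that scan into a deployment gate: `scan_gate` reads a response in the shape of `aws ecr describe-image-scan-findings` and refuses the image when the scan has not completed or when any finding is at or above a chosen severity, and `wait_and_gate` wraps the same decision around polling a boto3 ECR client until the scan finishes. The repository name, tag, digest and severity counts in the sample are constructed placeholders; the polling function is written against boto3's real `describe_image_scan_findings` call but is not exercised offline.

```python
# Severity names as reported in imageScanFindings.findingSeverityCounts, worst first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]

# Constructed sample in the shape of `aws ecr describe-image-scan-findings`
# (trimmed to the fields the gate uses; the digest is a placeholder).
SAMPLE_SCAN = {
    "repositoryName": "payments-api",
    "imageId": {"imageDigest": "sha256:" + "0" * 64, "imageTag": "1.4.2"},
    "imageScanStatus": {"status": "COMPLETE",
                        "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 3, "LOW": 7},
    },
}


def _rank(severity: str) -> int:
    """Lower is worse; a severity we do not recognise is treated as the worst case."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def scan_gate(response: dict, block_at: str = "HIGH") -> dict:
    """Decide whether an image may be deployed from its ECR scan result.

    Blocks when the scan is not COMPLETE, or when any finding is at least
    `block_at` severity.
    """
    status = response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return {"allowed": False, "reason": f"scan status is {status or 'unknown'}",
                "blocking": {}}
    counts = response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    threshold = _rank(block_at)
    blocking = {sev: n for sev, n in counts.items() if n and _rank(sev) <= threshold}
    if blocking:
        summary = ", ".join(f"{n} {sev}" for sev, n in
                            sorted(blocking.items(), key=lambda kv: _rank(kv[0])))
        return {"allowed": False,
                "reason": f"findings at or above {block_at}: {summary}",
                "blocking": blocking}
    return {"allowed": True, "reason": f"no findings at or above {block_at}", "blocking": {}}


def wait_and_gate(client, repository: str, image_digest: str, block_at: str = "HIGH",
                  attempts: int = 30, delay: float = 5.0) -> dict:
    """Poll a boto3 ECR client until the scan finishes, then apply scan_gate.

    `client` is boto3.client("ecr"); this function is not exercised offline.
    """
    import time
    for _ in range(attempts):
        resp = client.describe_image_scan_findings(
            repositoryName=repository, imageId={"imageDigest": image_digest})
        if resp["imageScanStatus"]["status"] != "IN_PROGRESS":
            return scan_gate(resp, block_at)
        time.sleep(delay)
    return {"allowed": False, "reason": "scan did not finish in time", "blocking": {}}


if __name__ == "__main__":
    verdict = scan_gate(SAMPLE_SCAN)
    print("deploy allowed:", verdict["allowed"], "-", verdict["reason"])
    raise SystemExit(0 if verdict["allowed"] else 1)
```

The sample image is refused because of its single HIGH finding; the same response passes with `block_at="CRITICAL"`, which is the knob a team tightens over time. Gating on `status != "COMPLETE"` matters as much as the counts: a pipeline that reads the findings of a scan still in progress sees zero findings and lets the image through.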