Three Things You Can Do Today to Reduce Your AWS Attack Surface

AllCloud Blog:
Cloud Insights and Innovation

What is my Attack Surface?

In the never-ending arms race between attackers and Cyber Security specialists, exciting new tools and strategies are being developed all the time. However, without getting the basics right, no amount of shiny new gadgets and costly resources will ever be enough to grant you the security your organization is dependent on. The first elemental step in securing your organization against attackers is making sure that you’ve minimized your attack surface.

The term “attack surface” refers to the sum of the different points, or attack vectors, through which an unauthorized user can try to alter data, or extract data from an environment. Keeping your attack surface as small as possible is the first, most basic, and probably most important security measure you can implement, and luckily, it also is the least complex. 

Here are three simple steps you can implement today to increase your AWS security by several orders of magnitude. 

Less Humans, Less Problems

Although we have nothing personal against them, humans and their tendency to fallibility are the number one means by which attackers gain unauthorised access to secured systems. Most hackers are, in fact, social hackers

No matter how disciplined we are, we all have left our mobile devices unattended, written down passwords we shouldn’t have written down or simply have said something sensitive in front of the wrong audience. On a long enough timeline the probability of us or of one of our team members making a mistake approaches near certainty, a fact well known by hackers world-wide. 

The remedy for this root security hazard is simple: reduce the number of team members with access to your system to the bare minimum and manage their access privileges carefully. AWS provides simple yet powerful tools to manage access privileges tightly, but even before implementing them, simply make sure that only personnel that absolutely need access have it.

Less Accounts, Even Fewer Problems        

Every account on your system is a seperate door with a unique set of keys. The more of them you have, the higher the chances that one of them will be compromised. 

Not only humans have accounts, but also some of your applications may need them to talk to each other and to use cloud resources, such as databases. However, much of this activity can be avoided by correctly configuring AWS services. Make sure that you’re using static accounts only if absolutely necessary, and if you do, make sure to rotate access keys as often as possible. 

SSO: One Account to Rule them All  

Another way to reduce the number of entry points to your system is relying on a Single Sign-On, or SSO service. 

Single Sign-On Services allow you to reduce the number of active accounts on your system to one, which is then guarded by the SSO provider by means of Multi-factor authentication and single-use rolling codes. By utilizing this method, the infrastructure AWS account will not need individual access key/console access based users at all. Instead there are group permissions created in AWS in the form of roles which give groups of users from your SSO the specific permissions they need.   

Instead of every team member having their own private door to your fortress with its unique key that can easily be lost or copied, you remain with only one central entrance which is properly guarded and monitored. 

Implementing these simple steps will grant you a solid foundation on which a Defense-in-Depth approach according to highest Cyber Security standards can be implemented. We at AllCloud are of course at your service to analyze your specific security needs, and to design the most secure and cost-effective set of measures to keep your organization safe and effective. 

In an upcoming post we’ll dive deeper into NIST CyberSecurity guidelines and AllCloud’s approach to Defense-in-Depth, so stay tuned!


Dan Winnick

DevOps Engineer

Read more posts by Dan Winnick