8 min.

Threat vectors external to AWS

Overview of threat vectors external to AWS infrastructure but impacting AWS resources, services and user applications.

A threat vector refers to the techniques or means through which a hacker gains entry to a network, application, or operating system. Within the context of AWS, there exist numerous threat vectors that may originate externally, beyond the confines of AWS's own infrastructure. 

These external threats are implemented either directly or indirectly through compromised servers/computers or user accounts, which then mimic legitimate interactions with AWS usually over public internet.


Below is a compilation of prevalent threats external to AWS:



Distributed Denial of Service (DDoS)


A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic


On AWS, this can be executed by attackers using a network of compromised systems to send an overwhelming amount of traffic to an AWS-hosted application or service, thereby overloading it and causing service disruption.



How to protect against DDoS in AWS:


AWS Shield


Utilize AWS Shield, especially Shield Advanced, for proactive mitigation measures.



Application Load Balancer (ALB)


Configure ALB inf front of EC2, integrating with AWS Shield for rapid mitigation.

Use ALB features like connection draining and rate limiting to manage traffic during attacks.



AWS WAF Integration


Enable AWS WAF on ALB for filtering and set rules to identify unusual patterns.



CloudFront and AWS WAF


Use Amazon CloudFront with AWS WAF for distributed traffic management and custom rule creation to block bad traffic.



Auto Scaling


Enable Auto Scaling for EC2 instances to handle traffic surges.



Amazon Route 53


Employ Route 53 for scalable, high-availability DNS management.





Keep track of ALB and AWS WAF logs/metrics for timely detection and response.





Set up alerts with Amazon CloudWatch and AWS CloudTrail for abnormal traffic patterns.



Security Best Practices


Maintain application updates, enforce access controls, and adhere to AWS security guidelines.



Emergency Plan


Have an incident response plan in place. In case of a large-scale attack, AWS support can assist, especially if you are subscribed to AWS Shield Advanced.



Phishing attacks


A phishing attack  typically involves deceptive practices aimed at tricking AWS users into divulging sensitive information, such as their AWS account credentials (username and password), access keys, or other confidential data. 


These attacks can take various forms ncluding email phishing (and its more personalized variant, spear phishing), as well as SMS phishing and voice phishing.



How to protect against phishing attacks in AWS:


Use Multi-Factor Authentication (MFA)


Implement MFA for all AWS accounts. This adds an extra layer of security, making it harder for attackers to gain unauthorized access even if they have compromised credentials.



Use AWS Identity and Access Management (IAM)


Configure IAM policies to limit user permissions to only what is necessary for their role, reducing the impact of credential compromise.



Regularly Rotate Credentials


Change AWS access keys and passwords regularly and follow strong password policies.



Secure Email Gateways


Use AWS WAF to filter and block malicious traffic at the network level before it reaches your email gateways. You can create rules to allowlist known good sources and denylist known bad ones .


Use Amazon Route 53 Resolver DNS Firewall to filter outbound DNS queries from your email servers and block requests to known malicious domains.



Amazon GuardDuty


This threat detection service continuously monitors for malicious or unauthorized behavior that could indicate a phishing attack in progress.



AWS CloudTrail


Enables governance, compliance, operational auditing, and risk auditing of your AWS account, helping to detect unusual activity that may result from a successful phishing attack



AWS Secrets Manager:


Helps manage, retrieve, and rotate database credentials, API keys, and other secrets, reducing the risk of credential exposure in a phishing attack.



SQL Injection and Cross-Site Scripting (XSS)


SQL Injection and Cross-Site Scripting (XSS) attacks against AWS-hosted applications target vulnerabilities in the application layer


SQL Injection


This occurs when an attacker exploits vulnerable input fields in web applications to insert or "inject" SQL commands.


These commands are then executed by the server's database, potentially allowing attackers to access, modify, delete, or manipulate database information.


For AWS-hosted applications, this might involve databases managed through services like Amazon RDS (Relational Database Service) or Amazon DynamoDB (PartiQL)


Cross-Site Scripting (XSS)


XSS attacks involve injecting malicious scripts into web pages viewed by other users.

An attacker might exploit a vulnerability in a web application hosted on AWS to insert malicious JavaScript code into the output returned to users.


When other users view the compromised page, the malicious script executes in their browsers, potentially stealing cookies, session tokens, or redirecting the user to malicious websites.



How to protect against SQL Injection and Cross-Site Scripting (XSS) in AWS:




Employ AWS WAF to filter harmful traffic, using the Managed Rule Group specifically for SQL injection and XSS. Initially set rules to monitor mode to check for false positives, then analyze AWS WAF logs and CloudWatch metrics for any legitimate traffic being blocked.



Security Monitoring Tools


Leverage tools like Amazon GuardDuty, AWS Shield, and AWS Security Hub for comprehensive monitoring and protection.



Application Code Security


Implement request validation, input sanitization, and output encoding in your code. Always cleanse user-provided data before using it in queries or displaying on web pages.



API Gateway and Lambda Authorizers


Use these for added request validation, blocking malicious payloads early.



Input Validation and Prepared Statements 


Use ORMs - Object-Relational Mapping that can easily enforce stricts input validation and use prepared statements with parameterized queries in SQL.



Content Security Policy


Implement CSP in web applications to control resource loading.





Threat Detection with AWS Cloud

SEC01-BP07 Identify threats and prioritize mitigations using a threat model - Security Pillar

SEC01-BP07 Identify threats and prioritize mitigations using a threat model - AWS Well-Architected Framework

How can I defend against DDoS attacks with Shield Standard?

How to protect EC2 against intermittent DDos attack

How do I configure AWS WAF to protect my resources from common attacks?