A threat vector refers to the techniques or means through which a hacker gains entry to a network, application, or operating system. Within the context of AWS, there exist numerous threat vectors that may originate externally, beyond the confines of AWS's own infrastructure.
These external threats are carried out either directly or indirectly through compromised servers, computers, or user accounts, which then mimic legitimate interactions with AWS, usually over the public internet.
Below is a compilation of prevalent threats external to AWS:
Distributed Denial of Service (DDoS)
A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
On AWS, this can be executed by attackers using a network of compromised systems to send an overwhelming amount of traffic to an AWS-hosted application or service, thereby overloading it and causing service disruption.
How to protect against DDoS in AWS:
AWS Shield
Utilize AWS Shield, especially Shield Advanced, for proactive mitigation measures.
Application Load Balancer (ALB)
Configure an ALB in front of EC2 instances, integrating it with AWS Shield for rapid mitigation.
Use ALB features like connection draining and rate limiting to manage traffic during attacks.
AWS WAF Integration
Enable AWS WAF on ALB for filtering and set rules to identify unusual patterns.
CloudFront and AWS WAF
Use Amazon CloudFront with AWS WAF for distributed traffic management and custom rule creation to block bad traffic.
Auto Scaling
Enable Auto Scaling for EC2 instances to handle traffic surges.
Amazon Route 53
Employ Route 53 for scalable, high-availability DNS management.
Monitoring
Keep track of ALB and AWS WAF logs/metrics for timely detection and response.
Alerts
Set up alerts with Amazon CloudWatch and AWS CloudTrail for abnormal traffic patterns.
Security Best Practices
Maintain application updates, enforce access controls, and adhere to AWS security guidelines.
Emergency Plan
Have an incident response plan in place. In case of a large-scale attack, AWS support can assist, especially if you are subscribed to AWS Shield Advanced.
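As an added example (not code from the original page), the monitoring step above can be approximated over ALB access logs: the script parses constructed ALB log lines, counts requests per client IP per one-minute window, and returns the sources that reach a threshold. The load balancer name, account ID and IP addresses are made up.

```python
"""Surface request floods in ALB access logs. Added example, not from the original page."""
import shlex
from collections import Counter, defaultdict
from datetime import datetime, timezone

def make_line(ip: str, second: int, status: int = 200) -> str:
    """Build a constructed ALB access log line (field order follows the ALB log format)."""
    t = f"2024-05-01T12:00:{second:02d}.000000Z"
    return (
        f"http {t} app/my-alb/50dc6c495c0c9188 {ip}:43210 10.0.1.12:80 0.000 0.001 0.000 "
        f'{status} {status} 34 366 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.46.0" - - '
        f"arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg/73e2d6bc24d8a067 "
        f'"Root=1-58337262-36d228ad5d99923122bbe354" "-" "-" 0 {t} "forward" "-" "-" '
        f'"10.0.1.12:80" "{status}" "-" "-"'
    )

# Constructed sample: one source sends 150 requests inside a single minute,
# a normal client sends six.
SAMPLE_LINES = [make_line("203.0.113.10", s % 60) for s in range(150)] + [
    make_line("198.51.100.7", s) for s in range(0, 60, 10)
]

def parse_alb_line(line: str) -> dict:
    """Extract the fields needed here: timestamp, client IP, ELB status code."""
    fields = shlex.split(line)  # honours the quoted request and user-agent fields
    ts = datetime.strptime(fields[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {
        "time": ts,
        "client_ip": fields[3].rsplit(":", 1)[0],  # client:port -> client
        "elb_status": fields[8],
    }

def flag_floods(lines, window_seconds: int = 60, threshold: int = 100) -> dict:
    """Return {client_ip: peak requests in any window} for IPs at or above threshold."""
    per_window = defaultdict(Counter)
    for line in lines:
        rec = parse_alb_line(line)
        window = int(rec["time"].timestamp()) // window_seconds
        per_window[window][rec["client_ip"]] += 1
    peaks = {}
    for counter in per_window.values():
        for ip, n in counter.items():
            if n >= threshold and n > peaks.get(ip, 0):
                peaks[ip] = n
    return peaks
```

In a real deployment the same logs are read from the S3 bucket the ALB writes to, and the flagged addresses would feed a WAF IP set or confirm what a rate-based rule is already blocking.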
Phishing attacks
A phishing attack typically involves deceptive practices aimed at tricking AWS users into divulging sensitive information, such as their AWS account credentials (username and password), access keys, or other confidential data.
These attacks can take various forms, including email phishing (and its more personalized variant, spear phishing), as well as SMS phishing and voice phishing.
How to protect against phishing attacks in AWS:
Use Multi-Factor Authentication (MFA)
Implement MFA for all AWS accounts. This adds an extra layer of security, making it harder for attackers to gain unauthorized access even if they have compromised credentials.
Use AWS Identity and Access Management (IAM)
Configure IAM policies to limit user permissions to only what is necessary for their role, reducing the impact of credential compromise.
Regularly Rotate Credentials
Change AWS access keys and passwords regularly and follow strong password policies.
Secure Email Gateways
Use AWS WAF to filter and block malicious traffic at the network level before it reaches your email gateways. You can create rules to allowlist known good sources and denylist known bad ones.
Use Amazon Route 53 Resolver DNS Firewall to filter outbound DNS queries from your email servers and block requests to known malicious domains.
Amazon GuardDuty
This threat detection service continuously monitors for malicious or unauthorized behavior that could indicate a phishing attack in progress.
AWS CloudTrail
Enables governance, compliance, operational auditing, and risk auditing of your AWS account, helping to detect unusual activity that may result from a successful phishing attack.
AWS Secrets Manager
Helps manage, retrieve, and rotate database credentials, API keys, and other secrets, reducing the risk of credential exposure in a phishing attack.
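An added example, not from the original page, of the CloudTrail review described above: it reads constructed CloudTrail records and flags successful console logins made without MFA, and logins or credential-creating IAM calls from outside an assumed corporate IP range. The allowlist, user names and addresses are assumptions.

```python
"""Triage CloudTrail records for signs of phished credentials. Added example, not from the page."""
import ipaddress
import json

# Constructed CloudTrail records, trimmed to the fields used below.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.44", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.44"},
]})

# Assumed corporate egress range; replace with your own allowlist.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# IAM calls that create durable access; worth a look when made from an unknown IP.
PERSISTENCE_CALLS = {"CreateAccessKey", "CreateLoginProfile", "CreateUser", "AttachUserPolicy"}

def off_network(ip: str) -> bool:
    """True when the source address is outside every allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. "AWS Internal" or a service principal, not an IP
        return False
    return not any(addr in net for net in KNOWN_NETWORKS)

def triage(trail_json: str) -> list:
    """Return (eventTime, userName, reason) tuples worth an analyst's attention."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        user = rec.get("userIdentity", {}).get("userName", "?")
        ip = rec.get("sourceIPAddress", "")
        if rec["eventName"] == "ConsoleLogin":
            ok = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if ok and not mfa:
                findings.append((rec["eventTime"], user, "console login without MFA"))
            elif ok and off_network(ip):
                findings.append((rec["eventTime"], user, f"console login from unknown IP {ip}"))
        elif rec["eventName"] in PERSISTENCE_CALLS and off_network(ip):
            findings.append((rec["eventTime"], user, f"{rec['eventName']} from unknown IP {ip}"))
    return findings
```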
SQL Injection and Cross-Site Scripting (XSS)
SQL Injection and Cross-Site Scripting (XSS) attacks against AWS-hosted applications target vulnerabilities in the application layer.
SQL Injection
This occurs when an attacker exploits vulnerable input fields in web applications to insert or "inject" SQL commands.
These commands are then executed by the server's database, potentially allowing attackers to access, modify, delete, or manipulate database information.
For AWS-hosted applications, this might involve databases managed through services like Amazon RDS (Relational Database Service) or Amazon DynamoDB (PartiQL).
Cross-Site Scripting (XSS)
XSS attacks involve injecting malicious scripts into web pages viewed by other users.
An attacker might exploit a vulnerability in a web application hosted on AWS to insert malicious JavaScript code into the output returned to users.
When other users view the compromised page, the malicious script executes in their browsers, potentially stealing cookies, session tokens, or redirecting the user to malicious websites.
How to protect against SQL Injection and Cross-Site Scripting (XSS) in AWS:
AWS WAF
Employ AWS WAF to filter harmful traffic, using the Managed Rule Group specifically for SQL injection and XSS. Initially set rules to monitor mode to check for false positives, then analyze AWS WAF logs and CloudWatch metrics for any legitimate traffic being blocked.
Security Monitoring Tools
Leverage tools like Amazon GuardDuty, AWS Shield, and AWS Security Hub for comprehensive monitoring and protection.
Application Code Security
Implement request validation, input sanitization, and output encoding in your code. Always cleanse user-provided data before using it in queries or displaying it on web pages.
API Gateway and Lambda Authorizers
Use these for added request validation, blocking malicious payloads early.
Input Validation and Prepared Statements
Use an ORM (Object-Relational Mapping) layer that can enforce strict input validation, and use prepared statements with parameterized queries for SQL.
Content Security Policy
Implement CSP in web applications to control resource loading.