GLOBAL PTNR Aws Mcafee Reg Page Ebook Nov-2020

The document discusses security best practices for AWS infrastructure. It notes that while security is a shared responsibility between cloud customers and providers, customers are ultimately responsible for securing their data and workloads in the cloud. It outlines key use cases for detecting and correcting security misconfigurations, securing workloads and containers, and protecting apps and data. McAfee MVISION Cloud provides a solution for addressing these use cases through continuous monitoring, detection of issues, and automated remediation of security configurations in AWS environments.

Detecting and Securing Your Data on AWS
EBOOK

1 Security on AWS
EBOOK

Table of Contents

3 Executive Summary
4 The rise of cloud-native breaches
4 Practitioner-leadership disconnect
4 IaaS: The new “Shadow IT”
5 Key Use Cases
7 Detect and correct security misconfigurations
11 Detect and secure workloads and containers
13 Protect the data in the apps
14 User behavior analytics and activity monitoring
17 Security Best Practices on AWS
18 Custom applications security best practices
19 Recommendations
20 About McAfee


Security on AWS

Executive Summary
Infrastructure-as-a-Service (IaaS) is used by organizations of all sizes as the new default IT
environment to build and host internal and customer-facing applications. In the rush toward
IaaS adoption, many organizations overlook the cloud shared-responsibility model and
assume that security is taken care of completely by the cloud provider. At the end of the day,
the security of what cloud customers put in the cloud—most importantly sensitive data—is
their responsibility.

Figure 1. Cloud shared-responsibility model. (The figure shows, for IaaS, PaaS, and SaaS, the layers Data Classification and Accountability, Client and Endpoint Protection, Identity and Access Management, Application Level Controls, Network Control, Host Infrastructure, and Physical Security, each marked as a customer responsibility or a service provider responsibility. Customers are still responsible for security.)

The rise of cloud-native breaches
Numerous breaches have occurred in IaaS environments, but they don’t look like your typical infiltrate-with-malware type of scheme. In most cases, the cloud-native breach (CNB) is an opportunistic attack on data left open by errors in how the customer’s cloud environment was configured. Adversaries can exploit customer misconfigurations to escalate their privileges and access data using native functions of the cloud, instead of malware.

According to the McAfee® Cloud Adoption and Risk Report (CARR), based on a study across hundreds of enterprises across multiple industries and analysis of billions of events, we found that misconfigurations have left millions of customer records, intellectual property, and the like open to theft. Unfortunately, for the state of cloud computing at this moment, according to the report, we found that about 99% of customer misconfigurations go unnoticed by companies using IaaS. The enterprise companies we spoke to told us that they were aware of, on average, 37 misconfiguration incidents per month. Yet our real-world data shows that companies experience closer to 3,500 such incidents.

Practitioner-leadership disconnect
Awareness of customer misconfigurations is clearly an issue, and only a small percentage of enterprises can audit configurations in IaaS with the existing security tools they have. This clearly highlights a practitioner-leadership disconnect. According to the McAfee CARR Report, 90% of companies experienced some security issue in IaaS, misconfiguration or otherwise. Over 50% of manager-level IT personnel—those closest to the IaaS environment—thought they’d never experienced an issue, compared to what their CISO, CTO, and CIO leadership claimed.

It is possible that the speed of cloud adoption is putting most practitioners behind. Infrastructure changes rapidly in the cloud, opening the door for mistakes as code is released in continuous integration/continuous delivery (CI/CD) practices. Security leaders should consider enabling their staff with the tools they need to keep up with security issues, especially the ability to audit their IaaS deployments for misconfiguration before they enter a production environment.

IaaS: The new “Shadow IT”
Keeping track of security incidents in IaaS is increasingly difficult when you operate in hybrid cloud environments. There’s an interesting awareness trend here as well, similar to the “Shadow IT” we’ve seen for years with Software-as-a-Service (SaaS) applications being brought into the enterprise. According to the McAfee CARR Report, we found that 92% of enterprises use multiple IaaS providers, up 18% year over year. Security incidents are almost guaranteed to go under the radar if companies don’t know where all their infrastructure lives.

Key Use Cases

Detect and correct security misconfigurations: Audit the customer configuration of AWS services to identify settings that are misconfigured or noncompliant and recommend corrective measures along with automated remediation capabilities.

Detect and secure workloads and containers: Discover workloads in the hybrid cloud and protect them with McAfee® Cloud Workload Protection using lightweight agents. Discover containers and images, audit them using predefined policy templates, and run vulnerability scans.

Protect the data in the apps: Enforce data loss prevention (DLP) policies for sensitive data stored in a customer’s AWS storage services such as Amazon Simple Storage Service (Amazon S3). Scan the content for malware and immediately take remediation action.

User behavior analytics and activity monitoring: Detect insider threats, as well as threats from compromised accounts and privileged access misuse. Capture a complete audit trail of all user activities enriched with threat intelligence to facilitate post-incident forensic investigations.

McAfee® MVISION Cloud provides a solution to address the above use cases in a single cloud-native platform and presents an overview of your entire infrastructure.

Figure 2. Protecting the AWS infrastructure. (1: Detect and correct security misconfigurations; 2: Detect and secure workloads and containers; 3: Protect the data in the apps.)

Figure 3. IaaS dashboard results.


Detect and correct security misconfigurations
As mentioned earlier, according to Gartner, 99% of the misconfigurations in enterprise IaaS environments are going unnoticed, leaving the doors open for the “Land” stage of a cloud-native breach (CNB).

Figure 4. IaaS misconfiguration incidents per month. (Known versus actual IaaS misconfiguration incidents per month: 37 known misconfigurations per month, 3,500 actual misconfigurations per month.)

Audit and monitor the security configurations of your AWS services to detect and correct misconfigurations to reduce risk and comply with internal and external policies.

MVISION Cloud provides three modes to audit configurations:
1. Near Real-Time (NRT)
2. Continuous Evaluation (CE)
3. On-Demand Scan (ODS)

NRT and CE provide alerting in near real time of changes as they occur, while ODS scans once per day. Automated remediation and alerting happen immediately when the policies are evaluated.

MVISION Cloud provides a large set of predefined templates across multiple compliance standards such as Center for Internet Security (CIS) Level 1 and 2, Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), National Institute of Standards and Technology (NIST) 800-53, and others. Customers can also choose to create custom policies for a large set of services using the intuitive and self-describing builder based on their specific requirements. The MVISION Cloud platform detects misconfigurations for a host of services, such as Amazon Elastic Compute Cloud (Amazon EC2) compute instances, storage and database, Identity and Access Management (IAM), logging and monitoring, network security groups, virtual private clouds (VPCs), and more.

Figure 5. Resource inventory with compliance and risk scores.


The velocity of cloud deployments means that misconfigurations are introduced, removed, or resolved on a constant basis as new infrastructure is rolled out. Much of this is automated by DevOps teams in the practice of CI/CD, which, unfortunately, automates misconfigurations along with all the rest.

Average time to correct IaaS misconfigurations (source: McAfee CARR Report):
Within minutes: 18%
Within hours: 60%
Within days: 20%
Within months: 2%

Figure 6. Average time to correct misconfigurations. (Source: McAfee CARR Report)

Nearly a quarter of enterprises take longer than a day to correct misconfigurations in IaaS. This leaves plenty of time for an adversary to scan for open ports or other vulnerable resources to land their attack. Ideally, misconfigurations should be addressed prior to deployment, shifting the task of auditing configurations left in the deployment lifecycle.

MVISION Cloud provides Shift-Left capabilities, which can be leveraged to evaluate misconfigurations much earlier in the development and deployment cycle. Infrastructure-as-Code (IaC) evaluation of CloudFormation and Terraform template formats is supported, in a monitoring/offline mode as well as an inline mode in which deployments can be interrupted if templates report misconfigurations.

Figure 7. Security configuration audit in MVISION Cloud.

A Resource Graph with aggregated flow log data demonstrates the connections between different resources, including connections with external malicious IPs.

Figure 8. Resource graph in MVISION Cloud.


Detect and secure workloads and containers
Discover workloads and protect them using McAfee® Cloud Workload Protection lightweight agents. It works with MVISION Cloud and McAfee® MVISION ePO™ to provide endpoint security and protection against threats like malware, ransomware, and targeted attacks. This provides the ability to view and manage agents on compute instances in the same MVISION Cloud console.

Figure 9. Compute instances in MVISION Cloud.

Discover container images, audit them using predefined policy templates, and run vulnerability scans.

For container security:
■ Evaluate misconfigurations for container infrastructure and orchestration systems, such as Kubernetes, to ensure that the environment’s configuration is not a source of risk and that the configuration of the environment does not drift over time, exposing unintentional risk.
■ Run vulnerability assessments for container components to evaluate the code embedded in containers at build time and periodically to ensure that known risks are exposed.
■ Perform nano-segmentation for inter-container communication:
− Zero Trust: Always verify, never trust. Discover and monitor the behavior of network communications between containers.
− Leverage known good configurations as a way to secure workloads, as opposed to keeping up with known bad ones.

Figure 10. Security configuration audit in MVISION Cloud.

Protect the data in the apps

Prevent unauthorized regulated data or malware from being stored in AWS storage services. DLP and malware scanning can be applied in three different ways:

1. As a response to a configuration audit incident: For highly vulnerable categories, a DLP and/or malware scan can be configured as a response action to the policy trigger.
2. Near real-time (NRT): Applies to changes in the data set and evaluates the policies in near real time.
3. On-demand scan: Applies to pre-existing data and executes on a scheduled interval.

Leverage the McAfee® content analytics engine to discover sensitive data stored in AWS based on:
■ Keywords and phrases indicative of sensitive or regulated information
■ Predefined alphanumeric patterns with validation (example: credit card numbers)
■ Regular expressions to detect custom alphanumeric patterns (example: part numbers)
■ File metadata such as file name, size, and file type
■ Keyword dictionaries of industry-specific terms (example: stock symbols)

Use these remediations to help address the incidents as soon as they are reported:
■ Notify an administrator
■ Quarantine the file

Figure 11. Policy incidents in MVISION Cloud.
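As an added example, not McAfee’s content analytics engine or any code from this ebook, the following Python classifier applies the five detection methods listed above to a handful of stored objects and maps the matches to the two remediations. The part-number pattern, stock-symbol dictionary, size threshold, and the sample objects are all constructed for this example.

```python
"""Added example, not McAfee's content analytics engine: a small DLP classifier
over stored objects, using the detection methods the section lists (keywords,
validated card numbers, a custom regex, file metadata, a term dictionary) and
mapping matches to the two remediations (notify, quarantine)."""
import re

CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digit runs
PART_NUMBER = re.compile(r"\bPN-\d{5}-[A-Z]{2}\b")          # constructed custom pattern
SENSITIVE_PHRASES = ("confidential", "social security number", "do not distribute")
STOCK_SYMBOLS = {"ACME", "GLOBX", "WIDGT"}                   # constructed dictionary
QUARANTINE_TYPES = {"exe", "dll"}                            # executables in a data bucket
MAX_SIZE = 50 * 1024 * 1024                                  # constructed size policy


def luhn_valid(digits):
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(name, size, text):
    """Policy labels matched by one object (name, size in bytes, content)."""
    labels = set()
    lowered = text.lower()
    if any(p in lowered for p in SENSITIVE_PHRASES):            # keywords and phrases
        labels.add("keyword")
    for m in CARD_CANDIDATE.finditer(text):                      # pattern with validation
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            labels.add("credit_card")
    if PART_NUMBER.search(text):                                 # custom regular expression
        labels.add("part_number")
    if STOCK_SYMBOLS & set(re.findall(r"\b[A-Z]{3,5}\b", text)):  # keyword dictionary
        labels.add("stock_symbol")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in QUARANTINE_TYPES or size > MAX_SIZE:               # file metadata
        labels.add("metadata")
    return labels


def remediation(labels):
    """Quarantine the file for card data or suspect files; notify otherwise."""
    if {"credit_card", "metadata"} & labels:
        return "quarantine"
    return "notify" if labels else "none"


def scan_bucket(objects):
    """Return {name: (sorted labels, action)} for a list of (name, size, text)."""
    results = {}
    for name, size, text in objects:
        labels = classify(name, size, text)
        results[name] = (sorted(labels), remediation(labels))
    return results


# Constructed objects standing in for files read from an S3 bucket.
SAMPLE_OBJECTS = [
    ("reports/q3-sales.csv", 4200, "customer,card\nJ. Doe,4111 1111 1111 1111\n"),
    ("notes/readme.txt", 300, "Order ref 4111 1111 1111 1112 is not a card number."),
    ("eng/bom.txt", 900, "Assembly PN-10427-ZQ ships to ACME. CONFIDENTIAL, do not distribute."),
    ("tools/setup.exe", 2000000, ""),
    ("public/index.html", 1000, "<h1>Welcome</h1>"),
]

if __name__ == "__main__":
    for name, (labels, action) in scan_bucket(SAMPLE_OBJECTS).items():
        print(f"{name}: {labels or '-'} -> {action}")
```

The second object shows why validation matters: it contains a 16-digit run that fails the Luhn check and so raises no incident.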

User behavior analytics and activity monitoring
McAfee uses data science and machine learning to automatically build models of typical user behavior and identify behavior that may be indicative of a threat.
■ Insider threats: Detect anomalous behavior across multiple dimensions, including types of user action and frequency across time
■ Compromised accounts: Analyze access attempts to identify impossible cross-region access, brute-force attacks, and activity from suspicious locations indicative of a compromised account
■ Privileged user threats: Identify inappropriate user permissions, dormant accounts, and unwarranted escalation of user privileges and provisioning

Gain visibility into usage across managed AWS accounts and accelerate post-incident forensic investigations by capturing a comprehensive audit trail of all activity. Organizations can monitor:
■ Usage of managed AWS accounts, including who is accessing which services, the types of activities performed, their role, device type, geographic location, and IP address
■ Successful/failed login attempts
■ User account creation/deletion, as well as updates to accounts by administrators

Drill down further into activity streams to investigate:
■ A specific activity and all its associated users
■ All activities generated by a single user
■ All activities performed by users accessing via TOR or anonymizing proxy
■ All activities generated by a specific source IP address or geographic location

Figure 12. AWS activities.
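As an added example, not MVISION Cloud’s analytics or any code from this ebook, the following Python shows three of the compromised-account signals named above evaluated over constructed CloudTrail-style events: impossible cross-region access, brute-force console logins, and activity from a known anonymizing proxy. The event tuples, thresholds, and the anonymizer IP list are constructed; the travel check uses a country change within a short window as a crude stand-in for a geodistance-and-speed model.

```python
"""Added example, not MVISION Cloud's analytics: three compromised-account
signals over constructed CloudTrail-style events (user, timestamp, source IP,
country, event name, outcome)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events; IPs are from documentation ranges.
EVENTS = [
    ("alice", "2020-09-01T08:00:00Z", "203.0.113.10", "US", "ConsoleLogin", "Success"),
    ("alice", "2020-09-01T08:25:00Z", "198.51.100.7", "DE", "ListBuckets", "Success"),
    ("bob", "2020-09-01T09:00:00Z", "192.0.2.44", "US", "ConsoleLogin", "Failure"),
    ("bob", "2020-09-01T09:00:30Z", "192.0.2.44", "US", "ConsoleLogin", "Failure"),
    ("bob", "2020-09-01T09:01:00Z", "192.0.2.44", "US", "ConsoleLogin", "Failure"),
    ("bob", "2020-09-01T09:01:30Z", "192.0.2.44", "US", "ConsoleLogin", "Failure"),
    ("bob", "2020-09-01T09:02:00Z", "192.0.2.44", "US", "ConsoleLogin", "Failure"),
    ("carol", "2020-09-01T10:00:00Z", "203.0.113.20", "US", "ConsoleLogin", "Success"),
    ("carol", "2020-09-01T18:00:00Z", "198.51.100.9", "GB", "ConsoleLogin", "Success"),
    ("dave", "2020-09-01T11:00:00Z", "198.51.100.200", "NL", "GetObject", "Success"),
]
ANONYMIZER_IPS = {"198.51.100.200"}   # constructed threat-intel list of proxy exit IPs


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def impossible_travel(events, max_gap=timedelta(hours=2)):
    """Flag a user seen from two different countries closer together than
    max_gap. Crude proxy: a production model would use distance and speed."""
    alerts, last_seen = [], {}          # last_seen: user -> (timestamp, country)
    for user, ts, _ip, country, _name, _out in sorted(events, key=lambda e: e[1]):
        t = parse_ts(ts)
        if user in last_seen:
            prev_t, prev_c = last_seen[user]
            if prev_c != country and t - prev_t <= max_gap:
                alerts.append((user, prev_c, country))
        last_seen[user] = (t, country)
    return alerts


def brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed console logins inside
    any `window`-long span; returns (ip, total failures)."""
    failures = defaultdict(list)
    for _user, ts, ip, _c, name, outcome in events:
        if name == "ConsoleLogin" and outcome == "Failure":
            failures[ip].append(parse_ts(ts))
    alerts = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):   # sliding window of size threshold
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((ip, len(times)))
                break
    return alerts


def via_anonymizer(events, anonymizers=ANONYMIZER_IPS):
    """All activity whose source IP is on the anonymizing-proxy list."""
    return [(user, ip) for user, _ts, ip, _c, _n, _o in events if ip in anonymizers]


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(EVENTS))
    print("brute force:", brute_force(EVENTS))
    print("via anonymizer:", via_anonymizer(EVENTS))
```

Carol’s US-to-GB change eight hours apart is deliberately below the alert threshold, so only Alice’s 25-minute US-to-DE jump is reported.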

Let’s explore the nature of a CNB. These breaches do not follow the traditional malware-infiltration and defense strategy we are accustomed to within network borders and on managed devices. We define a CNB as “a series of actions by an adversarial actor in which they ‘Land’ their attack by exploiting errors or vulnerabilities in a cloud deployment without using malware, ‘Expand’ their access through weakly configured or protected interfaces to locate valuable data, and ‘Exfiltrate’ that data to their own storage location.”

Consider the following examples at each stage:

1. Land by gaining a foothold into the IaaS/Platform-as-a-Service (PaaS) environment.
◆ Leverage compromised/weak credentials to gain access as a legitimate user.
◆ Exploit a vulnerability, such as server-side request forgery (SSRF), in deployed software.
◆ Capitalize on misconfigurations of ingress/egress security groups.

2. Expand by finding ways to move beyond the landing node.
◆ Leverage privileges associated with a compromised node to access remote nodes.
◆ Probe for and exploit weakly protected applications or databases.
◆ Capitalize on weak network controls.

3. Exfiltrate data while staying under the radar.
◆ Copy data from the storage account to anonymous nodes on the internet.
◆ Create a storage gateway to gain access to the data from a remote location.
◆ Copy data from the storage accounts to a remote location outside the VPC.

Figure 13. Cloud-native breach (CNB) attack chain. (The figure shows an IaaS/PaaS environment with nodes Node-1 to Node-n and databases DB-1 to DB-n; entry points 1-a compromised credentials, 1-b vulnerability, and 1-c misconfiguration; 2. access remote nodes or databases; 3. copy data to a remote location.)

As customers configure and use the services depending on their requirements, the threat landscape can spread across misconfigurations, confidential data, anomalies, and more. It is challenging to correlate these multiple types of incidents for investigation and remediation. Data exfiltration and resource hijacking are prominent motives behind cloud attacks that engage in taking over infrastructure, crypto-mining, and malicious hosting. All are prominent with IaaS. It is challenging to collate all the different sources of information, such as configuration audit, DLP, malware, workload security, activity logs, flow logs, and other data into a cohesive pattern and actionable framework.

MVISION Cloud collects millions of feeds from multiple sources and brings them into one scalable platform with a single console that leverages the MITRE ATT&CK® framework to bubble up only those that are relevant and critical. The MITRE ATT&CK framework also provides a standardized taxonomy that brings cloud access security broker (CASB) incidents into the modern security operations center (SOC), breaks incident silos, and provides visualization of threat/attack modus operandi. Thus, threats are detected in close to real time by combining indicators and incidents from across the different facets of CASB and blending SaaS, PaaS, and IaaS.

The MVISION platform also provides SOC personnel with the ability to view all threats, including potential threats or threats in progress that have only gone through a few stages. SOC analysts can take the proactive steps needed to prevent threats from moving to the next phase, preventing further compromise of their cloud environment. Using the MITRE ATT&CK framework, SOC teams can see the “kill chain” of an attack and break this chain by taking the appropriate remediation steps outlined in the MVISION Cloud console.

Figure 14. The attack “kill chain” viewed in the MVISION Cloud console.

Security Best Practices on AWS

At AWS, security is the top priority and is backed by a deep set of cloud security tools, with more than 200 security, compliance, and governance services and key features.

AWS is constantly building a powerful set of security controls for its customers to use across all AWS services. With AWS Config and Amazon CloudWatch, for example, customers can monitor and track both the health and security of their AWS resources. The identity and access management (IAM) service gives AWS customers granular control over managing users and enforcing access control policies. Customers using AWS need to be aware of the shared responsibility model and configure AWS security controls appropriately to tighten their security posture.

Per Gartner, nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement, and mistakes. Through 2023, at least 99% of cloud security failures will be the customer’s fault.

Configuration audit policies in MVISION Cloud can be categorized as:
■ Unrestricted Access
■ Identity and Access Management
■ Network Security
■ Encryption
■ Logging
■ Monitoring
■ Key Management
■ Application Security

MVISION Cloud recommends security best practices based on the top 10 settings most commonly misconfigured by customers in AWS:
1. EBS should be encrypted.
2. EC2 instances should not have unrestricted outbound access.
3. EC2 security group should have specific ports configured.
4. IAM instance roles should be used to provision access to AWS resources.
5. Non-HTTP/HTTPS ports should not have unrestricted access.
6. EC2 instances should not have unrestricted inbound access on uncommon ports.
7. Security groups should never remain unused.
8. EC2 instances should not have unrestricted ICMP access.
9. EC2 security group should have inbound access configured to specific IP addresses.
10. EC2 instance should belong to a VPC.
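As an added example, not MVISION Cloud’s or AWS’s code, the following Python audits a CloudFormation template (JSON form) against several of the ten settings above (EBS encryption, unrestricted inbound on non-HTTP/HTTPS ports, unrestricted ICMP and outbound access, a missing IAM instance role, an instance outside a VPC subnet, and unused security groups) and returns a deploy-or-block decision in the spirit of the inline IaC mode described earlier. The sample template, its resource names and the WEB_PORTS allowance are constructed for this example.

```python
"""Added example, not MVISION Cloud or AWS code: a shift-left audit of a
CloudFormation template (JSON form) against several of the top 10 settings.
Any finding blocks the deployment, as in an inline IaC check."""
import json

WEB_PORTS = {80, 443}                 # the only ports this policy allows from anywhere
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _open_to_world(rule):
    return rule.get("CidrIp") in ANYWHERE or rule.get("CidrIpv6") in ANYWHERE


def _port_range(rule):
    """Port span a rule covers; protocol -1 (all traffic) means every port."""
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if rule.get("IpProtocol") == "-1" or lo is None or hi is None:
        return 0, 65535
    return int(lo), int(hi)


def audit_template(template):
    """Return (logical_id, finding) pairs for one parsed template dict."""
    findings, referenced_sgs = [], set()
    resources = template.get("Resources", {})
    for name, res in resources.items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress") or []:
                if not _open_to_world(rule):
                    continue
                lo, hi = _port_range(rule)
                if rule.get("IpProtocol") == "icmp":                          # setting 8
                    findings.append((name, "unrestricted ICMP access"))
                elif not (lo == hi and lo in WEB_PORTS):                      # settings 5, 6, 9
                    findings.append((name, f"unrestricted inbound on non-HTTP/HTTPS ports {lo}-{hi}"))
            for rule in props.get("SecurityGroupEgress") or []:
                if _open_to_world(rule) and rule.get("IpProtocol") == "-1":   # setting 2
                    findings.append((name, "unrestricted outbound access"))
        elif rtype == "AWS::EC2::Instance":
            if "SubnetId" not in props and "NetworkInterfaces" not in props:  # setting 10
                findings.append((name, "instance is not placed in a VPC subnet"))
            if "IamInstanceProfile" not in props:                             # setting 4
                findings.append((name, "no IAM instance role attached"))
            for sg in props.get("SecurityGroupIds", []):
                referenced_sgs.add(sg.get("Ref", "") if isinstance(sg, dict) else sg)
            for bdm in props.get("BlockDeviceMappings", []):
                ebs = bdm.get("Ebs")
                if ebs is not None and ebs.get("Encrypted") is not True:      # setting 1
                    findings.append((name, f"EBS volume {bdm.get('DeviceName')} not encrypted"))
        elif rtype == "AWS::EC2::Volume" and props.get("Encrypted") is not True:  # setting 1
            findings.append((name, "EBS volume not encrypted"))
    for name, res in resources.items():                                       # setting 7
        if res.get("Type") == "AWS::EC2::SecurityGroup" and name not in referenced_sgs:
            findings.append((name, "security group is unused"))
    return findings


def audit_json(text):
    return audit_template(json.loads(text))


def deployment_allowed(text):
    """Inline-mode decision: any finding interrupts the deployment."""
    return not audit_json(text)


# Constructed template with deliberate weaknesses for the demonstration.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "CidrIp": "0.0.0.0/0"}],
        "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]}},
    "StaleSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "left over from a decommissioned tier"}},
    "Web": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-EXAMPLE", "InstanceType": "t3.micro", "SubnetId": "subnet-EXAMPLE",
        "SecurityGroupIds": [{"Ref": "WebSg"}],
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 20}}]}}}})

if __name__ == "__main__":
    for logical_id, finding in audit_json(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding}")
    print("deploy" if deployment_allowed(SAMPLE_TEMPLATE) else "blocked")
```

The HTTPS rule open to the world passes because it is the one port the constructed policy allows from anywhere; SSH from 0.0.0.0/0, world-open ICMP, the all-traffic egress rule, the unencrypted root volume, the missing instance profile and the orphaned security group are each reported.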

Custom applications security best practices
Security is a shared responsibility by everyone in an IT organization and not only the security team. Developers may prioritize speed above all. However, IT security needs to be included in the software development process. Whether you follow a waterfall or agile methodology, there is a place for IT security in the architecture planning, auditing, and testing of applications. Experience has demonstrated that application security is improved when the IT security team is involved from the beginning, instead of bringing in the security team after an application has been developed.

What follows are recommendations for creating a successful DevOps workflow that integrates security.

1. Inventory and categorize all existing custom applications by the types of data stored, their compliance requirements, and the possible threats they face.
2. The first step in securing custom application development and usage is to inventory all existing applications and the data uploaded to them. IT security and audit teams should have visibility not only into the number of these applications running on AWS, but also on whether sensitive data is being uploaded. Visibility into sensitive data enables the security team to identify which internal and external regulations apply to an app and its data and what kind of security controls must be in place to protect it.
3. IT security should be involved in testing throughout the development process. DevOps should invite the security team to bring their own application testing tools and methodologies when pushing production code, without slowing down the process. Security should team up with the QA team to define test cases and qualifying parameters that should be met before code can be promoted.
4. Developing a secure application is not enough. IT security should also ensure that users are accessing the application in a secure manner. With that in mind, there are a few steps the security team can take to ensure appropriate use of these applications and grant the fewest privileges possible for application users.
5. Unrestricted or overly permissive user accounts increase the risk and damage potential of an external or internal threat. Internally, a user with too many permissions might inadvertently cause data loss. Externally, a hacker who compromises an account with too many permissions can easily wreak havoc. For this reason, application administrators should limit a user’s permissions to a level where they can only do what’s necessary to accomplish their job duties.
6. Enforce a single set of DLP policies across custom applications and all other cloud services.

The first step in enforcing DLP policies is inventorying existing DLP policies for all cloud services, on-premises applications, and endpoints and identifying the policies that would apply to custom applications. Enterprises also need to understand how a custom application is being used, including the number of files containing sensitive data, the number of files being shared, and anomalous usage events indicative of threats. Some of the types of sensitive data that should be protected are:
■ Credit card numbers
■ Social Security numbers
■ Account numbers
■ Account credentials
■ Intellectual property

Recommendations
We’ve entered a new reality for enterprise infrastructure, and we should expect it to change more rapidly than ever before. The capacity of infrastructure teams to upgrade, innovate, and deploy new technology is no longer a constraint. AWS is constantly upgrading, innovating, making it easier and faster to deploy infrastructure than ever before—and we need to make use of these tools and services. As we’ve outlined in this document, our first and most critical step is to establish holistic methods for maintaining visibility into how teams are using these services and then move to applying best practices for risk mitigation and governance. Here is a set of recommendations to help you:

1. Build IaaS configuration auditing into your CI/CD process: Do it early—preferably at code check-in or at least during the deployment—to minimize the number of misconfigurations that make it into production. Look for security tools that integrate with AWS CodeDeploy, Jenkins, Amazon Elastic Kubernetes Service, and others to automate the audit and correction process.
2. Evaluate your IaaS security practice using a framework like “Land-Expand-Exfiltrate”: This helps you check controls against the entire attack chain, increasing your likelihood of stopping a breach.
3. Invest in cloud-native security tools and training for security teams: Cloud tools and training help security teams understand cloud infrastructure at the same level as their DevOps counterparts. Security tools, like CASBs, cloud security posture management (CSPM), and cloud workload protection platforms (CWPP) are built to work within DevOps and CI/CD processes but are not replications of on-premises data center security. They require new knowledge that goes hand in hand with cloud transformation. Companies that actively secure their cloud infrastructure with cloud-native security tools increase their use of the cloud and the benefits they gain from it. According to the McAfee CARR Report, companies using a CASB with IaaS, for example, deployed 71% more applications. Not only are these companies doing a better job of keeping up with the speed of IaaS, they are accelerating it. That means they can grow their business faster—by addressing security with tools built for the cloud.
About McAfee
McAfee is the device-to-cloud cybersecurity company.
Inspired by the power of working together, McAfee
creates business and consumer solutions that make our
world a safer place. By building solutions that work with
other companies’ products, McAfee helps businesses
orchestrate cyber environments that are truly
integrated, where protection, detection, and correction
of threats happen simultaneously and collaboratively.
By protecting consumers across all their devices, McAfee
secures their digital lifestyle at home and away. By
working with other security players, McAfee is leading
the effort to unite against cybercriminals for the benefit
of all.

www.mcafee.com
6220 America Center Drive
San Jose, CA 95002
888.847.8766
www.mcafee.com

McAfee, the McAfee logo, and McAfee ePO are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2020 McAfee, LLC. 4615_0920

SEPTEMBER 2020