Fundamentals

T1525, T1613

AWS Misconfigurations

AWS misconfigurations are cloud setup mistakes that expose data, identities, networks, or workloads to unnecessary risk.

View on Graph

What Is It and Why It Matters

  • AWS misconfigurations are the root cause of most cloud security incidents because the shared responsibility model puts configuration control in the customer’s hands, and the default settings aren’t always the most secure.
  • A single misconfigured IAM policy, S3 bucket ACL, or security group can expose sensitive data to the entire internet within minutes.
  • Cloud environments change rapidly — new services are deployed, permissions evolve, and resources are shared across teams — making continuous configuration monitoring essential.
  • For security analysts, understanding common cloud misconfiguration patterns is critical because traditional network and endpoint detection tools often lack visibility into cloud control planes.

High-Impact Misconfiguration Categories

IAM Policy Misconfigurations

The most common source of cloud privilege escalation. IAM policies control who can do what with which AWS resources — and one overly permissive policy can grant an attacker full admin access.

Common patterns:

MisconfigurationRiskExample Bad Policy
"Action": "*"User/role can perform any action"Effect": "Allow", "Action": "*", "Resource": "*"
"Resource": "*"Access to all resources of the allowed action type"Action": "s3:*", "Resource": "*" — full S3 access
PassRole to untrusted rolesiam:PassRole allows attacker to attach high-privilege roles to an EC2 instance they control"Action": "iam:PassRole", "Resource": "*"
No condition key for MFAAttacker with stolen keys can use them without MFAMissing "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}
Wildcard in service actionec2:* gives full EC2 control, including terminating instances"Action": "ec2:*" instead of specific actions

Detection: CloudTrail events PutUserPolicy, PutRolePolicy, AttachRolePolicy, AttachUserPolicy are the key events to monitor. A developer attaching the AdministratorAccess managed policy to a service role they work with is a common privilege escalation pattern.

SPL query — detect IAM policy changes that expand permissions:

index=cloudtrail
( eventName=PutUserPolicy OR eventName=PutRolePolicy OR eventName=AttachRolePolicy OR eventName=AttachUserPolicy OR eventName=CreatePolicy )
| search policyDocument = "*"
| rex field=requestParameters "policyDocument.*(Action|Effect|Resource).*(\*|FullAccess)"
| stats values(eventName) as Actions, values(userIdentity.arn) as Actor by sourceIPAddress, _time
| eval alert = "HIGH — IAM policy change with wildcard permissions"

S3 Bucket Misconfigurations

An S3 bucket with public read access exposes its contents to anyone on the internet. This is the most publicized cloud misconfiguration pattern for a reason — it keeps happening.

Common patterns:

MisconfigurationRiskDetection
Bucket ACL allows public read/writeAnyone can list, read, write filesCloudTrail: PutBucketAcl with public URI
Bucket policy allows anonymous accessSame risk, via bucket policy instead of ACLCloudTrail: PutBucketPolicy with "Principal": "*"
S3 Object ACL allows public accessIndividual objects made public despite bucket being privateCloudTrail: PutObjectAcl with public grantee
Missing bucket versioningNo recovery from ransomware or accidental deletionAWS Config rule: s3-bucket-versioning-enabled
Bucket accessible from any VPCNo VPC endpoint restrictionCloudTrail: requests from non-VPC sources

Detection: CloudTrail events PutBucketPolicy, PutBucketAcl, and PutBucketPublicAccessBlock are critical. Monitor these in a dedicated CloudWatch alarm.

SPL query — detect bucket policy change to public:

index=cloudtrail eventName=PutBucketPolicy
| rex field=requestParameters "bucketPolicy.*(?<PrincipalPrincipal>(?i)\*)" 
| search PrincipalPrincipal="*"
| stats values(requestParameters.bucketName) as Bucket by userIdentity.arn, sourceIPAddress, _time
| eval alert = "CRITICAL — S3 bucket policy changed to allow public access"

Security Group Misconfigurations

Security groups are stateful firewalls for EC2 instances. Overly permissive rules expose compute resources to the internet.

Common patterns:

MisconfigurationRiskExample
SSH open to 0.0.0.0/0Anyone can attempt SSH to any instance in the groupport 22, source 0.0.0.0/0
RDP open to 0.0.0.0/0Anyone can attempt RDP to Windows instancesport 3389, source 0.0.0.0/0
All ports open to 0.0.0.0/0Full network exposureport 0-65535, source 0.0.0.0/0
Database port open to 0.0.0.0/0Database directly accessible from internetport 3306/5432/1433, source 0.0.0.0/0
Egress rule allows all trafficData exfiltration not restrictedoutbound 0.0.0.0/0, port all — default, but risky

Detection: CloudTrail events AuthorizeSecurityGroupIngress and AuthorizeSecurityGroupEgress. Alert when source is 0.0.0.0/0 and port is a management port (22, 3389, 22) or database port.

CloudTrail Logging Disabled

If an attacker disables CloudTrail, they can operate in the account without leaving audit records. This is the cloud equivalent of clearing the Windows Event Log.

Detection: CloudTrail events StopLogging, UpdateTrail (set EnableLogFileValidation=false), DeleteTrail. These should trigger immediate critical alerts.

SPL query — detect CloudTrail logging changes:

index=cloudtrail (eventName=StopLogging OR eventName=DeleteTrail OR eventName=UpdateTrail)
| search requestParameters.name IN ("*")
| stats values(requestParameters.name) as TrailName, values(eventName) as Action by userIdentity.arn, sourceIPAddress
| eval alert = "CRITICAL — CloudTrail logging disabled or deleted"

Detection Workflow — Cloud Misconfiguration Triage

Step 1: Identify What Changed

When an alert fires for a misconfiguration, start with:

QuestionData Source
What resource changed?CloudTrail event — look at requestParameters for the specific resource (bucket name, security group ID, policy ARN)
Who made the change?userIdentity.arn — is this a human user, role, or service account?
From where?sourceIPAddress — is this from the corporate VPN, home IP, or a new location?
What was the previous state?AWS Config — check resource configuration history (requires Config recorder to be enabled)
Was this expected?Change management system (ServiceNow, Jira) — was there a change ticket?

Step 2: Correlate with Other CloudTrail Events

A single misconfiguration is often part of a chain. Check for correlated events in the same time window:

  • CreateUser or CreateAccessKey before a policy change — attacker created their own backdoor
  • AssumeRole from an unexpected source — cross-account access abuse
  • RunInstances in a new region — attacker launching compute for crypto mining
  • GetSecretValue from Secrets Manager or SSM Parameter Store — credential access after privilege escalation

Step 3: Assess and Remediate

SeverityCriteriaImmediate Action
CriticalPublic S3 bucket with sensitive data, admin policy attached to console user, CloudTrail deletedRestrict access immediately via SCP. Revert the change. Rotate all credentials.
HighSecurity group with SSH/3389 open to 0.0.0.0/0, IAM policy with wildcard actionsRevoke the permissive rule. Apply least-privilege. Investigate who made the change.
MediumBucket without versioning, CloudTrail without log file validationEnable the feature. No immediate risk of exposure.
LowNon-compliant tag, unused resourceDocument. Add to remediation backlog.

Step 4: Automate Remediation

Prevent future misconfigurations with:

  • Service Control Policies (SCPs) — deny creation of resources without encryption, deny public S3 buckets, deny CloudTrail deletion
  • AWS Config conformance packs — pre-built rule packs for CIS, NIST, PCI compliance
  • EventBridge + Lambda automation — when a public bucket is created, automatically apply a bucket policy to block public access
  • IAM Access Analyzer — continuously identifies resources shared with external principals

Prevention Toolkit

ToolWhat It DoesHow to Enable
IAM Access AnalyzerIdentifies resources shared with external entitiesOne-time setup, runs continuously
AWS ConfigTracks resource configuration changesEnable with recording in all regions
GuardDutyThreat detection — IAM credential compromise, crypto mining, S3 exfiltrationOne-click enable (30-day trial)
Security HubAggregates findings from GuardDuty, Config, Inspector, IAM Access AnalyzerEnable, enable CIS/AWS Foundational Security standards
Service Control PoliciesCentral guardrails for all accounts in an organizationRequires AWS Organizations
AWS Trusted AdvisorChecks for security group exposure (0.0.0.0/0), IAM key rotation, MFA on rootIncluded with Business/Enterprise support

Real World Examples

  • Capital One breach (2019) — A misconfigured web application firewall allowed a server-side request forgery attack that accessed S3 buckets containing over 100 million customer records, resulting in a $190 million settlement.
  • Uber breach by Lapsus$ (2022) — The Lapsus$ group gained access through MFA fatigue and an exposed PowerShell script containing hardcoded admin credentials in a network share, then pivoted to Uber’s AWS environment.
  • Pegasus Airlines S3 leak (2022) — A misconfigured S3 bucket exposed 23 million files including crew passports, flight logs, and sensitive aviation compliance documents.

Sources