Fundamentals
T1525, T1613AWS Misconfigurations
AWS misconfigurations are cloud setup mistakes that expose data, identities, networks, or workloads to unnecessary risk.
View on Graph
What Is It and Why It Matters
- AWS misconfigurations are the root cause of most cloud security incidents because the shared responsibility model puts configuration control in the customer’s hands, and the default settings aren’t always the most secure.
- A single misconfigured IAM policy, S3 bucket ACL, or security group can expose sensitive data to the entire internet within minutes.
- Cloud environments change rapidly — new services are deployed, permissions evolve, and resources are shared across teams — making continuous configuration monitoring essential.
- For security analysts, understanding common cloud misconfiguration patterns is critical because traditional network and endpoint detection tools often lack visibility into cloud control planes.
High-Impact Misconfiguration Categories
IAM Policy Misconfigurations
The most common source of cloud privilege escalation. IAM policies control who can do what with which AWS resources — and one overly permissive policy can grant an attacker full admin access.
Common patterns:
| Misconfiguration | Risk | Example Bad Policy |
|---|---|---|
"Action": "*" | User/role can perform any action | "Effect": "Allow", "Action": "*", "Resource": "*" |
"Resource": "*" | Access to all resources of the allowed action type | "Action": "s3:*", "Resource": "*" — full S3 access |
| PassRole to untrusted roles | iam:PassRole allows attacker to attach high-privilege roles to an EC2 instance they control | "Action": "iam:PassRole", "Resource": "*" |
| No condition key for MFA | Attacker with stolen keys can use them without MFA | Missing "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}} |
| Wildcard in service action | ec2:* gives full EC2 control, including terminating instances | "Action": "ec2:*" instead of specific actions |
Detection: CloudTrail events PutUserPolicy, PutRolePolicy, AttachRolePolicy, AttachUserPolicy are the key events to monitor. A developer attaching the AdministratorAccess managed policy to a service role they work with is a common privilege escalation pattern.
SPL query — detect IAM policy changes that expand permissions:
index=cloudtrail
( eventName=PutUserPolicy OR eventName=PutRolePolicy OR eventName=AttachRolePolicy OR eventName=AttachUserPolicy OR eventName=CreatePolicy )
| search policyDocument = "*"
| rex field=requestParameters "policyDocument.*(Action|Effect|Resource).*(\*|FullAccess)"
| stats values(eventName) as Actions, values(userIdentity.arn) as Actor by sourceIPAddress, _time
| eval alert = "HIGH — IAM policy change with wildcard permissions"
S3 Bucket Misconfigurations
An S3 bucket with public read access exposes its contents to anyone on the internet. This is the most publicized cloud misconfiguration pattern for a reason — it keeps happening.
Common patterns:
| Misconfiguration | Risk | Detection |
|---|---|---|
| Bucket ACL allows public read/write | Anyone can list, read, write files | CloudTrail: PutBucketAcl with public URI |
| Bucket policy allows anonymous access | Same risk, via bucket policy instead of ACL | CloudTrail: PutBucketPolicy with "Principal": "*" |
| S3 Object ACL allows public access | Individual objects made public despite bucket being private | CloudTrail: PutObjectAcl with public grantee |
| Missing bucket versioning | No recovery from ransomware or accidental deletion | AWS Config rule: s3-bucket-versioning-enabled |
| Bucket accessible from any VPC | No VPC endpoint restriction | CloudTrail: requests from non-VPC sources |
Detection: CloudTrail events PutBucketPolicy, PutBucketAcl, and PutBucketPublicAccessBlock are critical. Monitor these in a dedicated CloudWatch alarm.
SPL query — detect bucket policy change to public:
index=cloudtrail eventName=PutBucketPolicy
| rex field=requestParameters "bucketPolicy.*(?<PrincipalPrincipal>(?i)\*)"
| search PrincipalPrincipal="*"
| stats values(requestParameters.bucketName) as Bucket by userIdentity.arn, sourceIPAddress, _time
| eval alert = "CRITICAL — S3 bucket policy changed to allow public access"
Security Group Misconfigurations
Security groups are stateful firewalls for EC2 instances. Overly permissive rules expose compute resources to the internet.
Common patterns:
| Misconfiguration | Risk | Example |
|---|---|---|
| SSH open to 0.0.0.0/0 | Anyone can attempt SSH to any instance in the group | port 22, source 0.0.0.0/0 |
| RDP open to 0.0.0.0/0 | Anyone can attempt RDP to Windows instances | port 3389, source 0.0.0.0/0 |
| All ports open to 0.0.0.0/0 | Full network exposure | port 0-65535, source 0.0.0.0/0 |
| Database port open to 0.0.0.0/0 | Database directly accessible from internet | port 3306/5432/1433, source 0.0.0.0/0 |
| Egress rule allows all traffic | Data exfiltration not restricted | outbound 0.0.0.0/0, port all — default, but risky |
Detection: CloudTrail events AuthorizeSecurityGroupIngress and AuthorizeSecurityGroupEgress. Alert when source is 0.0.0.0/0 and port is a management port (22, 3389, 22) or database port.
CloudTrail Logging Disabled
If an attacker disables CloudTrail, they can operate in the account without leaving audit records. This is the cloud equivalent of clearing the Windows Event Log.
Detection: CloudTrail events StopLogging, UpdateTrail (set EnableLogFileValidation=false), DeleteTrail. These should trigger immediate critical alerts.
SPL query — detect CloudTrail logging changes:
index=cloudtrail (eventName=StopLogging OR eventName=DeleteTrail OR eventName=UpdateTrail)
| search requestParameters.name IN ("*")
| stats values(requestParameters.name) as TrailName, values(eventName) as Action by userIdentity.arn, sourceIPAddress
| eval alert = "CRITICAL — CloudTrail logging disabled or deleted"
Detection Workflow — Cloud Misconfiguration Triage
Step 1: Identify What Changed
When an alert fires for a misconfiguration, start with:
| Question | Data Source |
|---|---|
| What resource changed? | CloudTrail event — look at requestParameters for the specific resource (bucket name, security group ID, policy ARN) |
| Who made the change? | userIdentity.arn — is this a human user, role, or service account? |
| From where? | sourceIPAddress — is this from the corporate VPN, home IP, or a new location? |
| What was the previous state? | AWS Config — check resource configuration history (requires Config recorder to be enabled) |
| Was this expected? | Change management system (ServiceNow, Jira) — was there a change ticket? |
Step 2: Correlate with Other CloudTrail Events
A single misconfiguration is often part of a chain. Check for correlated events in the same time window:
CreateUserorCreateAccessKeybefore a policy change — attacker created their own backdoorAssumeRolefrom an unexpected source — cross-account access abuseRunInstancesin a new region — attacker launching compute for crypto miningGetSecretValuefrom Secrets Manager or SSM Parameter Store — credential access after privilege escalation
Step 3: Assess and Remediate
| Severity | Criteria | Immediate Action |
|---|---|---|
| Critical | Public S3 bucket with sensitive data, admin policy attached to console user, CloudTrail deleted | Restrict access immediately via SCP. Revert the change. Rotate all credentials. |
| High | Security group with SSH/3389 open to 0.0.0.0/0, IAM policy with wildcard actions | Revoke the permissive rule. Apply least-privilege. Investigate who made the change. |
| Medium | Bucket without versioning, CloudTrail without log file validation | Enable the feature. No immediate risk of exposure. |
| Low | Non-compliant tag, unused resource | Document. Add to remediation backlog. |
Step 4: Automate Remediation
Prevent future misconfigurations with:
- Service Control Policies (SCPs) — deny creation of resources without encryption, deny public S3 buckets, deny CloudTrail deletion
- AWS Config conformance packs — pre-built rule packs for CIS, NIST, PCI compliance
- EventBridge + Lambda automation — when a public bucket is created, automatically apply a bucket policy to block public access
- IAM Access Analyzer — continuously identifies resources shared with external principals
Prevention Toolkit
| Tool | What It Does | How to Enable |
|---|---|---|
| IAM Access Analyzer | Identifies resources shared with external entities | One-time setup, runs continuously |
| AWS Config | Tracks resource configuration changes | Enable with recording in all regions |
| GuardDuty | Threat detection — IAM credential compromise, crypto mining, S3 exfiltration | One-click enable (30-day trial) |
| Security Hub | Aggregates findings from GuardDuty, Config, Inspector, IAM Access Analyzer | Enable, enable CIS/AWS Foundational Security standards |
| Service Control Policies | Central guardrails for all accounts in an organization | Requires AWS Organizations |
| AWS Trusted Advisor | Checks for security group exposure (0.0.0.0/0), IAM key rotation, MFA on root | Included with Business/Enterprise support |
Real World Examples
- Capital One breach (2019) — A misconfigured web application firewall allowed a server-side request forgery attack that accessed S3 buckets containing over 100 million customer records, resulting in a $190 million settlement.
- Uber breach by Lapsus$ (2022) — The Lapsus$ group gained access through MFA fatigue and an exposed PowerShell script containing hardcoded admin credentials in a network share, then pivoted to Uber’s AWS environment.
- Pegasus Airlines S3 leak (2022) — A misconfigured S3 bucket exposed 23 million files including crew passports, flight logs, and sensitive aviation compliance documents.
Related
- Active Directory Basics — covers the active directory basics concepts
- Cloud Security Fundamentals — detection and response for T1525 techniques
- Common Ports and Protocols — covers the common ports and protocols concepts
