27 Things AWS Can Do to Reduce Cloud Security Misconfigurations

Matt Fuller
7 min read · Jul 6, 2020

Last week, I presented a talk at fwd:cloudsec titled “It’s Time to Rethink the Shared Security Responsibility Model.” I argued that the balance of responsibility for securing cloud infrastructure environments has shifted too far in the direction of cloud security and development teams who are overwhelmed with configuration options. This imbalance, I posited, is a driving cause of many of the breaches we see in cloud environments today.

One theme that emerged is that cloud providers can do more to reduce the complexity of their environments and make small changes to their default settings across the services they offer. Integration of security callouts, action items, tooltips, etc. can go a long way to reducing developer mistakes. To help illustrate this point further, I’ve dug through the AWS console and put together a list of changes that I believe could have the most impact, while not requiring significant* investment from AWS.

*Please note that I do not have visibility behind the scenes into AWS’s environment, of course, so these are merely meant as suggestions to evoke thought around this topic.

1. Extend the default CloudTrail that is enabled for all new accounts to 365 days of retention. The built-in default of 90 days is not sufficient for proper long-term post-exploitation…
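As an added illustration of the retention point (this is example code written for this page, not the author's or AWS's), the check below evaluates whether an account's CloudTrail setup actually keeps logs for 365 days. Event history alone keeps 90 days; longer retention comes from a trail that delivers to S3, where the bucket's lifecycle rules decide how long the objects survive. The input dictionaries are constructed samples whose shape mirrors the `trailList` of boto3's `describe_trails()` and the `Rules` of `get_bucket_lifecycle_configuration()`; in practice you would pass those API responses in. The prefix filter on lifecycle rules is not evaluated here, which is an assumption of the example.

```python
"""Check whether CloudTrail log retention meets a required minimum (in days).

Constructed sample data stands in for the AWS API responses so the check runs offline.
"""

REQUIRED_RETENTION_DAYS = 365

# Constructed sample: same shape as cloudtrail.describe_trails()["trailList"].
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "S3BucketName": "example-cloudtrail-logs",  # placeholder bucket name
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
    },
]

# Constructed sample: bucket name -> s3.get_bucket_lifecycle_configuration()["Rules"].
# This bucket expires objects after 90 days, which is too short for the 365-day target.
SAMPLE_LIFECYCLES = {
    "example-cloudtrail-logs": [
        {"ID": "expire-old-logs", "Status": "Enabled", "Filter": {"Prefix": ""},
         "Expiration": {"Days": 90}},
    ],
}


def effective_retention_days(rules):
    """Return the shortest enabled expiration in days, or None if objects never expire.

    Only enabled rules with an Expiration.Days value count; disabled rules, rules that
    expire on a fixed date, and rules without an Expiration block are ignored.
    Assumption: any matching rule covers the CloudTrail prefix (prefix filters not checked).
    """
    days = [
        rule["Expiration"]["Days"]
        for rule in rules
        if rule.get("Status") == "Enabled" and "Days" in rule.get("Expiration", {})
    ]
    return min(days) if days else None


def check_trail_retention(trails, lifecycles, required_days=REQUIRED_RETENTION_DAYS):
    """Produce one finding per trail: {"trail", "status", "reason"} with status ok/fail.

    An account with no trail at all gets a single failing finding, because only the
    90-day event history would then be available.
    """
    findings = []
    if not trails:
        findings.append({"trail": None, "status": "fail",
                         "reason": "no trail configured; only the 90-day event history applies"})
        return findings

    for trail in trails:
        name = trail["Name"]
        bucket = trail.get("S3BucketName")
        if not bucket:
            findings.append({"trail": name, "status": "fail",
                             "reason": "trail has no S3 delivery; logs are not retained long-term"})
            continue

        retention = effective_retention_days(lifecycles.get(bucket, []))
        if retention is None:
            findings.append({"trail": name, "status": "ok",
                             "reason": f"bucket {bucket} has no expiration rule; logs are kept indefinitely"})
        elif retention < required_days:
            findings.append({"trail": name, "status": "fail",
                             "reason": f"bucket {bucket} expires logs after {retention} days "
                                       f"(required: {required_days})"})
        else:
            findings.append({"trail": name, "status": "ok",
                             "reason": f"bucket {bucket} retains logs for {retention} days"})
    return findings


if __name__ == "__main__":
    for finding in check_trail_retention(SAMPLE_TRAILS, SAMPLE_LIFECYCLES):
        print(f"[{finding['status'].upper()}] {finding['trail']}: {finding['reason']}")
```

Run against real data, the same function takes `describe_trails()["trailList"]` and a mapping of bucket names to their lifecycle rules; a bucket without a lifecycle configuration raises `NoSuchLifecycleConfiguration` in boto3, which maps to an empty rule list here (retained indefinitely).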


Matt Fuller

Founder of @CloudSploit , acquired by @AquaSecTeam . Former Infra / Security / Manager @Adobe , @Aviary & @Mozilla intern, @RITtigers grad, @NYC resident