17 Recurring AWS Security Risks and How to Audit Them

These articles are AI-generated summaries. Please check the original sources for full details.

17 AWS security issues I spot in almost every infrastructure audit

Cloud auditor Mariusz Gębala identifies root accounts without MFA and databases exposed to the public internet as persistent, industry-wide failures. Despite high-profile breaches such as Capital One's, many teams still ignore basic IAM and S3 guardrails.

Why This Matters

While ideal cloud models emphasize Zero Trust and automated compliance, the technical reality is often a buildup of mystery infrastructure such as stopped EC2 instances and unattached Elastic IPs costing $3.65 per month each. These hygiene gaps are not just financial waste; they expand the attack surface faster than manual quarterly audits can keep up.

Key Insights

  • IAM hygiene failure: Access keys are frequently found to be over 900 days old despite CIS recommendations to rotate every 90 days.
  • S3 Public Access Block: Enabling all four toggles prevents accidental exposure even if public ACLs are added, a critical defense against common data leaks.
  • EBS Encryption: AWS now encrypts new S3 objects by default as of 2023, but EBS volumes often remain unencrypted unless regional default encryption is manually enabled.
  • VPC Flow Logs: Custom VPCs without flow logs lack the visibility needed to establish the source, destination and port of traffic during a security incident.
  • RDS Exposure: Publicly accessible RDS instances are frequently discovered with security groups allowing all traffic (protocol -1) from 0.0.0.0/0.

Working Examples

Enables all four S3 Public Access Block toggles for a specific bucket.

aws s3api put-public-access-block \
--bucket my-bucket \
--public-access-block-configuration \
BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

Checks for any owned AMIs that are accidentally set to public.

aws ec2 describe-images --owners self \
--query "Images[?Public==\`true\`].[ImageId,Name]"

Enables EBS encryption by default for a specific region.

aws ec2 enable-ebs-encryption-by-default --region eu-central-1

Removes public accessibility from an RDS instance with immediate effect.

aws rds modify-db-instance \
--db-instance-identifier my-database \
--no-publicly-accessible \
--apply-immediately
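The RDS finding above combines two facts: the instance is flagged PubliclyAccessible, and a security group attached to it allows all traffic (protocol -1) from 0.0.0.0/0. As an added example, not part of the summarised article or its author's tooling, the Python below joins the output shapes of `aws rds describe-db-instances` and `aws ec2 describe-security-groups` and grades each public instance. The JSON inputs are constructed samples containing only the fields the check reads; the instance names and group IDs are made up.

```python
import json

# Constructed sample shaped like `aws rds describe-db-instances --output json`
# (only the fields the check reads are included; names are made up).
DB_INSTANCES_JSON = """
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-prod", "PubliclyAccessible": true,
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa", "Status": "active"}]},
  {"DBInstanceIdentifier": "reports-internal", "PubliclyAccessible": false,
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb", "Status": "active"}]},
  {"DBInstanceIdentifier": "analytics-public-locked", "PubliclyAccessible": true,
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0ccc", "Status": "active"}]}
]}
"""

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
# A protocol of "-1" is how the API expresses "all protocols and ports".
SECURITY_GROUPS_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "quickstart-db",
   "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                      "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "internal-db",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                      "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "office-only-db",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
"""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def open_to_world(perm):
    """True if an ingress rule accepts traffic from any IPv4 or IPv6 address."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in (ANY_V4, ANY_V6) for c in cidrs)


def describe_perm(perm):
    """Human-readable protocol/port range; protocol -1 carries no port fields."""
    if perm["IpProtocol"] == "-1":
        return "all protocols/ports"
    return f"{perm['IpProtocol']} {perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_rds_exposure(db_json, sg_json):
    """Return one finding per publicly accessible RDS instance.

    HIGH   = public endpoint AND an attached group open to the internet
    MEDIUM = public endpoint but every attached group is scoped to specific CIDRs
    """
    dbs = json.loads(db_json)["DBInstances"]
    sgs = {g["GroupId"]: g for g in json.loads(sg_json)["SecurityGroups"]}
    findings = []
    for db in dbs:
        if not db.get("PubliclyAccessible"):
            continue  # private endpoint: not in scope for this check
        world_rules = []
        for ref in db.get("VpcSecurityGroups", []):
            sg = sgs.get(ref["VpcSecurityGroupId"])
            if sg is None:
                continue  # group not in the export we were given
            for perm in sg.get("IpPermissions", []):
                if open_to_world(perm):
                    world_rules.append(f"{sg['GroupId']} allows {describe_perm(perm)} from the internet")
        findings.append({
            "instance": db["DBInstanceIdentifier"],
            "severity": "HIGH" if world_rules else "MEDIUM",
            "world_open_rules": world_rules,
        })
    return findings


if __name__ == "__main__":
    for f in audit_rds_exposure(DB_INSTANCES_JSON, SECURITY_GROUPS_JSON):
        print(f["severity"], f["instance"], *f["world_open_rules"], sep="\n  ")
```

In a real audit the two JSON documents come from the CLI calls named in the comments; every HIGH finding is a candidate for the `modify-db-instance --no-publicly-accessible` command above, followed by tightening the offending security group rule.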

Installs and runs the open-source cloud-audit CLI tool.

pip install cloud-audit
cloud-audit scan

Practical Applications

  • Use Case: Migrating workloads from the default VPC to custom private subnets with NAT to avoid the quick-start public defaults that lead to exposure.
  • Pitfall: Leaving unused access keys in an Active state for over 30 days, creating unnecessary risk for credentials that could be deactivated or deleted.
  • Use Case: Implementing Multi-AZ deployments for production RDS instances to ensure automatic failover and reduce recovery time from hours to minutes.
  • Pitfall: Relying on passwords alone for root accounts or using shared spreadsheets for credential storage instead of hardware MFA keys.
