Overlooking medium and low-severity cloud security misconfigurations can have consequences.
In cloud computing, protecting your data, applications, and infrastructure from threats is a continuous effort, and one of the most common pitfalls is misconfiguration. While many organizations focus on addressing high-severity security misconfigurations, they often underestimate the risks associated with medium and low-severity issues. This oversight can prove costly, as we will illustrate with a few examples.
In Part 1 of our ‘Severity Matters’ post series, we delve into how attackers exploit so-called ‘low-risk’ misconfigurations to gain access to your environment through vulnerabilities in the AWS Glue Data Catalog.
Unencrypted AWS Glue Data Catalog
Overview
AWS Glue consolidates major data integration capabilities into a single service. When you create jobs, crawlers, and development endpoints in AWS Glue, you can provide encryption settings by attaching a security configuration. The AWS Glue Data Catalog is your persistent technical metadata store in the AWS Cloud – it silos data, allowing disparate systems within your environment to store and find metadata.
The AWS Glue Data Catalog stores metadata about your data sources, ETL jobs, and other information related to your data. This metadata can include sensitive information like data source credentials, schema definitions, and data lineage. Encrypting this metadata helps protect it from unauthorized access and data breaches.
More info on AWS Glue is available via AWS docs.
Certain Cloud Security Posture Management (CSPM) and Cloud Native Application Protection Platform (CNAPP) vendors classify an unencrypted AWS Glue Data Catalog as a low- or medium-severity misconfiguration. These ratings treat encryption of the Glue Data Catalog at rest as less critical than other security issues. However, how much this encryption matters depends heavily on the data stored within the catalog.
Whatever severity a vendor assigns, sensitive metadata within the Glue service can pose substantial risk if left unencrypted: compliance violations, data breaches, and legal consequences, particularly where the catalog describes regulated data such as personally identifiable information (PII) or financial records. Encrypting this data remains an essential measure against unauthorized access, and organizations should weigh and implement it according to their own data security needs.
Below we describe how attackers can take advantage of unencrypted AWS Glue Data Catalog metadata, showing that, in some cases, dismissing a finding because of its severity rating can actually hurt.
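The severity a scanner assigns is only useful if you also know what your own catalog's setting is. The following is an added example (our illustration, not Tamnoon's or AWS's code) that evaluates the response shape returned by the Glue `GetDataCatalogEncryptionSettings` API and builds the payload for `PutDataCatalogEncryptionSettings`. The sample response is constructed; the KMS key ARN and the account id are placeholders, and the live boto3 calls are confined to `main()` so the checks themselves run offline.

```python
"""Audit and remediate AWS Glue Data Catalog encryption-at-rest settings.

The pure-logic helpers take the dict shape returned by
glue.get_data_catalog_encryption_settings(); the boto3 calls live only in
main() so the checks can be exercised against a constructed sample.
"""
from __future__ import annotations

# Constructed sample (not a real account) in the shape the API returns for a
# catalog whose encryption has never been configured.
SAMPLE_UNENCRYPTED = {
    "DataCatalogEncryptionSettings": {
        "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
        "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False},
    }
}

# Placeholder key ARN; substitute the customer-managed key you want Glue to use.
PLACEHOLDER_KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"


def assess_catalog_encryption(response: dict) -> list[str]:
    """Return findings for a GetDataCatalogEncryptionSettings response.

    An empty list means catalog metadata and connection passwords are both
    protected; each string otherwise names one gap.
    """
    settings = response.get("DataCatalogEncryptionSettings", {})
    at_rest = settings.get("EncryptionAtRest", {})
    passwords = settings.get("ConnectionPasswordEncryption", {})
    findings: list[str] = []

    mode = at_rest.get("CatalogEncryptionMode", "DISABLED")
    if mode == "DISABLED":
        findings.append("catalog metadata (tables, schemas, lineage) is not encrypted at rest")
    elif not at_rest.get("SseAwsKmsKeyId"):
        findings.append(f"mode is {mode} but no KMS key id is recorded")

    # Connection objects are where data-source credentials live; without this
    # flag GetConnection hands the stored password back in plaintext.
    if not passwords.get("ReturnConnectionPasswordEncrypted", False):
        findings.append("connection passwords are returned in plaintext by GetConnection")
    return findings


def hardened_settings(kms_key_arn: str) -> dict:
    """Build the DataCatalogEncryptionSettings value that closes both gaps."""
    return {
        "EncryptionAtRest": {
            "CatalogEncryptionMode": "SSE-KMS",
            "SseAwsKmsKeyId": kms_key_arn,
        },
        "ConnectionPasswordEncryption": {
            "ReturnConnectionPasswordEncrypted": True,
            "AwsKmsKeyId": kms_key_arn,
        },
    }


def main() -> None:
    """Check the current account's catalog and, if needed, enable encryption."""
    import boto3  # imported here so the offline helpers do not need it

    glue = boto3.client("glue")
    findings = assess_catalog_encryption(glue.get_data_catalog_encryption_settings())
    if not findings:
        print("Glue Data Catalog encryption: OK")
        return
    for finding in findings:
        print("FINDING:", finding)
    glue.put_data_catalog_encryption_settings(
        DataCatalogEncryptionSettings=hardened_settings(PLACEHOLDER_KMS_KEY)
    )
    print("Remediation applied; re-run to confirm.")


if __name__ == "__main__":
    main()
```

Enabling `SSE-KMS` only affects metadata written after the change; existing catalog objects are not re-encrypted until they are updated, so the audit should be repeated after the next crawler or ETL run. The caller also needs `kms:Encrypt`/`kms:Decrypt` on the chosen key, or catalog reads will start failing.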
Sample Attack Path
Step 1: Reconnaissance
Attackers conduct reconnaissance to identify the AWS Glue Data Catalog’s entry points and potential vulnerabilities. They may discover this through automated scans, accidental findings, or by specifically targeting the service.
Step 2: Access to the Data Catalog
The attacker attempts to access the AWS Glue Data Catalog. This could involve using valid AWS credentials, finding a misconfigured access policy, or exploiting vulnerabilities in the service.
Step 3: Unauthorized Metadata Access
The attacker gains unauthorized access to the unencrypted metadata. This may include sensitive information like data source credentials, schema definitions, and data lineage.
Step 4: Data Exfiltration
The attacker can exfiltrate the sensitive metadata from the Data Catalog. This information can be valuable for understanding data sources, ETL processes, and data flows within the organization.
Step 5: Expanding Attack Surface
With access to metadata, a potential attacker can uncover vulnerabilities or deficiencies in the ETL (Extract, Transform, Load) process and pinpoint sensitive data repositories within the organization. This information can then be harnessed to engage in activities like data tampering and privilege escalation.
How to stay secure
Medium and low severity misconfigurations can easily get lost in the noise of thousands of CNAPP or CSPM alerts. But as we’ve seen, a misconfigured access policy for AWS Glue can expose you to exfiltration of sensitive metadata, enabling malicious actors to precisely target your crown jewels.
Make sure that you set up encryption in AWS Glue, review your access policies for potential misconfigurations, and regularly monitor access to your AWS Glue data catalog.
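"Regularly monitor access" is concrete once you know what to look for: Glue catalog reads are CloudTrail management events, so the record carries the caller's ARN, the API name and the request parameters. The following is an added example (ours, not Tamnoon's or AWS's tooling) that flags catalog reads from principals outside an expected list and, separately, `GetConnection` calls that retrieve the stored password. The CloudTrail records are constructed, the account id and role names are placeholders, and the camel-cased `requestParameters` key names are an assumption about how CloudTrail serializes Glue parameters.

```python
"""Flag AWS Glue Data Catalog reads in CloudTrail that deserve a second look.

Two signals are checked per record: whether the caller is one of the
principals you expect to read the catalog, and whether a connection (the
object that holds data-source credentials) was read with its password.
"""
from __future__ import annotations

# Catalog APIs that return the metadata the post describes: connections carry
# credentials; databases, tables and partitions carry schemas and locations.
CATALOG_READ_EVENTS = {
    "GetConnection", "GetConnections",
    "GetDatabase", "GetDatabases",
    "GetTable", "GetTables", "SearchTables", "GetPartitions",
}

# Constructed CloudTrail records (placeholder account 111122223333, not real
# logs) in the standard record shape; requestParameters key casing is assumed.
SAMPLE_EVENTS = [
    {
        "eventSource": "glue.amazonaws.com", "eventName": "GetTables",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/etl-job-role/GlueJobRunnerSession"},
        "requestParameters": {"databaseName": "sales"},
    },
    {
        "eventSource": "glue.amazonaws.com", "eventName": "GetConnection",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"},
        "requestParameters": {"name": "prod-postgres", "hidePassword": False},
    },
    {
        "eventSource": "glue.amazonaws.com", "eventName": "GetDatabases",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/etl-job-role/GlueJobRunnerSession"},
        "requestParameters": {},
    },
    {
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"},
        "requestParameters": {"bucketName": "reports"},
    },
]

# Principals that legitimately read the catalog; prefix match so that every
# session of the ETL role is covered. Placeholder value for the example.
EXPECTED_PRINCIPALS = ["arn:aws:sts::111122223333:assumed-role/etl-job-role/"]


def flag_catalog_reads(events: list[dict], expected_principals: list[str]) -> list[dict]:
    """Return one entry per suspicious Glue catalog read, with the reasons."""
    flagged = []
    for event in events:
        if event.get("eventSource") != "glue.amazonaws.com":
            continue
        name = event.get("eventName", "")
        if name not in CATALOG_READ_EVENTS:
            continue
        arn = event.get("userIdentity", {}).get("arn", "")
        params = event.get("requestParameters") or {}
        reasons = []
        if not any(arn.startswith(prefix) for prefix in expected_principals):
            reasons.append(f"unexpected principal {arn}")
        # hidePassword defaults to false, so an absent key also means the
        # stored credential was returned to the caller.
        if name in ("GetConnection", "GetConnections") and not params.get("hidePassword", False):
            reasons.append("connection read with password included")
        if reasons:
            flagged.append({"eventName": name, "principal": arn, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_catalog_reads(SAMPLE_EVENTS, EXPECTED_PRINCIPALS):
        print(hit["eventName"], hit["principal"], "->", "; ".join(hit["reasons"]))
```

Run against a CloudTrail export the same filter applies to the `Records` array of each file. Keeping the expected-principal list short is the point: the catalog should only be read by the ETL and analytics roles you already know about, so anything else is worth a ticket rather than a dashboard tile.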
Learn more about how Tamnoon leverages machine learning and human cloud expertise to triage and prioritize alerts – so you’re focusing on what matters most.