3 Ways Your AWS Account Could Get Hacked
Arpio blog, published 2020-11-09

If you're going to protect yourself from getting hacked, it helps to understand how you get hacked in the first place. Here are 3 attack vectors for your AWS account, and some best practices to lock them down.

#1: Leaked AWS Credentials

Obviously, if you share your credentials publicly, bad people can do bad things with them. And you wouldn't do that, right? But mistakes happen, more often than you might think. This particular attack vector most commonly arises from access keys getting committed to public source code repositories. Typically, the committer thought the repository was private.

MITIGATION: DON'T STORE SECRETS IN SOURCE CONTROL

Never check access keys, passwords, or other secrets into source control. It doesn't matter that the repo is private. Manage them in a secret store that can be accessed at runtime (sometimes at deploy time) such as AWS Secrets Manager, Systems Manager Parameter Store, or HashiCorp Vault.

MITIGATION: OR DON'T STORE SECRETS AT ALL

All of the AWS compute services allow you to specify an IAM Role for their compute instances (EC2 instances, ECS tasks, EKS pods, or Lambda functions) to run as. When you use IAM Roles, the access keys are automatically provided to the process; you don't have to handle them at all.

#2: Compromised Laptop (Or Desktop)

When bad people steal access to your computer, they have access to do all kinds of things. At the very least, they can easily discover any AWS access keys you've stored in the AWS credentials file. They may also be able to log key presses, including the password you enter into the AWS console. You don't want that.

MITIGATION: MFA

You've heard it 1000 times before, but you should be using multi-factor authentication when accessing your production AWS account. This is commonly used to control access to the AWS console, but you should also use it at the command line, and for any programmatic access that originates from your machine. Unfortunately, AWS command line access with MFA enabled is pretty cumbersome (https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/). Take a look at aws-vault (https://github.com/99designs/aws-vault) for a nice way to simplify it.

#3: Compromised Compute Instance

As mentioned above, compute instances (EC2, ECS, EKS, and Lambda) in AWS can optionally run as an IAM Role, which implicitly grants the software on those instances the ability to access other resources in your AWS account. The scope of access depends on the policies applied to the IAM Role.

Under the covers, this works by making access keys available within the environment of the compute instance. For Lambda, they're in the standard AWS environment variables (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html), while for other types of compute they're available as metadata that can be queried over HTTP from the box.

If an attacker compromises your compute instance, they can get these keys. And if the associated IAM Role is granted permission to do nefarious things, the attacker can do those nefarious things. That's not a good thing.

MITIGATION: APPLY YOUR SECURITY PATCHES!

Whether it's a Lambda script, a Docker container in ECS/EKS, or a full operating system running on an EC2 instance, you need to make sure you're up to date on your security patches. Not staying current on fixes to well-publicized security vulnerabilities is just asking for trouble.

MITIGATION: LEAST PRIVILEGE FOR YOUR IAM ROLES

You've undoubtedly heard this 1000 times as well. Don't grant your IAM Roles more permissions than they absolutely need for the software running on the instance.

About Arpio

Arpio is comprehensive disaster recovery for AWS so that you don't have to build it yourself. If your AWS account ever gets hacked, and the attacker decides to ransomware or delete your data (including your backups), Arpio makes it easy to recover.

Learn more at www.arpio.io.