April 23, 2025
5 Impactful AWS Vulnerabilities You're Responsible For
If you're using AWS, it's easy to assume your cloud security is handled - but that's a dangerous misconception. AWS secures its own infrastructure, but security within a cloud environment remains the customer’s responsibility. Think of AWS security like protecting a building: AWS provides strong walls and a solid roof, but it's up to the customer to handle the locks, install the alarm systems,

Mar 31, 2025The Hacker NewsIntrusion Detection / Vulnerability

If you’re using AWS, it’s easy to assume your cloud security is handled – but that’s a dangerous misconception. AWS secures its own infrastructure, but security within a cloud environment remains the customer’s responsibility.

Think of AWS security like protecting a building: AWS provides strong walls and a solid roof, but it’s up to the customer to handle the locks, install the alarm systems, and ensure valuables aren’t left exposed.

In this blog, we’ll clarify what AWS doesn’t secure, highlight real-world vulnerabilities, and how cloud security scanners like Intruder can help.

Understanding the AWS Shared Responsibility Model

AWS operates on a Shared Responsibility Model. In simple terms:

  • AWS is responsible for securing the underlying infrastructure (e.g., hardware, networking, data centers) – the “walls and roof.”
  • The customer is responsible for securing their data, applications, and configurations within AWS – the “locks and alarms.”

Understanding this distinction is essential for maintaining a secure AWS environment.

5 Real-World AWS Vulnerabilities You Need to Address

Let’s look at some real-world vulnerabilities that fall under the customer’s responsibility and what can be done to mitigate them.

Server-Side Request Forgery (SSRF)

Applications hosted in AWS are still vulnerable to attacks like SSRF, where attackers trick a server into making requests on their behalf. These attacks can result in unauthorized data access and further exploitation.

To defend against SSRF:

  • Regularly scan and fix vulnerabilities in applications.
  • Enable AWS IMDSv2, which provides an additional security layer against SSRF attacks. AWS provides this safeguard, but configuration is the customer’s responsibility.

Access Control Weaknesses

AWS Identify and Access Management (IAM) allows customers to manage who can access what resources – but it’s only as strong as its implementation. Customers are responsible for ensuring users and systems only have access to the resources they truly need.

Common missteps include:

  • Overly permissive roles and access
  • Missing security controls
  • Accidentally public S3 buckets

Data Exposures

AWS customers are responsible for the security of the data they store in the cloud – and for how their applications access that data.

For example, if your application connects to an AWS Relational Database Service (RDS), the customer must ensure that the application doesn’t expose sensitive data to attackers. A simple vulnerability like an Insecure Direct Object Reference (IDOR) is all it would take for an attacker with a user account to access data belonging to all other users.

Patch Management

It almost goes without saying, but AWS does not patch servers! Customers who deploy EC2 instances are fully responsible for keeping the operating system (OS) and software up to date.

Take Redis deployed on Ubuntu 24.04 as an example – the customer is responsible for patching vulnerabilities in both the software (Redis) and the OS (Ubuntu). AWS only manages underlying hardware vulnerabilities, like firmware issues.

AWS services like Lambda reduce some patching responsibilities, but you’re still responsible for using supported runtimes and keeping things up to date.

Firewalls and Attack Surface

AWS gives customers control over their attack surface, but isn’t responsible for what they choose to expose.

For instance, if a GitLab server is deployed on AWS, the customer is responsible for layering it behind a VPN, using a firewall, or placing it inside a Virtual Private Cloud (VPC) while ensuring their team has a secure way to access it. Otherwise, a zero-day vulnerability could leave your data compromised, and AWS won’t be at fault.

The Key Takeaway

These examples make one thing clear: cloud security doesn’t come out of the box. While AWS secures the underlying infrastructure, everything built on top of it is the customer’s responsibility. Overlooking that fact can expose an organization to serious risk – but with the right tools, staying secure is entirely within reach.

Level Up Your Cloud Security With Intruder

Intruder helps you stay ahead of all these vulnerabilities and more, by combining agentless cloud security scanning, vulnerability scanning, and attack surface management in one powerful, easy-to-use platform.

Why it’s a game changer:

  • Find what others miss: Intruder combines external vulnerability scanning with information from AWS accounts to find risks that other solutions might miss.
  • No false alarms: CSPM tools can overhype severity. Intruder prioritizes real risks so you can focus on what truly matters.
  • Crystal clear fixes: Issues are explained in plain English with step-by-step remediation guidance.
  • Continuous protection: Stay ahead with continuous monitoring and alerts when new risks emerge.
  • Predictable pricing: Unlike other cloud security tools that can rack up unpredictable costs, there’s no surprise charges with Intruder.

Get set up in minutes and receive instant insights into your cloud security – start your 14 day free trial today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals

Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals

GCP Cloud Composer Bug Let Attackers Elevate Access via Malicious PyPI Packages GCP Cloud Composer Bug Let Attackers Elevate Access via Malicious PyPI Packages

GCP Cloud Composer Bug Let Attackers Elevate Access via Malicious PyPI Packages

5 Major Concerns With Employees Using The Browser 5 Major Concerns With Employees Using The Browser

5 Major Concerns With Employees Using The Browser

Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials

Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials

You may have missed

Here’s what Elon Musk said about tariffs and their potential effect on Tesla Here's what Elon Musk said about tariffs and their potential effect on Tesla

Here’s what Elon Musk said about tariffs and their potential effect on Tesla

Tesla CEO Musk says time he spends on DOGE will drop ‘significantly’ next month Tesla CEO Musk says time he spends on DOGE will drop 'significantly' next month

Tesla CEO Musk says time he spends on DOGE will drop ‘significantly’ next month

Meta could take a $7 billion hit this year because of Trump’s tough China tariffs Meta could take a billion hit this year because of Trump's tough China tariffs

Meta could take a $7 billion hit this year because of Trump’s tough China tariffs

Tesla short sellers have made $11.5 billion from this year’s selloff Tesla short sellers have made .5 billion from this year's selloff

Tesla short sellers have made $11.5 billion from this year’s selloff

Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals

Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals

Instagram launches Edits app for video, rivaling TikTok Instagram launches Edits app for video, rivaling TikTok

Instagram launches Edits app for video, rivaling TikTok