April 2, 2025
5 Impactful AWS Vulnerabilities You're Responsible For
If you're using AWS, it's easy to assume your cloud security is handled - but that's a dangerous misconception. AWS secures its own infrastructure, but security within a cloud environment remains the customer’s responsibility. Think of AWS security like protecting a building: AWS provides strong walls and a solid roof, but it's up to the customer to handle the locks, install the alarm systems,

Mar 31, 2025The Hacker NewsIntrusion Detection / Vulnerability

If you’re using AWS, it’s easy to assume your cloud security is handled – but that’s a dangerous misconception. AWS secures its own infrastructure, but security within a cloud environment remains the customer’s responsibility.

Think of AWS security like protecting a building: AWS provides strong walls and a solid roof, but it’s up to the customer to handle the locks, install the alarm systems, and ensure valuables aren’t left exposed.

In this blog, we’ll clarify what AWS doesn’t secure, highlight real-world vulnerabilities, and how cloud security scanners like Intruder can help.

Understanding the AWS Shared Responsibility Model

AWS operates on a Shared Responsibility Model. In simple terms:

  • AWS is responsible for securing the underlying infrastructure (e.g., hardware, networking, data centers) – the “walls and roof.”
  • The customer is responsible for securing their data, applications, and configurations within AWS – the “locks and alarms.”

Understanding this distinction is essential for maintaining a secure AWS environment.

5 Real-World AWS Vulnerabilities You Need to Address

Let’s look at some real-world vulnerabilities that fall under the customer’s responsibility and what can be done to mitigate them.

Server-Side Request Forgery (SSRF)

Applications hosted in AWS are still vulnerable to attacks like SSRF, where attackers trick a server into making requests on their behalf. These attacks can result in unauthorized data access and further exploitation.

To defend against SSRF:

  • Regularly scan and fix vulnerabilities in applications.
  • Enable AWS IMDSv2, which provides an additional security layer against SSRF attacks. AWS provides this safeguard, but configuration is the customer’s responsibility.

Access Control Weaknesses

AWS Identify and Access Management (IAM) allows customers to manage who can access what resources – but it’s only as strong as its implementation. Customers are responsible for ensuring users and systems only have access to the resources they truly need.

Common missteps include:

  • Overly permissive roles and access
  • Missing security controls
  • Accidentally public S3 buckets

Data Exposures

AWS customers are responsible for the security of the data they store in the cloud – and for how their applications access that data.

For example, if your application connects to an AWS Relational Database Service (RDS), the customer must ensure that the application doesn’t expose sensitive data to attackers. A simple vulnerability like an Insecure Direct Object Reference (IDOR) is all it would take for an attacker with a user account to access data belonging to all other users.

Patch Management

It almost goes without saying, but AWS does not patch servers! Customers who deploy EC2 instances are fully responsible for keeping the operating system (OS) and software up to date.

Take Redis deployed on Ubuntu 24.04 as an example – the customer is responsible for patching vulnerabilities in both the software (Redis) and the OS (Ubuntu). AWS only manages underlying hardware vulnerabilities, like firmware issues.

AWS services like Lambda reduce some patching responsibilities, but you’re still responsible for using supported runtimes and keeping things up to date.

Firewalls and Attack Surface

AWS gives customers control over their attack surface, but isn’t responsible for what they choose to expose.

For instance, if a GitLab server is deployed on AWS, the customer is responsible for layering it behind a VPN, using a firewall, or placing it inside a Virtual Private Cloud (VPC) while ensuring their team has a secure way to access it. Otherwise, a zero-day vulnerability could leave your data compromised, and AWS won’t be at fault.

The Key Takeaway

These examples make one thing clear: cloud security doesn’t come out of the box. While AWS secures the underlying infrastructure, everything built on top of it is the customer’s responsibility. Overlooking that fact can expose an organization to serious risk – but with the right tools, staying secure is entirely within reach.

Level Up Your Cloud Security With Intruder

Intruder helps you stay ahead of all these vulnerabilities and more, by combining agentless cloud security scanning, vulnerability scanning, and attack surface management in one powerful, easy-to-use platform.

Why it’s a game changer:

  • Find what others miss: Intruder combines external vulnerability scanning with information from AWS accounts to find risks that other solutions might miss.
  • No false alarms: CSPM tools can overhype severity. Intruder prioritizes real risks so you can focus on what truly matters.
  • Crystal clear fixes: Issues are explained in plain English with step-by-step remediation guidance.
  • Continuous protection: Stay ahead with continuous monitoring and alerts when new risks emerge.
  • Predictable pricing: Unlike other cloud security tools that can rack up unpredictable costs, there’s no surprise charges with Intruder.

Get set up in minutes and receive instant insights into your cloud security – start your 14 day free trial today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign

Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign

Enterprise Gmail Users Can Now Send End-to-End Encrypted Emails to Any Platform Enterprise Gmail Users Can Now Send End-to-End Encrypted Emails to Any Platform

Enterprise Gmail Users Can Now Send End-to-End Encrypted Emails to Any Platform

Lucid PhaaS Hits 169 Targets in 88 Countries Using iMessage and RCS Smishing Lucid PhaaS Hits 169 Targets in 88 Countries Using iMessage and RCS Smishing

Lucid PhaaS Hits 169 Targets in 88 Countries Using iMessage and RCS Smishing

Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices

Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices

You may have missed

USDC stablecoin issuer Circle files for IPO as public markets open to crypto USDC stablecoin issuer Circle files for IPO as public markets open to crypto

USDC stablecoin issuer Circle files for IPO as public markets open to crypto

Hims & Hers shares rise as company adds new weight-loss medications to platform Hims & Hers shares rise as company adds new weight-loss medications to platform

Hims & Hers shares rise as company adds new weight-loss medications to platform

Meta’s head of AI research announces departure Meta's head of AI research announces departure

Meta’s head of AI research announces departure

T Corona Borealis May Erupt Soon: Rare Nova Could Be Visible to Naked Eye T Corona Borealis May Erupt Soon: Rare Nova Could Be Visible to Naked Eye

T Corona Borealis May Erupt Soon: Rare Nova Could Be Visible to Naked Eye

Scientists Spot a Key Difference in Matter and Antimatter Decay Scientists Spot a Key Difference in Matter and Antimatter Decay

Scientists Spot a Key Difference in Matter and Antimatter Decay

China Loses 26 Percent of Its Glaciers Due to Global Warming, Claims New Study China Loses 26 Percent of Its Glaciers Due to Global Warming, Claims New Study

China Loses 26 Percent of Its Glaciers Due to Global Warming, Claims New Study