# Top 3 AWS Critical Cloud Misconfigurations and How to Remediate

By [Nathaniel Quist](https://www.paloaltonetworks.com/blog/author/nathaniel-q-quist-sr-threat-researcher-public-cloud-security/?ts=markdown "Posts by Nathaniel Quist"), Sep 20, 2019, 5 minutes

[Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown) [AWS](https://www.paloaltonetworks.com/blog/tag/aws/?ts=markdown) [Cloud Security](https://www.paloaltonetworks.com/blog/tag/cloud-security/?ts=markdown) [Unit 42](https://www.paloaltonetworks.com/blog/tag/unit-42/?ts=markdown)

By Nathaniel "Q" Quist, Sr. Threat Researcher, Public Cloud Security

It's no secret that cloud adoption yields tremendous business benefit: increased agility, reduced cost, flexibility, ease of use, the list goes on. The problem is, companies have adopted cloud faster than they've been able to adopt security processes and practices to support it. Developer teams are enthusiastically spinning up cloud workloads and standing up new AWS infrastructure, while security teams may feel they are left to mop up.

Some of the major, headline-grabbing cloud breaches we saw over this past year reflect basic security configuration mistakes: allowing traffic to port 22 from the public internet, leaving the remote desktop protocol (RDP) exposed. We wouldn't perform these actions within on-prem infrastructure, so why are we seeing this in the cloud? A bird's eye view of what's going on would look much like a repeat of what we saw in the 90s: developers excitedly leveraging the newest technologies and acting with little to no thought about the security implications of their latest project.

![An image of a broken window highlights the risks of leaving the top three AWS critical cloud misconfigurations unremediated.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/09/Broken-Window-230x153.jpg)

Novice configuration mistakes transform the cloud into a Wild West for hackers, full of gold mines of opportunity for them. This helps explain the rapid emergence of [cybercrime groups, like Rocke, that specialize in targeting the public cloud](https://unit42.paloaltonetworks.com/rockein-the-netflow/). The good news is, hackers are looking for easy money, so if you make it difficult for them by using proper configurations, they will look elsewhere.

My team and I have spent the past few years collecting data from hundreds of cloud environments in order to learn about the biggest threats to the public cloud. We found that within the last year, 65% of attacks were due to misconfiguration.
Our research has identified the top three critical misconfigurations that are most common in organizations' AWS environments. For each of these, following a set of simple recommendations will help organizations better secure their clouds and avoid becoming the next easy targets for attackers.

* **Security Group Allows Internet Traffic**

  A security group acts as a virtual firewall that controls the traffic from and to one or more instances. Security groups should have restrictive access control lists (ACLs) that allow incoming traffic only from specific IPs and only to the specific ports where the application is listening for connections. While the three major cloud service providers (CSPs) block all ingress traffic by default, they allow all egress traffic by default. It is highly recommended that security teams review all security groups on a regular basis to ensure they are properly configured and unwanted changes have not been applied. One of the checks that should be made is to make sure that your current security group policies only allow traffic to and from appropriate addresses, based upon the nature of your organization's requirements.

  **Recommendations**

  If you find a security group allows all ingress traffic, to prevent this inbound action:

  1. Log in to the AWS console and navigate to the 'VPC' service.
  2. Click on the 'Security Group' link located on the left side of the screen.
  3. Click on the 'Inbound Rules' tab and remove any row with a source value containing '0.0.0.0/0' or '::/0'.

  If your organization, or a particular subnet, does not need to communicate with every country or system worldwide:

  1. Log in to the AWS console and navigate to the 'VPC' service.
  2. Click on the 'Security Group' specific to the alert.
  3. Click on 'Outbound Rules' and add a row with the correct protocol (e.g., TCP, UDP, ICMP) and IP address/net range, which should only receive the appropriate network connections.
* **AWS Security Groups Allow Internet Traffic to SSH Port (22)**

  AWS security groups that allow inbound traffic on the SSH port (22) from the public internet significantly increase the risk to an organization's security landscape. Research has found that vulnerabilities contained within out-of-date SSH services are some of the most heavily targeted vulnerabilities for malicious actors. Unit 42 research has shown that 56% of organizations have at least one cloud-based SSH service exposed to the internet. Leaving this port open may allow a bad actor to compromise the SSH service itself, or brute force the service, and potentially gain access to your organization's cloud environment.

  **Recommendation**

  If the security group needs to restrict SSH traffic:

  1. Log in to the AWS Console and navigate to the 'VPC' service.
  2. Select the 'Security Group' link and click on the 'Inbound Rule' tab.
  3. Remove any rule that has a 'Port Range' value which includes port 22.

* **AWS Security Groups Allow Traffic from the Internet to RDP Port 3389**

  Security groups should not allow RDP port 3389 traffic from or to the public internet. Doing so may allow a bad actor to compromise the RDP application through the use of an exploit, or to brute force the application and potentially gain access to your organization's cloud environment.

  **Recommendation**

  If the Security Groups are found to allow RDP port 3389 traffic:

  1. Log in to the AWS Console and navigate to the 'VPC' service.
  2. Select the 'Security Group' reported in the alert, and click on the 'Inbound Rule' tab.
  3. Remove any rule that has a 'Port Range' containing port 3389.

**Removing easy targets**

The bottom line: These are three policy violations you should aim to *never* see in your environment.
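The three checks above, as an added audit script that is not part of the original post or of any Palo Alto Networks product: it evaluates security-group records in the shape returned by `aws ec2 describe-security-groups` (or boto3's `describe_security_groups`) against the three rules, and rebuilds the world-open entries the console steps delete in the `IpPermissions` shape that `revoke_security_group_ingress` accepts. The group ids and rules below are constructed sample data, and the finding labels are my own naming.

```python
from typing import Dict, List

WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"   # the source values the console steps say to remove
WATCHED = {22: "ssh-open-to-internet", 3389: "rdp-open-to-internet"}

def _world_ranges(perm: Dict) -> Dict[str, List[Dict]]:
    """Keep only the range entries of one rule whose source is the whole IPv4/IPv6 internet."""
    return {"IpRanges": [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4],
            "Ipv6Ranges": [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]}

def _covers_port(perm: Dict, port: int) -> bool:
    """IpProtocol '-1' means every protocol and port; ICMP-style rules carry no TCP/UDP port."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6", "udp", "17"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit(security_groups: List[Dict]) -> Dict[str, List[str]]:
    """Map each GroupId to the sorted findings of the blog's three checks (empty list = clean)."""
    report = {}
    for sg in security_groups:
        findings = set()
        for perm in sg.get("IpPermissions", []):
            ranges = _world_ranges(perm)
            if not (ranges["IpRanges"] or ranges["Ipv6Ranges"]):
                continue                                  # source is a specific CIDR: acceptable
            findings.add("ingress-from-internet")         # check 1: any 0.0.0.0/0 or ::/0 source
            findings.update(label for port, label in WATCHED.items() if _covers_port(perm, port))
        report[sg["GroupId"]] = sorted(findings)
    return report

def rules_to_revoke(sg: Dict) -> List[Dict]:
    """The offending rules trimmed to their world-open sources: the rows the console steps delete."""
    out = []
    for perm in sg.get("IpPermissions", []):
        ranges = _world_ranges(perm)
        if ranges["IpRanges"] or ranges["Ipv6Ranges"]:
            out.append({**{k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}, **ranges})
    return out

SAMPLE_GROUPS = [  # constructed sample in describe-security-groups shape, not data from a real account
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]
if __name__ == "__main__":
    for group_id, findings in audit(SAMPLE_GROUPS).items():
        print(group_id, ", ".join(findings) or "clean")
```

Note that the 443 rule in `sg-0aaa` is flagged under the first check because its source is `0.0.0.0/0`, exactly as the console steps prescribe; whether a public HTTPS listener is acceptable is a policy decision the script leaves to you.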
To ensure success, you will want to [automate guardrails](https://www.paloaltonetworks.com/cloud-security/prisma-public-cloud) so that developers can continue to run freely in the cloud without compromising your organization's security. To learn more about our threat intelligence research on the public cloud, read the full [Unit 42 Cloud Research Report](https://start.paloaltonetworks.com/unit-42-cloud-with-a-chance-of-entropy.html).