
Cloud security tools thwart attacks on AWS infrastructure

Before Amazon Inspector, AWS Config Rules and even VPC, third-party cloud security tools stood guard over AWS -- and for a number of reasons, IT pros will continue to rely on them.

Third-party cloud security tools that preceded AWS infrastructure features such as the VPC have guarded against SSL vulnerabilities and worked behind the scenes at Web security firms in recent years. And despite their cost, AWS shops will continue to use them to supplement AWS security.

Amazon Web Services (AWS) customers chose tools such as the Evident Security Platform and Dome9 Security Ltd.'s SecOps to secure workloads on the public cloud infrastructure prior to Amazon's introduction of tools that include Amazon Inspector and AWS Config Rules. In the case of Dome9 customer Nexgate, the company relied on such tools before Virtual Private Clouds (VPCs) were enabled by default.

VPCs have existed since 2009, but didn't add features like multiple IP addresses, multiple network interfaces, dedicated instances and statically routed VPN connections until later. And it wasn't until early 2013 that newly created instances were in VPCs by default.

Nexgate, a firm specializing in social media security and compliance, needs to offer its customers a secure AWS infrastructure, and the VPC shortcomings were a problem. Dome9 SecOps' "closed by default" stance on AWS networking intrigued Sunnyvale, Calif.-based Nexgate.

"What Dome9 allows us to do is set [instances] up so [their ports] are simply closed by default," said Rich Sutton, co-founder and CTO for Nexgate, which was acquired by security vendor Proofpoint last year. "There's no access at all. It's an attack surface that we eliminate."

When instances need to be accessed, individuals who are authorized to do so can use Dome9 to open a port for a small period of time, do the work they need to do, typically through Secure Shell, and then close the port back down when they are done.

"As we put systems into new regions we tend to try to fit them into VPCs, but there are still very good reasons even when you're using a VPC to take that closed-by-default stance," Sutton said.

Attackers look for services they can connect to once they gain access to a system, he said. That could be a Web interface or an administrative interface. Often, administrative applications aren't necessarily implemented with the same standards and security controls a shop might have on the front-end of an application that is exposed to the Internet, Sutton said.

"It's a great safety net to know that none of those applications are even open to the Internet -- they're not detectable or connectable by attackers because of Dome9," Sutton said.

This could be done inside of AWS as well, but it would be a manual process, he said. "Dome9 just curtails all that," Sutton said.
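The closed-by-default stance Sutton describes (no permanent inbound rules on administrative ports, short-lived openings limited to the operator's own source address, as he clarifies in the comments below) can be checked in code. The following audit function is an added example, not Dome9's or Nexgate's code; it assumes a constructed rule record shape rather than the real AWS security-group API, and a one-hour limit on a temporary opening.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

ANY_V4 = ip_network("0.0.0.0/0")

def audit_inbound_rules(rules, now, public_ports=frozenset({443}),
                        max_window=timedelta(hours=1)):
    """Return (rule_id, reason) findings for rules that break closed-by-default.

    Each rule is a constructed record (hypothetical shape, not an AWS API object):
      {"id": str, "port": int, "cidr": str, "opened_at": datetime | None}
    'opened_at' marks a temporary just-in-time opening; None means permanent.
    Ports in public_ports are the deliberately exposed front end and are skipped.
    """
    findings = []
    for rule in rules:
        if rule["port"] in public_ports:
            continue  # public front end, outside the scope of this check
        net = ip_network(rule["cidr"], strict=False)
        if net == ANY_V4:
            findings.append((rule["id"], "admin port open to the whole Internet"))
            continue
        if net.prefixlen < 32:
            findings.append((rule["id"], f"source wider than one host: {rule['cidr']}"))
        opened = rule["opened_at"]
        if opened is None:
            findings.append((rule["id"], "permanent opening; expected a temporary one"))
        elif now - opened > max_window:
            findings.append((rule["id"], f"temporary opening expired {now - opened - max_window} ago"))
    return findings

# Constructed sample: a clock and five inbound rules on an imaginary account.
NOW = datetime(2015, 11, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RULES = [
    {"id": "sg-admin-ssh", "port": 22, "cidr": "203.0.113.7/32", "opened_at": NOW - timedelta(minutes=20)},
    {"id": "sg-stale-ssh", "port": 22, "cidr": "203.0.113.9/32", "opened_at": NOW - timedelta(hours=3)},
    {"id": "sg-admin-ui", "port": 8080, "cidr": "0.0.0.0/0", "opened_at": None},
    {"id": "sg-office-rdp", "port": 3389, "cidr": "198.51.100.0/24", "opened_at": NOW - timedelta(minutes=10)},
    {"id": "sg-https", "port": 443, "cidr": "0.0.0.0/0", "opened_at": None},
]

if __name__ == "__main__":
    for rule_id, reason in audit_inbound_rules(SAMPLE_RULES, NOW):
        print(f"{rule_id}: {reason}")
```

Only the fresh /32 SSH opening and the public HTTPS listener pass; the stale opening, the Internet-facing admin interface and the office-wide range are each reported.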

Dome9's product is priced at $599 per month for 50 servers.

uncovers SSL vulnerabilities for AWS shop

More recently, another company that operates in the social media world, Jobvite, Inc., a talent acquisition firm in San Francisco, remediated against the Heartbleed and POODLE security vulnerabilities in its AWS infrastructure using's configuration scanning tool.

Jobvite, which links firms with job candidates via social media and also makes software to handle job interview scheduling and review, migrated its entire production infrastructure to AWS as of July of last year. The company had some instances running in the Elastic Compute Cloud (EC2) beforehand. Today it has more than 500 EC2 instances under management.

Jobvite's senior director of SaaS operations Theodore Kim encountered at AWS re:Invent 2013, the year the company launched. By the spring of 2014, when the Heartbleed SSL vulnerability was found in some instances of Amazon's Elastic Load Balancing (ELB), picked up on the vulnerability in Jobvite's infrastructure less than 24 hours after AWS delivered a patch and recommended SSL certificates be rotated.

"We then had the affected SSL certs re-keyed and re-installed on our ELBs," Kim said.

Then, in October of 2014,'s product found that many of Jobvite's ELBs were also vulnerable to the POODLE attack, which Amazon first acknowledged on its website the same day picked it up in Jobvite's environment.

"We removed SSLv3 protocol support from the ciphers to remediate," Kim said, a step also recommended by

Fast forward two years from the conference where Kim first encountered, and AWS rolled out its own security configuration scanning tools in Amazon Inspector and AWS Config Rules. Kim said he'll probably stick with the tool he knows in, though it comes with a significant price tag of $1,000 per month for the Enterprise plan, which Jobvite uses. Pricing has not yet been set for Amazon Inspector, which is in preview, but Config Rules costs $2 per active rule per month.

The Heartbleed and POODLE vulnerabilities were the most critical ones found by, but Kim said the tool also frequently informs Jobvite's change management system.

So, in the scenario of introducing a new host, can flag whether it's running a default Access Control List (ACL).

" immediately finds this and says, 'This is running a default ACL. You shouldn't do this,'" Kim said. "That is something that can be missed, especially when you're running hundreds of systems."

Beth Pariseau is senior news writer for SearchAWS. Write to her at or follow @PariseauTT on Twitter.

Hey Beth,

Thanks for the coverage from all of us supporting AWS's platform in the security world.

Two clarifications from our side:
- Our plans start at $200/mo, not $1,000/mo which is comparable considering that if you loaded our 130+ security controls into "rules" you would spend more for Config Rules (and have less AWS service support). Plus, you miss all the awesome additional features we've built in like native integrations to Splunk, PagerDuty, Slack, Hipchat, Jira, etc. You also miss the curated security guidance from a team of professionals, whereas platform-level security features depend on the end users to have all the security knowledge and expertise. That's part of the challenge for anyone adopting these platform-level controls -- sure, now you have this badass sword... but if you cut your own leg off because you can't wield it properly, it has done you zero good.
- AWS continues to innovate with partners, not against. Inspector is highly complementary to what most of us do -- an agent-based API-connected security presence that none of us have to develop is a great win for the industry. Config Rules satisfies a market of startups who have no budget to spend on security and only need one or two simple checks run. These fill gaps that even the solution providers can't or won't fill, which helps everyone.

Great piece, and great spotlight on the various levels of market expertise and capability available for cloud consumers.

Tim Prendergast

Is the implication here that only opening ports to the Internet for short periods of time makes a VPC secure? Really?

As long as all the inbound ports are closed the VPC is off the Internet and is secure. However, in an enterprise data center context, opening any port to the Internet for any amount of time is a serious security risk and would require building a complete security perimeter (firewalls, proxies, IDS, AV, WAF, etc.).

Given a VPC in Amazon is the virtual equivalent to a data center, opening ports to the outside world should require no less if a strong security posture, and compliance to standards (PCI/DSS, HIPAA, etc.), is a concern.

This AWS blog talks about an approach to security that avoids the issue of opening ports to the Internet:

Full disclosure, I work for the company discussed, but the opinions in the blog are Amazon’s.

@Rob: No, there is no implication intended that ports are open to the Internet with Dome9. I went back to Rich Sutton about this, and he said the ports they open are only to the source IP of the Ops person opening the port, not the entire Internet. It doesn’t eliminate the need for having other security measures in place, of course, but I don't think that this story made any claim otherwise.