
Cloud security tools thwart attacks on AWS infrastructure

Before Amazon Inspector, AWS Config Rules and even VPC, third-party cloud security tools stood guard over AWS -- and for a number of reasons, IT pros will continue to rely on them.

Third-party cloud security tools that preceded AWS infrastructure features such as the VPC have guarded against SSL vulnerabilities and worked behind the scenes at Web security firms in recent years. And despite their cost, AWS shops will continue to use them to supplement AWS security.

Amazon Web Services (AWS) customers chose tools such as the Evident Security Platform and Dome9 Security Ltd.'s SecOps to secure workloads on the public cloud infrastructure before Amazon introduced tools such as Amazon Inspector and AWS Config Rules. In the case of Dome9 customer Nexgate, the company relied on such tools before Virtual Private Clouds (VPCs) were enabled by default.

VPCs have existed since 2009, but didn't add features like multiple IP addresses, multiple network interfaces, dedicated instances and statically routed VPN connections until later. And it wasn't until early 2013 that newly created instances were in VPCs by default.

Nexgate, a firm specializing in social media security and compliance, needs to offer its customers a secure AWS infrastructure, and the VPC shortcomings were a problem. Dome9 SecOps' "closed by default" stance on AWS networking intrigued Sunnyvale, Calif.-based Nexgate.

"What Dome9 allows us to do is set [instances] up so [their ports] are simply closed by default," said Rich Sutton, co-founder and CTO for Nexgate, which was acquired by security vendor Proofpoint last year. "There's no access at all. It's an attack surface that we eliminate."

When an instance needs to be accessed, an authorized individual can use Dome9 to open a port for a short period, do the work, typically over Secure Shell (SSH), and close the port again when done.

"As we put systems into new regions we tend to try to fit them into VPCs, but there are still very good reasons even when you're using a VPC to take that closed-by-default stance," Sutton said.

Attackers look for services they can connect to once they gain access to a system, he said. That could be a Web interface or an administrative interface. Often, administrative applications aren't necessarily implemented with the same standards and security controls a shop might have on the front-end of an application that is exposed to the Internet, Sutton said.

"It's a great safety net to know that none of those applications are even open to the Internet -- they're not detectable or connectable by attackers because of Dome9," Sutton said.

This could be done inside of AWS as well, but it would be a manual process, he said. "Dome9 just curtails all that," Sutton said.
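The manual version of that closed-by-default workflow, as an added example that is not Dome9's or AWS's code: one function audits security groups (in the JSON shape `aws ec2 describe-security-groups` returns) for admin ports reachable from any address, and another builds the `authorize`/`revoke` pair for a short SSH window scoped to a single operator address rather than the whole Internet. The admin-port list, the group IDs and the sample groups are constructed for illustration; nothing here calls AWS.

```python
"""Added example (not Dome9's or AWS's code): audit EC2 security groups for
admin ports exposed to the whole Internet, and build a just-in-time
authorize/revoke pair for a short maintenance window."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Ports an attacker looks for once a host is reachable: SSH, RDP, VNC and a few
# common admin consoles. Illustrative assumption; extend for your own stack.
ADMIN_PORTS = {22, 3389, 5900, 8080, 8443, 9200, 27017}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _ports_in_rule(perm):
    """Expand one IpPermissions entry into the set of admin ports it exposes."""
    if perm.get("IpProtocol") == "-1":            # all protocols: AWS omits the port range
        return set(ADMIN_PORTS)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:                  # ICMP-style entries carry no port range
        return set()
    if lo == -1:                                  # -1/-1: all ports for this protocol
        return set(ADMIN_PORTS)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def find_open_admin_ports(security_groups):
    """Return (group_id, port, cidr) for every admin port open to any address.

    `security_groups` is the list under "SecurityGroups" in the output of
    `aws ec2 describe-security-groups`."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ports = _ports_in_rule(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in (ANY_V4, ANY_V6):
                    findings.extend((sg["GroupId"], p, cidr) for p in sorted(ports))
    return findings


def jit_ssh_commands(group_id, operator_ip, minutes=15, now=None):
    """Build the authorize/revoke pair for a short SSH window from one operator
    address. Returns (authorize_cmd, revoke_cmd, expires_at). The commands are
    real AWS CLI subcommands; nothing is executed here."""
    # ip_address() rejects wildcards such as "0.0.0.0/0", so the rule is always a /32.
    cidr = f"{ipaddress.ip_address(operator_ip)}/32"
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(minutes=minutes)
    common = f"--group-id {group_id} --protocol tcp --port 22 --cidr {cidr}"
    return (f"aws ec2 authorize-security-group-ingress {common}",
            f"aws ec2 revoke-security-group-ingress {common}",
            expires)


# Constructed sample in the shape describe-security-groups returns.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "admin",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for gid, port, cidr in find_open_admin_ports(SAMPLE_GROUPS):
        print(f"{gid}: port {port} open to {cidr}")
    auth, rev, until = jit_ssh_commands("sg-0a1b2c3d", "203.0.113.7", minutes=15)
    print(auth)
    print(f"# ... work until {until.isoformat()} ...")
    print(rev)
```

The audit flags the web group's SSH rule and every admin port behind the admin group's all-protocols IPv6 rule, while the 443 rule and the internal 8443 rule pass. The revoke command must be issued whether or not the session succeeded, which is the step a scheduler or the tooling Sutton describes automates.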

Dome9's product is priced at $599 per month for 50 servers.

Evident uncovers SSL vulnerabilities for AWS shop

More recently, another company that operates in the social media world, Jobvite, Inc., a talent acquisition firm in San Francisco, remediated the Heartbleed and POODLE vulnerabilities in its AWS infrastructure with help from Evident's configuration scanning tool.

Jobvite, which links firms with job candidates via social media and also makes software to handle job interview scheduling and review, migrated its entire production infrastructure to AWS as of July of last year. The company had some instances running in the Elastic Compute Cloud (EC2) beforehand. Today it has more than 500 EC2 instances under management.

Jobvite's senior director of SaaS operations, Theodore Kim, first encountered Evident at AWS re:Invent 2013, the year the company launched. In the spring of 2014, when the Heartbleed OpenSSL vulnerability was found in some of Amazon's Elastic Load Balancing (ELB) instances, Evident flagged the vulnerability in Jobvite's infrastructure less than 24 hours after AWS delivered a patch and recommended that SSL certificates be rotated. Patching closes the memory-disclosure bug, but any private key that may already have leaked has to be replaced, which is why the certificates had to be re-keyed rather than simply reinstalled.

"We then had the affected SSL certs re-keyed and re-installed on our ELBs," Kim said.

Then, in October of 2014, Evident's product found that many of Jobvite's ELBs were also vulnerable to the POODLE attack, which Amazon first acknowledged on its website the same day Evident picked it up in Jobvite's environment. POODLE is a padding-oracle attack on the CBC cipher suites of SSL 3.0, so the fix is to stop negotiating that protocol version rather than to patch code.

"We removed SSLv3 protocol support from the ciphers to remediate," Kim said, a step Evident also recommended.
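The check behind "remove SSLv3 support", as an added example rather than code from Evident or Jobvite: a ClientHello that offers only SSL 3.0 is sent to the endpoint, and the server's first record is classified. An SSLv3 ServerHello means the load balancer still negotiates the protocol POODLE abuses; a fatal `handshake_failure` or `protocol_version` alert, or a dropped connection, means it does not. The two server replies below are constructed byte strings standing in for what a capture of each case shows, and the cipher-suite list is an assumption.

```python
"""Added example (not the scanner's code): does an endpoint still negotiate
SSL 3.0? Builds an SSLv3-only ClientHello and classifies the server's first
record, which is the observable difference POODLE remediation produces."""
import os
import socket
import struct

SSL3 = b"\x03\x00"
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02

# A few CBC suites an SSLv3 server typically accepts (assumed list; IDs per RFC 6101/5246).
CBC_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]


def build_sslv3_client_hello(random_bytes=None):
    """Return one record-framed ClientHello whose only offered version is SSL 3.0."""
    rand = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (SSL3 + rand + b"\x00"                       # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                               # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns for the SSLv3 ClientHello.

    Returns "sslv3-accepted", "sslv3-refused", "closed" or "unknown"."""
    if not data:
        return "closed"                                  # server hung up without a record
    if len(data) < 5:
        return "unknown"
    ctype, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == ALERT and len(payload) >= 2:
        # payload[0] is the level (2 = fatal); descriptions 40 handshake_failure,
        # 70 protocol_version are the two a hardened server sends here
        return "sslv3-refused" if payload[1] in (40, 70) else "unknown"
    if ctype == HANDSHAKE and len(payload) >= 6 and payload[0] == SERVER_HELLO:
        # version sits right after the 4-byte handshake header
        return "sslv3-accepted" if payload[4:6] == SSL3 else "sslv3-refused"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Live check against a load balancer or host; not used by the offline samples."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            return classify_response(s.recv(4096))
        except ConnectionResetError:
            return "closed"


# Constructed server replies, standing in for a packet capture of each case.
# 1) SSLv3 ServerHello (38-byte body: version, random, empty session id, suite, compression).
VULNERABLE_REPLY = (bytes([HANDSHAKE]) + SSL3 + b"\x00\x2a"
                    + bytes([SERVER_HELLO]) + b"\x00\x00\x26"
                    + SSL3 + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
# 2) Fatal handshake_failure alert, the usual answer once SSLv3 is disabled.
HARDENED_REPLY = bytes([ALERT]) + SSL3 + b"\x00\x02" + b"\x02\x28"

if __name__ == "__main__":
    print("before remediation:", classify_response(VULNERABLE_REPLY))
    print("after remediation: ", classify_response(HARDENED_REPLY))
```

Run `probe("elb-hostname", 443)` against an endpoint you are authorized to test; anything other than `sslv3-refused` or `closed` needs a closer look, and a ServerHello carrying version `0x0300` is exactly the finding that led Jobvite to drop SSLv3 from its ELB listeners.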

Two years after the conference where Kim first encountered Evident, AWS rolled out its own security configuration scanning tools, Amazon Inspector and AWS Config Rules. Kim said he'll probably stick with the tool he knows, though Evident comes with a significant price tag of $1,000 per month for the Enterprise plan, which Jobvite uses. Pricing has not yet been set for Amazon Inspector, which is in preview, but Config Rules costs $2 per active rule per month.

The Heartbleed and POODLE vulnerabilities were the most critical ones found by Evident, but Kim said the tool also frequently informs Jobvite's change management system.

When a new host is introduced, for example, Evident can flag that it is running a default Access Control List (ACL).

"[Evident] immediately finds this and says, 'This is running a default ACL. You shouldn't do this,'" Kim said. "That is something that can be missed, especially when you're running hundreds of systems."

Beth Pariseau is senior news writer for SearchAWS. Follow her at @PariseauTT on Twitter.
