Insecure Defaults and Missing Security Controls
Cloud services often prioritize ease of use over security in their defaults, and an IaC template that does not explicitly override those defaults inherits them. Access logging might be disabled by default, leaving nothing to investigate after an incident. Object versioning might be off, so ransomware or an accidental overwrite destroys the only copy. Backup configuration might be missing entirely, risking data loss.
Security headers and protocol configurations frequently ship with insecure defaults as well. HTTP might be accepted where only HTTPS should be, older TLS versions might stay enabled for compatibility, and CORS policies might allow any origin. Each of these transport weaknesses gives an on-path attacker a chance to intercept or tamper with traffic.
```yaml
# Common DEFAULT SECURITY vulnerabilities in CloudFormation

# VULNERABLE: ALB whose listeners are left at the service defaults
VulnerableALB:
  Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  Properties:
    Scheme: internet-facing
    SecurityGroups:
      - !Ref ALBSecurityGroup
  # Missing: no HTTPS-only listener with a modern SslPolicy; an HTTPS
  # listener that omits SslPolicy gets ELBSecurityPolicy-2016-08, which
  # still negotiates TLS 1.0

# VULNERABLE: CloudFront without security headers
VulnerableDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      DefaultCacheBehavior:
        TargetOriginId: myOrigin
        ViewerProtocolPolicy: allow-all  # DANGER: Allows HTTP
      # Missing: no security headers

# SECURE: ALB that listens only on 443 with a TLS 1.2+ policy
SecureALB:
  Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  Properties:
    Scheme: internet-facing
    SecurityGroups:
      - !Ref ALBSecurityGroup

SecureALBListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    LoadBalancerArn: !Ref SecureALB
    Port: 443
    Protocol: HTTPS
    Certificates:
      - CertificateArn: !Ref Certificate
    SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01  # Enforce TLS 1.2+
    DefaultActions:
      - Type: fixed-response
        FixedResponseConfig:
          StatusCode: "200"  # String in CloudFormation, so quote it
          ContentType: text/plain
          MessageBody: "OK"

# SECURE: CloudFront with HTTPS enforced and security headers added by a
# Lambda@Edge function on origin-response. The response-headers event
# below is a CloudFront event, so the function attaches to the
# distribution, not to the ALB. Lambda@Edge functions must be created in
# us-east-1 and associated by published version, never by $LATEST.
SecurityHeadersFunction:
  Type: AWS::Lambda::Function
  Properties:
    Runtime: python3.9
    Handler: index.handler
    # Execution role (defined elsewhere) whose trust policy allows both
    # lambda.amazonaws.com and edgelambda.amazonaws.com
    Role: !GetAtt LambdaEdgeRole.Arn
    Code:
      ZipFile: |
        def handler(event, context):
            # origin-response event: the response from the origin, before caching
            response = event['Records'][0]['cf']['response']
            headers = response['headers']
            # Lambda@Edge keys the header map by lower-cased name
            headers['strict-transport-security'] = [{
                'key': 'Strict-Transport-Security',
                'value': 'max-age=31536000; includeSubDomains'
            }]
            headers['x-content-type-options'] = [{
                'key': 'X-Content-Type-Options',
                'value': 'nosniff'
            }]
            headers['x-frame-options'] = [{
                'key': 'X-Frame-Options',
                'value': 'DENY'
            }]
            # Legacy header: the XSS auditor it controlled has been removed
            # from current browsers and '1; mode=block' caused its own bugs,
            # so explicitly disable it rather than turn it on
            headers['x-xss-protection'] = [{
                'key': 'X-XSS-Protection',
                'value': '0'
            }]
            headers['referrer-policy'] = [{
                'key': 'Referrer-Policy',
                'value': 'strict-origin-when-cross-origin'
            }]
            # 'unsafe-inline' largely defeats script-src; replace it with
            # nonces or hashes once inline scripts are removed
            headers['content-security-policy'] = [{
                'key': 'Content-Security-Policy',
                'value': "default-src 'self'; script-src 'self' 'unsafe-inline'"
            }]
            return response

# Lambda@Edge associations require a numbered version
SecurityHeadersFunctionVersion:
  Type: AWS::Lambda::Version
  Properties:
    FunctionName: !Ref SecurityHeadersFunction

SecureDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Enabled: true
      # Origins, cache policy and ViewerCertificate are also required; they
      # are omitted here as in the vulnerable example above
      DefaultCacheBehavior:
        TargetOriginId: myOrigin
        ViewerProtocolPolicy: redirect-to-https  # No plaintext HTTP
        LambdaFunctionAssociations:
          - EventType: origin-response
            LambdaFunctionARN: !Ref SecurityHeadersFunctionVersion  # version ARN
```
Monitoring and alerting configurations also rely on insecure defaults. A template might define no CloudTrail trail, leaving only the console's 90-day event history and nothing delivered to S3 for long-term investigation. VPC Flow Logs might be absent, hiding network attacks. CloudWatch alarms might not be configured for security events such as root logins or unauthorized API calls. Each missing control is a blind spot that an attacker can operate in undetected.
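The checks a reviewer would run against a template for the defaults discussed in this section (plain HTTP allowed, a weak or omitted TLS policy, versioning and logging off, backups disabled, and a template with no CloudTrail trail, Flow Logs or alarms) as an added example; this is not code from the original page. It operates on the JSON form of a CloudFormation template (a dict), so no YAML library is needed. The resource names, the two sample templates and the set of weak ELB policies are constructed for the example.

```python
"""Lint a CloudFormation template (JSON form) for insecure defaults."""
from typing import Any, Dict, List

# ELB predefined policies that still negotiate TLS 1.0 or 1.1.
# ELBSecurityPolicy-2016-08 is what an HTTPS listener gets when SslPolicy is omitted.
WEAK_TLS_POLICIES = {
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-2015-05",
    "ELBSecurityPolicy-TLS-1-0-2015-04",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
}


def _get(obj: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts; return default if any key along the path is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def check_resource(name: str, res: Dict[str, Any]) -> List[str]:
    """Per-resource rules; each finding names the resource and the default it inherits."""
    rtype = res.get("Type", "")
    props = res.get("Properties") or {}
    out: List[str] = []
    if rtype == "AWS::CloudFront::Distribution":
        cfg = props.get("DistributionConfig") or {}
        if _get(cfg, "DefaultCacheBehavior", "ViewerProtocolPolicy") == "allow-all":
            out.append(f"{name}: ViewerProtocolPolicy allow-all serves plain HTTP")
        if "Logging" not in cfg:
            out.append(f"{name}: CloudFront access logging not configured")
    elif rtype == "AWS::ElasticLoadBalancingV2::Listener":
        actions = props.get("DefaultActions") or []
        if props.get("Protocol") == "HTTP":
            # An HTTP listener is acceptable only if every default action redirects to HTTPS
            only_redirects = actions and all(
                a.get("Type") == "redirect" and _get(a, "RedirectConfig", "Protocol") == "HTTPS"
                for a in actions)
            if not only_redirects:
                out.append(f"{name}: HTTP listener serves traffic instead of redirecting to HTTPS")
        elif props.get("Protocol") == "HTTPS":
            policy = props.get("SslPolicy")  # omitted -> service default, which allows TLS 1.0
            if policy is None or policy in WEAK_TLS_POLICIES:
                out.append(f"{name}: SslPolicy {policy!r} permits TLS < 1.2")
    elif rtype == "AWS::S3::Bucket":
        if _get(props, "VersioningConfiguration", "Status") != "Enabled":
            out.append(f"{name}: S3 versioning not enabled (default is suspended)")
        if "LoggingConfiguration" not in props:
            out.append(f"{name}: S3 server access logging not configured")
        for rule in _get(props, "CorsConfiguration", "CorsRules", default=[]):
            if "*" in rule.get("AllowedOrigins", []):
                out.append(f"{name}: CORS rule allows any origin")
    elif rtype == "AWS::RDS::DBInstance":
        if props.get("BackupRetentionPeriod", 1) == 0:  # 0 disables automated backups
            out.append(f"{name}: RDS automated backups disabled")
    return out


def check_template(template: Dict[str, Any]) -> List[str]:
    """Resource rules plus template-wide checks for controls that are missing entirely."""
    resources = template.get("Resources") or {}
    out: List[str] = []
    for name, res in resources.items():
        out.extend(check_resource(name, res))
    types = {r.get("Type") for r in resources.values()}
    if "AWS::CloudTrail::Trail" not in types:
        out.append("template: no CloudTrail trail defined")
    if "AWS::EC2::VPC" in types and "AWS::EC2::FlowLog" not in types:
        out.append("template: VPC defined without VPC Flow Logs")
    if "AWS::CloudWatch::Alarm" not in types:
        out.append("template: no CloudWatch alarms defined")
    return out


# Constructed sample templates for the example (not from a real deployment).
TG = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/app/0123456789abcdef"
VULNERABLE_TEMPLATE = {"Resources": {
    "Cdn": {"Type": "AWS::CloudFront::Distribution", "Properties": {"DistributionConfig": {
        "DefaultCacheBehavior": {"TargetOriginId": "myOrigin", "ViewerProtocolPolicy": "allow-all"}}}},
    "HttpListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {
        "Protocol": "HTTP", "Port": 80, "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG}]}},
    "Assets": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
}}
HARDENED_TEMPLATE = {"Resources": {
    "Cdn": {"Type": "AWS::CloudFront::Distribution", "Properties": {"DistributionConfig": {
        "Logging": {"Bucket": "logs.s3.amazonaws.com"},
        "DefaultCacheBehavior": {"TargetOriginId": "myOrigin", "ViewerProtocolPolicy": "redirect-to-https"}}}},
    "HttpRedirect": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {
        "Protocol": "HTTP", "Port": 80, "DefaultActions": [{"Type": "redirect",
        "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]}},
    "HttpsListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {
        "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG}]}},
    "Assets": {"Type": "AWS::S3::Bucket", "Properties": {
        "VersioningConfiguration": {"Status": "Enabled"},
        "LoggingConfiguration": {"DestinationBucketName": "logs"}}},
    "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "FlowLog": {"Type": "AWS::EC2::FlowLog", "Properties": {"ResourceType": "VPC"}},
    "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {"IsLogging": True}},
    "RootLoginAlarm": {"Type": "AWS::CloudWatch::Alarm", "Properties": {}},
}}

if __name__ == "__main__":
    for line in check_template(VULNERABLE_TEMPLATE):
        print(line)
```

The vulnerable template yields eight findings and the hardened one none. The listener rule is the one worth noting: an HTTP listener is not a finding by itself, since the usual hardened layout keeps port 80 open purely to redirect, so the rule inspects the default actions rather than the protocol alone. To run it on a real YAML template, load the file with a YAML loader that tolerates the `!Ref` and `!GetAtt` tags and pass the resulting dict to `check_template`.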