1. Introduction
Amazon Web Services Settings refers to a misconfiguration in the authentication settings that security checks use to access your AWS environment. If these settings are not properly configured, sensitive data could be exposed or attackers could gain control of your cloud resources. This affects any organisation using Amazon Web Services. A likely impact is compromised confidentiality, integrity and availability of data stored within the affected AWS services.
2. Technical Explanation
This vulnerability occurs when the authentication settings for security checks are not correctly set in scan policies. Without these credentials, security scans cannot authenticate to the AWS API, which can lead to inaccurate results or missed vulnerabilities. An attacker could exploit this by identifying systems where scans run without valid credentials and then exploiting other known weaknesses on those systems undetected.
- Root cause: Missing or invalid Amazon Web Services API authentication settings in scan policies.
- Exploit mechanism: An attacker identifies a system performing AWS checks with incomplete credentials, allowing them to bypass security scans and potentially exploit other vulnerabilities.
- Scope: Systems using Amazon Web Services for security scanning.
3. Detection and Assessment
To confirm whether your systems are vulnerable, check the configuration of your scan policies. A quick check involves reviewing the ‘Preferences’ section within your scan policy settings.
- Quick checks: Navigate to your scan policy in your security scanning tool and verify that Amazon Web Services API Settings are configured with valid credentials.
- Scanning: Nessus plugin ID 16284 can be used as an example for detecting missing AWS credentials, but results should be verified manually.
- Logs and evidence: Review scan logs for errors related to authentication failures when connecting to the Amazon Web Services API.
4. Solution / Remediation Steps
To fix this issue, ensure that valid credentials are set for Amazon Web Services API checks within your scan policies.
4.1 Preparation
- Ensure you have the necessary AWS access key ID and secret access key available. The rollback plan is to restore the previous version of the scan policy.
- Change window needs are minimal, but approval from a security administrator may be required depending on your organisation’s policies.
4.2 Implementation
- Step 1: Edit your scan policy in your security scanning tool.
- Step 2: Navigate to the ‘Preferences’ section of the scan policy.
- Step 3: Select ‘Amazon Web Services API Settings’.
- Step 4: Enter your AWS access key ID and secret access key.
- Step 5: Save the updated scan policy configuration.
4.3 Config or Code Example
Before
Amazon Web Services API Settings: Not configured
After
Amazon Web Services API Settings: Access Key ID = AKIAXXXXXXXXXXXX, Secret Access Key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue.
- Practice 1: Least privilege – grant only the necessary permissions to AWS access keys used for scanning, limiting potential damage if compromised.
- Practice 2: Secure defaults – configure scan policies with secure settings by default, including requiring authentication for all API checks.
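To make Practice 1 concrete, the following Python example (added here; it is not code from the original page or from any vendor) lints an IAM policy document intended for a scanning access key and flags any Allow statement that grants more than read-only access. Both policies are constructed samples; the read-only actions listed are illustrative, since the exact set a given scanner needs is tool-specific and is an assumption here.

```python
import json
from typing import Dict, List

# Constructed sample: an overly broad policy that is sometimes attached to a
# scanning user. Full access means a leaked scanning key compromises everything.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: a least-privilege alternative. The actions are real IAM
# actions chosen for illustration; the set a particular scanner needs is an
# assumption and must be taken from the scanner's documentation.
SCANNER_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "iam:ListUsers",
                "s3:GetBucketAcl",
            ],
            "Resource": "*",
        }
    ],
}

# IAM action names that only read state conventionally start with these verbs.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a single string or a list in Statement/Action fields."""
    return value if isinstance(value, list) else [value]


def is_read_only_action(action: str) -> bool:
    """True for actions like 'ec2:DescribeInstances'; wildcards are never read-only."""
    if "*" in action or ":" not in action:
        return False
    _, name = action.split(":", 1)
    return name.startswith(READ_ONLY_PREFIXES)


def least_privilege_findings(policy: Dict) -> List[str]:
    """Return one finding per Allow grant that exceeds read-only access.

    An empty list means every Allow statement is limited to read-only actions.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only_action(action):
                findings.append(f"statement {i}: action '{action}' is not read-only")
        # Grants by exclusion are almost always broader than intended.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
    return findings


if __name__ == "__main__":
    for label, policy in (("broad", BROAD_POLICY), ("read-only", SCANNER_READONLY_POLICY)):
        print(f"{label}: {least_privilege_findings(policy) or 'OK'}")
    # Ready to paste into the IAM console or pass to the AWS CLI.
    print(json.dumps(SCANNER_READONLY_POLICY, indent=2))
```

`Resource: "*"` is left alone on purpose: many Describe and List actions do not support resource-level permissions, so a wildcard resource on a read-only action is normal. The check targets the action verbs, which is where scanning keys usually end up over-privileged.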
4.5 Automation (Optional)
No suitable script is available as this requires configuration within a specific scanning tool.
5. Verification / Validation
To confirm the fix worked, verify that scans are now successfully authenticating with the AWS API. Check for successful scan results and no authentication errors in your scan logs.
- Post-fix check: Run a scan and verify it completes without any authentication errors related to Amazon Web Services.
- Re-test: Re-run the earlier detection method (reviewing scan policy settings) to confirm that valid credentials are now configured.
- Monitoring: Monitor scan logs for any new authentication errors related to Amazon Web Services API access.
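The quick check in section 3 (confirming that the Amazon Web Services API Settings hold valid credentials) and the post-fix log review in section 5 can both be scripted. The following Python example is added here and is not code from the original page or from any scanning tool. It assumes the scan policy's AWS settings can be exported as a dict with `access_key_id` and `secret_access_key` keys (a hypothetical representation) and uses constructed sample log lines; the key-format rules (a 20-character access key ID beginning with AKIA or ASIA, a 40-character secret) and the AWS error codes in the log pattern are standard AWS values.

```python
import re
from typing import Dict, Iterable, List

# AWS long-term access key IDs start with AKIA, temporary ones with ASIA;
# both are 20 characters. Secret access keys are 40 characters.
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
SECRET_KEY_LEN = 40


def check_aws_settings(policy: Dict[str, str]) -> List[str]:
    """Quick check for the 'Amazon Web Services API Settings' of a scan policy.

    `policy` is a hypothetical dict export of those settings. Returns a list
    of findings; an empty list means the settings pass the check.
    """
    findings = []
    key_id = policy.get("access_key_id", "").strip()
    secret = policy.get("secret_access_key", "").strip()
    if not key_id:
        findings.append("access_key_id is not configured")
    elif not ACCESS_KEY_ID_RE.match(key_id):
        findings.append("access_key_id does not look like an AWS access key ID")
    if not secret:
        findings.append("secret_access_key is not configured")
    elif len(secret) != SECRET_KEY_LEN:
        findings.append("secret_access_key has unexpected length")
    return findings


# Error codes AWS returns for missing or bad credentials, plus the kind of
# message a scanner logs when it skips checks for lack of configured credentials.
AUTH_FAILURE_RE = re.compile(
    r"(InvalidClientTokenId|SignatureDoesNotMatch|AuthFailure|UnrecognizedClientException"
    r"|credentials?\s+(not\s+configured|missing|invalid))",
    re.IGNORECASE,
)


def aws_auth_failures(log_lines: Iterable[str]) -> List[str]:
    """Return the scan log lines that record an AWS API authentication failure."""
    return [line for line in log_lines if AUTH_FAILURE_RE.search(line)]


# Constructed sample data so the script runs stand-alone.
SAMPLE_POLICY_BEFORE = {"access_key_id": "", "secret_access_key": ""}
SAMPLE_POLICY_AFTER = {
    "access_key_id": "AKIAIOSFODNN7EXAMPLE",  # AWS documentation example key ID
    "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}
SAMPLE_LOG = [
    "2024-01-01 10:00:01 [aws] starting Amazon Web Services checks",
    "2024-01-01 10:00:02 [aws] ERROR: AWS credentials not configured in policy; skipping API checks",
    "2024-01-01 10:00:03 [aws] ERROR: InvalidClientTokenId: The security token included in the request is invalid",
    "2024-01-01 10:00:04 [aws] DescribeInstances returned 3 instances",
]


if __name__ == "__main__":
    print("before fix:", check_aws_settings(SAMPLE_POLICY_BEFORE) or "OK")
    print("after fix: ", check_aws_settings(SAMPLE_POLICY_AFTER) or "OK")
    for line in aws_auth_failures(SAMPLE_LOG):
        print("auth failure:", line)
```

Run `check_aws_settings` against the exported policy as the detection step, and `aws_auth_failures` over the log of the post-fix scan as the verification step: a fixed policy yields no findings and a clean log yields an empty list. The format checks only catch obviously wrong values; a key that passes them can still be revoked or lack permissions, which is exactly what the log review exists to catch.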
6. Preventive Measures and Monitoring
Update your security baselines to include a requirement for configured AWS credentials in scan policies.
- Baselines: Update your security baseline or policy to require authentication for all Amazon Web Services API checks, such as through CIS controls.
- Asset and patch process: Review scan policy configurations regularly (for example, quarterly) to ensure they remain secure and up-to-date.
7. Risks, Side Effects, and Roll Back
Incorrectly configuring AWS credentials could lead to unauthorized access to your cloud resources. If the updated policy causes problems, roll back by restoring the previous version of the scan policy, as described in 4.1.
8. References and Resources
No specific references are available for this vulnerability.
- Vendor advisory or bulletin: Not applicable.
- NVD or CVE entry: Not applicable.
- Product or platform documentation relevant to the fix: AWS Security Hub Scan Policies.