
Kloudle vulnerability disclosures are now published by OPVD

Riyaz Walikar
#kloudle

Vulnerability 1 - AWS RDS does not enforce SSL/TLS encryption

The first vulnerability is that AWS RDS does not enforce SSL/TLS encryption. AWS RDS is a managed relational database service that lets users rapidly set up fully operational database instances in the cloud and use them as data sources within applications. AWS RDS engine configuration is applied through a resource called a parameter group. Parameter groups are engine specific and contain settings that are pre-configured by AWS. During a review of a MySQL RDS engine, it was noticed that the security setting that forces RDS to accept only encrypted connections from clients was set to null and was not modifiable.

The Vulnerability: AWS RDS does not force clients to connect using a secure transport layer

The Mitigation: Fixing the default insecure network connection option for RDS instances
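The check below is an added example, not Kloudle's code. It audits the parameter list of an RDS MySQL parameter group for the setting described above and builds the call that turns it on in a customer-owned group. It assumes the setting in question is MySQL's `require_secure_transport` (the page does not name the parameter) and that the input has the shape returned by boto3's `describe_db_parameters`; the sample parameter lists are constructed to mirror the finding, and the live `audit_with_boto3` helper only needs boto3 and credentials if you call it.

```python
"""Audit an RDS MySQL parameter group for enforced client TLS.

Added example. Assumptions: the setting the page refers to is MySQL's
require_secure_transport, and the input has the shape of the "Parameters"
list returned by boto3's rds.describe_db_parameters.
"""
from typing import Iterable, Optional

TLS_PARAM = "require_secure_transport"  # assumed name of the setting discussed
TRUE_VALUES = {"1", "on", "true"}

# Constructed sample: an AWS-managed default group where the value is unset
# (shown as null on the console) and locked, as in the finding on the page.
DEFAULT_GROUP_PARAMS = [
    {"ParameterName": "max_connections", "ParameterValue": "{DBInstanceClassMemory/12582880}",
     "IsModifiable": True, "ApplyType": "dynamic", "Source": "system"},
    {"ParameterName": TLS_PARAM, "IsModifiable": False,
     "ApplyType": "dynamic", "Source": "engine-default"},
]

# Constructed sample: a customer-owned group with TLS enforcement switched on.
HARDENED_GROUP_PARAMS = [
    {"ParameterName": TLS_PARAM, "ParameterValue": "1", "IsModifiable": True,
     "ApplyType": "dynamic", "Source": "user"},
]


def tls_enforcement_status(parameters: Iterable[dict]) -> dict:
    """Return whether the group forces TLS and whether that can be changed."""
    for p in parameters:
        if p.get("ParameterName") != TLS_PARAM:
            continue
        value: Optional[str] = p.get("ParameterValue")  # missing key == null
        enforced = value is not None and value.strip().lower() in TRUE_VALUES
        return {"present": True, "value": value, "enforced": enforced,
                "modifiable": bool(p.get("IsModifiable", False))}
    return {"present": False, "value": None, "enforced": False, "modifiable": False}


def remediation_request(group_name: str) -> dict:
    """Keyword arguments for rds.modify_db_parameter_group that switch TLS on.

    Only customer-created groups can be modified: copy the default group,
    apply this change to the copy, then attach the copy to the instance.
    """
    return {
        "DBParameterGroupName": group_name,
        "Parameters": [{"ParameterName": TLS_PARAM, "ParameterValue": "1",
                        "ApplyMethod": "immediate"}],  # dynamic parameter, no reboot
    }


def audit_with_boto3(group_name: str, region: str = "us-east-1") -> dict:
    """Live variant: pull the group from AWS (needs boto3 and credentials)."""
    import boto3  # imported here so the rest of the file runs offline
    rds = boto3.client("rds", region_name=region)
    params = []
    paginator = rds.get_paginator("describe_db_parameters")
    for page in paginator.paginate(DBParameterGroupName=group_name):
        params.extend(page["Parameters"])
    return tls_enforcement_status(params)


if __name__ == "__main__":
    for label, params in (("default", DEFAULT_GROUP_PARAMS), ("hardened", HARDENED_GROUP_PARAMS)):
        print(label, tls_enforcement_status(params))
    print(remediation_request("custom-mysql-tls"))
```

The status dict separates "not enforced" from "cannot be fixed in place": a default group reports `enforced=False, modifiable=False`, which is the signal to create a custom parameter group rather than to retry the modify call. Run `audit_with_boto3("<your-parameter-group>")` against each group attached to a MySQL instance to find the ones still on the default.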

Vulnerability 2 - Google Cloud Armor packet size bypass

The second vulnerability is the Google Cloud Armor packet size bypass. Google Cloud Armor provides a rule-based policy framework that can be used by customers of the Google Cloud Platform to mitigate various types of common web application attacks. The Cloud Armor service has a documented limitation of 8 KB as the maximum size of web request that it will inspect. The default behaviour of Cloud Armor in this case can allow malicious requests to bypass Cloud Armor and directly reach an underlying application.

The Vulnerability: Piercing the Cloud Armor - The 8KB bypass in Google Cloud Platform WAF

The Mitigation: A guide to protect against the 8KB WAF limitation in Google Cloud Armor
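The checker below is an added example and is neither Kloudle's nor Google's code. It reads a Cloud Armor security policy document and reports whether a deny rule rejects requests whose declared body exceeds the 8 KB inspection limit before any allow rule can match. It assumes the policy has the shape of `gcloud compute security-policies describe --format=json` (`rules[].action`, `rules[].priority`, `rules[].match.expr.expression`) and that the compensating control is a deny rule on the Content-Length header of the form `int(request.headers['content-length']) > 8192`; the two sample policies are constructed.

```python
"""Check a Cloud Armor security policy for a rule that closes the 8 KB gap.

Added example. Assumptions: the policy dict mirrors the JSON output of
`gcloud compute security-policies describe`, and the compensating control
is a deny rule comparing Content-Length against a byte threshold.
"""
import re
from typing import List, Tuple

BODY_INSPECTION_LIMIT = 8192  # the 8 KB limit described on the page, in bytes

# Matches the Content-Length comparison used in the deny rule expression.
CONTENT_LENGTH_RE = re.compile(
    r"int\(\s*request\.headers\[\s*['\"]content-length['\"]\s*\]\s*\)\s*>\s*(\d+)",
    re.IGNORECASE)

# Constructed sample: a preconfigured WAF rule plus the default allow only.
WEAK_POLICY = {
    "name": "app-policy",
    "rules": [
        {"priority": 1000, "action": "deny(403)",
         "match": {"expr": {"expression": "evaluatePreconfiguredExpr('sqli-stable')"}}},
        {"priority": 2147483647, "action": "allow",
         "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}},
    ],
}

# Constructed sample: the same policy with an oversize-body deny evaluated first.
HARDENED_POLICY = {
    "name": "app-policy",
    "rules": [
        {"priority": 100, "action": "deny(403)",
         "match": {"expr": {"expression": "int(request.headers['content-length']) > 8192"}}},
    ] + WEAK_POLICY["rules"],
}


def find_oversize_body_rules(policy: dict) -> List[dict]:
    """Return every deny rule that compares Content-Length against a threshold."""
    hits = []
    for rule in policy.get("rules", []):
        expr = rule.get("match", {}).get("expr", {}).get("expression", "")
        m = CONTENT_LENGTH_RE.search(expr)
        if m and str(rule.get("action", "")).startswith("deny"):
            hits.append({"priority": int(rule.get("priority", 2147483647)),
                         "threshold": int(m.group(1)), "action": rule["action"]})
    return hits


def policy_covers_limit(policy: dict) -> Tuple[bool, str]:
    """Decide whether the policy stops requests the WAF would only partly inspect."""
    rules = find_oversize_body_rules(policy)
    if not rules:
        return False, ("no deny rule on Content-Length: bodies over 8 KB reach "
                       "the backend only partly inspected")
    best = min(rules, key=lambda r: r["priority"])  # lowest number is evaluated first
    if best["threshold"] > BODY_INSPECTION_LIMIT:
        return False, (f"deny threshold {best['threshold']} is above the "
                       f"{BODY_INSPECTION_LIMIT}-byte inspection limit")
    # An allow rule evaluated earlier would short-circuit the deny.
    earlier_allows = [int(r.get("priority", 2147483647)) for r in policy.get("rules", [])
                      if str(r.get("action", "")).startswith("allow")
                      and int(r.get("priority", 2147483647)) < best["priority"]]
    if earlier_allows:
        return False, (f"allow rule(s) at priority {earlier_allows} run before "
                       f"the deny at {best['priority']}")
    return True, f"deny at priority {best['priority']} rejects bodies over {best['threshold']} bytes"


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, policy_covers_limit(policy))
```

The priority check matters as much as the threshold: Cloud Armor evaluates rules in ascending priority order, so a deny rule placed after a broad allow never fires. The checker only reads the policy document; it cannot tell you whether the rule is attached to every backend service, and a Content-Length rule says nothing about requests that omit that header, so confirm both against the deployment.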

Kloudle aims to continue bringing these insightful research pieces to develop the nascent Cloud Security industry. You can read some more Insight pieces on the Kloudle Blog here. If you wish to learn more about cloud security, you can head to Kloudle Academy and even subscribe to Academy alerts!
