Cloud Hygiene is a Cloud Security problem. When you cannot see the roses for the weeds, you can’t prioritize which issues to fix and which carry minimal risk.
If you’ve been in AWS as long as I have, or if your organization has been in AWS for any period of time, you have one of these overgrown accounts full of abandoned resources.
Maybe a VP said, “ClickOps-ing VPCs is too hard, so we’ll only have five accounts”. Or maybe it was an account that started as “just another data center,” where you fill out a Word Document to request an EC2 Instance. Perhaps it’s a developer account that automates the building of environments but not the cleanup. And there’s always the “This once was an important business line, and it still makes money but isn’t strategic, so we underfund the DevOps team supporting it”.
The real question is: Can a free, securely configured, yet unused and abandoned cloud resource have a detrimental effect on the overall security and governance of the environment?
And to that, I’d say yes. First, TANSTAAFR - There ain’t no such thing as a free resource. Even free resources need to be indexed by AWS Config or a CSPM. Those indexing calls generate CloudTrail events. If you’re doing things right, CloudTrail events have storage costs and generate GuardDuty analysis costs ($4.00 per one million events). These aren’t going to break the bank, even for hobbyists, but they can add up to real money at scale. Resources with actual costs are burning money and contributing to global warming for no good reason.
However, the more insidious danger of these abandoned resources is that they become cloud pollution. Pollution breeds poverty. Let’s face it: these abandoned resources aren’t properly configured. They’re public buckets that no one can say who or what still references. They’re EC2 instances that have been running since Barack Obama was president. They’re the access keys that are who knows where, waiting to be exposed.
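Finding the access keys “that are who knows where” is the part of this hygiene problem that is easy to automate. Below is an added example (not code from the original post) that scans an IAM credential report for active access keys that have never been used, have sat idle past a threshold, or have not been rotated in over a year. The report rows are a constructed sample laid out like the CSV that `aws iam get-credential-report` returns (base64-encoded in its `Content` field), trimmed to the columns the check reads; the 90-day idle and 365-day rotation thresholds, the fixed `AS_OF` date, and the user names are assumptions for the demonstration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report.
# The real report carries more columns (password and certificate fields);
# only the access-key columns used by the check are kept here.
SAMPLE_REPORT = """user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2015-03-01T10:00:00+00:00,false,N/A,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2019-06-12T08:30:00+00:00,true,2019-06-12T08:30:00+00:00,2019-09-01T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T09:00:00+00:00,true,2024-01-05T12:00:00+00:00,2024-05-20T15:20:00+00:00,true,2021-04-02T07:00:00+00:00,N/A
"""

# Fixed "now" so the sample audit is reproducible (assumption for the demo).
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_time(value):
    """Turn a credential-report timestamp into a datetime, or None when the
    report has no data for that field (it uses N/A / no_information markers)."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def find_stale_keys(report_csv, now, max_idle_days=90, max_age_days=365):
    """Return (user, key_slot, reasons) for every active access key that is
    never used, idle beyond max_idle_days, or unrotated beyond max_age_days."""
    idle_cutoff = now - timedelta(days=max_idle_days)
    age_cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            # Inactive keys cannot be used; they are a rotation-cleanup item,
            # not an exposure risk, so they are skipped here.
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_time(row[f"access_key_{slot}_last_used_date"])
            reasons = []
            if last_used is None:
                # No usage on record: flag it once the key is older than the
                # idle window, so brand-new keys are not reported.
                if rotated is not None and rotated < idle_cutoff:
                    reasons.append("never used")
            elif last_used < idle_cutoff:
                reasons.append(f"idle {(now - last_used).days}d")
            if rotated is not None and rotated < age_cutoff:
                reasons.append(f"not rotated {(now - rotated).days}d")
            if reasons:
                findings.append((row["user"], slot, reasons))
    return findings


def audit_sample():
    """Run the check over the constructed report at the fixed AS_OF date."""
    return find_stale_keys(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, slot, reasons in audit_sample():
        print(f"{user} access key {slot}: {', '.join(reasons)}")
```

Run against a real report, the output is a worklist rather than a verdict: a never-used key on a service account may be a half-finished automation, but it is exactly the kind of credential that leaks from an abandoned account without anyone noticing, so deactivate first and ask questions afterwards.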
Well-funded cloud teams can build fancy autobahns so their developers can safely travel at extreme speeds. They manage their cloud resource lifecycle properly from creation to death. Teams with a lot of cloud pollution cannot go as fast—their DevOps processes aren’t as healthy as those of well-funded cloud teams. The more pollution, the more cloud security poverty there is.
Pollution is locally caused but globally felt. Poverty and unrest are driving the migrant crises that are upending the Western (classically) liberal world order. These same security pollution and poverty issues are causing external costs beyond the organizations that are underfunded or unable to fund proper security programs. Every single data breach was an externality imposed upon the general public.
The market and cloud providers must take notice of this issue. As cloud pollution is only going to increase, we must advocate for change. As the Shared Irresponsibilities Model dictates, the media and public will hold the providers accountable for their customers’ actions.