What can AWS customers do to protect from Apache Log4j2 (CVE-2021-44228) vulnerability?


Disclaimer:

  • This article is my personal opinion and is not endorsed by AWS
  • This article addresses specific use-cases and may not be useful or applicable to everyone, so please don't assume that following this article is sufficient
  • Any AWS usage charges incurred by following this article are your responsibility

Why this article?

The security of an AWS environment follows the shared responsibility model: security of the cloud is AWS's responsibility, and security in the cloud is the customer's responsibility.

AWS is working on security of the cloud. It has published, and is constantly updating, a public security bulletin on this topic. Please check that out for the latest information and the official AWS stance on this matter.

This article specifically talks about security in the cloud, which falls into the customer's area of responsibility, more specifically:

  1. How AWS customers can block web attacks from the internet targeting this vulnerability
  2. How AWS customers can detect resources in their AWS environment that need remediation

How can AWS customers block attacks targeting this vulnerability?

If you have Internet-facing web applications deployed using an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API, you can integrate AWS WAF (web application firewall) very easily.

Please follow the AWS documentation on how to set this up.

What I want to mention in this article is that AWS WAF has an AWS Managed Rule group called "Known bad inputs" which can block these requests.
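To make the "Known bad inputs" step concrete, here is an added example (my own illustration, not code from the article or from AWS) that builds a WAFv2 web ACL definition referencing the managed rule group and checks that the group is attached in blocking mode rather than count mode. It assumes the managed rule group's API name is AWSManagedRulesKnownBadInputsRuleSet and the CreateWebACL request shape; the web ACL name, metric names and scope values are placeholders you would replace.

```python
"""Attach the AWS-managed "Known bad inputs" rule group to a WAFv2 web ACL.

Added example, not the article's code. Assumes the managed rule group name
AWSManagedRulesKnownBadInputsRuleSet and the WAFv2 CreateWebACL request shape;
web ACL and metric names are placeholders.
"""
from typing import Any, Dict, List, Optional

# API name of the rule group the article calls "Known bad inputs" (assumed).
KNOWN_BAD_INPUTS_RULE_GROUP = "AWSManagedRulesKnownBadInputsRuleSet"


def known_bad_inputs_rule(priority: int = 0) -> Dict[str, Any]:
    """One web ACL rule that references the managed rule group.

    Managed rule groups take an OverrideAction rather than an Action. {"None": {}}
    keeps the group's own block action; {"Count": {}} would only count matches,
    which is useful for a dry run but does not stop anything.
    """
    return {
        "Name": "AWS-KnownBadInputs",  # placeholder rule name
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": KNOWN_BAD_INPUTS_RULE_GROUP,
            }
        },
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "KnownBadInputs",  # placeholder metric name
        },
    }


def web_acl_definition(name: str, scope: str,
                       extra_rules: Optional[List[Dict[str, Any]]] = None) -> Dict[str, Any]:
    """Full CreateWebACL request body: allow by default, block via the managed group.

    scope is CLOUDFRONT for distributions, REGIONAL for ALB / API Gateway / AppSync.
    """
    if scope not in ("CLOUDFRONT", "REGIONAL"):
        raise ValueError("scope must be CLOUDFRONT or REGIONAL")
    rules = [known_bad_inputs_rule(priority=0)]
    # Any additional rules are renumbered so priorities stay unique.
    for i, rule in enumerate(extra_rules or [], start=1):
        rules.append({**rule, "Priority": i})
    return {
        "Name": name,
        "Scope": scope,
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def has_known_bad_inputs(web_acl: Dict[str, Any]) -> bool:
    """True if a web ACL (e.g. the WebACL from GetWebACL) carries the group in block mode.

    A group attached with OverrideAction Count is reported as *not* protecting,
    because matching requests are only logged, not blocked.
    """
    for rule in web_acl.get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement", {})
        if stmt.get("VendorName") == "AWS" and stmt.get("Name") == KNOWN_BAD_INPUTS_RULE_GROUP:
            return "None" in rule.get("OverrideAction", {})
    return False


def create_web_acl(name: str, scope: str) -> str:
    """Create the web ACL with boto3 and return its ARN (needs AWS credentials).

    CLOUDFRONT-scoped web ACLs must be created in us-east-1.
    """
    import boto3  # imported here so the pure builders above work without boto3
    region = "us-east-1" if scope == "CLOUDFRONT" else None
    client = boto3.client("wafv2", region_name=region)
    resp = client.create_web_acl(**web_acl_definition(name, scope))
    return resp["Summary"]["ARN"]
```

Running `has_known_bad_inputs` against every existing web ACL is a quick way to audit a fleet: an ACL that lacks the group, or has it in count mode, is the one to fix.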


How can AWS customers detect resources in their AWS environment that need remediation?

If you have a large fleet of Amazon EC2 instances, an Amazon EKS/ECS compute environment, and use Amazon Elastic Container Registry (ECR), you can use Amazon Inspector to understand the footprint that needs remediation.

From the documentation "Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities. Amazon Inspector automatically discovers and scans Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure."

Inspector is an easy service to deploy quickly; it integrates with AWS Organizations if you have several (hundreds or thousands of) AWS accounts, and you can manage it centrally from a designated account.

It is also worth mentioning that Amazon Inspector has a 15-day free trial; more details here.
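The dashboard gives the organization-wide picture; if you need the same list as data (to open tickets or drive automation), here is an added example of my own, not code from the article or from AWS, that pulls Inspector findings for CVE-2021-44228 and groups the affected EC2 instances and ECR images by account. It assumes the Inspector2 ListFindings API with filterCriteria on vulnerabilityId and findingStatus, and the finding shape documented for that API; the sample findings embedded below are constructed, not real scan output, and the account ids and resource ids are placeholders.

```python
"""Summarise Amazon Inspector findings for CVE-2021-44228 across an organization.

Added example, not the article's code. Assumes the inspector2 list_findings API
(filterCriteria on vulnerabilityId / findingStatus) and its documented finding
shape. SAMPLE_FINDINGS is constructed data with placeholder ids.
"""
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Set, Tuple

LOG4SHELL = "CVE-2021-44228"

# Constructed sample findings in the shape list_findings returns (placeholders only).
SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    {
        "awsAccountId": "111111111111",
        "severity": "CRITICAL",
        "status": "ACTIVE",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0placeholder1"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": LOG4SHELL,
            "vulnerablePackages": [
                {"name": "log4j-core", "version": "2.14.1", "fixedInVersion": "2.15.0"}
            ],
        },
    },
    {
        "awsAccountId": "222222222222",
        "severity": "CRITICAL",
        "status": "ACTIVE",
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE",
                       "id": "arn:aws:ecr:us-east-1:222222222222:repository/placeholder-app/sha256:placeholder"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": LOG4SHELL,
            "vulnerablePackages": [
                {"name": "log4j-core", "version": "2.13.3", "fixedInVersion": "2.15.0"}
            ],
        },
    },
    {   # already patched: Inspector closes the finding, so it must not count as open work
        "awsAccountId": "111111111111",
        "severity": "CRITICAL",
        "status": "CLOSED",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0placeholder2"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": LOG4SHELL,
            "vulnerablePackages": [
                {"name": "log4j-core", "version": "2.14.1", "fixedInVersion": "2.15.0"}
            ],
        },
    },
    {   # unrelated finding (placeholder CVE id), must be ignored by the summary
        "awsAccountId": "111111111111",
        "severity": "HIGH",
        "status": "ACTIVE",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0placeholder3"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-PLACEHOLDER-UNRELATED",
            "vulnerablePackages": [{"name": "other-lib", "version": "1.0"}],
        },
    },
]


def log4shell_filter(vuln_id: str = LOG4SHELL) -> Dict[str, Any]:
    """filterCriteria asking Inspector only for ACTIVE findings of this CVE."""
    return {
        "vulnerabilityId": [{"comparison": "EQUALS", "value": vuln_id}],
        "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
    }


def fetch_findings(vuln_id: str = LOG4SHELL) -> List[Dict[str, Any]]:
    """Page through list_findings (run from the delegated admin account for org-wide view)."""
    import boto3  # imported here so the offline helpers work without boto3
    paginator = boto3.client("inspector2").get_paginator("list_findings")
    findings: List[Dict[str, Any]] = []
    for page in paginator.paginate(filterCriteria=log4shell_filter(vuln_id)):
        findings.extend(page["findings"])
    return findings


def needs_remediation(findings: Iterable[Dict[str, Any]],
                      vuln_id: str = LOG4SHELL) -> Dict[str, Dict[str, List[str]]]:
    """account id -> resource type -> sorted resource ids still ACTIVE for the CVE."""
    grouped: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in findings:
        details = f.get("packageVulnerabilityDetails", {})
        if details.get("vulnerabilityId") != vuln_id or f.get("status") != "ACTIVE":
            continue
        for r in f.get("resources", []):
            grouped[f["awsAccountId"]][r["type"]].add(r["id"])
    return {acct: {rtype: sorted(ids) for rtype, ids in by_type.items()}
            for acct, by_type in grouped.items()}


def vulnerable_versions(findings: Iterable[Dict[str, Any]],
                        vuln_id: str = LOG4SHELL) -> Set[Tuple[str, str, str]]:
    """Distinct (package, installed version, fixed-in version) triples for open findings."""
    out: Set[Tuple[str, str, str]] = set()
    for f in findings:
        details = f.get("packageVulnerabilityDetails", {})
        if details.get("vulnerabilityId") != vuln_id or f.get("status") != "ACTIVE":
            continue
        for p in details.get("vulnerablePackages", []):
            out.add((p["name"], p["version"], p.get("fixedInVersion", "")))
    return out
```

`needs_remediation(fetch_findings())` gives you the per-account worklist; re-running it after patching shows the list shrink as Inspector closes findings on rescan.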

Here is a snapshot of Inspector dashboard deployed on the management account, having full organization view.


The following screenshot shows the dashboard view of this vulnerable package found in an ECR repo.


As you can see, I have shown you a way to block public internet ingress via web protocols and also to detect resources in your AWS environment that need remediation. Hope this was useful!



Avi Harari

Sr. Technical Account Manager at Amazon Web Services (AWS)

3 years

It's also worthwhile to take a look at the security bulletin for this CVE to see service-specific information for additional AWS services: https://aws.amazon.com/security/security-bulletins/AWS-2021-005/
