The ease with which AWS credentials can be found using Google Code Search illustrates the importance of developer education but also highlights cloud computing risks, according to researchers at Stach & Liu, LLC.
The Phoenix, Ariz.-based security research firm, which developed a set of Google hacking tools, has been testing cloud service security with its Google CodeSearch Diggity tool tuned to search for AWS credentials. Armed with the credentials, an attacker could gain extensive access to unwitting administrators’ AWS infrastructure, said Francis Brown, managing partner at Stach & Liu.
Using about a dozen regular expressions to hunt down Amazon cloud keys, the Google CodeSearch Diggity tool can unearth thousands of hard-coded AWS credentials, he said. The tool works on top of Google Code Search, a separate Google search engine that indexes publicly accessible source code.
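The same regular-expression approach works from the defender's side: a pre-commit or CI check that scans the files a developer is about to publish and refuses any that contain AWS-style credentials. The following is an added example written for this page, not code from Stach & Liu or from the Diggity tool, and the two patterns are assumptions based on the documented shape of AWS keys (access key IDs begin with "AKIA" and are 20 characters; secret keys are 40 base64-style characters) rather than the dozen expressions the article mentions. The sample input is constructed, using Amazon's published example key values.

```python
import re
from typing import List, Tuple

# Assumed patterns (not from the article). An access key ID is "AKIA" plus
# 16 uppercase alphanumerics, bounded so it does not match inside a longer
# token; a secret key is 40 base64-style characters, which on its own is too
# generic, so it is only flagged when it sits near "aws" and "secret".
ACCESS_KEY_RE = re.compile(r'(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])')
SECRET_KEY_RE = re.compile(
    r'(?i)aws.{0,20}secret.{0,20}[\'"]([A-Za-z0-9/+=]{40})[\'"]'
)

# Constructed sample: a config file that a developer is about to commit.
# Lines 2 and 3 hold Amazon's documented example credentials; line 4 shows
# a short token that merely starts with "AKIA" and must not be flagged.
SAMPLE_SOURCE = """\
# constructed sample: settings.cfg
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
token = "AKIAshort"
region = "us-east-1"
"""


def redact(value: str) -> str:
    """Keep only the first and last four characters so reports never leak the key."""
    return value[:4] + "..." + value[-4:]


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


def commit_allowed(text: str) -> bool:
    """Pre-commit policy: block the commit if any credential-shaped value is present."""
    return not scan_source(text)


if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} {value}")
    print("commit allowed:", commit_allowed(SAMPLE_SOURCE))
```

Run as a pre-commit hook over staged files, the check reports the redacted hits and returns a non-zero status so the keys never reach a public repository; the same logic run over an existing code base finds credentials that are already exposed and need to be rotated.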
In a demonstration, the tool quickly finds a pair of keys, which Brown said are like a username and password. Attackers could plug the credentials into freely available management tools to access a cloud user’s S3 resources or take full control over the user’s Amazon EC2 infrastructure, he said.
So far, Stach & Liu has only created checks for Google CodeSearch Diggity to search for AWS credentials, but Brown suspects the issue may affect other cloud services. “It only takes one developer embedding [credentials] in some insecure way,” he said.
The 2011 CWE/SANS list of the top 25 most dangerous software errors includes use of hard-coded credentials as No. 7.
“Most cloud security teams are focused on securing the individual virtual machines or the interaction between them, but from a hacker’s perspective, going after the administrative interface gives you access to all the instances and virtual machines that may be running in the cloud,” Brown said.
The research underscores the need for user and developer education in protecting cloud credentials, Brown said. “Most people don’t realize what they’re doing when they put [hard-coded credentials] out there,” he said.
However, the nature of cloud services amplifies this problem, he said. “You don’t want to be putting a lot of your infrastructure into the cloud and put yourself in the position where one mistake by a developer could be the end game,” Brown said. “It’s a bad situation.”
He noted that Amazon’s customer agreement provides no guarantee about the security of customers’ data, and believes organizations should broker better deals with regard to AWS cloud services security.
An AWS spokesperson said it’s important that customers protect passwords and security keys and not post them publicly. The company provides best practices for securing credentials in the AWS Security Best Practices whitepaper.
Many CTOs and CIOs have told AWS they can achieve higher levels of security at AWS than they can in house, the spokesperson said. The AWS cloud uses the same security isolations as a traditional data center, the spokesperson said, adding that the company also routinely works with enterprises to address their security concerns, operationally as well as contractually.