This article is a part of the SearchCloudSecurity.com AWS security and Amazon EC2 security tutorial
German scientists released research this week that shows Amazon Web Services customers are carelessly creating security vulnerabilities in many of the virtual machines they publish.
Scientists from the Darmstadt Research Center for Advanced Security (CASED) looked at 1,100 public Amazon Machine Images (AMIs) and found that about 30% were vulnerable to attackers manipulating or compromising Web services or virtual infrastructures. An AMI is a type of pre-configured operating system and virtual application software used to create a virtual machine within Amazon EC2.
AMI publishers are disregarding the security recommendations from AWS, opening the door to potential cloud computing security threats, according to the CASED study. The most serious vulnerability the researchers discovered was the presence of several AWS API keys used for authentication to services such as EC2. Attackers could use the keys to access the user's entire virtual infrastructure in AWS, or to create virtual infrastructure at the expense of the key holder, the researchers said. They also found private SSH keys, source code of unpublished software and other private data.
“The most likely reasons for this unintentional leakage lie in the security unawareness of the users, i.e., they simply forgot to detect and remove their private data before publishing the VM image or are not familiar with the image creation process,” CASED scientists wrote.
More than one third of the AMIs examined by the scientists already contained an SSH host key. Unless the user removes the key, all instances derived from the image use the same host key on SSH login, they said. This oversight could lead to a variety of attacks, including man-in-the-middle attacks on the SSH authentication, according to CASED.
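The three leak classes the study describes (AWS API keys, private SSH keys, and host keys baked into the image) can all be caught before an image is published. The following pre-publish check is an added example written for this article; it is not tooling from CASED or AWS. It assumes the image filesystem is mounted at a path you pass as the root (or that you run it inside the instance against `/`), and it relies on two known formats: AWS access key IDs begin with `AKIA` followed by 16 uppercase alphanumerics, and private keys carry a `-----BEGIN ... PRIVATE KEY-----` header. The sample image tree it builds is constructed, with fake key material.

```shell
#!/bin/sh
# Added example (not from the CASED study or AWS): scan a VM image root for the
# three leak classes the article names before the image is published as an AMI.
# Output: one finding per line, "<class><TAB><path>".

scan_image_root() {
    root=$1
    # Class 1: SSH host keys. Every instance launched from the image would share
    # them, so the private halves must not be in a published image at all.
    for f in "$root"/etc/ssh/ssh_host_*_key; do
        [ -f "$f" ] && printf 'host-key\t%s\n' "$f"
    done
    # Class 2: AWS API credentials anywhere in the tree: access key IDs
    # (AKIA + 16 chars, the documented format) or credential-file entries.
    # Shell history is included deliberately; exported keys often end up there.
    find "$root" -type f -exec grep -lE -e 'AKIA[0-9A-Z]{16}|aws_secret_access_key' {} + 2>/dev/null \
        | while IFS= read -r f; do printf 'aws-credential\t%s\n' "$f"; done
    # Class 3: user private keys (PEM or OpenSSH format). Host keys are excluded
    # by name because they are already reported under class 1.
    find "$root" -type f ! -name 'ssh_host_*' \
        -exec grep -lE -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' {} + 2>/dev/null \
        | while IFS= read -r f; do printf 'private-key\t%s\n' "$f"; done
}

# Remove baked-in host keys so each instance generates its own on first boot
# (cloud-init and the usual distro sshd init scripts regenerate missing keys).
scrub_host_keys() {
    rm -f "$1"/etc/ssh/ssh_host_*
}

# Build a constructed sample image tree with fake, non-functional secrets so the
# scan can be exercised offline. Prints the temporary root directory.
make_demo_image() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/home/builder/.aws" "$d/home/builder/.ssh" "$d/opt/app"
    printf 'fake-host-key-material\n' > "$d/etc/ssh/ssh_host_rsa_key"
    printf 'fake-host-key-material\n' > "$d/etc/ssh/ssh_host_ed25519_key"
    printf 'ssh-rsa AAAA fake\n'       > "$d/etc/ssh/ssh_host_rsa_key.pub"
    printf '[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE00\naws_secret_access_key = constructed\n' \
        > "$d/home/builder/.aws/credentials"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' '-----END OPENSSH PRIVATE KEY-----' \
        > "$d/home/builder/.ssh/id_ed25519"
    printf 'export AWS_ACCESS_KEY_ID=AKIA0123456789ABCDEF\n' > "$d/home/builder/.bash_history"
    printf 'print("hello")\n' > "$d/opt/app/main.py"
    printf '%s\n' "$d"
}

# Stand-alone demo: scan the constructed tree, scrub host keys, scan again.
demo=$(make_demo_image)
echo "== findings before scrub =="
scan_image_root "$demo"
scrub_host_keys "$demo"
echo "== findings after scrub =="
scan_image_root "$demo"
rm -rf "$demo"
```

Against the constructed tree the first scan reports five findings: two host keys, two AWS credential hits (the credentials file and the shell history) and one user private key; after `scrub_host_keys` only the credential and user-key findings remain, which must be removed by hand since the script cannot know which are real. A real pre-publish run would treat any finding as a blocker and would also review application source and configuration that the study found leaking alongside keys.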
The scientists said they contacted AWS, which took steps to protect its customers, including issuing more guidance about using and sharing public AMIs securely.
“The problem clearly lies in the customers’ unawareness and not in Amazon Web Services. We believe customers of other cloud providers endanger themselves and other cloud users similarly by ignoring or underestimating security recommendations,” Professor Dr.-Ing. Ahmad-Reza Sadeghi, who led the research team, said in a prepared statement.