Security Holes Abound in VMs Deployed by Amazon Web Services CustomersBy Channel Insider Staff | Print
Re-Imagining Linux Platforms to Meet the Needs of Cloud Service Providers
Researchers found a number of security holes in virtual machines created on Amazon Web Services. But, surprise! The problem wasn't with Amazon, but the customers themselves.
German researchers uncovered multiple security problems within Amazon's cloud-computing services caused by customers ignoring or forgetting security tips.
Researchers looked at some 1,100 Amazon Machine Images and found a majority of them contained security keys used to authenticate with other services and servers, Thomas Schneider, a post-doctoral researcher in the System Security Lab of Technische Universitat Darmstadt, wrote in a paper June 20.
"They customers just forgot to remove their API keys from machines before publishing," Schneider said.
Amazon Machine Images are preconfigured operating systems and application software used to create virtual machines. Anyone can create these images and allow others to use them when rolling out their own virtual infrastructure. Anyone with an Amazon Web Services account can browse through the public AMIs.
Researchers found that the private keys used to authenticate with Amazon services such as EC2 (Elastic Compute Cloud) or S3 (Simple Storage Service) were published in those AMIs. About a third of the studied AMIs also contained SSH (Secure Shell) host keys or user keys. SSH is a common tool used to log into and manage a virtual machine and the keys authenticate the user onto the server.
Unless the host key is removed and replaced from the AMI, every virtual machine created from that image will use the same key, creating the possibility of a malicious user impersonating the server and launching phishing attacks. SSH user keys are also used for root-privileged log-ins. With the user keys, the interloper can log in using super-user privileges unless the owner discovers and closes the "backdoor," researchers said.
To read the original eWeek article, click here: Amazon Web Services Customers Blindly Deploying VMs with Security Holes