Amazon Web Services Customers Blindly Deploying VMs with Security Holes
German researchers uncovered multiple security problems within Amazon's cloud-computing services caused by customers ignoring or forgetting security tips.
Researchers looked at some 1,100 Amazon Machine Images and found a majority of them contained security keys used to authenticate with other services and servers, Thomas Schneider, a post-doctoral researcher in the System Security Lab of Technische Universitat Darmstadt, wrote in a paper June 20.
"They [customers] just forgot to remove their API keys from machines before publishing," Schneider said.
Amazon Machine Images are preconfigured operating systems and application software used to create virtual machines. Anyone can create these images and allow others to use them when rolling out their own virtual infrastructure. Anyone with an Amazon Web Services account can browse through the public AMIs.
Researchers found that the private keys used to authenticate with Amazon services such as EC2 (Elastic Compute Cloud) or S3 (Simple Storage Service) were published in those AMIs. About a third of the studied AMIs also contained SSH (Secure Shell) host keys or user keys. SSH is a common tool used to log into and manage a virtual machine and the keys authenticate the user onto the server.
Unless the host key is removed and replaced from the AMI, every virtual machine created from that image will use the same key, creating the possibility of a malicious user impersonating the server and launching phishing attacks. SSH user keys are also used for root-privileged log-ins. With the user keys, the interloper can log in using super-user privileges unless the owner discovers and closes the "backdoor," researchers said.
With the authentication keys for EC2 and S3, any third-party miscreant can connect and create "virtual infrastructure worth several thousands of dollars per day at the expense" of the original customer, the researchers found.
The AMIs also contained valid SSL (Secure Sockets Layer) certificates and their private keys, which would allow attackers to impersonate the servers. The researchers also uncovered source code for unpublished software products, passwords and personal identifiable information such as pictures and notes.
Amazon Web Services is very easy to use, and customers can easily purchase and roll out servers and storage services. It's also so easy to use that users are creating virtual machines without following Amazon's recommendations on security and implementation, according to Schneider.
"These guidelines are very detailed," Schneider said.
Security experts have paid close attention to underlying cloud infrastructures and providers, but have underestimated or ignored the "threats caused by the cloud customers when constructing services," the researchers said. Flawed configurations meant anyone could harvest critical data such as passwords and cryptographic keys and certificates from virtual machines. Attackers would be able to "operate criminal virtual infrastructures, manipulate Web services and circumvent security mechanisms," the researchers wrote.
Customers can endanger themselves and other users with the "careless and error-prone manner" in which AMIs are handled and deployed, the researchers said.
Once the researchers uncovered the problem, they contacted Amazon Web Services with their findings at the end of April. Amazon notified those account holders of the security issues, Schneider said.
The study was done by the Center for Advanced Security Research Darmstadt and the Fraunhofer Institute for Security in Information Technology in Darmstadt, Germany.