Unsecure user behaviour on Amazon cloud services leaves virtual machines vulnerable
Surveying 1,100 public Amazon Machine Images (AMIs), which are used to provide cloud services, it found that around 30 per cent were vulnerable and could allow attackers to manipulate or compromise web services or virtual infrastructures.
It claimed that the main failure lies in the ‘careless and error-prone manner' in which Amazon's customers handle and deploy AMIs. The research group, led by professor Ahmad-Reza Sadeghi at CASED, found that even though Amazon Web Services (AWS) provides its customers with very detailed security recommendations on its web pages, at least one third of the machines under consideration have flawed configurations.
The research team reported that it was able to extract critical data such as passwords, cryptographic keys and certificates from the analysed virtual machines.
Sadeghi said: “The problem clearly lies in the customers' unawareness and not in Amazon Web Services. We believe that customers of other cloud providers endanger themselves and other cloud users similarly by ignoring or underestimating security recommendations.”
In coordination with the AWS security team, affected customers have been informed. AWS also said that it is publishing guidance for customers on how to manage their private keys.
Mike Smart, European solutions director at SafeNet, said: “What the researcher's work reveals, and the rapid response of AWS demonstrates, is that users can avoid these loopholes easily when they are reminded of the correct guidelines.
“However we shouldn't forget that cloud computing is virgin territory and more organisations are going to make similar simple mistakes, making user education a real priority for service providers and the industry as a whole.
“End-users should go further and ensure their digital keys are never stored on the cloud, but are held and used within hardware security modules in their premises. This kind of technology is widely used within the financial sector and has evolved to the point where it can be used much more widely to secure all kinds of secure infrastructure including those associated with private or public clouds.
“With this approach, the kind of incident spotted by the German researchers can never happen because the risk has been designed out of how the cloud service works.”