Slashdot Mirror


Amazon's Cloud Is Full of Holes

itwbennett writes "Amazon's Web Services is so easy to use that customers create virtual machines without following Amazon's 'very detailed' security guidelines, says Thomas Schneider, a postdoctoral researcher in the System Security Lab of Technische Universität Darmstadt. Most notably, Schneider and his fellow researchers found that the private keys used to authenticate with services such as the Elastic Compute Cloud (EC2) or the Simple Storage Service (S3) were publicly published in Amazon Machine Images (AMIs), which are pre-configured operating systems and application software used to create virtual machines. '[Customers] just forgot to remove their API keys from machines before publishing,' Schneider said."

11 of 66 comments

  1. Known issue by Mullen · · Score: 3, Informative

    This is a known issue and when Amazon.com finds out that certain AMIs have preinstalled root ssh keys, they send you an email letting you know, along with instructions on how to remove the root ssh key. Non-issue.

    --
    Linux O Muerte!
    1. Re:Known issue by Ignominous · · Score: 2

      You can also deactivate your account credentials just in case you did do this.

  2. Re:How does that mean it is full of holes? by ChrisKnight · · Score: 3, Insightful

    No, your example posits a situation where you are privately sending your physical keys to a known individual in a 1:1 transaction. Apples to oranges.

    The situation being described is where people build server images, and then publish them to share, without first having stripped them of their security keys.

    A better comparison is if you wrote up an email for your dog walker with very detailed instructions on how to take care of your dog and you included the security code for your alarm. Then, you thought it would be a terrific idea to share your great dog walking tips with an email list and forwarded your original email without editing out your security code. Now anyone who accesses your dog walking tips has access to your house.

    --
    -- This sig is only a test. If this were a real sig it would say something witty. --
  3. Easy to use? by BradleyUffner · · Score: 2

    If it allows you to do something incorrectly then it isn't very easy to use.

    1. Re:Easy to use? by ackthpt · · Score: 2

      If it allows you to do something incorrectly then it isn't very easy to use.

      Nonsense. Windows has been allowing people to get things wrong for decades and millions claim it's easy to use ... never mind.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Easy to use? by element-o.p. · · Score: 2

      I don't know...a pencil is pretty easy to use, but it's trivial to use the wrong end (thereby erasing the work you've already done) or to poke yourself with it, etc.

      Then again, I'm one of those people that gets annoyed with devices that try too hard to protect me from myself. That's one of the reasons why I prefer stick-shift cars, manual focus cameras, Linux, and such.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    3. Re:Easy to use? by Nerdfest · · Score: 2

      It's becoming more common and accepted these days though ... Apple seems to use that philosophy in a lot of their products. I think the drawbacks outweigh the benefits, but there are those that don't.

  4. Re:How does that mean it is full of holes? by ep32g79 · · Score: 2

    Your analogy is confusing. Can I get one with cars?

  5. Re:How does that mean it is full of holes? by vlm · · Score: 2

    Your analogy is confusing. Can I get one with cars?

    A better comparison is if you wrote up an email for your driver with very detailed instructions on how to run over a dog and you included the security code for your garage door. Then, you thought it would be a terrific idea to share your great dog running over tips with an email list and forwarded your original email without editing out your garage door code. Now anyone who accesses your dog running over tips has access to your garage.

    Better now?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  6. is this Amazon-specific? by Trepidity · · Score: 2

    This seems like basically the same issue as "forgot to remove my SQL password from the config file in the code I uploaded to github", which is also quite common. If you upload a working version of some of your infrastructure somewhere, you need to be careful about whether it contains any sort of authentication tokens.
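
A pre-publication check for the mistake this thread discusses (API keys and root ssh keys left in a shared image), as an added example that is not part of any comment here or of Amazon's tooling: it walks a mounted image root and flags AWS-style access key IDs, PEM private keys and non-empty authorized_keys files. The function names, the sample tree and the key values are constructed for illustration, and the patterns are heuristics, not an exhaustive list.

```python
import os
import re

# Heuristic patterns for secrets that should not ship in a shared image.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_pem": re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

def scan_image_root(root, max_bytes=1_000_000):
    """Return sorted (relative_path, finding) pairs; reads up to max_bytes per file."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets and device nodes
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: a real check should report this
            rel = os.path.relpath(path, root)
            # A non-empty authorized_keys lets the publisher log in to every copy.
            if name == "authorized_keys" and data.strip():
                findings.append((rel, "leftover_authorized_keys"))
            for label, pattern in PATTERNS.items():
                if pattern.search(data):
                    findings.append((rel, label))
    return sorted(findings)

def build_sample_root(root):
    """Write a constructed tree standing in for a mounted image filesystem."""
    files = {
        "root/.ssh/authorized_keys": "ssh-rsa AAAAconstructed publisher@example\n",
        "home/app/.aws/credentials": "aws_access_key_id = AKIAEXAMPLEEXAMPLE00\n",
        "home/app/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n",
        "etc/motd": "welcome\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        for rel, finding in scan_image_root(tmp):
            print(f"{finding}: {rel}")
```

Any finding means the image still carries credentials: remove the file and deactivate the exposed key before sharing.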

  7. Re:How does that mean it is full of holes? by chemicaldave · · Score: 2

    Bad phrasing. When they say Amazon's cloud they really mean the customers in the cloud, not Amazon themselves.