An awful lot of people use Amazon’s cloud services for an awful lot of things. And many of those people have pretty awful implementation practices. That’s what the folks at Newvem are watching like a hawk.
Based on Newvem’s study of Amazon users, here are the five biggest screwups they make in the Amazon cloud.
- Leaving database server IP ports open to the universe. There is usually no reason for a database server to be reachable directly from the Internet; database access should go through the web or application servers, which act as a buffer.
- Opening access to IP ports from all internal AWS servers. This is easy to do by mistake, but it can be costly. It happens, for example, when a security group is configured to allow access from the IP range 10.0.0.1/8, which is the entire 10.0.0.0/8 block: that rule admits every host with a 10.x.x.x address, not just your own instances. Naming another security group as the source, rather than a CIDR block, avoids the problem.
- Leaving IP ports open to all IP addresses. The best practice is to keep open ports to a minimum and to expose to the outside world only those services that genuinely need to be Internet-facing, such as port 80 for HTTP and port 443 for HTTPS.
- Allowing access to critical IP ports from public Internet IP addresses. These are like the database ports above: services such as memcached, which does no authentication of its own, expose your cloud environment to risk if they are reachable from untrusted addresses. Critical ports should be locked down so that only private networks can reach them.
- Making Amazon Machine Images publicly accessible. AMIs often contain sensitive data, so leaving them open is risky, but it happens all the time. Rule of thumb: when building an AMI, set its launch permissions to private. (Conversely, if you do want to share an AMI, make sure sensitive data such as stored credentials has been removed first.)
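The five checks above can be run mechanically against a security-group listing. The script below is an added example, not Newvem's code or anything from the article; it reads records in the shape that boto3's ec2.describe_security_groups() and ec2.describe_images() return, but the groups, CIDRs and image IDs here are constructed inline so it runs offline. The port lists (3306, 5432, 11211 and so on) and the "only 80 and 443 may face the Internet" rule are assumptions that reflect the article's advice; adjust them to your own environment.

```python
"""Offline audit for the five security-group and AMI mistakes listed above.

The input mirrors the shape of boto3's ec2.describe_security_groups() and
ec2.describe_images() responses, but every record below is a constructed
example, so the script runs without AWS credentials.
"""
import ipaddress

# Ports that belong behind an application tier, never on the Internet (assumed list).
DB_PORTS = {3306: "mysql", 5432: "postgres", 1433: "mssql", 27017: "mongodb"}
# Infrastructure services that should only be reachable from private networks (assumed list).
CRITICAL_PORTS = {11211: "memcached", 6379: "redis"}
# The only ports it is normally acceptable to open to 0.0.0.0/0.
PUBLIC_OK_PORTS = {80, 443}

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_RANGE = RFC1918[0]  # the whole 10/8 block the article warns about


def _port_range(perm):
    """Return (low, high) for one rule; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def _label(low, high):
    return str(low) if low == high else f"{low}-{high}"


def _trusted(net):
    """A source is trusted only if it lies entirely inside an RFC 1918 range.

    ipaddress's is_private is deliberately not used: it reports 0.0.0.0/0 as private.
    """
    return any(net.subnet_of(p) for p in RFC1918)


def audit_security_group(sg):
    """Return (check, group_id, ports, source_cidr) tuples for one group."""
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        low, high = _port_range(perm)
        ports = _label(low, high)
        for rng in perm.get("IpRanges", []):  # IPv4 sources only
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)  # 10.0.0.1/8 -> 10.0.0.0/8
            cidr = str(net)
            world = net.prefixlen == 0

            # Mistake 2: the rule admits every host in 10/8, i.e. every internal address.
            if not world and net.supernet_of(INTERNAL_RANGE):
                findings.append(("internal-range-wide-open", gid, ports, cidr))

            if world:
                # Mistake 1: a database port reachable from anywhere.
                for port, name in DB_PORTS.items():
                    if low <= port <= high:
                        findings.append(("db-port-open-to-world", gid, name, cidr))
                # Mistake 3: anything other than a lone HTTP/HTTPS port open to anywhere.
                if not (low == high and low in PUBLIC_OK_PORTS):
                    findings.append(("port-open-to-world", gid, ports, cidr))

            # Mistake 4: a critical service reachable from any non-private source.
            if not _trusted(net):
                for port, name in CRITICAL_PORTS.items():
                    if low <= port <= high:
                        findings.append(("critical-port-from-untrusted", gid, name, cidr))
    return findings


def audit_security_groups(groups):
    return [f for sg in groups for f in audit_security_group(sg)]


def audit_images(images):
    """Mistake 5: return the IDs of AMIs whose launch permission is public."""
    return [img["ImageId"] for img in images if img.get("Public")]


# Constructed sample data in describe_security_groups() / describe_images() shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.7/32"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-cache", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-wide", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.1/8"}]},  # the rule quoted in the article
    ]},
]
SAMPLE_IMAGES = [
    {"ImageId": "ami-0a1b2c3d", "Public": True},
    {"ImageId": "ami-4e5f6a7b", "Public": False},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print("%-28s %-9s ports=%-8s from %s" % f)
    print("public AMIs:", audit_images(SAMPLE_IMAGES))
```

Two design points are worth noting. The bastion-only SSH rule on sg-web (port 22 from a single /32) produces no finding, because the checks care about who can reach a port, not merely whether it is open. And a rule whose source is 10.0.0.1/8 is normalised to 10.0.0.0/8 before it is compared, so the sloppy spelling in the article's example is caught as the same wide-open rule; in real use, feed the output of describe_security_groups() and describe_images() (with Owners=["self"]) in place of the sample lists.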
Cameron Peron, Newvem’s VP of marketing and business development, said most of these mistakes are just that, mistakes. “The most shocking thing is that nearly all of these are caused from confusion when making changes and scaling up AWS,” he said via email.
Of course, Newvem, the Israeli startup, wants customers to use its analytics service to find these flaws in Amazon cloud implementations and correct them. There are a growing number of tools from vendors like Cloudability, Cloudyn and others to help users get a better handle on what, exactly, is going on in their public cloud deployments.