Amazon AMI vulnerabilities overblown, experts say

3406853888_2a934e1019_z

The latest kerfuffle over reported vulnerabilities in Amazon Machine Images  is a tempest in a teapot, according to security experts.

Recent reports described the issue in florid terms. One headline characterized Amazon servers as “teeming with backdoors.” An Amazon Machine Image — or AMI —  is a preconfigured package of the operating system and virtual application software used to build a virtual machine in the Amazon Elastic Compute Cloud, or EC2. AMIs are the basic units of deployment for EC2 services.

Stories about potential security vulnerabilities strike a chord as more companies consider moving more of their IT workloads to public cloud infrastructure run by Amazon, Rackspace and others.

Security experts said this is more of a people problem than a technology issue in that some people deploying AMIs leave passwords, SSH keys and other data that should be locked away, unattended. That flies in the face of Amazon’s recommended practices and makes AMIs vulnerable to hackers.

The message from security experts was clear: Stupid users get what they deserve.

“If someone’s practices are poor enough to embed credentials in AMIs and upload [them] as public, then it’s a big deal,” said Chris Hoff, the senior director and security architect at Juniper Networks.

Anyone who bothers to read Amazon’s documentation will know better than to leave these artifacts laying around. It’s the first or second thing Amazon warns people about, said Carl Brooks, a cloud computing analyst with Tier1 Research. The bigger problem is that despite all the warnings and documentation, people do it anyway.

Last June, GigaOM Pro analyst Paul Miller wrote about these issues (subscription required), saying that in general, users have poor security practices whether they are working on AWS or on their own company’s servers.

Do those users think it’s Amazon’s responsibility to ensure security? Does Amazon lead those users to think that they are absolved of responsibility? There is no suggestion that this behavior makes Amazon Web Services itself less secure, although Amazon does have the problem of dealing with the resulting negative press from any attack.

In general, this AMI issue may be old news, but as more users weigh a move into cloud computing, stories about security vulnerabilities — whether they are vendor or user induced — will crop up again.

Photo courtesy of Flickr user Evil Erin

loading

Comments have been disabled for this post