Many Amazon cloud users reveal confidential data
Sharing Amazon Machine Images (AMIs) to run on Amazon's Web Services (AWS) can open the door to attackers when users do not follow appropriate safety advice. The AMIs may contain private cryptographic keys, certificates and passwords, as researchers at the Darmstadt Research Center's CASED (Center for Advanced Security Research Darmstadt) found.
In a report, they say that they examined 1100 public AMIs for cloud services and found that 30 per cent were vulnerable to manipulation that could allow attackers to partially or completely take over virtual web service infrastructure or other resources.
The published AMIs are provided as a service from the community of developers for other developers. Instead of creating a virtual environment from scratch – with a Linux system, Apache, a database and other services – to deploy an application, it is possible to find a preconfigured shared AMI through the AWS web front end. But if the publisher has left confidential information in the system or, for example, has not deleted the Bash shell history prior to publication, that data can be extracted and used.
Amazon has long been aware of this potential security problem and has published the guides "Sharing AMIs Safely" and "How To Share and Use Public AMIs in A Secure Manner". CASED has produced a Python script, available from the project site on Google Code, which scans AMIs before publication and warns of any issues. Amazon Web Services has also been informed of which customers are affected.
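As an added illustration, not CASED's script or Amazon's tooling, here is a minimal pre-publication check in Python over a mounted image root: it flags leftover shell histories, SSH key material, authorized_keys and AWS credential files under /root and /home, and any PEM-encoded private key elsewhere in the tree. The file list, the regular expression and the demo image tree it builds are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Per-home-directory files that commonly carry leftover secrets into a shared
# image (constructed list for this example; extend it for your own builds).
HOME_SENSITIVE = [".bash_history", ".mysql_history", ".ssh/id_rsa", ".ssh/id_dsa",
                  ".ssh/authorized_keys", ".aws/credentials"]
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")

def home_dirs(root: Path):
    """Yield /root and every directory below /home inside the image tree."""
    if (root / "root").is_dir():
        yield root / "root"
    if (root / "home").is_dir():
        yield from (d for d in (root / "home").iterdir() if d.is_dir())

def scan_image_root(root: Path) -> dict:
    """Return {relative path: reason} for every file that must not ship."""
    findings = {}
    for home in home_dirs(root):
        for rel in HOME_SENSITIVE:
            p = home / rel
            if p.is_file() and p.stat().st_size > 0:
                findings[p.relative_to(root).as_posix()] = "leftover " + rel
    # Any PEM-encoded private key anywhere else in the tree, e.g. under /etc/ssl.
    for p in root.rglob("*"):
        key = p.relative_to(root).as_posix()
        if key in findings or not p.is_file() or p.stat().st_size > 1_000_000:
            continue
        try:
            if PEM_KEY_RE.search(p.read_bytes()):
                findings[key] = "PEM private key"
        except OSError:
            continue
    return findings

def build_demo_image() -> Path:
    """Constructed stand-in for a mounted AMI root; every secret here is fake."""
    root = Path(tempfile.mkdtemp())
    for d in ("root/.ssh", "home/deploy/.ssh", "etc/ssl/private"):
        (root / d).mkdir(parents=True)
    (root / "root/.bash_history").write_text("mysql -u root -pS3cret\n")
    (root / "root/.ssh/id_rsa").write_text("-----BEGIN RSA PRIVATE KEY-----\nfake\n-----END RSA PRIVATE KEY-----\n")
    (root / "home/deploy/.ssh/authorized_keys").write_text("ssh-rsa AAAAfake deploy@laptop\n")
    (root / "etc/ssl/private/server.key").write_text("-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----\n")
    (root / "home/deploy/README").write_text("nothing sensitive\n")
    return root
```

Run `scan_image_root(Path("/mnt/image"))` against a mounted image root to get the list of files to remove before the AMI is published.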