Amazon Cloud Customers Create Security Holes, Vulnerabilities


Amazon's cloud is rife with security holes, left open by customers who fail to follow Amazon's own security guidelines, a team of German security researchers has found.

Those vulnerabilities, uncovered by scientists from the Darmstadt Research Center for Advanced Security (CASED), could give attackers access to passwords and cryptographic keys used to authenticate to Amazon's Elastic Compute Cloud (EC2) and its Simple Storage Service (S3). With that data, an attacker or other unauthorized user could launch cloud services under a legitimate Amazon customer's credentials.

CASED examined 1,100 public Amazon Machine Images (AMIs) published by Amazon cloud customers to provide cloud services and found that 30 percent of them are vulnerable: with the material they leak, attackers could manipulate or compromise the Web services or virtual infrastructures built on them.

"The main reason lies in the careless and error-prone manner in which Amazon's customers handle and deploy AMIs," CASED researchers wrote.

According to CASED, security experts have paid close attention to underlying cloud infrastructures and providers, but have underestimated or ignored the "threats caused by the cloud customers when constructing services."

A research group led by Ahmad-Reza Sadeghi at CASED, together with scientists at Fraunhofer SIT in Darmstadt and the Systems Security Lab at the Technische Universität Darmstadt, examined cloud services published by Amazon Web Services (AWS) customers and found that, even though Amazon provides customers with detailed security recommendations on its Web site, about a third of the machine images examined have flawed configurations.

"The research team could extract security critical data such as passwords, cryptographic keys and certificates from the analyzed virtual machines," CASED wrote. "Attackers can use such information to operate criminal virtual infrastructures, manipulate Web services or circumvent security mechanisms such as Secure Shell (SSH)."
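The article does not say how the team extracted that material, and the scanner below is an added example, not CASED's tooling or anything from the page. It shows the kind of check an image publisher should run over a mounted or unpacked AMI root before making it public: it walks the tree looking for the classes of leftovers named above (private keys, certificates, AWS access keys, password assignments in shell history, usable hashes in /etc/shadow, and an authorized_keys file that would let the publisher log in to every instance launched from the image). The file layout, the regular expressions and the sample tree it builds are assumptions for the example; the key, hash and credential strings in the fixture are fabricated (the access key ID is AWS's documented placeholder, not a real key).

```python
import re
import tempfile
from pathlib import Path

# Patterns for the classes of material the researchers report extracting
# from public AMIs. These regexes are the example's own, not from the page.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "certificate": re.compile(r"-----BEGIN CERTIFICATE-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key_assignment": re.compile(r"(?i)aws_secret_access_key\s*=\s*\S+"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd)\s*[=:]\s*\S+"),
}

MAX_SIZE = 1 << 20  # skip large binaries; leftover secrets live in small text files


def shadow_has_hashes(text):
    """True if any /etc/shadow entry carries a usable password hash
    (second field starting with '$') rather than a locked marker ('*', '!')."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1].startswith("$"):
            return True
    return False


def scan_image_root(root):
    """Walk an unpacked or mounted image root and return a sorted list of
    (relative_path, finding) tuples for every leftover secret located."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        if path.stat().st_size > MAX_SIZE:
            continue
        rel = path.relative_to(root).as_posix()
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        # Location-specific checks: a live hash in shadow, or a publisher's
        # public key left in authorized_keys, are findings on their own.
        if rel == "etc/shadow":
            if shadow_has_hashes(text):
                findings.add((rel, "password_hash"))
        elif rel.endswith("/.ssh/authorized_keys") and "ssh-" in text:
            findings.add((rel, "authorized_key"))
        for name, pat in PATTERNS.items():
            if pat.search(text):
                findings.add((rel, name))
    return sorted(findings)


def build_sample_image():
    """Construct a throwaway directory tree imitating a carelessly published
    AMI root. Every value here is fabricated for the example."""
    root = Path(tempfile.mkdtemp(prefix="ami-"))
    files = {
        "root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakekeybody\n-----END RSA PRIVATE KEY-----\n",
        "root/.ssh/authorized_keys": "ssh-rsa AAAAB3NzaFAKE publisher@laptop\n",
        "root/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = fakeSecret/xyz\n",
        "root/.bash_history": "mysql -u root --password=hunter2\n",
        "etc/shadow": "root:$6$saltsalt$fakehashvalue:19000:0:99999:7:::\nnobody:*:19000:0:99999:7:::\n",
        "etc/ssl/certs/app.pem": "-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n",
        "var/www/index.html": "<html>hello</html>\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    for rel, finding in scan_image_root(build_sample_image()):
        print(f"{finding:28s} {rel}")
```

On the sample tree the scanner reports seven findings and ignores the web content. Run against a real root volume, each hit is something to remove before publishing: delete keys, credential files and shell history, lock or clear password hashes, empty authorized_keys, and let SSH host keys regenerate on first boot so every instance launched from the image does not share the publisher's.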

Sadeghi stressed that the security holes and vulnerabilities are introduced by Amazon cloud users, not by Amazon itself.

"The problem clearly lies in the customers' unawareness and not in Amazon Web Services," Sadeghi added. "We believe that customers of other cloud providers endanger themselves and other cloud users similarly by ignoring or underestimating security recommendations."

The security holes came to light as the spotlight on cloud security continues to intensify and Amazon and other cloud service providers battle security issues of their own.

Earlier this month, Amazon Web Services was found to be hosting numerous pieces of malware that hackers used to pilfer financial data. And this week, cloud storage provider Dropbox suffered an authentication bug that left its 25 million users' accounts accessible to anyone.