Researchers Find "Massive" Security Flaws in Cloud Architect

Researchers in Germany claim to have found flaws in Amazon Web Services (AWS) that they believe exist in many cloud architectures. The flaws would allow attackers to gain administrative rights and therefore access all user data. AWS has been informed of the security holes and has fixed them.

"No customers have been impacted," a spokesperson for AWS said in an email. "It is important to note that this potential vulnerability involved a very small percentage of all authenticated AWS API calls that use non-SSL endpoints and was not a potentially widespread vulnerability as has been reported."

The team of researchers from Ruhr University Bochum used a variety of XML signature-wrapping attacks to gain administrative access to customer accounts, create new instances of the customer's cloud, and add and delete images. The researchers also used cross-site scripting attacks against the open source private cloud software framework Eucalyptus. The Amazon service was also found to be susceptible to cross-site scripting attacks.

"It's not only a problem of Amazon's," says Juraj Somorovsky, one of the researchers. "These are general attacks. Public clouds are not so secure as they seem to be. These problems could be found in other cloud frameworks also."

Amazon has published a list of best practices that, if followed, would have prevented these attacks as well as others:
- Only utilise the SSL-secured / HTTPS endpoint for any AWS service and ensure that your client utilities perform proper peer certificate validation. A very small percentage of all authenticated AWS API calls use non-SSL endpoints, and AWS intends to deprecate non-SSL API endpoints in the future.
- Enable and use Multi-Factor Authentication (MFA) for AWS Management Console access.
- Create Identity and Access Management (IAM) accounts that have limited roles and responsibilities, restricting access to only those resources specifically needed by those accounts. Limit API access and interaction further by source IP, utilizing IAM source IP policy restrictions.
- Regularly rotate AWS credentials, including Secret Keys, X.509 certificates, and Keypairs. When utilising the AWS Management Console, minimize or avoid interaction with other websites and follow safe Internet browsing practices, much as you should for banking or similarly important / critical online activities.
- AWS customers should also give consideration to utilising API access mechanisms other than SOAP, such as REST / Query.
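The root cause of an XML signature-wrapping attack on a SOAP API is a verifier that checks "some element with the referenced Id carries a valid signature" without checking that it is the element the service then acts on. The following is an added example, not code from the article, from the researchers or from AWS: a structural pre-check that a service would run before any cryptographic verification, binding the ds:Reference in the WS-Security header to the soap:Body that sits directly under the Envelope. It assumes a SOAP 1.1 envelope whose Body is identified by a wsu:Id attribute; the three request documents are constructed inline for illustration, and signature and digest values in them are placeholders, since the digest and signature math is deliberately out of scope here.

```python
"""Structural check against XML signature wrapping in SOAP requests.

Added example (not code from the article or from AWS). Assumes a SOAP 1.1
envelope with a WS-Security header carrying an XML-DSig Signature whose
single ds:Reference points, via a wsu:Id attribute, at the soap:Body.
Cryptographic verification of the signature is not performed here; this
check only makes sure the element the signature covers is the same element
the service would process, so a moved or duplicated Body is rejected early.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def _elements_with_wsu_id(root, wsu_id):
    """Return every element in the whole document carrying the given wsu:Id."""
    return [el for el in root.iter() if el.get(WSU_ID) == wsu_id]


def check_body_reference(envelope_xml):
    """Decide whether the signed element is the Body the service will process.

    Returns {"ok": True, "action": <operation name>} only when there is exactly
    one ds:Reference, it is a same-document '#id' reference, exactly one element
    carries that wsu:Id, and that element is the soap:Body directly under the
    Envelope. Every other shape is rejected with a reason string.
    """
    root = ET.fromstring(envelope_xml)
    if root.tag != "{%s}Envelope" % NS["soap"]:
        return {"ok": False, "reason": "root element is not a SOAP Envelope"}
    refs = root.findall(
        "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return {"ok": False, "reason": "expected exactly one ds:Reference, got %d" % len(refs)}
    uri = refs[0].get("URI", "")
    if not uri.startswith("#") or len(uri) < 2:
        return {"ok": False, "reason": "only same-document '#id' references are accepted"}
    targets = _elements_with_wsu_id(root, uri[1:])
    if len(targets) != 1:
        return {"ok": False, "reason": "wsu:Id %r resolves to %d elements" % (uri[1:], len(targets))}
    body = root.find("soap:Body", NS)  # direct child of the Envelope only
    if body is None:
        return {"ok": False, "reason": "no soap:Body directly under the Envelope"}
    if targets[0] is not body:
        return {"ok": False, "reason": "signed element is not the Body the service would process"}
    children = list(body)
    action = children[0].tag.split("}")[-1] if children else ""
    return {"ok": True, "action": action}


# Constructed sample documents; digest/signature values are placeholders.
_XMLNS = " ".join('xmlns:%s="%s"' % (p, u) for p, u in NS.items())

SIGNED_REQUEST = """<soap:Envelope %s>
  <soap:Header>
    <wsse:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#body-1"><ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body-1"><DescribeImages/></soap:Body>
</soap:Envelope>""" % _XMLNS

# Shape the check must reject: the signed Body has been moved into the Header
# and an unsigned Body with a different operation sits where the service looks.
WRAPPED_REQUEST = """<soap:Envelope %s>
  <soap:Header>
    <wsse:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#body-1"><ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
    <Wrapper><soap:Body wsu:Id="body-1"><DescribeImages/></soap:Body></Wrapper>
  </soap:Header>
  <soap:Body><RunInstances/></soap:Body>
</soap:Envelope>""" % _XMLNS

# Same document, but the substitute Body also claims the signed Id.
DUPLICATE_ID_REQUEST = WRAPPED_REQUEST.replace("<soap:Body>", '<soap:Body wsu:Id="body-1">')

if __name__ == "__main__":
    for name, doc in [("signed", SIGNED_REQUEST), ("wrapped", WRAPPED_REQUEST),
                      ("duplicate-id", DUPLICATE_ID_REQUEST)]:
        print(name, check_body_reference(doc))
```

The check is intentionally strict: one reference, one matching Id, and identity (not merely name equality) between the referenced element and the Body the dispatcher reads. A real verifier would run this before computing the digest over the referenced element, and would reject the request outright rather than fall back to searching the document for any element with the Id, which is the lookup behaviour the wrapping technique relies on.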