Jan 08 2009 11:20:10 PM Posted By : Krishnan Subramanian

Amazon Web Services today announced the release of the web-based AWS Management Console, which helps users manage their EC2 instances easily. Amazon is also planning to release load balancing, auto scaling, S3 support, etc., through this console. Users don’t have to figure out their public/secret keys and certificates to launch an instance; they can just log into the console and launch one with a few mouse clicks. Through the console, it also takes just a few clicks to manage AMIs, create security groups and key pairs, and manage elastic IP and elastic block store. In short, your AWS EC2 management is reduced to a few mouse clicks.

Even though Amazon touts it as a way to use EC2 without being tied to a single computer, the console also gives an option to give up this advantage: the instance launch wizard offers an option to restrict EC2 access to the computer used to launch it. From a purely security point of view, I would recommend this restriction. From the convenience point of view, this web-based console is a boon for individuals and companies managing their EC2 deployments. It also has the potential to wreck the business of many companies in the AWS ecosystem.

Having said that, convenience always comes at the cost of security. Two months back, I came across this blog post about the weak spot in Amazon’s Cloud Security.

Perhaps the weakest point to the whole S3 system is Amazon’s own password scheme. It allows for very weak passwords and I’m sure with some good social engineering could probably get them to reset it to a new e-mail address claiming the old address was changed due to a corporate e-mail policy change. Take any company, buy the domain mail-corportationname.com, and probably get any phone support person to believe you are in fact working for that corporation. If needed do some fake letterhead, get a fax number in the same town / phone exchange, and pretty soon you could be the head of the smallest branch office of that corporation. It must happen pretty often, Amazon even has a page for people whose email has changed since the last order.

So, how secure is your cloud? Using the same techniques used to compromise domain names and have them transferred, it would be possible to recover Amazon passwords and log in and download complete S3 collections, Start and Stop clouds, and manage any other Amazon web service.

So to answer the question, the answer is… it ain’t. So deal with it.

From the time I started using AWS, I was also wondering about the same weakness, and I tried my best to protect my account by keeping a strong password. After I read this blog post, I was scouting around to see if I could get in touch with someone on the AWS security team to get a response on this, but I couldn’t talk to anyone. Maybe I didn’t try hard enough. The release of the web-based AWS Management Console has made it one step easier to hack into the EC2 deployment of any user.

Before the release of the console, someone who stole a user’s Amazon password could log into their AWS account and get the public/private key and certificates. They could then use this information to cause havoc in the EC2 deployment. With this console, the cracker has one less step to manage. He or she can just log into the web-based EC2 management console with the stolen Amazon.com account password and create havoc, without even having to look for the public/private key and certificates. This is plain risky from the security point of view.

Well, security minds can come up with far better solutions to this problem but to start with I would like to see the following implemented as soon as possible.

  1. Separate the Amazon.com account from the AWS account. In fact, the percentage of Amazon.com users who will also use AWS is quite negligible, and such a separation will not affect them badly.
  2. Force users to select a really hard-to-crack password. It is important to develop a policy to enforce strong passwords in every AWS account.

I don’t see any reason why these two can’t be implemented. This will definitely not close the loophole but it will, at least, make it harder for bad guys to take a shot at the potential victims.
