
Image via
CrunchBase
Amazon Web Services today announced the release of Web based AWS Management
Console. This helps users manage their EC2 instances easily. Amazon is also
planning to release load balancing, auto scaling, S3 support, etc., through this
console. Users don’t have to figure out their public/secret keys and
certificates to launch an instance. They can just log into the console and
launch an instance with a few mouse clicks. Through the console, it is just a
few clicks to launch instances, manage AMIs, create security groups and key
pairs, manage elastic IP and elastic block store. In short, your
AWS EC2 management is reduced to just a few mouse clicks.
Even though Amazon touts it as a way to use EC2 without being tied into a
single computer, the console also gives an option to get rid of this advantage.
The instance launch wizard offers an option to restrict EC2 access to the
computer used to launch it. From a purely security point of view, I would
recommend this restriction. From the convenience point of view, this web based
console is a boon for individuals and companies to manage their EC2 deployment.
This has the potential to wreck the business of many companies in the AWS
eco-system.
Having said that, convenience always comes at the cost of security. Two
months back, I came across this blog post about the weak spot in Amazon’s Cloud
Security.
Perhaps the weakest point to the whole S3 system is Amazon’s own password
scheme. It allows for very weak passwords and I’m sure with some good social
engineering could probably get them to reset it to a new e-mail address claiming
the old address was changed due to a corporate e-mail policy change. Take any
company, buy the domain mail-corportationname.com, and probably get any phone
support person to believe you are infact working for that corporation. If needed
do some fake letter head, get a fax number in the same town / phone exchange,
and pretty soon you could be the head of the smallest branch office of that
corporation. It must happen pretty often, Amazon even has a page for people’s
who’s email has
changed since the last order.So, how secure is your cloud? Using the same techniques used to compromised
domain names and have them transfered, it would be possible to recover
Amazon passwords and login and download complete S3 collections, Start and Stop
clouds, and manage any other Amazon web service.So to answer the question, the answer is… it ain’t. So deal with it.
From the time I started using AWS, I was also wondering about the same
weakness and I tried my best to protect my account by keeping a strong password.
After I read this blog post, I was scouting around to see if I could get in
touch with someone in AWS security team to get a response on this but I couldn’t
talk to anyone. Maybe, I didn’t try harder. The release of Web Based AWS
Management console has made it one step easier to hack into EC2 deployment of
any user.
Before the release of console, someone who steals the Amazon password of an
user, could log into their AWS account and get the public/private key and
certificates. They can then use this information to cause havoc in the EC2
deployment. With this console, the hacker cracker has one less
step to manage. He/She can just log into the EC2 web based management console
with the Amazon.com account password they stole and create havoc. They don’t
even have to worry about looking for the public/private key and certificates.
This is plain risky from the security point of view.
Well, security minds can come up with far better solutions to this problem
but to start with I would like to see the following implemented as soon as
possible.
- Separate Amazon.com account from AWS account. In fact, the percentage of
Amazon.com users who will also use AWS is quite negligible and such a separation
will not affect badly. - Force the users to select a really hard to crack password. It is important
to develop a policy to enforce strong passwords in every AWS account.
I don’t see any reason why these two can’t be implemented. This will
definitely not close the loophole but it will, at least, make it harder for bad
guys to take a shot at the potential victims.