Amazon is not just the kingpin of online retail. Increasingly, thanks to Amazon Web Services (AWS), the Seattle-based company is at the center of many companies’ clouds.
The rise of AWS is impressive, and Amazon owes much of its success to the breadth and depth of its cloud platform, which is used by hundreds of thousands of customers, large and small.
It’s not always easy for Amazon, however. In the world of cloud computing, when it rains, it pours, and Amazon has fallen victim to several high profile outages this year.
And now one of the most popular products in the AWS family, Amazon Elastic Cloud Compute (EC2), is coming under fire from researchers who claim that many of the Amazon Machine Images (AMIs) that are made available to EC2 customers are home to security vulnerabilities and malware. Forbes’ Andy Greenberg details:
Researchers at France’s Eurecom technology institute, Northeastern University and the security firm SecludIT ran automated scanning tools on more than 5,000 of the virtual machines images published on Amazon’s catalog of virtual machines set up with preset software and configurations and ready to run on Amazon’s Elastic Compute Cloud (EC2) service.
The results, which the team plans to present a paper at the Symposium on Applied Computing next March, aren’t pretty: 22% of the machines were still set up to allow a login by whoever set up the virtual machine’s software–either Amazon or one of the many other third party companies like Turnkey and Jumpbox that sell preset machine images running on Amazon’s cloud. Almost all of the machines ran outdated software with critical security vulnerabilities, and 98% contained data that the company or individual who set up the machine for users had intended to delete but could still be extracted from the machine.
Amazon’s response? EC2 customers have complete control over the AMIs they make available publicly, and customers who use those AMIs are responsible for their use of them. To be sure, this response is a fair one.
While it’s somewhat disturbing to think about the risks created by AMIs laden with vulnerabilities, malware and personal data, it’s important to recognize that the ability to publicly distribute AMIs, and use AMIs offered by other customers, is for convenience. The AMIs do not come with any guarantees and competent customers should know this.
There is one key takeaway, however: the cloud is increasingly putting power in the hands of individuals who may not be equipped to use it. For many companies, the system administrator is a thing of the past.
After all, if you no longer have a farm of collocated servers and your developer is capable of firing up new servers on demand through cloud platforms like Amazon’s, why pay to keep a sysadmin on staff or contract?
The reality, of course, is that not all developers and individuals tasked with building systems in the cloud have the expertise they really need.
A developer, for instance, might have no problem setting up a development environment on a Linux EC2 server, but does he or she know how to secure it, or check to make sure that the AMI used is free from malware? And what happens when your developer thinks he’s doing the community a favor by publicly sharing an AMI, but forgets or doesn’t know how to remove your most confidential data?
At the end of the day, the apparent prevalence of dangers lurking in Amazon AMIs is a result of the same thing that led to so many high-profile websites going down for the count when one Amazon AWS region failed: companies believing that developers can and should do everything now that they’re in the cloud.
In most cases, developers can’t do everything and those companies that ask their developers to play the role of system architect or system administrator will inevitably learn this the hard way.