Published: October 27th, 2011

German researchers say they found flaws in Amazon Web Servicesthat they believe exist in many cloud architectures and enableattackers to gain administrative rights and to gain access to all userdata.

While the researcherssay they have told Amazon Web Services about thesecurity holes and AWS has fixed them, they believe the same types ofattacks would be effective against other cloud services, “since therelevant Web service standards make performance and securityincompatible.”

A research team at Ruhr University Bochum used a variety of XMLsignature-wrapping attacks to gain administrative access of customeraccounts, then create new instances of the customer’s cloud, add imagesand delete them. In a separate exploit, the researchers used cross-sitescripting attacks against the open-source, private-cloud softwareframework Eucalyptus.

They also found the Amazon service to be susceptible to cross-sitescripting attacks.

“It’s not only a problem of Amazon’s,” says Juraj Somorovsky, one ofthe researchers. “These are general attacks. Public clouds are not sosecure as they seem to be. These problems could be found in other cloudframeworks also.”

Somorovsky says the researchers are working on a high-performancelibraries that can be used with XML security to eliminate thevulnerability that was exploited with the XML signaturewrappingattacks. They will be ready sometime next year. Amazon WebServices acknowledged it worked with the Ruhr University team tocorrect the problems they found. “…[N]o customers have beenimpacted,” a spokesperson for AWS said in an email. “It is important tonote that this potential vulnerability involved a very small percentageof all authenticated AWS API calls that use non-SSL endpoints and wasnot a potentially widespread vulnerability as has been reported.”

AWS has posted a list of best practices that, if followed, would haveprotected customers from the attacks the Ruhr University team devised aswell as other attacks. These are:

• Only utilize the SSL-secured / HTTPS endpoint for any AWS service andensure that your client utilities perform proper peer certificatevalidation. A very small percentage of all authenticated AWS API callsuse non-SSL endpoints, and AWS intends to deprecate non-SSL APIendpoints in the future.

• Enable and use Multi-Factor Authentication (MFA) for AWS ManagementConsole access.

• Create Identity and Access Management (IAM) accounts that havelimited roles and responsibilities, restricting access to only thoseresources specifically needed by those accounts.

• Limit API access and interaction further by source IP, utilizing IAMsource IP policy restrictions.

• Regularly rotate AWS credentials, including Secret Keys, X.509certificates, and Keypairs.

• When utilizing the AWS Management Console, minimize or avoidinteraction with other websites and follow safe Internet browsingpractices, much as you should for banking or similarly important /critical online activities.

• AWS customers should also give consideration to utilizing API accessmechanisms other than SOAP, such as REST / Query.