German researchers have said they found flaws in Amazon Web Services that they believe exist in many cloud architectures and enable attackers to gain administrative rights and to gain access to all user data.
While the researchers say they have told AWS about the security holes and AWS has fixed them, they believe the same types of attacks would be effective against other cloud services, "since the relevant Web service standards make performance and security incompatible."
A research team at Ruhr University Bochum used a variety of XML signature-wrapping attacks to gain administrative access of customer accounts, then create new instances of the customer's cloud, add images and delete them. In a separate exploit, the researchers used cross-site scripting attacks against the open-source, private-cloud software framework Eucalyptus.
They also found the Amazon service to be susceptible to cross-site scripting attacks.
"It's not only a problem of Amazon's," says Juraj Somorovsky, one of the researchers. "These are general attacks. Public clouds are not so secure as they seem to be. These problems could be found in other cloud frameworks also."
Somorovsky says the researchers are working on a high-performance libraries that can be used with XML security to eliminate the vulnerability that was exploited with the XML signaturewrapping attacks. They will be ready sometime next year. Signature-wrapping attacks re-use validAmazon Web Services acknowledged it worked with the Ruhr University team to correct the problems they found.
"...[N]o customers have been impacted," a spokesperson for AWS said in an email. "It is important to note that this potential vulnerability involved a very small percentage of all authenticated AWS API calls that use non-SSL endpoints and was not a potentially widespread vulnerability as has been reported.
AWS has posted a list of best practices that, if followed, would have protected customers from the attacks the Ruhr University team devised as well as other attacks. These are:
- Only utilize the SSL-secured / HTTPS endpoint for any AWS service and ensure that your client utilities perform proper peer certificate validation. A very small percentage of all authenticated AWS API calls use non-SSL endpoints, and AWS intends to deprecate non-SSL API endpoints in the future.
- Enable and use Multi-Factor Authentication (MFA) for AWS Management Console access.
- Create Identity and Access Management (IAM) accounts that have limited roles and responsibilities, restricting access to only those resources specifically needed by those accounts.
- Limit API access and interaction further by source IP, utilizing IAM source IP policy restrictions.
- Regularly rotate AWS credentials, including Secret Keys, X.509 certificates, and Keypairs.
- When using the AWS Management Console, minimize or avoid interaction with other websites and follow safe Internet browsing practices, much as you should for banking or similarly important / critical online activities.
- AWS customers should also give consideration to using API access mechanisms other than SOAP, such as REST / Query.