Friday, April 25, 2014

"Amazon Cloud IaaS Service servers riddled with vulnerabilities" - really???

So this article came across my Twitter feed and I had to check it out.  I've long wanted to probe at Amazon's IaaS service and see if something shakes loose, but then I remember the CFAA.  I generally dislike prison, so I've avoided probing the service up to this point.  But I figured "hey, if someone else did it, I'll learn from their research."

My problem with this "research" (which is detailed here) is that they didn't really do much research here.  The entirety of their research can be summarized in Amazon's own documentation.
"We recommend that you run the Windows Update service as a first step after every Windows instance that you launch."
That sounds like good advice to me.  Earlier in the same documentation, we find these nuggets:
"AWS updates the AWS Windows AMIs several times a year."
"In addition to the public AMIs provided by AWS, AMIs published by the AWS developer community are available for your use. We highly recommend that you use only those Windows AMIs that AWS or other reputable sources provide."
So I don't know what your definition of "several times a year" is, but let's just say that it isn't every Patch Tuesday.  Further, the article doesn't mention whether the official Amazon AMIs were years out of date or whether it was a community-contributed AMI.  Community-contributed AMIs might never be updated after being released, and we shouldn't expect Amazon to have any control or influence over that.

So what's the answer here?  Well, I certainly side with Amazon in advocating that users enable Windows updates and update their systems before entering production.  However, there's a good reason why updates are disabled by default.  EC2 instances can be configured to terminate on shutdown, which means the EBS volumes backing them cease to exist.  If you depend on that behavior, having automatic updates enabled won't work well with it.

The bottom line is that you have to be smart.  Moving some processing to the cloud solves a great many problems.  Patching is unfortunately not one of them...  Just like you wouldn't install a Windows server from DVD and deploy it without patching, you shouldn't start up an AMI and deploy it without patching either.
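A pre-production check that turns the two points above into a script, added here as an example (it is not from the original post, from Help-Net Security, or from Amazon): it counts updates the Windows Update Agent considers missing and reads the instance's shutdown behavior so the terminate-on-shutdown case is flagged before patching. It assumes the AWS CLI is installed with credentials and a default region that allow ec2:DescribeInstanceAttribute, and that the instance metadata endpoint answers without an IMDSv2 token.

```powershell
# Pre-production patch check for a freshly launched Windows EC2 instance (added example).
# Assumptions: AWS CLI on PATH with credentials/region configured for
# ec2:DescribeInstanceAttribute; IMDSv1-style metadata access (no token handling here).
$ErrorActionPreference = 'Stop'

# 1. Ask the Windows Update Agent (COM API) which applicable updates are not installed.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
$missing  = @($result.Updates)
$critical = @($missing | Where-Object { $_.MsrcSeverity -eq 'Critical' })
Write-Host ("Missing updates: {0} (critical: {1})" -f $missing.Count, $critical.Count)
foreach ($u in $missing) { Write-Host ("  {0}  [{1}]" -f $u.Title, $u.MsrcSeverity) }

# 2. Read this instance's shutdown behavior: 'terminate' means an OS-initiated shutdown
#    destroys the instance and its backing EBS root volume.
$instanceId = Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/instance-id'
$attr = aws ec2 describe-instance-attribute --instance-id $instanceId `
          --attribute instanceInitiatedShutdownBehavior --output json | ConvertFrom-Json
$behavior = $attr.InstanceInitiatedShutdownBehavior.Value
Write-Host "Instance $instanceId shutdown behavior: $behavior"

# 3. Gate: warn about the terminate-on-shutdown interaction, and refuse to promote the
#    instance to production while updates are still pending.
if ($behavior -eq 'terminate') {
    Write-Warning 'Instance terminates on shutdown; a shutdown during patching discards the volume.'
}
if ($missing.Count -gt 0) {
    Write-Warning 'Apply the pending updates (and reboot) before this instance enters production.'
    exit 1
}
Write-Host 'No pending updates; instance is patched.'
exit 0
```

Run it as an administrator on the instance itself; a non-zero exit code is the signal a deployment pipeline can key on.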

As an aside, Help-Net Security should be ashamed of themselves for the tag line they used in the article.  It's just sensationalism, plain and simple.
