What do you make out of recent reports claiming vulnerabilities in Amazon's AMI?

SilverHawk

I've seen a couple of articles claiming that there are security vulnerabilities and backdoors. Clearly security is one major concern companies have with moving to a public cloud model. Amazon is such a huge player and has a pretty decent security history. Are these concerns about AMI well founded or bogus?


Answers

2 total
jimlynch
Vote Up (14)

Hi SilverHawk,

GigaOm had an article about it and seemed to feel it was overblown, according to certain experts.

Amazon AMI vulnerabilities overblown, experts say
http://gigaom.com/cloud/amazon-ami-vulnerabilities-overblown-experts-say/

"Stories about potential security vulnerabilities strike a chord as more companies consider moving more of their IT workloads to public cloud infrastructure run by Amazon, Rackspace and others.

Security experts said this is more of a people problem than a technology issue in that some people deploying AMIs leave passwords, SSH keys and other data that should be locked away, unattended. That flies in the face of Amazon’s recommended practices and makes AMIs vulnerable to hackers.

The message from security experts was clear: Stupid users get what they deserve."

nbetolli
Vote Up (12)

I looked at one of the articles making these claims earlier this week, and to use your term, I think they are booooogus!  It looks like most of the issues arise from people not following security best practices.  If you leave passwords and sensitive information "laying around" unsecured and unencrypted and someone takes advantage of it, I don't see how that is Amazon's fault.  I have seen so many instances of guidelines and procedures not being followed at companies large and small that I am not really surprised that some people are sloppy when they should be more cautious. 
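Both answers above put the risk on credentials left inside an image before it is shared. As an added example (not part of either answer, the GigaOm article, or Amazon's tooling), here is a pre-publish check that walks a mounted image root and reports leftover SSH keys, shell history and usable password hashes. The function names, the list of file names checked and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

HISTORY_NAMES = {".bash_history", ".zsh_history", ".mysql_history"}  # assumed list

def audit_image_root(root):
    """Return sorted (category, relative_path) findings for leftover credentials."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):  # does not descend into symlinked dirs
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # only the first 64 KiB is inspected
            except OSError:
                continue
            if name == "authorized_keys" and head.strip():
                findings.add(("authorized_key", rel))  # publisher could still log in
            elif name in HISTORY_NAMES and head.strip():
                findings.add(("shell_history", rel))  # may hold typed passwords
            elif head.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in head:
                findings.add(("private_key", rel))
            elif rel == os.path.join("etc", "shadow"):
                for line in head.decode("utf-8", "replace").splitlines():
                    fields = line.split(":")
                    # Non-empty hash field not starting with '!' or '*': password login works.
                    if len(fields) > 1 and fields[1] and fields[1][0] not in "!*":
                        findings.add(("password_hash:" + fields[0], rel))
    return sorted(findings)

def build_sample_root():
    """Constructed sample tree standing in for a mounted image root."""
    root = tempfile.mkdtemp(prefix="image-root-")
    sample = {
        "root/.ssh/authorized_keys": "ssh-rsa AAAAconstructed publisher@example\n",
        "root/.bash_history": "mysql -u admin -pconstructed\n",
        "home/app/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n",
        "etc/shadow": "root:$6$constructed$hash:15000:0:99999:7:::\ndaemon:*:15000:0:99999:7:::\n",
        "etc/motd": "welcome\n",
    }
    for rel, text in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    for category, rel in audit_image_root(build_sample_root()):
        print(category, rel)
```

An empty result from `audit_image_root` on the real mount point is the condition to require before the image is bundled and shared.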
