The research team at Ruhr University Bochum used a variety of XML signature-wrapping attacks to gain administrative access to AWS customer accounts. In a signature-wrapping attack the attacker leaves the customer's validly signed SOAP element in the message but moves it out of its expected position, so the signature still verifies while the service executes a different, attacker-supplied operation. With that access the researchers created new instances in the customer's cloud, added images and deleted them.
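To make the wrapping technique concrete, here is an added, self-contained Python illustration. It is not the researchers' code and not AWS's SOAP stack: a toy SOAP envelope stands in for the real request, an HMAC over the serialised element stands in for the XML-DSig RSA signature, and the element names, the `Id` attribute and the `RunInstances`/`DescribeInstances` operations are assumptions for the demo. The naive verifier resolves the signature `Reference` by `Id` anywhere in the document while the application processes `Envelope/Body` by position; that mismatch is what wrapping exploits. The hardened verifier insists that the element whose signature was checked is the very element the application will execute.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the signing key. Real SOAP requests carry an
# XML-DSig RSA signature; an HMAC keeps the demo self-contained and the
# wrapping logic is identical for either.
KEY = b"demo-shared-secret"


def canonical(elem: ET.Element) -> bytes:
    # Simplified canonicalisation: serialise the referenced subtree as-is.
    return ET.tostring(elem, encoding="utf-8")


def sign(elem: ET.Element) -> str:
    return hmac.new(KEY, canonical(elem), hashlib.sha256).hexdigest()


def build_signed_request(operation: str) -> ET.Element:
    """Honest client: sign the Body (Id="body") and reference it by that Id."""
    env = ET.Element("Envelope")
    header = ET.SubElement(env, "Header")
    body = ET.SubElement(env, "Body", Id="body")
    ET.SubElement(body, operation)
    sig = ET.SubElement(header, "Signature")
    ET.SubElement(sig, "Reference", URI="#body")
    ET.SubElement(sig, "SignatureValue").text = sign(body)
    return env


def wrap(env: ET.Element, attacker_operation: str) -> ET.Element:
    """XML signature wrapping: keep the signed Body byte-for-byte intact but
    move it into a wrapper inside the Header, then put an unsigned Body with
    the attacker's operation where the application expects the Body."""
    env = copy.deepcopy(env)
    original_body = env.find("Body")
    env.remove(original_body)
    ET.SubElement(env.find("Header"), "Wrapper").append(original_body)
    new_body = ET.SubElement(env, "Body")  # no Id: nothing references it
    ET.SubElement(new_body, attacker_operation)
    return env


def _signature_parts(env: ET.Element):
    ref_id = env.find("Header/Signature/Reference").get("URI").lstrip("#")
    value = env.find("Header/Signature/SignatureValue").text
    referenced = [e for e in env.iter() if e.get("Id") == ref_id]
    return referenced, value


def operation_executed(env: ET.Element) -> str:
    """Application logic: act on the first child of Envelope/Body, by position."""
    return env.find("Body")[0].tag


def verify_naive(env: ET.Element) -> bool:
    """Generic XML-DSig behaviour: resolve URI="#id" anywhere in the document
    and check the signature over whatever element carries that Id."""
    referenced, value = _signature_parts(env)
    return bool(referenced) and hmac.compare_digest(sign(referenced[0]), value)


def verify_hardened(env: ET.Element) -> bool:
    """Bind verification to processing: exactly one element carries the Id,
    and it must be the very Body element the application will execute."""
    referenced, value = _signature_parts(env)
    if len(referenced) != 1 or referenced[0] is not env.find("Body"):
        return False
    return hmac.compare_digest(sign(referenced[0]), value)


if __name__ == "__main__":
    honest = build_signed_request("DescribeInstances")
    forged = wrap(honest, "RunInstances")
    for name, msg in (("honest", honest), ("wrapped", forged)):
        print(name, "naive:", verify_naive(msg), "hardened:", verify_hardened(msg),
              "executes:", operation_executed(msg))
```

Running the block shows the wrapped message passing the naive check while the application would execute `RunInstances`, the operation the customer never signed; the hardened verifier rejects it because the signed element and the processed element are no longer the same node. The general fix is the same in any SOAP stack: verify the signature over the element you are about to act on, not over an element found by Id search.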
While the researchers said they notified AWS about the vulnerabilities and Amazon worked with them to fix the issues, they believe the same kind of gap exists in other cloud architectures.
“It’s not only a problem of Amazon’s,” said Juraj Somorovsky, one of the researchers. “These are general attacks. Public clouds are not so secure as they seem to be. These problems could be found in other cloud frameworks also.”
AWS posted a list of best practices that would have protected customers from these and other attacks. Here they are:
- Only use the SSL-secured/HTTPS endpoint for any AWS service and ensure that your client utilities perform proper peer certificate validation. A very small percentage of all authenticated AWS API calls use non-SSL endpoints, and AWS intends to deprecate non-SSL API endpoints in the future.
- Enable and use Multi-Factor Authentication (MFA) for AWS Management Console access.
- Create Identity and Access Management (IAM) accounts that have limited roles and responsibilities, restricting access to only those resources specifically needed by those accounts.
- Limit API access and interaction further by source IP, utilizing IAM source IP policy restrictions.
- Regularly rotate AWS credentials, including Secret Keys, X.509 certificates, and Keypairs.
- When utilizing the AWS Management Console, minimize or avoid interaction with other websites and follow safe Internet browsing practices, much as you should for banking or similarly important or critical online activities.
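The IAM-related items in the list above (limited IAM users, MFA, source-IP restrictions and HTTPS-only access) can be expressed together in one policy. What follows is an added Python example, not AWS's code or published text: a constructed policy document of the kind the list recommends, together with a small evaluator that reproduces the relevant part of IAM's decision logic (explicit Deny beats Allow, and the `Bool`, `BoolIfExists`, `IpAddress` and `NotIpAddress` condition operators) so the effect of each guardrail can be checked offline. The CIDR block 203.0.113.0/24 and the chosen EC2 actions are assumptions for illustration.

```python
import fnmatch
import ipaddress
import json

# Constructed policy document for the demo (not AWS's published text). Explicit
# Deny statements win over any Allow, so the three Deny statements act as
# guardrails on every API call regardless of what else the user is allowed to
# do. The CIDR block and the actions are assumptions chosen for illustration.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:RunInstances"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition: dict, ctx: dict) -> bool:
    """Minimal evaluator for the condition operators the policy above uses."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = [str(w).lower() for w in _as_list(wanted)]
            have = ctx.get(key)
            if operator == "Bool":
                if have is None or str(have).lower() != wanted[0]:
                    return False
            elif operator == "BoolIfExists":
                # ...IfExists: a missing key satisfies the condition, so a
                # caller with no MFA claim at all is treated as "MFA = false".
                if have is not None and str(have).lower() != wanted[0]:
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                if have is None:
                    return False
                inside = any(ipaddress.ip_address(have) in ipaddress.ip_network(c)
                             for c in wanted)
                if inside != (operator == "IpAddress"):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy: dict, action: str, ctx: dict) -> str:
    """Decision logic: an explicit Deny beats any Allow; no matching Allow is
    an implicit Deny. Resource matching is omitted because every statement
    in the demo policy uses Resource "*"."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def decide(action: str, source_ip: str, https: bool = True, mfa: bool = True) -> str:
    """Build the request context the way AWS populates the condition keys."""
    ctx = {"aws:SourceIp": source_ip,
           "aws:SecureTransport": "true" if https else "false",
           "aws:MultiFactorAuthPresent": "true" if mfa else "false"}
    return evaluate(POLICY, action, ctx)


if __name__ == "__main__":
    print(decide("ec2:RunInstances", "203.0.113.7"))              # Allow
    print(decide("ec2:RunInstances", "203.0.113.7", mfa=False))   # Deny
    print(decide("ec2:RunInstances", "198.51.100.9"))             # Deny
    print(decide("ec2:DescribeInstances", "203.0.113.7", https=False))  # Deny
```

The `BoolIfExists` form matters: with a plain `Bool`, a call that carries no MFA context key at all would not match the Deny and would slip through. Note that source-IP conditions only help for calls that arrive from a stable corporate range; a policy on its own does nothing about the signature-wrapping flaw in the API front end, which is why the list pairs it with HTTPS-only endpoints and credential rotation.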