April 13th, 2009

Does EC2 have security best practices?

After being attacked by an EC2 server running an http://alestic.com/ built image, it got me to thinking. What are the EC2 security best practices?

Has anything changed at all since Russell Coker wrote about this?  http://etbe.coker.com.au/2008/10/13/ec2-security/

Russell goes into some detail concerning EC2's approach to kernels specifically. But I have some more basic questions about the security culture populating the EC2 customer space. I think EC2 may have a very big problem with breeding a culture of insecurity. EC2 lowers the barrier to getting a virtual host up and running, but does not balance that lower barrier with mandated security practices.

Out of all the shared AMIs on EC2, how many have ssh root login with password authentication enabled out of the box? How many people running those AMIs, or private AMIs derived from them, have punched a hole in the AWS firewall to allow ssh access from anywhere? Are the AWS admins tracking how many EC2 instances are attempting ssh password authentication against other EC2 instances? How widespread are ssh password attack attempts internal to EC2? Some aggregate AWS firewall log data mining should be able to give a picture of that.
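The three conditions this paragraph worries about (root login over ssh, password authentication, and a firewall rule exposing port 22 to the world) are cheap to check on an image before it is shared or launched. The following is an added example, not code from the original post or from alestic; the sshd_config text and the security group rule list are constructed samples, and the rule fields (`proto`, `from_port`, `to_port`, `cidr`) are an assumed shape rather than any AWS API's own.

```python
import ipaddress

# Constructed sshd_config for a hypothetical public AMI that ships root password logins on.
SAMPLE_SSHD_CONFIG = """
# sshd_config baked into the image
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

# Constructed ingress rules for a hypothetical security group (assumed field names).
SAMPLE_SECURITY_GROUP = [
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
]

def parse_sshd_config(text):
    """Return {keyword: value}; sshd keeps the FIRST value seen for a keyword.
    Match blocks are conditional and are skipped here: only the global view is audited."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings

def ssh_findings(config_text):
    """Flag the two sshd settings that together make an image a password-guessing target."""
    s = parse_sshd_config(config_text)
    findings = []
    # An unset keyword falls back to the OpenSSH default of that era, which was "yes" for both
    # (newer OpenSSH releases default PermitRootLogin to prohibit-password instead).
    if s.get("permitrootlogin", "yes") == "yes":
        findings.append("root login over ssh permitted")
    if s.get("passwordauthentication", "yes") == "yes":
        findings.append("password authentication enabled")
    return findings

def open_ssh_rules(rules, ssh_port=22):
    """Ingress rules that expose the ssh port to every address (0.0.0.0/0 or ::/0)."""
    return [r for r in rules
            if r["proto"].lower() == "tcp"
            and r["from_port"] <= ssh_port <= r["to_port"]
            and ipaddress.ip_network(r["cidr"], strict=False).prefixlen == 0]

def audit(config_text, rules):
    findings = ssh_findings(config_text)
    if open_ssh_rules(rules):
        findings.append("ssh reachable from any address")
    return findings
```

Run `audit(SAMPLE_SSHD_CONFIG, SAMPLE_SECURITY_GROUP)` against the constructed samples and all three findings come back; on a real instance, feed it `/etc/ssh/sshd_config` and the instance's actual security group rules.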

How many of the public AMIs come out of the box with known vulnerabilities? Public AMIs sit on a shelf, and may not get vulnerability updates for months at a time, if ever. Are people doing the same with private AMIs derived from those shared AMIs, not patching them for security for months at a time? How long does a vulnerability persist in the cloud? Longer than in traditional IT shops or remote hosting setups?
Does the EC2 pricing model discourage users from aggressively applying security updates?

Does the AMI catalogue have any sort of "heritage" or "series" metric so that you can tell how individually registered AMIs relate to each other? If a publicly shared AMI like alestic's Gutsy image reaches EOL (this month), do all the private derived images based on that AMI reach EOL as well, or do they live on without access to security updates? How long do they live on? Forever? The fact that Amazon is still offering public AMIs for Linux distributions that have gone EOL indicates the answer to this is the wrong answer. It's really not cool to continue to offer AMIs that are EOL and won't be receiving security updates. This is a problem.

How many people are running updated AMIs that do correct for vulnerabilities when an updated AMI becomes available? When public AMIs are revved for security, are the people running private AMIs derived from that public AMI encouraged to rev their private AMI as well, or do people patch forward manually? Does the EC2 pricing model encourage or discourage frequent revving of AMIs to include security updates?
How frequent is frequent enough? Once a quarter? Once a month? alestic seems to be doing it once a quarter, but are people picking up the updates and rebasing their private images from those updated shared AMIs?

How many AMIs use SELinux policy as a layer of protection out of the box? Is Amazon doing anything in terms of making it easy to find the AMIs which do support SELinux out of the box? Are they making it possible to re-bundle instances with functional SELinux policies? SELinux has a demonstrated track record of mitigating vulnerabilities, when used.