I had to laugh when I read this story about Amazon Web Services. It’s posted with an attention grabbing title that implies this is an Amazon problem, but it is squarely down to user error/oversight.
Luckily I’ve not fallen into this trap yet, but I have done equally silly things in the past. That reminds me, I must go to a Pete Finnigan session next time we are at the same conference… 🙂
3 thoughts on “Security: It’s always the silly things that get you…”
I agree with hellfire (quote in IT world link), and some of the other commenters, this is a process problem on Amazon’s part. The more diverse an audience your product is designed for, the more the onus is on you not to leave tripwires and potholes all over the place, hoping the blind guy is going to read the “do not trip over wires or step in potholes sign.”
I’ve been fairly militant about this ever since my linux got p0wned ten years ago and people said it was my own fault. No. There is no way users are going to harden bleeding edge stuff, the onus ought to be on the vendor.
I think it depends on the service being offered. I see EC2 as being no different to dedicated servers, so I think it is up to user to do the hardening. In this situation, the user *should* be a sysadmin. In the case of “x as as service” products, like “RDS for Oracle Database” and “Elastic Block Storage”, you have so much control taken away from you, then it is definitely Amazon’s job to harden it.
Policing that is really difficult though, so it is going to cause problems for some time to come.
creating a safe public AMI doesn’t look easy. Someone with some experience in this could set up a tidy business doing it ‘as-a-service’.
Comments are closed.