A Security Analysis of Amazon’s Elastic Compute Cloud Service – Long Version –

Cloud services such as Amazon’s Elastic Compute Cloud and IBM’s SmartCloud are quickly changing the way organizations are dealing with IT infrastructures and are providing online services. Today, if an organization needs computing power, it can simply buy it online by instantiating a virtual server image on the cloud. Servers can be quickly launched and shut down via application programming interfaces, offering the user a greater flexibility compared to traditional server rooms. A popular approach in cloud-based services is to allow users to create and share virtual images with other users. In addition to these user-shared images, the cloud providers also often provide virtual images that have been pre-configured with popular software such as open source databases and web servers. This paper explores the general security risks associated with using virtual server images from the public catalogs of cloud service providers. In particular, we investigate in detail the security problems of public images that are available on the Amazon EC2 service. We describe the design and implementation of an automated system that we used to instantiate and analyze the security of public AMIs on the Amazon EC2 platform, and provide detailed descriptions of the security tests that we performed on each image. Our findings demonstrate that both the users and the providers of public AMIs may be vulnerable to security risks such as unauthorized access, malware infections, and loss of sensitive information. The Amazon Web Services Security Team has acknowledged our findings, and has already taken steps to properly address all the security risks we present in this paper.