Amazon Fires Back Against Bkav Security Accusations
April 30, 2014
Late last week, we reported on supposed security flaws found on Amazon Web Services (AWS), HP Public Cloud and GoGrid. The report regarding outdated Microsoft Windows Server deployments surfaced because of a blog posted by security firm Bkav. Now Amazon has come out to dispute the blog’s findings, with its public relations team calling elements of the blog “misleading.”
In a note to Talkin’ Cloud, Amazon (AMZN) pointed to its shared security responsibility model with customers. According to Amazon, once a customer launches an EC2 instance from an Amazon Machine Image (AMI), the customer is responsible for applying updates, including any issued after the build or revision that went into that AMI. The AMI that triggered Bkav’s alert was a Windows Server 2003 AMI from 2010, the email noted.
Amazon also said its standard practice is to release fully patched Windows AMIs within a week of Microsoft’s Patch Tuesday releases. Customers can, however, customize the software update settings on their instances, which Amazon seems to suggest is what happened in the case of Bkav’s customer.
Additionally, Amazon noted the AMI that Bkav claimed to have used to test its theory about Amazon security is not currently listed on the AWS Marketplace. According to Amazon, Bkav would have had to intentionally search for and deploy an old AMI that is no longer offered. The distinction matters: an AMI that has dropped out of the catalog can still be launched by anyone who knows or finds its ID, so “not listed” is not the same as “not launchable.” Deliberately launching such an image is not best security practice, and if Amazon’s account is accurate, Bkav’s assertions are suspect.
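The practical takeaway from Amazon’s reply is that the customer’s launch pipeline, not the catalog listing, is what keeps a 2010 image out of production. As an added example that is not part of the original article or of Amazon’s own tooling, the following Python pre-launch gate takes the `Images` list returned by `aws ec2 describe-images` (replaced here by a constructed sample: the image IDs and dates are invented, and the 45-day limit is an assumption derived from Amazon’s stated weekly-after-Patch-Tuesday cadence) and refuses any AMI that is missing from the trusted owner’s list, older than one patch cycle, or superseded by a newer build of the same family.

```python
from datetime import datetime, timedelta, timezone

# Date of the article, used as the reference "now" so the example is reproducible.
ARTICLE_DATE = datetime(2014, 4, 30, tzinfo=timezone.utc)

# Assumption: Amazon's stated cadence is a refreshed Windows AMI within a week of
# Patch Tuesday, so an image older than ~45 days is at least one patch cycle behind.
MAX_AGE_DAYS = 45

# Constructed sample in the shape of the "Images" list returned by
#   aws ec2 describe-images --owners amazon --filters Name=name,Values='Windows_Server-*'
# The image IDs and dates are invented for this example; only the naming pattern
# (family, then a trailing YYYY.MM.DD build date) mirrors Amazon's real Windows AMIs.
SAMPLE_IMAGES = [
    {"ImageId": "ami-00000001",
     "Name": "Windows_Server-2003-R2_SP2-English-64Bit-Base-2010.11.15",
     "CreationDate": "2010-11-15T00:00:00.000Z"},
    {"ImageId": "ami-00000002",
     "Name": "Windows_Server-2012-R2_RTM-English-64Bit-Base-2014.04.09",
     "CreationDate": "2014-04-09T00:00:00.000Z"},
    {"ImageId": "ami-00000003",
     "Name": "Windows_Server-2012-R2_RTM-English-64Bit-Base-2014.03.12",
     "CreationDate": "2014-03-12T00:00:00.000Z"},
]


def parse_creation_date(value):
    """describe-images reports CreationDate as ISO 8601 with milliseconds and a Z suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def family_of(image):
    """Strip the trailing build date so images of the same OS/edition compare as one family."""
    return image["Name"].rsplit("-", 1)[0]


def newest_in_family(images, family):
    """Return the most recently created image whose name belongs to `family`, or None."""
    candidates = [i for i in images if family_of(i) == family]
    if not candidates:
        return None
    return max(candidates, key=lambda i: parse_creation_date(i["CreationDate"]))


def stale_images(images, now=ARTICLE_DATE, max_age_days=MAX_AGE_DAYS):
    """IDs of images created more than max_age_days before `now`, in input order."""
    cutoff = now - timedelta(days=max_age_days)
    return [i["ImageId"] for i in images
            if parse_creation_date(i["CreationDate"]) < cutoff]


def check_launch_candidate(images, image_id, now=ARTICLE_DATE, max_age_days=MAX_AGE_DAYS):
    """Gate an AMI before launch. Returns (ok, reason).

    Fails closed when the ID is not in the trusted list (deregistered, or not
    published by the owner we queried), when the image is older than the
    expected patch cadence, or when a newer build of the same family exists.
    An AMI that is merely no longer *listed* is still launchable by ID, which
    is exactly the case this check is meant to catch.
    """
    by_id = {i["ImageId"]: i for i in images}
    image = by_id.get(image_id)
    if image is None:
        return False, f"{image_id} is not in the trusted image list"
    age_days = (now - parse_creation_date(image["CreationDate"])).days
    if age_days > max_age_days:
        return False, f"{image_id} is {age_days} days old (limit {max_age_days})"
    newest = newest_in_family(images, family_of(image))
    if newest["ImageId"] != image_id:
        return False, f"{image_id} is superseded by {newest['ImageId']}"
    return True, f"{image_id} is the current build and {age_days} days old"


if __name__ == "__main__":
    for image_id in ["ami-00000001", "ami-00000002", "ami-00000003", "ami-deadbeef"]:
        ok, reason = check_launch_candidate(SAMPLE_IMAGES, image_id)
        print("ALLOW" if ok else "BLOCK", reason)
```

To run it against a real account, feed `json.load(...)["Images"]` from the `describe-images` command in the comment (with `--output json`) in place of `SAMPLE_IMAGES`, and pass the current time as `now`. Restricting the query with `--owners amazon` is what makes the "not in the trusted list" branch meaningful: a copied or third-party image with a familiar name will not appear there and is refused rather than trusted on its name.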
Amazon released this official statement regarding the Bkav blog: “The Amazon Machine Image (AMI) referenced in the Bkav blog was published in 2010 and is not on the AWS Marketplace, or available in the AMI catalog, making the entire premise of the blog incredibly misleading. AWS prominently features AMIs of the latest versions of Windows operating systems, complete with the most recent set of Microsoft patches, for AWS customers to launch a secure-by-default Windows instance. This means that when a customer launches a new Amazon EC2 AMI, they get the latest available software patches.”
Neither HP Public Cloud nor GoGrid has responded to Talkin’ Cloud regarding Bkav’s allegations.
At the very least, this is a reminder for partners and customers to take extra care with the security of their cloud applications and data: understand which responsibilities fall to the cloud provider and which to the customer, and then act on the customer’s share, starting with launching from current images and keeping instances patched after launch.