A team of German scientists has found that around 30% of virtual machines hosted on Amazon Web Services are vulnerable to attack because they have been improperly configured by the user.
Researchers from the Darmstadt Research Center for Advanced Security at Fraunhofer SIT university studied the Amazon Machine Images (AMIs) of 1,100 hosted machines, and found that three in ten are exposed, "allowing attackers to manipulate or compromise web services or virtual infrastructures".
"Even though AWS provide their customers with very detailed security recommendations on their web pages," the researchers found, "at least one third of the machines under consideration have flawed configurations."
The scientists found that they could steal critical information including passwords and private keys that "could be used to control the [user’s] entire virtual infrastructure in AWS or to create a virtual infrastructure worth several thousands of dollars per day at the expenses of the [user]."
"The problem clearly lies in the customers’ unawareness and not in Amazon Web Services," commented research lead Professor Ahmad-Reza Sadeghi. "We believe that customers of other cloud providers endanger themselves and other cloud users similarly by ignoring or underestimating security recommendations."
The team said it had informed Amazon of the issue, and that Amazon had responded by publishing guidance for customers on how to manage their private keys.