Over the past few months there has been a series of stories in the news about Amazon Web Services accounts being compromised. Most of these attacks occur when a user accidentally publishes his or her access keys on GitHub or similar sites like SourceForge or CodePlex. This article examines this issue and the tools Amazon offers customers to protect themselves.
So, what is an access key? Amazon Web Services (AWS) offers three forms of authentication. First, a username and password is used to access the AWS Management Console. Second, access keys are used to access the REST API. Third, certificates are used to access the SOAP API, which is now deprecated and seldom used.
Attackers exploit the access keys, which are what most programming-language SDKs use to call the REST API. It begins when a developer accidentally publishes source code that includes his or her access keys to GitHub. A quick search for "SECRET_ACCESS_KEY" on GitHub will return thousands of files that include AWS access keys.
Attackers are well aware of this rich source of credentials. They regularly search GitHub for new keys, and many victims report their account being hacked within hours of publishing code to GitHub. In a few cases the attackers terminated servers and deleted data. In others, the attackers launched machines to mine Bitcoins running up large bills for the account owner.
Below are a few tools that can be used to protect an AWS account.
Security begins with training. Make sure developers are aware of the risk. Then, teach them how to protect their access keys.
Train developers to store keys outside of the source code. AWS provides SDKs for Java, PHP, Python, Ruby and .NET. All of these SDKs allow developers to store access keys in environment variables or similar locations outside the source code. If developers omit the keys from their code, the SDK will automatically load them from the environment. This makes code portable and ensures the keys will not be inadvertently published to sites like GitHub along with the source code.
Furthermore, if code is running on a server hosted at AWS, no access keys are required at all. AWS offers identity and access management (IAM) instance roles. Permissions are assigned to a role, and the instance is associated with the role when it is launched. With an associated role, any code executed on the server implicitly gets the permissions defined by the role, and there are no long-lived keys to compromise.
Define IAM policies
Amazon IAM policies can be used to further protect an account. AWS gives account owners everything they need to protect themselves, but users need to weigh security against ease of use. Here are a few policies to consider implementing.
If all the developers are working from one place, consider adding an IP restriction. For example, if all of the developers are working from one office, a policy could be used to restrict access to that one office.
Note: Policies can be defined for specific methods. For example, a policy can be written that allows a developer to reboot a server from anywhere but requires that he or she is in the office to launch a new server or terminate an existing one.
If all servers are running in a few regions, restrict access to only those regions. For example, if there are no servers in Asia, write a policy that denies access to Tokyo, Sydney and Singapore. Smart attackers will launch servers in an unused region where they are less likely to be noticed.
If possible, require that developers use multi-factor authentication (MFA). MFA requires a user to enter an authentication code generated by a smartphone app such as AWS Virtual MFA or Google Authenticator. This is different from simply enabling MFA on an account, which only requires users to enter a code when logging into the Web console. Specifying an MFA restriction in an IAM policy affects API access as well.
Note: This policy may not be compatible with some third-party applications.
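As an added example (not a policy from the article or from AWS documentation), the following IAM policy combines the three restrictions discussed above: rebooting is allowed from anywhere, launching and terminating require the request to come from the office address range (203.0.113.0/24 is an assumed placeholder for the office), the three Asia-Pacific regions named above are denied outright, and every API call is denied unless the caller authenticated with MFA. The region and condition key names are the real AWS identifiers; the Sid values are my own labels.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RebootFromAnywhere",
      "Effect": "Allow",
      "Action": "ec2:RebootInstances",
      "Resource": "*"
    },
    {
      "Sid": "LaunchAndTerminateOnlyFromOffice",
      "Effect": "Allow",
      "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
      "Resource": "*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}
      }
    },
    {
      "Sid": "DenyUnusedAsiaPacificRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": ["ap-northeast-1", "ap-southeast-1", "ap-southeast-2"]
        }
      }
    },
    {
      "Sid": "DenyWithoutMFA",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}
```

An explicit Deny always wins over an Allow, so a leaked long-lived access key, which carries no MFA context, is refused by the last statement even if other policies grant it permissions; legitimate developers must exchange their key plus MFA code for temporary credentials (sts:GetSessionToken), which is exactly why some third-party tools are not compatible with this restriction.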
Enable CloudWatch notifications
In many of the reported cases of access key theft, the victim said that AWS notified them of the mistake. They received an email that began similar to the following:
"Your security is important to us. We recently became aware that the following AWS Access Key along with the corresponding Secret Key are publicly available on GitHub."
Amazon is proactively notifying customers, but account owners can enable other notifications using CloudWatch alerts to get notified even sooner.
CloudWatch is Amazon's monitoring service. It is typically used to monitor server performance, but it can be configured to send an alert as soon as the total number of servers drops below a minimum or exceeds a maximum -- possibly indicating an attacker is either deleting or launching servers.
In addition to monitoring servers, you can configure CloudWatch to monitor spending. Alerts can be configured to send a notification when the total bill exceeds a certain threshold, again indicating an attack is potentially underway.
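As an added example (not from the article), this CloudFormation template creates the spending alarm described above: an SNS topic that emails the account owner, and a CloudWatch alarm on the AWS/Billing EstimatedCharges metric that fires when the month's estimated charges exceed a budget. The parameter names and the 500 USD default are my own assumptions; the namespace, metric, dimension and resource types are the real AWS identifiers.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Email the account owner when estimated monthly charges exceed a budget (added example)",
  "Parameters": {
    "MonthlyBudgetUSD": {"Type": "Number", "Default": 500},
    "AlertEmail": {"Type": "String"}
  },
  "Resources": {
    "BillingAlertTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          {"Protocol": "email", "Endpoint": {"Ref": "AlertEmail"}}
        ]
      }
    },
    "EstimatedChargesAlarm": {
      "Type": "AWS::CloudWatch::Alarm",
      "Properties": {
        "AlarmDescription": "Estimated charges for the current month exceeded the budget; check for unexpected instances",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": 21600,
        "EvaluationPeriods": 1,
        "Threshold": {"Ref": "MonthlyBudgetUSD"},
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [{"Ref": "BillingAlertTopic"}]
      }
    }
  }
}
```

Billing metrics are published only in the us-east-1 region and only after billing alerts are enabled in the account's billing preferences, so the stack must be created there; the email subscription also has to be confirmed before notifications are delivered.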
With AWS adoption on the rise, attacks are likely to become more common. Amazon provides a variety of tools to help, but users must balance security and ease of use when deciding which tools to implement.
About the author:
Brian Beach is an enterprise architect with more than 15 years of experience in software engineering and information technology management. Brian is an Amazon Certified Solution Architect, Microsoft Certified Solution Developer (MCSD) and Certified Information Systems Security Professional (CISSP). He holds a BS in Computer Engineering from NYU Poly, an MBA from Rutgers Business School and is a member of American Mensa. Brian is an advocate for cloud computing on the AWS platform and currently manages a team of cloud engineers at a Big Four accounting firm. He can be contacted through his blog at http://blog.brianbeach.com or LinkedIn at http://www.linkedin.com/in/brianjbeach.