Researchers find "large" security vulnerabilities in various cloud architectures

Source: Internet
Author: User
German researchers say they found flaws in Amazon Web Services (AWS), and they believe that similar flaws exist in many cloud architectures and could let an attacker acquire administrative privileges and steal data from all users.

While the researchers say they have informed AWS about these vulnerabilities, and AWS has fixed them, they think the same type of attack is equally effective against other cloud services, "because the relevant Web service standards do not match performance and security."

A team of researchers at the University of Bochum in Germany used a variety of XML signature encapsulation attacks (more commonly known as XML signature wrapping) to gain administrator privileges on a number of customer accounts, and could then create new instances in the customer's cloud and add or remove images. In a separate case, the researchers used cross-site scripting to attack the open-source private cloud software framework Eucalyptus. They also found Amazon's services vulnerable to cross-site scripting attacks.

"It's not just Amazon's problem," says Juraj Somorovsky, one of the researchers. "These attacks are common types of attacks. This means that the public cloud is not as safe as it looks. These problems can also be found in other cloud architectures."

Somorovsky said they were developing a high-performance library, with XML security, to eliminate vulnerabilities that could be exploited by XML signature encapsulation attacks. The work will be finished sometime next year.

AWS acknowledges the possibility of a signature-encapsulation attack and says it has worked with the Ruhr University to correct the problems they found. "No customer has been affected," an AWS spokesman said in an e-mail. It must be noted that this potential vulnerability relates only to a small portion of authorized AWS API calls, and only to calls made to non-SSL endpoints; it is not, as reported, a potentially widespread vulnerability. "AWS has released a list of best practices; customers who follow them are safe from such attacks and from other types of attacks discovered by the Ruhr University team."

This is the best practices list that AWS publishes:

  • Use only the SSL-secured HTTPS endpoints to invoke AWS services, and ensure that the client application performs appropriate peer authentication. The proportion of all AWS API calls made to non-SSL endpoints is minimal, and AWS may not support the use of non-SSL API endpoints in the future.
  • Use multi-factor authentication (MFA) when accessing the AWS Management Console.
  • Create identity and access management (IAM) accounts that have limited roles and responsibilities, restricting access to only the resources those accounts specifically need.
  • Limit API access further by source IP, using IAM source IP policy restrictions.
  • Periodically rotate AWS credentials, including keys, X.509 certificates, and key pairs.
  • When using the AWS Management Console, avoid interacting with other websites as far as possible, and follow only safe internet browsing practices.
  • AWS customers should also consider using API access mechanisms other than SOAP, such as REST/Query.
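
The HTTPS-only and source-IP recommendations above can be expressed as a single IAM policy. The following is an added example, not a policy published by AWS or taken from the original article; the CIDR range `203.0.113.0/24` is a placeholder from the documentation address space and must be replaced with the organization's own egress range. It relies on the IAM global condition keys `aws:SecureTransport`, `aws:SourceIp` and `aws:ViaAWSService`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsNotSentOverTls",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyOutsidePlaceholderCidr",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": ["203.0.113.0/24"] },
        "Bool": { "aws:ViaAWSService": "false" }
      }
    }
  ]
}
```

Because both statements are explicit denies, they override any allow attached elsewhere to the same identity. The `aws:ViaAWSService` condition keeps the IP restriction from blocking calls that AWS services make on the principal's behalf.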