Does AWS Stand For ‘Awkwardly Weak Security’?

A little-known story from last month was overlooked by many in the security industry: Amazon Web Services (AWS) was contacting customers because the AWS secret keys used to log into their accounts had been “mistakenly hard-coded into applications.”

AWS is warning users to remove any hard-coded AWS access and secret keys from their applications. Many people saw these credentials become publicly available, leading to unauthorized use of AWS services.

The problem has not completely gone away – as demonstrated by the fact that hackers are hijacking AWS accounts to make some extra cash.

AWS is a widely used cloud service, including by many companies that use it to run critical infrastructure. Imagine what could happen to your business if you run critical systems on AWS and your AWS keys were compromised. You wouldn’t even know it until you got your monthly AWS invoice and saw it was 4-5x its normal size, or worse – if someone compromised your data center and leaked the information.

If you use AWS, you should immediately make sure you haven't inadvertently exposed your AWS log-in credentials. Anyone who has your access key has the same level of access to your AWS resources that you do.
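One way to check your own source code for hard-coded keys, as an added example that is not part of the original post and is not AWS or CyberArk code. The regular expressions, the quoting requirement and the entropy threshold are heuristic assumptions, and the key values in the sample are the placeholder keys from AWS's documentation.

```python
import math
import re
from collections import Counter

# Access key IDs: 20 uppercase alphanumerics starting with AKIA (long-term keys).
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys: 40 base64-style characters; assumed here to sit inside quotes.
SECRET_RE = re.compile(r"""["']([A-Za-z0-9/+=]{40})["']""")


def entropy(s):
    """Shannon entropy in bits per character; randomly generated keys score high."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text, name="<input>", min_entropy=4.0):
    """Return (file, line_no, kind, redacted_value) for each suspected key."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((name, no, "access_key_id", m.group()[:8] + "..."))
        for m in SECRET_RE.finditer(line):
            # The entropy filter drops 40-character strings that are not key-like.
            if entropy(m.group(1)) >= min_entropy:
                findings.append((name, no, "secret_access_key", m.group(1)[:4] + "..."))
    return findings


# Constructed sample file; the key values are AWS's documentation placeholders.
SAMPLE = '''\
import boto
conn = boto.connect_s3("AKIAIOSFODNN7EXAMPLE",
                       "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
''' + 'padding = "%s"  # 40 chars, low entropy: not flagged\n' % ("0" * 40) + '''\
key_id = os.environ["AWS_ACCESS_KEY_ID"]  # read at runtime: not flagged
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "app.py"):
        print("%s:%d: possible hard-coded %s (%s)" % finding)
```

Findings are redacted so the scanner's own output does not become another copy of the key; any key it does find should be treated as exposed and rotated, not just deleted from the file.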

As for how CyberArk can help you: the CyberArk Privileged Account Security solution allows you to store sensitive information like the AWS keys in a secure and tamper-proof vault. This protects the keys from misuse, ensuring the keys are programmatically extracted in a secure, highly available and high-performance way without exposing the keys to anyone in the outside world.

Tuesday, May 6, 2014