SensePost showed in a video how easy it was to make Amazon EC2 users to instantiate malicious images. After thousands of automated trials, they managed to register their own AMI with a small ID and thus have it a prominent place in the Amazon AMI catalogue. Several thousand EC2 Users instantiated it within a short time-interval without any verification.
Amazon does not provide any certification or validation of images. It doesn’t even provide an outbound filtering option in its firewall feature (security groups) that would limit the impact of malicious instances starting any kind of attacks. Hoff suggests to instantiate only images you created yourself. But that would also mean another ugly and awkward little thing to do before being able to start, another technical obstacle to use the cloud. And it doesn’t protect you necessarily against glitches in the official and generally trustworthy images of Amazon itself, neither.
One solution to his problem could be an AMI Marketplace, a simple web-portal that would provide relevant information about any AMI. That information would be retrieved by running scanning software that identifies server-processes on that AMI, open ports, scheduled tasks, integrity checks on kernel files and packages, and that generates warnings about potential viruses/rootkits/malware. In addition, user generated information like ratings and comments could be added – users of the same AMI could be easily connected. Such a portal would solve a couple of today’s issues with AMIs:
- Lack of Integrity: the problem described above. How can I be sure that the AMI I want to use does not contain any malware? How can I be sure that the AMI contains really what its description promises?
- Lack of Trust: How can I trust small and unknown providers? The portal could help microISVs to build a reputation in the AMI market
- Lack of Transparency: How can I find the appropriate image for my needs? Many images contain similar software, misleading names, or insufficient subscriptions (Test: try to search for images yourself on Amazon’s AMI Catalogue).
- Lack of Support: Often other users are the best sources to discuss issues concerning a certain AMI. How can I reach them and get feedback from them?
Isn’t there a business opportunity? Well, maybe. If the problem would be so pressing, Amazon itself would have probably already released such a portal. I suspect that the people who instantiated SensePost’s malicious AMI were simply playing around a bit with the EC2 platform. Any sensible IT administrator intending to do something serious with EC2 would either get an AMI directly from Amazon or other well-known and trusted providers like Alestic or create an image himself based on an original and official AMI created by Amazon. Maybe AMIs are not considered as a kind of DVD that simply needs to be plugged in and played, but just as a basis to work with and install other software on top. Will there be such an AMI market? What do you think?