https://www.bleepingcomputer.com/news/security/whoami-attacks-give-hackers-code-execution-on-amazon-ec2-instances

Security researchers have discovered a critical vulnerability in Amazon Web Services (AWS) that allows attackers to gain unauthorized code execution on EC2 instances.

Dubbed “whoAMI,” the attack exploits a flaw in how users select Amazon Machine Images (AMIs), the pre-configured templates used to create virtual servers.

Attackers can publish malicious AMIs with names that mimic those of legitimate AMIs, tricking users into selecting and launching these malicious images.

This can occur when users:

  • Fail to specify the owner of the AMI: When retrieving AMIs, users should always specify the owner to ensure they are selecting trusted images.
  • Use wildcards in their AMI searches: This can inadvertently include malicious AMIs that match the search criteria.
  • Utilize “most_recent=true” in tools like Terraform: This setting automatically selects the latest matching AMI, which could be a malicious one.
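The three conditions above can be checked mechanically before a plan is applied. The following is an added example, not code from the article or from AWS or HashiCorp: a small Python audit that scans Terraform text for `data "aws_ami"` blocks and reports any that lack an owner restriction (no `owners` attribute and no `owner-id` / `owner-alias` filter), noting a wildcard `name` filter and `most_recent = true` as aggravating factors. The sample HCL, the resource names and the 12-digit account ID `123456789012` are constructed placeholders, and the matcher is a line-oriented heuristic rather than a full HCL parser.

```python
"""Flag Terraform aws_ami data sources exposed to AMI name confusion.

Added example (not from the article). Heuristic, regex-based scan of
HCL text: it looks for the three risk factors the article lists and
treats an explicit owner restriction as the mitigating control.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: no owner restriction, wildcard name, newest wins.
RISKY_HCL = '''
data "aws_ami" "web" {
  most_recent = true
  filter {
    name   = "name"
    values = ["example-web-base-*"]
  }
}
'''

# Constructed sample: same lookup, pinned to a placeholder owner account.
SAFE_HCL = '''
data "aws_ami" "web" {
  most_recent = true
  owners      = ["123456789012"]   # placeholder account id
  filter {
    name   = "name"
    values = ["example-web-base-*"]
  }
}
'''

# Constructed sample: owner pinned through an owner-alias filter instead.
ALIAS_HCL = '''
data "aws_ami" "base" {
  most_recent = true
  filter {
    name   = "owner-alias"
    values = ["amazon"]
  }
  filter {
    name   = "name"
    values = ["example-base-image-*"]
  }
}
'''

BLOCK_START = re.compile(r'data\s+"aws_ami"\s+"([^"]+)"\s*\{')
OWNERS_ATTR = re.compile(r'^\s*owners\s*=\s*\[([^\]]*)\]', re.M)
MOST_RECENT = re.compile(r'^\s*most_recent\s*=\s*true', re.M)
FILTER_BLOCK = re.compile(r'filter\s*\{([^}]*)\}', re.S)
FILTER_NAME = re.compile(r'name\s*=\s*"([^"]+)"')
FILTER_VALUES = re.compile(r'values\s*=\s*\[([^\]]*)\]')


@dataclass
class Finding:
    resource: str
    problems: list = field(default_factory=list)


def _extract_blocks(hcl: str):
    """Yield (name, body) for every data "aws_ami" block, matching braces."""
    for m in BLOCK_START.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), hcl[m.end():i - 1]


def _filters(body: str) -> dict:
    """Map filter name -> list of values for the nested filter {} blocks."""
    out = {}
    for fb in FILTER_BLOCK.finditer(body):
        n = FILTER_NAME.search(fb.group(1))
        v = FILTER_VALUES.search(fb.group(1))
        if n and v:
            out[n.group(1)] = [s.strip().strip('"')
                               for s in v.group(1).split(",") if s.strip()]
    return out


def audit(hcl: str) -> list:
    """Return a Finding for each aws_ami lookup with no owner restriction."""
    findings = []
    for name, body in _extract_blocks(hcl):
        filters = _filters(body)
        owners = OWNERS_ATTR.search(body)
        has_owners = bool(owners and owners.group(1).strip())
        owner_pinned = has_owners or "owner-id" in filters or "owner-alias" in filters
        if owner_pinned:
            continue  # a trusted publisher is named; name collisions cannot win
        f = Finding(resource=f"data.aws_ami.{name}")
        f.problems.append("no owner restriction (owners attribute or owner-id/owner-alias filter)")
        name_values = filters.get("name", [])
        if any("*" in v or "?" in v for v in name_values):
            f.problems.append("wildcard in name filter: " + ", ".join(name_values))
        if MOST_RECENT.search(body):
            f.problems.append("most_recent = true picks whichever matching AMI is newest")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for label, text in (("risky", RISKY_HCL), ("safe", SAFE_HCL), ("alias", ALIAS_HCL)):
        for finding in audit(text) or [None]:
            print(label, "->", finding.resource if finding else "no findings")
            for p in (finding.problems if finding else []):
                print("   ", p)
```

Run it against a real module by reading the `.tf` files into a string and calling `audit()`; a finding means the lookup resolves by name alone, and adding `owners` (or an `owner-id` / `owner-alias` filter) is the fix the article's first bullet describes.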

AWS has acknowledged the vulnerability and implemented a fix. However, organizations must update their code and configurations to mitigate the risk.

This attack highlights the importance of secure coding practices and careful consideration of security measures when utilizing cloud services.