Amazon says cloud customers can take precautions to defend against Heartbleed

Customers can update their Linux VMs to ensure protection

Amazon Web Services, one of the most popular cloud computing platforms, which hosts a large number of websites on the Internet, said this week that it has been able to mitigate the impact of the Heartbleed OpenSSL bug revealed this week. But because of the "shared security" model that AWS operates under, some customers can take action themselves if they want extra precautions to ensure the vulnerability does not impact their operations.


In a blog post, AWS recommends that customers of the popular Elastic Compute Cloud (EC2) service, which provides virtual machine images, who run OpenSSL on their own Linux images update those VMs to ensure the OpenSSL patch is in place. "As an added precaution, we recommend that you rotate any secrets or keys (e.g. your SSL certificates) that were used by the affected OpenSSL process," AWS says. The blog post provides instructions on how to update Amazon Linux, Red Hat Enterprise Linux and Ubuntu VMs.

Other AWS services could be impacted too. For the Elastic Load Balancing service (ELB) and the CloudFront content management service, AWS says that load balancers across all regions have been updated. AWS says that "as an added precaution, we recommend that you rotate your SSL certificates" for both ELBs and CloudFront. The blog post links to directions on how to do this as well.

AWS OpsWorks customers may have some changes to make as well. OpsWorks automates the use of AWS resources, such as the creation of new VMs. As a precaution, AWS says customers can update their OpsWorks-managed instances by running an "update_dependencies" command to get the latest patch to OpenSSL. Any new OpsWorks instances will automatically have the security update installed.

A small number of Elastic Beanstalk customers were advised to update their SSLs, but AWS says it is working with them.

AWS said that its other services are either unaffected or mitigations have been applied and no customer action is necessary.

AWS's shared security model means that the company provides a base level of security of its services, but customers have a wide variety of options to customize the cloud resources to their own specifications. When doing so, customers are responsible for the security of their applications that run on AWS's protected infrastructure services. 

 Senior Writer Brandon Butler covers cloud computing for Network World and NetworkWorld.com. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW.
