

Compromised EC2 image includes root access SSH key - whiskers

A friend just forwarded me this e-mail he received from the Amazon EC2 Security Team.

http://pastebin.com/q1VH4rmF

Looks like a public Ubuntu EC2 image was available that included an SSH key to allow the publisher to log into any instance that is using this image as root.
======
paulofisch
Hi there, I originally made this AMI and I would like to apologise to anyone
whose instance has been taken offline because they used this image.

Through inexperience I left my public SSH key in the AMI, which I failed to
appreciate the implications of despite a blog comment highlighting that I'd
done so.

For the record I'd like to state that I didn't use my unintended powers of
root at any point for good or evil.

This post stands as a good education of why it's worth checking images of
unknown provenance and how to check your public key store for credentials.

This issue will mainly affect anyone who wanted an AMI to check out Amazon's
free tier which has a 10GB limit on EBS.
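The check the previous comment mentions (looking through the instance's public key store for credentials you did not put there), written up as an added example that is not from the thread or from anyone in it. It assumes an allowlist file of one "keytype base64blob" per line that you wrote yourself; the key blobs in the sample data are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the thread: audit authorized_keys files for
# entries missing from an allowlist of "keytype base64blob" lines you wrote.

# Print "keytype blob" for every entry in an authorized_keys file, skipping
# blank lines, comments, and any leading options (e.g. command="...",no-pty).
extract_keys() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9.-]+@openssh\.com)$/) {
                    print $i, $(i + 1); break
                }
        }' "$1"
}

# Report every key in file $1 that is not in allowlist $2; return 1 if any.
audit_authorized_keys() {
    found=$(extract_keys "$1" | while read -r ktype blob; do
        grep -Fqx "$ktype $blob" "$2" || echo "$ktype $blob"
    done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed "s|^|UNKNOWN in $1: |"
    return 1
}

# Check the usual locations on an instance; run this before trusting an image.
audit_instance() {
    status=0
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        audit_authorized_keys "$f" "$1" || status=1
    done
    return "$status"
}

# Constructed sample data (placeholder blobs, not real keys): one key the
# operator added and one leftover publisher key hidden behind an options prefix.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/authorized_keys" <<'EOF'
# keys for this instance
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPERATORKEYPLACEHOLDER0000000000 ops@example
command="/bin/true",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPUBLISHERKEYPLACEHOLDER publisher@ami
EOF
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPERATORKEYPLACEHOLDER0000000000" > "$dir/allowlist"
    echo "$dir"
}
```

Running `audit_instance /path/to/allowlist` as root on a freshly launched instance reports every key that is not yours, including ones tucked behind a `command=` prefix where a quick `cat` might not draw the eye.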

~~~
whiskers
Thanks for the response.

If I was building an image for the first time I no doubt could easily make the
same mistake. It'll definitely be something I make sure of if I ever decide to
make my own image in the future.

------
snapbuzz
Wow! My instance was running this AMI. I am glad that this was not
intentional. Kudos to the AWS team for looking after its customers.

------
NeedLucidAMI
paulofisch - are you planning to make a replacement AMI that does not include
the security hole, for those of us who still want to use Ubuntu 10.04 server?

~~~
NeedLucidAMI
OK, never mind. I see that ami-3e02f257 can be used in place of the
compromised one.

