Virtual machines published on Amazon's (NASDAQ: AMZN) cloud have major security problems, which were discovered by researchers from the Center for Advanced Security Research Darmstadt in Germany. Private keys, SSL certificates, source code and even passwords were not removed prior to pre-configured machines being published in Amazon Machine Images. AMIs are pre-configured templates used to create virtual machines.

As reported by PCWorld, Thomas Schneider, a researcher at Technische Universität Darmstadt, noted the presence of private keys used to authenticate with EC2 and S3. Schneider observed that customers "just forgot to remove their API keys from machines before publishing."

The consequences of failing to remove the keys could be expensive, since this opens the door to an interloper firing up services using a customer's keys. This could result in the key holder being charged thousands of dollars per day for virtual infrastructure. Moreover, some AMIs were also found to contain the SSH user keys for root-level access. Hackers aware of these keys can log into instances derived from vulnerable templates.

For now, the team has developed a vulnerability scanner for virtual machines, which can be downloaded here.

For more
- check out this article at PCWorld
- check out this article at SYS-Con Media

Related Articles:
New research explores cross-VM attacks in cloud computing
Startup unveils 'cloud storage gateway'
Security downplayed by cloud providers