Most people won’t ever touch Amazon’s cloud computing service. They will, however, touch an application that touches the service (FourSquare, Reddit, Percolate to name a few). What Amazon offers developers is the ability to bring up and down a server in an instant, only paying for the time it was live (for the initialized, this is all thanks to virtualization, which is pretty amazing). The other really neat thing about what Amazon offers is that they have a ton of server images to choose from when you launch your new box. That means in addition to the size and speed you can choose from different operating systems and even very specific configurations with additional software pre-installed (for instance, there’s a WordPress image that comes with all the software one would need to run a blog on Amazon’s cloud).
Anyway, some researchers looked into the security of these images and things didn’t turn out so peachy:
The results, which the team plans to present a paper at the Symposium on Applied Computing next March, aren’t pretty: 22% of the machines were still set up to allow a login by whoever set up the virtual machine’s software–either Amazon or one of the many other third party companies like Turnkey and Jumpbox that sell preset machine images running on Amazon’s cloud. Almost all of the machines ran outdated software with critical security vulnerabilities, and 98% contained data that the company or individual who set up the machine for users had intended to delete but could still be extracted from the machine.