Code Spaces, a Subversion and Git hosting service, recently encountered a DDoS attack. We know how the story goes: an attacker tries to blackmail an online company into paying a fee to stop a DDoS attack, the company rejects the demand, and the attacker starts a DDoS campaign against the victim. In most cases, the victim mitigates the problem. Unfortunately, this story doesn't have a happy ending. Besides launching the DDoS attack, the attacker gained administrative access to Code Spaces' AWS control panel and started deleting production instances and backups. Code Spaces ended up shutting down its business. This has to be one of the worst security breaches on record, and it is a nightmare scenario for any online business.
While Code Spaces bears the responsibility for not having the proper mechanisms in place to mitigate this kind of attack, does Amazon AWS bear some of that responsibility? That's not for me to decide, but I will say that AWS needs to make its security offering easier to work with. AWS offers encryption, firewalls, and a few other security features, but the challenge lies in their complexity: figuring out which feature provides what kind of protection. AWS should take the initiative and bake some of these features, such as two-factor authentication, into accounts by default, in order to limit the impact of a serious security breach.
Security is very complex, with dozens of moving parts, and expecting every AWS customer to become a security expert well versed in defense-in-depth strategy is unrealistic. The Code Spaces incident is a lesson for every online business using AWS: implementing the proper security measures is a must, especially two-factor authentication on the console login, and keeping backups of the backups outside the AWS ecosystem, where a compromised control panel cannot reach them.
Here is a quote from Code Spaces:
We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances and several machine instances. In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.
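The lesson from that quote is that a single console login without a second factor was enough to wipe everything. The first thing to check in any AWS account is therefore which principals can sign in without MFA. The script below is an added example, not code from the original post or from Code Spaces: it parses an IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-decoded; the column names follow that report as I know it) and flags console-capable principals with no MFA device, plus a root account that still has active access keys. The account ID, user names and timestamps in the sample report are constructed for this example.

```python
import csv
import io

# Constructed sample of an IAM credential report. The header row uses the
# real report's column names; every row below it is invented for this example.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2013-01-15T10:00:00+00:00,not_supported,2014-06-17T22:10:00+00:00,not_supported,not_supported,false,true,2013-01-15T10:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2013-02-01T09:00:00+00:00,true,2014-06-16T08:30:00+00:00,2014-05-01T09:00:00+00:00,N/A,true,true,2014-05-01T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2013-03-10T12:00:00+00:00,true,2014-06-17T21:55:00+00:00,2013-03-10T12:00:00+00:00,N/A,false,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2013-04-02T14:00:00+00:00,false,no_information,N/A,N/A,false,true,2013-04-02T14:00:00+00:00,false,N/A
"""

ROOT_USER = "<root_account>"


def audit_credential_report(report_csv):
    """Return a list of findings, one per weak principal in the report.

    Two checks are made:
      * a principal that can sign in to the console (the root account, or
        an IAM user with a password) but has no MFA device enabled;
      * a root account with an active access key, which is an API-level
        equivalent of the same single point of failure.
    Access-key-only IAM users are not flagged here: MFA does not protect
    API keys, so they need a different control (key rotation, scoping).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == ROOT_USER
        console_login = is_root or row["password_enabled"] == "true"

        if console_login and row["mfa_active"] != "true":
            findings.append({
                "user": row["user"],
                "arn": row["arn"],
                "reason": "console login without MFA",
                # Root is the account owner: losing it means losing the
                # whole control panel, exactly the Code Spaces scenario.
                "severity": "critical" if is_root else "high",
                "last_console_login": row["password_last_used"],
            })

        if is_root and (row["access_key_1_active"] == "true"
                        or row["access_key_2_active"] == "true"):
            findings.append({
                "user": row["user"],
                "arn": row["arn"],
                "reason": "root account has active access keys",
                "severity": "critical",
                "last_console_login": row["password_last_used"],
            })
    return findings


def format_findings(findings):
    """Render findings as one line each, worst severity first."""
    order = {"critical": 0, "high": 1}
    lines = []
    for f in sorted(findings, key=lambda f: (order[f["severity"]], f["user"])):
        lines.append("[%s] %s: %s (last console login %s)"
                     % (f["severity"].upper(), f["user"], f["reason"],
                        f["last_console_login"]))
    return lines


if __name__ == "__main__":
    # To run against a real account, replace SAMPLE_CREDENTIAL_REPORT with the
    # decoded body of `aws iam get-credential-report --query Content --output text | base64 -d`.
    for line in format_findings(audit_credential_report(SAMPLE_CREDENTIAL_REPORT)):
        print(line)
```

On the sample report this flags the root account twice (no MFA, active access key) and the user bob once; alice has MFA and deploy-bot has no password, so neither is reported. The usual remediation for the IAM-user findings is an IAM policy that denies actions unless the `aws:MultiFactorAuthPresent` condition key is true, so that even a phished password cannot reach the console or the API alone; the root account should simply get a hardware MFA device and have its access keys deleted.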