Amazon Takes Offense to Bkav Blog, Clarifies Policy

Last Thursday, Bkav Corporation made some waves with accusations that Amazon, HP, GoGrid and others are not following best practices, leaving customers vulnerable to attack. Specifically, Bkav asserted that the Cloud providers' methods for keeping Windows server images up-to-date were inadequate and a precedent for disaster and stolen customer data.

An Amazon spokesperson reached out to me shortly after the news hit and this is the response:

“The Amazon Machine Image AMI (AMI) referenced the Bkav blog was published in 2010 and is not on the AWS Marketplace, or available in the AMI catalog, making the entire premise of the blog incredibly misleading. AWS prominently features AMIs of the latest versions of Windows operating systems, complete with the most recent set of Microsoft patches, for AWS customers to launch a secure-by-default Windows instance. This means that when a customer launches a new Amazon EC2 AMI, they get the latest available software patches. 

As a standard practice we release new, fully patched Windows AMIs within a week of Microsoft’s patch Tuesday. Customers can customize their Software Update settings in accordance with their corporate software patching policies and security best practices. This includes setting them to automatically check for updates, and choosing whether to download and install them manually or have them install automatically. Once a customer launches an instance of an AMI, they become responsible for managing its software updates, including the updates issued after the build or revision of that specific AMI. To do this for Windows instances, customers can use the Windows Update service, the Automatic Updates tool, or other software update tools they may have deployed in-house.

AWS makes AMIs available on the AWS Marketplace, and we encourage customers to find and use the AMIs we list there as they are vetted for viruses and vulnerabilities on an ongoing basis. In the case this blogger describes in his tests, the customer would have had to intentionally seek out and deploy an old AMI that is not on the AWS Marketplace, then forgo the security best practice of running a software update, in order to run a Windows instance that would allow unauthorized access.”

No word yet from HP or GoGrid.