April 08, 2014

We have reviewed all AWS services for impact for the issue described in CVE-2014-0160 (also known as the Heartbleed bug). With the exception of the services listed below, we have either determined that the services were unaffected or have been able to apply mitigations that do not require customer action.

Elastic Load Balancing: We can confirm that all load balancers affected by the issue described in CVE-2014-0160 have now been updated in all Regions. If you are terminating your SSL connections on your Elastic Load Balancer, you are no longer vulnerable to the Heartbleed bug. As an added precaution, we recommend that you rotate your SSL certificates using the information provided in the Elastic Load Balancing documentation: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_UpdatingLoadBalancerSSL.html

Amazon EC2: Customers using OpenSSL on their own Linux images should update their images in order to protect themselves from the Heartbleed bug described in CVE-2014-0160. Links for instructions on how to update several of the popular Linux offerings can be found below. As an added precaution, we recommend that you rotate any secrets or keys (e.g. your SSL certificates) that were used by the affected OpenSSL process.

Amazon Linux AMI: https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/

Red Hat Enterprise Linux: https://rhn.redhat.com/errata/RHSA-2014-0376.html

Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/

AWS OpsWorks: To update your OpsWorks-managed instances, run the update_dependencies command for each of your stacks to pick up the latest OpenSSL packages for Ubuntu and Amazon Linux. Newly created OpsWorks instances will install all security updates at boot by default. For more information please see: https://forums.aws.amazon.com/ann.jspa?annID=2429

AWS Elastic Beanstalk: We are working with a small number of customers to assist them in updating their SSL enabled Single Instance Environments that are affected by this bug.

Amazon CloudFront: We have mitigated this issue. As an added precaution, we recommend that you rotate your SSL certificates using the information provided in the CloudFront documentation: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html