2017/05/17 7:00PM PDT
AWS is aware of the WannaCry ransomware (also known as WCry, WanaCrypt0r 2.0 and Wanna Decryptor) that leverages issues in multiple versions of Microsoft Windows SMB Server. By default, SMB operates on UDP ports 137 & 138, and TCP ports 139 & 445. This service provides remote systems with file and print sharing capabilities. On March 14, 2017, Microsoft released a critical security update for Microsoft Windows SMB Server, which mitigates this issue. More information is available from Microsoft in the Microsoft MSRC blog and in Microsoft Security Bulletin MS17-010. AWS services are unaffected with the exception of those listed below:
AWS customers using the AWS-provided Windows AMIs from the 2017.04.12 release, or that have enabled automatic updates are not affected. We encourage customers using an older AMI or who do not have automatic updates enabled to install the security update. As always, AWS recommends that customers follow security best practices, and to review their security group settings and grant access to the aforementioned ports only to instances and remote hosts that require it. By default, EC2 security groups block these ports.
AWS's Windows AMI release notes are available here.
WorkSpaces created on or after April 15, 2017, or that have automatic updates enabled, are not affected. We encourage customers who created their WorkSpace(s) prior to April 15, 2017, and do not have automatic updates enabled to either install the security update or to rebuild their WorkSpace.
UPDATE 2017/05/20: We have completed patching of Microsoft AD customer directories. No customer action is required.
2017/05/17: We are actively patching Microsoft AD directories. Customers are protected from external access by default Directory Service configuration which only permits access from within the customer’s VPC. We will update this bulletin when patching is complete.
Amazon Simple AD, AD Connector and AWS Cloud Directory are not affected by this issue.
Elastic Beanstalk environments using the Windows Server platform created or updated after May 4, 2017 are not affected by this issue. We encourage customers with existing Elastic Beanstalk Windows environments to update their platform version to receive the update. This can be accomplished via the AWS Management Console, or by rebuilding the environment. Elastic Beanstalk release notes for the latest platform version are available here.