2014/11/20 10:30AM PST-

AWS Elastic Beanstalk
We have pushed an update to all Elastic Beanstalk Windows containers with a fix for MS14-066, as described at https://technet.microsoft.com/library/security/ms14-066. Customers with single instance environments need to update to remediate the issue described in MS14-066. In addition, we recommend that customers with multi-instance environments also update. The steps that our customers will need to take to update their environments are posted on our Discussion Forums at https://forums.aws.amazon.com/ann.jspa?annID=2760.



2014/11/18 10:30AM PST -

We have reviewed all AWS services for impact for the issue described in the Microsoft security bulletin MS14-066: Vulnerability in SChannel could allow remote code execution (CVE-2014-6321). With the exception of the services listed below, we have been able to verify that the services were unaffected or we have been able to apply mitigations that do not require customer action.

Amazon EC2:
Customers running Amazon EC2 instances launched from Microsoft Windows AMIs, including AMIs from the AWS Marketplace and custom AMIs, should update their instances by running Windows Update or by following directions at https://technet.microsoft.com/library/security/ms14-066. Our customers launching new Windows instances will need to run Windows update to install the security update. Updated Windows AMIs containing the update for this issue, without requiring a run of Windows Update, are expected to be available by 2014/11/25.

AWS Elastic Beanstalk:
We have determined that only single Windows instance environments are affected by the issue described in MS14-066. We are creating updated solution stacks that customers will be able to swap to with minimal downtime, and expect to have these available by 23:59 PST on 2014/11/18. We will provide detailed instructions in the Elastic Beanstalk Forum at that time.




2014/11/14 5:30PM PST -

We are continuing to investigate the reported issues with the patch that was supplied for MS14-066. This updated status is being provided for the service below. We will continue to update this Security Bulletin for the other services previously identified as more information becomes available.

Amazon Relational Database Service (RDS):

Amazon RDS will build and deploy any required updates to affected RDS SQL Server instances. Any needed updates will require a restart of the RDS database instance. Communication of the specific timing of the update for each instance will be communicated via email or AWS Support directly to customers prior to any instance restart.




2014/11/12 9:30 PM PST-

We have received reports that the patch that Microsoft supplied for MS14-066 has been causing issues, specifically that TLS 1.2 sessions are disconnecting during key exchange.
While we investigate this issue with the patch provided, we suggest that our customers review their security groups and ensure that external access to Windows instances have been appropriately restricted to the extent possible. Below is guidance that our customers can refer to when reviewing their security groups.

EC2 Windows instance security group documentation: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

AWS Elastic Beanstalk security groups documentation: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.managing.ec2.html

Amazon RDS SQL Server security group documentation: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html

We will continue provide updates to this security bulletin.


2014/11/11 9:00 PM PST-

We are aware of MS14-066 for which a patch was released 11th November 2014. We are currently reviewing AWS services and will update this bulletin with more details shortly.