November 02, 2012

Security researchers reported incorrect behavior in the SSL certificate validation mechanisms of some software development kits (SDKs) and application programming interface (API) tools maintained by AWS and third parties. Specifically, the researchers identified versions of the Elastic Cloud Compute (EC2) API tools, Elastic Load Balancing (ELB) API tools, and Flexible Payments Software (FPS) SDKs that may validate SSL certificates incorrectly. The incorrect SSL certificate validation reported in the EC2 and ELB API tools could allow a man-in-the-middle attacker to read, but not successfully modify, signed AWS REST/Query requests intended for secure (HTTPS) EC2 or ELB API endpoints. These issues do not allow an attacker to access customer instances or manipulate customer data. The incorrect SSL certificate validation reported in the FPS SDKs could allow an attacker to read, but not successfully modify, signed AWS REST requests intended for secure (HTTPS) FPS API endpoints, and may also affect merchant applications that use the Amazon Payments Software SDKs to verify Instant Payment Notification responses from FPS.

To address these issues, AWS has released updated versions of the affected SDKs and API tools, which can be found here:

EC2 API Tools
Amazon Payments Software Updates
AWS has also addressed similar issues in additional SDKs and API tools and released updated versions, which can be found here:

Auto Scaling Command Line Tool

AWS CloudFormation Command Line Tools

Bootstrapping Applications using AWS CloudFormation

Amazon CloudFront Authentication Tool for Curl

Amazon CloudWatch Command Line Tool

Amazon CloudWatch Monitoring Scripts for Linux

Amazon EC2 VM Import Connector for VMware vCenter

AWS Elastic Beanstalk Command Line Tool

Amazon ElastiCache Command Line Toolkit

Amazon Mechanical Turk Command Line Tools

Amazon Mechanical Turk SDK for .NET

Amazon Mechanical Turk SDK for Perl

Amazon Route 53 Authentication Tool for Curl

Ruby Libraries for Amazon Web Services

Amazon Simple Notification Service Command Line Interface Tool

Amazon S3 Authentication Tool for Curl

In addition to using the latest AWS SDKs and API tools, customers are encouraged to update underlying software dependencies. Suggested versions for underlying software dependencies can be found in the README file of the SDK or CLI tool package.

AWS continues to recommend the use of SSL for additional security and to protect AWS requests or their responses from being viewed in transit. Signed AWS REST/Query requests via HTTP or HTTPS are protected from third-party modification, and MFA-protected API access using AWS Multi-Factor Authentication (MFA) provides an extra layer of security over powerful operations, such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3.
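As an added illustration of the point above (example code, not code from the AWS bulletin or its SDKs), the following Python implements request signing in the style of the Signature Version 2 scheme assumed here for Query requests and shows why an on-path reader who defeats SSL can see a signed request but cannot alter a parameter without the secret key; the key, access key ID and request values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder secret, not a real AWS key.
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def canonical_query(params):
    """Sort by parameter name (byte order) and RFC 3986-encode names and values."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def string_to_sign(method, host, path, params):
    """Signature Version 2 string-to-sign; the Signature parameter is excluded."""
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    return "\n".join([method, host.lower(), path, canonical_query(unsigned)])


def sign_request(secret, method, host, path, params):
    """Return a copy of params with a base64 HMAC-SHA256 Signature added."""
    sts = string_to_sign(method, host, path, params).encode()
    mac = hmac.new(secret.encode(), sts, hashlib.sha256).digest()
    return dict(params, Signature=base64.b64encode(mac).decode())


def verify_request(secret, method, host, path, params):
    """Recompute the signature on the receiving side; compare in constant time."""
    expected = sign_request(secret, method, host, path, params)["Signature"]
    return hmac.compare_digest(expected, params.get("Signature", ""))


def demo():
    """Show that a signed request can be read but not altered in transit."""
    params = {"Action": "DescribeInstances", "Version": "2012-10-01",
              "AWSAccessKeyId": "AKIAEXAMPLEEXAMPLE00",  # constructed
              "SignatureMethod": "HmacSHA256", "SignatureVersion": "2",
              "Timestamp": "2012-11-02T00:00:00Z"}
    host, path = "ec2.amazonaws.com", "/"
    signed = sign_request(SECRET_KEY, "GET", host, path, params)
    # An attacker who defeats SSL sees every parameter, including the signature,
    # but changing any signed parameter without the secret invalidates the HMAC.
    tampered = dict(signed, Action="TerminateInstances")
    return (verify_request(SECRET_KEY, "GET", host, path, signed),
            verify_request(SECRET_KEY, "GET", host, path, tampered))
```

Without SSL, the same signed request is readable by anyone on the path, which is why signing alone protects integrity but not confidentiality.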

For more information about signing AWS REST/Query requests, please see:

For more information about MFA-protected API access, please see:

AWS would like to thank the following individuals for reporting these issues and sharing our passion for security:

Martin Georgiev, Suman Jana, and Vitaly Shmatikov of the University of Texas at Austin

Subodh Iyengar, Rishita Anubhai, and Dan Boneh of Stanford University

Security is our top priority. We remain committed to providing features, mechanisms, and assistance for our customers to realize a secure AWS infrastructure. AWS security-related questions or concerns can be brought to our attention via