Amazon Linux is Amazing - But Still Needs PROTECTing

While many companies host Windows servers and Linux distributions such as Red Hat in Amazon Web Services (AWS), more and more companies are starting to stand up and run Amazon's own version of Linux, the Amazon Linux Amazon Machine Image (AMI). This flavor of Linux is provided by AWS for use on Amazon Elastic Compute Cloud (Amazon EC2), and it can also run in virtualized and local environments.

What Is It?

Amazon designed it to provide optimized machines for applications running on Amazon EC2. It is based on Red Hat Enterprise Linux (RHEL) and is also similar to CentOS, Red Hat's free server distribution of Linux.

Who Uses It?

AWS currently owns 33% of the cloud infrastructure services market share and has numerous Fortune 100 customers, including Expedia, Boeing, and Intuit. Customers like these run multiple operating systems (OS) for various purposes, such as Windows, RHEL, Ubuntu, and of course Amazon Linux. They use Amazon Linux because of the many technical benefits that Amazon has written into this distribution.

Even though Linux is an inherently more secure OS and AWS secures its cloud, customers still need to understand that they must secure their Amazon Linux AMIs themselves.

Why Protect the Amazon Linux AMI?

Many people assume that once they host their images in AWS, they are totally protected. They are quite well protected in many respects, thanks to the security that AWS implements for its infrastructure.

AWS meets compliance requirements, implements firewalls, and encrypts data in transit, to name just a few of the safeguards in place. But at the end of the day, what AWS has done is secure the parking lot and the traffic, not the vehicle itself, because the AWS cloud is only holding your images.

“Ok, but securing the OS is really a Windows problem, not a Linux problem,” some people say. It is totally accurate that Linux is much more secure by design. It is more secure for various reasons, including that hackers themselves are involved in Linux development and that exploits are fixed quickly, but it is not immune to malware.

There are fewer places for malware to hide, since most Linux software is open source. Linux systems are also designed as a multi-user environment, which means multiple people can use the machine simultaneously without affecting each other's files, preferences, and so on, so each user is granted only specific privileges and access.

If a malicious binary runs under a non-root account, an infection would likely be temporary, because the Linux kernel is memory resident and read-only. To cause any real damage, an attacker would need root access on the system. However, nothing is impossible, and Linux is still vulnerable to viruses, Trojans, worms, and cross-platform malware. Exploiting a privilege escalation vulnerability may enable infection of the entire system.

Growing popularity has its downsides, though. While it is true that Linux has a smaller market share, the number of systems is growing, especially among more mature organizations, which makes them rich targets. These systems may also store Windows-format documents on Samba or NFS servers, and those documents can contain and propagate malware. In September 2016, the Mirai malware created a massive botnet by infecting Linux devices to launch a DDoS attack against computer security journalist Brian Krebs.

How to Protect Linux

The challenge many CISOs and SysAdmins at large enterprises face is that their organization may run thousands of Amazon Linux hosts within its AWS EC2 environment. Although Amazon Linux is similar to CentOS, Amazon's modifications mean it is not similar enough, so there are fewer options to choose from when evaluating endpoint protection solutions.

Any solution must support both the Amazon Linux AMI and Amazon Linux 2. At a high level, Cylance solved the problem of meeting Amazon Linux's startup and glibc requirements, which differ from those of other Linux distributions, in order to protect it from malware and memory-based attacks. We were also able to include detection of AWS Instance IDs, making it easy to identify newly spun-up instances.

If you are an enterprise-class company running Amazon Linux, Cylance can protect your servers with our artificial intelligence-based endpoint protection solutions to keep your company safe. For more information on how we can support you today, contact sales@cylance.com.