April 08, 2014

We have reviewed all AWS services for impact from the issue described in CVE-2014-0160 (also known as the Heartbleed bug). With the exception of the services listed below, we have either determined that the services were unaffected or have been able to apply mitigations that do not require customer action.

Elastic Load Balancing: We can confirm that load balancers affected by the issue described in CVE-2014-0160 have been updated in all Regions except US-EAST-1. In the US-EAST-1 Region, the vast majority of load balancers have been updated and we continue to work on the remaining load balancers and expect them to be updated within the next few hours. We will update this thread when the remaining load balancers are done updating. As an added precaution, we recommend that you rotate your SSL certificates using the information provided in the Elastic Load Balancing documentation: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_UpdatingLoadBalancerSSL.html

Amazon EC2: Customers using OpenSSL on their own Linux images should update their images in order to protect themselves from the Heartbleed bug described in CVE-2014-0160. Links for instructions on how to update several of the popular Linux offerings can be found below. As an added precaution, we recommend that you rotate any secrets or keys (e.g. your SSL certificates) that were used by the affected OpenSSL process.

Amazon Linux AMI: https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/

Red Hat Enterprise Linux: https://rhn.redhat.com/errata/RHSA-2014-0376.html

Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
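Installing the updated OpenSSL package does not change the library already loaded by running processes, which keep the old copy mapped until they are restarted. The following check is an added example, not part of the AWS bulletin or the linked vendor instructions: it lists processes that still map a replaced copy of libssl or libcrypto. It assumes a Linux /proc filesystem, and the function name stale_openssl_pids is hypothetical.

```shell
#!/bin/sh
# Added example (not from the AWS bulletin): find processes that still map
# a copy of OpenSSL's shared libraries that was replaced on disk by an update.
#
# Usage: stale_openssl_pids [PROC_ROOT]
#   PROC_ROOT defaults to /proc; the parameter exists so the function can be
#   exercised against a constructed directory tree.
# Output: one "PID COMMAND" line per process that needs a restart.
stale_openssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip the unexpanded glob and processes we are not allowed to read.
        [ -r "$maps" ] || continue
        # When a mapped file is unlinked or replaced, the kernel appends
        # " (deleted)" to its path in /proc/PID/maps.
        if grep -Eq 'lib(ssl|crypto)[^/]*\.so[^/]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid_dir="${maps%/maps}"
            pid="${pid_dir##*/}"
            name="unknown"
            if [ -r "$pid_dir/comm" ]; then
                name="$(cat "$pid_dir/comm" 2>/dev/null)"
            fi
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}
```

Run it as root after updating so that every process's maps file is readable, then restart each listed service before rotating keys. Binaries that link OpenSSL statically do not appear in this output and have to be rebuilt or updated separately.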

AWS OpsWorks: To update your OpsWorks-managed instances, run the update_dependencies command for each of your stacks to pick up the latest OpenSSL packages for Ubuntu and Amazon Linux. Newly created OpsWorks instances will install all security updates at boot by default. For more information, please see: https://forums.aws.amazon.com/ann.jspa?annID=2429

AWS Elastic Beanstalk: We are working with a small number of customers to assist them in updating their SSL-enabled Single Instance Environments that are affected by this bug.

Amazon CloudFront: We have mitigated this issue. As an added precaution, we recommend that you rotate your SSL certificates using the information provided in the CloudFront documentation: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html