A friend just forwarded me this e-mail he received from the Amazon EC2 Security Team.

http://pastebin.com/q1VH4rmF

Looks like a public Ubuntu EC2 image was available that included an SSH key to allow the publisher to log into any instance that is using this image as root.
Hi there, I originally made this AMI and I would like to apologise to anyone whose instance has been taken offline because they used this image.

Through inexperience I left my public SSH key in the AMI, which I failed to appreciate the implications of despite a blog comment highlighting that I'd done so.

For the record I'd like to state that I didn't use my unintended powers of root at any point for good or evil.

This post stands as a good education of why it's worth checking images of unknown provenance and how to check your public key store for credentials.

This issue will mainly affect anyone who wanted an AMI to check out Amazon's free tier which has a 10GB limit on EBS.
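Added example, not part of the original thread and not the AMI author's code: one way to do the check the comment above mentions, listing every key in the `authorized_keys` files under a mounted image (or a running instance's `/`) with its SHA256 fingerprint so entries you did not put there stand out. The file names are the OpenSSH defaults, and the `expected` allowlist and function names are assumptions of this example.

```python
import base64, hashlib, os, re, struct, sys

# [options] keytype base64-blob [comment]; options may contain quoted spaces.
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$")
KEY_FILES = {"authorized_keys", "authorized_keys2"}  # OpenSSH default file names

def parse_line(line):
    """Return (keytype, SHA256 fingerprint, comment) for one key line, else None."""
    line = line.strip()
    if line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    if not m:
        return None
    keytype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # The blob begins with a length-prefixed copy of the key type; reject mismatches.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != keytype.encode():
        return None
    digest = hashlib.sha256(blob).digest()
    # Same form as `ssh-keygen -lf` output: unpadded base64 of SHA-256 over the blob.
    return keytype, "SHA256:" + base64.b64encode(digest).decode().rstrip("="), comment

def audit(root, expected=frozenset()):
    """Walk root and return (path, line, keytype, fingerprint, comment) for keys not in expected."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(KEY_FILES.intersection(files)):
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="replace") as fh:
                    lines = fh.readlines()
            except OSError:
                continue  # unreadable file: run as root on the image to see everything
            for lineno, line in enumerate(lines, 1):
                entry = parse_line(line)
                if entry and entry[1] not in expected:
                    findings.append((path, lineno) + entry)
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, lineno, keytype, fp, comment in audit(root):
        print(f"{path}:{lineno}: {keytype} {fp} {comment}")
```

If `sshd_config` on the image sets `AuthorizedKeysFile` to a different path, that location needs checking as well.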
paulofisch - are you planning to make a replacement AMI that does not include the security hole, for those of us who still want to use Ubuntu 10.04 server?