Amazon Advises me to be Responsible with Tomcat

I just received an email from Amazon concerning proper security around Tomcat. Here is part of the message:

You can avoid being vulnerable to attackers by following the below best practices to increase the security of your Tomcat installation:

  1. Ensure that the version of Tomcat you are using is up to date and does not have any known or unaddressed security vulnerability. You can find a list of vulnerabilities by version on the Apache Tomcat website at: http://tomcat.apache.org/security.html.

  2. If you have enabled administrator or manager user accounts with access to the Tomcat Manager application (managed within the tomcat-users.xml file), ensure they are given appropriately complex passwords and difficult to guess usernames. Additional information regarding configuring access to Tomcat Manager can be found here:

     • For Tomcat 6.0, see http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Configuring_Manager_Application_Access
     • For Tomcat 7.0, see http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Configuring_Manager_Application_Access
     • For Tomcat 8.0, see http://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Configuring_Manager_Application_Access

  3. Verify that you are implementing the recommended security guidelines for your Tomcat installation. For some of the later versions, you may find the following guides helpful:

     • For Tomcat 6.0, see http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html
     • For Tomcat 7.0, see http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
     • For Tomcat 8.0, see http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html

  4. Subscribe to Apache Tomcat’s mailing list for the latest security updates by visiting: http://tomcat.apache.org/lists.html

Additional assistance and documentation related to AWS security best practices may be found at: http://media.amazonwebservices.com/Whitepaper_Security_Best_Practices_2010.pdf
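Point 2 of the notice is the one you can actually audit from a config file. As an added example (not part of Amazon's message or of Tomcat itself), here is a small Python check that parses a tomcat-users.xml and flags accounts holding Manager or Host Manager roles that use a guessable username or a simple password. The sample XML, the role prefixes and the complexity policy are constructed assumptions; it treats passwords as plaintext, so digested credentials would need a separate check.

```python
import re
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager web applications.
PRIVILEGED_ROLE_PREFIXES = ("manager-", "admin-")
# Usernames that ship in default configs, tutorials and common wordlists.
GUESSABLE_USERNAMES = {"tomcat", "admin", "administrator", "manager", "root", "test"}
MIN_PASSWORD_LENGTH = 12

# Constructed sample tomcat-users.xml (not a real deployment): tutorial defaults, one acceptable account, one unprivileged account.
SAMPLE_TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="reporting"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy-ci-7f3a" password="Vq8#kLm2!pRz9wXe" roles="manager-script"/>
  <user username="analyst" password="short" roles="reporting"/>
</tomcat-users>
"""


def password_is_complex(password: str) -> bool:
    """Minimum length plus at least three of four character classes (assumed policy)."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, password)) for p in patterns)
    return len(password) >= MIN_PASSWORD_LENGTH and classes >= 3


def audit_tomcat_users(xml_text: str) -> list[str]:
    """Return one finding per problem on a privileged account; an empty list means clean."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Strip the namespace so the default xmlns in tomcat-users.xml does not matter.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if not any(r.startswith(PRIVILEGED_ROLE_PREFIXES) for r in roles):
            continue  # only Manager / Host Manager accounts are in scope
        name, password = el.get("username", ""), el.get("password", "")
        if name.lower() in GUESSABLE_USERNAMES:
            findings.append(f"{name}: guessable username on a privileged account")
        # Assumes plaintext passwords; digested values (CredentialHandler) need a separate check.
        if not password_is_complex(password):
            findings.append(f"{name}: password does not meet the complexity policy")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_tomcat_users(SAMPLE_TOMCAT_USERS_XML)) or "no findings")
```

Run it against the real file with `audit_tomcat_users(open("conf/tomcat-users.xml").read())`; unprivileged accounts are deliberately ignored so the report stays focused on what the Manager application exposes.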