Reply to post: Re: S3 bucket default is *private* to that account

Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records

Adam 52 Silver badge

Re: S3 bucket default is *private* to that account

"The fact that AWS was said to send out reminders of misconfiguration"

I'm not sure how often AWS do this in all honesty. I've had one, about a month ago, in 5 years of using AWS (and we've had deliberately open buckets for about 2 years, because we have developers who can't cope with authentication and we're publishing it to the Internet anyway).

Securing s3 buckets properly is hard though. Configuring vpc access only involves modifying the subnet routing table and setting deny rules on the bucket security groups. I bet I'm one of the very few have actually done this.

And then a whole load of AWS stuff stops working (lambda, for example, until recently - the new AWS toys are released without VPC support initially).

And then you get into all the Big Data and EMR stuff, which doesn't support application level encryption.

Redshift Spectrum, a Data Warehouse technology, launched without (and still doesn't have) encryption or VPC support.

The combination of AWS products not understanding encryption and not understanding VPCs leads the lazy to rely on just IAM, and IAM is so easy to get wrong. As I've said before here, their documentation often recommends grant * to *, which isn't helpful.

Security comes through multiple layers. In their rush to get products out AWS tend to start without those layers.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2020