Re: [S3] users have to actively turn off security
They find it a hassle to create an AWS VPN, especially when they are an agency dev and used to working directly on LAN servers, will continue to develop the app once the intial builds have been dropped and the new VPN would need to be transferred (or second one created) for the customer. WHich will then require some configuration of their firewall ... etc..
So you just assign it a public IP, open it to the public and connect to that from the application. Works from Dev, From Test, From customer and from partners (oh and from anyone else who wishes to connect to it without you knowing).
It's just lazy (non)security. Then again it is still possible to find SQL injections floating around, even from major enterprise communication companies. So it's no surprise.
Biting the hand that feeds IT
