• Alien Nathan Edward@lemm.ee
    link
    fedilink
    English
    arrow-up
    61
    ·
    8 months ago

    I work in a HIPAA-covered industry and if our AWS and GCP buckets are insecure that’s on us. Fuck Amazon, but a hammer isn’t responsible for someone throwing it through a window and a cloud storage bucket isn’t responsible for the owner putting secret shit in it and then enabling public access.

    • zalgotext@sh.itjust.works
      link
      fedilink
      arrow-up
      19
      ·
      8 months ago

      Yeah I hate Amazon as much as the next person, but this is a people/process problem, not an Amazon problem. Amazon doesn’t know or care what you put into an AWS bucket (within reason, data tracking, etc, blah blah blah). People taking classified documents and uploading it to an Internet-connected cloud service is procedurally wrong on so many levels.

        • zalgotext@sh.itjust.works
          link
          fedilink
          arrow-up
          7
          ·
          8 months ago

          No, it literally cannot be both, full stop. There should rigorous, well defined procedures and processes for handling classified data, and chiefly among those should be something along the lines of “don’t upload classified documents to a publicly-available internet-connected location/service/filestore/etc”. If it’s not, a security officer has not done their job.

        • nxdefiant@startrek.website
          link
          fedilink
          arrow-up
          1
          ·
          8 months ago

          The north east US is dotted with high (physical) security Amazon data centers . I promise those aren’t hosting files you can search Google for, if you know what I mean.

    • dejected_warp_core@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      8 months ago

      What kills me about S3 is that the use cases for publicly accessing S3 contents over HTTP have got to be vanishingly small compared to every other use of the service. I appreciate there’s legacy baggage here but I seriously wonder why Amazon hasn’t retired public S3 and launched a distinct service or control for this that’s harder to screw up.

      • capital@lemmy.world
        link
        fedilink
        arrow-up
        6
        ·
        8 months ago

        Public access is disabled by default and it warns you when you enable it. How much more idiot proof does it need to be?

        • dejected_warp_core@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          7 months ago

          Honestly, I’m for removing the option and moving that “feature” somewhere else in AWS entirely. And those warnings aren’t really a thing when using IaC. Right now it’s still a “click here for self harm” button, even with the idiot proofing around it.