Onus for cloud security falls on customers, but AWS could do more, CISO says
- Amazon Web Services CISO Stephen Schmidt said the company is unaware of “any other noteworthy” compromises of AWS customers, in response to Senator Ron Wyden’s, D-Ore., inquiry into AWS’ role in Capital One’s data breach.
- Paige “erratic” Thompson exploited a “Server-Side Request Forgery” (SSRF) vulnerability to gain access, which was amplified by abusing permissions escalation, according to Schmidt. Though SSRF was not the “primary factor” in the bank’s breach, “it’s possible that there have been small numbers of these that haven’t been escalated to us.”
- Though the onus of the security gaps falls on Capital One, Schmidt said AWS is taking on several initiatives to better support customer security, including scanning public IP space for customers' firewall resources. The proactive scan will allow AWS to try to detect the presence of misconfigurations and “err on the side of over-communicating.”
Last month, Capital One disclosed a data breach impacting 106 million customers. Its public cloud strategy and use of AWS drew criticism, though the cloud provider was quick to distance itself from responsibility.
Cloud customers, while supported by providers, manage their own access controls and cloud access security brokers. Most of the security around the cloud is within the control of the customer.
The bank had a misconfigured web application firewall (WAF), its first layer of protection, which is mostly outside the realm of AWS’ oversight.
AWS provides “documentation, how-to-guides and professional services” for customers' WAF setup, Schmidt said. Only customers have a true sense of “what they intended with resources under their control.”
To help customers avoid the same mistakes Capital One made, AWS will “redouble” its efforts to help customers adjust their “permissive permissions” to a low level, according to Schmidt.
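As an added example, not part of the article or of AWS's own tooling: a small Python check that flags IAM policy statements of the over-permissive kind Schmidt refers to, shown beside a least-privilege version of the same grant. The two policy documents are constructed samples, not Capital One's configuration.

```python
import json

# Constructed sample policies (not from the article). PERMISSIVE grants every
# S3 action on every resource; SCOPED grants one action on one bucket prefix.
PERMISSIVE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-app-assets/*"}]})


def _as_list(value):
    # IAM allows a single string or a list in Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def find_permissive_statements(policy_json):
    """Return (statement_index, field, value) for every Allow statement whose
    Action is a full or service-wide wildcard or whose Resource is '*'."""
    findings = []
    doc = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            # "*" grants everything; "svc:*" grants a whole service.
            if action == "*" or action.endswith(":*"):
                findings.append((i, "Action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "Resource", resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("PERMISSIVE", PERMISSIVE), ("SCOPED", SCOPED)):
        print(name, find_permissive_statements(policy))
```

A role reachable through an SSRF-exposed metadata credential is only as dangerous as the statements attached to it, so this kind of wildcard audit is one concrete way to act on the “permissive permissions” point above.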
Though Wyden questioned the role AWS played in Capital One’s breach, the episode is a reminder that AWS’ security stops at the perimeter of its infrastructure. Customers pick up the security from there.
Last week, law enforcement disclosed Thompson had breached more than 30 other “victim companies,” with data stored on servers in her bedroom. AWS contacted those companies to offer assistance and further security support, said Schmidt. Those customers have yet to report significant issues.
The SSRF exploited at Capital One, however, is the only compromise of “significant scale” AWS is aware of at this time, he said.