AWS Cloud Cybersecurity: Customer Errors Threaten Amazon’s Credibility

The massive Capital One data breach, disclosed July 29, allegedly involved a misconfigured Web application firewall (WAF) on Amazon Web Services (AWS).

Amazon is working hard to distance itself from the breach, communicating that AWS itself was not hacked — essentially blaming the breach on a customer that failed to properly configure the cloud firewall. In a statement to Newsweek, an AWS spokesperson said:

“AWS was not compromised in any way and functioned as designed. The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud.”

Still, the statement raises the question: Was AWS actually designed properly? If so, why do so many customers continue to misconfigure their AWS services, leaving data exposed and potentially open for a hacker to steal?

AWS: User Configuration Errors Lead to Data Leaks

In addition to the Capital One data breach, additional data leaks involving customers and contractors that misconfigured AWS include:

In Amazon’s defense, the company has taken numerous steps to help AWS customers to properly configure and secure their cloud services. The efforts include launching:

Still, user errors and customer misconfigurations continue. The latest example apparently involves the massive Capital One data breach. It makes you wonder: Is it time for Amazon to reconfigure the default settings of AWS, or add warnings when users change settings, to ensure a more secure stance for customers?

 

Comments

    Phil Kramer:

    If you employ/manage people that do NOT know what they are doing, then that is your fault.

    If you employ people that are not kept up to date with continuing education or were not properly trained:
    – the defaults won’t really matter
    – and it is your fault for giving them the responsibility

    You can have the “best” FW, but if it is not installed/configured properly it is perceived as a failure.

    Joe Panettieri:

    Hi Phil: Thanks for your readership and comment. Your views mirror many of the emails I received from readers, stressing that all IT requires properly trained professionals who know how to configure software, hardware, services, etc.

    I still wonder if there are steps that AWS can take to simplify and/or point out when data potentially remains exposed or open to prying eyes.
    -jp
