| ▲ | SOLAR_FIELDS 5 days ago |
| The problem is that the default behavior for this is opt-in, rather than opt-out. No one prefers opt-in. So why is it opt-in? |
|
| ▲ | icedchai 5 days ago | parent | next [-] |
| If it were opt-out someone would accidentally leave it on and eventually realize that entire systems had been accidentally "backed up" and exfiltrated to S3. |
| |
| ▲ | SOLAR_FIELDS 5 days ago | parent [-] | | What? The same is possible whether it's opt-in or opt-out. It's just that if you have the gateway as opt-out you wouldn't also have this problem AND a massive AWS bill. You would just have this problem. | | |
| ▲ | Spivak 5 days ago | parent | next [-] | | The bad situation is if you created a VPC with no internet access but the hypothetical automatic VPC endpoint still let instances access S3. Then a compromised instance has a vector for data exfiltration. | |
| ▲ | icedchai 5 days ago | parent | prev [-] | | No, with opt-in the VPC subnet is secure by default. Someone has to explicitly allow access to S3 (or anything else.) |
|
|
|
| ▲ | otterley 5 days ago | parent | prev [-] |
| AWS VPCs are secure by default, which means no traffic traverses their boundaries unless you intentionally enable it. |
| |
| ▲ | SOLAR_FIELDS 5 days ago | parent [-] | | "The door is locked, so instead of suggesting to the end user that they should unlock the door with this key that we know how to give the end user deterministically, we instead tell them to drive across town and back on our toll roads and collect money from it" This has been a common gotcha for over a decade now: https://www.lastweekinaws.com/blog/the-aws-managed-nat-gatew... | | |
| ▲ | otterley 5 days ago | parent [-] | | Speaking solely on my own behalf: I don't know a single person at AWS (and I know a lot of them) who wants to mislead customers into spending more money than they need to. I remember a time before Gateway Endpoints existed, and customers (including me at the time) were spending tons of money passing traffic through pricey NAT Gateways to S3. S3 Gateway Endpoints saved them money. | | |
| ▲ | SOLAR_FIELDS 5 days ago | parent [-] | | Clearly you guys are aware of the problem though. I mean, every time this thing happens there's probably a ticket. I've personally filed one myself years ago when it happened to me. So why has the behavior not changed? You don't have to give up security to remove this footgun, it's possible to remove it and still make it an opt-in action for security purposes. |
|
|
|
