The Case Against AWS – And It’s Not AWS' Fault

passwordRecently the NSA, a highly secure US government entity, left an unprotected disk image loaded with classified information right out in public on AWS. The NSA left it there on an “unlisted” server, but it didn’t have a password. Thus, if you stumbled across it, or someone went looking for it (a cybersecurity person at UpGuard did just that), it was yours for the taking.

I will bypass all the ironic commentary/jokes that could/should be made and get to the point: It isn’t Amazon’s fault.

If you are dumb enough to put this out there unprotected, you get what you deserve. Don’t blame the highway commission because you drove into a tree at 200MPH.

What it does highlight, beyond human stupidity, is the ease of doing damage because no one is there to protect you from yourself. If this were any reasonable enterprise storing these records themselves, SOMEONE would be watching or protecting things like this from occurring. A security officer would have created policy that was pushed down to IT admins who would set up specific volumes that could be used for sensitive data with permissions to access that data enforced all over the place. Someone would be an adult. It’s not AWS' job to be your babysitter. It’s their job to give you what you pay forin this case, a virtual machine with a virtual disk.

Amazon executed perfectly, and by doing so, proved that you shouldn’t be using Amazon for anything that requires the tiniest bit of security. Because apparently you can’t handle it.

(For reference, see: https://www.cnet.com/news/nsa-breach-spills-over-100gb-of-top-secret-data/#ftag=CAD590a51e )

Topics: Cybersecurity AWS nsa