Hacker News: giggzy2's comments

Brilliant


Interestingly, the author of that Netflix article had joined Capital One about a month before the incident.


CapOne also maintains Cloud Custodian, which a lot of people use to great effect to help prevent stuff like this.

Ultimately I think it just shows that securing cloud infrastructure is difficult to do consistently when you move quickly and broadly at scale. It also shows that the specific mechanism for authenticating EC2 instances had some design issues. These have been known about for a long time of course and it is kind of disappointing how long it took AWS to do something about it.


Cloud Custodian is maintained by the community; Capital One has not had any maintainers on staff for around a year, though they still use it and occasionally contribute PRs. The major contributors and maintainers over the last year have been the cloud providers. The community has been working with Capital One to move it into the CNCF in 2020.


Huge fan working with you on one issue and glad to see you are everywhere setting the record straight, Kapil!


I stand corrected by an authority on the subject. :)


The S3 bucket was not public.

The hacker got ephemeral keys by remotely exploiting the WAF. The WAF had no reason to have privileges to read from S3, that was a mistake.

I'm unclear if the data in the bucket was encrypted at rest, but I guess if you get keys to read it, it's a moot point.
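The over-privileged role described above (a WAF host whose instance credentials could read S3) is the kind of thing a policy audit catches before an incident. The following is an added example, not code from the comment or from Capital One or Cloud Custodian: it scans an IAM policy document for Allow statements that reach S3 read actions, wildcard-aware. The policy document is constructed for illustration.

```python
import fnmatch
import json

# Constructed example: an instance-profile policy like one a WAF host might carry.
# The second statement is the mistake the comment describes: S3 access the WAF never needed.
WAF_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["wafv2:GetWebACL", "logs:PutLogEvents"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})

# S3 actions that let a caller read bucket contents; extend as needed.
S3_READ_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:GetObjectVersion")


def _as_list(value):
    # IAM allows a single string or a list in Action / Statement positions.
    return value if isinstance(value, list) else [value]


def s3_read_grants(policy_json):
    """Return the Allow statements whose Action patterns cover any S3 read action.

    Matching mirrors IAM: case-insensitive, with '*' and '?' wildcards ("s3:*", "s3:Get*", "*").
    NotAction statements grant everything not listed, so they are flagged for manual review.
    """
    doc = json.loads(policy_json)
    hits = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            hits.append({"statement": stmt, "reason": "NotAction grants everything else; review manually"})
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            matched = [a for a in S3_READ_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern.lower())]
            if matched:
                hits.append({"statement": stmt, "reason": f"{pattern!r} covers {matched}"})
                break
    return hits


def least_privilege_ok(policy_json):
    """True when no Allow statement in the policy reaches S3 read actions."""
    return not s3_read_grants(policy_json)


if __name__ == "__main__":
    for hit in s3_read_grants(WAF_ROLE_POLICY):
        print(hit["reason"])
```

Run against every policy attached to a role (inline and managed) rather than a single document, since the effective permissions are their union.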


Language compare and contrast is what's interesting to me.

I don't use either day to day but have had some exposure to both. I think both languages will have an influence on the future of language design at a minimum. Doubtful Perl does a phoenix routine, but weirder things have happened.


Interesting, confirmed my bias from a read of the abstract.

