- Amazon Web Services is unaware of "any other noteworthy" compromises of AWS customers, the company's chief information security officer, Stephen Schmidt, said in response to an inquiry from Sen. Ron Wyden (D-OR) into AWS's role in the Capital One data breach.
- The hacker exploited a "Server-Side Request Forgery" (SSRF) vulnerability to gain access, which was amplified by abusing permissions escalation, Schmidt said. Although SSRF was not the "primary factor" in the bank's breach, "it's possible that there have been small numbers of these that haven't been escalated to us."
- Though the onus of the security gaps falls on Capital One, Schmidt said AWS is taking on several initiatives to better support customer security, including scanning the public intellectual property space for customers' firewall resources. The proactive scan will allow AWS to try to detect the presence of misconfigurations and "err on the side of over-communicating."
Capital One disclosed a data breach last month affecting 106 million customers. Its public cloud strategy and use of AWS drew criticism, though the cloud provider was quick to distance itself from responsibility.
Cloud customers, while supported by providers, have their own access management. Most of the security around the cloud is within control of the customer.
The bank had a misconfigured web application firewall (WAF), its first layer of protection, which is mostly outside AWS's purview.
AWS provides "documentation, how-to-guides and professional services" for customers' WAF set up, Schmidt said. Only customers have a true sense of "what they intended with resources under their control."
To help customers avoid the mistakes Capital One made, AWS will "redouble" its efforts to help customers adjust their "permissive permissions" to a low level, Schmidt said.
Wyden questioned the role AWS played in Capital One's breach, but AWS's response is a reminder that customers pick up the burden of security beyond the perimeter of AWS's infrastructure.
Accused hacker Paige Thompson allegedly breached more than 30 other "victim companies," law enforcement said last week. AWS contacted those companies to offer assistance and further security support, Schmidt said. Those customers have yet to report significant issues.
Capital One's exploited SSRF, however, is the only compromise of "significant scale" that AWS is aware of at this time, he said.