by SmellyGeekBoy
2515 days ago
> Good luck proving it was our fault not yours.

Seems like it would be incredibly easy to prove that an S3 bucket was misconfigured in such a way that the data was publicly accessible. In fact this has been the case in the recent high-profile cases that I can recall.
The hacker got ephemeral keys by remotely exploiting the WAF. The WAF had no reason to have privileges to read from S3; that was a mistake.
I’m unclear if the data in the bucket was encrypted at rest, but I guess if you get keys to read, it’s a moot point.
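
An added example, not part of the thread: a least-privilege check for the mistake described in the last comment, flagging `Allow` statements in a role's IAM policy document that grant S3 read actions. The policy, the role and the action subset are constructed assumptions, and the check looks only at `Action`/`NotAction` wildcards, not at `Resource`, `Condition` or explicit `Deny` evaluation.

```python
import fnmatch

# S3 read-side actions a WAF role should not need (illustrative subset, an assumption).
S3_READ_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:ListAllMyBuckets")

def _as_list(value):
    """IAM accepts a single string/object wherever a list is valid."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _covers(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def s3_read_grants(policy):
    """Return {sid: [granted S3 read actions]} for Allow statements in a policy document."""
    findings = {}
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed patterns.
            excluded = _as_list(stmt["NotAction"])
            granted = [a for a in S3_READ_ACTIONS
                       if not any(_covers(p, a) for p in excluded)]
        else:
            patterns = _as_list(stmt.get("Action"))
            granted = [a for a in S3_READ_ACTIONS
                       if any(_covers(p, a) for p in patterns)]
        if granted:
            findings[stmt.get("Sid", f"statement-{index}")] = granted
    return findings

# Constructed policy for a hypothetical WAF instance role (not from the thread).
WAF_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
        {"Sid": "LegacyS3", "Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
        {"Sid": "Broad", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Sid": "DenyList", "Effect": "Deny", "Action": "s3:ListBucket", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for sid, actions in s3_read_grants(WAF_ROLE_POLICY).items():
        print(f"{sid}: role can {', '.join(actions)}")
```

Any finding for a role attached to an internet-facing component means that credentials taken from that component can read bucket contents.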