[thoraway1010]

This frankly doesn't match my experience and I have to say I find it unlikely.

Before going into our AWS production S3 buckets, looking at our databases for customer lists AWS seems to be pretty careful to get an OK.

Now we are being told that production customer data was normal to trawl? How in the HELL are they passing all their certs with all production data so wide open. I do customer managed keys - I mean, this is a HUGE backdoor.

Either Amazon is lying about AWS security (and has fooled a bunch of others) or routinely trawling AWS customer production workloads for data is a false statement.

[starfallg]

My understanding is that Customer Managed CMK in KMS only means that the customer has control over the key operations - like rotation, key policies, IAM policies, etc. AWS still has actual control over the KMS system and full access to the HSM.

[donor20]

Even under this definition how in the HELL are they "routinely" trawling our production data secured by these keys. I mean, does not one think that is rediculous?

This isn't amazon billing data etc (obviously I expect they analyze that carefully given they bring in billions from billing). To ROUTINELY go through AWS customer production datasets is beyond all reason.

[p0rkbelly]

No. AWS has no access to your material, nor is there a code path where they could get it.

[thoraway1010]

We just had someone claiming to work for amazon who said it was "routine" to "trawl" through CUSTOMER production data.

How are they trawling through all our buckets and databases without codepaths for access?

Again, they aren't talking about amazon data (ie, billing, support inquiries etc). They are talking about customer production data.

[flak48]

I would assume the comment you're replying to means things like resource usage patterns and costs to estimate a client's profits for example. Rather than reading actual data from S3 or a database.