by tmotwu 2012 days ago
It was only a year ago since the most recent, one of several, leaks associated with AWS/S3. Have people forgotten?

I'm aware of several leaks that were basically "account holder left bucket wide open"

Some of that is on AWS for initially making the defaults too open, but at the end of the day, S3 was doing what it was told.

Is there some case where S3 was locked down, and the data still leaked?

Yes, that is what leakage is. Even the SolarWinds breach was likely made possible due to a cloud leak. Not a strong argument for cloud setups.

> Even the SolarWinds breach was likely made possible due to a cloud leak

What? Their internal build system was compromised and the password for the FTP that hosted their software updates was "solarwinds123"

This had nothing to do with the cloud/an issue with a cloud provider.

> password for the FTP that hosted their software updates was "solarwinds123"

Secrets in a public github repository are a leak, in the cloud.

> Secrets in a public github repository are a leak, in the cloud.

Someone uploading their secrets to GitHub has nothing to do with the cloud and everything to do with the incompetence of the people using it.

"This is the cloud's fault because one of our engineers made a mistake and 'the cloud' didn't stop them!" does not really hold up.

If you're referring to the Capital One incident, that had nothing to do with AWS. Their systems behaved as intended. It was an error in the implementation of Capital One's systems.

OP suggests cloud setups with AWS are inherently secure due to practice, but many past breaches demonstrate otherwise.

Your misinterpretation of their comment is the source of your confusion: note that they said “a lot” and “more secure”, not perfect. There are many more breaches of on-premise systems but we don’t say that those are too risky to use — it all comes down to cost. One big advantage that cloud environments have is that you can assume everything is API-driven and there are off-the-shelf tools to look for common problems like the Capital One WAF setup. You certainly can do that on-premise but you have more work to do and the bespoke nature of the environment makes misunderstandings easier.

Having trouble finding a reference since the search terms aren't too friendly (lots of targeted ads though), was there one where it wasn't an account configuration issue?