Hacker News new | ask | show | jobs
by Kocrachon 1947 days ago
Not to sound like a jerk but why do you think this would be some "OMG" response from AWS? This is not some sort of "hacking", this is a tool that is being used to detect whether you misconfigured API access to be overly permissive. The tools job is to find them and them "abuse" them. Its not like AWS is not aware of user misconfigurations. The issue is AWS does not provide tools to detect these very well. Tools like CloudAware also exist because of things AWS don't provide. Not like AWS isn't aware of the ability to make such tools, considering these are just crawling and attempting to use a series of already existing AWS calls.

The tool is great as a free tool and very helpful, but its also not like AWS doesn't already have the people smart enough to make something just as good, if not better. It just obviously not AWS's priority. They can just leave the blame on the user for not properly managing IAM permissions.
1 comments
dodobirdlord 1947 days ago
And yet, it now 404s on both the salesforce project and the owners own personal GitHub.
link
Kocrachon 1947 days ago
And? Thats not because "AWS" was like "OMG so smart", AWS is already well aware of this issue but lays the blame on "Shared Responsibility" and are likely annoyed that Salesforce, a partner of AWS< released this without communication.

Honestly, my guess is there was a lapse in Salesforce somewhere, where either legal or PR didn't check this because this likely goes against Salesforce and AWS NDA for their partnership. I worked as an AWS partner before, there are requirements that go into place before you can release stuff like this to the public. Plus, having worked with Salesforce as well, I assume they have a PR policy to not use the word "hacking" in tool names or description, especially in regards to partners. My company has similar rules for OSS stuff.

This was more of a bad PR / Legal issue. AWS is well aware that people misconfigure permissions...

And again... better tools and more popular tools already existed... This is not new

https://rhinosecuritylabs.com/aws/pacu-open-source-aws-explo...

link