
Amazon's access control and authorization system is the current most important broken thing in the industry.

The Joe Sullivan details are the lurid stuff that propels news story copy, but the important takeaway is that almost nobody, including companies with serious investments in security, can safely get a large-scale dev team deploying onto AWS.

This story keeps getting re-told, and has been for something like 5 years now. It's a problem, and it needs to get fixed, decisively.



Full disclosure: I'm the founder of CloudSploit[1] which aims to reduce these risks.

You're definitely on to something here. While I wouldn't call AWS security "broken," it is next to impossible to implement it correctly in any medium to large size business. There are 30+ services that AWS provides, each with an infinite number of security controls, JSON-based policies, etc. Cross-service access is even worse. Almost every service has some form of sub control that extends or complements the main security tool (IAM). KMS has key policies, ECR has registry policies, SNS has delivery policies, etc. S3 has perhaps the most confusing permission policy in existence, which has led to scores of high profile hacks this year alone.

There are 12+ public regions now, with more coming every few months, each fully enabled, yet segregated within the UI and API (which makes detecting attackers who have embedded themselves in unused regions more difficult).

All it takes is literally one typo in a single user's policy and leaked credentials and your environment is completely compromised. Recovery is next to impossible without basically starting from scratch because you'll never find every tiny hole the attacker left as a backdoor for later without combing through GB of CloudTrail logs.

Now take all that, put it in an organization with 500+ engineers and you can see how easy it is for this to happen. Think you're safe by putting each team in their own account? Well AWS supports cross account role provisioning and engineers can easily set that up within their accounts. The spider web of issues is endless.

[1] https://cloudsploit.com
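One defensive check for the "one typo in a single policy" failure mode this comment describes, as an added example that is not CloudSploit's code or anything posted in the thread: a small Python linter that flags Allow statements relying on wildcards, run over a constructed S3 bucket policy beside its corrected form. The bucket name, account id and role name are placeholders.

```python
import json

# Constructed sample policies (not from the thread): the weak one grants every
# principal every S3 action; the fixed one names a single role and two actions.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppAccess", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppAccess", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

def _as_list(value):
    # Policy documents allow a bare string wherever a list of strings is valid.
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    # Resource policies (S3, KMS, SNS, ...) carry a Principal; identity policies do not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def find_overbroad_statements(policy_json):
    """Return [(Sid, [reasons])] for Allow statements that rely on wildcards."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        reasons = []
        if _wildcard_principal(stmt.get("Principal")):
            reasons.append("wildcard Principal")
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            reasons.append("wildcard Action")
        if "*" in _as_list(stmt.get("Resource", [])):
            reasons.append("Resource is *")
        if reasons:
            findings.append((stmt.get("Sid", "<no Sid>"), reasons))
    return findings

if __name__ == "__main__":
    print(find_overbroad_statements(WEAK_POLICY))   # [('AppAccess', ['wildcard Principal', 'wildcard Action'])]
    print(find_overbroad_statements(FIXED_POLICY))  # []
```

A check like this belongs in the pipeline that applies policies, so a wildcard is rejected before it reaches the account rather than found in CloudTrail afterwards.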


> While I wouldn't call AWS security "broken," ...

That doesn't match with the rest of your comment. At all. What would you call broken, then?


The security itself is sound. AWS has very very few security incidents where their security was compromised. KMS hasn't been broken (to anyone's public knowledge). If you mark an S3 bucket as private, they've never been accidentally exposed at the fault of AWS.

The issue is in the user's use of the security features. Do you call bcrypt broken if someone uses a weak password and only 1 round of salting? Do you call TLS broken if someone misconfigures their NGINX installation?



