The public IPs were the big part: if you had the default 0.0.0.0/0 rule allowing SSH, you’d see brute force attacks within a few seconds of launching a new instance.
VPCs gave a little more room to prevent that but the big thing was really better tooling - the average developer still doesn’t think about security enough to be trusted with the EC2 or GCP launch wizard.
I remember this. I don’t remember if it was cloud unit or something else like a pre hardened ami, but basically that - you got hammered in seconds after starting in default config so was good to take some steps right on launch.
Yeah, the official AWS AMIs have had password auth disabled for a very long time but I’m pretty sure I remember some third parties learning the hard way that setting a default password and telling people to change it isn’t good enough.
VPCs gave a little more room to prevent that but the big thing was really better tooling - the average developer still doesn’t think about security enough to be trusted with the EC2 or GCP launch wizard.