darkwater 5 days ago

I think they know it. They are complaining it's not enabled by default (and so do I).

  • otterley 5 days ago

    AWS VPCs are secure by default, which means no traffic traverses their boundaries unless you intentionally enable it.

    There are many IaC libraries, including the standard CloudFormation VPC template and CDK VPC class, that can create them automatically if you so choose. I suspect the same is also true of commonly-used Terraform templates.

  • hylaride 5 days ago

    As others have pointed out, this is by design. If VPCs have access to AWS resources (such as S3, DynamoDB, etc.), an otherwise locked down VPC can still have data leaks to those services, including to other AWS accounts.

    It's a convenience vs. security argument, though the documentation could be better (including via AWS recommended settings if it sees you using S3).
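The leak path described above (a locked-down VPC whose S3 gateway endpoint still lets workloads write to buckets in other accounts) is usually closed with a VPC endpoint policy rather than by skipping the endpoint. The following is an added illustration, not code from anyone in this thread; the account ID and bucket name are constructed placeholders, and the audit function encodes one reviewer's checks, not an AWS-supplied rule set.

```python
import json

# Constructed sample values (not from the thread): an example account ID and bucket.
ACCOUNT_ID = "111122223333"
BUCKET = "example-internal-data"

# The policy AWS attaches to a gateway endpoint when none is supplied: full access
# to any S3 resource, including buckets owned by other accounts.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}


def hardened_endpoint_policy(account_id: str, buckets: list[str]) -> dict:
    """Build an endpoint policy that only allows S3 calls against the listed
    buckets, and only when the bucket belongs to our own account. The
    aws:ResourceAccount condition is what blocks copying data into a bucket
    that someone else owns in another account."""
    resources = []
    for b in buckets:
        resources += [f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
            "Condition": {"StringEquals": {"aws:ResourceAccount": account_id}},
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def endpoint_policy_findings(policy: dict) -> list[str]:
    """Audit an endpoint policy document and return the reasons (if any) it would
    let a workload inside the VPC reach S3 buckets outside the account."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        cond = json.dumps(st.get("Condition", {}))
        if "*" in _as_list(st.get("Resource", [])) and "aws:ResourceAccount" not in cond:
            findings.append(f"statement {i}: Resource '*' with no aws:ResourceAccount condition")
        if any(a in ("*", "s3:*") for a in _as_list(st.get("Action", []))):
            findings.append(f"statement {i}: Action '{st.get('Action')}' grants every S3 operation")
    return findings
```

Running `endpoint_policy_findings` over the endpoint policies in an account (for example, from `describe-vpc-endpoints` output) flags endpoints still carrying the wide-open default.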

  • conradludgate 4 days ago

    I've been testing our PrivateLink connectivity at work in the past few weeks. This means I've been creating and destroying a bunch of VPCs to test the functionality. The flow in the AWS console when you select the "VPC and more" wizard does have an S3 Gateway enabled by default.

SOLAR_FIELDS 5 days ago

The problem is that the default behavior for this is opt-in, rather than opt-out. No one prefers opt-in. So why is it opt-in?

  • icedchai 5 days ago

    If it were opt-out someone would accidentally leave it on and eventually realize that entire systems had been accidentally "backed up" and exfiltrated to S3.

    • SOLAR_FIELDS 5 days ago

      What? The same is possible whether it's opt-in or opt-out. It's just that if you have the gateway as opt-out you wouldn't also have this problem AND a massive AWS bill. You would just have this problem.

      • Spivak 5 days ago

        The bad situation is if you created a VPC with no internet access but the hypothetical automatic VPC endpoint still let instances access S3. Then a compromised instance has a vector for data exfiltration.

      • icedchai 5 days ago

        No, with opt-in the VPC subnet is secure by default. Someone has to explicitly allow access to S3 (or anything else).

  • otterley 5 days ago

    AWS VPCs are secure by default, which means no traffic traverses their boundaries unless you intentionally enable it.

    • SOLAR_FIELDS 5 days ago

      "The door is locked, so instead of suggesting to the end user that they should unlock the door with this key that we know how to give the end user deterministically, we instead tell them to drive across town and back on our toll roads and collect money from it"

      This has been a common gotcha for over a decade now: https://www.lastweekinaws.com/blog/the-aws-managed-nat-gatew...

      • otterley 5 days ago

        Speaking solely on my own behalf: I don't know a single person at AWS (and I know a lot of them) who wants to mislead customers into spending more money than they need to. I remember a time before Gateway Endpoints existed, and customers (including me at the time) were spending tons of money passing traffic through pricey NAT Gateways to S3. S3 Gateway Endpoints saved them money.

        • SOLAR_FIELDS 5 days ago

          Clearly you guys are aware of the problem though. I mean, every time this thing happens there's probably a ticket. I personally filed one myself years ago when it happened to me. So why has the behavior not changed? You don't have to give up security to remove this footgun; it's possible to remove it and still make it an opt-in action for security purposes.

hinkley 5 days ago

Your job depends upon you misunderstanding the problem.