Comment by icedchai 5 days ago

If it were opt-out someone would accidentally leave it on and eventually realize that entire systems had been accidentally "backed up" and exfiltrated to S3.

SOLAR_FIELDS 5 days ago

What? The same is possible whether it's opt-in or opt-out. It's just that if you have the gateway as opt-out you wouldn't also have this problem AND a massive AWS bill. You would just have this problem.

  • Spivak 5 days ago

    The bad situation is if you created a VPC with no internet access but the hypothetical automatic VPC endpoint still let instances access S3. Then a compromised instance has a vector for data exfiltration.

  • icedchai 5 days ago

    No, with opt-in the VPC subnet is secure by default. Someone has to explicitly allow access to S3 (or anything else).
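
A defender's audit for the situation Spivak describes, as an added example that is not from the thread: it walks a constructed inventory shaped like the boto3 describe_internet_gateways / describe_vpc_endpoints responses and reports S3 gateway endpoints in VPCs that have no internet gateway attached. It goes a step beyond the thread by also checking whether each endpoint's policy is the allow-everything default, since a bucket-restricted endpoint policy is what keeps such an endpoint from being a route to an arbitrary bucket. The VPC ids, endpoint ids, policies and field subset are constructed assumptions.

```python
import json

# Constructed inventory shaped like the boto3 describe_internet_gateways and
# describe_vpc_endpoints responses (assumption: only these fields are modelled).
INTERNET_GATEWAYS = [{"InternetGatewayId": "igw-1",
                      "Attachments": [{"VpcId": "vpc-public", "State": "available"}]}]
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Principal": "*",
                            "Action": "*", "Resource": "*"}]}
ONE_BUCKET = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*",
                             "Resource": ["arn:aws:s3:::example-bucket",
                                          "arn:aws:s3:::example-bucket/*"]}]}
S3 = "com.amazonaws.us-east-1.s3"
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-1", "VpcId": "vpc-isolated", "VpcEndpointType": "Gateway",
     "ServiceName": S3, "PolicyDocument": json.dumps(ALLOW_ALL)},
    {"VpcEndpointId": "vpce-2", "VpcId": "vpc-public", "VpcEndpointType": "Gateway",
     "ServiceName": S3, "PolicyDocument": json.dumps(ALLOW_ALL)},
    {"VpcEndpointId": "vpce-3", "VpcId": "vpc-dark", "VpcEndpointType": "Gateway",
     "ServiceName": S3, "PolicyDocument": json.dumps(ONE_BUCKET)},
    {"VpcEndpointId": "vpce-4", "VpcId": "vpc-isolated", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ssm", "PolicyDocument": json.dumps(ALLOW_ALL)},
]

def vpcs_with_igw(igws):
    """VPC ids that have an internet gateway attached, i.e. not 'no internet access'."""
    return {a["VpcId"] for g in igws for a in g["Attachments"] if a.get("State") == "available"}

def is_s3_gateway(ep):
    return ep["VpcEndpointType"] == "Gateway" and ep["ServiceName"].endswith(".s3")

def policy_allows_any_bucket(policy_document):
    """True when an Allow statement covers every resource ('*'), the default endpoint policy."""
    for st in json.loads(policy_document).get("Statement", []):
        res = st.get("Resource", [])
        if st.get("Effect") == "Allow" and "*" in (res if isinstance(res, list) else [res]):
            return True
    return False

def find_s3_paths_in_isolated_vpcs(igws, endpoints):
    """S3 gateway endpoints in VPCs without an internet gateway: the route a compromised
    instance could use to reach S3. any_bucket=True means the endpoint policy does not
    restrict which buckets, so the path is usable for exfiltration to a foreign bucket."""
    online = vpcs_with_igw(igws)
    findings = [{"vpc": ep["VpcId"], "endpoint": ep["VpcEndpointId"],
                 "any_bucket": policy_allows_any_bucket(ep["PolicyDocument"])}
                for ep in endpoints if is_s3_gateway(ep) and ep["VpcId"] not in online]
    return sorted(findings, key=lambda f: f["endpoint"])
```

Against the constructed inventory it reports vpce-1 (allow-all policy, unrestricted) and vpce-3 (policy limited to one bucket), and ignores the VPC that has an internet gateway as well as the non-S3 interface endpoint.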