After Capital One Data Hack, AWS Will Scan for Misconfigurations

After the recent hack of Capital One data stored on Amazon Web Services Inc. (AWS) infrastructure, which was enabled by a user-misconfigured firewall, the cloud giant said it will proactively scan for such issues.

As we reported last week, AWS and others were named as defendants in multiple lawsuits after a hacker took advantage of the misconfigured firewall to launch a server-side request forgery (SSRF) attack to gain access to Capital One data.

For years, AWS has been plagued by a continuing series of well-publicized hacks and discoveries of open data stores on the cloud platform, with nearly all such incidents enabled by user misconfigurations, often on AWS S3 storage buckets.

After the Capital One hack, AWS disclosed its new, more proactive scanning strategy in response to questions about the incident from U.S. Sen. Ron Wyden.

After responding to individual questions about the hack from Wyden, AWS's Stephen Schmidt, chief information security officer, said, "While the Capital One attack happened due to the application misconfiguration mentioned above, there are several actions AWS will take to better help our customers ensure their own security." These include:

  • AWS will proactively scan the public IP space for customers' firewall resources to try and assess whether they may have misconfigurations.
  • AWS will redouble efforts to help customers set the least permissive permissions possible.
  • AWS will push harder to make its Macie and GuardDuty anomaly detection services more broadly adopted and accessible across all regions.

"We will look at additional 'belt and suspenders' we can add to subsystems deeper in our stack (like the instance metadata service) to provide even more protection for customers," Schmidt said. "Security will always continue to evolve at a rapid pace, and we will surely find other areas we can improve moving forward. But, you can rest assured that we will learn from this event alongside our partner, and be relentless in continuing to evolve our services over time."

According to Capital One, the breach affected some 100 million people in the U.S. and another 6 million in Canada. The company provided more information on the incident here and here.

After the incident, AWS said its cloud platform was not compromised in any way and functioned as it was designed.

About the Author

David Ramel is an editor and writer for Converge360.

