As the year wraps up, let's run through some of the worst public security mistakes and delays in fixes by AWS in 2020. A thread.

First, that time when an AWS employee posted confidential AWS customer information, including AWS access keys for those customer accounts, to GitHub.
https://t.co/3Y7vgOwDtV
Discovery by @SpenGietz that you can disable CloudTrail without triggering GuardDuty by using cloudtrail:PutEventSelectors to filter all events. https://t.co/pR4TzI5xHV
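Since GuardDuty does not flag this, the practical mitigation is to watch CloudTrail's own management events for PutEventSelectors calls that shrink a trail's coverage. The detector below is an added example, not code from the thread or from AWS; the records are constructed to mirror the field names CloudTrail uses (trailName, eventSelectors, readWriteType, includeManagementEvents), and that shape is an assumption.

```python
import json

# Constructed CloudTrail records (not real logs): a benign PutEventSelectors
# call, one that would blind the trail, and an unrelated S3 event.
SAMPLE_RECORDS = json.loads("""[
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
  "requestParameters": {"trailName": "org-trail", "eventSelectors":
    [{"readWriteType": "All", "includeManagementEvents": true}]}},
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/mallory"},
  "requestParameters": {"trailName": "org-trail", "eventSelectors":
    [{"readWriteType": "ReadOnly", "includeManagementEvents": false}]}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
  "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}}
]""")

def coverage_gaps(selectors):
    """Return the event classes a trail would stop recording; CloudTrail
    keeps an event when any selector matches, so a gap needs all to miss."""
    if not selectors:
        return ["no event selectors configured"]
    mgmt = any(s.get("includeManagementEvents", True) for s in selectors)
    types = {s.get("readWriteType", "All") for s in selectors}
    gaps = []
    if not mgmt:
        gaps.append("management events excluded")
    if not types & {"All", "WriteOnly"}:
        gaps.append("write (mutating) API calls not recorded")
    if not types & {"All", "ReadOnly"}:
        gaps.append("read-only API calls not recorded")
    return gaps

def find_trail_tampering(records):
    """Flag PutEventSelectors calls whose new selectors narrow a trail."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "cloudtrail.amazonaws.com"
                or rec.get("eventName") != "PutEventSelectors"):
            continue
        params = rec.get("requestParameters") or {}
        gaps = coverage_gaps(params.get("eventSelectors") or [])
        if gaps:
            findings.append({"trail": params.get("trailName"),
                             "actor": rec.get("userIdentity", {}).get("arn"),
                             "gaps": gaps})
    return findings
```

Run over the sample, only the second record is reported: management events are excluded and write calls are no longer recorded, which is exactly the configuration that hides later activity.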
Amazon launched their bug bounty, but specifically excluded AWS, which has no bug bounty. https://t.co/bPSw6GbnoV
Repeated examples, over and over again, of AWS having no change control over their managed IAM policies, including the mistaken release of CheesepuffsServiceRolePolicy, AWSServiceRoleForThorInternalDevPolicy, AWSCodeArtifactReadOnlyAccess.json, AmazonCirrusGammaRoleForInstaller.
The worst IAM policy mistake came later in the year with ReadOnlyAccess purging all of its privileges to replace them with read/write access to Cassandra. https://t.co/YI4Y32UPAR
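A customer-side check that would have caught this regression: diff successive versions of a managed policy and lint anything newly granted against a read-only verb list. This is an added example, not AWS's policy text or tooling; the before/after documents are constructed to model the incident, and the read-only prefix list is a heuristic assumption since AWS publishes no formal read-only marker.

```python
import json

# Verb prefixes a read-only managed policy is expected to grant.
# Heuristic assumption: AWS has no formal read-only marker for actions.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Lookup", "Search", "View")

# Constructed before/after documents modelled on the incident (not AWS's text).
READONLY_BEFORE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*",
   "iam:Get*", "iam:List*"], "Resource": "*"}]}""")
READONLY_AFTER = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "cassandra:*", "Resource": "*"}]}""")


def allowed_actions(policy):
    """Collect every action granted by Allow statements (string or list form)."""
    actions = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be un-listed
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        act = stmt["Action"]
        actions.update([act] if isinstance(act, str) else act)
    return actions


def non_read_actions(actions):
    """Return actions that could mutate state: bare wildcards, service-wide
    wildcards, or verbs outside the read-only prefix list."""
    flagged = set()
    for action in actions:
        _, _, verb = action.partition(":")
        if action == "*" or verb in ("", "*") or not verb.startswith(READ_ONLY_PREFIXES):
            flagged.add(action)
    return flagged


def diff_policy_versions(old, new):
    """Report what a new version of a managed policy removed and added."""
    before, after = allowed_actions(old), allowed_actions(new)
    return {"removed": sorted(before - after), "added": sorted(after - before),
            "added_non_read": sorted(non_read_actions(after - before))}


if __name__ == "__main__":
    print(json.dumps(diff_policy_versions(READONLY_BEFORE, READONLY_AFTER), indent=2))
```

Against the constructed versions the diff shows every read action removed and a single service-wide wildcard added, which is the signal a policy-monitoring job should alert on before anything attaches the new version.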
Kesten shows a flaw in how many vendors use IAM roles. Although not technically a mistake by AWS (shared responsibility blah blah blah), this is something AWS is entirely capable of identifying and pushing vendors to correct, but did nothing. https://t.co/8KSZegSKqn
AWS finally fixed a deficiency in the Route 53 and VPC APIs where if an attacker rerouted traffic via private hosted zones, you would not be able to audit for it. I list this here because this deficiency existed for 6 years! https://t.co/n3tnxEH1Lt
XSS on the web console. This issue was reported and fixed a few years ago but never disclosed until this year. https://t.co/6LksOQkXLw
Discovery that in the terms and conditions of AWS, when using machine learning services, AWS will use your data to improve their services and move that data outside of the regions you put it in. This was added to the terms in late 2017 but not noticed. https://t.co/kZd8s4yCZc
Crypto vulns found in AWS SDKs by Google employee @SchmiegSophie
https://t.co/D8w7mtR5yV
AWS finally provides a fix for the HTTP desync issues that had been reported to them almost a year prior: https://t.co/8tXOoFArw3 and https://t.co/9hXvh6dEZh
AWS released CloudTrail Insights as a separate service, instead of integrating that functionality into GuardDuty. https://t.co/Z2TCcl9bpI 🍕🍕
AWS continues to make a mess of their managed IAM policies, creating AWS_Config_Role, AWS_ConfigRole, AWSConfigRole and AWSConfigServiceRolePolicy, along with 3 versions of AmazonMachineLearningRoleforRedshiftDataSource https://t.co/aK4c6ZVmYj https://t.co/Dao9JuXydU
Aiden manages to gain access to an AWS account run by AWS for one of their services where he was then able to see credentials to gain access to AWS customer accounts. This is IMHO the most epic issue of the year for AWS. https://t.co/qucuKEzNd3
Karim does a security audit of an AWS project that points out enough issues that AWS deprecates the project. https://t.co/jBLzEMJ5KX
Another Google employee continues the trend of doing free work for AWS by finding more crypto issues: https://t.co/cjUV54g5ZE
Ian finds tagging privileges are not properly enforced by AWS calling into question the ability to use ABAC as a security boundary. https://t.co/buuMhoQjL5
Nick discovers a trick to test whether you have access to about 40 services without that testing being logged by CloudTrail. https://t.co/KJEjoiGuPm
AWS rolls out a new S3 web console which unfortunately once again allows people to set the "AuthenticatedUsers" ACL, which they haven't had in the console since 2017 because it is always misunderstood and wrong. https://t.co/VmKWySZtwE
AWS released their SOC 2 Type 2 for April-Sep 2020, with concerning issues in it. Unfortunately you aren't allowed to discuss these reports, but the issues are on page 120 and 121.
That wraps things up. Let's hope AWS figures out wtf they are doing with IAM managed policies next year.

End.
