Amazon is facing additional scrutiny for the Capital One data breach revealed in July after Senators Ron Wyden, D-Ore., and Elizabeth Warren, D-Mass., called for the Federal Trade Commission to open an investigation into the incident on Thursday. Their inquiry concerns whether Amazon Web Services' "failure to secure" servers used by Capital One "violated federal law," according to a letter sent to Joseph Simons, chairman of the FTC.
The attacker accessed the information of 106 million individuals from the U.S. and Canada using a "server-side request forgery" (SSRF) attack, according to the letter. While cloud offerings from Google and Microsoft include "mandatory protections against SSRF attacks," AWS does not. Because of its failure to deter against SSRF attacks, "Amazon shares some responsibility for the theft of data on 100 million Capital One customers."
The letter also says AWS was aware of the SSRF attack vulnerabilities since a cybersecurity researcher made a "high-profile demonstration" in 2014. A third-party researcher also notified AWS in August 2018 of the vulnerability and recommended it adopt precautions similar to Google and Microsoft.
The request for an FTC investigation follows up on an August letter from Wyden to AWS asking about the nature of the attack. In response to the attack, AWS CISO Stephen Schmidt said the company would "err on the side of over-communication" and proactively scan customers' security to deter against such mishaps.
The configurations Capital One struggled with are its responsibility to secure as part for the "shared responsibility model" companies partake in when they use cloud vendor services.
It's the difference between the security of the cloud vs. security in the cloud. Vendors make the promise they will protect all underlying hardware, storage and software that makes the cloud tick. When customers engage with cloud services, they have to ensure access is locked down and data is effectively managed.
It's a theme for cloud customers. The services have a lot of moving parts and a simple misconfiguration can cause a PR nightmare.
AWS is by far the dominant cloud provider, accounting for 47.8% of the IaaS public cloud market share in 2018. Because of its role in the market, it draws attention with even the slightest service hiccup.
The segment is a cash cow for Amazon, bringing in $8.9 billion in Q3 2019, growing 35% year-over-year, the company announced Thursday. While it pales next to Amazon's North America segment, which brought in $42.6 billion in Q3, AWS pulls in a larger operating income.
AWS had $2.3 billion in operating income in Q3; Amazon's North America earned $1.3 billion.
Even with the potential for an investigation, AWS customers are still growing their usage, which allows the segment to grow even as AWS reduces prices. There is also more room for adoption. Forrester research shows just one-fifth of enterprise applications run in the cloud.