It’s the battle against misconfigured security settings in the cloud.
U.S. Senator Ron Wyden, D-OR, had a few questions for Amazon Web Services about the Capital One data breach, especially because the Department of Defense is considering AWS for a $10 billion JEDI cloud contract.
The AWS response sent an overwhelming message to Congress and revealed new steps the company is taking when it comes to cloud security.
AWS explained its perspective on the vulnerability exploited during the incident:
"After gaining access through the misconfigured firewall and having broader permissions to access resources, we believe a Server-Side Request Forgery was used."
AWS says that, because the web application firewall (WAF) wasn't configured properly, this "front door" to resources gave the attacker access.
But it reassured Senator Wyden that it "gives clear guidance" on how to protect its systems from SSRF and develop a strong firewall.
Of the Capital One breach, AWS said: "Sometimes humans make mistakes."
At the end of the letter, AWS introduced three measures it will implement to improve security in the cloud on its services:
Cloud security is one of the hottest topics in cybersecurity right now, and it's on the agenda at each of our SecureWorld conferences this fall.
You can check out the full letter from AWS here.