On Thursday, US Senators Ron Wyden (D-OR) and Elizabeth Warren (D-MA) asked the US Federal Trade Commission to examine whether Amazon Web Services may have broken the law by renting defective servers.
Their concern follows from the Capital One data theft earlier this year when a hacker accessed the financial company's AWS-hosted S3 storage buckets and obtained the personal data of around 106m customers.
Seattle-based software engineer Paige Thompson was arrested in connection with the incident in late July and has since been accused of stealing data from at least 30 organizations. A lawsuit was subsequently filed charging Capital One with security negligence and GitHub with failing to remove the technical details about the vulnerability.
The attack involved a technique known as server-side request forgery, or SSRF. Wyden and Warren suggest AWS may have failed in its legal responsibility to respond to a warning that its systems were vulnerable to SSRF.
Their letter to the FTC says that Google since 2013 and Microsoft since 2017 have provided cloud customers with SSRF defenses, while AWS's failure to do so has been the subject of discussion at industry conferences for the past five years.
"In August 2018, Amazon's security team was contacted by email by a security expert, who recommended that Amazon adopt the same cybersecurity defense against SSRF attacks already used by Google and Microsoft," they said, noting that failure to implement a process to receive and act on security vulnerability notifications from researchers has been deemed an unfair business practice by the FTC.
Amazon failed to act on this warning and has not provided an explanation, the lawmakers claim.
A copy of the 2018 email urging AWS to implement SSRF protection has been appended to the lawmakers' letter to the FTC, with the sender's name redacted. However, the letter's text suggests the sender is involved in an AWS security training challenge called flaws.cloud. The Register asked the creator of flaws.cloud, AWS consultant Scott Piper, whether he could provide any further information. We've not heard back.
In response to previous questioning from Wyden, AWS CISO Stephen Schmidt argued that the attack took advantage of the misconfiguration of an application layer firewall that Capital One installed, which was made worse by insufficiently limited permissions.
"After gaining access through the misconfigured firewall and having broader permissions to access resources, we believe a SSRF attack was used," Schmidt wrote in a letter in August, emphasizing that SSRF is one of several ways an attacker might potentially gain access to data after getting through the firewall.
In other words, whether or not SSRF played a role, the attack could not have happened if Capital One had properly set up its firewall and applied appropriate permissions.
An AWS spokesperson made a similar argument in a statement emailed to The Register.
"The letter's claim is baseless and a publicity attempt from opportunistic politicians," the AWS spokesperson said.
"As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall. The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company's systems, and could have been substituted for a number of other methods given the level of access already gained."