If a customer takes an enterprise class firewall and configures it in such a way to be insecure, is it the customer at fault or the manufacturer who "allows" its products to be used insecurely?
Whatever happened to taking responsibility for your own stuff? We aren't talking about a $40 home router bought at a box store and plugged into a cable modem, we are talking about enterprise-class device configurations that don't route ANYTHING unless being told to do so. Proper security is HARD and mistakes can happen, but this senator sounds clueless. I read his request as a demand for Amazon to deliver a list in 6 days of "all other companies that in the last 2 years have had their data pillaged while stored on AWS using both known and unknown vulnerabilities as well as misconfiguration". The scope of that question is enormous, and to expect an accurate answer in days?
I get the points about asking if there are known security-related bugs in their services or whether she used inside knowledge and access from her brief stint at Amazon to conduct the raid, but at this point I haven't even seen enough on the Capital One fiasco to know whether the misconfigured firewall even sat in the AWS cloud or was an on-premise firewall that had a tunnel to AWS. All I have seen is that Capital One (not Amazon) reconfigured the firewall to close the hole, and that she used the same VPN to hit the buckets as her GitHub account so it was trivially easy to trace her back. Neither of those makes it sound like an inside job, nor would I expect AWS to be the one heading up the forensic examination.
I'm going to wait on the dust to settle so that an after-action report supported by documentation is written and published before I draw any other conclusions, and the US Senate should too. My guess is that the investigation by the FBI is "ongoing" and it would be improper for Amazon to even answer some of those questions.