back to article AWS strains to make Simple Storage Service not so simple to screw up

Amazon wants you to know that it's not to blame for the data you've exposed though its cloud storage service. AWS Simple Storage Service (S3) is, after all, simple. No doubt you tried to keep your data secure. But let's face it, in the sixteen years S3 has been available, the cloud-based data storage service hasn't been simple …

  1. captain veg Silver badge

    well, der

    Storage in "the cloud", i.e. "the internet" is all very well, probably convenient, possibly cost-effective, but it requires that somebody be able to access it over the internet. Then it gets hard.

    It's USB memory sticks all the way for me. Hmm, maybe encrypted.

    -A.

    1. Dave_A

      Re: well, der

      Can't really run an enterprise application off USB sticks ...

      1. captain veg Silver badge

        Re: well, der

        In my first job we shipped enterprise applications that ran in 30MB of disk and 512KB of RAM. We didn't have USB sticks, but if we had, that would have been unbelievable luxury.

        -A.

        1. Anonymous Coward
          Anonymous Coward

          Re: well, der

          The first commercial product I wrote ran from an 8K EEPROM and needed about 4K of RAM to use along with (usually) an 800K floppy for storage. 512K would have been unbelievable ;-)

  2. anothercynic Silver badge

    Funny that...

    ... I had my first experience(s) with S3 this year... that interface is utterly, utterly crap. It truly boggles the mind. No wonder newbie admins for S3 cock it up left, right and centre.

    1. Claptrap314 Silver badge

      Re: Funny that...

      I agree that S3's control interface is a huge wreck. (15 months here) What I DON'T agree with is at someone can make the access public "by accident". You have to either be a ******* yourself & either not read or not bother to understand what you are doing, or you do it intentionally.

      It's almost a shame that when these things blow up, it's not literally in the face of the culprits.

  3. ronkee

    Making a bucket private is really simple, it's default.

    Adding more complexity and additional controls doesn't actually make it easier, though it can help with compliance tasks like verifying that buckets are still private.

    The problem is that connecting to a public bucket is far easier. When security is hard, people work around it.

    It's not an easy fix but it's not wildly difficult either, it's just that AWS aren't on the hook for your mistakes (when implementing their broken process) and customers have low standards.

    1. Dave_A

      Yeah ...

      If S3 was as easy to admin as a NetApp filer it would be far more secure....

      1. Anonymous Coward
        Anonymous Coward

        Re: Yeah ...

        "as easy to admin as a NetApp filer" ... used to be....

        FTFY.

      2. Snake Silver badge

        Re: if S3 were as easy to admin....

        It's true: with all their (tech) power and resources, AWS UI's are simply an absolute mess. AWS shows to me, IMHO, what programmers will create when they have little concern for end user experience; all the power and ability is there, if you can understand the disaster that passes for "concept in design" and can then comprehend exactly what they are trying to communicate to you within said structural disaster.

        It is a design failure and rather than admit that, and create a web UI that makes sense, they either come up with excuses or apply simple overlay patches in hopes of mitigating the UIX failures.

        1. Robert Grant

          Re: if S3 were as easy to admin....

          > AWS shows to me, IMHO, what programmers will create when they have little concern for end user experience

          Why do you think it was designed by programmers?

          1. Snake Silver badge

            Re: progammers??

            "Why do you think it was designed by programmers?"

            Well, *some* 11-year old did the coding for that website, didn't they??

          2. An_Old_Dog Silver badge

            Re: if S3 were as easy to admin....

            Some programmers will create bad UIs, and bad program concepts/organization, just as some programmers create terrible variable- and function- names; their brains just aren't wired for doing it in a sensible, meaningful-to-others fashion.

            This is not a new phenomonon. One of DEC's early OSes for the PDP-8 had an account admin program which used the [Escape] / [Alt Mode] key to delete an account! Quite counter-intuitive.

            1. Robert Grant

              Re: if S3 were as easy to admin....

              I don't see how that relates to my question.

      3. An_Old_Dog Silver badge

        Re: Yeah ...

        Ah, for the days of Novell's inherited rights filters, and the "rights" command to view them.

      4. OnlyMee

        Re: Yeah ...

        It's mostly used as application storage so I think UI management is a pretty secondary concern as long as API is ok.

    2. yetanotheraoc Silver badge

      You had an extra word when. "Security is hard, people work around it." Otherwise, your post neatly summarized my thinking as well.

      It's not *setting* the security that needs to be made simpler. It's *debugging* which security setting is causing the application to halt (or return no records) that needs to be made simpler. `grep -Fi "auth" security.log` isn't going to cut it for the low code folks. They would rather search for "how do I allow all on amazon s3". It's the "I just need this working now, I'll figure out the security later" mentality that needs to go, but boss is tapping his toes.

  4. Kevin McMurtrie Silver badge

    Cursed IAM

    Bidirectional grants in IAM, assumed roles, inherited roles, instance roles, deployment/tools roles, global bucket rules, and temporary access tokens. Multiply that by a ton of internal operation codes that no longer match APIs. You can see why an outsourcing company with a tight deadline is simply going to flip the switch to make it public.

    Between that and needing to use a multi-part API for streaming uploads, I think the word "simple" might be misused.

    1. Anonymous Coward
      Anonymous Coward

      Re: Cursed IAM

      > I think the word "simple" might be misused.

      That's a pretty kind way of putting it.

    2. thejoelr

      Re: Cursed IAM

      This is why all the buckets end up public. People encounter the extremely difficult access control blocks and either make mistakes or just grant full access to move onto other tasks. The change sounds more like CYA.

  5. nijam Silver badge

    Out of interest (not being a user myself), what do you have to do to "unintentionally expose" data to the internet?

  6. Pierre 1970
    WTF?

    AWS won't resist too much time before saying: "You are all holding the bucket the wrong way"

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like