
Though Amazon has protection against confused deputies for Principals, even within an account (every principal has a unique ID, and is account scoped), it doesn't have the same for Resources.

And s3 buckets are not scoped to an account and their ARN is global and doesn't contain the account id.

For the same reason I advise anybody to always use random suffixes (easily done in Terraform with name_prefix) when generating bucket names.
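As an added illustration (not part of the comment above), the two defences the thread points at in Terraform: an unguessable global bucket name via `bucket_prefix`, and an identity policy that only allows S3 actions on buckets owned by the caller's own account using the `aws:ResourceAccount` condition key, so a request aimed at a look-alike bucket in a foreign account is denied. The prefix string and policy name are assumed values.

```hcl
# Added example (assumptions: prefix "myorg-data-", policy name "s3-same-account-only").
# bucket_prefix makes Terraform append a random suffix, so the globally
# scoped bucket name cannot be predicted and pre-registered by someone else.
resource "aws_s3_bucket" "data" {
  bucket_prefix = "myorg-data-"
}

data "aws_caller_identity" "current" {}

# Resource-side scoping that S3 ARNs lack: deny any S3 call whose target
# bucket is not owned by this account, even if the bucket name matches.
data "aws_iam_policy_document" "same_account_s3" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "aws:ResourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_policy" "same_account_s3" {
  name   = "s3-same-account-only"
  policy = data.aws_iam_policy_document.same_account_s3.json
}
```

Attach the policy to the roles that read or write the bucket; a write to a bucket name that now resolves to another account's bucket then fails with AccessDenied instead of landing in the other account.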



> And s3 buckets are not scoped to an account

Never used AWS, but how does it handle auth for data plane operations then?


It handles authentication on a request basis (which was its own issue just a little while ago): https://www.infoq.com/news/2024/05/aws-empty-s3-bucket-billi...



