Things you wish you didn’t need to know about S3

In this thought-provoking blog post, Daniel Grzelak explores the complexities of AWS security, focusing in particular on unauthorized access to S3 buckets. He delves into the quirky API of Amazon S3, highlighting its unique design patterns and their implications for security. Grzelak uncovers surprising vulnerabilities, such as the ability to delete a bucket without authentication and the leakage of sensitive information like principal ARNs. He also emphasizes that several properties of an S3 object, including storage class and access controls, are primarily controlled by the uploader. Through insightful examples and detailed explanations, Grzelak navigates the intricate landscape of AWS security with wit and expertise, shedding light on critical issues and possible solutions.

https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/
