Solution providers have urged Amazon Web Services to publicly explain how the cloud computing giant’s technology was used by the SolarWinds hackers in their campaign.
“I do wonder whether AWS has made a judgment error in not coming out to publicly defend their position in this high-profile case with such far reaching consequences,” said Karl Robinson, director of London-based AWS managed services provider Logicata. “That, to me, could be more damaging to AWS’ reputation in the long run than the issue of them hosting some of the infrastructure used in the attack.”
U.S. senators slammed AWS Tuesday for refusing to testify at a Senate Intelligence Committee hearing about the SolarWinds intrusion. AWS hosted most of the secondary command and control nodes used in the SolarWinds attack on infrastructure inside the United States, said Sen. Richard Burr, R-N.C. Tuesday’s hearing was one of the first times AWS’ role in the SolarWinds breach has been publicly discussed.
“We had extended an invitation to Amazon to participate. The operation we’ll be discussing today uses their infrastructure, [and], at least in part, required it to be successful,” Sen. Marco Rubio, R-Fla., said Tuesday. “Apparently they were too busy to discuss that here with us today, and I hope they’ll reconsider that in the future.”
Sen. Mark Warner, D-Va., said Amazon provided the Senate Intelligence Committee with one update, but said the committee is still expecting a “full update.” The Senate Intelligence Committee first held a closed hearing on the SolarWinds campaign Jan. 6 with the government agencies responding to the attack, according to Warner.
An AWS spokesperson told CRN that its service is not affected by the SolarWinds issue, “and we do not use their software. When we learned of this event, we immediately investigated, ensured we weren’t affected, and shared what we learned with law enforcement. We’ve also provided detailed briefings to government officials, including Members of Congress.”
The statement from AWS Wednesday echoed what AWS Channel Chief Doug Yeum said in January when he said that “AWS was not affected by the SolarWinds issue, and we don’t use their software.”
Logicata hasn’t seen any communications from AWS over the past two-and-a-half months regarding its role in the SolarWinds hack, Robinson said.
Bob Venero, CEO of Holbrook, N.Y.-based solution provider Future Tech Enterprise, No. 96 on the 2020 CRN Solution Provider 500, called AWS’ refusal to directly address how its infrastructure was used in the SolarWinds attack a “slap in the face” to the company’s partners and customers.
“With all of the security challenges we face as an industry now is the time – more than ever – for AWS to show up and speak about how they can prevent this from ever happening again on their watch,” Venero said.
Venero said he sees AWS’ refusal to show up at the hearing as a sign that the company thinks it is too big to have to answer questions on the SolarWinds breach. “They owe it to their customers and partners to be there and answer the questions,” he said.
AWS has a responsibility to ensure its platform is being used in accordance with their terms of business and the law, but Robinson said this is typically dealt with contractually by shutting down customers who are in violation such as Parler. Under AWS’ shared responsibility model, Robinson said customers are responsible for securing what’s in the cloud while AWS handles security of the cloud infrastructure itself.
“It is virtually impossible for AWS to police all activity on their cloud platform at the scale they operate,” Robinson told CRN. “By giving customers access to such a broad array of services with virtually limitless configuration options, AWS enables their customers to innovate at pace, but this flexibility makes it difficult to keep tabs on what every customer is doing.”
A cloud computing consultant, who didn’t wish to be identified, said AWS was unfairly targeted during the SolarWinds Senate hearing. The consultant compared bad actors using the AWS platform to a murderer who kills people with a gun.
“If AWS is simply the platform and somehow SolarWinds had a breach, why are we even talking about AWS?” the consultant said. “For example, do we blame Glock or Smith & Wesson?… It’s not the gun manufacturer’s fault.”
For the most part, the consultant said security in the cloud is the responsibility of customers rather than the cloud platform itself.
“We do, of course, select a cloud provider in part based upon how we can trust their security,” the consultant said. “But it’s too big of a problem for a cloud provider to try and provide immense technical value such that their customers can literally do whatever they want with the cloud services and also protect them soundly.”