By Bruce Sussman
Fri | Oct 25, 2019 | 10:22 AM PDT

Two big names in the U.S. Senate came out swinging (again) against Amazon Web Services.

Senator Elizabeth Warren and Senator Ron Wyden, who frequently criticize Big Tech, are asking the Federal Trade Commission to investigate AWS and its business practices related to cybersecurity.

AWS: more fallout from Capital One data breach

The new letter could be considered part of the aftermath of the Capital One data breach. SecureWorld wrote an in-depth report on the former AWS insider who allegedly stole the personal data of 100 million Americans in that case.

The question now: did AWS fail to implement particular cybersecurity defenses which in turn allowed the hack?

The senators sure think so: 

"As Amazon acknowledged... the hacker stole data from Amazon servers rented by Capital One using a hacking technique known as 'server side request forgery (SSRF)' attack.

Amazon's largest competitors have included mandatory protections against SSRF attacks in their products for several years—Google since 2013 and Microsoft since 2017."

Amazon did not. And according to the senators, that's both wrong and deceptive.

"Although Amazon competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies and to the general public.

The FTC has the authority and responsibility to investigate unfair and deceptive business practices. We urge you to investigate whether Amazon's failure to secure its services against SSRF attacks constitutes an unfair business practice, which would violate Section 5 of the FTC Act."

AWS responds to Senators Warren and Wyden

This story is being covered in the mainstream media, as you might expect. 

CNBC has a great backgrounder which includes a response from AWS:

"The letter's claim is baseless and a publicity attempt from opportunistic politicians. As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall.

The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company's systems, and could have been substituted for a number of other methods given the level of access already gained."

Amazon feeling heat from these senators

While the FTC considers answering the questions the senators raised, Warren is continuing to campaign for president on her plan to break up Amazon, Google, and Facebook. From her website:

"Today’s big tech companies have too much power—too much power over our economy, our society, and our democracy. They've bulldozed competition, used our private information for profit, and tilted the playing field against everyone else. And in the process, they have hurt small businesses and stifled innovation."

And Wyden has previously questioned Amazon Web Services about its cybersecurity. He wrote to Amazon CEO Jeff Bezos earlier this year:

"If Amazon's cloud computing services are found to be the common element in a series of high-profile hacks targeting large corporations, it would raise serious questions about whether other corporations and government entities that use Amazon's cloud computing products are also vulnerable."

Wyden has also introduced legislation that would jail senior executives if they lie about their organization's cybersecurity or privacy practices.

Will the FTC investigate AWS?

What do you think? Is AWS selling "defective cloud services," as the senators allege?

Or is this a "publicity attempt from opportunistic politicians," as AWS claims?

We'll let you know if the U.S. Federal Trade Commission weighs in on this debate.
