How much sensitive data is sitting in S3 buckets? How much of it is at risk if I have a Xen 0day in my pocket?

Securing an S3 bucket with proper permissions, encryption, and bucket policy is not necessarily rocket science. The tools are all there, but tell someone who doesn’t care about security to set up an S3 bucket for your company and the end result will likely reflect that. While AWS has plenty of faults worth discussing, this specific issue is not on Amazon.

> not necessarily rocket science

But it does sustain a cottage industry of consultants that either sell the work of configuring it, or second-order grifters that just sell the "know-how".

As a consultant in the last role I am feeling attacked, though you’re not exactly wrong.

1. Basically all of it.

2. Probably not much, since S3 doesn't give you code execution (does S3 rely on Xen in the first place?).

Discussed a few days ago: https://news.ycombinator.com/item?id=19565408.