
Announcing the New AWS Secret Region - marvinpinto
https://aws.amazon.com/blogs/publicsector/announcing-the-new-aws-secret-region/
======
cwkoss
Hopefully it prevents S3 buckets from being set to public.

~~~
STRML
The new S3 console/flow sets to private by default - so some progress there,
all jokes aside.

~~~
nhumrich
S3 has _always_ been private by default. But too many people open it up to the
world for convenience.

~~~
mtgx
Yes, but now Amazon will show them orange alerts if they do that!

I've argued this before around here - I believe it's a platform provider's
responsibility for the most part to secure data, and less so the
responsibility of the developer or user. Amazon should go much further and
make it _hard_ to open-up the data to the public, at least for certain
categories of buckets.

So for instance some buckets should always be public by default, and some
should always be encrypted and private by default. That should make
intelligence agencies' choice easier, because I would imagine even if it's
"harder" to process the data from an encrypted bucket, they would still prefer
that option to the _always public_ bucket.

And maybe both categories could still be configured to either be private or
public, respectively, but the account owners should have to really go out of
their way to make those changes. So most shouldn't bother, and just use the
defaults for each category of buckets.
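The exchange above turns on a concrete question: given a bucket's ACL, policy and encryption settings, is it world-readable, and does it meet the stricter defaults a "restricted" category would demand? As an added example (not code from the thread or from AWS), the following script evaluates bucket metadata offline. The records are constructed samples shaped like the responses of GetBucketAcl, GetBucketPolicy and GetBucketEncryption; the `Classification` field stands in for a hypothetical tagging scheme like the bucket categories proposed in the comment, and the owner ID is a placeholder.

```python
"""Flag S3 buckets whose configuration makes their objects readable by the public.

Added example (not from the thread): works on bucket metadata that has already
been retrieved, so it runs offline with no AWS credentials. The sample records
below are constructed and merely mimic the shape of the S3 API responses.
"""
import json

# Grantee URIs that make an ACL grant public (real S3 group URIs).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS: "anyone on the Internet",
                   AUTH_USERS: "any AWS account holder"}


def public_acl_grants(grants):
    """Return findings for ACL grants to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GRANTEES[uri]}")
    return findings


def principal_is_wildcard(principal):
    """True when a policy Principal matches every caller ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return findings for Allow statements that are open to every principal."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A Condition block narrows who matches; it is reported but marked as such.
        qualifier = " (conditional)" if "Condition" in stmt else ""
        findings.append(f"policy {stmt.get('Sid', '<no Sid>')} allows "
                        f"{', '.join(actions)} to Principal *{qualifier}")
    return findings


def default_encryption_enabled(encryption_rules):
    """True when at least one default server-side encryption rule is configured."""
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in encryption_rules)


def assess_bucket(bucket):
    """Combine ACL, policy and (for restricted buckets) encryption checks."""
    findings = public_acl_grants(bucket.get("Grants", []))
    findings += public_policy_statements(bucket.get("Policy"))
    is_public = bool(findings)
    # Hypothetical category rule: "restricted" buckets must have default encryption.
    if bucket.get("Classification") == "restricted" and \
            not default_encryption_enabled(bucket.get("EncryptionRules", [])):
        findings.append("restricted bucket has no default encryption")
    return {"Name": bucket["Name"], "Public": is_public, "Findings": findings}


OWNER = {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}  # constructed
SAMPLE_BUCKETS = [  # constructed sample records, not real buckets
    {"Name": "contractor-share", "Classification": "restricted",  # opened "for convenience"
     "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::contractor-share/*"}]}),
     "EncryptionRules": []},
    {"Name": "reports-private", "Classification": "restricted",  # the default state
     "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
     "Policy": None,
     "EncryptionRules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    {"Name": "legacy-acl", "Classification": "public",  # AuthenticatedUsers is not "internal"
     "Grants": [{"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}],
     "Policy": None,
     "EncryptionRules": []},
]


def assess_all(buckets=SAMPLE_BUCKETS):
    return {b["Name"]: assess_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, result in assess_all().items():
        print(("PUBLIC  " if result["Public"] else "private ") + name)
        for finding in result["Findings"]:
            print("    - " + finding)
```

The AuthenticatedUsers case is the one that most often surprises bucket owners: it grants access to every AWS account in the world, not to the owning account, so it is treated as public here. Policy statements with a Condition are still reported, since whether the condition actually restricts access cannot be decided without evaluating it.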

~~~
colechristensen
>I believe it's a platform provider's responsibility for the most part to
secure data, and less so the responsibility of the developer or user

I would say that is going too far, or maybe I'd say it differently. If a
certain problem becomes very frequent relative to its severity, the problem
is a design bug and not just user error. The provider isn't responsible for
every mistake, but they are responsible for designing with mistakes in mind.

~~~
staticassertion
If your design allows insecure setups without users understanding the risks in
full, I think that's on the providers and not the user. If the user
understands the risks fully, then it's on the user.

I think we are way far away from users fully understanding the risks, and
we're still mostly dealing with people not realizing they're vulnerable. So I
put this primarily on the provider.

------
softgrow
From the headline I was actually expecting a ‘mystery trip’ region, cut price
but you don’t find out where till you start using it.

~~~
SimbaOnSteroids
Right, like it's actually AWS Atlantis-West.

~~~
Antrikshy
Wakanda

~~~
Cyphase
Or NEXUS. Ding ding ding, you're a winner!

------
mockery
_"With the new AWS Secret Region, we are bringing the same tools and
workflows that are already available for Top Secret workloads to customers
with Secret datasets and workloads."_

Does this mean they already had an AWS "Top Secret" Region?

~~~
dantiberian
http://www.defenseone.com/technology/2015/07/how-break-cias-cloud-amazon/117175/

------
AaronFriel
Article says that this is the first cloud provider certified for these
workloads, but I believe both Microsoft Azure and Amazon AWS began negotiating
these contracts around the same time.

Microsoft announced their version a few weeks ago[1]. I wonder if Google will
follow shortly?

[1] https://azure.microsoft.com/en-us/blog/announcing-new-azure-government-capabilities-for-classified-mission-critical-workloads/

~~~
killjoywashere
Microsoft's announcement has a lot of "will". Amazon's has a lot of "is".

~~~
jknoepfler
Where the "is" should be generally understood as "is[1]"

[1] but in such a poorly tested, underbaked fashion you probably shouldn't
bother for a few years

~~~
pnathan
I see someone's experienced in AWS product rollout.

~~~
jknoepfler
Yeah, I worked on an AWS product launch for a product that was not ready to go
live, and we ended up trying to dog-food a bunch of other AWS services that
were also not ready to be live. It was honestly pretty shocking.

~~~
killjoywashere
Thanks. This is the sort of experience-based comment that I read Hacker News
for.

------
jlgaddis
Now all of your e-mails and private data don't have to be carried all the way
around the world back to Bluffdale; they can simply be dumped into AWS!

------
hackcasual
Sounds like this is an expansion of this:
https://www.theatlantic.com/technology/archive/2014/07/the-details-about-the-cias-deal-with-amazon/374632/

to non-Intelligence Community users. You'll still need US Government Secret
Clearance though.

------
gesman
AWS is a 3-letter agency from now on :)

------
Rebelgecko
Is this part of Govcloud? Unfortunately Govcloud doesn't support a handful of
AWS services; it would be nice if this were more complete.

~~~
hackcasual
It's not, though it's related. Govcloud only supports up to "Controlled
Unclassified Information." This can handle Secret and Top Secret. I'd expect
it to be even further restricted in terms of supported services.

------
CJKinni
What does it mean for something to be an "air-gapped commercial cloud"?

~~~
jlgaddis
The "Top Secret" cloud is not connected to the Internet.

~~~
user5994461
Which obviously can't be true or it would be inaccessible and thus utterly
useless.

~~~
jlgaddis
Why? It can still be connected to SIPRnet or JWICS.

Or customers can get a Direct Connect from their existing facilities into the
region. I presume the USG has plenty of fiber straight into these new
datacenters and I'm not sure why Amazon wouldn't allow Direct Connect.

As someone else mentioned, perhaps this will get contractors to stop using
public S3 buckets to share data.

~~~
jsjohnst
That’s not “air gapped” if it’s connected to another government network.

~~~
jlgaddis
It's air-gapped _from the Internet_.

~~~
jsjohnst
The term “air gap” does not directly imply anything to do with the Internet
(doesn’t exclude it, but it applies more generally than specific networks).
Yes, IC uses it to signify high/low networks, but the original usage of the
term was to indicate a machine with no direct connection to the outside world.
The theory being (since proven wrong), you can’t exfiltrate data remotely from
a device not connected to a network.

------
alexnewman
I spent a lot of time on gov cloud console at a couple of jobs. It's very
limited. At the time they didn't have lambda.

------
frabbit
> the CIA has placed a big bet on adopting commercial cloud technology

Can't they get the NSA to rent them some of their spare capacity from the
CNCI? Or is this because they trust Amazon to have actually solved the hard
problems?

[https://en.wikipedia.org/wiki/Utah_Data_Center](https://en.wikipedia.org/wiki/Utah_Data_Center)

------
dsr_
As long as there is only one Secret region, you can have reliability or you
can have classified data, but not both.

~~~
jacquesm
If your secret region goes down the data just got _more_ secret.

~~~
degenerate
Somehow I can see this being an actual argument in government bids, and
contracting officers gobbling it up...

------
WatchDog
Does anyone know what sort of price premium AWS charge for their secret
regions over their public commercial regions?

~~~
discodave
They're not charging per GB of S3 or whatever. It's likely a fixed(ish)-price
contract that basically covers their cost of building a complete region. So
the pricing doesn't really compare.

Basically, AWS is all public cloud, none of this private cloud nonsense...
until you come along with a $600MM check and then you can have a private
region all to yourself!

~~~
mrep
Someone's still got to pay the energy bill and for new servers to account for
growth.

I don't see why they would throw out their current billing model for something
else.

------
zitterbewegung
Anyone use this feature? Also, where is this region located? (Washington DC?)

------
rad_gruchalski
What's the point of announcing it publicly?

~~~
jandrese
If they didn't nobody would know about it. It's not like Amazon has a big list
of email addresses of people who have Secret data that they might want to put
on the cloud. Even if they did have a list of government people like that,
most of the people interested in this service are contractors who don't
officially work for the government.

The government doesn't work like those spy movies where everybody knows
everything the instant it happens. It's more like a big bloated corporation
with thousands of subcontractors and generally lousy communication all around.

~~~
empath75
There’s hardly anyone in tech with a clearance in DC who didn’t know this was
coming. They’re recruiting like crazy for it.

------
rbanffy
Cue in the "Dammit! We are not supposed to talk about it" jokes

~~~
philipov
When I first saw the headline, I thought it had something to do with secrets
management, for, like, ssh keys... Why would they need an entire region for
_that_?

~~~
nathan_long
I thought it was going to be like East or West, but We're Not Telling You
Where. :)

~~~
cgore
atlantis-east-1 :-)

------
jazoom
_We are pleased to announce the new AWS Secret Region. The AWS Secret Region
can operate workloads up to the Secret U.S. security classification level. The
AWS Secret Region is readily available to the U.S. Intelligence Community (IC)
through the IC’s Commercial Cloud Services (C2S) contract with AWS._

~~~
jazoom
Usually when I post a quote from the article to shed light on what it's
actually talking about it is appreciated. What's different about this time
that causes a bunch of downvotes?

------
andy_ppp
Will it be locatable by latency (roughly) or is that not the point?

Additionally, if I was doing secret things I'd really think it was not a great
idea to put that into a data centre marked "Definitely where I keep all of my
secrets".

~~~
mewfree
I don't think the point is to hide its real location or to hide secrets, but
to be able to build services that comply with US classification levels
(sensitive, secret, top secret).

