Hacker News new | past | comments | ask | show | jobs | submit login

Is there enough space in an S3 bucket access policy to include DENY rules for every known Tor IP address?

By the sounds of it, the s3 bucket was internally accessible only. But attacker connected through the corp's Web Application Firewall after grabbing the credentials to login to the S3 bucket.

"Internally accessible only" just means you have to have credentials to access it.

You can also add IP address restrictions to a bucket access policy; this was obviously not done here because once she had the credentials, it didn't matter where she was accessing from.

Looks to me that it should rather be using an IP white list. It's not like their systems would need access to these documents from an dynamic IP dial up connection.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact