https://www.chenk.top/en/tags/zero-trust/Recent content in Zero Trust on Chen Kai BlogHugoenSun, 07 May 2023 09:00:00 +0000https://www.chenk.top/en/cloud-computing/security-privacy/Sun, 07 May 2023 09:00:00 +0000https://www.chenk.top/en/cloud-computing/security-privacy/<p><figure class="article-figure"> <img src="https://blog-pic-ck.oss-cn-beijing.aliyuncs.com/posts/en/cloud-computing/security-privacy/illustration_1.png" alt="Cloud Computing (6): Cloud Security and Privacy Protection — Chapter overview" loading="lazy" decoding="async" class="content-image"> </figure> </p> <p>In 2019 Capital One lost a hundred million customer records. The exploit chain was small: a misconfigured WAF allowed server-side request forgery against the EC2 metadata endpoint, that endpoint handed back IAM credentials, and the IAM role those credentials belonged to had wildcard <code>s3:*</code> on every bucket in the account. One misconfiguration, one over-broad role, one rule the security team had not written. The bill, before legal: more than 80 million dollars.</p>