The cyber-security impacts of an AWS Outage

On the morning of December 7th, AWS had a major outage that affected a large portion of the us-east regions. The outage affected everything from the AWS Console to Disney+, Netflix and even home security devices such as Ring and Wyze.

The outage lasted a good part of the afternoon, and for a good portion of that time the AWS Service Health Dashboard didn't even report any issues. Per AWS: "This issue is also affecting some of our monitoring and incident response tooling."

For most people, it was an inconvenience, but it's in situations like this that not only cyber criminals thrive; even average criminals can capitalize on them too.

Let's imagine you use a Ring camera (without the security subscription) to monitor your home while you're at work. Around lunchtime, it was widely known that there was a major outage, and it was even broadcast on local TV news. Ordinary criminals become aware of the situation and act, targeting anyone with that nice Ring sign in their front yard.

Most products like Ring or Wyze have mandatory disclosures about outages like this; ironically enough, I received one from Wyze, from which I have only a smart plug, but never received one from Ring, which I have set up around my entire home.

Now let's imagine your company has EC2 machines set up for monitoring, or SaaS services to scan for phishing attempts, or even security response automation. Sophisticated attackers have systems set up to monitor critical infrastructure like AWS for outages and then start attacks. If an attacker sees that a system is down, they will launch a series of attacks to try to bypass the systems that might be down. If these systems are down, it creates opportunities for attacks to slide under the radar and likely never be noticed until it's too late.

After everyone's PagerDuty alarms stop and the dust settles, situations like this can be good opportunities to remind organizations that putting all your eggs in one basket (or us-east-1 in this case) should be treated as a security vulnerability, not just 'bad devops'.

These situations also highlight our reliance on infrastructure that most of us regard as 'too big to fail', but it's better to be prepared for the worst than not.
