← Back to context

Comment by SOLAR_FIELDS

5 days ago

The problem is that the default behavior for this is opt-in, rather than opt-out. No one prefers opt-in. So why is it opt-in?

8 comments

SOLAR_FIELDS

Reply
icedchai  5 days ago

If it were opt-out someone would accidentally leave it on and eventually realize that entire systems had been accidentally "backed up" and exfiltrated to S3.

  • SOLAR_FIELDS  5 days ago

    What? The same is possible whether it's opt-in or opt-out. It's just that if you have the gateway as opt-out you wouldn't also have this problem AND a massive AWS bill. You would just have this problem.

    • Spivak  5 days ago

      The bad situation is if you created a VPC with no internet access but the hypothetical automatic VPC endpoint still let instances access S3. Then a compromised instance has a vector for data exfiltration.

    • icedchai  5 days ago

      No, with opt-in the VPC subnet is secure by default. Someone has to explicitly allow access to S3 (or anything else.)

otterley  5 days ago

AWS VPCs are secure by default, which means no traffic traverses their boundaries unless you intentionally enable it.

  • SOLAR_FIELDS  5 days ago

    "The door is locked, so instead of suggesting to the end user that they should unlock the door with this key that we know how to give the end user deterministically, we instead tell them to drive across town and back on our toll roads and collect money from it"

    This has been a common gotcha for over a decade now: https://www.lastweekinaws.com/blog/the-aws-managed-nat-gatew...

    • otterley  5 days ago

      Speaking solely on my own behalf: I don't know a single person at AWS (and I know a lot of them) who wants to mislead customers into spending more money than they need to. I remember a time before Gateway Endpoints existed, and customers (including me at the time) were spending tons of money passing traffic through pricey NAT Gateways to S3. S3 Gateway Endpoints saved them money.

      1 reply →