
It’s their servers, they can do whatever they want with them. What are you going to do about it? They have physical access, you have an API key.

Suggestion: if you want to secure your data, don’t put it on other people’s computers, and for fuck’s sake don’t store your crypto keys on someone else’s computer.




That is a really false statement. This is why contracts, audits, ... exist, and they define what each party can and can't do. When in violation, this could result in huge fines, loss of business, ...

You can also securely store your data on other servers by using client-side encryption.

Not every business/person has the means or knowledge to have their own datacenter.


> You can also securely store your data on other servers by using client-side encryption.

Hey but you have audits, contracts, why would you need that? You are effectively saying the same thing that parent comment is. You're just offering a more practical solution.


There are many reasons to do client-side encryption, some of them are that you want to store the data on multiple storage providers but with the same key.

A national law of the country explicitly tells the company to do so, or a company you are in contract with asks you to do so. The key that S3 can provide is not good enough for your internal usage, ...

Stop looking at everything purely technically because that is not how the real world works.


> When in violation this could result in huge fines, loss of business,...

The stress is on could. AWS is too big to be allowed to fail. Has Facebook seen such severe consequences because of known misconduct? And AWS is in a much more critical role for many businesses.


This will probably end in nothing, that is true.

But it could impact them if there came an issue out of it (someone can prove that AWS downloaded some of their files). AWS doesn't want to go in the news that they look at their customer data as that would impact the decisions of future and current deals of hosting their data on AWS.

I've worked for some big financial institutions and the longest part of the contract with AWS was all lawyers going over what is happening with the data, how AWS has access to it and especially how it doesn't have access to it.


Sorry, a small startup does not have the resources to go against behemoths like Amazon, Microsoft or Alphabet in US courts. If that is your defence, it is worthless.


Amazon has many cases where they’ve been found to have violated contracts, laws, etc.

The rest of the points, save for keeping the keys on your own hardware, are orthogonal to whether Amazon with physical access to your data could access it.

I think we are both in agreement that in most cases the data isn’t worth accessing which is the real world protection most data on Amazon has.


A very shortsighted take. Sure, yes "they" can do whatever they want.

But even in the world you are imagining where AWS is peeking at customer's data willy-nilly, I have to imagine you don't believe that every tech support representative should have default access to every AWS customer's storage data, do you?

Even a dishonest unethical company that created backdoors for its employees would surely gate their backdoors.

This change (a mistaken one that was rolled back immediately) would have given the keys through the front door to presumably a thousand low-level employees.

BTW, AWS spends a long time talking about how verifiably they do not have access to customer data. If you're interested in crypto (otherwise not sure why you are referencing it here), this kind of thing should be right up your alley: https://www.youtube.com/watch?v=4J8REvs7zaY


AWS has regions in China, they verifiably DO have access to your data.

They also have regions in the US where they verifiably DO have access to your data.

Both points of access are verifiable by their compliance with the law in those countries ensuring that the government can access that data.

If you use their CA or EU locations, it’s conceivable that they’ve developed separate software that actually protects your data, but I would hazard a guess that they use the same backdoored software there once it has been sufficiently beta tested in us-east-1.



