Unknown

AWS AI services ToS allow sharing of customer data

Published Thu, Jan 6th, 2022

Platforms

Summary

Use of the AI services on AWS allows customer data to be moved outside of the regions it is used in and potentially shared with third-parties. Note: This issue is outside the scope of this database's usual criteria for inclusion, but has been kept for historic reasons, as it was included in the original CSP Security Mistakes dataset.

Affected Services

N/A

Remediation

Customers can opt out of this data usage by following the instructions included in the linked reference.

Tracked CVEs

No tracked CVEs

References

https://twitter.com/benbridts/status/1280934515305824256 https://summitroute.com/blog/2021/01/06/opting_out_of_aws_ai_data_usage/

Contributed by https://github.com/0xdabbad00

Disclosure Date

Wed, Jul 8th, 2020

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Ben Bridts

More vulnerabilities...

low

Dataflow RCE via unauthenticated JMX service

Dataflow worker nodes ran an unauthenticated Java Management Extensions (JMX) service that under certain circumstances would be exposed to the Internet, thus allowing unauthenticated remote code ex...

Mike Brancato

Tue, Dec 28th, 2021

medium

Overprivileged AWS support IAM role policy

AWS added an excessive s3:getObject permission to AWSSupportServiceRolePolicy IAM policy used by AWS Support teams, and removed it a day later.

Scott Piper, Summit Route

Wed, Dec 22nd, 2021

high

LPE vulnerability in Eltima (3rd-party cloud desktop driver)

Several cloud desktop solutions rely on a 3rd-party library called Eltima SDK to provide USB over Ethernet capabilities, to allow users to connect and share local devices such as webcams. SentinelL...

Kasif Dekel, SentinelOne

Tue, Dec 7th, 2021

View all