Hackers could have taken over AWS (theregister.co.uk)
56 points by olegp on Oct 27, 2011 | hide | past | favorite | 19 comments



I do find it odd that they encourage you to use the same account to sign into Amazon the store and AWS. That seems a bit like asking for a Subway loyalty card to buy a gun.


From the article, one problem is that even if you don't use your AWS account on the Amazon store, you could, and so XSS vulnerabilities in the store can be used to hijack AWS accounts. Unfortunately the store is large and complex and so has a large attack surface area.


Amazon offer security token authentication for accessing AWS account resources, which can limit the impact of a breach in another part of their system.


When did they start doing that? When I started using S3 to back up other people's photos I immediately created a second Amazon account for AWS. I don't remember them discouraging me from doing that.


What I meant was that if you use the email registered for amazon.com when signing up to AWS they don't create a separate account for you or suggest that you use a different e-mail to create a new account.


Their focus is on fast user acquisition. So fastest is the best.

I wonder how many do care if it's the same account. Like people sleep well with their data on DropBox.

Those who care think and create a separate account.


Is DropBox particularly insecure?


There was that four hour period earlier this year in which their authentication system defaulted to "allow" for incorrect passwords.


I think the commenter was just pointing them out as an example of a service that's built on AWS/S3.


That's a good point. I suppose it's not surprising, though, that they streamline the signup process for a service that they charge for.


WS-* and XML cryptography is such a clusterfuck. It's ironic to see Amazon injured by use of "standard" constructions; they'd have been better off rolling their own here.


You shouldn't really be surprised though; especially after Yegge's rant the other week. Software quality at Amazon is pretty mediocre, and pales in comparison to Google's (I worked at both places.)


Is it just me, or does the article seem like gobbledygook? What is EC4 authentication anyway?


So we can assume that the cloud security is as strong as the security at the weakest link in one of the centralized access components.

Can we have a workflow or multi-level authorizations for critical actions like delete or terminate actions of cloud resources?
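One concrete way to get the second authorization step the comment above asks for is an IAM policy that denies destructive API calls unless the caller authenticated with MFA. This is an added example by the editor, not something from the thread or from Amazon's documentation; it assumes the policy is attached to the users or roles that operate the account, and the listed action names are the real IAM action identifiers for the services named.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDestructiveActionsWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:DeleteVolume",
        "ec2:DeleteSnapshot",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "rds:DeleteDBInstance"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Because an explicit Deny always wins over any Allow, a stolen password or hijacked console session that has no MFA claim cannot terminate or delete these resources even if the user is otherwise an administrator; `BoolIfExists` also denies requests where the MFA key is absent entirely, such as calls made with long-lived access keys.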


Did I miss something, or is this basically trying to call out something that Amazon fixed before anyone actually discovered it? Reads like FUD.


The attackers reported the problem to Amazon and allowed Amazon to fix it prior to their public disclosure.

I don't see how that's FUD. There was a problem, they found it, they let Amazon fix it, then they reported what they'd found.


In other news, Hitler could have won and the terrorists could have successfully followed up 9/11.

I do think this story is noteworthy, not because of the headline, but because it draws attention to the underlying deficiencies of XML cryptography, as others have pointed out in comments.


Glad the Reg is sensationalist enough to spark a discussion (seriously). The orig item didn't do so hot.

http://news.ycombinator.com/item?id=3160301


Headline wildly inaccurate.

