So let's talk a bit about "trusted user access" and how it works. Obviously this is subtweeting Twitter itself, but not entirely.

At some point, you have to put your trust in someone / something. This was an initial barrier to cloud adoption.
We take it on faith that AWS APIs, employees, audit reports, etc. aren't lying to us. Sure, there are audit documents and third party assessments and whitepapers and... yeah, nobody reads all of them and then builds things on top of AWS.

We take it on faith.
The employees at your company who have access to your AWS account are trusted. And somewhere, ideally in a safe, is the root account MFA device--because with THAT credential set, most if not all bets are off.
This isn't new. Sysadmins have always borne the weight of trust.

My first *nix admin gig was at a university as their email admin. I *could* have done evil things; I did none of them.
Relatedly, ever notice that the internet long ago decided that "access to your email inbox" was the cornerstone of trust that forms your entire online identity? Yikes.
So, given that all of the above is true, how do we trust anything?

In most cases, we separate things out. Yes, in virtually every org there are people who could access anything that you haven't encrypted that passes through their systems.
1. Those people are vetted and trusted, yes--but more usefully:

2. Everything they do is logged immutably to systems to which they definitively do not have access. A separate team entirely manages and reviews that environment.
Most of my clients have an "out of scope" account, set of accounts, or AWS organization that I'm not allowed to cost optimize. That's the infosec series of accounts, and the barriers must remain intact.

(The bill is usually small if they haven't fallen for the Macie trap.)
And all of this... pretty much works!

It turns out that in reality, it's way harder to subvert the right set of @awscloud employees than the datacenter night shift folks that your company criminally underpays.
"So why do you have a button that lets you act as a user?!"

You may not! If you can unilaterally change the user's email address in a company's records, you can effectively become them completely as far as most systems are concerned.
But:

* Who changed that customer's email address?
* What time did they do it?
* From where were they accessing the internal system?

This is why there are audit logs. You won't necessarily be able to STOP everything, but you'll for damned sure know what happened and when.
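As an added example (not from this thread), here is the shape of audit trail that answers those three questions: every privileged support action is recorded with who, when and from where, entries are hash-chained so that editing one after the fact is detectable, and a query pulls every email change against a given customer. The field layout, identities, IPs and sample events are constructed assumptions, and the chaining only makes tampering evident; as above, the log still has to live in a system the support staff cannot write to.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

@dataclass
class AuditEvent:
    ts: str          # when (UTC)
    actor: str       # who (support staff identity)
    action: str      # what, e.g. "customer.email.change"
    target: str      # which customer record
    source_ip: str   # from where they reached the internal tool
    old: str
    new: str

def _digest(prev_hash: str, event: AuditEvent) -> str:
    # Each hash covers the previous hash, so altering one entry breaks every later one.
    payload = prev_hash + json.dumps(asdict(event), sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained trail: tamper-evident, not tamper-proof."""
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, event: AuditEvent) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"event": asdict(event), "hash": _digest(prev, event)})
        return self.entries[-1]["hash"]

    def verify(self) -> Optional[int]:
        """Index of the first entry whose hash no longer matches, or None if intact."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if _digest(prev, AuditEvent(**entry["event"])) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def who_changed_email(self, customer: str) -> List[dict]:
        """Who, when, from where: every email change recorded against one customer."""
        return [e["event"] for e in self.entries
                if e["event"]["action"] == "customer.email.change" and e["event"]["target"] == customer]

def build_sample_log() -> AuditLog:
    # Constructed sample events; identities, IPs and addresses are made up.
    log = AuditLog()
    log.append(AuditEvent("2020-07-15T20:01:00Z", "support-agent-17", "customer.email.change",
                          "cust-1042", "203.0.113.5", "old@example.com", "new@example.net"))
    log.append(AuditEvent("2020-07-15T20:03:30Z", "support-agent-17", "customer.password.reset",
                          "cust-1042", "203.0.113.5", "-", "-"))
    return log
```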
"It should require executive approval to reset an email address."

Have you *MET* users? You'd need a shitload of VPs whose entire job was rubber stamping password and email address resets! Fatigue would set in, and they'd get sloppy. Humans do that.
"You should have enabled security features / policies X, Y, and Z."

Security is a trade-off. Make things secure enough and nobody will be able to use the damned thing.
"Why does Twitter have a shadow-ban option / ability to influence the algorithm?!"

Because nobody decent wants to see racial slurs trending.

You don't have a right to a platform for your shitty opinions, just a right to be free from government persecution.
It's their platform, their rules. I'm highly sympathetic to Twitter. They're going to get dragged for this.

They're smart people. They learn from their mistakes, and this won't happen again.

But something else will! It always does! The dance continues.
I think a bit of empathy goes a long way. Yelling at @jack and the rest of the Twitter staff for this is just counterproductive noise.

Remember, today it's their breach but tomorrow it's yours. How will you want the world to treat you when it's your turn?
Keep Current with HydroxyCoreyQuinn