Don’t blindly whitelist Amazon Web Services (AWS) or Azure
Recently we had a customer call us with an issue on a software-based backup system called Carbonite. The customer asked us to follow Carbonite’s instructions to whitelist *.amazonaws.com and *.azure.com. This is a terrible idea, and we will explain why. We will also call out some programs, websites and applications here until they fix their bad security practices.
Why is whitelisting *.amazonaws.com and *.azure.com bad, you ask?
When you whitelist something, you should only whitelist the sites you need and know are safe. We will use Google as an example. Whitelists work by approving the traffic to a specific host (www.google.com), an IP (172.217.8.68), a range of IPs (172.217.8.0/24), or a set of hosts (*.google.com). That * is used by the firewall as a wildcard. So for example *.google.com would allow both goodsite.google.com and evilsite.google.com. Note that those two sites don’t really exist. Be careful about what you whitelist, and here is why you should never blindly whitelist wildcards (*).
With regard to *.amazonaws.com or *.azure.com, both Amazon and Microsoft are cloud providers. Cloud providers make it easy to throw infrastructure up for a site or application. Both have a large number of customers, and anyone can effectively sign up for an account and host a website on AWS or Azure. That’s the point of the cloud: make it easy to set up infrastructure and get things moving. However, since everyone can create a site on those cloud platforms, well… you can get malicious sites on them too. When you whitelist *.amazonaws.com or *.azure.com, you are not just allowing goodsite; you are also allowing evilsite through the firewall.
If a company tells you to whitelist *.amazonaws.com or *.azure.com, then they don’t take security seriously. The company you are doing business with is not Amazon or Microsoft; it is the software vendor or website provider. They don’t own Amazon or Microsoft; they are just using those providers’ cloud infrastructure to deliver your application. They tell you to whitelist things they don’t need and don’t control. That’s just bad cybersecurity practice. Having a whitelist entry for their own domain is one thing, or even for their specific hosts at the cloud provider, but whitelisting an entire domain they don’t control? That is really dumb.
We did a quick Google search and very quickly put together a list of websites or software that tell you to whitelist *.amazonaws.com and *.azure.com. We didn’t go much past the first page of Google search results.
So here they are, just so you can tell we aren’t making this up. They really are telling you to do it this way, which is really bad security policy.
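To make the wildcard problem concrete, here is a small allowlist evaluator written for this post (it is not code from Carbonite, any firewall vendor, or the original article). It matches hostnames and IPs against the four entry forms described above (exact host, wildcard suffix, single IP, CIDR range) and then compares a vendor-style wildcard rule against a rule that names only the specific host the vendor actually uses. The wildcard semantics (any number of labels under the suffix) and every hostname below are assumptions or constructed sample values; `goodsite`/`evilsite` are the post's own placeholders, and `backup-agent.example-vendor.com` / `vendor-bucket.s3.amazonaws.com` are invented stand-ins for "the vendor's own host".

```python
import ipaddress
from typing import Dict, List


def host_matches(entry: str, host: str) -> bool:
    """Return True if `host` is permitted by the allowlist `entry`.

    Entry forms supported (assumed to mirror a typical firewall allowlist):
      - exact hostname:  www.google.com
      - wildcard suffix: *.google.com   (any label(s) below google.com)
      - single IP:       172.217.8.68
      - CIDR range:      172.217.8.0/24
    """
    entry = entry.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")

    if entry.startswith("*."):
        suffix = entry[2:]
        # Wildcard: anything ending in ".suffix" matches, the bare apex does not.
        # This is exactly why *.google.com admits evilsite.google.com.
        return host != suffix and host.endswith("." + suffix)

    # Not a wildcard: try to interpret the entry as an IP or CIDR rule.
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Plain hostname rule: only an exact match is allowed.
        return host == entry

    try:
        return ipaddress.ip_address(host) in net
    except ValueError:
        # IP/CIDR rule but the "host" is a name: no match.
        return False


def evaluate(rules: List[str], hosts: List[str]) -> Dict[str, bool]:
    """Map each host to whether ANY rule in the allowlist permits it."""
    return {h: any(host_matches(r, h) for r in rules) for h in hosts}


# Constructed sample traffic: one host the vendor really needs, plus two
# hosts that any other cloud customer (benign or malicious) could register.
VENDOR_HOST = "vendor-bucket.s3.amazonaws.com"          # invented, stands in for the vendor's bucket
SAMPLE_HOSTS = [VENDOR_HOST, "goodsite.amazonaws.com", "evilsite.amazonaws.com"]

# What the vendor's instructions ask for versus what they actually need.
WILDCARD_RULES = ["*.amazonaws.com", "*.azure.com"]
SPECIFIC_RULES = ["backup-agent.example-vendor.com", VENDOR_HOST]  # invented vendor domain


def wildcard_verdicts() -> Dict[str, bool]:
    return evaluate(WILDCARD_RULES, SAMPLE_HOSTS)


def specific_verdicts() -> Dict[str, bool]:
    return evaluate(SPECIFIC_RULES, SAMPLE_HOSTS)


if __name__ == "__main__":
    for label, verdicts in (("wildcard", wildcard_verdicts()), ("specific", specific_verdicts())):
        print(f"--- {label} allowlist ---")
        for host, allowed in verdicts.items():
            print(f"{host:35s} {'ALLOWED' if allowed else 'blocked'}")
```

Running it shows the wildcard allowlist passing all three hosts, including `evilsite.amazonaws.com`, while the specific-host allowlist passes only the vendor's bucket. The `ipaddress` handling also illustrates the safer IP-based alternatives the post mentions (a single address or a tight CIDR) when a vendor can commit to fixed endpoints.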
