isbgpsafeyet.com
Amazon/AWS should be listed as partially safe
This article from a couple weeks ago highlights a case of inadvertent hijacking of outbound traffic from AWS to a Direct Connect Public VIF due to a typoed third octet in an advertised /26.
To quote from AWS’s response brought in said article:
In the instance you reported, there was an issue with our process for validating the ownership of the IP prefix, which led to the traffic being sent to an unintended destination. We have since improved the process by expanding the checks being performed.
AWS has adopted Resource Public Key Infrastructure (RPKI) in its public peering and transit facing infrastructure [3]. However, RPKI had not yet been adopted in DirectConnect due to the increased burden RPKI would put on DirectConnect users. We are actively investigating improvements to the customer experience by adopting more streamlined mechanisms to verify prefix ownership, similar to the Bring your own IP address (BYOIP) features used with EC2 and Amazon Global Accelerator [4].
So there is supposed to be validation everywhere, and in some places they use RPKI, but it seems they use different forms of fallible (human error-susceptible?) validation on one of the entry points by which customers can inject routes that pull AWS-origin outbound traffic globally. In fact, this seems to be the worst place to not validate, because it’s a connection point that allows — by design — for any customer to inject routes, as opposed to only transit providers or other large network operators that meet the requirements for public peering.
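Added example, not part of the original issue and not AWS's validation process: a minimal RFC 6811 route origin validation check, showing how an announcement with a mistyped third octet is classified against RPKI data. The prefixes, ASNs and ROA payloads are constructed for illustration (private address space and documentation ASNs).

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, maxLength, origin AS) tuple."""
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int
    asn: int


def validate(route_prefix: str, origin_asn: int, vrps) -> str:
    """Classify an announcement as valid / invalid / not-found (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    # A VRP "covers" the route if the route equals it or is a more-specific.
    covering = [v for v in vrps
                if v.prefix.version == route.version
                and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"   # no ROA speaks for this address space
    for v in covering:
        # AS0 ROAs never match; the announced length must not exceed maxLength.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin or too specific


# Constructed sample data: the customer (AS64496) holds 10.20.30.0/24,
# and an unrelated network (AS64500) holds 10.20.80.0/24.
VRPS = [
    VRP(ipaddress.ip_network("10.20.30.0/24"), 26, 64496),
    VRP(ipaddress.ip_network("10.20.80.0/24"), 24, 64500),
]

if __name__ == "__main__":
    announcements = [
        ("10.20.30.64/26", 64496),  # intended /26
        ("10.20.80.64/26", 64496),  # third octet mistyped, ROA-covered space
        ("10.99.0.64/26", 64496),   # third octet mistyped, space with no ROA
    ]
    for prefix, asn in announcements:
        print(f"{prefix:<16} AS{asn}  {validate(prefix, asn, VRPS)}")
```

The third case is the caveat: a mistyped prefix that lands in space with no ROA comes back not-found rather than invalid, so a drop-invalids policy only catches the typo when the real holder has published a ROA.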