I am an Amazon Redshift specialist.
I know of an issue with Redshift such that any user who can create a table and issue a query on that table is able, with normal but specially crafted table and query, to crash the cluster about ten seconds after the query is issued.
I reported this to HackerOne as a vulnerability, providing the DDL for the table and the SQL for the query.
HackerOne triage (not AWS) have come back with;
> We are happy to review this further if you are able to leverage this into a practical exploitation scenario that results in an impact to Amazon assets or data. [Your] report will be closed as Informative.
Which is not what I expected.
I am thinking I have misunderstood something fundamental.
Can anyone here with experience or knowledge in this matter provide advice?
I can also imagine disgruntled or malicious employees or contractors.
Yep, that is the key. Crashing your own org hasn't done that. Unless I'm misunderstanding what you are claiming?
Additionally, I'm not intimately familiar with Redshift, but being able to create a table suggests the attacker would already need a fairly high privilege level to begin with, no? If there are other ways to invoke denial of service conditions from that existing privilege level, this finding may be somewhat moot out of redundancy, similar to how a submission for "a root user with the ability to execute arbitrary commands can cause a denial of service condition in XYZ" would be moot - XYZ is not needed for an adversary with those perms to cause a DoS.
So we're looking at malicious or disgruntled employees, and also normal queries where users do not realize what they're doing will kill the cluster.