undefined | Better HN

0 pointswhoknew11225y ago0 comments

> "Yes, but what they're talking about isn't a security denial but a configuration check."

Configuration is a part of security though.

Let's say AWS credentials are leaked. One of the most common uses for leaked credentials is to launch EC2 instance for crypto mining. A malicious actor tries to launch RunInstances on $20k worth of instances and gets denied because there isn't a tag on the instances. Would you want the error to say 'Access denied because you didn't don't have the following tag...'?

0 comments

1 comments · 1 top-level

Spivak5y ago

Yes, because lacking a tag isn't a security boundary. The account has permission to launch EC2 instances and knowing that instances need to have tags isn't a password designed to keep malicious actors out, it's a safeguard.

j / k navigate · click thread line to collapse