undefined | Better HN

0 pointsSomeone123410y ago0 comments

API key theft is a common problem with AWS users.

The problem people have is that when they generate an API key they grant that key "everything" even account management stuff. Instead of giving it the least privilege needed to accomplish whatever it is that it does.

Then they'll inadvertently upload it to e.g. GitHub or similar in some source code and bad guys have bots which will steal it then make use of your account for all kinds of evil purposes.

Having things like 2F on your main account (which you should) won't save you from this. And if you go to bed, by the time you wake up the account charges could be in the tens of thousands even with billing alerts.

0 comments

1 comments · 1 top-level

mindcrime10y ago

Then they'll inadvertently upload it to e.g. GitHub or similar in some source code and bad guys have bots which will steal it then make use of your account for all kinds of evil purposes.

OK, yeah, that was the one scenario I was thinking about. I just didn't know if there was some other AWS hack being employed commonly.

For this, there is at least a solution, even if people don't use it, and that is to use IAM roles. Create your root account and never (or almost never) use it, except to create IAM users with more limited permissions, and then use the AIM user for all your day to day stuff.

j / k navigate · click thread line to collapse