So, someone uploads their secret key and passcode to GitHub, and it takes 5 mins for the bad guys to get it. Seems like this is a user issue, not a GitHub/AWS/Azure/GCP issue. So many questions, like why are they not federating access, why are they not checking for secrets when they push to GitHub, why don’t they use MFA. Then on the detective side, some basic alerts to monitor unusual behaviour is not really difficult to implement. This is all 101 stuff really.
Security researchers have uncovered a multi-year cryptojacking campaign they claim autonomously clones GitHub repositories and steals their exposed AWS credentials. Given the name "EleKtra-Leak" by researchers at Palo Alto Networks's Unit 42, the criminals behind the campaign are credited with regularly stealing AWS …
Tuesday 31st October 2023 09:01 GMT Hairy Airey
The bigger question is why are people using AWS credentials this way? Ideally you use an account that has the least access necessary to perform the task at hand. So for example you're using Terraform to build multiple instances. The account you use should only be able to build those specific instances. (There's probably an opportunity here to write separate code that gives an account those least privileges and warns if the account is "overprivileged"). This is essentially AWS best practice.
The lack of professionalism in our industry makes me want to cry sometimes. Yes it's hard work, but that's why you are not an amateur at this business. I hope.
Tuesday 31st October 2023 15:59 GMT FrogsAndChips
Re: Least privilege
First rule of AWS IAM: delete access keys, use roles to give temporary privileges to resources. Then, if you need specific credentials, store them in ParameterStore or SecretsManager. There is absolutely no reason to store credentials in clear text in your code, especially if you make it available in GitHub.