Reply to post: Re: What about pre-payment?

Dev put AWS keys on Github. Then BAD THINGS happened

Ben Tasker Silver badge

Re: What about pre-payment?

Aside from the obvious issue of storing credentials securely

And, as appears to be relevant here - actually bothering to set up non-privileged keys. If they were spinning up EC2 instances (and the dev seems surprised by it) then either he was using a key with permission to do so (i.e. it's been configured in IAM) or more likely was using his root keys, granting the attacker unlimited access.

Wonder whether he remembered to purge the keys from his commit history, a 5 minute window is pretty short...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2020