Reply to post:

Dev put AWS keys on Github. Then BAD THINGS happened

Sirius Lee

It is going to be the case that keys are going to be posted. The question is, why does AWS allow the default to be that someone who compromises an account is able to start 20 monster E3 instances in all 8 regions?

This happened to me (no, my keys have never been public and AWS staff were unable to find any) and AWS did remove the credit. However, it took a lot of correspondence to have them set the number of available instances in all regions of my account except 1 to zero and, in the region I use, set it to 6 instances (3 running, 3 spare).

In my correspondence I likened AWS to a credit provider who is delinquent in their responsibilities by letting creditors run up massive bills without even trying to limit the scope of their credit.

I recommend to any other AWS users that, in addition to following the advice to cycle keys regularly, they also contact AWS support and ask them to prevent instances from running, especially in regions they are unlikely to use.
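The per-region caps described in the comment above can also be checked against an account's CloudTrail records. This is an added example, not part of the original comment: the caps (6 in one region, 0 elsewhere) come from the comment, while the region name, access key IDs and sample events are constructed.

```python
import json

# Caps from the comment: 6 instances in the one region in use, 0 elsewhere.
# "eu-west-1" as the region in use is an assumption for this example.
REGION_CAPS = {"eu-west-1": 6}
DEFAULT_CAP = 0

# Constructed CloudTrail-style records (not real log data).
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2020-01-01T10:00:00Z", "eventName": "RunInstances", "awsRegion": "eu-west-1",
  "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
  "requestParameters": {"instancesSet": {"items": [{"minCount": 3, "maxCount": 3}]}}},
 {"eventTime": "2020-01-01T10:05:00Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
  "userIdentity": {"accessKeyId": "AKIAEXAMPLE2"},
  "requestParameters": {"instancesSet": {"items": [{"minCount": 20, "maxCount": 20}]}}},
 {"eventTime": "2020-01-01T10:06:00Z", "eventName": "RunInstances", "awsRegion": "sa-east-1",
  "userIdentity": {"accessKeyId": "AKIAEXAMPLE2"}, "errorCode": "Client.InstanceLimitExceeded",
  "requestParameters": {"instancesSet": {"items": [{"minCount": 20, "maxCount": 20}]}}},
 {"eventTime": "2020-01-01T10:10:00Z", "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
  "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"}, "requestParameters": null},
 {"eventTime": "2020-01-01T10:20:00Z", "eventName": "RunInstances", "awsRegion": "eu-west-1",
  "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
  "requestParameters": {"instancesSet": {"items": [{"minCount": 4, "maxCount": 4}]}}}
]""")

def requested_count(event):
    """Number of instances a RunInstances call asked for (sum of maxCount)."""
    params = event.get("requestParameters") or {}
    items = (params.get("instancesSet") or {}).get("items") or []
    return sum(int(item.get("maxCount", 1)) for item in items)

def find_violations(events, caps=REGION_CAPS, default_cap=DEFAULT_CAP):
    """Flag RunInstances calls that push a region past its cap.
    Simplification: terminations are not subtracted from the running total."""
    launched, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") != "RunInstances":
            continue
        region = ev["awsRegion"]
        would_be = launched.get(region, 0) + requested_count(ev)
        blocked = "errorCode" in ev          # call was refused, nothing launched
        if not blocked:
            launched[region] = would_be
        cap = caps.get(region, default_cap)
        if would_be > cap:
            key = (ev.get("userIdentity") or {}).get("accessKeyId")
            alerts.append({"region": region, "total": would_be, "cap": cap,
                           "blocked": blocked, "key": key})
    return alerts
```

Refused calls in a zero-cap region are still reported (with `blocked` set), since an attempt to launch in a region the account never uses is itself a sign that a key is being misused.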



Biting the hand that feeds IT © 1998–2020