Security ain't that hard
"I believe a fair bit of the blame can be laid at the feet of developers, but this sort of thing may not be part of their core competency – security is hard to get right at the best of times,"
BS!
It ain't hard to store your access keys in Secrets Manager and retrieve the keys when you need them programatically, then rotate those keys on a regular basis and make sure the keys you are using ONLY have access to the resources you need.
This is just lazyness and/or blatent incompetance!
Biting the hand that feeds IT
