So I accidentally published my AWS keys to GitHub, stupid me. I realize this the next day.

$ git reset
$ git push
Reset keys in AWS

I was too late. A bot had already stolen the keys and started up 53 EC2 instances. Racked up $4000+ of compute time (probably Bitcoin mining, I'd assume).

4 weeks later, I finally have this shit disputed and settled.

Don't test with hardcoded keys. You WILL forget about them. Env vars always. That is all.

Comments
  • 50
    Wow, key in public git repo 😨
    Don't use GitHub for private repos. TFS and Bitbucket both set to private by default...
  • 6
    Hmmm, is it a public repo?
  • 8
    Damn yeah, that is some expensive learning right there my friend
  • 21
    Always fun how people try to abuse every mistake they find <3

    I generally put my keys in a file then use .gitignore (as I can't always use envvars)
  • 16
    Maybe it has to do with the way we code: start quick and dirty with everything hardcoded, then once the first proto is working, start refactoring.

    I do that most of the time, but with credentials we need to be a bit more sophisticated. Either by putting creds in an env var, or putting them in a file and adding it to .gitignore, or something else.

    Need to work on getting better at keeping things secured; maybe someone could write a small git plugin to validate for any private info before commits.
  • 5
    Happened to me once, I learned the hard way
  • 5
    @hervinho243 Better to learn from someone else's mistake than your own :D
  • 5
    @yendenikhil you can activate this on gitlab
  • 1
    @azous this?
  • 1
    @FinlayDaG33k that is smart, I should do that
  • 3
    @yendenikhil validate credentials being pushed
  • 2
    @azous I didn't know GitHub has such feature, cool, will check out!
  • 2
    @yendenikhil GitLab 😛
  • 2
    @azous bah, we use gitlab at work. Will check.
  • 0
    And this is why I have a local system that runs my containers
  • 1
    @yendenikhil I'm 100% in agreement with you here. From the start I'm looking for ways to not have this type of issue.
  • 2
    @ImCypher welcome to devRant!
    Thank you for this hindsight sir!
  • 1
    @yendenikhil how do you recognize private info?
  • 2
    @cyberpro4 many ways, keywords, regex patterns, file names!
  • 1
    @anolis Welcome to devRant 😎
  • 2
    This is a prevalent issue.. terrifying to think that it's not caught sometimes
  • 1
    @yendenikhil I will merge with your opinion.
  • 1
    @cyberpro4 I vaguely remember having heard about someone using entropy measurements for this. Besides binary files, only auto-generated keys should have high entropy and can thus be identified that way.

    However I don't remember anymore if it was used to search for others' keys in public repos or if it was used to prevent uploading them. :P

    It's an interesting approach either way.
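    The keyword/regex idea from the earlier comment and the entropy idea from this one, combined into one pre-commit check. This is an added example, not code from the thread or from any tool mentioned in it; the entropy thresholds are assumed tuning values, and the sample key values in the comments below are AWS's published documentation examples, not real credentials.

```python
import math
import re
import subprocess
import sys
from collections import Counter

# Public AWS access key ID format: "AKIA" (long-term) or "ASIA" (temporary) + 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Candidate secrets for the entropy check: unbroken runs of base64/url-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
KEYWORDS = ("secret", "password", "passwd", "token", "api_key", "apikey")
ENTROPY_THRESHOLD = 4.0   # bits per character; assumed tuning value
KEYWORD_THRESHOLD = 3.5   # lower bar when a credential keyword is on the same line (assumed)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> list:
    """Return (kind, value) findings for one line: known key formats first, then high-entropy tokens."""
    findings = [("aws-access-key-id", m.group(0)) for m in AWS_ACCESS_KEY_RE.finditer(line)]
    bar = KEYWORD_THRESHOLD if any(k in line.lower() for k in KEYWORDS) else ENTROPY_THRESHOLD
    for m in TOKEN_RE.finditer(line):
        token = m.group(0)
        if AWS_ACCESS_KEY_RE.fullmatch(token):
            continue  # already reported by the format check above
        if shannon_entropy(token) >= bar:
            findings.append(("high-entropy-string", token))
    return findings


def scan_text(text: str) -> list:
    """Scan multi-line text; returns (line_number, kind, value) tuples."""
    return [(no, kind, value)
            for no, line in enumerate(text.splitlines(), 1)
            for kind, value in scan_line(line)]


def scan_staged_changes() -> list:
    """Scan only the lines being added by the staged commit (what a pre-commit hook should look at)."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"], capture_output=True, text=True, check=True).stdout
    added = "\n".join(l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++"))
    return scan_text(added)


if __name__ == "__main__":
    hits = scan_staged_changes()
    for no, kind, value in hits:
        print(f"blocked: {kind} {value[:6]}... (added line {no})")  # never echo the full secret
    sys.exit(1 if hits else 0)
```

    Saved as .git/hooks/pre-commit (or wired in through a hook manager), a non-zero exit refuses the commit; the constructed sample values in the test are AWS's documentation example key ID and secret.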
  • 0
    I made the same mistake; fortunately AWS was quick to notice and they didn't charge us.

    My 2cts: do not initialize the AWS SDK with anything, just leave the constructor empty. Let the SDK figure out the credentials from the environment. It will use ~/.aws/credentials (the file used by the CLI), env vars, IAM roles etc.

    Having ~/.aws/credentials available for everything you run in your computer might be dangerous, use `aws-vault` which is a great tool.
  • 0
    I'm not mad, that is actually impressive?
  • 0
    Everyone should use something like this as part of their git workflow

    https://github.com/awslabs/...