The $2375 Amazon AWS mistake


When I got to GitHub, I checked my application.yml, and it was online with my [Amazon S3] API keys… Crap! I reverted the last few commits, and deleted all traces from GitHub. I was able to clean it up within about 5 minutes and no one else knew about the repo. After a close call, I went to bed.

When I woke up the next morning, I had four emails from Amazon AWS and a missed phone call from Amazon AWS. Something about 140 servers running on my AWS account. What? How? I only had S3 keys on my GitHub and they were gone within 5 minutes!

Let this be a lesson to treat your API keys/tokens/etc. like your passwords: never expose them. And if they do get exposed – even for just a little while – change them all.

My $2375 Amazon EC2 Mistake →

Published by Bramus!

Bramus is a frontend web developer from Belgium, working as a Chrome Developer Relations Engineer at Google. From the moment he discovered view-source at the age of 14 (way back in 1997), he fell in love with the web and has been tinkering with it ever since.
