Amazon’s cloud computing platform, Amazon Web Services (AWS), offers useful tools to developers, but it does have its risks. Andrew D Hoffman from DevFactor was billed $2,375 by Amazon’s Elastic Compute Cloud (EC2) after a bot retrieved his private API key and ran up maximum instances of EC2 servers in order to farm Bitcoins.
While teaching himself Ruby over the festive period, Hoffman built a Yelp clone and opened an Amazon Simple Storage Service (S3) account to host images for the site. Through a seemingly uncommon issue while using a Figaro gem to push code to GitHub, the .gitignore command didn’t function and Hoffman’s API key was inadvertently published online. He quickly removed the key, along with all traces of it, within 5 minutes of it being published, but the damage had already been done.
In the few minutes that the API key had been up on GitHub, it was retrieved by a bot and used to access his AWS account. And despite the key being for S3, it was able to access EC2. Hoffman’s AWS account had been running 140 servers through the night and had racked up a bill of $2,375.
He was able to explain the situation to Amazon customer support and they dropped the charges this time, but he has learned the valuable lesson of keeping your data safe. Hoffman encourages others to properly protect their own work from this type of hacking by revoking and regenerating any private API key that gets out on the web, no matter how briefly.