Developer Learns the Value of Private API Key Security

Amazon’s cloud computing platform, Amazon Web Services (AWS), offers useful tools to developers, but it does have its risks. Andrew D Hoffman from DevFactor was billed $2,375 by Amazon’s Elastic Compute Cloud (EC2) after a bot retrieved his private API key and spun up the maximum number of EC2 instances to mine Bitcoin.

While teaching himself Ruby over the holiday period, Hoffman built a Yelp clone and opened an Amazon Simple Storage Service (S3) account to host the site's images. Because of a seemingly uncommon problem with the Figaro gem, the .gitignore rule that should have kept the file containing his key out of the repository did not take effect when he pushed the code to GitHub, and his API key was inadvertently published online. He removed the key, along with all traces of it, within 5 minutes of it being published, but the damage had already been done.

In the few minutes the API key was on GitHub, a bot retrieved it and used it to access his AWS account. Although the key had been set up for S3, it could also be used to access EC2. Hoffman's account had been running 140 servers through the night and had racked up a bill of $2,375.

He explained the situation to Amazon customer support, which waived the charges this time, but he learned a hard lesson about keeping credentials safe. Hoffman encourages others to protect their own work against this kind of attack by revoking and regenerating any private API key that is exposed on the web, no matter how briefly.
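The two controls the story turns on are keeping the credentials file out of the repository and catching a key before it is pushed. The following is an added example, not code from the article or from Hoffman's project: a small pre-commit style check that scans staged file contents for AWS access key IDs and secret keys and reports a secrets file that .gitignore does not cover. The staged tree and .gitignore are constructed; the credential values are AWS's documented placeholder examples, not real keys; the assumption that Figaro keeps its values in config/application.yml is marked in the code.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) followed by
# 16 upper-case alphanumerics.  Prefix and length are documented by AWS.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A secret access key is 40 base64-like characters; on its own that is too generic,
# so only flag one that follows a name such as AWS_SECRET_ACCESS_KEY.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Files that secret-management gems write to.  config/application.yml as Figaro's
# default location is an assumption; check your own project.
SECRET_FILES = ("config/application.yml", ".env")


def redact(value: str) -> str:
    """Keep only the edges of a credential so the report itself is safe to share."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, name: str = "<input>") -> List[Tuple[str, int, str, str]]:
    """Return (file, line number, finding type, redacted value) for each credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((name, lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((name, lineno, "secret_access_key", redact(m.group(1))))
    return findings


def is_ignored(path: str, gitignore_text: str) -> bool:
    """Simplified .gitignore matching: exact paths, globs and directory prefixes.
    Negation (!pattern) and nested .gitignore files are not handled."""
    for pattern in gitignore_text.splitlines():
        pattern = pattern.strip()
        if not pattern or pattern.startswith("#"):
            continue
        pattern = pattern.lstrip("/").rstrip("/")
        if fnmatch.fnmatch(path, pattern) or path.startswith(pattern + "/"):
            return True
    return False


def precommit_check(staged: Dict[str, str], gitignore_text: str) -> List[str]:
    """Problems that should block a commit: credentials in staged content, or a
    known secrets file that is staged because .gitignore does not cover it."""
    problems = []
    for path, content in staged.items():
        for _, lineno, kind, value in scan_text(content, path):
            problems.append(f"{path}:{lineno}: {kind} {value}")
        if path in SECRET_FILES and not is_ignored(path, gitignore_text):
            problems.append(f"{path}: secrets file is not in .gitignore")
    return problems


# Constructed sample "staged" tree.  The credential values are AWS's documented
# placeholder examples, not real keys.
STAGED = {
    "config/application.yml": (
        "AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"
        'AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "S3_BUCKET: yelp-clone-images\n"
    ),
    "app/models/review.rb": "class Review < ActiveRecord::Base\nend\n",
}
GITIGNORE = "/log/*\n/tmp\n.DS_Store\n"            # the entry for the config file is missing
GITIGNORE_FIXED = GITIGNORE + "/config/application.yml\n"


if __name__ == "__main__":
    for problem in precommit_check(STAGED, GITIGNORE):
        print("BLOCK:", problem)
```

Note that fixing .gitignore alone is not enough: with `GITIGNORE_FIXED` the check still reports the two credentials in the already-staged file, which is the situation the article describes, and the only remedy for a key that has been committed is the one Hoffman gives, revoke it and issue a new one.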


Original Article

My $2375 Amazon EC2 Mistake

Can you elaborate on the statement that "And despite the key being for S3, it was able to access EC2"? I have used AWS-IAM to configure keys to give access only to S3, with the idea that access to EC2 should not be possible for that key. From reading the comment thread to the original article, I'm guessing that IAM wasn't used to limit the power of the AWS key.



It seems that it is possible to initiate EC2 instances through the S3 API, but this could simply be that the credentials he used for S3 could be used for other AWS APIs.

The author made no mention of IAM, and I'm assuming that he felt no need for it since he was working alone and so didn't need to grant access to anyone else. As long as you control the IAM account that you are working with, you should be able to manage exactly who sees what, but it's always worth double-checking your security measures.
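The comments above ask how a key "for S3" could reach EC2. An IAM policy that only grants S3 actions answers that: a key attached to such a policy cannot call EC2 at all, whereas account-level credentials can call everything. The following is an added example, not from the article or from either commenter: a constructed S3-only policy for the image-hosting use case (the bucket name is a placeholder), a policy representing unrestricted credentials, and a small checker that reports which of a set of probe actions each policy allows, using IAM's case-insensitive `*` and `?` wildcard matching. It evaluates Action/Effect only; NotAction, Resource scoping and Condition blocks are deliberately out of scope.

```python
import fnmatch
from typing import Dict, Iterable, List, Set

# Constructed S3-only policy: enough for an app that reads and writes images in
# one bucket, nothing else.  The bucket name is a placeholder.
S3_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::yelp-clone-images/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::yelp-clone-images",
        },
    ],
}

# What an unrestricted key amounts to: every action on every resource.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Probe list (constructed): the site's own S3 operations plus EC2 and IAM
# operations that a key used for image hosting should never be able to perform.
PROBE_ACTIONS = [
    "s3:PutObject",
    "s3:GetObject",
    "ec2:RunInstances",
    "ec2:DescribeInstances",
    "iam:CreateUser",
]


def _as_list(value) -> List[str]:
    """IAM allows a single string or a list in Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: Dict, candidates: Iterable[str]) -> Set[str]:
    """Return the candidate actions this policy allows: the union of Allow
    statements minus any explicit Deny.  Matching follows IAM's wildcard rules
    (* and ?, case-insensitive).  Resource and Condition are not evaluated."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        target = allowed if stmt["Effect"] == "Allow" else denied
        for action in candidates:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                target.add(action)
    return allowed - denied


def services_reachable(policy: Dict, candidates: Iterable[str]) -> Set[str]:
    """Service prefixes (s3, ec2, iam, ...) that at least one allowed action touches."""
    return {action.split(":", 1)[0] for action in allowed_actions(policy, candidates)}


if __name__ == "__main__":
    for name, policy in (("S3-only", S3_ONLY_POLICY), ("full access", FULL_ACCESS_POLICY)):
        print(f"{name}: allows {sorted(allowed_actions(policy, PROBE_ACTIONS))}")
        print(f"{name}: reaches services {sorted(services_reachable(policy, PROBE_ACTIONS))}")
```

Running the checker against a policy before attaching it to a key is a cheap way to confirm that a leak of that key, however it happens, is bounded to one bucket rather than to the whole account.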